AWS Systems Manager (AWS SSM) is the operations hub for AWS that provides a unified user interface where you can track and resolve operational issues across your AWS or on-premises applications and resources from a central place. For that purpose, AWS Systems Manager has many services for you, such as OpsCenter, Change Manager, Fleet Manager, and many others. In this article, we’ll introduce you to the AWS Systems Manager Parameter Store, Session Manager, and Patch Manager and show how to set them up.
Table of contents
- AWS Systems Manager Parameter Store
- Purpose of AWS Systems Manager Parameter Store
- Features of AWS Systems Parameter Store
- Parameter Store vs Secrets Manager
- Managing AWS SSM Parameter Store parameters
- AWS Parameter Store Limits
- AWS Systems Manager Session Manager
- AWS Systems Manager Patch Manager
- Related articles
AWS Systems Manager Parameter Store
AWS Systems Manager Parameter Store is a service that allows you to store and securely manage your application configuration and secret data. It provides centralized storage to store plain-text data such as integration service URL or secrets such as passwords or applications licenses. By using Parameter Store, you can separate your secrets and configuration data from the application code. All stored parameters can be tagged and organized into hierarchies to help you manage parameters easily and systematically. For example, you can declare the same parameter as
db-pasword withing different hierarchical paths
prod/db-name/db-password to store different access credentials for development and production environments.
Here’s a typical example of using Parameter Store:
Purpose of AWS Systems Manager Parameter Store
Managing the security of the application’s data and configuration is a critical process of every organization. It becomes especially true when you deploy your infrastructure on the cloud. A challenging topic of every application’s security is storing parameters like environmental variables, API keys, products keys, whether in plain text or an encrypted format. Many organizations still using plain text configuration files, but it is way more secure to store sensitive application configuration data in an encrypted form and import this information at application runtime.
Since managing your own parameter store is a difficult task, AWS came out with the AWS Systems Manager Parameter Store to solve this problem. Now you can store and securely manage all sorts of application data such as passwords, database strings, Amazon Machine Image IDs, licenses, and many other possible parameters.
Features of AWS Systems Parameter Store
The AWS Systems Parameter Store provides you with the following features:
- Change notification – Parameter Store allows you to react on parameter’s change events to apply required automated action. For example, you can change database password in Parameter Store and configure AWS Lambda to automatically update it in your database.
- Organized access control – You can individually tag your parameters to group multiple parameters based on specified tags. For instance, you can give multiple tags for parameters like departments, specific environments, users, groups, etc. Furthermore, you also can restrict access to parameters using Identity and Access Management policies.
- Labeled parameter versions – Labeled versions or aliases help you easily identify a parameter version when there are multiple versions exist.
- Data validation – This feature allows you to create parameters pointing to an AWS cloud resource instance (for example, AMI) to make sure that the referencing resource type exists, and the resource customer has the permission to use the resource.
- Secrets referencing – This integration with Systems Manager helps applications to retrieve any secrets from the Secrets Manager if they already using parameters from the Parameter Store.
- Access from other AWS services – You can access Parameter Store data from other AWS services to retrieve secrets and configure data from the central location. The common use-cases include such services as AWS Lambda, AWS Cloud Formation, AWS Code Build and many others.
Parameter Store vs Secrets Manager
AWS Systems Manager Parameter Store is a service that allows you to store and securely manage your application configuration and secret data.
AWS Secrets Manager is a service similar to the AWS SSM Parameter Store. But, it not only stores secrets it also automates the process of rotation of those secrets. Automatic secrets rotation by schedule helps you to increase the security of your secrets even more.
As soon as both services are very similar, it gets tough to choose between the two. Let’s take a look at the key differences and similarities between the two services so you can choose which one suits your needs better.
- Managed data store – Both these services offer a solution for managing and storing key-value pairs.
- Encryption – Both the services has integration with AWS KMS for data encryption. The Parameter store can store plain text and KMS to encrypt values. On the other hand, AWS Secrets Manager stores only encrypted data.
- Cloud Formation integration – Values from both services are referenceable in CloudFormation templates. This permits you to not hardcode secrets and other dynamic values for security purposes.
- Cost – The Parameter Store has two offerings – Standard and Advanced. The Standard version is provided to you at no additional charges for storing plain-text parametes (KMS usage charges applied for encrypted parameters). On the other hand, the Advanced Parameter Store and AWS Secrets Manager will cost you at AWS rates per parameter per month.
- Secrets Rotation – The AWS Secrets Manager provides secrets rotation with full RDS integration. In simple terms, it means that the Secrets Manager is capable to rotate keys and generate new passwords in RDS. For the AWS SSM Parameter Store you have to implement this process yourself by using change notification events.
- Cross Account Access – Another feature that differentiates the AWS Secrets Manager from the SSM Parameter Store is cross-account access. You can share secrets across multiple accounts using the AWS Secrets Manager. For instance, the IAM users or roles can access secrets stored in a completely different AWS account. The cross-account feature is particularly helpful when you need to share secrets with your partners. For the AWS SSM Parameter Store you have to implement this process yourself by using cross-account roles.
- Storage Limits – The Standard SSM Parameter Store has a limit of 4 KB per parameter, while the Advanced version can store up to 8 KB. Side by side, the Secrets Manager allows you to store value up to 64 KB.
Managing AWS SSM Parameter Store parameters
Parameter Store is a feature of AWS System Manager used to store and manage your configuration data, such as database strings or secrets. It can be integrated with AWS KMS for encryption and control user and resource access with IAM.
Creating plain-text parameter
In this section, we will walk you through creating and accessing a parameter in the Parameter Store.
To create a parameter store, follow the below steps:
Access the AWS System Manager at https://console.aws.amazon.com/systems-manager/ and click on Parameter Store as shown below:
Click on Create parameter to create a parameter to store database URL. You should see the following screen:
Fill the form with the following information:
Database URL for Application
Next, click on the Create parameter to create a parameter. You should see the following screen:
Creating encrypted parameter
Click on Create a parameter again to store the database password.
Fill in the following information:
Database Password for Application
- KMS key source:
My current account
Next, Click on Create parameter to create a parameter. You should see the following screen:
You may also run Cloud9 IDE, which has all the required tools installed and the environment configured for you.
As soon as tools and environment are configured, run the following command to access your parameter:
aws ssm get-parameters --names /myapp/dev/db-url /myapp/dev/db-pass
Here’s an example output:
As you can see, one of your parameters is in an encrypted format. You can decrypt your saved parameters using the following command:
aws ssm get-parameters --names /myapp/dev/db-url /myapp/dev/db-pass --with-decryption
Here’s an example output:
If you’re interested in examples of working with AWS Systems Manager Parameter Store using Boto3, we’ll cover them in a separate article soon.
AWS Parameter Store Limits
AWS Parameter Store allows you to increase the default throughput limit to the maximum number of transactions per second. When writing this tutorial, AWS Systems Manager Parameter Store supports up to 3,000 requests per second. Increased throughput will allow you to run applications that require higher concurrent access to a large number of parameters.
AWS Parameter Store Limit Increase
To increase the Parameter Store limits, use the following steps:
Go to the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/
Click on the Parameter Store in the left pane and choose the Setting tab.
Click on the Set limit. You should see the following screen:
Review the message and click on the Set limit to set the limit.
AWS Systems Manager Session Manager
AWS Systems Manager Session Manager is a service that allows you to manage your workloads in the cloud. It’s not a single-use tool but a bundle of utilities that are used independently to secure access to your workloads and systems. Additionally, it allows you to comply with corporate policies requiring controlled access instances and strict security practices while still providing all the users with a one-click solution for accessing managed instances.
In technical terminology, AWS SSM Session Manager is a capability within the AWS cloud platform that allows you to connect your EC2 instances with temporary credentials and administrate your servers without SSH key pairs.
AWS Systems Manager Session Manager also allows you to access the EC2 instances in the same way in multiple different accounts.
Purpose of the AWS Session Manager
You can use AWS Session Manager for a variety of tasks. Some of the common ones are given as follows:
- Manage hybrid cloud systems – The AWS Session Manager helps you manage multiple systems running on the Amazon Web Services and in your on-premise data centre with a single platform. It uses a lightweight agent installed on the EC2 instances and on-premise servers to communicate and flawlessly execute tasks. This, in turn, helps you manage resources of operating systems such as Windows, Linux running on Amazon EC2 and in data centre infrastructure like Microsoft Hyper-V etc.
- Improve visibility and control – AWS Session Manager helps you improve the visibility and control of your EC2 instances and OS configurations. Not only this, but it collects inventory information and software configuration about your fleet of instances and software installed on them. The AWS Session Manager is a great tool to handle and check your data and other deployment details.
- Maintain security and compliance – The AWS Session Manager maintains your systems and keeps them up-to-date by complying with all configuration policies. In short, it helps you keep everything in security posture.
- Secure role-based management – With the integration of AWS Session Manager with Amazon Identity and Access Management, you can apply granular permissions to control the actions of the users. The Amazon CloudTrail records the actions taken by the AWS Session Manager and lets you audit changes throughout your environment.
- Port forwarding – AWS Session Manager enables you to redirect the port inside your instance to a local port on a client. This can help you gain all the information running inside the instance.
Features of AWS Session Manager
Here’s a list of the most important features of AWS Systems Manager Session Manager:
- Support for hybrid cloud systems – The AWS Session Manager enables you to support various hybrid cloud systems such as Windows, Linux, macOS etc. by establishing secure connections with Amazon Elastic Compute Cloud Instances, on-premise instances and virtual machines.
- Console, CLI and SDK access to Session Manager capabilities – There are three ways which you can use these feature. First, you can use the AWS Systems Manager Console to access all the Session Manager capabilities for administrators and end-users. With the Systems Manager Console, you can acomplish almost every task related to your servers administration in a hassle-free manner. The Amazon EC2 console allows end-users to connect to the EC2 instances which they have been granted session permissions for. Second, the AWS CLI gives the end-users access to the Manager’s Session Capabilities with which they can easily start, view and end a session. Third, the SDK session manager consists of all the libraries and sample codes that allows application developers to create front-end applications like custom shells and self-service portals. This feature also enables users to build custom solutions.
- IAM access control – With IAM access control, you can check and control the members who can access and initiate sessions to instances and which instances they can access. Also, with this IAM access control feature, you can allow temporary access to your instances. For instance, you can give temporary access to an on-call engineer immediately to access production servers only for the duration of their rotation period.
- Logging and auditing capability support – AWS Session Manager gives you options to audit and logging session histories stored in your AWS account. This takes place through the integration of various other AWS services.
- Configurable shell profiles – The AWS Session Manager provides you with an option to configure preferences within sessions. The customizable profiles then allow you to define various preferences like shell preferences, environment variables and working directories whenever a session starts.
- KMS data encryption support – You can configure Session Manager to use KMS keys. So, you can encrypt data logs that you’re sending to the AmazonS3 bucket or CloudWatch. Furthermore, the data transfered between the client machines and managed instances during sessions is also encrypted.
- VPC Endpoints support – You can set VPC Endpoints for Systems Manager for your private VPC networks. This can help your manage workloads within isolated environments in secure way.
- Tunnelling – You can use the AWS Session Manager to tunnel traffic like HTTP or any other custom protocol, between a local port on a client machine and a remote port on an instance.
- Interactive commands – This feature allows you to create a session-type SSM document that uses a single session to interactively run a single command.
Using Session Manager to control EC2 instances
In this section, we will show you how to launch an EC2 instance with Session Manager support. We also explain how to connect to AWS EC2 instances using Session Manager without using SSH.
Create EC2 instance IAM Profile Role
First, you will need to create an IAM Profile Role for the EC2 instance. This will allow you to connect to the EC2 instance and start managing it using AWS Session Manager:
Log in to the AWS console at https://console.aws.amazon.com/.
Search for IAM (Identity and Access Management) in the search bar.
Click on IAM.
In the left pane, click on Roles.
Click on Create role.
Select EC2 service and click on Next.
Search for AmazonaSSMFullAccess in the Filter policies, select the AmazonSSMFullAccess policy and click on the Next button.
Define your Tag name and value, then click on the Next button.
Define your Role name, description and click on the Create role button.
Launch an EC2 instance
At this point, the IAM Instance Profile Role for Session Manager is created. Now, we will launch an EC2 instance with this role.
On the AWS console, search for EC2.
Click on the EC2.
Click on Launch Instance.
Search for Ubuntu AMI, select the first image.
Select the second instance and click on Next: Configure Instance Details.
Attach your SSMFullAccess Role and click on the Next: Add Storage.
Click on Next: Add Tag.
Click on Next: Configure Security Group.
Select “Create a new security group,” provide the name and description of the security group, remove the SSH rule and click on the Review and Launch button.
Review your instance details and click on the Launch button.
Select “Proceed without a key pair” and click on Launch Instances.
Click on instance id. You should see your newly launched instance on the following screen:
Accessing EC2 instance through Session Manager
At this point, your EC2 instance is ready. You can now connect it through Session Manager.
On the AWS console, search for System Manager.
Click on System Manager.
In the left pane, scroll down and click on the Session Manager.
Click on Start a session.
Select your running instance and click on Start session.
From here, you can run any command in the Ubuntu instance.
Logging AWS Session Manager sessions to CloudWatch
Amazon CloudWatch Logs allow you to monitor, store and access your logs from EC2 instances. In this section, we will configure CloudWatch Logs to collect AWS Session Manager session logs.
On the AWS console, search for CloudWatch.
Click on CloudWatch.
In the left pane, click on Logs => Logs groups.
Click on Create log group.
Provide your log group details and click on Create button.
Now, search for Session Manager.
Click on Session Manager.
In the Preferences tab, click on the Edit button.
Enable the CloudWatch logging, select log groups, and click on the Save button.
Now, open the CloudWatch => Logs => Log groups as shown below:
Click on your log group.
Double click on your Log streams. You should see your Ubuntu session log in the following screen:
AWS Systems Manager Patch Manager
AWS Systems Manager Patch Manager is an AWS service that automates the process of patching your managed instances with both- security and other kinds of software updates. You can use the AWS Systems Manager Patch Manager for your operating systems as well as your applications.
If we talk about the patch management process, we have to mention that the AWS Patch Manager uses “patch baselines” configured by the rules for auto-approving patches within a few days after their release. Patch baseline also includes a list of approved and rejected patches.
Purpose of AWS Systems Manager Patch Manager
Some of the main areas where AWS Systems Manager Patch Manager flaunts its importance and purpose are:
- Security – Patch management helps fixing the vulnerabilities on your software and applications. This way, AWS Systems Patch Manager helps your organization sail through susceptible security risks by integrating with AWS Identity and Access Management (IAM), AWS CloudTrail, and Amazon EventBridge.
- System Uptime – AWS Systems Manager Patch Manager ensure that all your software and applications are kept up-to-date with the introduced changes, thereby supporting system uptime.
- Compliance – You can use AWS Systems Patch Manager to fulfil the compliance and regulatory requirements.
- Feature Improvements – AWS SSM Patch Manager can accurately do the job for you as it is not only there to fix the software bugs. It can also help ensure that you have the latest and the greatest features/plans that a product has to offer to its audience.
- Enhance productivity – The AWS SSM Patch Manager runs automatically. Additionally, it comes with performance improvements for the products it applies to fix crashes. This, in turn, leads to increased productivity levels in the organization. The employees do not have to spend hours on their systems to get rid of all the issues. This eventually results in better performance and reduced downtime.
Create IAM Role for AWS Patch Manager
First, you will need to create/add an IAM role for the Patch Manager to the Instance Profile. Follow the below steps to create/modify the IAM Role for the EC2 instance:
On the AWS console, search for IAM in the search bar.
Click on IAM. You should see the IAM dashboard on the following screen:
In the left pane, click on the Roles and click on the Create role.
Select EC2 service and click on Next.
Search for core in the Filter policies, select the AmazonSSMManagedInstanceCore policy and click on the Next button.
Define your Tag name and value, then click on the Next button.
Define your Role name, description and click on the Create role button.
Launch an EC2 Instance with IAM Role
Next, you will need to create a new EC2 instance and attach the SSM role you created in the previous section.
On the AWS console, search for EC2.
Click on EC2.
Click on Launch instance.
Select an Amazon Machine Image.
Select instance type and click on the Next button.
Provide your instance details, define the SSM role, and click on the Next button.
Add storage and click on the Next button.
Define the Tag name and click on the Next button.
Create a new security group and click on the Next button.
Create a new SSH key pair and click on the Launch instance button.
Now, search for the Managed instances.
Click on the Managed Instances. You should see the status of your instance on the following screen:
Install SSM Agent on Linux and Windows Instances
By default, SSM Agent is installed on Amazon Machine Images and following EC2 instances:
- Amazon Linux 1/2
- Amazon Linux 2 ECS-Optimized Base AMIs
- Ubuntu Server 16.04, 18.04, and 20.04
So you don’t need to install the SSM agent of the above instances.
Install SSM Agent on Linux
To install SSM Agent on CentOS 8 instance, run the following command:
sudo dnf install -y https://s3.cn-north-1.amazonaws.com.cn/amazon-ssm-cn-north-1/latest/linux_amd64/amazon-ssm-agent.rpm
After installing the SSM agent, start the service using the following command:
sudo systemctl start amazon-ssm-agent
To install SSM Agent on Debian 9 and Debian 10 instances, run the following command:
wget https://s3.cn-north-1.amazonaws.com.cn/amazon-ssm-cn-north-1/latest/debian_amd64/amazon-ssm-agent.deb sudo dpkg -i amazon-ssm-agent.deb
Next, start the service using the following command:
sudo systemctl status amazon-ssm-agent
Install SSM Agent on Windows
By default, the SSM agent comes pre-installed in the following Amazon Machine Images (AMIs):
- Windows Server 2008-2012 R2 AMIs published in November 2016 or later
- Windows Server 2016 and 2019
You can also download and install the latest version of the SSM agent on the Windows system. Follow the below steps to install SSM agent to Windows instance:
Log in to your Windows instance by using Remote Desktop.
Open the PowerShell Windows and run the following command:
Invoke-WebRequest ` https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/windows_amd64/AmazonSSMAgentSetup.exe ` -OutFile $env:USERPROFILE\Desktop\SSMAgent_latest.exe
Start the SSM service using the following command:
Start-Process ` -FilePath $env:USERPROFILE\Desktop\SSMAgent_latest.exe ` -ArgumentList "/S"
Create a Patch Baseline
AWS SSM Patch Manager uses patch baselines to control what patches are installed on the instances based on the specified configuration. It also provides a set of predefined patch baselines for all operating systems. You can either use the predefined baseline or create your custom baseline. In this section, we will create a custom patch baseline.
Search for Patch Manager.
Select the Patch Manager from the menu.
Go to the View predefined patch baselines.
Click Create patch baseline button.
Provide your patch baseline details, rules for the operating system, and click on the Create patch baseline.
Install Patch on EC2 Instance
At this point, your patch baseline is ready to apply on your EC2 instance. Follow the below steps to install Patch on the EC2 instance.
Open the Patch Manager.
Click on Patch now button.
Select basic patching configuration, select patch on target instances, choose instance manually, select your running instance, and click the Patch now button. Once all patches are installed, you should see the following screen:
Next, open the Managed Instances as shown below:
Click on your instance id and search for State installed in the filter bar. You should see all installed patches on the following screen:
In this article, we’ve covered the AWS Systems Manager Parameter Store, Session Manager, and Patch Manager and described step-by-step process how to set up and start using them.
We are sorry that this post was not useful for you!
Let us improve this post!
Tell us how we can improve this post?
Over 12 years of experience as a Linux system administrator. My skills include a depth knowledge of Redhat/Centos, Ubuntu Nginx and Apache, Mysql, Subversion, Linux, Ubuntu, web hosting, web server, Squid proxy, NFS, FTP, DNS, Samba, LDAP, OpenVPN, Haproxy, Amazon web services, WHMCS, OpenStack Cloud, Postfix Mail Server, Security, etc.