Introduction to AWS Systems Manager

Hitesh Jethva

Hitesh Jethva

0
(0)

AWS Systems Manager (AWS SSM) is the operations hub for AWS that provides a unified user interface where you can track and resolve operational issues across your AWS or on-premises applications and resources from a central place. For that purpose, AWS Systems Manager has many services for you, such as OpsCenter, Change Manager, Fleet Manager, and many others. In this article, we’ll introduce you to the AWS Systems Manager Parameter Store, Session Manager, and Patch Manager and show how to set them up.

AWS Systems Manager Parameter Store

AWS Systems Manager Parameter Store is a service that allows you to store and securely manage your application configuration and secret data. It provides centralized storage to store plain-text data such as integration service URL or secrets such as passwords or applications licenses. By using Parameter Store, you can separate your secrets and configuration data from the application code. All stored parameters can be tagged and organized into hierarchies to help you manage parameters easily and systematically. For example, you can declare the same parameter as db-pasword withing different hierarchical paths dev/db-name/db-password and prod/db-name/db-password to store different access credentials for development and production environments.

Here’s a typical example of using Parameter Store:

Introduction to AWS Systems Manager - Parameter Store Workflow

Purpose of AWS Systems Manager Parameter Store

Managing the security of the application’s data and configuration is a critical process of every organization. It becomes especially true when you deploy your infrastructure on the cloud. A challenging topic of every application’s security is storing parameters like environmental variables, API keys, products keys, whether in plain text or an encrypted format. Many organizations still using plain text configuration files, but it is way more secure to store sensitive application configuration data in an encrypted form and import this information at application runtime.

Since managing your own parameter store is a difficult task, AWS came out with the AWS Systems Manager Parameter Store to solve this problem. Now you can store and securely manage all sorts of application data such as passwords, database strings, Amazon Machine Image IDs, licenses, and many other possible parameters.

Features of AWS Systems Parameter Store

The AWS Systems Parameter Store provides you with the following features:

Introduction to AWS Systems Manager - Features
  • Change notification – Parameter Store allows you to react on parameter’s change events to apply required automated action. For example, you can change database password in Parameter Store and configure AWS Lambda to automatically update it in your database.
  • Organized access control – You can individually tag your parameters to group multiple parameters based on specified tags. For instance, you can give multiple tags for parameters like departments, specific environments, users, groups, etc. Furthermore, you also can restrict access to parameters using Identity and Access Management policies.
  • Labeled parameter versions – Labeled versions or aliases help you easily identify a parameter version when there are multiple versions exist.
  • Data validation – This feature allows you to create parameters pointing to an AWS cloud resource instance (for example, AMI) to make sure that the referencing resource type exists, and the resource customer has the permission to use the resource.
  • Secrets referencing – This integration with Systems Manager helps applications to retrieve any secrets from the Secrets Manager if they already using parameters from the Parameter Store.
  • Access from other AWS services – You can access Parameter Store data from other AWS services to retrieve secrets and configure data from the central location. The common use-cases include such services as AWS Lambda, AWS Cloud Formation, AWS Code Build and many others.

Parameter Store vs Secrets Manager

AWS Systems Manager Parameter Store is a service that allows you to store and securely manage your application configuration and secret data.

AWS Secrets Manager is a service similar to the AWS SSM Parameter Store. But, it not only stores secrets it also automates the process of rotation of those secrets. Automatic secrets rotation by schedule helps you to increase the security of your secrets even more.

As soon as both services are very similar, it gets tough to choose between the two. Let’s take a look at the key differences and similarities between the two services so you can choose which one suits your needs better.

Introduction to AWS Systems Manager - Parameter Store vs. Secrets Manager

Similarities

  1. Managed data store – Both these services offer a solution for managing and storing key-value pairs.
  1. Encryption – Both the services has integration with AWS KMS for data encryption. The Parameter store can store plain text and KMS to encrypt values. On the other hand, AWS Secrets Manager stores only encrypted data.
  1. Cloud Formation integration – Values from both services are referenceable in CloudFormation templates. This permits you to not hardcode secrets and other dynamic values for security purposes.

Differences

  1. Cost – The Parameter Store has two offerings – Standard and Advanced. The Standard version is provided to you at no additional charges for storing plain-text parametes (KMS usage charges applied for encrypted parameters). On the other hand, the Advanced Parameter Store and AWS Secrets Manager will cost you at AWS rates per parameter per month.
  1. Secrets Rotation – The AWS Secrets Manager provides secrets rotation with full RDS integration. In simple terms, it means that the Secrets Manager is capable to rotate keys and generate new passwords in RDS. For the AWS SSM Parameter Store you have to implement this process yourself by using change notification events.
  1. Cross Account Access – Another feature that differentiates the AWS Secrets Manager from the SSM Parameter Store is cross-account access. You can share secrets across multiple accounts using the AWS Secrets Manager. For instance, the IAM users or roles can access secrets stored in a completely different AWS account. The cross-account feature is particularly helpful when you need to share secrets with your partners. For the AWS SSM Parameter Store you have to implement this process yourself by using cross-account roles.
  1. Storage Limits – The Standard SSM Parameter Store has a limit of 4 KB per parameter, while the Advanced version can store up to 8 KB. Side by side, the Secrets Manager allows you to store value up to 64 KB.

Managing AWS SSM Parameter Store parameters

Parameter Store is a feature of AWS System Manager used to store and manage your configuration data, such as database strings or secrets. It can be integrated with AWS KMS for encryption and control user and resource access with IAM.

Creating plain-text parameter

In this section, we will walk you through creating and accessing a parameter in the Parameter Store.

To create a parameter store, follow the below steps:

Access the AWS System Manager at https://console.aws.amazon.com/systems-manager/ and click on Parameter Store as shown below:

1. Introduction to AWS Systems Manager - Create parameter - Systems Manager Dashboard

Click on Create parameter to create a parameter to store database URL. You should see the following screen:

2. Introduction to AWS Systems Manager - Create parameter - Parameter Store Dashboard

Fill the form with the following information:

  • Name: /myapp/dev/db-url
  • Description: Database URL for Application
  • Value: db.example.com:3306
3. Introduction to AWS Systems Manager - Create parameter - Parameter Store Form

Next, click on the Create parameter to create a parameter. You should see the following screen:

4. Introduction to AWS Systems Manager - Create parameter - Parameter created

Creating encrypted parameter

Click on Create a parameter again to store the database password.

Fill in the following information:

  • Name: /myapp/dev/db-pass
  • Description: Database Password for Application
  • Value: secure-password
  • Type: SecureString
  • KMS key source: My current account
5. Introduction to AWS Systems Manager - Create parameter - Parameter Store Create Encrypted Parameter

Next, Click on Create parameter to create a parameter. You should see the following screen:

6. Introduction to AWS Systems Manager - Create parameter - Encrypted Parameter created

Accessing parameters

To access the AWS SSM parameters, you will need to install AWS CLI tools and configure your AWS environment.

You may also run Cloud9 IDE, which has all the required tools installed and the environment configured for you.

As soon as tools and environment are configured, run the following command to access your parameter:

aws ssm get-parameters --names /myapp/dev/db-url /myapp/dev/db-pass

Here’s an example output:

7. Introduction to AWS Systems Manager - Query parameters

As you can see, one of your parameters is in an encrypted format. You can decrypt your saved parameters using the following command:

aws ssm get-parameters --names /myapp/dev/db-url /myapp/dev/db-pass --with-decryption

Here’s an example output:

8. Introduction to AWS Systems Manager - Query encrypted parameters

If you’re interested in examples of working with AWS Systems Manager Parameter Store using Boto3, we’ll cover them in a separate article soon.

AWS Parameter Store Limits

AWS Parameter Store allows you to increase the default throughput limit to the maximum number of transactions per second. When writing this tutorial, AWS Systems Manager Parameter Store supports up to 3,000 requests per second. Increased throughput will allow you to run applications that require higher concurrent access to a large number of parameters.

AWS Parameter Store Limit Increase

To increase the Parameter Store limits, use the following steps:

Go to the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/

Click on the Parameter Store in the left pane and choose the Setting tab.

9. Introduction to AWS Systems Manager - Parameter Store settings

Click on the Set limit. You should see the following screen:

10. Introduction to AWS Systems Manager - AWS Parameter Store Limits - Increase throughput request confirmation

Review the message and click on the Set limit to set the limit.

AWS Systems Manager Session Manager

AWS Systems Manager Session Manager is a service that allows you to manage your workloads in the cloud. It’s not a single-use tool but a bundle of utilities that are used independently to secure access to your workloads and systems. Additionally, it allows you to comply with corporate policies requiring controlled access instances and strict security practices while still providing all the users with a one-click solution for accessing managed instances.

Introduction to AWS Systems Manager - Session Manager Workflow

In technical terminology, AWS SSM Session Manager is a capability within the AWS cloud platform that allows you to connect your EC2 instances with temporary credentials and administrate your servers without SSH key pairs.

AWS Systems Manager Session Manager also allows you to access the EC2 instances in the same way in multiple different accounts.

Purpose of the AWS Session Manager

You can use AWS Session Manager for a variety of tasks. Some of the common ones are given as follows:

  • Manage hybrid cloud systems – The AWS Session Manager helps you manage multiple systems running on the Amazon Web Services and in your on-premise data centre with a single platform. It uses a lightweight agent installed on the EC2 instances and on-premise servers to communicate and flawlessly execute tasks. This, in turn, helps you manage resources of operating systems such as Windows, Linux running on Amazon EC2 and in data centre infrastructure like Microsoft Hyper-V etc.
  • Improve visibility and control – AWS Session Manager helps you improve the visibility and control of your EC2 instances and OS configurations. Not only this, but it collects inventory information and software configuration about your fleet of instances and software installed on them. The AWS Session Manager is a great tool to handle and check your data and other deployment details.
  • Maintain security and compliance – The AWS Session Manager maintains your systems and keeps them up-to-date by complying with all configuration policies. In short, it helps you keep everything in security posture.
  • Secure role-based management – With the integration of AWS Session Manager with Amazon Identity and Access Management, you can apply granular permissions to control the actions of the users. The Amazon CloudTrail records the actions taken by the AWS Session Manager and lets you audit changes throughout your environment.
  • Port forwarding – AWS Session Manager enables you to redirect the port inside your instance to a local port on a client. This can help you gain all the information running inside the instance.

Features of AWS Session Manager

Here’s a list of the most important features of AWS Systems Manager Session Manager:

Introduction to AWS Systems Manager - Session Manager Features
  1. Support for hybrid cloud systems – The AWS Session Manager enables you to support various hybrid cloud systems such as Windows, Linux, macOS etc. by establishing secure connections with Amazon Elastic Compute Cloud Instances, on-premise instances and virtual machines.
  1. Console, CLI and SDK access to Session Manager capabilities – There are three ways which you can use these feature. First, you can use the AWS Systems Manager Console to access all the Session Manager capabilities for administrators and end-users. With the Systems Manager Console, you can acomplish almost every task related to your servers administration in a hassle-free manner. The Amazon EC2 console allows end-users to connect to the EC2 instances which they have been granted session permissions for. Second, the AWS CLI gives the end-users access to the Manager’s Session Capabilities with which they can easily start, view and end a session. Third, the SDK session manager consists of all the libraries and sample codes that allows application developers to create front-end applications like custom shells and self-service portals. This feature also enables users to build custom solutions.
  1. IAM access control – With IAM access control, you can check and control the members who can access and initiate sessions to instances and which instances they can access. Also, with this IAM access control feature, you can allow temporary access to your instances. For instance, you can give temporary access to an on-call engineer immediately to access production servers only for the duration of their rotation period.
  1. Logging and auditing capability support – AWS Session Manager gives you options to audit and logging session histories stored in your AWS account. This takes place through the integration of various other AWS services.
  1. Configurable shell profiles – The AWS Session Manager provides you with an option to configure preferences within sessions. The customizable profiles then allow you to define various preferences like shell preferences, environment variables and working directories whenever a session starts.
  1. KMS data encryption support – You can configure Session Manager to use KMS keys. So, you can encrypt data logs that you’re sending to the AmazonS3 bucket or CloudWatch. Furthermore, the data transfered between the client machines and managed instances during sessions is also encrypted.
  1. VPC Endpoints support – You can set VPC Endpoints for Systems Manager for your private VPC networks. This can help your manage workloads within isolated environments in secure way.
  1. Tunnelling – You can use the AWS Session Manager to tunnel traffic like HTTP or any other custom protocol, between a local port on a client machine and a remote port on an instance.
  1. Interactive commands – This feature allows you to create a session-type SSM document that uses a single session to interactively run a single command.

Using Session Manager to control EC2 instances

In this section, we will show you how to launch an EC2 instance with Session Manager support. We also explain how to connect to AWS EC2 instances using Session Manager without using SSH.

Create EC2 instance IAM Profile Role

First, you will need to create an IAM Profile Role for the EC2 instance. This will allow you to connect to the EC2 instance and start managing it using AWS Session Manager:

Log in to the AWS console at https://console.aws.amazon.com/.

Search for IAM (Identity and Access Management) in the search bar.

aws session manager access IAM

Click on IAM.

aws session manager access roles

In the left pane, click on Roles.

aws session manager create role

Click on Create role.

aws session manager select entity

Select EC2 service and click on Next.

aws session manager create policy

Search for AmazonaSSMFullAccess in the Filter policies, select the AmazonSSMFullAccess policy and click on the Next button.

aws session manager add tags

Define your Tag name and value, then click on the Next button.

aws session manager provide role details

Define your Role name, description and click on the Create role button.

aws session manager roles dashboard

Launch an EC2 instance

At this point, the IAM Instance Profile Role for Session Manager is created. Now, we will launch an EC2 instance with this role.

On the AWS console, search for EC2.

aws session manager access EC2

Click on the EC2.

aws session manager launch ec2 instance

Click on Launch Instance.

aws session manager select ubuntu ami

Search for Ubuntu AMI, select the first image.

aws session manager select micro instance

Select the second instance and click on Next: Configure Instance Details.

aws session manager attach ssm role

Attach your SSMFullAccess Role and click on the Next: Add Storage.

aws session manager add storage

Click on Next: Add Tag.

aws session manager add tags

Click on Next: Configure Security Group.

aws session manager create security group

Select “Create a new security group,” provide the name and description of the security group, remove the SSH rule and click on the Review and Launch button.

aws session manager review instance

Review your instance details and click on the Launch button.

aws session manager define ssh key

Select “Proceed without a key pair” and click on Launch Instances.

aws session manager ec2 instance launched

Click on instance id. You should see your newly launched instance on the following screen:

aws session manager ec2 dashboard

Accessing EC2 instance through Session Manager

At this point, your EC2 instance is ready. You can now connect it through Session Manager.

On the AWS console, search for System Manager.

aws session manager access system manager

Click on System Manager.

aws session manager access session manager

In the left pane, scroll down and click on the Session Manager.

aws session manager start ec2 session

Click on Start a session.

aws session manager start ubuntu session

Select your running instance and click on Start session.

aws session manager access ubuntu instance

From here, you can run any command in the Ubuntu instance.

Logging AWS Session Manager sessions to CloudWatch

Amazon CloudWatch Logs allow you to monitor, store and access your logs from EC2 instances. In this section, we will configure CloudWatch Logs to collect AWS Session Manager session logs.

On the AWS console, search for CloudWatch.

aws session manager access cloudwatch

Click on CloudWatch.

aws session manager access logs

In the left pane, click on Logs => Logs groups.

aws session manager create log groups

Click on Create log group.

aws session manager provide log group details

Provide your log group details and click on Create button.

aws session manager log groups dashboard

Now, search for Session Manager.

aws session manager access session manager

Click on Session Manager.

aws session manager edit session manager

In the Preferences tab, click on the Edit button.

aws session manager enable cloudwatch logging

Enable the CloudWatch logging, select log groups, and click on the Save button.

aws session manager logging enabled

Now, open the CloudWatch => Logs => Log groups as shown below:

aws session manager log groups dashboard

Click on your log group.

Double click on your Log streams. You should see your Ubuntu session log in the following screen:

aws session manager cloudwatch events

AWS Systems Manager Patch Manager

AWS Systems Manager Patch Manager is an AWS service that automates the process of patching your managed instances with both- security and other kinds of software updates. You can use the AWS Systems Manager Patch Manager for your operating systems as well as your applications.

If we talk about the patch management process, we have to mention that the AWS Patch Manager uses “patch baselines” configured by the rules for auto-approving patches within a few days after their release. Patch baseline also includes a list of approved and rejected patches.

Purpose of AWS Systems Manager Patch Manager

Some of the main areas where AWS Systems Manager Patch Manager flaunts its importance and purpose are:

  1. Security – Patch management helps fixing the vulnerabilities on your software and applications. This way, AWS Systems Patch Manager helps your organization sail through susceptible security risks by integrating with AWS Identity and Access Management (IAM), AWS CloudTrail, and Amazon EventBridge.
  1. System Uptime – AWS Systems Manager Patch Manager ensure that all your software and applications are kept up-to-date with the introduced changes, thereby supporting system uptime.
  1. Compliance – You can use AWS Systems Patch Manager to fulfil the compliance and regulatory requirements.
  1. Feature Improvements – AWS SSM Patch Manager can accurately do the job for you as it is not only there to fix the software bugs. It can also help ensure that you have the latest and the greatest features/plans that a product has to offer to its audience.
  1. Enhance productivity – The AWS SSM Patch Manager runs automatically. Additionally, it comes with performance improvements for the products it applies to fix crashes. This, in turn, leads to increased productivity levels in the organization. The employees do not have to spend hours on their systems to get rid of all the issues. This eventually results in better performance and reduced downtime.

Create IAM Role for AWS Patch Manager

First, you will need to create/add an IAM role for the Patch Manager to the Instance Profile. Follow the below steps to create/modify the IAM Role for the EC2 instance:

On the AWS console, search for IAM in the search bar.

access IAM

Click on IAM. You should see the IAM dashboard on the following screen:

create IAM role

In the left pane, click on the Roles and click on the Create role.

select trusted entity

Select EC2 service and click on Next.

select IAM role

Search for core in the Filter policies, select the AmazonSSMManagedInstanceCore policy and click on the Next button.

add tag

Define your Tag name and value, then click on the Next button.

provide role information

Define your Role name, description and click on the Create role button.

Launch an EC2 Instance with IAM Role

Next, you will need to create a new EC2 instance and attach the SSM role you created in the previous section.

On the AWS console, search for EC2.

access EC2

Click on EC2.

launch EC2 instance

Click on Launch instance.

Select instance AMI

Select an Amazon Machine Image.

select instance type

Select instance type and click on the Next button.

configure instance

Provide your instance details, define the SSM role, and click on the Next button.

add storage

Add storage and click on the Next button.

add tag

Define the Tag name and click on the Next button.

configure security group

Create a new security group and click on the Next button.

create ssh key

Create a new SSH key pair and click on the Launch instance button.

instance launch status

Now, search for the Managed instances.

access managed instances

Click on the Managed Instances. You should see the status of your instance on the following screen:

managed instances dashboard

Install SSM Agent on Linux and Windows Instances

By default, SSM Agent is installed on Amazon Machine Images and following EC2 instances:

  • Amazon Linux 1/2
  • Amazon Linux 2 ECS-Optimized Base AMIs
  • Ubuntu Server 16.04, 18.04, and 20.04

So you don’t need to install the SSM agent of the above instances.

Install SSM Agent on Linux

To install SSM Agent on CentOS 8 instance, run the following command:

sudo dnf install -y https://s3.cn-north-1.amazonaws.com.cn/amazon-ssm-cn-north-1/latest/linux_amd64/amazon-ssm-agent.rpm

After installing the SSM agent, start the service using the following command:

sudo systemctl start amazon-ssm-agent

To install SSM Agent on Debian 9 and Debian 10 instances, run the following command:

wget https://s3.cn-north-1.amazonaws.com.cn/amazon-ssm-cn-north-1/latest/debian_amd64/amazon-ssm-agent.deb

sudo dpkg -i amazon-ssm-agent.deb

Next, start the service using the following command:

sudo systemctl status amazon-ssm-agent

Install SSM Agent on Windows

By default, the SSM agent comes pre-installed in the following Amazon Machine Images (AMIs):

  • Windows Server 2008-2012 R2 AMIs published in November 2016 or later
  • Windows Server 2016 and 2019

You can also download and install the latest version of the SSM agent on the Windows system. Follow the below steps to install SSM agent to Windows instance:

Log in to your Windows instance by using Remote Desktop.

Open the PowerShell Windows and run the following command:

Invoke-WebRequest `
    https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/windows_amd64/AmazonSSMAgentSetup.exe `
    -OutFile $env:USERPROFILE\Desktop\SSMAgent_latest.exe

Start the SSM service using the following command:

Start-Process `
    -FilePath $env:USERPROFILE\Desktop\SSMAgent_latest.exe `
    -ArgumentList "/S"

Create a Patch Baseline

AWS SSM Patch Manager uses patch baselines to control what patches are installed on the instances based on the specified configuration. It also provides a set of predefined patch baselines for all operating systems. You can either use the predefined baseline or create your custom baseline. In this section, we will create a custom patch baseline.

Search for Patch Manager.

Access patch manager

Select the Patch Manager from the menu.

patch manager dashboard

Go to the View predefined patch baselines.

view predefined baselines

Click Create patch baseline button.

patch baseline details
define approval rules
provide other patch information

Provide your patch baseline details, rules for the operating system, and click on the Create patch baseline.

view your patch baseline

Install Patch on EC2 Instance

At this point, your patch baseline is ready to apply on your EC2 instance. Follow the below steps to install Patch on the EC2 instance.

Open the Patch Manager.

access patch installation

Click on Patch now button.

define target instance
define patch instance

Select basic patching configuration, select patch on target instances, choose instance manually, select your running instance, and click the Patch now button. Once all patches are installed, you should see the following screen:

patch summary

Next, open the Managed Instances as shown below:

access managed instances

Click on your instance id and search for State installed in the filter bar. You should see all installed patches on the following screen:

instance overview
patch installation overview

Summary

In this article, we’ve covered the AWS Systems Manager Parameter Store, Session Manager, and Patch Manager and described step-by-step process how to set up and start using them.

How useful was this post?

Click on a star to rate it!

As you found this post useful...

Follow us on social media!

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?

Top rated Udemy Courses to improve you career

Subscribe to our updates

Like this article?

Share on facebook
Share on Facebook
Share on twitter
Share on Twitter
Share on linkedin
Share on Linkdin
Share on pinterest
Share on Pinterest

Want to be an author of another post?

We’re looking for skilled technical authors for our blog!

Leave a comment

If you’d like to ask a question about the code or piece of configuration, feel free to use https://codeshare.io/ or a similar tool as Facebook comments are breaking code formatting.