AWS Tutorials: AWS Systems Manager (SSM)
Introduction to AWS Systems Manager (SSM)
AWS Systems Manager (SSM) is a comprehensive management service designed to help you automate and manage your EC2 instances, on-premises servers, and other AWS resources. It provides features such as RunCommand, Parameter Store, Automation, Session Manager, and Patch Manager, allowing you to streamline operational tasks and ensure consistent configurations.
Why Use AWS Systems Manager?
- Centralized Management: Manage multiple resources (both on AWS and on-premises) from a single interface.
- Automation: Automate common operational tasks such as patching, configurations, and deployments.
- Security and Compliance: Enforce security best practices and maintain compliance through centralized access and control.
- Cost-Effectiveness: Reduce operational overhead by automating tasks and reducing manual intervention.
- Enhanced Troubleshooting: Use features like Session Manager to securely access instances without SSH keys, enabling easier troubleshooting.
Core Features of AWS Systems Manager
1. RunCommand
RunCommand allows you to remotely execute scripts, commands, or automation workflows on your EC2 instances without needing SSH or RDP access.
- Common Use Cases:
- Remotely installing software.
- Restarting services or checking system status.
- Collecting logs for analysis.
- Steps to Use RunCommand:
- Navigate to the AWS Systems Manager console.
- Select RunCommand from the navigation pane.
- Choose a Document like
AWS-RunShellScript. - Target specific instances using filters or Instance IDs.
- Define the command to run, such as a script, and execute it.
Example:
bashCopy codeaws ssm send-command
--document-name "AWS-RunShellScript"
--targets "Key=instanceIds,Values=i-0abcdef1234567890"
--parameters "commands=echo 'Hello World'"
2. Session Manager
Session Manager provides a secure way to access your EC2 instances without opening SSH ports or managing keys.
- Benefits:
- No need for SSH keys or inbound ports.
- Centralized logging of all session activity.
- Works for both Linux and Windows instances.
- Steps to Use Session Manager:
- Install the SSM Agent on your EC2 instance (pre-installed on some AMIs).
- Ensure your instance has an IAM role with
AmazonSSMManagedInstanceCorepermissions. - Open Session Manager in the AWS console.
- Start a session to access the shell directly from the AWS console.
3. Parameter Store
Parameter Store allows you to store configuration data such as database connection strings, API keys, and other sensitive data securely.
- Key Features:
- Securely store strings, encrypted secrets, and hierarchical configurations.
- Easy integration with other AWS services like Lambda and EC2.
- Versioning for tracking changes to parameters.
- Steps to Use Parameter Store:
- Navigate to AWS Systems Manager.
- Choose Parameter Store and click Create Parameter.
- Define your parameter’s name, value, and data type (String, SecureString).
- Use the parameter in your applications by querying it using the SDK or CLI.
Example to retrieve a parameter:
aws ssm get-parameter --name "my-database-password" --with-decryption
4. Automation
Automation helps in creating workflows to perform tasks like instance patching, AMI creation, and remediation workflows.
- Key Features:
- Automate tasks across AWS resources with predefined or custom automation documents.
- Integration with services like EC2, S3, and Lambda.
- Supports multi-step workflows for complex operations.
- Steps to Create an Automation Workflow:
- Go to AWS Systems Manager and select Automation.
- Choose an automation document like
AWS-UpdateLinuxAmi. - Configure inputs such as instance IDs, desired actions, and parameters.
- Execute the automation, and Systems Manager will perform the tasks.
5. Patch Manager
Patch Manager automates the process of applying patches to your EC2 instances, ensuring that your infrastructure remains secure and up-to-date.
- Features:
- Schedule patching operations.
- Set patch baselines for both Linux and Windows instances.
- Integration with automation for patching at scale.
- Steps to Use Patch Manager:
- Define a patch baseline that specifies the patches to be applied.
- Schedule a maintenance window for patching.
- Patch instances automatically within the defined window.
6. Inventory
Inventory collects metadata from your instances about installed applications, configurations, and files, helping you keep track of your resources.
- Key Benefits:
- Get insights into installed applications and system configurations.
- Generate detailed reports for compliance audits.
- Track inventory changes over time.
Security Best Practices for AWS Systems Manager
- IAM Role Permissions: Ensure that only required permissions are assigned to the roles associated with EC2 instances. The
AmazonSSMManagedInstanceCorerole provides the minimum necessary permissions. - Secure Parameter Store Data: Use SecureString for sensitive data in Parameter Store and enable encryption using AWS KMS.
- Session Manager Logging: Enable centralized logging and auditing of all Session Manager sessions using AWS CloudTrail and Amazon S3.
Monitoring and Auditing with Systems Manager
- CloudWatch Logs: Systems Manager can be integrated with CloudWatch to monitor command outputs, errors, and logs from your instances.
- CloudTrail Integration: Track every API call made through Systems Manager using AWS CloudTrail for security and auditing purposes.
- Compliance Reporting: Systems Manager allows you to report on compliance for patches, configurations, and inventory across your resources.
Conclusion
AWS Systems Manager (SSM) is a powerful service for managing, automating, and securing EC2 instances and other AWS resources. Whether you’re managing a fleet of instances or applying patches to specific resources, SSM provides a unified interface to handle common operational tasks. With its focus on automation and security, Systems Manager helps reduce operational overhead and ensures your infrastructure remains compliant and up-to-date.
Further Reading
1. ssm-user
The ssm-user is the default user created by AWS Systems Manager (SSM) when you connect to a managed instance (like an EC2 instance) using the Session Manager feature. Session Manager allows you to establish a shell session on your instance without needing to open an SSH connection or manage SSH keys.
- When you use Session Manager to connect to an EC2 instance, the default user for the session is
ssm-user. - This user has limited privileges and is used to provide access to the instance while still maintaining the security practices around session control.
2. SSM Document
An SSM document (or Systems Manager document) is a JSON or YAML file that defines actions for AWS Systems Manager to execute on your instances. It can be used for automating tasks like running commands, patching, or managing configurations.
- AWS provides predefined SSM documents, and you can also create custom SSM documents to suit your specific needs.
- SSM documents can include different types of operations, such as running scripts, configuring services, or applying patches.
- Each document contains steps that the Systems Manager performs, which can be configured with input parameters.
3. RunCommand
RunCommand is an action within AWS Systems Manager that allows you to remotely execute commands on your EC2 instances. You can use RunCommand to:
- Run shell commands or PowerShell scripts on your instances.
- Install software or patches.
- Manage configurations.
RunCommand operates through SSM Agent, which needs to be installed and running on your EC2 instance. You can run commands either via the AWS Management Console, the AWS CLI, or through an automation process like SSM documents.
Here’s a comparison of ssm-user, SSM Document, and RunCommand presented in a tabular format:
| Feature | ssm-user | SSM Document | RunCommand |
|---|---|---|---|
| Definition | A default user created by AWS when using Session Manager to connect to an EC2 instance. | A JSON or YAML file that defines actions for AWS Systems Manager to execute on instances. | An action within Systems Manager used to remotely execute commands on EC2 instances. |
| Purpose | Provides a default, secure user for session connections (via Session Manager) to EC2 instances. | Automates tasks such as running commands, applying patches, and managing configurations on EC2 instances. | Allows you to execute commands (scripts, software installations) remotely on EC2 instances. |
| Scope | User-specific, managing login sessions to instances via AWS Session Manager. | Document-level, defines specific tasks to be automated across multiple instances. | Command-specific, allowing the execution of individual tasks or commands. |
| Usage | Automatically used when you connect via Session Manager. | Executed by Systems Manager based on a predefined structure (actions and steps). | Can be run interactively via the console, CLI, or API. |
| Customization | Limited (default user cannot be changed directly unless manually configured). | Can be fully customized by creating custom SSM documents for specific tasks. | Allows specifying different commands/scripts to be run on instances. |
| Security | Managed by AWS, provides secure access to instances via Session Manager without SSH keys. | Supports encryption and access control for task execution on instances. | Requires proper IAM permissions to run commands on targeted instances. |
| Example | User created automatically when connecting to an instance using Session Manager. | A document to run a shell script or apply a patch to an instance group. | Sending a command to run a script on an instance using the AWS CLI. |
| IAM Role Requirements | Uses an IAM role to establish session and provide permissions. | IAM roles define which SSM documents can be used. | IAM role required to allow access for command execution on EC2 instances. |
| Integration | Integrated with AWS Session Manager for secure instance management. | Used by Systems Manager to automate operations like patching, configuration, etc. | Integrated with SSM Agent on EC2 instances to execute commands remotely. |
