Prashant Lakhera

Mar 19, 2019

6 min read

100 Days of DevOps — Day 36-Introduction to AWS System Manager

Welcome to Day 36 of 100 Days of DevOps. The focus for today is AWS Systems Manager.

What Is AWS Systems Manager?

AWS Systems Manager is a collection of capabilities for configuring and managing your Amazon EC2 instances, on-premises servers and virtual machines, and other AWS resources at scale.


Pre-requisites: There are two pre-requisites for setting up Systems Manager.

Setting up IAM Roles for Systems Manager

To use Systems Manager you need to set up two roles:

  • One role authorizes the user to use Systems Manager: attach the AmazonSSMFullAccess policy to the user.
  • The other role authorizes instances to be managed by Systems Manager: create a new role and attach the AmazonEC2RoleforSSM policy to it.
  • Attach the role created in the previous step to an existing instance, or assign it during instance creation.

For more info about IAM

Installing SSM Agent

  • Go to Actions → Run Command → AWS-RunShellScript → Commands → type any Linux command, e.g. ls -l → Target Instance (select the instance)
  • You can also check the output under the View Output tab
  • To execute the same command via the AWS CLI:

What is AWS Systems Manager State Manager

  • AWS Systems Manager State Manager is a secure and scalable configuration management service that automates the process of keeping your Amazon EC2 and hybrid infrastructure in a state that you define.
  • One use case I found for State Manager is running a command on a scheduled basis (e.g. snapshot creation).

But I believe there is a much better way to achieve this, e.g. EBS Lifecycle Manager.

One other option I have tried is AMI creation on a scheduled basis, but there is a bug already raised for this issue.

AWS Systems Manager Parameter Store

AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management. We can store data such as:

  • passwords
  • database strings
  • license codes

which can then be accessed programmatically via the SSM API.

Parameter Store is offered at no additional charge.

Go to the parameter store → Create Parameter

  • Now to retrieve this value via the command line:

$ aws ssm get-parameters --names "testpass"
{
    "InvalidParameters": [],
    "Parameters": [
        {
            "Name": "testpass",
            "LastModifiedDate": 1552923749.085,
            "Value": "test123",
            "Version": 1,
            "Type": "String",
            "ARN": "arn:aws:ssm:us-west-2:XXXXXXX:parameter/testpass"
        }
    ]
}

How to store a secure string

  • When we store a SecureString in Parameter Store, the value is encrypted with a KMS key in your account (the default AWS-managed SSM key unless you pass --key-id).
  • If you try to verify via the UI, you will see something like this
  • You can access it via the command line; the --with-decryption flag returns the plaintext, without it the SecureString value comes back still encrypted:

$ aws ssm get-parameters --names "mysecurestring" --with-decryption
{
    "InvalidParameters": [],
    "Parameters": [
        {
            "Name": "mysecurestring",
            "LastModifiedDate": 1552923877.289,
            "Value": "test123",
            "Version": 1,
            "Type": "SecureString",
            "ARN": "arn:aws:ssm:us-west-2:349934551430:parameter/mysecurestring"
        }
    ]
}

  • To store the secret:

# aws ssm put-parameter --name "secret-password" --value 'XXXXX' --type SecureString --key-id XXXXXX
{
    "Version": 1
}
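Note that the first example above stores a password (testpass) as a plain String, which is exactly what SecureString exists to avoid. As an added example that is not part of the original post, the following script audits the JSON that aws ssm get-parameters returns and flags secret-looking parameters that are not SecureString; it also surfaces InvalidParameters, since the CLI call does not fail when a name does not exist. The sample output, names and values are constructed for this example.

```python
import json
import re
from typing import Dict, List

# Constructed sample in the shape of `aws ssm get-parameters` output.
# Account id, names and values are made up for this example.
SAMPLE_OUTPUT = json.dumps({
    "InvalidParameters": ["missing-param"],
    "Parameters": [
        {"Name": "testpass", "Type": "String", "Value": "test123", "Version": 1,
         "ARN": "arn:aws:ssm:us-west-2:123456789012:parameter/testpass"},
        {"Name": "mysecurestring", "Type": "SecureString", "Value": "test123", "Version": 1,
         "ARN": "arn:aws:ssm:us-west-2:123456789012:parameter/mysecurestring"},
        {"Name": "/app/prod/db-connection-string", "Type": "String",
         "Value": "postgres://app:hunter2@db.internal:5432/app", "Version": 2,
         "ARN": "arn:aws:ssm:us-west-2:123456789012:parameter/app/prod/db-connection-string"},
        {"Name": "/app/prod/log-level", "Type": "String", "Value": "info", "Version": 1,
         "ARN": "arn:aws:ssm:us-west-2:123456789012:parameter/app/prod/log-level"},
    ],
})

# Name fragments that usually indicate a secret (the post's own examples:
# passwords, database strings, license codes).
SECRET_NAME_HINTS = re.compile(r"pass|pwd|secret|token|key|credential|conn|string|license", re.I)
# user:password@ embedded in a URL-style value.
SECRET_VALUE_HINTS = re.compile(r"://[^/\s]+:[^@\s]+@")


def audit_parameters(raw_json: str) -> List[Dict]:
    """Return one finding per secret-looking parameter stored as a plain String,
    plus one per name the API reported as non-existent."""
    doc = json.loads(raw_json)
    findings = []
    for p in doc.get("Parameters", []):
        if p.get("Type") == "SecureString":
            continue  # encrypted at rest with KMS; nothing to flag here
        reasons = []
        if SECRET_NAME_HINTS.search(p["Name"]):
            reasons.append("name suggests a secret")
        if SECRET_VALUE_HINTS.search(p.get("Value", "")):
            reasons.append("value embeds credentials")
        if reasons:
            findings.append({"name": p["Name"], "type": p["Type"], "reasons": reasons,
                             "fix": "recreate as SecureString and rotate the value"})
    for name in doc.get("InvalidParameters", []):
        findings.append({"name": name, "type": None,
                         "reasons": ["parameter does not exist; callers get no error"], "fix": None})
    return findings


if __name__ == "__main__":
    for f in audit_parameters(SAMPLE_OUTPUT):
        print(f"{f['name']}: {', '.join(f['reasons'])}")
```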

AWS Systems Manager Inventory

AWS Systems Manager Inventory provides visibility into your Amazon EC2 and on-premises computing environment. You can use Inventory to collect metadata from your managed instances. You can store this metadata in a central Amazon Simple Storage Service (Amazon S3) bucket, and then use built-in tools to query the data and quickly determine which instances are running the software and configurations required by your software policy, and which instances need to be updated.

  • Give your inventory a name
  • Targets: either select instances manually, or better, use a tag so that all future instances are tracked automatically
  • Schedule: how frequently you want to collect inventory
  • Parameters: the different parameters you want to collect
  • After waiting a few minutes, you will see something like this
  • Go to the Managed Instances tab, select your instance, and then open the Inventory tab
  • Under Configuration Timeline you will see something like this: all the changes that have happened to this instance

Looking forward to you guys joining this journey, spending a minimum of an hour every day for the next 100 days on DevOps work, and posting your progress using any of the below mediums.