Prashant Lakhera

Mar 19, 2019

6 min read

100 Days of DevOps — Day 36-Introduction to AWS System Manager

Welcome to Day 36 of 100 Days of DevOps, Focus for today is AWS System Manager

What Is AWS Systems Manager?

AWS Systems Manager is a collection of capabilities for configuring and managing your Amazon EC2 instances, on-premises servers and virtual machines, and other AWS resources at scale.

Reference

Pre-requisites: There are two pre-requisites on setting up System Manager

Setting up IAM Role for System Manager

To use system manager you need to set up two roles

  • One role authorizes the user to use System Manager
  • First one assign AmazonSSMFullAccess policy to the user
  • Other authorizes systems to be authorized by the system manager
  • Create a new role and assign AmazonEc2Rolefor SSM
  • Attach the role, I have created earlier to an existing instance or during instance creation

For more info about IAM

Installing SSM Agent

  • Go to Actions → Run Command → AWS-RunShellScript → Commands → Type any Linux command eg: ls -l → Target Instance(Select the instance)
  • You can also check the output under view output tab
  • To execute the same command via aws cli

What is AWS Systems Manager State Manager

  • AWS Systems Manager State Manager is a secure and scalable configuration management service that automates the process of keeping your Amazon EC2 and hybrid infrastructure in a state that you define.
  • One of the use case I found out of AWS System Manager State Manager is to run the command on a scheduled basis(eg: SnapShot Creation)

But I believe there is a much better way to achieve this eg: EBS LifeCycle Manager

One other option that has tried is the AMI creation on the scheduled basis but there is a bug already raised for this issue https://forums.aws.amazon.com/thread.jspa?messageID=893995&#893995

AWS Systems Manager Parameter Store

AWS System Manager Parameter store provides secure, hierarchical storage for configuration data management and secrets management. We can store data such as,

  • passwords
  • database strings
  • license codes

Which we can then be programmatically accessed via the SSM API.

Parameter store is offered at no additional charge

Go to the parameter store https://us-west-2.console.aws.amazon.com/systems-manager → Create Parameter

  • Now to retrieve this value via command line
$ aws ssm get-parameters --names "testpass"{"InvalidParameters": [],"Parameters": [{"Name": "testpass","LastModifiedDate": 1552923749.085,"Value": "test123","Version": 1,"Type": "String","ARN": "arn:aws:ssm:us-west-2:XXXXXXX:parameter/testpass"}]}

How to store a secure string

  • When we store a secure string in the EC2 parameter store, the data is encrypted by the KMS key associated with my account.
  • If you try to verify via UI, you will see something like this
  • You can access it via command line
$ aws ssm get-parameters --names "mysecurestring" --with-decryption{"InvalidParameters": [],"Parameters": [{"Name": "mysecurestring","LastModifiedDate": 1552923877.289,"Value": "test123","Version": 1,"Type": "SecureString","ARN": "arn:aws:ssm:us-west-2:349934551430:parameter/mysecurestring"}]}
  • To store the secret
# To store the secret# aws ssm put-parameter --name "secret-password" --value 'XXXXX' --type SecureString --key-id XXXXXX{"Version": 1}

AWS Systems Manager Inventory

AWS Systems Manager Inventory provides visibility into your Amazon EC2 and on-premises computing environment. You can use Inventory to collect metadata from your managed instances. You can store this metadata in a central Amazon Simple Storage Service (Amazon S3) bucket, and then use built-in tools to query the data and quickly determine which instances are running the software and configurations required by your software policy, and which instances need to be updated.

* Give you inventory some name
* Targets: Either Manually select the instance or better to use Tag so that all the future installed instance will be tracked automatically
* Schedule: How frequently you want to collect Invnetory
* Parameter: Different Parameter you want to collect
  • After waiting for a few mins, you will see something like this
  • If you go to managed instance tab, select your instance and then inventory tab
  • Under configuration timeline, you will see something like this, all the changes happen to this instance

Looking forward from you guys to join this journey and spend a minimum an hour every day for the next 100 days on DevOps work and post your progress using any of the below medium.

Reference