100 Days of DevOps — Day 36-Introduction to AWS System Manager

Pre-requisites: There are two pre-requisites on setting up System Manager

  • One role authorizes the user to use System Manager
  • First one assign AmazonSSMFullAccess policy to the user
  • Other authorizes systems to be authorized by the system manager
  • Create a new role and assign AmazonEc2Rolefor SSM
  • Attach the role, I have created earlier to an existing instance or during instance creation
  • Go to Actions → Run Command → AWS-RunShellScript → Commands → Type any Linux command eg: ls -l → Target Instance(Select the instance)
  • You can also check the output under view output tab
  • To execute the same command via aws cli
  • AWS Systems Manager State Manager is a secure and scalable configuration management service that automates the process of keeping your Amazon EC2 and hybrid infrastructure in a state that you define.
  • One of the use case I found out of AWS System Manager State Manager is to run the command on a scheduled basis(eg: SnapShot Creation)
  • passwords
  • database strings
  • license codes
  • Now to retrieve this value via command line
$ aws ssm get-parameters --names "testpass"{"InvalidParameters": [],"Parameters": [{"Name": "testpass","LastModifiedDate": 1552923749.085,"Value": "test123","Version": 1,"Type": "String","ARN": "arn:aws:ssm:us-west-2:XXXXXXX:parameter/testpass"}]}
  • When we store a secure string in the EC2 parameter store, the data is encrypted by the KMS key associated with my account.
  • If you try to verify via UI, you will see something like this
  • You can access it via command line
$ aws ssm get-parameters --names "mysecurestring" --with-decryption{"InvalidParameters": [],"Parameters": [{"Name": "mysecurestring","LastModifiedDate": 1552923877.289,"Value": "test123","Version": 1,"Type": "SecureString","ARN": "arn:aws:ssm:us-west-2:349934551430:parameter/mysecurestring"}]}
  • To store the secret
# To store the secret# aws ssm put-parameter --name "secret-password" --value 'XXXXX' --type SecureString --key-id XXXXXX{"Version": 1}
* Give you inventory some name
* Targets: Either Manually select the instance or better to use Tag so that all the future installed instance will be tracked automatically
* Schedule: How frequently you want to collect Invnetory
* Parameter: Different Parameter you want to collect
  • After waiting for a few mins, you will see something like this
  • If you go to managed instance tab, select your instance and then inventory tab
  • Under configuration timeline, you will see something like this, all the changes happen to this instance



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store