1.4 AWS Systems Manager Lab

AWS Systems Manager is an AWS service that you can use to view and control your infrastructure on AWS. Using the Systems Manager console, you can view operational data from multiple AWS services and automate operational tasks across your AWS resources. Systems Manager helps you maintain security and compliance by scanning your managed instances and reporting on (or taking corrective action on) any policy violations it detects.

AWS Systems Manager (SSM) has many capabilities:

  • Run Command - remotely and securely manage the configuration of your managed instances at scale. Use Run Command to perform on-demand changes like updating applications or running Linux shell scripts and Windows PowerShell commands on a target set of dozens or hundreds of instances. Run Command uses Command Documents.
  • Automation - automate common maintenance and deployment tasks. You can use Automation to create and update Amazon Machine Images, apply driver and agent updates, reset passwords on Windows instances, reset SSH keys on Linux instances, and apply OS patches or application updates. Automation uses Automation Documents.
  • Inventory - Inventory provides visibility into your Amazon EC2 and on-premises computing environment. You can use Inventory to collect metadata from your managed instances. You can store this metadata in a central Amazon Simple Storage Service (Amazon S3) bucket, and then use built-in tools to query the data and quickly determine which instances are running the software and configurations required by your software policy, and which instances need to be updated.
  • What are documents? - An AWS Systems Manager document (SSM document) defines the actions that Systems Manager performs on your managed instances. Systems Manager includes more than a dozen pre-configured documents that you can use by specifying parameters at runtime. Documents use JavaScript Object Notation (JSON) or YAML, and they include steps and parameters that you specify.
  • What is a Managed Instance - A managed instance is any machine configured for AWS Systems Manager. You can configure Amazon EC2 instances or on-premises machines in a hybrid environment as managed instances. Systems Manager supports various distributions of Linux, including Raspberry Pi devices, and Microsoft Windows Server.

In this Lab, we will focus on the following actions:

  1. Setup Inventory Collection
  2. Use Run Command to execute a command against an EC2 Instance
  3. Use Automation to execute a workflow against an EC2 Instance

1. Setup Inventory Collection

Let’s set up inventory collection. This will collect information on what software is installed on our instances. Inventory integrates with AWS Config to give us visibility into what is installed on our instances and how that changes over time.

  1. Click on AWS Systems Manager under Management & Governance to go to the Systems Manager Console.
  2. On the left side menu click on Inventory under Instances & Nodes.
  3. Then on the right side find the Setup Inventory button and click on it. This will create a State Manager association that collects inventory on a schedule.
  4. Let’s accept the defaults here and click on Setup Inventory. Notice, however, that we can also capture specific files and registry keys in our inventory collection if we want to.

2. Use Run Command to execute a command against an EC2 Instance

  1. On the left side menu click on Run Command under Instances & Nodes.
  2. Click on the Run Command Button in the upper right hand corner.
  3. Click on the magnifying glass, select Document name prefix, then select Equals and type in AWS-Run. This filters the list of documents we can see down to the AWS managed command documents that start with AWS-Run. Select the AWS-RunShellScript Command Document, which runs shell commands on Linux instances.
  4. Type in or copy the command from the next code block and enter it into the Commands section. This will output the network interface information of our Linux instance.

    ifconfig
    
  5. We need to determine how we are going to target our instances. In this case we are going to specify our targets by Tag, which will pick up our deployed instance or any other instance with that tag. Targeting instances by Tag or by AWS Resource Groups is the most scalable and flexible way to target instances using AWS Systems Manager. Here we will specify the Name tag, and the value will be MGMT312-EC2.

  6. In our next step we will specify how we want output logs to be handled. In this case we are going to send our logs to CloudWatch Logs, but notice we can also write logs to an S3 bucket. We will examine the output after we have executed this Run Command document.

  7. Run Command will also give you the AWS Command Line Interface command to execute this same process. Click on the Run button to execute the command against our instance.

  8. This will execute the command document against our target instances; we can monitor the status while it runs. Once completed, we can click on the Instance ID and observe the output.

  9. Here, we can observe the output of the command or click to go to CloudWatch Logs to observe the logs there. We see the output of the ifconfig command, as though we were SSH’ed into the instance.

Here we demonstrated how we can use Run Command to run commands remotely on an instance and retrieve the output.

Note that we were able to execute commands without having to log in to the instance. Using Run Command we can remove the need for SSH or RDP access to EC2 instances, improving your organization’s security posture.
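The console run above has an API equivalent. The following added example (written for this page, not code from the lab or from AWS) builds the same Run Command request that steps 3 to 6 configure in the console: the AWS-RunShellScript document, targeting by the Name tag used in the lab, and output captured to CloudWatch Logs. It also groups the per-instance results of list_command_invocations so that a failed or timed-out host stands out without anyone logging in. The log group name and the instance IDs in the sample response are constructed; the `__main__` section needs boto3 and AWS credentials, while the helper functions run offline.

```python
"""Added example: Run Command through the SSM API, plus a per-instance status check.

Illustrative code for this page, not the lab's or AWS's own. The helpers are
offline; only the __main__ block talks to AWS (boto3 + credentials required).
"""
import json

DOCUMENT = "AWS-RunShellScript"             # AWS managed command document used in the lab
TAG_KEY, TAG_VALUE = "Name", "MGMT312-EC2"  # tag target used in the lab
LOG_GROUP = "/ssm/run-command/mgmt312"      # constructed name; use any log group you own


def run_command_request(commands, tag_key=TAG_KEY, tag_value=TAG_VALUE,
                        log_group=LOG_GROUP, comment=""):
    """Build the keyword arguments for ssm.send_command().

    Targeting by tag (rather than listing instance IDs) matches step 5 of the
    lab; CloudWatchOutputConfig matches step 6, so stdout/stderr are kept in a
    log group rather than only in the console's command history.
    """
    return {
        "DocumentName": DOCUMENT,
        "Targets": [{"Key": f"tag:{tag_key}", "Values": [tag_value]}],
        "Parameters": {"commands": list(commands)},
        "CloudWatchOutputConfig": {
            "CloudWatchOutputEnabled": True,
            "CloudWatchLogGroupName": log_group,
        },
        "Comment": comment or f"run via Run Command on tag:{tag_key}={tag_value}",
    }


def summarize_invocations(invocations):
    """Group the entries of list_command_invocations() by Status.

    Returns (by_status, all_ok). all_ok is True only when every targeted
    instance reports Success; anything else (Failed, TimedOut, Cancelled,
    or still Pending/InProgress) deserves a look in the CloudWatch logs.
    """
    by_status = {}
    for inv in invocations:
        by_status.setdefault(inv["Status"], []).append(inv["InstanceId"])
    all_ok = bool(invocations) and set(by_status) == {"Success"}
    return by_status, all_ok


# Constructed sample shaped like the CommandInvocations list returned by
# list_command_invocations(): one healthy host and one failed host.
SAMPLE_INVOCATIONS = [
    {"CommandId": "11111111-aaaa-bbbb-cccc-222222222222",
     "InstanceId": "i-0aaa111bbb222ccc3", "Status": "Success"},
    {"CommandId": "11111111-aaaa-bbbb-cccc-222222222222",
     "InstanceId": "i-0ddd444eee555fff6", "Status": "Failed"},
]

if __name__ == "__main__":
    import time
    import boto3  # needs AWS credentials; not used by the offline helpers above

    ssm = boto3.client("ssm", region_name="eu-west-1")  # region from the lab's CLI command
    command_id = ssm.send_command(**run_command_request(["ifconfig"]))["Command"]["CommandId"]
    # Poll until no invocation is still queued or running.
    while True:
        invs = ssm.list_command_invocations(CommandId=command_id)["CommandInvocations"]
        by_status, ok = summarize_invocations(invs)
        if invs and not (set(by_status) & {"Pending", "InProgress", "Delayed"}):
            break
        time.sleep(5)
    print(json.dumps(by_status, indent=2), "all succeeded:", ok)
```

The Comment field is worth keeping: it is recorded with the command history and makes it easy to tell, in CloudTrail and in the Run Command history, who ran what against which tag.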

Now let’s use AWS Systems Manager Automation to run a workflow that will resize our Instance.

3. Use Automation to execute a workflow against an EC2 Instance

  1. On the left side menu click on Automation under Actions & Changes.
  2. Once there let’s click on the Execute Automation Button on the upper right section of the console.
  3. Select the Cost Management category, select the AWS-ResizeInstance Document and then click Next.
  4. Next we want to select Simple execution, but we have other options, most notably the Multi-account and Multi-Region option. We could also select Manual execution, which could be used for testing.
  5. We then want to provide some input such as the instance size we want to resize to, and the target instance. Let’s slide the Show Interactive Instance Picker and select the instance we deployed through CloudFormation. We are going to resize from a t3.small to a t3.micro.
  6. Again AWS Systems Manager will provide us with the AWS CLI command, and then we can click on Execute.
  7. We can observe the execution steps and click into each step to get more detailed information.

Here we demonstrated how we can execute a multi-step workflow using AWS Systems Manager Automation. In this example we made calls against AWS APIs to stop, resize and start an EC2 instance. AWS Systems Manager Automation can be used for runbooks that respond to events within your environment.

Create a Custom Automation Document

So far we have used AWS Managed Documents, but you can also create your own Command and Automation documents. In this step we will create an Automation Document that we will use later in Section 2 of this workshop. This document will install nginx on an EC2 Instance.

  1. Let’s open up our Cloud9 IDE again and click File > New File to create a new file.

  2. Review the template below and recreate it in your IDE. Notice the mainSteps section of the Automation Document, which lists the steps and runs their commands one after the other.

   ---
   schemaVersion: "0.3"
   description: "Updates AMI with Linux distribution packages and installs Nginx software"
   assumeRole: "{{AutomationAssumeRole}}"
   parameters:
     InstanceId:
       description: "ID of the Instance."
       type: "String"
     AutomationAssumeRole:
       default: ""
       description: "(Optional) The ARN of the role that allows Automation to perform the actions on your behalf."
       type: "String"
   mainSteps:
     # Step 1: bring the OS packages up to date before installing anything.
     - name: "updateOSSoftware"
       action: "aws:runCommand"
       maxAttempts: 3
       timeoutSeconds: 3600
       inputs:
         DocumentName: "AWS-RunShellScript"
         InstanceIds:
           - "{{InstanceId}}"
         CloudWatchOutputConfig:
           CloudWatchOutputEnabled: "true"
         Parameters:
           commands:
             - |
               sudo yum update -y
     # Step 2: install nginx from the Amazon Linux 2 extras repository and start it.
     - name: "InstallNginx"
       action: "aws:runCommand"
       maxAttempts: 3
       timeoutSeconds: 300
       inputs:
         DocumentName: "AWS-RunShellScript"
         InstanceIds:
           - "{{InstanceId}}"
         CloudWatchOutputConfig:
           CloudWatchOutputEnabled: "true"
         Parameters:
           commands:
             - |
               sudo amazon-linux-extras install nginx1 -y
               sudo service nginx start
     # Step 3: verify nginx answers locally; abort the automation if the request fails.
     - name: "TestInstall"
       action: "aws:runCommand"
       maxAttempts: 3
       timeoutSeconds: 3600
       onFailure: "Abort"
       inputs:
         DocumentName: "AWS-RunShellScript"
         InstanceIds:
           - "{{InstanceId}}"
         Parameters:
           commands:
             - |
               curl localhost

  3. Let’s save this document as nginxinstall.yaml in the root of the environment.

  4. Once we have saved this document, run the command in the next code block in the terminal section of our Cloud9 IDE environment.

   aws ssm create-document --content file://nginxinstall.yaml --name "nginxinstall" --document-type "Automation" --document-format YAML --target-type "/AWS::EC2::Instance" --region eu-west-1
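Before registering a custom document, it is worth reviewing exactly what it will run and where its output will go. The following added example (written for this page; it is not the lab's or AWS's own tooling) takes the nginxinstall document above, transcribed to a Python dict since SSM accepts JSON as well as YAML, and performs three reviewer checks: it lists every shell line each aws:runCommand step will execute on the instance, confirms that every {{parameter}} reference is declared under parameters, and flags steps whose output is not captured to CloudWatch Logs or that lack a retry or timeout setting. The checks themselves are this example's own conventions, not rules enforced by the service.

```python
"""Added example: pre-flight review of an SSM Automation document.

Illustrative code for this page, not the lab's or AWS's own. NGINX_DOC is the
lab's nginxinstall.yaml transcribed to a dict; the review rules are ours.
"""
import re

NGINX_DOC = {
    "schemaVersion": "0.3",
    "description": "Updates AMI with Linux distribution packages and installs Nginx software",
    "assumeRole": "{{AutomationAssumeRole}}",
    "parameters": {
        "InstanceId": {"description": "ID of the Instance.", "type": "String"},
        "AutomationAssumeRole": {"default": "", "type": "String",
            "description": "(Optional) The ARN of the role that allows Automation to perform the actions on your behalf."},
    },
    "mainSteps": [
        {"name": "updateOSSoftware", "action": "aws:runCommand", "maxAttempts": 3, "timeoutSeconds": 3600,
         "inputs": {"DocumentName": "AWS-RunShellScript", "InstanceIds": ["{{InstanceId}}"],
                    "CloudWatchOutputConfig": {"CloudWatchOutputEnabled": "true"},
                    "Parameters": {"commands": ["sudo yum update -y\n"]}}},
        {"name": "InstallNginx", "action": "aws:runCommand", "maxAttempts": 3, "timeoutSeconds": 300,
         "inputs": {"DocumentName": "AWS-RunShellScript", "InstanceIds": ["{{InstanceId}}"],
                    "CloudWatchOutputConfig": {"CloudWatchOutputEnabled": "true"},
                    "Parameters": {"commands": ["sudo amazon-linux-extras install nginx1 -y\nsudo service nginx start\n"]}}},
        {"name": "TestInstall", "action": "aws:runCommand", "maxAttempts": 3, "timeoutSeconds": 3600,
         "onFailure": "Abort",
         "inputs": {"DocumentName": "AWS-RunShellScript", "InstanceIds": ["{{InstanceId}}"],
                    "Parameters": {"commands": ["curl localhost\n"]}}},
    ],
}

PARAM_REF = re.compile(r"\{\{\s*([A-Za-z0-9_]+)\s*\}\}")


def _strings(node):
    """Yield every string value nested anywhere in a dict/list structure."""
    if isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)
    elif isinstance(node, str):
        yield node


def unresolved_parameters(doc):
    """Names referenced as {{Name}} anywhere outside 'parameters' but never declared there."""
    declared = set(doc.get("parameters", {}))
    referenced = set()
    for text in _strings({k: v for k, v in doc.items() if k != "parameters"}):
        referenced.update(PARAM_REF.findall(text))
    return sorted(referenced - declared)


def shell_commands(doc):
    """Map each aws:runCommand step to the shell lines it will execute on the instance."""
    result = {}
    for step in doc.get("mainSteps", []):
        if step.get("action") != "aws:runCommand":
            continue
        blocks = step.get("inputs", {}).get("Parameters", {}).get("commands", [])
        result[step["name"]] = [ln.strip() for b in blocks for ln in b.splitlines() if ln.strip()]
    return result


def review_document(doc):
    """Return human-readable findings; an empty list means nothing to raise."""
    findings = []
    if doc.get("schemaVersion") != "0.3":
        findings.append(f"schemaVersion is {doc.get('schemaVersion')!r}; Automation documents use 0.3")
    for step in doc.get("mainSteps", []):
        name = step.get("name", "<unnamed>")
        if step.get("action") != "aws:runCommand":
            continue
        inputs = step.get("inputs", {})
        for key in ("maxAttempts", "timeoutSeconds"):
            if key not in step:
                findings.append(f"{name}: no {key} set")
        enabled = inputs.get("CloudWatchOutputConfig", {}).get("CloudWatchOutputEnabled")
        if str(enabled).lower() != "true":
            findings.append(f"{name}: CloudWatch output not enabled")
        if inputs.get("InstanceIds") != ["{{InstanceId}}"]:
            findings.append(f"{name}: targets {inputs.get('InstanceIds')} rather than the InstanceId parameter")
    for name in unresolved_parameters(doc):
        findings.append(f"{{{{{name}}}}} is referenced but not declared under parameters")
    return findings


if __name__ == "__main__":
    for step, lines in shell_commands(NGINX_DOC).items():
        print(step, "->", "; ".join(lines))
    for finding in review_document(NGINX_DOC):
        print("FINDING:", finding)
```

Run against the lab's document, the review reports one finding: the TestInstall step has no CloudWatchOutputConfig, so the curl output is visible only in the Automation console, not in CloudWatch Logs alongside the other two steps. That is a choice the lab makes, not an error, but it is the kind of gap a reviewer wants to see before the document is registered and later exposed through Service Catalog.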

We will come back to this document in Section 2, where we expose it as a self-service action in AWS Service Catalog.

AWS Systems Manager Automation is a powerful tool that allows us to create workflows that execute scripts against instances and also make AWS API calls. For more information on how to work with Automation Documents, please check out the documentation on how to create operational playbooks.

Review

In this lab we became familiar with some capabilities of AWS Systems Manager to manage and configure managed instances. We demonstrated the ability to securely and remotely execute commands within supported managed instances, and how we can orchestrate maintenance tasks against EC2 managed instances. We also demonstrated how to create a custom Automation Document and how to set up inventory collection in AWS Systems Manager.

Let’s delete our mgt312-test stack before we move on to the next Section.

Please visit the AWS Systems Manager page and documentation for more information about the service and use cases.