⬡ Hub
Skip to content

AWS Systems Manager

Detailed Content

AWS Systems Manager is a collection of capabilities that helps you automate operational tasks, gain operational insights, and manage AWS resources and on-premises servers. It simplifies resource and application management, shortens the time to detect and resolve operational problems, and makes it easier to operate and manage your infrastructure at scale.

Core Capabilities

AWS Systems Manager offers a unified approach to managing your AWS resources, providing a central console and set of tools for operational insights and management capabilities across your environment.

  • Run Command: Securely executes commands on one or more instances (EC2 or on-premises) remotely, without SSH or RDP. It allows for automation of administrative tasks, such as installing software, running shell scripts, and applying patches.
  • State Manager: Automates the process of keeping your servers in a defined, desired state. You can define and maintain OS configurations, application configurations, and other settings. It helps ensure compliance and consistency across your fleet.
  • Patch Manager: Automates the process of patching managed instances with security updates and other bug fixes. It allows you to set up patch baselines, scan instances for missing patches, and apply patches automatically on a schedule.
  • Session Manager: Provides secure and auditable instance management without opening inbound ports, managing SSH keys, or using bastion hosts. It allows you to access EC2 instances or on-premises servers through a browser-based shell or AWS CLI, improving security posture.
  • Parameter Store: Provides secure, hierarchical storage for configuration data and secrets management. You can store data such as database strings, passwords (encrypted with KMS), API keys, and other values. Parameters can be retrieved and used by other AWS services.
  • Automation: Simplifies common maintenance and deployment tasks for AWS resources. It defines runbooks (sequences of actions) that can be executed automatically or on demand. Automation documents can interact with various AWS services.
  • Distributor: Safely and reliably distributes software packages (e.g., agents, applications) to your managed instances. It supports versioning, rollback, and can target instances based on tags.
  • Inventory: Collects metadata (applications, network configurations, services, system information) from your managed instances (EC2 or on-premises). This provides visibility into your instance configurations, helping with auditing and compliance.
  • Maintenance Windows: Allows you to define recurring windows of time to perform potentially disruptive actions, such as patching an operating system, updating drivers, or installing software. This helps ensure that critical operations are performed during off-peak hours.
  • Explorer: An customizable operations dashboard that aggregates operational data from across your AWS accounts and Regions. Explorer displays a contextualized view of your operations items (OpsItems) and resources, helping you quickly focus on issues.
  • OpsCenter: Provides a central location where operational engineers and IT professionals can view, investigate, and resolve operational work items (OpsItems) related to your AWS resources. OpsCenter automatically aggregates and dedupes OpsItems from various AWS services like CloudWatch, Config, and EC2.
  • Application Manager: A capability that helps you manage your applications across different AWS services (e.g., EC2, Lambda, EKS) from a single console. It allows you to view operational data, application resources, and define application groups.
  • AppConfig: Helps developers quickly and safely deploy application configuration changes without deploying new code. It includes capabilities for validation, gradual deployments, and rollbacks.
  • Change Manager: A framework within Systems Manager that simplifies the way you request, approve, implement, and report on operational changes to your application configuration and infrastructure. It helps reduce the risk of changes to your application environment.

Use Cases

  • Automated Patching and Updates: Use Patch Manager to automatically apply security patches and updates to your EC2 instances and on-premises servers on a schedule, ensuring systems are up-to-date and secure.
  • Configuration Management: Maintain consistent configurations across your server fleet using State Manager, ensuring compliance and reducing configuration drift.
  • Secure Remote Access: Grant engineers secure, auditable, and browser-based access to instances without opening SSH/RDP ports using Session Manager, enhancing security and simplifying access management.
  • Centralized Application Management: Store and retrieve configuration parameters and secrets securely using Parameter Store, centralizing application settings and improving security by not hardcoding sensitive data.
  • Orchestrate Operational Workflows: Automate complex operational tasks using Automation documents, such as instance restarts, AMI golden image creation, or custom application deployments.
  • Inventory and Compliance: Collect detailed software and hardware inventory from all managed instances using Inventory, helping you identify installed applications, analyze compliance, and prepare for audits.
  • Incident Response and Troubleshooting: Use Explorer and OpsCenter to get a centralized view of operational issues, investigate their root causes, and initiate remediation actions quickly.

Interview Questions

Conceptual Questions

  1. What is AWS Systems Manager and what is its primary goal?
    • AWS Systems Manager is a collection of capabilities that helps automate operational tasks, gain operational insights, and manage AWS resources and on-premises servers. Its primary goal is to simplify and automate infrastructure management at scale, improve operational efficiency, and reduce manual effort.
  2. Explain the purpose of Run Command and Session Manager in Systems Manager.
    • Run Command: Securely executes commands on one or more instances remotely, without needing SSH or RDP. It's used for automating administrative tasks like installing software, running scripts, or configuring services.
    • Session Manager: Provides secure and auditable browser-based shell or AWS CLI access to instances without opening inbound ports or managing SSH keys. It enhances security and simplifies instance access.
  3. How does Systems Manager Parameter Store help with secrets management and configuration?
    • Parameter Store provides secure, hierarchical storage for configuration data (e.g., database connection strings) and secrets (e.g., passwords, API keys). Secrets can be encrypted using KMS. It centralizes configuration, allows for versioning, and secure retrieval by other AWS services, preventing sensitive data from being hardcoded in applications.
  4. What is the role of Patch Manager in Systems Manager?
    • Patch Manager automates the process of scanning instances for missing patches and applying security updates and other bug fixes. It helps maintain a secure and compliant IT infrastructure by ensuring operating systems and applications are up-to-date.
  5. Explain the difference between Systems Manager Automation documents and Run Command.
    • Run Command: Designed for executing single commands or scripts on instances.
    • Automation: Designed for orchestrating complex, multi-step maintenance and deployment tasks across multiple AWS resources, often involving several AWS services using runbooks. Automation can call Run Command.

Scenario-Based Questions

  1. You have a fleet of EC2 instances running a web application, and you need to ensure they are all patched regularly and consistently during a specific maintenance window. How would you achieve this using Systems Manager?
    • I would use Patch Manager to define a patch baseline (e.g., AWS-WindowsUpdateBaseline or AWS-LinuxDefaultPatchBaseline). Then, I would configure a Maintenance Window for the desired patching schedule. Within that Maintenance Window, I would create a Patch Manager task targeting my EC2 instances (identified by tags), which would scan for and apply the approved patches, ensuring consistent and scheduled updates without disrupting peak application usage.
  2. Your security team has mandated that no inbound SSH ports should be open on any EC2 instances for enhanced security. However, your operations team still needs shell access for troubleshooting. How would you address this requirement?
    • I would use Session Manager. This allows the operations team to get secure, auditable, and interactive shell access to the EC2 instances through a browser-based console or AWS CLI without opening any inbound SSH ports. Session Manager traffic is encrypted and uses IAM for authentication and authorization, eliminating the need for SSH keys and bastion hosts.
  3. You are deploying a new application that uses several configuration parameters (e.g., database endpoints, external API keys) that need to be managed securely and easily updated. How would you store and manage these parameters?
    • I would use Systems Manager Parameter Store. I would store the database endpoints as String parameters and the external API keys as SecureString parameters (encrypted with AWS KMS). My application code would then retrieve these parameters at runtime. This centralizes configuration, enables versioning of parameters, securely handles secrets, and allows for easy updates without redeploying the application code.
  4. You need to create a golden AMI for your EC2 instances weekly, which involves starting an instance from a base AMI, installing software, configuring it, testing it, and then creating a new AMI. How can you automate this complex workflow?
    • I would use Systems Manager Automation. I would create an Automation runbook that orchestrates these steps:
      1. Launch a new instance from the base AMI.
      2. Use Run Command to execute scripts for software installation and configuration.
      3. Perform tests (potentially using another Run Command for a testing script or integrating with a CI/CD pipeline).
      4. Create an AMI from the configured instance.
      5. Clean up the temporary instance. This entire process can be triggered on a schedule or on-demand.

Coding/CLI Examples

Here are some common Systems Manager operations using the AWS CLI and Python (Boto3).

AWS CLI Examples

  1. Send a command to an EC2 instance using Run Command (e.g., check disk usage): ```bash # Ensure the EC2 instance has an IAM role with SSM permissions (e.g., AmazonSSMManagedInstanceCore) INSTANCE_ID="i-0abcdef1234567890" # Replace with your EC2 Instance ID

    aws ssm send-command \ --instance-ids $INSTANCE_ID \ --document-name "AWS-RunShellScript" \ --parameter 'commands=["df -h"]' \ --comment "Check disk usage on instance" ```

  2. Create a Parameter Store parameter (SecureString): bash aws ssm put-parameter \ --name "/my-app/prod/db-password" \ --value "MySuperSecretDBP@assword" \ --type "SecureString" \ --key-id "alias/aws/ssm" \ --description "Database password for production application" \ --overwrite # Use if updating existing parameter

  3. Get a Parameter Store parameter (decrypting SecureString): bash aws ssm get-parameter \ --name "/my-app/prod/db-password" \ --with-decryption \ --query 'Parameter.Value' --output text

  4. Start a Session Manager session (requires SSM Agent installed on instance): ```bash INSTANCE_ID="i-0abcdef1234567890" # Replace with your EC2 Instance ID

    Ensure you have the session-manager-plugin installed for AWS CLI

    aws ssm start-session \ --target $INSTANCE_ID ```

  5. Create a Systems Manager Automation document (simplified example): yaml # Example automation document: RestartWebServer.yml # --- # schemaVersion: '0.3' # description: Restart a web server (e.g., Apache/Nginx) on an EC2 instance. # assumeRole: '{{AutomationAssumeRole}}' # parameters: # InstanceId: # type: String # description: (Required) The ID of the instance. # AutomationAssumeRole: # type: String # description: (Required) The ARN of the IAM role that allows Automation to perform the actions on your behalf. # mainSteps: # - name: stopWebServer # action: aws:runShellScript # inputs: # InstanceIds: ['{{InstanceId}}'] # Commands: ['sudo systemctl stop httpd || sudo systemctl stop nginx'] # CloudWatchOutputConfig: {CloudWatchLogGroupName: '/aws/ssm/Automation', CloudWatchOutputEnabled: true} # - name: startWebServer # action: aws:runShellScript # inputs: # InstanceIds: ['{{InstanceId}}'] # Commands: ['sudo systemctl start httpd || sudo systemctl start nginx'] # CloudWatchOutputConfig: {CloudWatchLogGroupName: '/aws/ssm/Automation', CloudWatchOutputEnabled: true} # ... (Actual document would be more robust) ```bash # Upload the document aws ssm create-document \ --name "RestartWebServer" \ --content "file://RestartWebServer.yml" \ --document-type "Automation"

    Execute the automation (Requires an AutomationAssumeRole with appropriate permissions)

    ROLE_ARN="arn:aws:iam::123456789012:role/AutomationServiceRole" # Replace with your Automation Role ARN

    # aws ssm start-automation execution-parameters \ # DocumentName="RestartWebServer", \

    Parameters={InstanceId=["i-0abcdef1234567890"], AutomationAssumeRole=["$ROLE_ARN"]}

    ```

Python (Boto3) Examples

First, ensure you have Boto3 installed (pip install boto3) and your AWS credentials configured.

  1. Send a command to an EC2 instance using Run Command (Python version check): ```python import boto3

    ssm_client = boto3.client('ssm')

    instance_id = "i-0abcdef1234567890" # REPLACE with your EC2 Instance ID command = "python3 --version"

    try: response = ssm_client.send_command( InstanceIds=[instance_id], DocumentName="AWS-RunShellScript", Parameters={'commands': [command]}, Comment="Check Python 3 version" ) command_id = response['Command']['CommandId'] print(f"Command sent with ID: {command_id}")

    # Wait for command to complete and get output
time.sleep(5) # Give it some time to execute
output = ssm_client.get_command_invocation(
    CommandId=command_id,
    InstanceId=instance_id
)
print("Output:")
print(output['StandardOutputContent'])
print("Error:")
print(output['StandardErrorContent'])

    except Exception as e: print(f"Error sending command: {e}") ```

  2. Create a Parameter Store parameter (String type): ```python import boto3

    ssm_client = boto3.client('ssm')

    parameter_name = "/my-boto3-app/dev/api-endpoint" parameter_value = "https://dev.api.example.com/v1"

    try: response = ssm_client.put_parameter( Name=parameter_name, Value=parameter_value, Type='String', Description="API endpoint for development environment", Overwrite=True ) print(f"Parameter {parameter_name} created/updated. Version: {response['Version']}") except Exception as e: print(f"Error creating parameter: {e}") ```

  3. Retrieve Parameter Store parameters by path: ```python import boto3

    ssm_client = boto3.client('ssm')

    path = "/my-boto3-app/dev/"

    try: response = ssm_client.get_parameters_by_path( Path=path, Recursive=True, WithDecryption=True # Set to True if SecureString parameters are in the path ) print(f"Parameters under path {path}:") for param in response['Parameters']: print(f"- {param['Name']}: {param['Value']}") except Exception as e: print(f"Error retrieving parameters: {e}") ```