An often unsung hero of the AWS EC2 service is Systems Manager, which is located at the bottom of the left-hand menu of the EC2 console. It has an array of powerful features that you can leverage to manage your instances. It lets you handle running scripts, patching and configuration tasks from the AWS console instead of directly on the instance.
There are multiple components available for use with Systems Manager:
EC2 run command
EC2 Run Command is a service that allows you to remotely execute shell scripts on Windows and Linux. Additionally, this functionality can be extended to on-premise instances! There is an agent involved in this process, but it is baked into most of the stock AMIs available on AWS. The functionality of this service is near limitless if you are skilled with bash or PowerShell. Run Command allows you to push out commands to all required instances at once.
State Manager is a powerful tool that helps to govern the configuration of a system. For example, using State Manager you can apply the Windows firewall settings you want and set that as the state. If these rules are changed outside of State Manager, they are automatically reverted to match the state. This is also useful for things such as ensuring the latest patches are installed and reinstalling them if they are removed, keeping malware definitions current, and ensuring only permitted services can run. State Manager is extremely useful for environments where you need to maintain compliance and as part of a continuous compliance solution.
Available for Windows systems, the patching tools in Systems Manager involve setting up baseline documents and then using the compliance feature to monitor the instances and their patch states. You can use prebuilt documents or create your own to specify the maintenance windows and patch types you want to be used. You can organise it so that security updates are installed daily across all your Windows instances.
Parameter Store is a service that can store strings, lists and encrypted strings. These can be used in conjunction with other features to inject values into scripts or configurations. One use case is a secure string encrypted with a KMS key that holds a password needed for the initial setup of an application on all new machines, which they can securely reference. There are vendors that offer this kind of functionality, but now you can have it natively in AWS.
The Automation tool is designed to help you manage updating your AMIs. You can use the premade document to take a base AMI, run scripts on it, include or omit packages, and then save the resulting system as a new AMI.
Inventory allows you to keep track of all the details of your systems: it can tell you operating system versions, patch status, and installed applications and their versions. You can create custom inventory items and control the polling rate of the instances. This tool is very useful for identifying outdated applications.
Now let’s put it all together!
The system in the diagram can do the following without requiring RDP/SSH:
- Automatically install Windows updates and patches during a maintenance window.
- Ensure that the firewall rules are set as desired and not changed.
- Keep running tabs on malware definitions.
- Run any kind of PowerShell script.
- Access an externally stored encrypted password for the initial setup of Windows apps on new copies of this instance.
- Package management and updates with package manager.
- The list of packages that require installation and/or updates is managed externally by a parameter list that the instance references. Packages can be added or removed by updating the list in the AWS console.
- Run bash scripts for administration tasks.
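As an added illustration of the parameter-driven package list above (example code, not from the original post or from AWS): a helper that reads the list from Parameter Store, validates it, and produces the commands an AWS-RunShellScript invocation would run. The parameter path /app/packages, the Debian-style package naming rule and the "managed" set are assumptions; only `fetch_package_list` touches AWS.

```python
import re
import shlex

PACKAGE_RE = re.compile(r"^[a-z0-9][a-z0-9+.-]*$")  # Debian-style package names


def fetch_package_list(param_name="/app/packages"):
    """Read the StringList parameter (assumed path) from Parameter Store."""
    import boto3  # imported lazily so the planning logic also runs offline
    ssm = boto3.client("ssm")
    return ssm.get_parameter(Name=param_name)["Parameter"]["Value"]


def parse_package_list(value):
    """Parse "nginx, git,curl,git" into ["nginx", "git", "curl"].

    The parameter is input the instance trusts, so anything that is not a
    plain package name (for example an entry containing spaces or ';') is
    rejected instead of being interpolated into a shell command."""
    names = []
    for raw in value.split(","):
        name = raw.strip()
        if not name:
            continue
        if not PACKAGE_RE.match(name):
            raise ValueError(f"invalid package name in parameter: {name!r}")
        if name not in names:
            names.append(name)
    return names


def plan_changes(desired, installed, managed):
    """Return (to_install, to_remove). Only packages this script installed
    earlier ("managed") are ever removed, so a name dropped from the list
    never uninstalls base-OS packages that merely happen to be absent."""
    installed = set(installed)
    to_install = [p for p in desired if p not in installed]
    to_remove = sorted(p for p in managed if p in installed and p not in desired)
    return to_install, to_remove


def build_commands(to_install, to_remove):
    """apt-get lines suitable for the AWS-RunShellScript document's 'commands'."""
    cmds = ["export DEBIAN_FRONTEND=noninteractive", "apt-get update -q"]
    if to_install:
        cmds.append("apt-get install -y " + " ".join(map(shlex.quote, to_install)))
    if to_remove:
        cmds.append("apt-get remove -y " + " ".join(map(shlex.quote, to_remove)))
    return cmds
```

On a real instance, `installed` would come from dpkg-query and `managed` from a small state file recording what earlier runs installed.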
This system is great because it lets you get the same number of tasks done with even less access. In many use cases you will not need to SSH or RDP into the instances at all. Additionally, it adds automation to many of the mundane tasks involved in managing instances.
EC2 Systems Manager makes instances more compliant and more secure while requiring less work. On top of this, all tools and services in Systems Manager cost nothing at all to use!