Flux7 DevOps Blog

AWS Case Study: Use the New AWS Systems Manager to Manage AWS

Feb 6, 2018 1:35:00 PM Flux7 Labs EC2 Systems Manager


Earlier we shared our analysis of the new AWS Systems Manager as a stand-alone service to manage AWS. If you missed that story, you can find our walkthrough of the announcement here. As promised, in today’s blog we will show how the new features of AWS Systems Manager can benefit existing SSM users. While Flux7’s DevOps consulting teams are heavy users of SSM, we’d like to call out two enterprise AWS case study stories today that illustrate how the new AWS Systems Manager can streamline and improve operations and compliance for SSM users moving forward.

As you will see in the following stories, a consolidated view of operational data for monitoring and troubleshooting will streamline the management process for many enterprise AWS users, as will the ability to automate actions on resource groups. Moreover, we expect the new AWS Systems Manager to increase security through its integrated compliance dashboards, automated patching, and data that helps expedite problem resolution. The new AWS Systems Manager is available across all public AWS regions, so if you are currently using SSM, you already have access to the new toolset, all at no additional charge.

Our first story is of a Fortune 500 manufacturer that wanted to simplify the maintenance of its instances to improve security and compliance. SSM was used to accomplish this goal. First, we employed SSM’s encrypted Parameter Store to handle secrets. As the firm already followed solid IAM practices regarding permissions, this made it easy to provide the necessary separation of KMS keys for encrypted parameters. Next, we used SSM Run Command’s ability to run scripts from S3 to create an API for common administrative tasks. This gave us a common repository of administrative scripts that different users could run on their own servers.

We rebuilt their AMI baking process into a serverless pipeline using SSM Automation documents triggered by CloudWatch Events: start from a base AMI, run the Ansible playbook, bake an image, test the image, and share it with other accounts. Finally, the target account had a periodic trigger that searched for new images shared with the account and again used SSM Automation to bring up instances from the image with encrypted volumes and bake it again as an encrypted image.
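The bake pipeline described above, expressed as an SSM Automation document (schemaVersion 0.3) with a small reference linter. This is an added example, not Flux7's or the customer's document; the parameter names, instance type, playbook command and the use of an Ansible playbook via AWS-RunShellScript are assumptions.

```python
"""Serverless AMI bake as an SSM Automation document: launch from a base AMI,
run the Ansible playbook, create the image, share it with another account and
terminate the builder. Added example, not Flux7's document; parameter names
and the playbook command are assumptions."""
import re

STEP_REF = re.compile(r"\{\{\s*(\w+)\.(\w+)\s*\}\}")   # matches {{ step.Output }}
ACTION_OUTPUTS = {"aws:runInstances": {"InstanceIds"}, "aws:createImage": {"ImageId"}}

def bake_document(playbook_cmd="ansible-playbook /opt/bake/site.yml") -> dict:
    """Build the document; a CloudWatch Events rule with an Automation target runs it."""
    return {
        "schemaVersion": "0.3",
        "assumeRole": "{{ AutomationAssumeRole }}",   # scoped role, not the caller's
        "parameters": {p: {"type": "String"} for p in
                       ("SourceAmiId", "TargetAccountId", "AutomationAssumeRole")},
        "mainSteps": [
            {"name": "launch", "action": "aws:runInstances",
             "inputs": {"ImageId": "{{ SourceAmiId }}", "InstanceType": "t3.small",
                        "MinInstanceCount": 1, "MaxInstanceCount": 1}},
            {"name": "configure", "action": "aws:runCommand",
             "inputs": {"DocumentName": "AWS-RunShellScript",
                        "InstanceIds": "{{ launch.InstanceIds }}",
                        "Parameters": {"commands": [playbook_cmd]}}},
            {"name": "bake", "action": "aws:createImage",
             "inputs": {"InstanceId": "{{ launch.InstanceIds }}",
                        "ImageName": "baked-{{ global:DATE_TIME }}", "NoReboot": False}},
            {"name": "share", "action": "aws:executeAwsApi",
             "inputs": {"Service": "ec2", "Api": "ModifyImageAttribute",
                        "ImageId": "{{ bake.ImageId }}",
                        "LaunchPermission": {"Add": [{"UserId": "{{ TargetAccountId }}"}]}}},
            {"name": "cleanup", "action": "aws:terminateInstances",
             "inputs": {"InstanceIds": "{{ launch.InstanceIds }}"}},
        ],
    }

def check_step_references(doc: dict) -> list:
    """Lint {{ step.Output }} references: each must name an earlier step that
    actually exposes that output. Returns a list of problem strings."""
    problems, seen = [], {}
    for step in doc["mainSteps"]:
        for ref_step, out in STEP_REF.findall(str(step["inputs"])):
            if ref_step not in seen:
                problems.append(f"{step['name']}: '{ref_step}' is not an earlier step")
            elif out not in seen[ref_step]:
                problems.append(f"{step['name']}: '{ref_step}' has no output '{out}'")
        seen[step["name"]] = ACTION_OUTPUTS.get(step["action"], set())
    return problems
```

Run the linter before `ssm.create_document` so a mis-ordered step fails at authoring time rather than mid-bake.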

We met the customer’s other compliance needs using Patch Manager, State Manager, and Inventory. We deployed multiple patch groups and baselines for Patch Manager so users can choose the rules appropriate for them using tags. We also created baselines with delays in deploying patches, so users get a chance to test the updates in development before rolling them out to production. All of this compliance data was ingested into an Elasticsearch cluster.
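The patch group and delayed-baseline layout from this story, as an added example that is not Flux7's or the customer's code. The group names, the delay values, the Amazon Linux operating system and the filter on Security patches are assumptions.

```python
"""Patch Manager layout: one baseline per patch group, with a longer approval
delay for production so fixes are proven in development first; instances opt in
with the "Patch Group" tag. Added example, not Flux7's code; group names,
delays and the OS are assumptions."""

PATCH_PLAN = {"dev": 0, "staging": 3, "prod": 7}   # constructed: group -> delay in days
OPERATING_SYSTEM = "AMAZON_LINUX"                  # assumption about the fleet


def build_baseline(patch_group: str, approve_after_days: int) -> dict:
    """Kwargs for ssm.create_patch_baseline: auto-approve Security patches of
    Critical/Important severity once they are approve_after_days old."""
    if approve_after_days < 0:
        raise ValueError("ApproveAfterDays cannot be negative")
    return {
        "Name": f"baseline-{patch_group}",
        "OperatingSystem": OPERATING_SYSTEM,
        "Description": f"{patch_group}: auto-approve after {approve_after_days} days",
        "ApprovalRules": {"PatchRules": [{
            "PatchFilterGroup": {"PatchFilters": [
                {"Key": "CLASSIFICATION", "Values": ["Security"]},
                {"Key": "SEVERITY", "Values": ["Critical", "Important"]},
            ]},
            "ApproveAfterDays": approve_after_days,
            "ComplianceLevel": "CRITICAL",   # a missing patch is reported as CRITICAL
        }]},
    }


def deploy_baselines(ssm, plan: dict = PATCH_PLAN) -> dict:
    """Create one baseline per group and bind it to the patch group name, so an
    instance tagged Patch Group=<group> scans against it. Returns group -> id.
    `ssm` is a boto3 SSM client or any object with the same two methods."""
    bound = {}
    for group, days in plan.items():
        baseline_id = ssm.create_patch_baseline(**build_baseline(group, days))["BaselineId"]
        ssm.register_patch_baseline_for_patch_group(BaselineId=baseline_id, PatchGroup=group)
        bound[group] = baseline_id
    return bound


if __name__ == "__main__":
    import boto3   # real run; needs credentials allowed to create baselines
    print(deploy_baselines(boto3.client("ssm")))
```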

With the new AWS Systems Manager, we could have easily grouped the company’s AWS assets, and implemented automated patching across the entire group, not just EC2 instances. This fleet-wide automation would have simplified the patching process while providing a more accessible, central console for ease of management and visualization.

The second organization, Voyant, is a leader in the financial services industry. While it had a very solid system in place, it sought continuous improvement for internal and external security compliance, including patch management, creating audit trails, and alerting on suspicious activity. We used AWS CloudTrail and AWS Config to create an audit trail and to alert on it; for server patch management we used SSM Patch Manager, architected to automate the patching of instances. It was designed to scan for missing patches and for instances that need updating. Under this design, the firm could easily select the patches it wanted to install and then automatically install any or all missing patches.

With automated patches (and rules for auto-approving patches), this firm’s systems are patched regularly and on an as-needed basis as well. To further automate the process, we used Amazon Inspector to trigger alerts on common vulnerabilities and exposures. These alerts in turn triggered a Lambda function that used EC2 Run Command to update the affected instance, actively meeting the company’s need for internal and external security policy compliance.
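The Inspector-to-Lambda-to-Run-Command flow described in the last two paragraphs, as an added example that is not Flux7's or Voyant's code. It assumes the Inspector notification reaches Lambda through SNS with a JSON message carrying the finding ARN under `finding`, and that High and Medium findings are the ones worth auto-patching; both are assumptions.

```python
"""Inspector finding arrives via SNS, the Lambda resolves the affected instance
and severity, and patches it with AWS-RunPatchBaseline through Run Command.
Added example, not Flux7's code; SNS message keys and the severity cut-off
are assumptions."""
import json

try:
    import boto3          # present in the Lambda runtime; optional offline
except ImportError:
    boto3 = None

PATCH_SEVERITIES = {"High", "Medium"}   # assumption: findings that trigger a patch

def finding_arns_from_event(event: dict) -> list:
    """Pull Inspector finding ARNs out of the SNS records of a Lambda event
    (assumed message shape: {"event": "FINDING_REPORTED", "finding": arn})."""
    arns = []
    for record in event.get("Records", []):
        msg = json.loads(record["Sns"]["Message"])
        if msg.get("event") == "FINDING_REPORTED" and msg.get("finding"):
            arns.append(msg["finding"])
    return arns

def remediate(event: dict, inspector, ssm) -> dict:
    """Resolve findings to instances and run AWS-RunPatchBaseline (Install) on
    those at or above the cut-off. Returns {instance_id: command_id}.
    Clients are injected so the logic can be exercised without AWS."""
    arns = finding_arns_from_event(event)
    if not arns:
        return {}
    targets = set()
    for finding in inspector.describe_findings(findingArns=arns)["findings"]:
        instance_id = finding.get("assetAttributes", {}).get("agentId")
        if instance_id and finding.get("severity") in PATCH_SEVERITIES:
            targets.add(instance_id)
    commands = {}
    for instance_id in sorted(targets):          # one command per instance
        resp = ssm.send_command(
            InstanceIds=[instance_id],
            DocumentName="AWS-RunPatchBaseline",
            Parameters={"Operation": ["Install"]},
            Comment="auto-remediation from Inspector finding",
        )
        commands[instance_id] = resp["Command"]["CommandId"]
    return commands

def lambda_handler(event, context):
    """Entry point subscribed to the Inspector SNS topic."""
    return remediate(event, boto3.client("inspector"), boto3.client("ssm"))
```

The Lambda role needs only `inspector:DescribeFindings` and `ssm:SendCommand` scoped to the AWS-RunPatchBaseline document and the patched instances.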

While the solution we architected for this firm was elegant, the new AWS Systems Manager now gives the company the ability to aggregate its operational data into a single dashboard, including its existing AWS Config rules and AWS CloudTrail trails. AWS Systems Manager’s new compliance dashboard will also be a boon to this firm, as it will be able to easily see the state of its patches and security controls.

For ongoing updates on AWS service news, tips and tricks, and analysis, please subscribe to our DevOps blog below. For additional AWS case studies on using advanced AWS services to increase management effectiveness and security:



Written by Flux7 Labs

Flux7 is the only Sherpa on the DevOps journey that assesses, designs, and teaches while implementing a holistic solution for its enterprise customers, thus giving its clients the skills needed to manage and expand on the technology moving forward. Not a reseller or an MSP, Flux7 recommendations are 100% focused on customer requirements and creating the most efficient infrastructure possible that automates operations, streamlines and enhances development, and supports specific business goals.
