As heavy users of Amazon’s EC2 Systems Manager (often referred to as SSM) for managing AWS environments, we were very interested in the recent announcement of AWS Systems Manager as a stand-alone service. Given the management tool’s prolific use across AWS accounts, we thought we’d walk you through the announcement, clarify some of the confusion around AWS’s nomenclature, and, in a second, follow-up blog, illustrate how its new features can benefit SSM users.
AWS Systems Manager vs SSM
First, some definitions and explanations. Prior to the announcement of AWS Systems Manager, operators used SSM, aka Amazon EC2 Systems Manager, to manage resources running on Amazon EC2, conducting tasks like applying patches, creating system images, and configuring OSs. The DevOps team at Flux7 particularly likes SSM for its ability to help ensure security-related compliance.
With this announcement, AWS Systems Manager effectively becomes your new SSM, expanding on its features. Note that all SSM tools and features are available in the new AWS Systems Manager (yes, you can even still invoke aws ssm commands), with the addition of new features and the ability to use those tools for more than just EC2. We think this makes sense, as SSM already had many features that were important outside of EC2, touching Lambda, AWS CloudFormation, and even on-premises infrastructure. The elevation of SSM to AWS Systems Manager is a welcome and much appreciated change.
What’s In AWS Systems Manager?
AWS Systems Manager allows you to create groups of resources from across AWS services (e.g. Amazon S3, Amazon RDS, VPC), whose operational data can then be visualized and acted upon as a group. This central hub offers operators a holistic vantage point from which they can effectively manage AWS resources. Specifically, AWS Systems Manager encapsulates the following features:
| Feature | What it does | How it helps | Comparable approach or tool |
|---|---|---|---|
| Resource Groups | A collection of AWS resources in the same region that match the criteria of a query. | Use AWS Systems Manager tools (e.g. Automation, Run Command, Patch Manager) to manage tasks across a whole group of resources. | Leave AWS resources unassociated and perform actions on each one individually. |
| Insights Dashboards | Centralizes all operational data for resource groups. | Provides a single dashboard for operational data analysis. | Create and maintain custom dashboards by ingesting the data yourself. |
| Inventory | Collects data on your instances and the software installed on them. | Manage application assets, track licenses, monitor file integrity, etc. more effectively with deeper system configuration and application data. | The variety of inventory collected is similar to tools like SolarWinds and OSSEC, but Inventory focuses on collecting the data rather than on dashboards, which the user still needs to create. |
| Automation | Automates tasks across AWS resources. | Create and execute a specific task list for common and/or repetitive tasks. Native EC2, CloudFormation, Lambda, and AWS Systems Manager integrations allow you to handle complex workloads. | Some features are similar to tools like Skeddly, but as a whole Automation brings the full power of SSM, allowing a very wide variety of tasks. |
| Run Command | Secure remote management. | Run commands across fleets of servers with throttling, bypass the need for VPN tunnels, and use IAM to manage server access. | SSH, or remote PowerShell with a tool like Ansible or Fabric, plus the required network infrastructure (bastion hosts, VPN tunnels), custom code, and permission handling. |
| Patch Manager | Create patch rules (baselines) to be deployed on instances. | Allow only patches that fit the required criteria, including patch type and time since the patch was released, to be deployed. | Similar to the patching rules that can be created in Microsoft SCCM. |
| Maintenance Window | Create time windows for performing and rolling out administrative tasks; includes features for throttling. | Particularly powerful in conjunction with Patch Manager. Maintenance Windows let admins protect system stability when performing high-risk or disruptive tasks. | Manage through cron, a config management tool like Chef or Puppet, or Microsoft SCCM on Windows. |
| State Manager | Periodically runs an operation defined inline, in S3, or in GitHub. | Provides configuration management and can run tests to ensure the system is in compliance. | Similar to Chef and Puppet, but State Manager is not opinionated about how operations are performed and can be used with configurations described in other config management tools, including native support for Ansible. |
| Parameter Store | Saves configuration options, either in plain text or encrypted using KMS. | Use it to maintain secrets and configuration information; especially useful for getting secrets out of code for better data security. | CyberArk and HashiCorp Vault are two of the most popular secret managers. They are more comprehensive solutions with more features, but Parameter Store beats them in ease of setup, use, and maintenance. |
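As an added example (not code from this post or from AWS), the following Python script shows two of the features in the table through the boto3 SSM client API: a KMS-encrypted SecureString in Parameter Store, and a throttled Run Command dispatched to instances selected by tag, together with the least-privilege IAM statements that scope who may send it. The client is passed in as an argument so the logic can be exercised without an account; the parameter name, KMS key alias, tag key/value and the command itself are assumed placeholders.

```python
"""Parameter Store secret + throttled, tag-targeted Run Command via the boto3 SSM API.

Added example, not code from the original post or from AWS. The SSM client is
passed in so the logic can be exercised with a stub; the parameter name, KMS key
alias, tag key/value and the command itself are assumed placeholders.
"""
from __future__ import annotations

PARAM_NAME = "/myapp/prod/db_password"  # hypothetical hierarchical parameter name
KMS_KEY_ALIAS = "alias/myapp-params"    # hypothetical customer-managed KMS key
DOCUMENT = "AWS-RunShellScript"         # AWS-managed command document


def store_secret(ssm, name: str, value: str, key_id: str = KMS_KEY_ALIAS) -> int:
    """Write value as a SecureString encrypted with key_id; returns the parameter version."""
    resp = ssm.put_parameter(Name=name, Value=value, Type="SecureString",
                             KeyId=key_id, Overwrite=True)
    return resp["Version"]


def read_secret(ssm, name: str) -> str:
    """Read a SecureString back; WithDecryption needs kms:Decrypt as well as ssm:GetParameter."""
    resp = ssm.get_parameter(Name=name, WithDecryption=True)
    return resp["Parameter"]["Value"]


def run_on_tagged_fleet(ssm, tag_key: str, tag_value: str, commands: list[str],
                        max_concurrency: str = "10%", max_errors: str = "1") -> str:
    """Send commands to every managed instance carrying tag_key=tag_value.

    Targeting by tag needs no SSH, bastion or VPN path; the SSM agent pulls the
    command. MaxConcurrency caps how many instances run at once and MaxErrors
    aborts the rollout once that many instances fail. Returns the CommandId.
    """
    resp = ssm.send_command(
        Targets=[{"Key": f"tag:{tag_key}", "Values": [tag_value]}],
        DocumentName=DOCUMENT,
        Parameters={"commands": commands},
        MaxConcurrency=max_concurrency,
        MaxErrors=max_errors,
        Comment=f"fleet run on {tag_key}={tag_value}",
    )
    return resp["Command"]["CommandId"]


def send_command_policy(tag_key: str, tag_value: str, region: str = "*",
                        account: str = "*") -> dict:
    """IAM policy document allowing SendCommand only against instances with the tag.

    Server access is managed in IAM rather than in sshd/authorized_keys: the
    first statement permits the document, the second limits target instances
    via the ssm:resourceTag condition key.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ssm:SendCommand",
             "Resource": f"arn:aws:ssm:{region}::document/{DOCUMENT}"},
            {"Effect": "Allow", "Action": "ssm:SendCommand",
             "Resource": f"arn:aws:ec2:{region}:{account}:instance/*",
             "Condition": {"StringEquals": {f"ssm:resourceTag/{tag_key}": tag_value}}},
        ],
    }


if __name__ == "__main__":
    import json
    import boto3  # real credentials and the permissions above are needed from here on
    ssm = boto3.client("ssm")
    print("stored version", store_secret(ssm, PARAM_NAME, "placeholder-secret"))
    print("read back", read_secret(ssm, PARAM_NAME))
    print("command", run_on_tagged_fleet(ssm, "Environment", "prod", ["uptime"]))
    print(json.dumps(send_command_policy("Environment", "prod"), indent=2))
```

Keeping the client as a parameter is what makes the access model visible: whoever runs this needs ssm:PutParameter/GetParameter plus KMS rights on the key for the secret, and the tag-scoped ssm:SendCommand policy for the fleet run, with no per-server credentials anywhere.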
A few of the things that we are most excited about are that AWS Systems Manager:
- Visualizes and manages more than EC2. For example, it can be used to manage on-premises servers and VMs alongside AWS resources, all in one interface.
- Allows you to define, watch and take action on resource groups, so you can see when a problem arises that would affect the group and act on it immediately. This hub, if you will, greatly improves visibility into resources as you no longer need to alt-tab between different consoles to find the operational data you need for different resources. It solidifies and improves on the existing Resource Groups feature that Amazon released.
- Automates tasks like applying patches, updates, and configuration changes as before, but can now do so across heterogeneous resource groups. One obvious example of how this might be used is by grouping resources into prod, dev and test environments.
- Features a new compliance dashboard that shows the state of defined security controls and patching status. Further expanding its compliance capabilities, Systems Manager is now also integrated with AWS Config, giving even greater insight into potential configuration drift, and with it the ability to return configs to a known-good state for configuration compliance. And just like SSM, Systems Manager has a centralized store for configuration data management so that secrets and configs can be stored outside of code.
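The patching status that the compliance dashboard surfaces is also available programmatically. As an added example (not code from the original post), the following Python script consumes the shape of boto3's ssm.describe_instance_patch_states response and flags instances that are missing approved patches, have failed installs, or are waiting on a reboot, then rolls the result up per patch group so a drifting group stands out. The sample response, instance ids and baseline id are constructed.

```python
"""Summarise Patch Manager state for a fleet and flag non-compliant instances.

Added example, not code from the original post. It consumes the shape returned
by boto3's ssm.describe_instance_patch_states (InstancePatchStates entries with
InstalledCount / MissingCount / FailedCount / InstalledPendingRebootCount). The
sample response below, including instance and baseline ids, is constructed.
"""
from __future__ import annotations

# Constructed sample mirroring the fields of describe_instance_patch_states.
SAMPLE_PATCH_STATES = {
    "InstancePatchStates": [
        {"InstanceId": "i-0aaa000000000001", "PatchGroup": "prod-web",
         "BaselineId": "pb-0123456789abcdef0", "Operation": "Install",
         "InstalledCount": 42, "MissingCount": 0, "FailedCount": 0,
         "InstalledPendingRebootCount": 0},
        {"InstanceId": "i-0aaa000000000002", "PatchGroup": "prod-web",
         "BaselineId": "pb-0123456789abcdef0", "Operation": "Install",
         "InstalledCount": 39, "MissingCount": 3, "FailedCount": 0,
         "InstalledPendingRebootCount": 0},
        {"InstanceId": "i-0aaa000000000003", "PatchGroup": "prod-db",
         "BaselineId": "pb-0123456789abcdef0", "Operation": "Install",
         "InstalledCount": 41, "MissingCount": 0, "FailedCount": 1,
         "InstalledPendingRebootCount": 2},
        {"InstanceId": "i-0aaa000000000004", "PatchGroup": "prod-db",
         "BaselineId": "pb-0123456789abcdef0", "Operation": "Scan",
         "InstalledCount": 42, "MissingCount": 0, "FailedCount": 0,
         "InstalledPendingRebootCount": 0},
    ]
}


def fetch_patch_states(ssm, instance_ids: list[str]) -> list[dict]:
    """Call describe_instance_patch_states in batches (the API takes at most 50 ids)."""
    states: list[dict] = []
    for i in range(0, len(instance_ids), 50):
        resp = ssm.describe_instance_patch_states(InstanceIds=instance_ids[i:i + 50])
        states.extend(resp["InstancePatchStates"])
    return states


def classify(state: dict) -> list[str]:
    """Return the reasons an instance is out of compliance; an empty list means compliant."""
    reasons = []
    if state.get("MissingCount", 0) > 0:       # approved by the baseline but not installed
        reasons.append(f"missing: {state['MissingCount']}")
    if state.get("FailedCount", 0) > 0:        # install attempted and failed
        reasons.append(f"failed: {state['FailedCount']}")
    if state.get("InstalledPendingRebootCount", 0) > 0:  # installed, not yet effective
        reasons.append(f"pending reboot: {state['InstalledPendingRebootCount']}")
    return reasons


def compliance_report(states: list[dict]) -> dict:
    """Split instances into compliant ids and non-compliant ids with their reasons."""
    report: dict = {"compliant": [], "non_compliant": {}}
    for st in states:
        reasons = classify(st)
        if reasons:
            report["non_compliant"][st["InstanceId"]] = {
                "patch_group": st.get("PatchGroup"), "reasons": reasons}
        else:
            report["compliant"].append(st["InstanceId"])
    return report


def group_summary(states: list[dict]) -> dict:
    """Per patch group: instance count and how many are non-compliant."""
    summary: dict = {}
    for st in states:
        g = summary.setdefault(st.get("PatchGroup", "(none)"),
                               {"instances": 0, "non_compliant": 0})
        g["instances"] += 1
        if classify(st):
            g["non_compliant"] += 1
    return summary


if __name__ == "__main__":
    import json
    states = SAMPLE_PATCH_STATES["InstancePatchStates"]
    print(json.dumps(compliance_report(states), indent=2))
    print(json.dumps(group_summary(states), indent=2))
```

Against a live account, replace the sample with fetch_patch_states(boto3.client("ssm"), ids); a Scan-only instance with zero missing patches is reported as compliant because the scan found nothing outstanding, while pending-reboot counts are flagged since those patches are not yet effective.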
As systems management plays a critical role in overall AWS success, it’s little wonder that SSM, and now the AWS Systems Manager, plays an integral role in many enterprise AWS deployments. Stay tuned for our follow-up blog in which we illustrate how current SSM users can benefit from the new AWS Systems Manager, as told through the story of a global enterprise. Want to make sure you don’t miss it? Subscribe to our DevOps blog below.