As an AWS developer, I’ve learned how crucial it is to have the right tools available to make sure my applications run properly. AWS Systems Manager (SSM), a unified operations and management service, fills this need by offering one interface for managing resources across many AWS services and on-premises machines.
SSM helps save time and effort while enhancing the security and performance of your cloud-based resources, whether you’re automating activities, managing instances, or guaranteeing compliance across your whole AWS infrastructure.
In this post, I’ll go through AWS Systems Manager’s capabilities, advantages, and use cases, and present practical examples of how it can be used to manage and automate your AWS infrastructure. I’ll also cover advanced topics and best practices to help you optimize your SSM configuration and make the most of this powerful tool.
I hope this article gives you the information and tools you need to take your cloud operations to the next level, whether you’re a seasoned AWS developer or just getting started. Let’s get started!
What is AWS Systems Manager?
Let us first examine what AWS SSM is.
Source: https://aws.amazon.com/systems-manager/
My office’s technical security team recently had to deploy an agent on all of their AWS-hosted servers. They operate many EC2 instances in their account to meet the needs of their clients. These servers run a variety of operating systems and carry a variety of workloads. As a result, generating Amazon Machine Images (AMIs) for each type of instance with the agent baked in would have taken a long time and a lot of work, which is not a smart strategy. Furthermore, many of the servers cannot tolerate a restart.
Here comes our savior, AWS Systems Manager, also known as SSM. It lets you inspect and control your infrastructure, run remote commands without SSH, view operational data from numerous AWS services, and automate operational tasks across your AWS resources. It allows you to manage and configure virtual machines and other AWS resources from one place.
Furthermore, you can use Systems Manager to automate routine maintenance and deployment processes such as patching, upgrading software, and managing settings across many instances and applications. It helps you maintain security and compliance by scanning your managed nodes (any machine configured for Systems Manager, whether an EC2 instance, an on-premises server, or a VM elsewhere) and reporting any policy violations it finds.
AWS Systems Manager Process Flow
To understand how SSM works, it helps to follow its process flow: a sequence of steps that takes a bare EC2 instance to a node whose configuration is managed and automated.
The first step is to make the instance a managed node. Install SSM Agent (it is preinstalled on Amazon Linux, Ubuntu Server and Windows Server AMIs), attach an IAM instance profile that lets the agent talk to the service (the AmazonSSMManagedInstanceCore managed policy is the usual starting point), and make sure the instance can reach the ssm, ssmmessages and ec2messages endpoints, either over the internet or through VPC endpoints. The agent then registers with the service and polls it for work; no inbound port is ever opened.
Next you need an SSM document: a JSON or YAML file describing the steps the agent (or, for Automation runbooks, the service) should carry out, such as installing software, running a script, or updating a configuration file. AWS ships hundreds of managed documents such as AWS-RunShellScript, and you can author your own.
To apply a document continuously, you create an association between the document and its targets. The targets can be a single instance, a list of instances, or a whole fleet selected by tag or resource group, and the association carries the parameters and the schedule to run on.
Once the association exists, State Manager applies it on its schedule and reports the result as compliance data. For one-off work you skip the association and use Run Command to execute the document immediately on a set of targets from the console, CLI or API. Either way, SSM Agent on each instance picks up the instruction from the service and performs the document’s steps.
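The Run Command path described above, as an added example in Python with boto3 (this is not code from the original post). It assumes an IAM identity allowed to call DescribeInstanceInformation, SendCommand and GetCommandInvocation; the instance IDs are placeholders. The first helper shows why a node may be silently missing from a fleet-wide command: it was never registered, or its agent is not Online.

```python
# Added example (not from the original post): the Run Command path from
# "is the node managed?" to the command's per-instance result.
# Assumptions: the caller's IAM identity may call DescribeInstanceInformation,
# SendCommand and GetCommandInvocation; instance IDs are placeholders.
try:
    import boto3
    from botocore.exceptions import WaiterError
except ImportError:  # the pure-Python helper below still works without the SDK
    boto3 = None
    WaiterError = Exception


def select_online_nodes(instance_information, wanted_ids):
    """Split the instances we want to target into nodes whose agent reports
    PingStatus=Online and a dict of the rest with the reason they were skipped.

    instance_information is the InstanceInformationList returned by
    DescribeInstanceInformation; an instance missing from it has never
    registered (no agent, no instance profile, or no route to the SSM endpoints).
    """
    by_id = {info["InstanceId"]: info for info in instance_information}
    online, skipped = [], {}
    for instance_id in wanted_ids:
        info = by_id.get(instance_id)
        if info is None:
            skipped[instance_id] = "not registered with Systems Manager"
        elif info.get("PingStatus") != "Online":
            skipped[instance_id] = f"agent PingStatus is {info.get('PingStatus')}"
        else:
            online.append(instance_id)
    return online, skipped


def run_shell(ssm, instance_ids, commands, timeout_seconds=600):
    """Run AWS-RunShellScript on the nodes and wait for each invocation.

    Returns {instance_id: (status, stdout)}. Run Command executes the script
    as root on Linux, so the commands list is privileged remote code execution
    and belongs behind tight IAM and CloudTrail review.
    """
    sent = ssm.send_command(
        InstanceIds=instance_ids,
        DocumentName="AWS-RunShellScript",
        Parameters={"commands": commands},
        TimeoutSeconds=timeout_seconds,
        Comment="added example: fleet check",
    )
    command_id = sent["Command"]["CommandId"]
    waiter = ssm.get_waiter("command_executed")
    results = {}
    for instance_id in instance_ids:
        try:
            waiter.wait(CommandId=command_id, InstanceId=instance_id)
        except WaiterError:
            pass  # Failed / TimedOut: the status read below says which
        inv = ssm.get_command_invocation(CommandId=command_id, InstanceId=instance_id)
        results[instance_id] = (inv["Status"], inv.get("StandardOutputContent", ""))
    return results


if __name__ == "__main__" and boto3 is not None:
    ssm = boto3.client("ssm")
    wanted = ["i-0123456789abcdef0", "i-0123456789abcdef1"]  # placeholders
    infos = []
    for page in ssm.get_paginator("describe_instance_information").paginate():
        infos.extend(page["InstanceInformationList"])
    online, skipped = select_online_nodes(infos, wanted)
    for instance_id, why in skipped.items():
        print(f"skipping {instance_id}: {why}")
    if online:
        for instance_id, (status, out) in run_shell(ssm, online, ["uname -r", "id -un"]).items():
            print(instance_id, status, out.strip())
```

The `id -un` command is there to make the point visible: the output is `root`, because Run Command does not drop privileges unless the document is written to do so.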
AWS Systems Manager Features
AWS Systems Manager is a broad management service that offers a variety of tools for managing your AWS resources. Let’s go through some of its important features.
Inventory
Systems Manager Inventory builds a consolidated software and configuration inventory of your managed nodes (EC2 instances and on-premises machines registered with SSM); it does not describe services such as VPCs or RDS. Inventory lets you query, search, and export the data (for example to S3 through a resource data sync, and from there to Athena or QuickSight) to support compliance and auditing.
SSM Inventory collects metadata about each node automatically, such as the operating system, network interfaces, and installed applications, on the schedule of the AWS-GatherSoftwareInventory association. The result is a clear picture of how each node is configured and what software runs on it.
Data can be gathered about applications, files, network configuration, Windows services, registry values, server roles, updates, and other system properties. You can use it to manage software assets, track licensing, check file integrity, and locate applications that were not installed through a regular installer.
Here are two code examples for software inventory that use the AWS SDK for Python (boto3):
# Add a custom inventory item. PutInventory accepts only custom types (TypeName
# prefixed "Custom:"); the AWS:-prefixed types are written by the agent itself.
import boto3
ssm = boto3.client('ssm')
response = ssm.put_inventory(
    InstanceId='i-0123456789abcdef0',
    Items=[
        {
            'TypeName': 'Custom:AppMetadata',
            'SchemaVersion': '1.0',
            'CaptureTime': '2022-02-15T08:00:00Z',
            'Content': [
                {
                    'Application': 'billing-api',
                    'Owner': 'platform-team',
                    'BuildVersion': '2022.03',
                },
            ],
        },
    ],
)
print(response['Message'])
This sample adds a custom inventory item to a managed node (specified by InstanceId). PutInventory accepts only custom types, whose TypeName must start with Custom:; the AWS:-prefixed types such as AWS:InstanceInformation are populated by the agent’s inventory collection. Each item carries a SchemaVersion, a CaptureTime, and a Content list of attribute dictionaries whose values are strings.
# List inventory entries for several instances. ListInventoryEntries takes a
# single InstanceId, so issue one call per instance.
import boto3
ssm = boto3.client('ssm')
for instance_id in ['i-0123456789abcdef0', 'i-0123456789abcdef1']:
    response = ssm.list_inventory_entries(
        InstanceId=instance_id,
        TypeName='AWS:InstanceInformation',
    )
    for entry in response['Entries']:
        print(instance_id, entry)
This code lists inventory entries of one type for several EC2 instances. ListInventoryEntries accepts a single InstanceId, so the loop issues one call per instance; TypeName selects the inventory data type (here the built-in AWS:InstanceInformation). To query many nodes at once with filters, use GetInventory instead.
Configuration Compliance
AWS Systems Manager Compliance shows, for every managed node, whether it is compliant with its patch baseline and whether its State Manager associations have applied successfully. With a resource data sync you can aggregate compliance data from several AWS accounts and Regions into one S3 bucket and then drill down into the non-compliant resources.
By default, Compliance reports patch and association compliance. You can extend it to your own checks by publishing custom compliance types (names prefixed Custom:) through the PutComplianceItems API, after which your findings appear alongside the built-in ones with a severity and a status.
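An added example (not from the original post) of the custom compliance path just described: a host check is published as a Custom: compliance type, and the resource compliance summaries are filtered down to nodes with findings above a severity threshold. The compliance type name, the checks and the summary records are constructed placeholders.

```python
# Added example (not from the original post): publish the result of your own
# host check as a custom compliance type, then pick out the nodes whose
# findings cross a severity threshold. The compliance type name, the checks
# and the summary records below are constructed placeholders.
from datetime import datetime, timezone

try:
    import boto3
except ImportError:
    boto3 = None

COMPLIANCE_TYPE = "Custom:HostHardening"  # custom types must start with "Custom:"
SEVERITIES = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def build_compliance_items(checks):
    """checks: iterable of (id, title, severity, passed) -> PutComplianceItems Items."""
    items = []
    for check_id, title, severity, passed in checks:
        if severity not in SEVERITIES:
            raise ValueError(f"unknown severity {severity!r}")
        items.append({
            "Id": check_id,
            "Title": title,
            "Severity": severity,
            "Status": "COMPLIANT" if passed else "NON_COMPLIANT",
        })
    return items


def put_custom_compliance(ssm, instance_id, checks):
    """Replace (UploadType=COMPLETE) this type's items for one managed node."""
    return ssm.put_compliance_items(
        ResourceId=instance_id,
        ResourceType="ManagedInstance",
        ComplianceType=COMPLIANCE_TYPE,
        ExecutionSummary={
            "ExecutionTime": datetime.now(timezone.utc),
            "ExecutionType": "Command",
        },
        Items=build_compliance_items(checks),
        UploadType="COMPLETE",
    )


def noncompliant_nodes(summaries, min_severity="HIGH"):
    """From ListResourceComplianceSummaries items, return the ResourceIds that are
    NON_COMPLIANT with at least one finding at or above min_severity."""
    count_key = {"CRITICAL": "CriticalCount", "HIGH": "HighCount", "MEDIUM": "MediumCount",
                 "LOW": "LowCount", "INFORMATIONAL": "InformationalCount"}
    watched = SEVERITIES[SEVERITIES.index(min_severity):]
    hits = []
    for summary in summaries:
        if summary.get("Status") != "NON_COMPLIANT":
            continue
        by_sev = summary.get("NonCompliantSummary", {}).get("SeveritySummary", {})
        if any(by_sev.get(count_key[level], 0) > 0 for level in watched):
            hits.append(summary["ResourceId"])
    return hits


if __name__ == "__main__" and boto3 is not None:
    ssm = boto3.client("ssm")
    checks = [  # constructed results of a local hardening check
        ("sshd-permit-root-login", "PermitRootLogin is no", "HIGH", True),
        ("ssm-agent-current", "SSM Agent is on the pinned version", "MEDIUM", False),
    ]
    put_custom_compliance(ssm, "i-0123456789abcdef0", checks)  # placeholder instance ID
    summaries = ssm.list_resource_compliance_summaries(
        Filters=[{"Key": "ComplianceType", "Values": [COMPLIANCE_TYPE], "Type": "EQUAL"}]
    )["ResourceComplianceSummaryItems"]
    print(noncompliant_nodes(summaries, "MEDIUM"))
```

UploadType=COMPLETE is the safer default for a scanner: it replaces the previous result set for that type, so a check that was removed from the scanner does not linger as a stale finding.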
Automation
Automation lets you define and run multi-step operational procedures across AWS resources. You can use the AWS-owned runbooks (for example AWS-RestartEC2Instance) or write your own Automation documents listing the exact steps to run.
Runbooks can be started from the console, CLI or SDK, scheduled through State Manager or maintenance windows, or triggered by Amazon EventBridge (formerly CloudWatch Events) when a resource changes. You can watch each step’s progress, insert an approval step (aws:approve) that pauses until a named approver signs off, roll a change out gradually with rate controls (MaxConcurrency and MaxErrors), and have the execution stop when the error threshold is reached.
Typical targets are Amazon EC2, Amazon RDS and other services that need routine remediation, maintenance and deployment work; automating these removes the mistakes that creep in when the same steps are performed by hand.
A runbook is simply an Automation document: a JSON or YAML definition of the steps, their inputs and outputs, and the IAM role the execution assumes. That role is the security boundary of the runbook, so scope it to the actions the steps actually need.
Session Manager
Session Manager gives you an interactive shell on one or more managed nodes without opening SSH or RDP ports, managing SSH keys, or running a bastion host. It is what makes the remote administration tasks above practical: you can reach a box to patch it, fix a service or inspect a user account without any inbound network path.
On Windows nodes the session is a PowerShell prompt; on Linux and macOS it is a shell. Because the agent makes an outbound connection to the service, no inbound port is opened at all, every StartSession call is recorded in CloudTrail, and the session transcript itself can be streamed to CloudWatch Logs or archived to S3, which considerably improves your security and audit posture.
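The "auditable, no inbound ports" property depends on two configurations that are easy to leave loose: the Session Manager preferences document and the IAM policy that grants ssm:StartSession. The following is an added example (not from the original post) that audits both; the preferences document, policies, ARNs and tag names are constructed samples.

```python
# Added example (not from the original post): check the two things that make
# Session Manager auditable and port-free in practice: the session preferences
# document (SSM-SessionManagerRunShell) and the IAM statement that grants
# ssm:StartSession. Both documents below are constructed samples; ARNs and
# tag names are placeholders.


def audit_session_preferences(document):
    """document: the JSON content of the SSM-SessionManagerRunShell Session document."""
    inputs = document.get("inputs", {})
    findings = []
    if not inputs.get("s3BucketName") and not inputs.get("cloudWatchLogGroupName"):
        findings.append("no session transcript destination (s3BucketName / cloudWatchLogGroupName)")
    if inputs.get("s3BucketName") and not inputs.get("s3EncryptionEnabled"):
        findings.append("S3 transcripts are written unencrypted (s3EncryptionEnabled=false)")
    if inputs.get("cloudWatchLogGroupName") and not inputs.get("cloudWatchEncryptionEnabled"):
        findings.append("CloudWatch log group is not required to be KMS-encrypted "
                        "(cloudWatchEncryptionEnabled=false)")
    if not inputs.get("kmsKeyId"):
        findings.append("session data is not encrypted with your KMS key (kmsKeyId unset)")
    if not inputs.get("runAsEnabled"):
        findings.append("runAsEnabled=false: Linux sessions start as ssm-user, "
                        "which has sudo rights by default")
    return findings


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_start_session_policy(policy):
    """Flag Allow statements that grant StartSession too broadly."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("ssm:StartSession", "ssm:*", "*") for a in actions):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        resources = _as_list(stmt.get("Resource", []))
        condition_keys = {k for cond in stmt.get("Condition", {}).values() for k in cond}
        any_instance = any(r == "*" or r.endswith(":instance/*") for r in resources)
        tag_scoped = any(k.startswith("ssm:resourceTag/") for k in condition_keys)
        if any_instance and not tag_scoped:
            findings.append(f"{sid}: StartSession on every instance without an "
                            "ssm:resourceTag condition")
        if "ssm:SessionDocumentAccessCheck" not in condition_keys:
            findings.append(f"{sid}: no ssm:SessionDocumentAccessCheck condition, so the "
                            "document ARN is not enforced and port-forwarding or custom "
                            "session documents are allowed")
    return findings


# Constructed samples: a locked-down preferences document, a tightened policy
# and the wide-open policy that appears in far too many accounts.
GOOD_PREFERENCES = {
    "schemaVersion": "1.0",
    "description": "Session Manager preferences (constructed sample)",
    "sessionType": "Standard_Stream",
    "inputs": {
        "s3BucketName": "example-session-logs", "s3EncryptionEnabled": True,
        "cloudWatchLogGroupName": "/ssm/sessions", "cloudWatchEncryptionEnabled": True,
        "kmsKeyId": "alias/session-manager",
        "runAsEnabled": True, "runAsDefaultUser": "ops",
    },
}
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "StartShellOnTaggedWebNodes",
        "Effect": "Allow",
        "Action": "ssm:StartSession",
        "Resource": [
            "arn:aws:ec2:*:*:instance/*",
            "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell",
        ],
        "Condition": {
            "StringEquals": {"ssm:resourceTag/Role": "web"},
            "BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"},
        },
    }],
}
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AnySession", "Effect": "Allow", "Action": "ssm:StartSession", "Resource": "*"},
]}

if __name__ == "__main__":
    print(audit_session_preferences(GOOD_PREFERENCES))
    print(audit_start_session_policy(GOOD_POLICY))
    print(audit_start_session_policy(OPEN_POLICY))
```

The ssm:SessionDocumentAccessCheck condition is the piece most people miss: without it, the document ARN in Resource is advisory only, and the same permission that opens a shell also opens AWS-StartPortForwardingSessionToRemoteHost, which turns a managed node into a tunnel into the VPC.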
Patch Manager
Patch Manager automates patching of managed nodes (EC2 and on-premises) with security and other updates for the operating system and, on some platforms, applications. A patch baseline defines rules for auto-approving patches (by classification, severity and how many days after release) together with explicit approved and rejected patch lists.
Patching can be scheduled through maintenance windows or a State Manager association that runs AWS-RunPatchBaseline with Operation=Scan or Operation=Install. Scan-only runs are the way to learn how far behind your fleet is; the resulting patch compliance data is what tells you whether your workloads are compliant and dependable.
Here is a code example using the AWS SDK for Python (boto3) with AWS Systems Manager Patch Manager:
# List the security patches Patch Manager knows about for Amazon Linux 2.
# Filter keys are upper-case (PRODUCT, CLASSIFICATION, SEVERITY, CVE_ID, ...).
import boto3
ssm = boto3.client('ssm')
kwargs = {
    'Filters': [
        {'Key': 'PRODUCT', 'Values': ['AmazonLinux2']},
        {'Key': 'CLASSIFICATION', 'Values': ['Security']},
    ]
}
while True:
    response = ssm.describe_available_patches(**kwargs)
    for patch in response['Patches']:
        print(patch['Id'], patch.get('Severity'), patch.get('ReleaseDate'))
    if 'NextToken' not in response:
        break
    kwargs['NextToken'] = response['NextToken']
This code lists the patches Patch Manager knows about for the chosen product and classification, following NextToken across pages, and prints the ID, severity, and release date of each. Adding a CVE_ID filter makes this a quick way to check whether the fix for a specific CVE is available to your baseline.
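The approval rules described above are what turn that patch list into an install set. As an added example (not from the original post), here is the rule evaluation written out in Python: RULES mirrors the ApprovalRules structure of CreatePatchBaseline and the patch dictionaries mirror the fields DescribeAvailablePatches returns, but the rules, patches and dates are constructed sample data, not real advisories.

```python
# Added example (not from the original post): how a patch baseline's approval rules
# decide what gets installed. RULES mirrors CreatePatchBaseline's ApprovalRules and
# the patch dicts mirror the fields DescribeAvailablePatches returns, but the patch
# list and rules are constructed sample data, not real advisories.
from datetime import date, timedelta

# Two rules, evaluated in order: critical/important security fixes immediately,
# everything else classified Security or Bugfix after a 7-day bake time.
RULES = [
    {"PatchFilterGroup": {"PatchFilters": [
        {"Key": "CLASSIFICATION", "Values": ["Security"]},
        {"Key": "SEVERITY", "Values": ["Critical", "Important"]},
    ]}, "ApproveAfterDays": 0, "ComplianceLevel": "CRITICAL"},
    {"PatchFilterGroup": {"PatchFilters": [
        {"Key": "CLASSIFICATION", "Values": ["Security", "Bugfix"]},
    ]}, "ApproveAfterDays": 7, "ComplianceLevel": "HIGH"},
]
# RejectedPatches with RejectedPatchesAction=BLOCK: never installed even if a rule matches.
REJECTED = {"kernel"}

# Filter key -> field name on the patch object.
FIELD_FOR_KEY = {"CLASSIFICATION": "Classification", "SEVERITY": "Severity", "PRODUCT": "Product"}


def matches_filter_group(patch, group):
    """Every filter in the group must match; '*' in Values matches anything."""
    for flt in group["PatchFilters"]:
        field = FIELD_FOR_KEY[flt["Key"]]
        if "*" not in flt["Values"] and patch.get(field) not in flt["Values"]:
            return False
    return True


def evaluate_baseline(patches, rules, rejected, today):
    """Return {patch Id: ComplianceLevel} for patches the baseline would approve on `today`.
    A patch is approved by the first rule whose filters match once ApproveAfterDays
    have elapsed since its ReleaseDate; rejected names are skipped outright."""
    approved = {}
    for patch in patches:
        if patch["Name"] in rejected:
            continue
        age_days = (today - patch["ReleaseDate"]).days
        for rule in rules:
            if (matches_filter_group(patch, rule["PatchFilterGroup"])
                    and age_days >= rule["ApproveAfterDays"]):
                approved[patch["Id"]] = rule["ComplianceLevel"]
                break
    return approved


# Constructed sample patches (Linux-style fields).
TODAY = date(2024, 1, 20)
SAMPLE_PATCHES = [
    {"Id": "openssl-1", "Name": "openssl", "Classification": "Security", "Severity": "Critical",
     "ReleaseDate": TODAY},
    {"Id": "curl-1", "Name": "curl", "Classification": "Security", "Severity": "Low",
     "ReleaseDate": TODAY - timedelta(days=3)},
    {"Id": "bash-1", "Name": "bash", "Classification": "Bugfix", "Severity": "Medium",
     "ReleaseDate": TODAY - timedelta(days=10)},
    {"Id": "kernel-1", "Name": "kernel", "Classification": "Security", "Severity": "Critical",
     "ReleaseDate": TODAY - timedelta(days=30)},
]

if __name__ == "__main__":
    for patch_id, level in evaluate_baseline(SAMPLE_PATCHES, RULES, REJECTED, TODAY).items():
        print(patch_id, "->", level)
```

Two things the walk-through makes concrete: a patch that matches no rule is simply never installed, and a rejected name blocks even a critical fix, so a kernel exclusion added for a driver problem needs an expiry date of its own.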
State Manager
SSM State Manager lets you define, apply, and maintain the desired state of your managed nodes. If the actual state of a node drifts from the desired state, State Manager re-applies the configuration on the next scheduled run and records the outcome as association compliance.
State Manager works through associations: an association binds an SSM document (the declarative description of the desired state) to a set of targets, with parameters and a schedule. It can handle tasks such as patch scanning, software installation, and configuration updates on your EC2 instances, and can trigger remediation when nodes fall out of compliance with the parameters you set.
AWS Systems Manager State Manager has the following major features:
- Flexible scheduling: you set when each association runs (rate or cron expressions, with a 30-minute minimum interval), which is also when drift is detected and corrected.
- Integration with other AWS services: associations can be created from AWS CloudFormation, and their results feed Compliance and CloudWatch, giving a single automation story across your infrastructure.
- Centralized control: from one place you define the desired state of your resources, and State Manager applies it to every node that matches the targets, including instances launched later.
- Customizable remediation: beyond the AWS-managed documents (running scripts, installing agents, restarting services) you can write your own Command or Automation documents and use them as the remediation action.
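An added example (not from the original post) that ties the association step of the process flow to the State Manager features above: it builds a CreateAssociation request that targets nodes by tag, runs on a schedule, throttles the rollout, and reports with a compliance severity, then sanity-checks the request before sending it. The document name, tag, schedule and rollout limits are placeholders.

```python
# Added example (not from the original post): build and sanity-check a State Manager
# association that keeps a document enforced on every node with a given tag.
# The document name, tag, schedule and rollout limits are placeholders.
import re

try:
    import boto3
except ImportError:
    boto3 = None

RATE_RE = re.compile(r"^rate\((\d+) (minute|minutes|hour|hours|day|days)\)$")
CRON_RE = re.compile(r"^cron\([^()]+\)$")
AT_RE = re.compile(r"^at\([^()]+\)$")
COUNT_OR_PERCENT = re.compile(r"^[1-9]\d*%?$")
SEVERITIES = {"CRITICAL", "HIGH", "MEDIUM", "LOW", "UNSPECIFIED"}


def build_association_request(document_name, tag_key, tag_value, schedule="rate(1 day)",
                              parameters=None, severity="HIGH"):
    """Request body for CreateAssociation. Targeting by tag means instances launched
    later are picked up automatically; MaxConcurrency/MaxErrors throttle the rollout
    and stop it when too many nodes fail."""
    return {
        "Name": document_name,
        "AssociationName": f"{document_name}-{tag_key}-{tag_value}",
        "Targets": [{"Key": f"tag:{tag_key}", "Values": [tag_value]}],
        "ScheduleExpression": schedule,
        "Parameters": parameters or {},
        "ComplianceSeverity": severity,
        "MaxConcurrency": "10%",
        "MaxErrors": "5%",
    }


def validate_association_request(req):
    """Return a list of problems; an empty list means the request looks sane."""
    problems = []
    sched = req.get("ScheduleExpression", "")
    rate = RATE_RE.match(sched)
    if rate:
        n, unit = int(rate.group(1)), rate.group(2)
        if unit.startswith("minute") and n < 30:
            problems.append("rate() interval below the 30-minute minimum for associations")
    elif not (CRON_RE.match(sched) or AT_RE.match(sched)):
        problems.append(f"unrecognised ScheduleExpression {sched!r}")
    for key in ("MaxConcurrency", "MaxErrors"):
        if key in req and not COUNT_OR_PERCENT.match(req[key]):
            problems.append(f"{key} must be a positive count or percentage, got {req[key]!r}")
    if req.get("ComplianceSeverity") not in SEVERITIES:
        problems.append(f"ComplianceSeverity must be one of {sorted(SEVERITIES)}")
    if not req.get("Targets") and not req.get("InstanceId"):
        problems.append("no Targets or InstanceId")
    if not req.get("Name"):
        problems.append("no document Name")
    return problems


if __name__ == "__main__" and boto3 is not None:
    req = build_association_request(
        "AWS-GatherSoftwareInventory",  # AWS-managed document; tag values are placeholders
        "Environment", "prod", schedule="rate(12 hours)",
    )
    problems = validate_association_request(req)
    if problems:
        raise SystemExit("\n".join(problems))
    resp = boto3.client("ssm").create_association(**req)
    print(resp["AssociationDescription"]["AssociationId"])
```

The rollout limits matter more than they look: an association that pushes a bad configuration to 100% of a fleet at once is an outage, while MaxErrors of 5% stops the run after a handful of failures and leaves the rest of the fleet untouched until you investigate.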
Parameter Store
Another Systems Manager feature, Parameter Store, offers hierarchical storage for configuration data and secrets. License keys, connection strings, database hostnames, and passwords can all be stored as parameters of type String, StringList, or SecureString; SecureString values are encrypted with an AWS KMS key.
Parameter Store lets you store and manage configuration data for your applications. Some of its primary characteristics are as follows:
- It offers encrypted storage (SecureString) for sensitive data such as database connection strings, API keys, and passwords, with decryption gated by both ssm:GetParameter and kms:Decrypt permissions.
- It stores text values: standard parameters up to 4 KB and advanced parameters up to 8 KB, with a larger per-account quota for the advanced tier.
- By using paths (for example /app/prod/db/password), you can organize parameters hierarchically, fetch a whole subtree with GetParametersByPath, and scope IAM permissions by path prefix.
- It keeps a history of parameter versions and lets you label versions, trace changes, and roll back to a prior version as needed.
- AWS Identity and Access Management (IAM) policies control who can read and write each parameter or path.
- It integrates with the rest of Systems Manager (documents can reference parameters) and with AWS CloudFormation, Lambda, ECS, and other services, so configuration can be injected at run time rather than baked into images.
- Parameter Store itself does not cache; to reduce API calls and stay within its throughput quotas you cache on the client side, for example with the AWS Parameters and Secrets Lambda Extension or a short-TTL cache in your own code.
Overall, AWS Parameter Store is a robust service that simplifies the configuration of data management tasks and makes it easy to store and retrieve parameters securely.
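An added example (not from the original post) of the hierarchy, SecureString and client-side caching points above: one path is read with GetParametersByPath and WithDecryption=True, behind a small TTL cache so a hot code path does not call the API on every request. The parameter path and names are placeholders, and the stub loader returns constructed values so the cache can be exercised offline.

```python
# Added example (not from the original post): read one hierarchy of parameters,
# decrypting SecureString values, behind a client-side TTL cache so a hot code path
# does not call GetParametersByPath on every request. The parameter path and names
# are placeholders; the stub loader at the bottom returns constructed values.
import time

try:
    import boto3
except ImportError:
    boto3 = None


def load_path_with_boto3(ssm, path):
    """All parameters under `path` as {full name: value}, following NextToken.
    WithDecryption=True needs kms:Decrypt on the key behind each SecureString."""
    values, kwargs = {}, {"Path": path, "Recursive": True, "WithDecryption": True}
    while True:
        resp = ssm.get_parameters_by_path(**kwargs)
        for param in resp["Parameters"]:
            values[param["Name"]] = param["Value"]
        if not resp.get("NextToken"):
            return values
        kwargs["NextToken"] = resp["NextToken"]


class ParameterCache:
    """Caches one hierarchy per path for ttl_seconds. A short TTL keeps rotated
    secrets propagating; never log the values this returns."""

    def __init__(self, loader, ttl_seconds=300, clock=time.monotonic):
        self._loader = loader          # callable(path) -> {name: value}
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache = {}               # path -> (expires_at, values)

    def _values(self, path):
        entry = self._cache.get(path)
        if entry is None or self._clock() >= entry[0]:
            entry = (self._clock() + self._ttl, self._loader(path))
            self._cache[path] = entry
        return entry[1]

    def get(self, path, name):
        full = f"{path.rstrip('/')}/{name.lstrip('/')}"
        values = self._values(path)
        if full not in values:
            raise KeyError(full)
        return values[full]

    def invalidate(self, path=None):
        """Drop one path (or everything) so the next read goes back to the API."""
        if path is None:
            self._cache.clear()
        else:
            self._cache.pop(path, None)


def stub_loader(path):
    """Constructed stand-in for load_path_with_boto3 when running offline."""
    return {f"{path}/db/host": "db.internal", f"{path}/db/password": "correct horse"}


if __name__ == "__main__":
    if boto3 is not None:
        ssm = boto3.client("ssm")
        loader = lambda path: load_path_with_boto3(ssm, path)
    else:
        loader = stub_loader
    cache = ParameterCache(loader, ttl_seconds=60)
    print(cache.get("/billing/prod", "db/host"))  # placeholder path
```

Reading a whole path in one call is also what makes a tight IAM policy natural: grant ssm:GetParametersByPath on arn:aws:ssm:REGION:ACCOUNT:parameter/billing/prod/* and kms:Decrypt on the one key used for that subtree, and nothing else.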
Resource Groups
AWS Resource Groups let you organize AWS resources into groups so that large numbers of them can be managed as a unit, including as targets for Run Command, State Manager, Patch Manager and Automation. A group can be defined in two ways, and in both cases membership is evaluated dynamically rather than fixed at creation time.
The first method is tag-based: you apply key-value tags to resources in your account and define the group as a query over those tags, so anything that later receives the same tags joins the group. The second method builds the group from the resources of an AWS CloudFormation stack.
Monitoring and Reporting
On each instance, SSM Agent logs information about executions, scheduled activities, errors, and health status. You can configure either SSM Agent or the CloudWatch agent to ship this log data to CloudWatch Logs for centralized monitoring.
CloudWatch Logs can monitor log data in real-time, search and filter it using one or more metric filters, and store and recover previous data as needed.
Agent Logs
SSM Agent writes status, execution and error information to local log files: /var/log/amazon-ssm-agent/amazon-ssm-agent.log and errors.log on Linux, and %PROGRAMDATA%\Amazon\SSM\Logs\ on Windows. For central analysis you forward them to CloudWatch Logs, either by configuring the CloudWatch agent to tail these files or by enabling the CloudWatch receiver in the agent’s seelog.xml logging configuration.
Systems Manager also publishes CloudWatch metrics for Run Command in the AWS/SSM-RunCommand namespace (CommandsSucceeded, CommandsFailed, CommandsDeliveryTimedOut and CommandsTimedOut), so you can alarm when a command fails to reach or complete on its targets, or when a scheduled document never reports success.
Every management call, from SendCommand to StartSession, is also recorded by AWS CloudTrail, which is the authoritative record of who ran what on which node.
Here are some critical things to keep an eye on in the agent logs:
- Log volume: a sudden drop usually means the forwarding agent stopped, not that the fleet went quiet.
- Log latency: how long after an event it becomes searchable, which bounds how quickly you can react.
- Log errors: ERROR-level lines flag registration, credential, and plugin failures.
- Log ingestion rate: sustained growth that outpaces your retention budget.
- Log retention: enough to cover your incident-response window.
Amazon CloudWatch provides the monitoring and logging capabilities for all of this. CloudWatch Metrics and CloudWatch Logs track and analyze the data above, alarms notify you when particular thresholds are exceeded, and CloudWatch Logs Insights runs ad hoc queries over the agent logs.
A simple Python example of reading SSM Agent logs that have been shipped to CloudWatch Logs, using the AWS SDK for Python (boto3), is provided below:
# Read SSM Agent log events that the instance ships to CloudWatch Logs.
# Assumes the CloudWatch agent (or the SSM Agent's seelog configuration) writes
# amazon-ssm-agent.log to a log group whose stream name is the instance ID;
# the log group name below is an assumption, use your own.
import boto3
logs = boto3.client('logs')
response = logs.filter_log_events(
    logGroupName='/aws/ssm-agent',
    logStreamNames=['i-0123456789abcdef0'],
    filterPattern='?ERROR ?WARN',   # CloudWatch Logs pattern: lines containing either term
    limit=100,
)
for event in response['events']:
    print(event['timestamp'], event['message'].rstrip())
This code reads the SSM Agent log for a given EC2 instance from CloudWatch Logs (the agent log is not available through the SSM API itself; GetInventory returns inventory data, not log lines). The filter pattern restricts the result to warnings and errors, and each matching event is printed with its timestamp.
This is a deliberately simple example. For real use you would page through the response with nextToken, narrow the time window with startTime and endTime, and more likely run the same search from CloudWatch Logs Insights or forward the events to your log aggregation service.
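Agent logs tell you what ran on a node; CloudTrail tells you who asked for it. As an added example (not from the original post), here is a detection over CloudTrail records for the Systems Manager calls that amount to remote code execution on the fleet. The records and the principal allow-list are constructed samples shaped like CloudTrail events; the request field names follow the SSM API.

```python
# Added example (not from the original post): a detection over CloudTrail records
# for the Systems Manager calls that amount to remote code execution on the fleet.
# The records and the principal allow-list are constructed samples shaped like
# CloudTrail events; field names follow the SSM API (documentName, targets, ...).
WATCHED = {"SendCommand", "StartSession", "StartAutomationExecution"}
ADHOC_SCRIPT_DOCUMENTS = {"AWS-RunShellScript", "AWS-RunPowerShellScript"}
PORT_FORWARDING_DOCUMENTS = {
    "AWS-StartPortForwardingSession",
    "AWS-StartPortForwardingSessionToRemoteHost",
    "AWS-StartSSHSession",
}


def targets_whole_fleet(params):
    """True when a SendCommand targets every instance (InstanceIds=* or a bare tag-key)."""
    for target in params.get("targets") or []:
        key, values = target.get("key", ""), target.get("values") or []
        if key == "InstanceIds" and "*" in values:
            return True
        if key == "tag-key":  # any instance carrying the tag, whatever its value
            return True
    return False


def ssm_rce_findings(records, allowed_principal_arns):
    """Return one finding per suspicious record: {eventName, actor, reasons}."""
    findings = []
    for record in records:
        if record.get("eventSource") != "ssm.amazonaws.com":
            continue
        event = record.get("eventName")
        if event not in WATCHED:
            continue
        actor = record.get("userIdentity", {}).get("arn", "<unknown>")
        params = record.get("requestParameters") or {}
        document = params.get("documentName", "")
        reasons = []
        if actor not in allowed_principal_arns:
            reasons.append("principal is not on the automation allow-list")
        if event == "SendCommand":
            if document in ADHOC_SCRIPT_DOCUMENTS:
                reasons.append(f"ad-hoc script document {document}")
            if targets_whole_fleet(params):
                reasons.append("targets the whole fleet")
        if event == "StartSession" and document in PORT_FORWARDING_DOCUMENTS:
            reasons.append(f"tunnelling session document {document}")
        if reasons:
            findings.append({"eventName": event, "actor": actor, "reasons": reasons})
    return findings


# Constructed allow-list and sample records (not real CloudTrail output).
ALLOWED = {"arn:aws:sts::111122223333:assumed-role/PatchAutomationRole/patch-run"}
SAMPLE_RECORDS = [
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/PatchAutomationRole/patch-run"},
     "requestParameters": {"documentName": "AWS-RunPatchBaseline",
                           "targets": [{"key": "tag:Role", "values": ["web"]}]}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"documentName": "AWS-RunShellScript",
                           "targets": [{"key": "InstanceIds", "values": ["*"]}]}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "StartSession",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/PatchAutomationRole/patch-run"},
     "requestParameters": {"documentName": "AWS-StartPortForwardingSessionToRemoteHost",
                           "target": "i-0123456789abcdef0"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"}},
]

if __name__ == "__main__":
    for finding in ssm_rce_findings(SAMPLE_RECORDS, ALLOWED):
        print(finding["eventName"], finding["actor"], "; ".join(finding["reasons"]))
```

The three signals are deliberately coarse: an ad-hoc script document instead of a curated one, a target selector that means "everything", and a session document that opens a tunnel. Each is legitimate on its own in the hands of the patch pipeline, which is why the allow-list is combined with them rather than used alone.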
Now that you know about SSM’s main features, check out this high-level diagram to see the bigger picture:
Source: https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html
What are Some Practical Uses of AWS SSM?
As an AWS developer, I’ve discovered that AWS Systems Manager (SSM) is a fantastic resource for controlling and monitoring resources. Here are some ways I’ve utilized SSM:
- Patch management is an essential element of keeping my resources secure. I’ve used SSM to automate the patching of my EC2 instances and virtual machines, ensuring they always receive the most recent security upgrades.
- SSM has also made it much easier to collect metadata about my resources. It makes tracking and managing my resources easier by giving information on installed applications, network setups, and system use.
- The secure remote shell access provided by SSM has been quite useful for performing remote commands and moving data to and from my instances. I no longer have to be concerned about compromising security while logging into my instances.
- SSM’s Run Command capability has also come in handy. It has enabled me to automate routine administrative operations such as program installs and system setups, allowing me to devote more time to essential responsibilities.
- SSM Automation has proven to be quite beneficial in automating more complicated activities like application deployment and disaster recovery. Automating the entire process has helped me save time and eliminate mistakes.
- SSM has also made it extremely easy to generate software compliance reports. It assists me in tracking compliance status, automating remedial steps, and generating audit reports, making compliance reporting much easier.
- By centralizing access control and eliminating the risk of handling access keys and inbound ports, Amazon EMR with Session Manager may considerably increase your trust in your security and audit posture. See the chart below to understand how SSM interacts with an EMR cluster:
Source: https://aws.amazon.com/blogs/big-data/securing-access-to-emr-clusters-using-aws-systems-manager/
SSM has been an amazing tool for managing and monitoring my resources as an AWS developer. It has made my job more productive and effective, and I strongly suggest it to anyone working in AWS.
AWS Systems Manager Pricing
Pricing for SSM is intended to be flexible and affordable. There are no up-front costs or minimum commitments; you pay only for what you use, and the core capabilities (Run Command, State Manager, Patch Manager, Session Manager, Inventory, Compliance, and standard Parameter Store parameters) carry no charge of their own on EC2 instances.
Charges apply to specific features: advanced-tier managed instances (priced per instance-hour, mainly for on-premises and other non-EC2 machines), advanced Parameter Store parameters and higher-throughput parameter API calls, Automation steps beyond the monthly free tier, and OpsCenter OpsItems, among others. Check the AWS Systems Manager pricing page for the current figures.
Final Thoughts
As we come to the end of this overview of AWS Systems Manager (SSM), I hope you’ve gathered some useful knowledge about how this powerful tool can help you automate and manage your AWS infrastructure. As an Azure developer who uses a variety of AWS services, I am acutely aware of how crucial it is to have the right tools and services in place to guarantee the smooth and effective operation of your apps. That’s where SSM comes in: it offers a complete solution for managing all of your resources and apps in one location.
The numerous features and capabilities of SSM have been covered in this tutorial, from managing instances and automating processes to improving compliance and security. To further help you understand how SSM might be applied to your own operations, we have also included real-world examples and use cases.
SSM is a tool you won’t want to neglect, whether you’re new to AWS or an experienced pro. It has personally proven to be a tremendous benefit to me in my work as an Azure developer, enabling me to make the most of my cloud-based resources and advance my business. With its robust feature set and seamless integration with other AWS services, SSM is an essential tool for any developer trying to optimize their AWS infrastructure.