Amazon Web Services (AWS) customers who own a fleet of servers are sometimes unsure how best to automate fleet management for operational efficiency and maintenance. AWS Systems Manager provides a unified user interface so customers can view operational data from multiple AWS services, and allows them to automate operational tasks across their AWS resources.

To help customers more easily leverage the capabilities of Systems Manager, AWS offers the Server Fleet Management at Scale solution. This solution combines Systems Manager with Amazon Inspector, an automated security assessment service, to help simplify software inventory management, OS patch compliance, and security vulnerability assessments on managed instances.  

This webpage provides best practices for implementing an automated fleet management solution, as well as an overview of the Server Fleet Management at Scale solution's design and functionality.

Managing fleets of servers can be challenging because of the number of maintenance tasks required for each server, such as patching the operating system when needed, maintaining the proper software inventory, and running security assessments on a routine basis. Automating these maintenance tasks can reduce the operational complexity of managing server fleets in the cloud, allowing personnel to focus on adding value to the fleet instead of on maintenance. When implementing an automated fleet management solution, consider these best practices:

  • Use services that provide a unified view for visibility into your managed instances.
  • Automate security assessments for the fleet and associate the findings with each server.
  • Automate operating system patching and software inventory scanning for each server.
  • Implement a resource-identification system, such as tags for instances. This helps to ensure that automated actions are targeted to the correct resource, and also allows for easier filtering, modification, and troubleshooting according to categories that you define.
  • Grant least-privilege access to individuals or systems that perform automated actions on resources.

The Server Fleet Management at Scale solution allows you to automate maintenance and deployment tasks, or automatically apply patches, updates, and configuration changes across any resource group. The solution also allows you to deploy a sample fleet of servers for testing. The diagram below presents the architecture you can deploy in minutes using the solution's implementation guide and accompanying AWS CloudFormation template.

  1. An Amazon CloudWatch event triggers Amazon Inspector to run daily security assessments on your fleet of Amazon Elastic Compute Cloud (Amazon EC2) instances.
  2. Amazon Inspector defines the rules packages for assessments and identifies the target Amazon EC2 instances for assessment runs.
  3. Amazon Inspector also publishes a message to an Amazon Simple Notification Service (Amazon SNS) topic that has two subscribers: an AWS Lambda function and the provided email address.
  4. The Lambda function queries Amazon Inspector for the agent IDs of the agents within the assessment run and publishes the IDs to a second Amazon SNS topic.
  5. Another Lambda function receives a notification for each agent ID and queries Amazon Inspector for the findings for each agent, sorts them by vulnerabilities, and updates the Systems Manager Inventory data for the instance under management.
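The work of step 5 (collect one agent's findings, tally them by severity, and record the tally in Systems Manager Inventory) as an added Python illustration; this is not the solution's own Lambda code. It assumes the Inspector Classic ListFindings/DescribeFindings and SSM PutInventory calls as boto3 exposes them, an inventory type name Custom:InspectorFindings chosen here, and constructed fake clients (shown in the block) standing in for boto3.client("inspector") and boto3.client("ssm") so it runs offline.

```python
from collections import Counter
from datetime import datetime, timezone

INVENTORY_TYPE = "Custom:InspectorFindings"   # assumed name; custom inventory types must start with "Custom:"
SEVERITIES = ("High", "Medium", "Low", "Informational", "Undefined")

def summarize_findings(inspector, assessment_run_arn, agent_id):
    """Count Inspector Classic findings for one agent (its agent ID is the EC2 instance ID) by severity."""
    query = {"assessmentRunArns": [assessment_run_arn], "filter": {"agentIds": [agent_id]}}
    resp = inspector.list_findings(**query)
    arns = list(resp.get("findingArns", []))
    while resp.get("nextToken"):                       # ListFindings is paginated
        resp = inspector.list_findings(nextToken=resp["nextToken"], **query)
        arns.extend(resp.get("findingArns", []))
    counts = Counter()
    for i in range(0, len(arns), 10):                  # DescribeFindings takes at most 10 ARNs per call
        for f in inspector.describe_findings(findingArns=arns[i:i + 10])["findings"]:
            counts[f.get("severity", "Undefined")] += 1
    return counts

def update_inventory(ssm, agent_id, assessment_run_arn, counts, capture_time=None):
    """Write the tally to the instance's custom SSM Inventory type; inventory values must be strings."""
    capture_time = capture_time or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    content = {sev: str(counts.get(sev, 0)) for sev in SEVERITIES}
    content["AssessmentRunArn"] = assessment_run_arn
    item = {"TypeName": INVENTORY_TYPE, "SchemaVersion": "1.0", "CaptureTime": capture_time, "Content": [content]}
    ssm.put_inventory(InstanceId=agent_id, Items=[item])
    return content

class FakeInspector:                                   # constructed stand-in for boto3.client("inspector")
    def __init__(self, severities):                    # severities: {finding ARN: severity}
        self.arns, self.severities = sorted(severities), severities
    def list_findings(self, assessmentRunArns, filter, nextToken=None):   # answers in two pages
        return ({"findingArns": self.arns[:2], "nextToken": "p2"} if nextToken is None
                else {"findingArns": self.arns[2:]})
    def describe_findings(self, findingArns):
        return {"findings": [{"arn": a, "severity": self.severities[a]} for a in findingArns]}

class FakeSSM:                                         # constructed stand-in for boto3.client("ssm")
    def __init__(self):
        self.calls = []
    def put_inventory(self, InstanceId, Items):
        self.calls.append((InstanceId, Items))

def demo():                                            # constructed input: four findings over two pages
    run_arn = "arn:aws:inspector:us-east-1:111122223333:target/0-EXAMPLE/template/0-EXAMPLE/run/0-EXAMPLE"
    sample = {f"{run_arn}/finding/0-{n}": sev for n, sev in enumerate(["High", "Medium", "High", "Low"])}
    ssm, instance = FakeSSM(), "i-0123456789abcdef0"
    counts = summarize_findings(FakeInspector(sample), run_arn, instance)
    return update_inventory(ssm, instance, run_arn, counts, "2024-01-01T00:00:00Z"), ssm.calls
```

Running demo() returns the content written for the instance (High 2, Medium 1, Low 1) together with the recorded PutInventory call, which is what a later Inventory query against the instance would show.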

What you'll accomplish:

Deploy the Server Fleet Management at Scale solution using AWS CloudFormation. The CloudFormation template automatically launches and configures the components necessary to manage your fleet of servers.

Run daily security assessments for your Amazon EC2 instances using Amazon Inspector.

Specify patch compliance thresholds and define patching schedules using AWS Systems Manager.

What you'll need before starting:

An AWS account: You will need an AWS account to begin provisioning resources. Sign up for AWS.

Skill level: This solution is intended for IT infrastructure and DevOps professionals who have practical experience with automation and architecting on the AWS cloud.

Q: Can I use the Server Fleet Management at Scale solution with my server fleet?

Yes. This solution is designed to integrate with your server fleet, but it also includes a sample server fleet you can deploy to test the solution.

Q: Can I identify which Amazon EC2 instances are targeted managed instances?

Yes. Systems Manager uses the tag key you specify during initial configuration to identify the tagged Amazon EC2 instances it manages.

Q: Can I define and schedule tasks to be run against my instances?

Yes. The solution includes a maintenance window in which you define tasks to be run against a set of instances. The solution-created OS patching maintenance window is scheduled to run weekly in a two-hour window, and the server inventory schedule is scheduled to run daily. For more information, see the implementation guide.

Q: Can I deploy the solution in a region where Amazon Inspector is not available?

Yes. Deploying this solution in a region that does not support Amazon Inspector will not deploy the Amazon Inspector resources. However, the Systems Manager features will be deployed and used by the solution.
