AWS Management Tools Blog

Join a Microsoft Active Directory Domain with Parameter Store and Amazon EC2 Systems Manager Documents

by Matteo Rinaudo

The process of configuration management can be difficult, in particular when performed at scale. An example could be an application, running on your fleet, which uses configuration values like database connection strings or passwords.

For deployment best practices, isolate application configuration so that you can separately deploy configuration values specific to each environment, for example development and production. To improve the security posture of your application, encrypt sensitive configuration values such as passwords. From a management standpoint, store configuration values in a central and secure location instead of storing and maintaining that information on your fleet. Central storage makes it easier to maintain and rotate configuration values in a single place, and it also facilitates auditing changes to, and access to, those values.

Amazon EC2 Systems Manager is a management service that helps you configure and manage Amazon EC2 instances and on-premises servers. Parameter Store is a Systems Manager feature that makes it easier to reference your configuration data, securely stored in a central location. Parameter Store integrates with other AWS services like AWS Identity and Access Management (IAM) and AWS Key Management Service (AWS KMS). With IAM, you define access control to Systems Manager parameters. With KMS, you can encrypt sensitive information, such as SecureString parameters. API calls made to Systems Manager parameters can be recorded with AWS CloudTrail, so you can audit access or changes to your parameters, for example.

In this post, I show you a scenario for centralized configuration management, with an example of joining EC2 instances to a Microsoft Active Directory. You launch an EC2 instance that consumes and uses configuration values stored as Systems Manager parameters to join your Active Directory domain. For more information about creating an Active Directory with AWS Directory Service instead, see the Seamlessly Join EC2 Instances to a Domain blog post.


Introducing Tagging Support for AWS OpsWorks Stacks

by Kai Rubarth

AWS now supports tagging of AWS OpsWorks Stacks application environments. Tags that you add to a stack and layer now automatically propagate down to all underlying AWS resources, including Amazon EC2 instances, Elastic Load Balancing load balancers, Amazon RDS databases, Amazon EBS volumes, and Amazon ECS clusters. This benefits everyone who wants to track their AWS usage for OpsWorks Stacks infrastructure and components.


Using Microsoft PowerShell DSC with Amazon EC2 Systems Manager

by Shaun Breen

Amazon EC2 Systems Manager is a management service that helps you automatically collect software inventory, apply OS patches, create system images, and configure Windows and Linux operating systems. These capabilities help you define and track system configurations, prevent drift, and maintain software compliance of your EC2 and on-premises configurations.

By providing a management approach that is designed for the scale and agility of the cloud but extends into your on-premises data center, Systems Manager makes it easier for you to seamlessly bridge your existing infrastructure with AWS.

In this post, I show you how you can remotely manage your EC2 Windows instances using a declarative based model for instance configuration management at cloud scale. You use Microsoft PowerShell Desired State Configuration (DSC) to define a configuration and then apply it to your instances using Systems Manager.


  • Systems Manager is built for cloud scale. It can handle applying your PowerShell DSC configuration to thousands of instances at one time.
  • Systems Manager ships logs (stdout/stderr) off the instance. When you apply your configuration to an instance, you can have the logs sent directly to an Amazon S3 bucket. There is no need to log in to instances to retrieve logs.
  • Systems Manager works on your on-premises servers. There are some prerequisites required to get this to work. For more information, see Setting Up Systems Manager.


AWS Config Support for Amazon CloudWatch Alarms

by Shashi Prabhakar

On June 1st, AWS Config announced support for Amazon CloudWatch alarms. CloudWatch alarms can be set on any of your CloudWatch metrics to send notifications or take other automated actions.

You can now start tracking the current as well as historical configuration of your alarms and get notified via Amazon SNS when your alarm configuration changes. You can also use three new Config rules to verify the following:

  • Your resources have CloudWatch alarms for the specified metric
  • Alarm metrics have the right settings
  • All alarms have at least one action configured

You can get started via the AWS Config console, AWS CLI, or AWS SDKs.

With this integration, you can view the historical configuration of your CloudWatch alarms and review all changes that occurred to them. This information is valuable in determining why certain CloudWatch alarms did not get triggered and how their configuration was modified. In this post, we show you two example scenarios in detail.

AWS Config

Config enables you to assess, audit, and evaluate the configurations of your AWS resources. It continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines.

Automate Running Tasks Using Amazon EC2 Systems Manager Maintenance Windows

by Mats Lanner

In Amazon EC2 Systems Manager, a maintenance window defines a specific set of tasks, along with a set of managed instances where those tasks should be run and the schedule for when the tasks should run. Each task also has a velocity and error threshold defined (for example, run the task on at most four instances at a time and stop if there are one or more errors). You can use this to automate running many common systems administration tasks to ensure they run when needed and that you get notified about any problems running the tasks.
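The velocity and error-threshold behaviour described above, as an added illustration that is not code from the post or from AWS: a small Python model that walks a list of instances in batches of at most four and halts once the configured number of errors is reached, so that no further instances are touched. Instance IDs and their outcomes are constructed, and the real service's handling of in-flight invocations is simplified to one batch at a time.

```python
"""Toy model of a Systems Manager maintenance-window task run.

Added illustration, not AWS code: it models the two limits the post
describes, a velocity (maximum concurrency) and an error threshold, using
constructed instance results instead of real Systems Manager API calls.
"""
from dataclasses import dataclass, field


@dataclass
class RunResult:
    succeeded: list = field(default_factory=list)
    failed: list = field(default_factory=list)
    skipped: list = field(default_factory=list)  # never attempted: run was halted
    halted: bool = False


def run_task(instance_ids, outcomes, max_concurrency=4, max_errors=1):
    """Simulate running one task over instance_ids.

    outcomes: constructed mapping instance_id -> True (success) / False (error),
    standing in for the command result the service would report.
    At most max_concurrency instances are processed per batch; once the number
    of failures reaches max_errors the run halts and the remaining instances
    are recorded as skipped, which is the behaviour an operator relies on to
    contain a bad change.
    """
    result = RunResult()
    remaining = list(instance_ids)
    while remaining:
        batch, remaining = remaining[:max_concurrency], remaining[max_concurrency:]
        for iid in batch:
            if outcomes.get(iid, False):
                result.succeeded.append(iid)
            else:
                result.failed.append(iid)
        if len(result.failed) >= max_errors:
            result.halted = True
            result.skipped = remaining
            break
    return result


if __name__ == "__main__":
    # Constructed fleet: ten instances, one of which fails the task.
    fleet = [f"i-{n:02d}" for n in range(10)]
    results = {iid: iid != "i-05" for iid in fleet}
    r = run_task(fleet, results, max_concurrency=4, max_errors=1)
    print("succeeded:", r.succeeded)
    print("failed:   ", r.failed)
    print("skipped:  ", r.skipped, "halted:", r.halted)
```

With the constructed fleet the first batch of four succeeds, the failure in the second batch trips the threshold, and the last two instances are never attempted, which is exactly the blast-radius control the velocity and error settings are meant to give you.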

In this post, I discuss how maintenance windows work and provide a walkthrough for setting one up.

Maintenance window overview

You can consider the Maintenance Window capability of Systems Manager to be a replacement for tools like cron or Windows Task Scheduler. Instead of scheduling tasks on individual instances, you can use a feature that’s fully integrated with AWS and the rest of Systems Manager that also provides a central access point for task history and notification support.

A maintenance window brings together the following:

  • Schedule and duration
  • Targets
  • Tasks
  • History


Getting Started with Patch Manager and Amazon EC2 Systems Manager

by Kevin Yung

At last year’s re:Invent, AWS launched Amazon EC2 Systems Manager, which helps you automatically apply OS patches within customized maintenance windows, collect software inventory, and configure Windows and Linux operating systems. These capabilities enable automated configuration and ongoing management of systems at scale and help maintain software compliance for instances running in Amazon EC2 or on-premises.

One of the capabilities of Systems Manager is Patch Manager, which can automate the process of patching Windows managed instances at scale. With Patch Manager, you can scan instances for missing patches, or scan and install missing patches to individual instances or large groups of instances by using EC2 tags. Patch Manager can also be used with Systems Manager Maintenance Windows, so you can create a schedule to perform patch operations on your instances within a customized maintenance window.

In this post, I guide you through using Patch Manager to patch your Windows instances. If you run the demo, you are charged for the EC2 resources, but Systems Manager is free of charge.


To get started quickly with Patch Manager, these examples use newly created Windows EC2 instances.

Running Ansible Playbooks using EC2 Systems Manager Run Command and State Manager

by Andres Silva

If you are running complex workloads on AWS and managing large groups of instances, chances are you are using some form of configuration management. Configuration management tools are effective in automating the deployment and configuration of applications on hybrid instances. However, efficiently managing the distribution and execution of the playbooks or recipes, centrally managing the code, having a secure and scalable deployment mechanism, and properly logging system changes is a challenge. To address this, some of our customers use tools like cron, Rundeck, or others provided by configuration management vendors.

State Manager and Run Command, part of EC2 Systems Manager, automate management tasks by providing a secure and easy-to-use platform to maintain state and remotely execute commands on large groups of instances. Using these tools also addresses many of the common challenges of managing infrastructure at scale. Here are some of the benefits of these tools:

  • Better security
    • There is no need to open incoming ports to remotely execute the directives. This eliminates the need for using SSH.
    • You can use IAM to restrict and control access to the platform.
    • All command execution is audited via AWS CloudTrail.
  • Performance and reliability
    • Asynchronous execution of commands
    • Commands are delivered and executed even when the system comes back from being offline
    • Execute at scale by taking advantage of velocity control
    • Control deployment rate if errors increase during deployment

In this blog post, I show you how to run Ansible configuration management directives on your instances with State Manager, Run Command, and the new “AWS-RunAnsiblePlaybook” public document. This document runs Ansible locally on your instances.


Use Application Load Balancers with your AWS OpsWorks Chef 12 Stacks

by Kai Rubarth

Want to build scalable applications that take advantage of Elastic Load Balancing Application Load Balancer features? You could add capabilities such as content-based routing, HTTP/2 and WebSocket protocols, support for containers, enhanced metrics, and more.

AWS OpsWorks Stacks users have been asking AWS how they can use the new Application Load Balancer option with their layers. So AWS decided to develop and open source a set of Chef 12 recipes to make this integration simple. This post walks you through the steps required to make any Chef 12 Linux layer in OpsWorks Stacks work with Application Load Balancers.


More Automation Actions for Amazon EC2 Systems Manager

by Taylor Anderson

Recently, AWS released five new Amazon EC2 Systems Manager Automation actions. These actions allow you to:

  • Launch an AWS CloudFormation stack
  • Delete the stack
  • Insert a delay in your workflow
  • Copy and encrypt Amazon Machine Images (AMIs)
  • Tag AWS resources

These actions extend the existing collection of actions, which can be used to orchestrate tasks such as instance launch, OS-level instance configuration and patching, AWS Lambda function invocation, and AMI creation.

In this post, I introduce the actions, discuss possible uses, and include examples.

Automation Overview

Automation allows you to patch, update agents, or bake applications into an AMI. With Automation, you can avoid the time and effort associated with manual image updates, and instead build AMIs through a streamlined, repeatable, and auditable process. Automation workflows are composed of a series of steps, where each step is based on an action.

Automation actions

Here are the actions:

  • aws:createStack
  • aws:deleteStack
  • aws:sleep
  • aws:createTags
  • aws:copyImage


Streamline AWS CloudTrail Logs Using Event Filters

by Bob O'Dell

In November 2016, AWS CloudTrail announced a new feature that provides the ability to filter events that are collected within a CloudTrail trail. This simple feature helps AWS customers save time and money by creating trails that contain a subset of overall API operations and account activity.

In this post, I show you how to add event filters when creating a trail from the AWS Management Console or the AWS CLI.

A common and often recommended CloudTrail setup is to have two or more trails configured within your AWS account. One trail is for security and auditing purposes: it uses Amazon S3 file encryption and log file validation, and is stored in an S3 bucket with a policy allowing only security or audit team access.

Additional trails are often stored in a separate S3 bucket and used to send data to third-party tools, set up for the DevOps team to access and use, or used by support teams to troubleshoot and investigate account issues.