AWS Management Tools Blog

Amazon EC2 Systems Manager Automation is now an Amazon CloudWatch Events Target

Today we are excited to announce a new target for Amazon CloudWatch Events: Amazon EC2 Systems Manager Automation. Through this integration, Automation workflows can be triggered by a schedule, or when specific AWS system events occur.

  • Automation is part of Amazon EC2 Systems Manager. Using Automation, you can build workflows that are streamlined, repeatable, and auditable. For example, you can create workflows to patch, update agents, or bake applications into an Amazon Machine Image (AMI). You can also avoid the time and effort associated with updating your images manually, and instead build AMIs that meet your IT standards and make the approved AMIs available to your teams.
  • Amazon CloudWatch Events allows you to create rules that trigger based on AWS events, or on a periodic schedule. CloudWatch Events can be set up to respond automatically to Amazon EC2 service state changes, Amazon Simple Storage Service (S3) bucket operations, and other events. Supported targets include AWS Lambda, Amazon SNS, Amazon EC2 Systems Manager Run Command, and now Amazon EC2 Systems Manager Automation.

With Automation as a supported CloudWatch Events target, you can take advantage of some interesting use cases. You can run routine tasks more reliably by scheduling them for specific days and times, or by triggering them after specific event patterns. In this blog, we are going to show examples of how you can use CloudWatch Events and Automation to automate repetitive tasks, such as periodically starting and stopping instances.


Maintenance Windows: Support for New Task Types Using Amazon EC2 Systems Manager

In Amazon EC2 Systems Manager, the Maintenance Windows service allows you to define a set of tasks, along with the instances where those tasks should be run and a run schedule. In this post, I talk about a new feature for Maintenance Windows—support for New Task types.

Maintenance Windows now supports Systems Manager Automation documents, AWS Step Functions tasks, and AWS Lambda functions as tasks, including support for Parameter Store (when using Step Functions and Lambda). This allows you to perform complex workflows on your instances, such as patching a server running SQL Server using an Automation document.

In this post, I show you the steps for executing this example and walk through the required configuration steps one-by-one.


Improving Security through Delegated Administration with Amazon EC2 Systems Manager Automation

EC2 Systems Manager Automation simplifies common system maintenance and deployment tasks. You can create workflows to automate repetitive tasks such as systems configuration, deployment and maintenance. Workflows are authored in JSON and saved as Automation documents.

The Automation service operates in the context of the user that invokes the execution. Automation documents can be authored with an optional service role (also called an assume role) with an attached managed policy (AmazonSSMAutomationRole).

  • When the service role is specified: The Automation service executes the document in the context of the role.
  • When the service role is not specified: The Automation service creates a temporary session in the context of the user and then executes the document.

In this blog, we are going to show the two methods for executing Automation. If you are using Automation for the first time, or when you would like to automate and execute simple workflows in the context of your account, the service role is not required. When you would like to control the context in which Automation workflows are executed, and limit the permissions needed by the user that executes them, you will use the service role.

Note: For Automation documents that you expect to run longer than 12 hours, you must specify a service role because the temporary session to execute Automation in the user’s context expires 12 hours after starting the execution.


Example Scenarios for AWS Config Continuous Monitoring of Amazon S3 Bucket Access Controls

Recently, AWS Config announced two new managed rules to detect Amazon S3 buckets that have overly permissive controls. You can now check your S3 buckets continuously for unrestricted public write access or unrestricted public read access. In addition, you can view compliance of all your S3 buckets against these rules, and receive notifications via Amazon SNS when permissions change. You can also view the permissions history in the Config console.

With these new rules, you can view the historical state of bucket Access Control Lists (ACLs) and bucket policies, and you can identify when changes were made. If someone changes a bucket policy or a bucket ACL, the Config rule automatically re-evaluates the new effective access. The rules evaluate the ACL to determine whether any anonymous user or any AWS user is allowed read or write permissions. The bucket policies are evaluated using a semantic-based automated reasoning engine, which returns a compliance decision.

“These AWS Config rules are backed by a new formal model of IAM semantics, offering a dramatic improvement over existing tools that rely on simple pattern matching, which often fails to capture the nuances of the IAM policy language,” said Bridgewater Associates engineer Dan Peebles. “For the first time, (more…)

Secure, Scalable, and Efficient Instance Management Using Amazon EC2 Run Command

This post was written by Miguel João, Cloud Software Engineer at OutSystems.

The OutSystems low-code development platform allows users to create and deliver high-quality web and mobile apps a lot faster, leveraging all the advantages of visual programming with few of the drawbacks. Of course, providing this high productivity, enterprise-grade Platform-as-a-Service (PaaS) solution can be challenging. For us at OutSystems, those challenges ended up inspiring us to build custom solutions to manage large infrastructures.

We were working on a custom offer for clients that would enable them to build their tailored apps. That led us to deploy our own orchestration processes.

  • Instead of only using the common configuration management tools, we had to deploy a custom remote command execution environment. This gave us tight control over all the steps in the deployment and configuration of the infrastructure.
  • We needed to provide an enterprise-grade PaaS solution with secure access, data integrity, and high availability.
  • This solution must scale to meet future demand, and for the long run we’re talking about 1M+ instances.
  • We had to ensure a path for the solution to evolve without disrupting the customer service.

Sounds complicated, right? Well, it was, especially when you consider that we had to apply our custom environment to an existing underlying infrastructure while keeping the security, isolation, and evolution requirements.

The end result was a leaner and more secure solution. The Amazon EC2 Run Command service improved the stability of our orchestration processes (reducing the error ratio by over 80%) and their performance (10–20 times faster).


Supercharge Multi-Account Management with AWS CloudFormation

As your use of Amazon Web Services evolves, you will probably outgrow your first account, and need to move into a multi-account model.

There are plenty of benefits to using more than one AWS account:

  • An administrative boundary: I can choose how permissive or restrictive my policies are based on the account type. Separating user authority within an account can be complicated and error-prone. Using separate accounts is often the answer.
  • A workload boundary: I can choose to peer (or not to peer) various workloads together within accounts, ensuring that my ‘blast radius’ for a poorly behaved application is minimized.
  • A billing entity: Detailed bills are generated at an account level. An account has higher ‘resolution’ than is afforded by billing tags, and can be easier to implement.

However, management complexities increase using multiple accounts. How do you manage the administrative boundaries? Who can log in and how? How do you manage your baseline infrastructure, such as VPCs and CloudTrail? Is it possible to deploy these by hand and not make potentially critical mistakes?

In this blog post I’ll explore ways to manage deployments in your multi-account AWS environment.


How Cloudticity Automates Security Patches for Linux and Windows using Amazon EC2 Systems Manager and AWS Step Functions

This guest post was written by Uri Katsir, AWS Architect at Cloudticity, and Thomas Zinn, Project Manager at Cloudticity.

As a provider of HIPAA-compliant solutions using AWS, Cloudticity always has security as the base of everything we do. HIPAA breaches would be an end-of-life event for most of our customers. Having been born in the cloud with automation in our DNA, Cloudticity embeds automation into all levels of infrastructure management including security, monitoring, and continuous compliance. As mandated by the HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164), patches at the operating system and application level are required to prevent security vulnerabilities. As a result, patches are a major component of infrastructure management.


Combating Configuration Drift Using Amazon EC2 Systems Manager and Windows PowerShell DSC

Configuration drift occurs when a system “drifts” or changes from its intended configuration. It is caused by having inconsistent configuration items (CIs) across environments.

Amazon EC2 Systems Manager is a management service that helps you automatically collect a software inventory, apply OS patches, create system images, and configure Windows and Linux operating systems. These capabilities help you define and track system configurations, prevent drift, and maintain software compliance of your EC2 and on-premises configurations.

Systems Manager provides a management approach that is designed for the scale and agility of the cloud but extends into your on-premises data center. Systems Manager makes it easier for you to seamlessly bridge your existing infrastructure with AWS.

In my last post, I introduced the concept of using Systems Manager Run Command to apply a declarative model for EC2 instance configuration (configuration as code) via Windows PowerShell Desired State Configuration (DSC). In this post, I show how you can combat configuration drift at scale using PowerShell DSC and a management tool from Systems Manager called State Manager.


Organize Parameters by Hierarchy, Tags, or Amazon CloudWatch Events with Amazon EC2 Systems Manager Parameter Store

This post was written by Lusha Zhang, Software Development Engineer with Amazon Web Services.

Parameter Store, part of Amazon EC2 Systems Manager, provides a centralized, encrypted store to manage your configuration data, whether plaintext data (for example, database connection strings) or secrets (for example, passwords or API keys). Because Parameter Store is available through the AWS CLI, APIs, and SDKs, you can easily reference parameters across AWS services such as AWS Lambda and Amazon ECS.

Parameter Store recently launched hierarchy support, parameter tagging, and CloudWatch Events support, which makes it easy to organize and manage parameters at scale. In this post, I demonstrate how you can use these new features to scale and improve your security posture.


Windows AMI Patching and Maintenance with Amazon EC2 Systems Manager

The Automation service, which is part of Amazon EC2 Systems Manager, helps you save time and the effort associated with routine management operations. Automation workflows are streamlined, repeatable, and auditable. For example, you can easily automate manual tasks such as golden image creation, baking applications into Amazon Machine Images (AMIs), or patching and updating agents.

In a recent post on the AWS Blog (Streamline AMI Maintenance and Patching Using Amazon EC2 Systems Manager), AWS announced the availability of the first public Document for Automation: AWS-UpdateLinuxAmi. This Document streamlines patching for Linux AMIs, allowing you to get started quickly with a predefined Automation workflow managed by AWS.

Today, AWS announces the availability of the Windows equivalent: AWS-UpdateWindowsAmi. The AWS-UpdateWindowsAmi Document is a great fit for building a hardened AMI from the monthly Windows AMI release, applying Windows patches and AWS agent updates to your proprietary Windows AMI, or baking applications into a golden Windows AMI as part of your CI/CD pipeline. You can also use your custom AMIs as a source for images that meet organizational IT policies. Documents help you centrally create, manage, and share code for IT operations and the management tasks that Systems Manager can perform on your managed infrastructure.