AWS Cloud Operations Blog

Accelerating migrations and IT Tasks for DKB using AWS Systems Manager

Deutsche Kreditbank AG (DKB) is one of Germany’s largest direct banks, with over five million customers. In 2023, DKB migrated its back-office IT infrastructure to Amazon Web Services (AWS). This included a diverse estate of infrastructure, backup, networking, and both Windows and Linux servers, while managing risks such as downtime, loss of data integrity, and security vulnerabilities.

Customers in regulated industries must comply with a range of regulations (for example, GDPR, PCI DSS, BAIT, or DORA) and other local and international laws governing data protection and privacy. Addressing these regulations, standards, and best practices is essential to ensuring data security, privacy, and operational integrity.

In this post, we discuss how DKB used the Automation, Patch Manager, and Session Manager capabilities of AWS Systems Manager to streamline operational tasks during its migration. We also show how you can use AWS Systems Manager to run Windows workloads on AWS with minimal friction.

With Systems Manager Automation and Patch Manager, DKB reduced the manual effort of operating Amazon Elastic Compute Cloud (Amazon EC2) workloads from several hours per instance to minutes. Operators used Systems Manager to set up Windows instances at scale. Once the automation was in place, DKB saved about two hours per instance, and the saving grows as more tasks are captured in Systems Manager documents (the automation scripts). The same documents standardize and speed up bulk deployments with minimal management effort.

Overview of the Architecture

The following diagram illustrates the AWS architecture DKB uses to automate tasks and workflows with Systems Manager, specifically the setup of Windows instances in a multi-account environment. It automates Amazon EC2 instance setup and maintenance with AWS Lambda and AWS Systems Manager.

<img src="SSM-DKB.png" alt="Architecture diagram of AWS Systems Manager">

Figure 1: Architecture overview

  1. When an Amazon EC2 instance is launched in an Auto Scaling group, the launch generates an EC2 instance launch event that invokes an AWS Lambda function.
  2. The Lambda function starts a Systems Manager Automation runbook built from predefined Windows setup documents (or other relevant setup documents). This configures the new instance according to the required specifications and policies.
  3. After setup, Run Command executes additional maintenance tasks on the instance, such as applying patches and updates or configuring the applications.
  4. Patch Manager deploys patches on a schedule and provides a patch compliance dashboard. This reduces the manual effort of day-to-day operations by automating routine management and maintenance.

Following this approach reduced licensing costs for the various infrastructure tools and services DKB previously ran, while also improving the resiliency and reliability of the migrated systems.

VPC Endpoints for AWS Systems Manager Patch Manager

Patch Manager, a capability of AWS Systems Manager, automates patching managed nodes with both security-related and other updates. DKB uses Patch Manager to install service packs on Windows nodes and to perform minor version upgrades on Linux nodes.

Applying both security-related and other updates is crucial for the security, stability, and functionality of DKB’s IT infrastructure, but in large environments the process is complex and risky. Patch Manager’s phased rollouts, centralized management, and scheduling and reporting reduce the complexity and risk of patching at scale.

To patch Windows Server managed nodes, DKB had to ensure that every node can reach either the Microsoft Update Catalog or a Windows Server Update Services (WSUS) server: Patch Manager drives the Windows Update Agent on the node, and that agent retrieves the approved updates from one of those two sources.

DKB used Amazon Virtual Private Cloud (Amazon VPC) interface endpoints for Systems Manager (the ssm, ssmmessages, and ec2messages endpoints), so that managed nodes reach the Amazon EC2 and Systems Manager APIs over private IP addresses. Because the endpoints are powered by AWS PrivateLink, all traffic between managed nodes, Systems Manager, and Amazon EC2 stays on the AWS network without traversing the internet, which improved the security posture of the managed nodes. Note that these endpoints carry only the Systems Manager control plane: the Windows Update traffic from the previous paragraph still needs its own path, either to a WSUS server reachable inside the VPC or through a controlled outbound proxy, and Patch Manager additionally needs access to Amazon S3 (typically through an S3 gateway endpoint) to download the patch baseline snapshot.
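The following Command document is an added example, not DKB’s document, that checks from the node itself whether these private paths are actually in place before the first patch window. It verifies that the three Systems Manager endpoint names resolve to VPC addresses (the RFC 1918 test and the default region are assumptions, since the page does not give the VPC CIDR), that TCP 443 to them and to Amazon S3 is open, and that the WSUS server configured by Group Policy, if any, is reachable. Run it through Run Command or as a State Manager association; a node that fails any check ends with exit code 1 and shows up as Failed.

```yaml
# Added example Command document (schemaVersion 2.2); not DKB's document.
# The Region default is a PLACEHOLDER; the RFC 1918 test assumes the VPC uses private ranges.
schemaVersion: '2.2'
description: Pre-patch connectivity check for Systems Manager endpoints and WSUS (added example)
parameters:
  Region:
    type: String
    description: PLACEHOLDER - region of the Systems Manager interface endpoints
    default: eu-central-1
mainSteps:
  - action: aws:runPowerShellScript
    name: CheckPatchConnectivity
    inputs:
      timeoutSeconds: '120'
      runCommand:
        - |
          $ErrorActionPreference = 'Stop'
          $region = '{{ Region }}'
          $failures = @()

          # With private DNS enabled on the interface endpoints, the service names must resolve
          # to VPC addresses. A public address means the traffic would leave via NAT or an IGW.
          function Test-PrivateIp([string]$ip) {
            return ($ip -match '^10\.' -or $ip -match '^192\.168\.' -or $ip -match '^172\.(1[6-9]|2\d|3[01])\.')
          }

          foreach ($svc in 'ssm', 'ssmmessages', 'ec2messages') {
            $name = "$svc.$region.amazonaws.com"
            $ips = (Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue).IPAddress
            if (-not $ips) { $failures += "$name does not resolve"; continue }
            foreach ($ip in $ips) {
              if (-not (Test-PrivateIp $ip)) { $failures += "$name resolves to public address $ip (no interface endpoint?)" }
            }
            if (-not (Test-NetConnection -ComputerName $name -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue)) {
              $failures += "$name port 443 unreachable"
            }
          }

          # Patch Manager downloads the patch baseline snapshot from S3. A gateway endpoint keeps
          # the public S3 address but routes it privately, so only reachability is tested here.
          if (-not (Test-NetConnection -ComputerName "s3.$region.amazonaws.com" -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue)) {
            $failures += "s3.$region.amazonaws.com port 443 unreachable (S3 gateway endpoint missing?)"
          }

          # Group Policy stores the WSUS server URL in WUServer; without it the Windows Update
          # Agent needs a path to the public Microsoft Update Catalog instead.
          $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
          $wsus = (Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue).WUServer
          if ($wsus) {
            $uri = [System.Uri]$wsus
            if (-not (Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -InformationLevel Quiet -WarningAction SilentlyContinue)) {
              $failures += "WSUS $wsus unreachable"
            }
          } else {
            Write-Host 'No WSUS configured (WUServer not set); updates will come from Microsoft Update.'
          }

          if ($failures.Count -gt 0) {
            $failures | ForEach-Object { Write-Host "FAIL: $_" }
            exit 1   # Run Command reports the invocation as Failed, so non-compliant nodes are visible
          }
          Write-Host 'All connectivity checks passed.'
```

The document is written in YAML rather than the JSON used elsewhere on this page so that the embedded PowerShell stays readable; Systems Manager accepts either format.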

AWS Systems Manager Automation

Automation, a capability of Systems Manager, helped DKB build solutions to deploy, configure, and manage EC2 resources at scale. Whenever a new EC2 instance is created, Systems Manager Automation runs the selected documents step by step to set up the instance based on the chosen parameters. This removes manual work from tasks such as the following:

Install VSS components to perform application-consistent backups

Installing the VSS components was essential for DKB to perform application-consistent backups, which provide a higher level of data integrity, reliability, and compliance. These backups ensure that critical applications can be restored quickly and accurately, minimizing downtime and reducing the risk of data corruption, which is vital for DKB’s business operations and regulatory obligations.

Application-consistent backups of Windows EC2 instances require the Volume Shadow Copy Service (VSS) components. They are installed from the AWS-managed AwsVssComponents package using the AWS-ConfigureAWSPackage Run Command document, which calls the aws:configurePackage action with the appropriate input parameters.

EC2 Active Directory Domain Join

Active Directory Domain Services (AD DS) provides a robust, scalable, and secure framework for managing users, computers, and resources on a network, making it a cornerstone of IT infrastructure in many organizations. Manually joining thousands of servers to Active Directory (AD) domains is a substantial undertaking that can take a long time, depending on the environment, and improper execution can cause downtime or misconfigurations that affect business operations.

Before an instance can join the domain, it must be configured with the correct proxy settings. Then the AD join is performed so that the instance can be managed through AD.

Using State Manager associations, DKB defines the desired state of its Windows EC2 instances: either joined to an AD domain or unjoined from it. This scales with DKB’s Windows workloads, letting DKB maintain the desired join state for a single Windows EC2 instance or a whole fleet.

The following Automation step runs the join as PowerShell through the AWS-RunPowerShellScript command document. Visit the aws:runCommand action reference to learn more.

    {
      "name": "WindowsJoinDomain",
      "action": "aws:runCommand",
      "onFailure": "Abort",
      "isCritical": true,
      "timeoutSeconds": 600,
      "maxAttempts": 2,
      "inputs": {
        "DocumentName": "AWS-RunPowerShellScript",
        "InstanceIds": [
          "{{instanceIds}}"
        ],
        "Parameters": {
          "commands": [
            "$ipdns = (Get-SSMParameterValue -Name /domain/dns_ip).Parameters[0].Value \n",
            "$domain = (Get-SSMParameterValue -Name /domain/name).Parameters[0].Value \n",
            "$ouPath = (Get-SSMParameterValue -Name /domain/ou_path).Parameters[0].Value \n",
            "$username = (Get-SSMParameterValue -Name /domain/username).Parameters[0].Value \n",
            "$domain_username = \"$username\" \n",
            "$password = (Get-SSMParameterValue -Name /domain/password -WithDecryption $True).Parameters[0].Value | ConvertTo-SecureString -asPlainText -Force \n",
            "$credential = New-Object System.Management.Automation.PSCredential($domain_username,$password) \n",
            "try{",
            "$domainjoined = (Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain \n",
            "$memberdomain = (Get-WmiObject -Class Win32_ComputerSystem).Domain \n",
            "$currentHostname = [System.Net.Dns]::GetHostName() \n",
            "if($domainjoined.ToString() -ne \"True\"){ \n",
            "Write-Host \"instance with hostname $currentHostname is not joined to domain, initializing domain join...\" \n",
            "Add-Computer -DomainName $domain -OUPath $ouPath -Credential $credential -Force -Restart} \n",
            "else{ \n",
            "Write-Host \"already member of domain $memberdomain, nothing to do\"}} \n",
            "Catch{ \n",
            "Write-Host 'An error occurred, see details below, aborting ...' \n",
            "Write-Host ($_.Exception | Format-List -Force | Out-String) \n",
            "Write-Host ($_.InvocationInfo | Format-List -Force | Out-String) \n",
            "exit 1}"
          ]
        }
      }
    }

Two points are worth noting about this step. The domain settings and the join password come from Parameter Store, so the instance profile needs only ssm:GetParameter on the /domain/* paths (plus kms:Decrypt for the SecureString password), and the join account should be a delegated account whose rights are limited to creating computer objects in the target OU rather than a domain administrator. Also, Add-Computer -Restart reboots the node while the command is still running, so the Run Command invocation can end up reported as failed or timed out; the documented alternative is to end the script with exit code 3010, which tells SSM Agent to reboot the node and re-run the script, and the PartOfDomain check at the top keeps that re-run harmless.

Application-specific installations

DKB deploys packages to its Systems Manager managed nodes with Distributor, a capability of AWS Systems Manager. Distributor can install new packages or update existing installations in place, and you can deploy either a specific version or always the latest version of a package. We recommend, and DKB uses, State Manager, another Systems Manager capability, to install packages automatically on new managed nodes.
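As an added example (a CloudFormation snippet, not DKB’s template), this is what such a State Manager association looks like: it keeps a Distributor package installed on every managed node carrying a given tag, and because State Manager applies an association as soon as a new node matching the targets registers, new instances get the package without anyone running a command. The tag key and value, package ARN, version, region, and account ID are placeholders.

```yaml
# Added example (CloudFormation), not DKB's template: a State Manager association that
# installs a Distributor package on every managed node tagged Role=AppServer and keeps
# it there. Tag key/value, package ARN, version, region and account ID are PLACEHOLDERS.
AWSTemplateFormatVersion: '2010-09-09'
Description: Keep an application package installed via State Manager (added example)
Resources:
  AppPackageAssociation:
    Type: AWS::SSM::Association
    Properties:
      AssociationName: install-example-app
      Name: AWS-ConfigureAWSPackage
      Targets:
        - Key: tag:Role
          Values: [AppServer]
      Parameters:
        action: [Install]
        installationType: ['In-place update']
        # The ARN form is what you use when the package is shared from another account
        name: ['arn:aws:ssm:eu-central-1:123456789012:package/example-app']
        # Pinning the version means a new package upload cannot change the fleet without
        # a change to this template; drop the parameter to always take the latest version.
        version: ['1.2.0']
      # Re-evaluated daily, and applied to new nodes as soon as they register with the tag
      ScheduleExpression: rate(1 day)
      ComplianceSeverity: HIGH
      # Stop the rollout early if installs fail, and never touch more than 20% of nodes at once
      MaxErrors: '10%'
      MaxConcurrency: '20%'
```

The association also feeds Systems Manager compliance reporting: a node on which the package is missing or the install fails is reported as non-compliant at the severity set above.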

In this example DKB uses the Automation step InstallSoftwareforASG, which calls the AWS-ConfigureAWSPackage command document:

    {
      "name": "InstallSoftwareforASG",
      "action": "aws:runCommand",
      "onFailure": "Abort",
      "isCritical": true,
      "timeoutSeconds": 600,
      "maxAttempts": 2,
      "inputs": {
        "DocumentName": "AWS-ConfigureAWSPackage",
        "InstanceIds": [
          "{{instanceIds}}"
        ],
        "Parameters": {
          "action": [
            "Install"
          ],
          "installationType": ["In-place update"],
          "name": ["package-name (in same account) or package-ARN (shared from different account)"]
        }
      }
    }
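To show how the pieces fit together, here is an added example of the Automation document that the Lambda function in step 2 of Figure 1 could start: it composes the three tasks from this section (VSS components, domain join, application package) into one runbook. It is not DKB’s document. The role ARN, account ID, Parameter Store paths, and application package name are placeholders; AWS-ConfigureAWSPackage, AWS-RunPowerShellScript, and the AwsVssComponents package are real AWS-managed names. The domain-join step uses exit code 3010 instead of Add-Computer -Restart so that SSM Agent performs the reboot and the step only completes afterwards.

```yaml
# Added example Automation document (schemaVersion 0.3); not DKB's document.
# Items marked PLACEHOLDER are assumptions, not DKB's identifiers.
description: Set up a newly launched Windows instance (added example)
schemaVersion: '0.3'
assumeRole: '{{ AutomationAssumeRole }}'
parameters:
  instanceIds:
    type: StringList
    description: Instance IDs passed in by the launch-event Lambda function
  AutomationAssumeRole:
    type: String
    description: PLACEHOLDER role; needs ssm:SendCommand on these instances and documents only
    default: arn:aws:iam::123456789012:role/WindowsSetupAutomationRole
  AppPackageName:
    type: String
    description: PLACEHOLDER Distributor package name (same account) or package ARN (shared)
    default: example-app
mainSteps:
  # 1. VSS components, so later VSS snapshots are application-consistent
  - name: InstallVssComponents
    action: aws:runCommand
    onFailure: Abort
    isCritical: true
    timeoutSeconds: 600
    maxAttempts: 2
    inputs:
      DocumentName: AWS-ConfigureAWSPackage
      InstanceIds: ['{{ instanceIds }}']
      Parameters:
        action: [Install]
        name: [AwsVssComponents]
  # 2. Domain join. "exit 3010" asks SSM Agent to reboot the node and re-run the script,
  #    so the step finishes only after the reboot; the PartOfDomain check makes the re-run
  #    a no-op. Get-SSMParameterValue is from AWS Tools for PowerShell, which is preinstalled
  #    on AWS Windows AMIs. The /domain/* parameter paths are PLACEHOLDERS.
  - name: WindowsJoinDomain
    action: aws:runCommand
    onFailure: Abort
    isCritical: true
    timeoutSeconds: 900
    maxAttempts: 2
    inputs:
      DocumentName: AWS-RunPowerShellScript
      InstanceIds: ['{{ instanceIds }}']
      Parameters:
        commands:
          - |
            if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
              Write-Host 'already domain joined, nothing to do'
              exit 0
            }
            try {
              $domain = (Get-SSMParameterValue -Name '/domain/name').Parameters[0].Value
              $ouPath = (Get-SSMParameterValue -Name '/domain/ou_path').Parameters[0].Value
              $user   = (Get-SSMParameterValue -Name '/domain/username').Parameters[0].Value
              $secret = (Get-SSMParameterValue -Name '/domain/password' -WithDecryption $true).Parameters[0].Value
              $secure = ConvertTo-SecureString $secret -AsPlainText -Force
              $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user, $secure
              Add-Computer -DomainName $domain -OUPath $ouPath -Credential $cred -Force -ErrorAction Stop
            } catch {
              Write-Host "domain join failed: $($_.Exception.Message)"
              exit 1
            }
            Write-Host 'joined domain, requesting reboot via exit code 3010'
            exit 3010
  # 3. Application package from Distributor (same parameters as InstallSoftwareforASG above)
  - name: InstallApplicationPackage
    action: aws:runCommand
    onFailure: Abort
    isCritical: true
    timeoutSeconds: 600
    maxAttempts: 2
    inputs:
      DocumentName: AWS-ConfigureAWSPackage
      InstanceIds: ['{{ instanceIds }}']
      Parameters:
        action: [Install]
        installationType: ['In-place update']
        name: ['{{ AppPackageName }}']
```

The Lambda function only needs ssm:StartAutomationExecution on this document plus iam:PassRole for the assumed role; everything the steps do on the instances runs under that role, so keeping its policy to ssm:SendCommand scoped to the Auto Scaling group’s instances and the three command documents keeps the blast radius of a compromised function small. The document is in YAML rather than the page’s JSON so the embedded PowerShell stays readable; Systems Manager accepts both.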

Conclusion

Working closely with AWS Professional Services and specialists from the AWS Cloud Operations Technical Field Community, DKB achieved a seamless migration from on-premises infrastructure to AWS. This covered different types of infrastructure and application solutions, including backup, networking, encryption, and Windows and Linux server workloads.

The migration of DKB’s Windows-based workloads to AWS, combined with the effective use of Systems Manager Automation, has let the bank streamline its back-office IT operations significantly. By reducing the manual effort for routine management and maintenance tasks, DKB has cut licensing and infrastructure-tool costs and improved the resiliency and reliability of its migrated systems.

If you are an AWS Enterprise Support customer, contact your AWS account team. Otherwise, contact an AWS representative to learn how we can help accelerate your business.


Mohamed Othman

Mohamed joined AWS in 2020 as a Technical Account Manager, bringing with him 7 years of hands-on AWS DevOps experience and 6 years as a systems operations administrator. He is a member of two Technical Field Communities at AWS (Cloud Operations and Builder Experience), focusing on supporting customers with centralized operations management, CI/CD pipelines, and AI for DevSecOps.

Jan Bauer

Jan has spent 5+ years at AWS in Professional Services as a Cloud Application Architect and Consultant. Jan is interested in serverless computing, machine learning, containers, and everything that involves cloud computing.

Jens Rohloff

Jens is Tech Lead at DKB. He has spent 20+ years in IT across various industries. For the last four years he has been responsible for migrating workloads to the AWS Cloud at DKB. He and his teams build various platforms for VM and container workloads to accelerate cloud adoption.

Nico Kriesel

Nico originally joined DKB Service GmbH (a DKB AG subsidiary) in 2019 as an IT Specialist. In his current role as a Cloud Engineer, he has been involved in the migration of VM-based workloads to AWS.