AWS Management & Governance Blog

Aggregate operational tasks with AWS Systems Manager Explorer and OpsCenter

AWS Systems Manager Explorer is a customizable operations dashboard that reports information about your AWS resources. Explorer displays an aggregated view of operations data (OpsData) for your AWS accounts and across AWS Regions. Explorer provides context into how operational issues are distributed, trend over time, and vary by category.

In this blog post, we explain how AWS Systems Manager Explorer creates an aggregated view of the compliance status of AWS Config rules and operational work items (OpsItems) in your AWS accounts across AWS Regions.

AWS Systems Manager OpsCenter provides a central location where operations engineers and IT professionals can view, investigate, and resolve OpsItems related to AWS resources.

AWS Config is used to assess, audit, and evaluate the configuration of your AWS resources. You can use a set of AWS Config managed rules for common compliance scenarios or you can create your own rules for custom scenarios.

The following diagram shows the architecture of the solution.

The diagram shows the interaction between AWS Config, the creation of rules, the Explorer dashboard, OpsCenter, and OpsItems.

Figure 1: Creating an aggregated view of operational Items with AWS Systems Manager Explorer

Solution overview

In this post, we’ll show you how to perform the following steps:

  • Use Quick Setup in the AWS Systems Manager console to set up Explorer and OpsCenter and create an aggregated view of your operational data across the accounts and AWS Regions in your organization.
  • Create OpsItems automatically with Amazon CloudWatch alarms.
  • Create OpsItems manually through OpsCenter to track and remediate your operational tasks like routine backups, creating an Amazon Machine Image (AMI), and more.
  • Create AWS Config rules. Explorer gathers the compliance status of AWS Config rules and resources in your AWS account.
  • View aggregated operations data in a Systems Manager Explorer dashboard.

Set up Explorer and OpsCenter

You can view Explorer operational data across multiple accounts and Regions from a delegated administrator account in your organization, in addition to the master account in AWS Organizations. This helps you improve security and flexibility by making it possible to dedicate a separate operations account for viewing operations data and investigating issues across your organization. The master account from the organization can now designate one member account in the same organization as a delegated administrator.

The OpsCenter setup is now integrated with the Explorer setup. For more information, see Getting started with Systems Manager Explorer and OpsCenter.

Systems Manager Quick Setup simplifies setup by automating common or recommended tasks across multiple accounts and AWS Regions by integrating with AWS Organizations.

  1. From the left navigation pane in the Systems Manager console, choose Quick Setup, and then choose Create.

Quick Setup provides a Configurations search field where you can search by configuration type, Region, or deployment status and a Create button.

Figure 2: AWS Systems Manager Quick Setup

  2. For Configuration type, choose Host Management, and then choose Next.

Choosing configuration type in AWS Systems Manager Quick Setup

Figure 3: AWS Systems Manager Quick Setup configuration type

  3. On Customize Host Management configuration options, leave the defaults, and then choose Create.

Under Systems Manager, the options to update the SSM Agent every two weeks, collect inventory from instances every 30 minutes, and scan instances for missing patches daily are selected.

Figure 4: Customize Host Management configuration options

You can also follow the steps in the Manage instances using AWS Systems Manager Quick Setup across organizations in AWS Organizations blog post.

The next step is to aggregate OpsData and OpsItems across the Regions and AWS accounts in your organization. To do that, create a resource data sync.

Explorer supports a maximum of five resource data syncs. You can use one resource data sync for all accounts, one for a subset of organizational units (OUs), one for a subset of Regions, and so on.

  1. On Create resource data sync, for Resource data sync name, enter a name (for example, org-datasync).
  2. Under Add accounts, choose Include all accounts from my AWS Organizations configuration.
  3. Under Regions to include, select Include all current and future regions and All regions. You can also choose Regions as appropriate for your requirements.
  4. Choose Create resource data sync.

Create resource data sync page displays values and selections as described in the blog post procedure.

Figure 5: Create resource data sync

You can choose which OpsData sources and widgets to include in your Explorer dashboard. You can use the Category menu to filter OpsData sources by availability, security, cost savings, and governance.

On Configure OpsData sources and widgets, the following OpsData sources are enabled: AWS Config Compliance, OpsCenter OpsItems, Systems Manager Patch Compliance, Amazon EC2, and Systems Manager Inventory.

Figure 6: Configure OpsData sources and widgets

You have now successfully completed the setup of Systems Manager Explorer and OpsCenter.

Create OpsItems with Amazon CloudWatch alarms

You can configure Amazon CloudWatch to create an OpsItem in Systems Manager OpsCenter when an alarm enters the ALARM state. Doing so enables you to quickly diagnose and remediate issues with AWS resources from a single console.

Now you’ll configure an alarm to create an OpsItem if there is a spike in EC2 instance CPU with a CPU metric greater than 70%. The OpsItem includes contextually relevant information, such as the instance name and ID of the monitored AWS resource, alarm details, alarm history, and an alarm timeline graph.

  1. From the left navigation pane of the Amazon CloudWatch console, choose Alarms, and then choose Create alarm.
  2. To create an alarm that will be triggered when the CPU utilization on an EC2 instance is greater than 70%, under Specify metric and conditions, choose Select metric.
  3. On Select metric, choose EC2, and then double-click Per-Instance Metrics to populate all EC2 metrics.
  4. Enter the EC2 instance ID in Per-Instance Metrics search box, choose the CPUUtilization metric, and then choose Select metric.

Select metric displays an instance named web1, its instance ID, and the CPUUtilization metric.

Figure 7: Selecting CloudWatch metric

  5. On Specify metric and conditions, leave the defaults.
  6. Under Conditions, for the threshold value, enter 0.70.

Specifying CloudWatch metric and conditions

Figure 8: Specify CloudWatch metric and conditions

  7. On Configure actions, for Alarm state trigger, choose In alarm.
  8. Under Select an SNS topic, choose Select an existing topic, and then under Send a notification to, enter your email address.
  9. In Systems Manager OpsCenter action, for Severity, choose 2 – High. For Category, choose Availability. Choose Next.

Configure actions page displays options selected as described in the blog post procedure

Figure 9: Systems Manager OpsCenter action

  10. In Add name and description, enter a name for your alarm (for example, High-CPU), and then choose Next.

Under Alarm name, High-CPU is displayed. The optional Alarm description is blank.

Figure 10: Add alarm name

  11. Review the configuration, and then choose Create alarm to complete the setup.
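The same alarm can be created with the CloudWatch PutMetricAlarm API. The following is an added example, not code from the post: it builds the alarm parameters and the OpsCenter action ARN that encodes the severity and category the console asks for in step 9. The Region, account ID, instance ID and SNS topic ARN are placeholders you supply.

```python
"""Added example: build the High-CPU alarm whose action opens an OpsCenter OpsItem."""

OPSITEM_CATEGORIES = ("Availability", "Cost", "Performance", "Recovery", "Security")


def opscenter_action_arn(region, account_id, severity, category):
    """Alarm-action ARN that makes CloudWatch create an OpsItem in OpsCenter.

    Severity (1 = critical ... 4 = low) and category are encoded in the ARN;
    this is what the console's 'Systems Manager OpsCenter action' produces.
    """
    if severity not in (1, 2, 3, 4):
        raise ValueError("OpsItem severity must be 1 (critical) to 4 (low)")
    if category not in OPSITEM_CATEGORIES:
        raise ValueError(f"unknown OpsItem category: {category}")
    return f"arn:aws:ssm:{region}:{account_id}:opsitem:{severity}#CATEGORY={category}"


def high_cpu_alarm_params(instance_id, region, account_id, sns_topic_arn,
                          threshold_percent=70.0):
    """Parameters for cloudwatch.put_metric_alarm() matching the steps above.

    CPUUtilization is reported in Percent, so 70.0 here means 70%.
    Both actions fire when the alarm enters ALARM: the e-mail topic and the
    OpsItem (severity 2 - High, category Availability).
    """
    return {
        "AlarmName": "High-CPU",
        "Namespace": "AWS/EC2",
        "MetricName": "CPUUtilization",
        "Dimensions": [{"Name": "InstanceId", "Value": instance_id}],
        "Statistic": "Average",
        "Period": 300,
        "EvaluationPeriods": 1,
        "Threshold": threshold_percent,
        "ComparisonOperator": "GreaterThanThreshold",
        "AlarmActions": [
            sns_topic_arn,
            opscenter_action_arn(region, account_id, 2, "Availability"),
        ],
    }


def create_alarm(params, region):
    """Create the alarm. Needs boto3 and AWS credentials, so it is not run offline."""
    import boto3  # imported here so the rest of the module works without it

    boto3.client("cloudwatch", region_name=region).put_metric_alarm(**params)
```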

Simulate a CPU load on your EC2 instance that will trigger the high CPU alarm. You can use the cat /dev/random > /dev/null command to simulate high CPU on Linux EC2 instances or consume.exe on Windows EC2 instances.

An OpsItem will be created and displayed in the Explorer dashboard, as shown in Figure 11.

Under OpsData, an OpsItem named CloudWatch alarm - High CPU is in ALARM state is displayed with a severity of 2, a status of open, and a source of CloudWatch alarm.

Figure 11: OpsItem created by CloudWatch alarm

You have successfully created an OpsItem with an Amazon CloudWatch alarm.

Create OpsItems manually through OpsCenter

You can create OpsItems manually for the issues that aren’t automatically created by Amazon EventBridge or CloudWatch alarms. In this section, you’ll create two OpsItems: one for EC2 instance image creation and one for an RDS snapshot.

When you manually create an OpsItem for an impacted AWS resource, collect information about that resource so that you can create an Amazon Resource Name (ARN). If you specify an ARN when you create an OpsItem, OpsCenter creates a deep link to detailed information about the resource.

  1. In the left navigation pane of the AWS Systems Manager console, choose OpsCenter.
  2. On the OpsItems tab, choose Create OpsItem.
  3. Under OpsItem details, enter the following:
    • For Title, enter Create an image for web-1 EC2 instance.
    • For Source, choose EC2.
    • For Priority, choose 3.
    • For Severity, choose 3-Medium.
    • For Category, choose Recovery.
    • For Description, enter Create an image for web-1 EC2 instance.

Create OpsItem page displays values as described in the blog post procedure.

Figure 12: Create OpsItem

  4. Under Related resources, choose Add. For Resource type, choose AWS::EC2::Instance, and then under Resource ID, enter your instance ID. Choose Add to complete the resource association.

Configuring related resources in Create OpsItem

Figure 13: Configuring related resources in Create OpsItem

  5. Choose Create OpsItem to complete the OpsItem creation.

Confirming Create OpsItem

Figure 14: Confirming Create OpsItem

  6. Follow steps 1-5 to create an OpsItem for an RDS snapshot.
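The deep link described above is carried in the OpsItem's operational data under the reserved key /aws/resources. The following is an added example, not code from the post: it builds the ARN for the EC2 instance (and the RDS snapshot from step 6) and the CreateOpsItem parameters that carry it. Region, account ID and resource IDs are placeholders you supply.

```python
"""Added example: create an OpsItem with related-resource deep links."""
import json


def ec2_instance_arn(region, account_id, instance_id):
    """ARN for the AWS::EC2::Instance related resource."""
    return f"arn:aws:ec2:{region}:{account_id}:instance/{instance_id}"


def rds_snapshot_arn(region, account_id, snapshot_id):
    """ARN for a manual RDS DB snapshot (the second OpsItem in this section)."""
    return f"arn:aws:rds:{region}:{account_id}:snapshot:{snapshot_id}"


def ops_item_params(title, source, related_arns, severity="3", priority=3,
                    category="Recovery", description=None):
    """Parameters for ssm.create_ops_item().

    Related resources live in OperationalData under '/aws/resources'; the value is
    a JSON-encoded list of {"arn": ...} objects, which OpsCenter renders as deep
    links. Severity is a string "1"-"4"; Priority is an integer 1-5.
    """
    operational_data = {}
    if related_arns:
        operational_data["/aws/resources"] = {
            "Value": json.dumps([{"arn": arn} for arn in related_arns]),
            "Type": "SearchableString",
        }
    return {
        "Title": title,
        "Description": description or title,
        "Source": source,
        "Priority": priority,
        "Severity": severity,
        "Category": category,
        "OperationalData": operational_data,
    }


def related_arns_of(params):
    """Decode the ARNs back out of a parameter set (handy when reviewing OpsItems)."""
    resources = params.get("OperationalData", {}).get("/aws/resources", {})
    return [item["arn"] for item in json.loads(resources.get("Value", "[]"))]


def create_ops_item(params, region):
    """Submit the OpsItem. Needs boto3 and AWS credentials, so it is not run offline."""
    import boto3  # imported here so the rest of the module works without it

    return boto3.client("ssm", region_name=region).create_ops_item(**params)["OpsItemId"]
```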

You now have three OpsItems. One was created through a CloudWatch alarm. Two were created manually.

OpsCenter dashboard shows three open and in progress OpsItems: CloudWatch Alarm, RDS, and EC2.

Figure 15: Open OpsItems in OpsCenter dashboard

Create AWS Config rules

To aggregate AWS Config rules and resource compliance into Explorer, use the AWS Config console, AWS CLI, or the AWS Config SDKs to set up the service.

In this section, you’ll create five AWS Config managed rules: s3-bucket-server-side-encryption-enabled, s3-bucket-versioning-enabled, rds-instance-deletion-protection-enabled, dynamodb-pitr-enabled, and eip-attached (which flags Elastic IP addresses that are not attached to an instance or network interface).

  1. Sign in to the AWS Config console and choose Get started.
  2. Under Settings, leave the defaults. Under Amazon SNS topic, choose Create a topic, and then choose Next.

Settings page includes General settings where Record all resources supported in this region is selected. Under AWS Config role, Use an existing AWS Config service-linked role is selected. Under Delivery method, Create a bucket is selected. Under Amazon SNS topic, Stream configuration changes and notifications to an Amazon SNS topic is selected.

Figure 16: AWS Config settings

  3. Under Rules, search for s3-bucket-server-side-encryption-enabled as shown in Figure 17, and then choose Next.

Under AWS Managed Rules, the search field displays s3-bucket-server-side-encryption-enabled.

Figure 17: Searching for S3 bucket server-side encryption enabled AWS Config rule

  4. On the Review page, review the rules, and then choose Confirm.

Confirming AWS Config rule creation.

Figure 18: Review AWS Config rule

  5. Repeat steps 1-4 for the s3-bucket-versioning-enabled, rds-instance-deletion-protection-enabled, dynamodb-pitr-enabled, and eip-attached rules.
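The same five managed rules can be created through the AWS Config PutConfigRule API, and the counts Explorer shows can be reproduced from DescribeComplianceByConfigRule. The following is an added example, not code from the post: the rule identifiers are the AWS managed rule source identifiers, and the compliance response is a constructed sample.

```python
"""Added example: define the five managed rules and roll up their compliance."""

# AWS managed rule identifiers (Source.SourceIdentifier) for the rules in this post.
MANAGED_RULES = {
    "s3-bucket-server-side-encryption-enabled": "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED",
    "s3-bucket-versioning-enabled": "S3_BUCKET_VERSIONING_ENABLED",
    "rds-instance-deletion-protection-enabled": "RDS_INSTANCE_DELETION_PROTECTION_ENABLED",
    "dynamodb-pitr-enabled": "DYNAMODB_PITR_ENABLED",
    "eip-attached": "EIP_ATTACHED",
}

def config_rule_definition(name):
    """ConfigRule structure for config.put_config_rule(ConfigRule=...)."""
    return {
        "ConfigRuleName": name,
        "Source": {"Owner": "AWS", "SourceIdentifier": MANAGED_RULES[name]},
    }

def compliance_summary(compliance_by_rule):
    """Roll up a DescribeComplianceByConfigRule result (its ComplianceByConfigRules
    list) into the counts Explorer's Config widget shows. Only noncompliant rules
    carry a contributor count, so compliant resources cannot be counted here."""
    summary = {"compliant_rules": 0, "noncompliant_rules": 0, "noncompliant_resources": 0}
    for entry in compliance_by_rule:
        compliance = entry["Compliance"]
        if compliance["ComplianceType"] == "NON_COMPLIANT":
            summary["noncompliant_rules"] += 1
            count = compliance.get("ComplianceContributorCount", {})
            summary["noncompliant_resources"] += count.get("CappedCount", 0)
        elif compliance["ComplianceType"] == "COMPLIANT":
            summary["compliant_rules"] += 1
        # INSUFFICIENT_DATA / NOT_APPLICABLE rules are counted on neither side.
    return summary

def put_rules(region):
    """Create all five rules. Needs boto3 and AWS credentials, so not run offline."""
    import boto3  # imported here so the rest of the module works without it
    client = boto3.client("config", region_name=region)
    for name in MANAGED_RULES:
        client.put_config_rule(ConfigRule=config_rule_definition(name))

# Constructed sample response: all five rules noncompliant, 12 resources in total,
# the same picture as the dashboard in Figure 20.
SAMPLE_COMPLIANCE = [
    {"ConfigRuleName": name,
     "Compliance": {"ComplianceType": "NON_COMPLIANT",
                    "ComplianceContributorCount": {"CappedCount": n, "CapExceeded": False}}}
    for name, n in zip(MANAGED_RULES, (3, 2, 4, 1, 2))
]
```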

You can now see the AWS Config rules compliance summary in the console. The Explorer dashboard will display the AWS Config compliance summary and the associated resource information.

AWS Config rules compliance summary

Figure 19: AWS Config rules compliance summary

For more information, see the AWS Config Rules – Dynamic Compliance Checking for Cloud Resources blog post.

View aggregated operations data in Systems Manager Explorer

After you complete the steps in this post, you can see an aggregated view of all of your operations data, such as OpsItems created through OpsCenter, OpsItems created through CloudWatch alarms, and the AWS Config rules compliance summary, in the Explorer dashboard, as shown here.

Explorer dashboard displays 3 open and 3 unresolved OpsItems. It also displays 0 compliant config rules and 5 noncompliant config rules and 0 compliant resources and 12 noncompliant resources.

Figure 20: AWS Systems Manager Explorer dashboard

Conclusion

In this blog post, we showed you how to create OpsItems manually through OpsCenter and automatically through CloudWatch alarms. We showed you how to configure AWS Config rules and view a rules compliance summary in the Explorer dashboard.

Using the information in this post, you can now build your own aggregated view of all your AWS resources across AWS Regions by using AWS Systems Manager Explorer. For more information about AWS Systems Manager features, see the AWS Systems Manager User Guide.

The following blog posts show you how to use AWS Systems Manager Automation runbooks to resolve OpsItems and remediate noncompliant AWS Config rules:

About the authors

Raghavarao Sodabathina

Raghavarao Sodabathina is an Enterprise Solutions Architect at AWS. His areas of focus are data analytics, AI/ML, and the serverless platform. He engages with customers to create innovative solutions that address customer business problems and accelerate the adoption of AWS services. In his spare time, Raghavarao enjoys spending time with his family, reading books, and watching movies.

Rajat Mathur

Rajat Mathur is an Enterprise Solutions Architect at AWS. Rajat is a passionate technologist who enjoys building innovative solutions for AWS customers. His areas of focus are IoT, networking, and serverless computing. In his spare time, Rajat enjoys long drives, traveling, and cooking.