AWS Cloud Operations Blog
Automating account administration using AWS Systems Manager
This post focuses on one way Dedalus, an AWS Premier Consulting Partner based out of Brazil, maintains agility and control over their customer environments, by using AWS Systems Manager Automation to simplify everyday administration tasks and perform configuration management at scale on Amazon EC2 instances.
Dedalus, an AWS Premier Consulting Partner based in Brazil, who is also a managed services provider with decades of systems integrator expertise, has been helping Enterprise companies successfully navigate their cloud journeys. As a service provider, Dedalus continuously looks for ways to move the needle when it comes to innovation, operational excellence, and security. This was such the case when the company was looking for an effective way of managing customer environments in the AWS Cloud.
There were various objectives Dedalus wanted to address as part of their cloud management strategy in AWS, including reducing privileged access to customer resources, robust monitoring and logging with automated notifications when issues arose, and the ability to automate account administration so engineers could focus on innovation to further benefit their customers.
Overview
To manage customer environments at scale, Dedalus has a repeatable and consistent configuration management process. When onboarding new customer accounts, it is important that all necessary components for the customer are installed safely using AWS Systems Manager Run Command being executed from custom Automation Documents, with monitoring in place to ensure successful progress, with a recovery process, if needed.
Prior to automating administrations tasks, operations staff were required to maintain multiple scripts to administer each of their customer environments, with administrator access to the environments because the scripts ran in the operating system run time. These scripts were run manually, which resulted in staff spending time to ensure the successful completion of the configuration tasks and if issues were encountered, time consuming recovery procedures.
When moving the administration tasks to AWS Systems Manager Automation, privileges were restricted to Automation Document execution, because the Document has the ability to assume a role with the appropriate permissions to execute administration tasks. Additionally, prior to making any changes, an AMI of the changed instances are created, so that the recovery process can be less effort intensive.
By leveraging AWS Systems Manager Automation, which integrates with other AWS services, logging of all the executions can be stored and archived into Amazon Simple Storage Service (S3) or stream to Amazon CloudWatch Logs, which are used for notifications of any execution failures. Also, auditing capabilities were enhanced because access to the AWS service APIs are tracked, and the potential for human error was reduced because all administrative tasks are automated.
Solution
Dedalus uses multiple custom Systems Manager Automation documents, one targeted for each operating system platform that needs support, mainly for additional flexibility and less reliance on a single Automation Document:
- Windows – Using PowerShell for configuration management.
- Linux – Using a combination of Linux shell scripts and Ansible playbooks.
These Automation documents install and configure the components needed to maintain various customer specific software and required monitoring services, including the Amazon CloudWatch agent.
Additional benefits gained by using Systems Manager Automation include:
- Managing the distribution and execution of the scripts efficiently, managing the code centrally, and having a secure and scalable deployment mechanism with appropriate logging levels.
- Executing the commands across more than one thousand customer environments without the need to grant the operations team privileges to the underlying infrastructure.
- Retaining execution logs for future auditing and dashboarding.
- Being flexible to target customer environments in various ways, for example resource tags and resource groups.
- Sending notifications for failed executions for quick troubleshooting.
- Focusing on more complex engineering problems, as opposed to repetitive administrative tasks.
·
Summary
This solution is just one of the ways Dedalus innovates for its customers while maintaining an appropriate level of governance, repeatable best practices, and standardization across more than a thousand customer environments. As a long-standing AWS Premier Partner, Dedalus continues to use Systems Manager Automation to evolve its DevOps practice and enhance the level of service that it provides its customers.
To learn more about Running Automation Workflows in Multiple AWS Regions and Accounts, please visit AWS documentation or read the Centralized multi-account and multi-Region patching with AWS Systems Manager Automation blog for a practical example.