Amazon EC2 Systems Manager

Q: What is Amazon EC2 Systems Manager?

Amazon EC2 Systems Manager is a flexible and easy-to-use management service that enables enterprises to securely manage and administer their workloads, running on-premises or in AWS, using a single unified AWS experience. EC2 Systems Manager is designed to be highly automation-focused, enabling configuration and management of instances at large scale while keeping automation artifacts simple to write and maintain.

Q: How do I get started with EC2 Systems Manager?

The best way to get started is to ensure your instance has met the necessary requirements in our Getting Started Guide. Once you've confirmed the requirements have been met, you can access the various EC2 Systems Manager capabilities from the left navigation bar in the EC2 Management Console or use the AWS SDKs and AWS Command Line Interface.

Q: Which operating systems does EC2 Systems Manager support?

EC2 Systems Manager is optimized to manage both Windows and Linux platforms from a single unified experience. Refer to Supported Operating Systems for more details on managing on-premises systems.

Q: Does EC2 Systems Manager manage instances running on-premises?

Yes, EC2 Systems Manager supports managing instances that are running in on-premises data centers. Refer to EC2 Systems Manager Prerequisites for more details.

Q: In which AWS regions is EC2 Systems Manager available?

EC2 Systems Manager is available in multiple public regions. Refer to AWS Regions and Endpoints for a complete list of supported regions.

Q: How much does EC2 Systems Manager cost?

There is no charge for EC2 Systems Manager.

Run Command

Q: What is Run Command?

Run Command is a feature of EC2 Systems Manager that provides a simple and secure way to remotely execute commands or run scripts against EC2 instances or on-premises servers, all from the EC2 API, CLI, or console. With Run Command, you can perform commands which make it easy to accomplish common administrative tasks like installing software, executing scripts, making configuration changes, and more.

Q: Who should use Run Command?

Run Command is designed for developers, system administrators, and other IT professionals who need to remotely manage their EC2 instances in a secure, reliable, and scalable way.

Q: Does AWS provide any predefined commands?

Yes. There are predefined commands available which are designed to help with commonly used administrative tasks. For Windows you can run a PowerShell command or script, configure Windows Update settings, deploy an MSI application, and more. For Linux you can run any shell command or script, and remotely update the installed agent.

Q: Can I create my own commands?

Yes. Run Command allows you to easily create custom commands to perform common tasks required for your environment.

Q: What other types of commands or script can I run?

You can run any command or script that you can type into a command window on your EC2 instances.

Q: Can I send the same command to multiple EC2 instances at once?

Yes. You can easily issue a command to a fleet of instances by providing a list of instances when issuing a command.

Q: Can I retrieve the history of commands run against my instances?

Yes. Run Command keeps the output for each command for 30 days. In addition, you can have Run Command store a copy of all log files in Amazon S3 or capture the output of your commands using AWS CloudTrail.

Q: Can I control who can execute a command?

Yes. Using the published AWS Identity and Access Management (IAM) permissions and policies, you can control who has access to execute commands or documents on specific instances. For example, you can specify an IAM user who can run PowerShell commands, but not join an instance to a domain. Another IAM user can only be given access to run a very specific command like restarting services, giving you the flexibility to specify how much access any given user can have.

Q: Can I check the status of a running command?

Run Command provides the status of a command for each instance it is running on. All of this can be retrieved from the AWS CLI, SDK, or the EC2 Management Console.

State Manager

Q: What is State Manager?

State Manager automates the process of defining and maintaining a consistent configuration of OS and applications across your entire fleet of systems, for example configuring and enforcing firewall policies, or keeping anti-malware definitions current. Through reapplication of your configuration policies, State Manager ensures that your systems are always compliant with your enterprise policies.

Q: Why should I use State Manager?

Businesses are moving towards automated IT with applications across environments and locations, including on AWS and in on-premises data centers. However, ensuring that the infrastructure powering your applications is consistent is a challenge. State Manager allows you to create policies, reapply these policies to prevent configuration drift, and monitor the status of your intended state.

Q: How do I create my policies?

Policies can be easily created through Systems Manager Documents. In addition, predefined configurations are available that you can use for installing applications, joining instances to a domain, and so on.

Q: What are the targets that can be configured?

You can target instances directly or by tag. This means that groups of instances, such as web servers, can each have their own specific configuration.

Patch Manager

Q: What is Patch Manager?

Patch Manager is a new automation-focused patching service which makes it easy for customers to keep their Windows instances up to date. Patch Manager helps you streamline your patching process through the implementation of built-in best practices, such as maintenance windows and dynamic patch approval policies.

Q: How do I specify when I would like to patch an instance?

You use Maintenance Windows to define when patching occurs. Maintenance Windows are a new feature of EC2 which provide you the ability to define one or more recurring windows of time during which it is acceptable for your own maintenance to occur. By defining these windows and associating your instances with them, it is easier for you to ensure that any maintenance activities you perform on your instances which may impact the availability of a workload take place during a well-defined window of time. Maintenance windows make it easy to schedule when you would like your own Run Command tasks to occur.

Q: How do I customize the patching process?

Patch Manager leverages Run Command to provide a fully automated patching process. While Patch Manager provides a pre-built Run Command document, you can easily customize the patching process by writing your own Run Command document. For example, you can stop an NT service before rolling out the patches.

Q: What types of patches can I install with the Patch Manager?

Patch Manager supports the patching of Windows-based instances, and provides the ability to select and deploy patches for Windows Server 2008 through Windows Server 2016 and Windows 7 through Windows 10.

Q: How do I pick the patches I want to install?

Patch Manager provides you with the ability to create Patch Baselines, which define the set of patches you have approved or blocked for deployment to your instances. In a Patch Baseline, you select patches by product (e.g. Windows Server 2008, Windows Server 2012, etc.), category (e.g. Critical Updates, Security Updates, etc.) and severity to define which patches you would like to review for deployment. For each category selected, you can then define a schedule on which the contained patches will be automatically approved for distribution. In addition to the rules, you can also specify a whitelist and a blacklist of patches, which indicate patches that are to be installed or blocked respectively. At the time of patching, Patch Manager will assess targeted instances for only the patches that have been approved prior to that point in time.
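The approval logic described in this answer, written out as a small model so the interaction between rules, the delay schedule, the whitelist, the blacklist and the "approved prior to that point in time" cut-off can be checked on sample data. This is an added example, not AWS code and not the Patch Manager implementation; the product, classification and severity strings, the KB identifiers and the release dates are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed example (not AWS code): a model of the Patch Baseline logic the
# FAQ describes. Approval rules match on product, classification and severity
# and approve a patch a fixed number of days after release; an explicit
# approved list approves at release; an explicit rejected list always wins.
# KB ids, product/classification/severity strings and dates are made up.

@dataclass(frozen=True)
class Patch:
    kb: str
    product: str
    classification: str
    severity: str
    released: date

@dataclass
class ApprovalRule:
    products: frozenset
    classifications: frozenset
    severities: frozenset
    approve_after_days: int  # the "schedule": days after release before auto-approval

    def matches(self, p):
        return (p.product in self.products
                and p.classification in self.classifications
                and p.severity in self.severities)

@dataclass
class PatchBaseline:
    rules: list
    approved_patches: set = field(default_factory=set)  # explicit whitelist
    rejected_patches: set = field(default_factory=set)  # explicit blacklist

    def approval_date(self, p):
        """Earliest date on which the patch is approved, or None if it never is.
        A rejected patch stays blocked even if a rule or the whitelist matches it."""
        if p.kb in self.rejected_patches:
            return None
        if p.kb in self.approved_patches:
            return p.released
        dates = [p.released + timedelta(days=r.approve_after_days)
                 for r in self.rules if r.matches(p)]
        return min(dates) if dates else None

    def approved_as_of(self, available, when):
        """KB ids Patch Manager would assess when patching on `when`: only patches
        whose approval date falls on or before that day."""
        result = []
        for p in available:
            d = self.approval_date(p)
            if d is not None and d <= when:
                result.append(p.kb)
        return sorted(result)

# Sample baseline: auto-approve Critical/Important security and critical updates
# for Windows Server 2012 R2 seven days after release, whitelist one optional
# update, and block one known-bad patch.
BASELINE = PatchBaseline(
    rules=[ApprovalRule(frozenset({"WindowsServer2012R2"}),
                        frozenset({"SecurityUpdates", "CriticalUpdates"}),
                        frozenset({"Critical", "Important"}),
                        approve_after_days=7)],
    approved_patches={"KB-SAMPLE-0004"},
    rejected_patches={"KB-SAMPLE-0003"},
)

# Constructed catalogue of candidate patches.
PATCHES = [
    Patch("KB-SAMPLE-0001", "WindowsServer2012R2", "SecurityUpdates", "Critical", date(2017, 1, 1)),
    Patch("KB-SAMPLE-0002", "WindowsServer2012R2", "SecurityUpdates", "Moderate", date(2017, 1, 1)),
    Patch("KB-SAMPLE-0003", "WindowsServer2012R2", "CriticalUpdates", "Critical", date(2017, 1, 1)),
    Patch("KB-SAMPLE-0004", "WindowsServer2012R2", "Updates", "Low", date(2017, 1, 5)),
    Patch("KB-SAMPLE-0005", "WindowsServer2016", "SecurityUpdates", "Critical", date(2017, 1, 1)),
]

if __name__ == "__main__":
    for when in (date(2017, 1, 7), date(2017, 1, 8)):
        print(when, BASELINE.approved_as_of(PATCHES, when))
```

Running it shows why the cut-off matters: a patch released on 1 January under a seven-day rule is invisible to a maintenance window that fires on 7 January and only becomes installable from 8 January, while the blacklisted patch never appears regardless of how the rules match it.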

Q: How do I track the compliance levels of my instances?

With Patch Manager you can view patch compliance information which tells you the detailed results of the patching process. From the EC2 Management Console or API you can easily get aggregate compliance details per instance. In addition, you can drill in further and, for each instance, determine which patches are installed, missing, or not applicable, and which failed to install.

Inventory

Q: What is Inventory?

The Inventory capability in EC2 Systems Manager provides visibility into an instance's software catalog and configuration. You can set up Inventory to gather detail on a variety of instance attributes such as installed applications, AWS components and agents, network configuration, OS details, and more. Then use the powerful query feature to assess compliance and identify instances in need of remediation across your fleet.

Q: Who should use Inventory?

IT administrators and DevOps professionals will find this capability useful in understanding the configuration and composition of their fleets. Users can quickly determine which instances are missing a patch or are running an outdated application version. Similarly, admins can run licensing audits to understand software usage. The net result is that systems administrators are better able to troubleshoot issues and assess security posture.

Q: Can I customize the information gathered by the Inventory?

Yes, you can create your own custom Inventory types and effectively extend Inventory's schema. For example, you can configure your instance to gather additional OS and CIM details, or record items like rack location and in-service date for on-premises servers.

Q: How can I track changes to my configuration over time?

Using AWS Config, you can monitor an instance's compliance with a desired configuration through Config Rules. This capability allows security experts and compliance auditors to have a complete audit trail of instance configuration changes, as well as receive proactive notifications in the event of non-compliance.

Automation

Q: What is Automation?

The Automation capability in EC2 Systems Manager simplifies the process of building and maintaining Amazon Machine Images (AMIs). This provides you a repeatable process to apply patches, application updates, and other changes to your AMIs.

Q: What tasks can I automate?

AMI maintenance is greatly simplified by the Automation feature of Systems Manager, allowing you to patch, update agents, or bake in applications using a streamlined, repeatable, and auditable process. Alternatively, you can use Run Command and AWS Lambda in your workflows to orchestrate the configuration and management of instances and other AWS resources at scale.

Parameter Store

Q: What is Parameter Store?

Parameter Store makes it easy for you to store, reference, and control access to your configuration parameters and sensitive information such as connection strings and administrator passwords.

Q: Why should I use Parameter Store?

You can use Parameter Store to quickly store and reference configuration and sensitive information. Rather than storing data in config files or referencing them in plain text, you can leverage Parameter Store to obtain this information in your applications or scripts. Additionally, you control who has access to parameters so that only the right set of users have access to the appropriate information.

Q: How do you store sensitive data?

A secure string is any sensitive data that needs to be stored and referenced in a secure manner. If you have data that you do not want users to reference in clear text, or data that could be tampered with or misused, you should use secure strings in Parameter Store. You can encrypt your sensitive data using your own AWS Key Management Service (KMS) key or the default key that KMS provides for your account.

Q: From which services can I reference my parameters?

You can easily reference your parameters across EC2 Systems Manager services such as Run Command, State Manager and Automation.

Q: Can I track usage and provide access control to specific parameters?

Yes, you can provide granular access control through customized permissions to users and resources (such as instances) for parameter access using AWS IAM. This means you can control who can access which parameter on what resource. Additionally, you can track and audit parameter API calls using AWS CloudTrail.
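The two access-control answers above, for Run Command (one user may run PowerShell but not join a domain, another may only restart a service) and for Parameter Store (who may read which parameter), both come down to IAM policies whose Resource lists name the document, instance and parameter ARNs involved. The example below is added here and is not AWS code: it writes two such least-privilege policies and a deliberately small evaluator that applies IAM's rule that an explicit Deny wins and every resource in a request otherwise needs an explicit Allow. The account ID, region, instance IDs, the custom document name "Restart-WebService" and the parameter paths are placeholders; the evaluator ignores Condition blocks, principals and resource-based policies, so it illustrates the resource-matching logic only.

```python
import fnmatch

# Constructed example (not AWS code). Account, region, instance IDs, the custom
# document "Restart-WebService" and the parameter names are placeholders.
ACCOUNT = "123456789012"
REGION = "us-east-1"

def doc_arn(name, aws_owned=False):
    # AWS-owned documents (AWS-*) carry no account ID in their ARN; customer
    # documents do, so a policy can distinguish the two.
    return f"arn:aws:ssm:{REGION}:{'' if aws_owned else ACCOUNT}:document/{name}"

def instance_arn(instance_id):
    return f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/{instance_id}"

def parameter_arn(name):
    # Parameter ARNs omit the leading slash of the parameter path.
    return f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/{name}"

# User who may run PowerShell on any instance but is explicitly barred from the
# domain-join document, so a broader Allow attached later cannot re-open it.
POWERSHELL_OPERATOR = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ssm:SendCommand",
         "Resource": [doc_arn("AWS-RunPowerShellScript", aws_owned=True),
                      instance_arn("*")]},
        {"Effect": "Deny", "Action": "ssm:SendCommand",
         "Resource": doc_arn("AWS-JoinDirectoryServiceDomain", aws_owned=True)},
    ],
}

# User who may only run one custom document against two named web instances and
# may only read parameters under /prod/web/.
SERVICE_RESTARTER = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ssm:SendCommand",
         "Resource": [doc_arn("Restart-WebService"),
                      instance_arn("i-0web00000000001"),
                      instance_arn("i-0web00000000002")]},
        {"Effect": "Allow", "Action": ["ssm:GetParameter", "ssm:GetParameters"],
         "Resource": parameter_arn("prod/web/*")},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    # fnmatchcase also treats '[...]' specially, which never occurs in these ARNs.
    return fnmatch.fnmatchcase(value, pattern)

def is_allowed(policy, action, resources):
    """True only if every requested resource matches an Allow and none matches a Deny.
    SendCommand is authorised against the document *and* each target instance."""
    for resource in resources:
        allowed = False
        for stmt in policy["Statement"]:
            if not any(_match(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit deny overrides any allow
            allowed = True
        if not allowed:
            return False  # implicit deny: no statement allowed this resource
    return True

if __name__ == "__main__":
    web1 = instance_arn("i-0web00000000001")
    print(is_allowed(POWERSHELL_OPERATOR, "ssm:SendCommand",
                     [doc_arn("AWS-RunPowerShellScript", True), web1]))      # True
    print(is_allowed(POWERSHELL_OPERATOR, "ssm:SendCommand",
                     [doc_arn("AWS-JoinDirectoryServiceDomain", True), web1]))  # False
    print(is_allowed(SERVICE_RESTARTER, "ssm:GetParameters",
                     [parameter_arn("prod/admin/password")]))                  # False
```

One caveat worth keeping in mind when the parameter is a secure string: reading it with decryption also requires kms:Decrypt on the KMS key that encrypted it, so the parameter ARN grant above is necessary but not sufficient on its own, and the KMS key policy is a second place to apply the same least-privilege thinking.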

Maintenance Windows

Q: What is a maintenance window?

Maintenance windows are a feature of EC2 Systems Manager which provides you the ability to define one or more recurring windows of time during which it is acceptable for any disruptive operation to occur. By defining these windows and associating your instances with them, it is easier for you to ensure that any maintenance activities you perform on your instances which may impact the availability of a workload take place during a well-defined window of time.

Q: Why should I use maintenance windows?

Maintenance windows help improve availability and reliability of your workloads by automatically performing tasks in a well-defined window of time, significantly reducing the impact of any operational or infrastructure failures.

Q: What types of tasks can I schedule in a maintenance window?

Currently, you can only schedule Run Command-based tasks in a maintenance window.

Q: What are the types of schedules I can choose for my maintenance windows?

Maintenance windows can be scheduled for a recurring date (e.g. weekly on Tuesdays at 22:00:00, or the 1st Sunday of every month at 22:00:00). You can define your schedule using a cron or rate expression.
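The two schedules named above expressed as expressions, together with a parser that validates them and computes the next firing time, so a schedule can be sanity-checked before a window is created. This is an added example, not AWS code: it implements only the subset of the six-field Systems Manager cron format that those two schedules need (numeric minutes and hours, ?/* for day-of-month, * for month and year, and a day-of-week name optionally suffixed with #n for the nth weekday of the month) plus rate expressions, and the exact cron strings are this example's rendering of the FAQ's wording, not text from the page.

```python
import re
from datetime import datetime, timedelta

# Constructed example (not AWS code). Supports the subset of the maintenance
# window cron format needed for "weekly on Tuesdays at 22:00" and "1st Sunday
# of every month at 22:00": cron(minutes hours day-of-month month day-of-week year).
_DOW = {"SUN": 6, "MON": 0, "TUE": 1, "WED": 2, "THU": 3, "FRI": 4, "SAT": 5}  # datetime.weekday() numbering

def parse_rate(expr):
    """rate(N minutes|hours|days) -> timedelta between runs."""
    m = re.fullmatch(r"rate\(\s*(\d+)\s+(minutes?|hours?|days?)\s*\)", expr.strip())
    if not m:
        raise ValueError(f"not a rate expression: {expr!r}")
    n, unit = int(m.group(1)), m.group(2).rstrip("s") + "s"
    if n < 1:
        raise ValueError("rate value must be positive")
    return timedelta(**{unit: n})

def parse_cron(expr):
    """Validate the supported subset and return the parts next_cron_run needs."""
    m = re.fullmatch(r"cron\((.+)\)", expr.strip())
    fields = m.group(1).split() if m else []
    if len(fields) != 6:
        raise ValueError(f"expected cron(...) with 6 fields: {expr!r}")
    minute, hour, dom, month, dow, year = fields
    if not (minute.isdigit() and 0 <= int(minute) <= 59
            and hour.isdigit() and 0 <= int(hour) <= 23):
        raise ValueError("only a numeric minute (0-59) and hour (0-23) are supported here")
    if dom not in ("?", "*") or month != "*" or year != "*":
        raise ValueError("only ?/* day-of-month, * month and * year are supported here")
    dm = re.fullmatch(r"([A-Z]{3})(?:#([1-5]))?", dow)  # e.g. TUE or SUN#1
    if dow not in ("*", "?") and not (dm and dm.group(1) in _DOW):
        raise ValueError(f"unsupported day-of-week field: {dow!r}")
    return {
        "minute": int(minute),
        "hour": int(hour),
        "weekday": _DOW[dm.group(1)] if dm else None,
        "nth": int(dm.group(2)) if dm and dm.group(2) else None,
    }

def next_cron_run(expr, after):
    """First firing of `expr` strictly after `after`, scanning day by day (up to 400 days)."""
    spec = parse_cron(expr)
    day = after.replace(hour=0, minute=0, second=0, microsecond=0)
    for _ in range(400):
        weekday_ok = spec["weekday"] is None or day.weekday() == spec["weekday"]
        # "nth weekday of the month": day 1-7 is the 1st, 8-14 the 2nd, and so on.
        nth_ok = spec["nth"] is None or (day.day - 1) // 7 + 1 == spec["nth"]
        candidate = day.replace(hour=spec["hour"], minute=spec["minute"])
        if weekday_ok and nth_ok and candidate > after:
            return candidate
        day += timedelta(days=1)
    raise ValueError("no occurrence found within 400 days")

def next_rate_run(expr, last_run):
    return last_run + parse_rate(expr)

if __name__ == "__main__":
    now = datetime(2017, 1, 1, 0, 0)  # constructed reference time (a Sunday)
    print("weekly Tuesday 22:00     ->", next_cron_run("cron(0 22 ? * TUE *)", now))
    print("1st Sunday monthly 22:00 ->", next_cron_run("cron(0 22 ? * SUN#1 *)", now))
    print("every 7 days             ->", next_rate_run("rate(7 days)", now))
```

The day-by-day scan is deliberate: it keeps the "nth weekday" rule trivially correct across month boundaries, which is exactly the case that is easy to get wrong when a window is meant to fire once a month and instead fires on the first Sunday of some months and the second of others.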