AWS Systems Manager (SSM) is an AWS managed service that you can use to take automated control over your cloud infrastructure. It helps you stay compliant with security requirements by scanning and patching your managed nodes and reporting policy violations when they are detected. The service offers a complete and powerful set of tools for daily operational tasks: defining a central configuration for a group of resources, scheduling maintenance and deployment operations, and connecting to EC2 instances securely without exposing them to the internet.
The time that passes between a problem appearing and someone being notified to fix it is critical. The AWS Systems Manager State Manager feature is a scalable and secure configuration service that automates the process of keeping Amazon EC2 instances and on-premises VMs in a compliant state defined by the customer.
Compliance policies can be defined in JSON or YAML format. Third-party configuration tools such as Ansible playbooks or Chef are supported to control how and when a configuration is applied and maintained.
AWS provides a wide range of services for building a flexible and scalable environment. As a Managed Service Provider, Storm Reply uses AWS Systems Manager Run Command and AWS Systems Manager Automation to maintain the configuration and perform common tasks on IaaS environments.
The former allows our Operations team to deploy, install and bootstrap applications inside EC2 instances in a secure and automated fashion, without needing to log in to the server. The power of these services is that you define a task and the group of resources on which to run it, and the same configuration is applied to all of them.
AWS Systems Manager Automation, instead, is used to define playbooks for administrative tasks that can carry out complex processes across scalable infrastructures. Security also benefits, because human interaction is removed and complex, common IT activities are simplified.
AWS Systems Manager Inventory provides visibility into Amazon EC2 and on-premises instances by collecting metadata from them.
All server information, for example OS, running applications, services and networking, is stored centrally in an Amazon S3 bucket and then made available to other Amazon services such as Amazon Athena and Amazon QuickSight for querying and analysis. The service can be configured to work cross-region and cross-account in order to have a single dashboard with a complete overview of the infrastructure.
Hybrid environments, where the infrastructure is shared between AWS and on-premises or other public clouds, are the most challenging scenarios to keep under control. AWS Systems Manager helps to achieve this task.
Once on-premises VMs, or VMs running in other public clouds, are registered through the previously installed SSM Agent, they can be managed and monitored like any other AWS resource. This lets you take advantage of all the AWS SSM services described above through a single control plane that orchestrates administration tasks.
AWS SSM Patch Manager service simplifies your operating system patching process for both Linux and Windows managed instances.
The primary focus is operating-system security updates, but Linux application packages and Microsoft application patches for Windows are also available. You can easily define which patches to apply, to which group of instances, and when, by defining a maintenance window.
Storm Reply has developed a set of best practices around the AWS Systems Manager service, leveraging our experience in managing complex environments. In recent years we have improved and acquired competences in configuring and maintaining scalable environments using AWS SSM features.
Keeping your cloud environment updated is one of the primary and most common requirements, but the task quickly becomes complex for an operations team once the infrastructure grows large.
Following cloud governance best practices, every resource provisioned in the AWS account is tagged. Leveraging AWS Systems Manager Inventory, servers are grouped by project, environment and OS type tags to get a clear overview of the managed instances. Patch baselines are defined on these groupings and run continuously against the fleet of managed instances, updating the security posture of the cloud landscape in the SSM Inventory service. These data are then exported to an Amazon QuickSight dashboard that maintains a bird's-eye view of the patch status of your cloud environment at all times.
According to the maintenance window agreed with the customer, security patches are then scheduled and applied using the SSM Run Command feature, orchestrated so as to minimize service impact.
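The tag-driven patching flow described above (patch groups, a patch baseline, a maintenance window, and AWS-RunPatchBaseline executed through Run Command) can be wired up with boto3. The following is an added example, not Storm Reply's or AWS's code: the pure functions build the request bodies for the real SSM API calls, and `schedule_patching` issues them through a boto3 client. `Patch Group` is the tag key Patch Manager itself uses to map instances to a baseline; every other name, schedule and percentage here is an assumed placeholder.

```python
"""Added example (not Storm Reply's or AWS's code): build the Patch Manager pieces
described above as boto3 request dicts, then apply them. Patch groups use the
`Patch Group` tag key that Patch Manager recognises; every other name or value
is an assumed placeholder."""
from typing import Any

PATCH_GROUP_TAG = "Patch Group"   # tag key Patch Manager uses to find the baseline


def patch_baseline_request(name: str, os_name: str = "AMAZON_LINUX_2",
                           approve_after_days: int = 7) -> dict[str, Any]:
    """Baseline that auto-approves Critical/Important security patches after a delay."""
    if not 0 <= approve_after_days <= 360:
        raise ValueError("ApproveAfterDays must be 0..360")
    return {
        "Name": name,
        "OperatingSystem": os_name,
        "ApprovalRules": {"PatchRules": [{
            "PatchFilterGroup": {"PatchFilters": [
                {"Key": "CLASSIFICATION", "Values": ["Security"]},
                {"Key": "SEVERITY", "Values": ["Critical", "Important"]},
            ]},
            "ApproveAfterDays": approve_after_days,
            "ComplianceLevel": "CRITICAL",  # a missing patch makes the node NON_COMPLIANT at CRITICAL
        }]},
    }


def maintenance_window_request(name: str, cron: str, duration_h: int = 3,
                               cutoff_h: int = 1, tz: str = "UTC") -> dict[str, Any]:
    """Window in which patching may start; Cutoff stops new task starts before the end."""
    if not 1 <= duration_h <= 24 or not 0 <= cutoff_h < duration_h:
        raise ValueError("Duration must be 1..24h and Cutoff must be below Duration")
    return {"Name": name, "Schedule": cron, "ScheduleTimezone": tz,
            "Duration": duration_h, "Cutoff": cutoff_h,
            "AllowUnassociatedTargets": False}  # only registered targets may be patched


def patch_task_request(window_id: str, target_id: str, max_concurrency: str = "25%",
                       max_errors: str = "10%") -> dict[str, Any]:
    """AWS-RunPatchBaseline as a Run Command task, rolled out in slices to limit impact."""
    return {
        "WindowId": window_id,
        "Targets": [{"Key": "WindowTargetIds", "Values": [target_id]}],
        "TaskArn": "AWS-RunPatchBaseline",
        "TaskType": "RUN_COMMAND",
        "MaxConcurrency": max_concurrency,  # how many instances patch at once
        "MaxErrors": max_errors,            # stop the rollout once this many fail
        "TaskInvocationParameters": {"RunCommand": {"Parameters": {
            "Operation": ["Install"], "RebootOption": ["RebootIfNeeded"]}}},
    }


def schedule_patching(ssm, patch_group: str, cron: str) -> dict[str, str]:
    """Wire baseline -> patch group -> window -> target -> task with a boto3 SSM client.
    Returns the created ids. With credentials and a region configured:
        import boto3
        schedule_patching(boto3.client("ssm"), "prod-linux", "cron(0 2 ? * SUN *)")
    """
    baseline = ssm.create_patch_baseline(**patch_baseline_request(f"{patch_group}-baseline"))
    ssm.register_patch_baseline_for_patch_group(BaselineId=baseline["BaselineId"],
                                                PatchGroup=patch_group)
    window = ssm.create_maintenance_window(
        **maintenance_window_request(f"{patch_group}-window", cron))
    target = ssm.register_target_with_maintenance_window(
        WindowId=window["WindowId"], ResourceType="INSTANCE",
        Targets=[{"Key": f"tag:{PATCH_GROUP_TAG}", "Values": [patch_group]}])
    task = ssm.register_task_with_maintenance_window(
        **patch_task_request(window["WindowId"], target["WindowTargetId"]))
    return {"baseline": baseline["BaselineId"], "window": window["WindowId"],
            "target": target["WindowTargetId"], "task": task["WindowTaskId"]}
```

The `MaxConcurrency`/`MaxErrors` pair is what "orchestrated so as to minimize service impact" becomes in practice: a window that patches a quarter of the group at a time and halts after the first failures leaves the rest of the fleet untouched until someone has looked at the Run Command output. The `ComplianceLevel` on the baseline is what later shows up as NON_COMPLIANT in Inventory and on the dashboard.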
This central solution saves Operations teams the time spent on periodic, common and lengthy patching tasks, while at the same time feeding the feedback loop with information on the status of your cloud fleet.
It is a common requirement to share application configuration items between environments. Some of these configuration items contain sensitive information such as passwords or database credentials, so they require proper storage. SSM Parameter Store helps store these items securely and in an organized manner in a path-based key-value store, allowing configuration items to be retrieved with a simple API call.
These values can be retrieved during the build and deployment phases of your CI/CD pipelines, or the application can be integrated to fetch them on the fly when needed. Access to these configuration items is managed through standard AWS IAM policies, enforcing the least-privilege and separation-of-concerns principles.
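The path-based store and the IAM-scoped access described in the two paragraphs above, as an added example that is not Storm Reply's or AWS's code. `get_parameters_by_path` reads a whole hierarchy (following `NextToken`, which the single API call in the text glosses over) with decryption of SecureString values, and `parameter_read_policy` builds the IAM policy that confines a consumer to one path prefix and allows KMS decryption only when the call arrives via SSM. The account id, region, key ARN, paths and values are constructed placeholders, and `FakeSSM` is a constructed stand-in for a boto3 client so the block runs offline.

```python
"""Added example (not Storm Reply's or AWS's code): read a configuration-item
hierarchy from SSM Parameter Store and build the matching least-privilege IAM
policy. Account, region, key ARN, paths and values are constructed placeholders."""
from typing import Any


def get_parameters_by_path(ssm, path: str) -> dict[str, str]:
    """Return {relative_name: value} for every parameter under `path`.
    Follows NextToken so large hierarchies are read completely, and asks SSM to
    decrypt SecureString values (this needs kms:Decrypt on the parameter's key)."""
    base = path.rstrip("/")
    prefix = base + "/"
    found: dict[str, str] = {}
    kwargs: dict[str, Any] = {"Path": base, "Recursive": True, "WithDecryption": True}
    while True:
        page = ssm.get_parameters_by_path(**kwargs)
        for p in page["Parameters"]:
            found[p["Name"][len(prefix):]] = p["Value"]
        if not page.get("NextToken"):
            return found
        kwargs["NextToken"] = page["NextToken"]


def parameter_read_policy(account: str, region: str, path: str,
                          kms_key_arn: str) -> dict[str, Any]:
    """IAM policy allowing reads under one path prefix only, plus the KMS decrypt
    needed for SecureString, limited to calls made through the SSM service."""
    prefix = path.rstrip("/")
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadOwnPath", "Effect": "Allow",
         "Action": ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"],
         # parameter ARNs embed the full path, so the prefix bounds what is readable
         "Resource": f"arn:aws:ssm:{region}:{account}:parameter{prefix}/*"},
        {"Sid": "DecryptViaSsmOnly", "Effect": "Allow",
         "Action": "kms:Decrypt", "Resource": kms_key_arn,
         # the key may not be used directly, only by SSM on the caller's behalf
         "Condition": {"StringEquals": {"kms:ViaService": f"ssm.{region}.amazonaws.com"}}},
    ]}


class FakeSSM:
    """Constructed stand-in for boto3's SSM client: two pages under /app/prod."""
    _pages = [
        {"Parameters": [
            {"Name": "/app/prod/db/host", "Type": "String", "Value": "db.internal"},
            {"Name": "/app/prod/db/password", "Type": "SecureString",
             "Value": "constructed-secret"},
         ], "NextToken": "page2"},
        {"Parameters": [
            {"Name": "/app/prod/cache/url", "Type": "String",
             "Value": "redis://cache.internal"},
         ]},
    ]

    def get_parameters_by_path(self, **kwargs):
        assert kwargs["WithDecryption"] and kwargs["Recursive"]
        return self._pages[1] if kwargs.get("NextToken") == "page2" else self._pages[0]


if __name__ == "__main__":
    # Against real AWS: import boto3; get_parameters_by_path(boto3.client("ssm"), "/app/prod")
    print(get_parameters_by_path(FakeSSM(), "/app/prod"))
    print(parameter_read_policy("123456789012", "eu-west-1", "/app/prod",
                                "arn:aws:kms:eu-west-1:123456789012:key/placeholder-key-id"))
```

Separation of concerns falls out of the path layout: a workload in `/app/prod` gets a policy whose resource ARN ends in `parameter/app/prod/*`, so it cannot read `/app/staging` even though both live in the same account, and the `kms:ViaService` condition stops the same credentials from calling KMS directly to decrypt ciphertext copied from elsewhere.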
Secure network connectivity in the cloud is a high-priority topic whenever private servers need to be reached from the Internet but cannot be exposed to it for security reasons.
Storm Reply leverages the AWS SSM Session Manager service to connect securely to SSM managed instances without exposing ports on the target server. The amazon-ssm-agent relays an SSH connection securely, without going through a jump station, saving the cost of usually idle bastion hosts.
AWS IAM policies can be used to enforce the “least privilege” principle, granting users access only to the servers they need.
SSM Session Manager also integrates natively with the Amazon CloudWatch service, providing session logging to ensure proper auditing and control over the connection. The session is also encrypted using the AWS KMS service to protect data in transit.
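The three controls named in the last three paragraphs (tag-scoped IAM access, CloudWatch session logging, KMS encryption of the session) live in two artefacts: the account's `SSM-SessionManagerRunShell` preferences document and the IAM policy attached to the operator. The block below is an added example, not Storm Reply's or AWS's code; it builds both and adds a defender-side audit that reports which of those controls a given preferences document lacks. Account id, region, log group, key ARN and tag values are constructed placeholders, and the 20-minute idle-timeout threshold in the audit is an assumed policy choice.

```python
"""Added example (not Storm Reply's or AWS's code): the two artefacts that make
a Session Manager setup auditable and least-privileged, plus a check over them.
Account, region, log group, key ARN and tag values are constructed placeholders."""
from typing import Any


def session_preferences_document(log_group: str, kms_key_arn: str,
                                 idle_timeout_min: int = 20) -> dict[str, Any]:
    """Content of the account's SSM-SessionManagerRunShell document: stream every
    session to CloudWatch Logs and encrypt the session data with a KMS key."""
    return {
        "schemaVersion": "1.0",
        "description": "Session Manager preferences (constructed example)",
        "sessionType": "Standard_Stream",
        "inputs": {
            "s3BucketName": "", "s3KeyPrefix": "", "s3EncryptionEnabled": True,
            "cloudWatchLogGroupName": log_group,       # where session transcripts go
            "cloudWatchEncryptionEnabled": True,       # refuse an unencrypted log group
            "cloudWatchStreamingEnabled": True,        # log continuously, not only at exit
            "kmsKeyId": kms_key_arn,                   # KMS encryption of session data
            "runAsEnabled": False, "runAsDefaultUser": "",
            "idleSessionTimeout": str(idle_timeout_min),
        },
    }


def audit_session_preferences(doc: dict[str, Any]) -> list[str]:
    """Defender-side check: list the controls relied on above that are missing."""
    inputs = doc.get("inputs", {})
    findings: list[str] = []
    if not (inputs.get("cloudWatchLogGroupName") or inputs.get("s3BucketName")):
        findings.append("no session log destination (CloudWatch or S3)")
    if inputs.get("cloudWatchLogGroupName") and not inputs.get("cloudWatchEncryptionEnabled"):
        findings.append("CloudWatch log group is not required to be encrypted")
    if not inputs.get("kmsKeyId"):
        findings.append("session data not encrypted with a customer KMS key")
    if int(inputs.get("idleSessionTimeout") or 0) > 20:   # assumed threshold
        findings.append("idle session timeout above 20 minutes")
    return findings


def start_session_policy(account: str, region: str, tag_key: str,
                         tag_value: str) -> dict[str, Any]:
    """IAM policy: the user may open sessions only on instances carrying one tag,
    only through the account's audited preferences document, and may resume or
    terminate only sessions they started themselves."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "SessionOnTaggedInstances", "Effect": "Allow", "Action": "ssm:StartSession",
         "Resource": f"arn:aws:ec2:{region}:{account}:instance/*",
         "Condition": {"StringEquals": {f"ssm:resourceTag/{tag_key}": tag_value}}},
        {"Sid": "OnlyAuditedDocument", "Effect": "Allow", "Action": "ssm:StartSession",
         "Resource": f"arn:aws:ssm:{region}:{account}:document/SSM-SessionManagerRunShell"},
        {"Sid": "OwnSessionsOnly", "Effect": "Allow",
         "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
         "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"},
    ]}


if __name__ == "__main__":
    doc = session_preferences_document(
        "/ssm/sessions", "arn:aws:kms:eu-west-1:123456789012:key/placeholder-key-id")
    print("findings:", audit_session_preferences(doc))
    print(start_session_policy("123456789012", "eu-west-1", "Environment", "prod"))
```

Two caveats a practitioner would want next to this. First, the SSH relay the text describes is started with the AWS-owned `AWS-StartSSHSession` document, so that document must be added to the `OnlyAuditedDocument` statement for SSH to work; those sessions are encrypted end to end by SSH itself, which means the CloudWatch session log records that the tunnel was opened but not what was typed inside it, so interactive shell sessions through `SSM-SessionManagerRunShell` are the ones that give you a full transcript. Second, `audit_session_preferences` is only as good as the document it is given: run it over the document fetched from the account (`get_document` on `SSM-SessionManagerRunShell`) rather than over the one you intended to deploy.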