AWS SysOps Associate (SOA-C02) Review Material – Systems Manager

General

  • A collection of capabilities to help you manage your applications and infrastructure running in the AWS Cloud.
  • Capabilities:
    • Application Management
      • Application Manager
      • AppConfig
      • Parameter Store
    • Change Management
      • Change Manager
      • Automation
      • Change Calendar
      • Maintenance Window
    • Node Management
      • Compliance
      • Fleet Manager
      • Inventory
      • Session Manager
      • Run Command
      • State Manager
      • Patch Manager
      • Distributor
      • Hybrid Activation
    • Operation Management
      • Incident Manager
      • Explorer
      • OpsCenter
      • CloudWatch Dashboard
    • Quick Setup
      • Quick Setup
    • Shared Resources
      • Documents
  • SSM Agent:
    • Runs on the following resources:
      1. EC2
      2. Edge devices
      3. On-Prem Servers
      4. On-Prem VMs
    • Makes it possible for Systems Manager to update, manage, and configure these resources.
    • Comes pre-installed on Amazon-provided AMIs
    • For EC2 instances, you need to attach an IAM Role with the ‘AmazonEC2RoleForSSM’ policy
  • Documents:
    • Define the actions that Systems Manager performs on the managed instances.
    • Over 100 pre-configured documents
    • Written in JSON or YAML
    • Similar to an Ansible script
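Because Documents are plain JSON/YAML, it is easy to build and check one locally before creating it. The following is an added example, not part of the review notes and not AWS's own validator: it constructs a Command document (schemaVersion 2.2, the kind Run Command executes) with one parameter and one aws:runShellScript step, then runs a few checks a practitioner would want before `aws ssm create-document`. The document content, the service name and the validation rules are all assumptions made for the example; only the document schema keys (schemaVersion, parameters, mainSteps, allowedPattern, runCommand) are real.

```python
"""Build and sanity-check an SSM Command document (schemaVersion 2.2).

Added example, not from the review notes. The document content is
constructed here; the checks mirror what a practitioner verifies before
`aws ssm create-document`, they are not the service's own validation.
"""
import json
import re

# Constructed sample: a Command document with one parameter and one
# aws:runShellScript step, the kind of document Run Command executes.
COMMAND_DOCUMENT = {
    "schemaVersion": "2.2",
    "description": "Restart a service and report its status (constructed example)",
    "parameters": {
        "ServiceName": {
            "type": "String",
            "description": "systemd unit to restart",
            "default": "nginx",
            # Constrain caller input: this value is interpolated into a shell line.
            "allowedPattern": "^[a-zA-Z0-9._-]+$",
        }
    },
    "mainSteps": [
        {
            "action": "aws:runShellScript",
            "name": "restartService",
            "inputs": {
                "timeoutSeconds": "120",
                "runCommand": [
                    "systemctl restart {{ ServiceName }}",
                    "systemctl is-active {{ ServiceName }}",
                ],
            },
        }
    ],
}

# Matches {{ Name }} parameter references inside step inputs.
PARAM_REF = re.compile(r"\{\{\s*([A-Za-z0-9_]+)\s*\}\}")


def referenced_parameters(doc):
    """Return the set of {{ Name }} references found anywhere in mainSteps."""
    text = json.dumps(doc.get("mainSteps", []))
    return set(PARAM_REF.findall(text))


def validate_command_document(doc):
    """Return a list of problems; an empty list means the document passes."""
    problems = []
    if doc.get("schemaVersion") != "2.2":
        problems.append("Command documents should use schemaVersion 2.2")
    steps = doc.get("mainSteps") or []
    if not steps:
        problems.append("mainSteps must contain at least one step")
    names = [s.get("name") for s in steps]
    if len(names) != len(set(names)):
        problems.append("step names must be unique")
    for s in steps:
        if not str(s.get("action", "")).startswith("aws:"):
            problems.append(f"step {s.get('name')!r} has an invalid action")
    declared = set(doc.get("parameters", {}))
    for name in sorted(referenced_parameters(doc) - declared):
        problems.append(f"parameter {{{{ {name} }}}} is referenced but not declared")
    # A parameter without allowedPattern/allowedValues accepts any caller
    # input; for shell steps that is the injection surface, so flag it.
    for name, spec in doc.get("parameters", {}).items():
        if "allowedPattern" not in spec and "allowedValues" not in spec:
            problems.append(f"parameter {name} has no allowedPattern/allowedValues")
    return problems


def to_json(doc):
    """Serialise for `aws ssm create-document --content file://doc.json`."""
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    print("problems:", validate_command_document(COMMAND_DOCUMENT))
    print(to_json(COMMAND_DOCUMENT))
```

The undeclared-reference check catches the common mistake of renaming a parameter but not the `{{ }}` reference in a step, and the allowedPattern check enforces that anything interpolated into a shell command is constrained at the document level rather than trusting whoever invokes Run Command.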

Application Management

Change Management

1. Automation
  • Simplifies common maintenance, deployment, and remediation tasks for AWS services like Amazon Elastic Compute Cloud (Amazon EC2), Amazon Relational Database Service (Amazon RDS), Amazon Redshift, Amazon Simple Storage Service (Amazon S3), and many more
  • Example of Use:
    • Release elastic IP
    • Disable public access
    • Detach EBS
    • Create AMI
    • Create RDS snapshot
  • Uses a ‘Run Book’ or ‘Document’ to define the steps.
  • Extension of Run Command (can call AWS API)
2. Maintenance Window
  • Define a schedule for when to perform potentially disruptive actions on your nodes such as patching an operating system, updating drivers, or installing software or patches
  • Can schedule actions on numerous other AWS resource types, such as Amazon Simple Storage Service (Amazon S3) buckets, Amazon Simple Queue Service (Amazon SQS) queues, AWS Key Management Service (AWS KMS) keys
  • Each maintenance window has a schedule, a maximum duration, a set of registered targets (the nodes or other AWS resources that are acted upon), and a set of registered tasks.

Node Management

1. Run Command
  • Execute ad-hoc commands
  • Remotely and securely manage the configuration of your managed nodes.
  • Automate common administrative tasks and perform one-time configuration changes at scale.
  • Send commands from the AWS Systems Manager console to managed nodes
  • Requires command Documents.
  • Example use:
    • Configure docker.
    • Create EBS snapshot
    • Export metrics and logs from the instance to CloudWatch
2. State Manager
  • A secure and scalable configuration management service that automates the process of keeping your managed nodes and other AWS resources in a state that you define.
  • Defines a configuration (association) that is assigned to an AWS resource.
  • The configuration defines the state that you want to maintain on your resources. For example, an association can specify that antivirus software must be installed and running on a managed node, or that certain ports must be closed.
  • An association specifies a schedule for when to apply the configuration and the targets for the association. 
  • Similar to Puppet.
3. Inventory
  • Provides visibility into your AWS computing environment.
  • Collects metadata from the managed nodes.
  • You need to specify the metadata collection interval.
  • Can be stored in S3 and analyzed with Athena or QuickSight.
  • Relies on State Manager to collect inventory information.
4. Patch Manager
  • Automates the process of patching managed nodes with both security-related and other types of updates.
  • Applies patches for both operating systems and applications.
    • E.g. install Service Packs on Windows nodes and perform minor version upgrades on Linux nodes.
  • Can scan instances to produce only a report of missing patches, or scan and automatically install all missing patches.
    • Can generate patch compliance reports that are sent to an Amazon Simple Storage Service (Amazon S3) bucket.
  • Pre-requisites:
    • SSM Agent
    • Connectivity to the patch source
    • Only supported operating systems (macOS is supported)
  • Can run patching on demand or on a schedule (via Maintenance Window).
  • By default, Patch Manager doesn’t install all available patches, but rather a smaller set of patches focused on security.
  • Patch baselines include rules for auto-approving patches within a set number of days of their release, in addition to a list of approved and rejected patches.
  • Use patch groups to associate managed nodes with a specific patch baseline in Patch Manager.
    • A patch group must be defined with the tag key ‘Patch Group’. The key is case-sensitive.
    • You associate a patch group with a patch baseline.
    • Any resource with no ‘Patch Group’ tag falls back to the default patch baseline.
5. Session Manager
  • Provides a one-click browser-based shell or AWS Command Line Interface (AWS CLI) access to EC2 instances, edge devices, on-prem servers or VMs.
  • Does not need SSH keys or special ports to be opened.
  • Supports Linux, Windows and macOS.
  • Capable of logging connections and commands to S3 or CloudWatch.
  • Connection is via SSM, i.e.
    • Users —> SSM —> Nodes (with SSM Agent running)
    • Access is controlled via IAM in combination with Tags.
6. Fleet Manager
  • A unified user interface (UI) experience that helps you remotely manage your nodes running on AWS or on-premises.
  • Can gather data from individual nodes to perform common troubleshooting and management tasks from the console.
  • EC2 instances need an IAM Role with the ‘AmazonEC2RoleForSSM’ policy attached.
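The Patch Manager notes above describe two behaviours that are easy to get wrong in practice: the ‘Patch Group’ tag key is case-sensitive (a mistyped key silently sends the node to the default baseline), and a baseline approves patches through classification/severity rules with an approve-after-days delay plus explicit approved/rejected lists. The following is an added example, not from the review notes and not AWS's implementation: a small simulation of how a node is matched to a baseline and which patches that baseline would approve on a given day. The baselines, patch ids, classifications and dates are all constructed for the example.

```python
"""Simulate Patch Manager baseline selection and approval rules.

Added example, not from the review notes or AWS's own code. It models the
behaviours the notes describe: a node is matched to a baseline by its
case-sensitive 'Patch Group' tag (default baseline otherwise), and a
baseline approves patches via classification/severity rules with an
approve-after-days delay, plus explicit approved and rejected lists.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

PATCH_GROUP_TAG = "Patch Group"  # exact, case-sensitive key


@dataclass
class Patch:
    id: str
    classification: str  # e.g. Security, Bugfix
    severity: str        # e.g. Critical, Important, Moderate, Low
    released: date


@dataclass
class ApprovalRule:
    classifications: set
    severities: set
    approve_after_days: int


@dataclass
class Baseline:
    name: str
    rules: list
    approved: set = field(default_factory=set)
    rejected: set = field(default_factory=set)


# Constructed baselines. The default one approves only security patches,
# mirroring the notes' point that the default focuses on security updates.
DEFAULT_BASELINE = Baseline(
    "default-security-only",
    rules=[ApprovalRule({"Security"}, {"Critical", "Important"}, 7)],
)
BASELINES_BY_GROUP = {
    "WebServers": Baseline(
        "web-all-updates",
        rules=[ApprovalRule({"Security", "Bugfix"},
                            {"Critical", "Important", "Moderate"}, 3)],
        rejected={"KB-0003"},  # constructed id of a patch known to break the app
    ),
}

# Constructed patch metadata, as a patch source would report it.
SAMPLE_PATCHES = [
    Patch("KB-0001", "Security", "Critical", date(2024, 1, 1)),
    Patch("KB-0002", "Bugfix", "Moderate", date(2024, 1, 1)),
    Patch("KB-0003", "Security", "Important", date(2024, 1, 1)),
    Patch("KB-0004", "Security", "Critical", date(2024, 1, 9)),  # too recent
]


def baseline_for_node(tags, baselines=BASELINES_BY_GROUP, default=DEFAULT_BASELINE):
    """Pick the baseline registered for the node's 'Patch Group' tag.

    A tag written as 'patch group' or 'PatchGroup' is not the patch group
    tag at all, so such nodes silently fall back to the default baseline.
    """
    group = tags.get(PATCH_GROUP_TAG)
    if group is None:
        return default
    return baselines.get(group, default)


def approved_patches(baseline, patches, today):
    """Return the ids of patches the baseline would install on `today`."""
    result = set()
    for p in patches:
        if p.id in baseline.rejected:       # rejected list always wins
            continue
        if p.id in baseline.approved:       # explicit approval skips the rules
            result.add(p.id)
            continue
        for rule in baseline.rules:
            old_enough = p.released + timedelta(days=rule.approve_after_days) <= today
            if (p.classification in rule.classifications
                    and p.severity in rule.severities and old_enough):
                result.add(p.id)
                break
    return result


if __name__ == "__main__":
    today = date(2024, 1, 10)
    for tags in ({"Patch Group": "WebServers"}, {"patch group": "WebServers"}, {}):
        b = baseline_for_node(tags)
        print(tags, "->", b.name, sorted(approved_patches(b, SAMPLE_PATCHES, today)))
```

Running it shows the case-sensitivity trap directly: the node tagged `patch group` lands on the security-only default baseline and never receives the bug-fix patch its intended group would have installed, which is the kind of drift a compliance report later surfaces.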

Operation Management
