Components Of AWS Systems Manager Or SSM
Welcome to CloudAffaire and this is Debjeet.
In this blog post, we will discuss the different components of AWS Systems Manager or SSM.
What Is AWS Systems Manager Or SSM:
AWS Systems Manager or SSM (formerly Amazon Simple Systems Manager (SSM) and Amazon EC2 Systems Manager (SSM)) is an AWS service that you can use to view and control your infrastructure on AWS. Using the Systems Manager console, you can view operational data from multiple AWS services and automate operational tasks across your AWS resources. Systems Manager consists of individual capabilities, which are grouped into five categories: Operations Management, Application Management, Actions & Change, Instances & Nodes, and Shared Resources.
AWS Systems Manager or SSM can be broadly classified into the major components below, each having multiple sub-components.
- Operations Management
- Application Management
- Actions & Change
- Instances & Nodes
- Shared Resources
- Quick Setup
AWS Systems Manager Components:
- Operations Management: Operations Management is a suite of capabilities that help you manage your AWS resources.
  - Explorer: Explorer is a customizable operations dashboard that reports information about your operations data (OpsData), which includes metadata about your EC2 instances, patch compliance details, and operational work items (OpsItems).
  - OpsCenter: OpsCenter provides a central location where operations engineers and IT professionals can view, investigate, and resolve operational work items (OpsItems) related to AWS resources.
  - Amazon CloudWatch Dashboards: Amazon CloudWatch Dashboards are customizable home pages in the CloudWatch console that you can use to monitor your resources in a single view, even those resources that are spread across different regions.
- Application Management: Application Management is a suite of capabilities that help you manage your applications running in AWS.
  - AWS Resource Groups: An AWS resource is an entity you can work with in AWS, such as SSM documents, patch baselines, maintenance windows, parameters, and managed instances; an EC2 instance; an EBS volume; a security group; or a VPC. With Resource Groups, you can create a custom console that organizes and consolidates information based on criteria that you specify in tags for viewing monitoring and configuration insights.
  - AppConfig: AppConfig helps you create, manage, and quickly deploy application configurations. You can use AppConfig with applications hosted on EC2 instances, AWS Lambda, containers, mobile applications, or IoT devices. To prevent errors when deploying application configurations, AppConfig includes validators. A validator provides a syntactic or semantic check to ensure that the configuration you want to deploy works as intended. During a configuration deployment, AppConfig monitors the application to ensure that the deployment is successful. If the system encounters an error or if the deployment triggers an alarm, AppConfig rolls back the change to minimize impact for your application users.
  - Parameter Store: Parameter Store provides secure, hierarchical storage for configuration data and secrets management. You can store data such as passwords, database strings, EC2 instance IDs and Amazon Machine Image (AMI) IDs, and license codes as parameter values. You can store values as plain text or encrypted data. You can then reference values by using the unique name you specified when you created the parameter.
- Actions & Change: Systems Manager provides the following capabilities for taking action against or changing your AWS resources.
  - Automation: Automation can be used to automate common maintenance and deployment tasks. You can use Automation to create and update Amazon Machine Images, apply driver and agent updates, reset passwords on Windows Server instances, reset SSH keys on Linux instances, and apply OS patches or application updates.
  - Change Calendar: Change Calendar lets you set up date and time ranges when actions you specify may or may not be performed in your AWS account. In Change Calendar, these ranges are called events. When you create a Change Calendar entry, you are creating an SSM document of the type ChangeCalendar. Events that you add to the Change Calendar entry become part of the document.
  - Maintenance Windows: Maintenance Windows are used to set up recurring schedules for managed instances to run administrative tasks like installing patches and updates without interrupting business-critical operations.
- Instances & Nodes: Systems Manager provides the following capabilities for managing your EC2 instances, your on-premises servers and virtual machines (VMs) in your hybrid environment, and other types of AWS resources (nodes).
  - Compliance: SSM Configuration Compliance can be used to scan your fleet of managed instances for patch compliance and configuration inconsistencies. You can collect and aggregate data from multiple AWS accounts and Regions, and then drill down into specific resources that aren’t compliant. By default, Configuration Compliance displays compliance data about Patch Manager patching and State Manager associations.
  - Inventory: Inventory automates the process of collecting software inventory from managed instances. You can use Inventory to gather metadata about applications, files, components, patches, and more on your managed instances.
  - Managed instance: A managed instance is any EC2 instance or on-premises machine (a server or a virtual machine (VM)) in your hybrid environment that is configured for Systems Manager. To set up managed instances, you need to install SSM Agent on your machines and configure IAM permissions. On-premises machines also require an activation code.
  - Hybrid Activations: To set up servers and VMs in your hybrid environment as managed instances, you need to create a managed-instance activation. After you complete the activation, you receive an activation code and ID. This code/ID combination functions like an Amazon EC2 access ID and secret key to provide secure access to the Systems Manager service from your managed instances.
  - Session Manager: Session Manager can be used to manage your EC2 instances through an interactive one-click browser-based shell or through the AWS CLI. Session Manager provides secure and auditable instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys.
  - Run Command: SSM Run Command can be used to remotely and securely manage the configuration of your managed instances at scale. Use Run Command to perform on-demand changes like updating applications or running Linux shell scripts and Windows PowerShell commands on a target set of dozens or hundreds of instances.
  - State Manager: SSM State Manager can be used to automate the process of keeping your managed instances in a defined state. You can use State Manager to ensure that your instances are bootstrapped with specific software at startup, joined to a Windows domain (Windows Server instances only), or patched with specific software updates.
  - Patch Manager: SSM Patch Manager can be used to automate the process of patching your managed instances with both security-related and other types of updates. You can use Patch Manager to apply patches for both operating systems and applications. (On Windows Server, application support is limited to updates for Microsoft applications.) This capability enables you to scan instances for missing patches and apply missing patches individually or to large groups of instances by using EC2 instance tags. Patch Manager uses patch baselines, which can include rules for auto-approving patches within days of their release, as well as a list of approved and rejected patches.
  - Distributor: SSM Distributor can be used to create and deploy packages to managed instances. Distributor lets you package your own software—or find AWS-provided agent software packages, such as AmazonCloudWatchAgent—to install on AWS Systems Manager managed instances. After you install a package for the first time, you can use Distributor to completely uninstall and reinstall a new package version, or perform an in-place update that adds new or changed files only.
- Shared Resources: Systems Manager uses the following shared resources for managing and configuring your AWS resources.
  - Documents: A Systems Manager document (SSM document) defines the actions that Systems Manager performs. SSM document types include Command documents, which are used by State Manager and Run Command, and Automation documents, which are used by Systems Manager Automation. Systems Manager includes dozens of pre-configured documents that you can use by specifying parameters at runtime. Documents can be expressed in JSON or YAML, and include steps and parameters that you specify.
- Quick Setup: Quick Setup is a tool you can use to quickly configure required security roles and commonly used Systems Manager capabilities on your EC2 instances. These capabilities help you manage and monitor the health of your instances while providing the minimum required permissions to get started.
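Because Parameter Store accepts both plain text and encrypted values, it is worth checking which of the two your secrets actually use. The script below is an added example, not code from this blog or from AWS: it audits parameter metadata shaped like the output of `aws ssm describe-parameters`. The name heuristic, sample parameter names and the `alias/example-cmk` key alias are assumptions made for illustration.

```python
import re
from collections import Counter

# Name fragments that usually mark a secret (assumed heuristic; tune for your naming scheme).
SECRET_HINTS = re.compile(
    r"pass(word|wd)?|secret|token|api[-_]?key|license|conn(ection)?[-_]?str", re.I
)

# Constructed sample shaped like the "Parameters" list from `aws ssm describe-parameters`.
# Every name and the customer key alias are made up for illustration.
SAMPLE_PARAMETERS = [
    {"Name": "/prod/db/password", "Type": "String"},
    {"Name": "/prod/db/host", "Type": "String"},
    {"Name": "/prod/app/api_key", "Type": "SecureString", "KeyId": "alias/aws/ssm"},
    {"Name": "/prod/app/license-code", "Type": "SecureString", "KeyId": "alias/example-cmk"},
    {"Name": "/dev/ami-id", "Type": "String"},
    {"Name": "/dev/service/tokens", "Type": "StringList"},
]


def audit_parameters(parameters):
    """Return (name, finding) pairs for parameters whose names look like secrets."""
    findings = []
    for param in parameters:
        name = param["Name"]
        if not SECRET_HINTS.search(name):
            continue  # name does not suggest a secret; skip it
        if param.get("Type") != "SecureString":
            # String and StringList values are stored and returned unencrypted.
            findings.append((name, "PLAINTEXT_SECRET"))
        elif param.get("KeyId") == "alias/aws/ssm":
            # Encrypted, but under the AWS managed key, whose key policy you cannot edit.
            findings.append((name, "DEFAULT_KMS_KEY"))
    return findings


def findings_by_root(findings):
    """Count findings per top-level segment of the parameter hierarchy."""
    return dict(Counter(name.strip("/").split("/")[0] for name, _ in findings))


if __name__ == "__main__":
    results = audit_parameters(SAMPLE_PARAMETERS)
    for name, finding in results:
        print(f"{finding:17} {name}")
    print(findings_by_root(results))
```

To run it against a real account, pass in the paginated `Parameters` list from `describe-parameters` instead of the sample. The check reads metadata only and never retrieves parameter values.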
To get more details on AWS SSM, please refer to the AWS documentation.