In this session, you will learn how you can use EC2 management capabilities to perform repeatable automation of your infrastructure at scale, across platforms and hybrid environments. As you embark on your cloud journey and embrace a modern DevOps mindset, you not only want to deploy software quickly but also ensure configuration consistency at cloud scale. Many enterprises have successfully used services such as EC2 Run Command to perform administrative tasks, and we'll share some of those stories. In addition, we will demo new capabilities that ensure a desired-state approach to software configuration, either through predefined or easy-to-build custom configurations, and show how you can integrate with other AWS services to deliver enterprise IT and business value.
2. What to Expect from the Session
• Introduction to EC2 Systems Manager
• Learn about Run Command, State Manager, and Parameter Store
• How Xero uses Run Command
• Demo!
• FAQs and best-practices
3. What we heard from you
• Traditional IT tools not built for the cloud
• Managing resources at scale is difficult
• Lack of visibility into configuration, granular control
• Multiple vendors; complex licensing
4. Introducing EC2 Systems Manager
A set of capabilities that enable automated configuration and ongoing management of systems at scale, across all your Windows and Linux workloads, running in Amazon EC2 or on-premises
5. Systems Manager Capabilities
• Run Command
• State Manager
• Automation
• Maintenance Window
• Inventory
• Patch Manager
• Parameter Store
Grouped on the slide under "Deploy, Configure, and Administer", "Track and Update", and "Shared Capabilities"
7. Run Command
• Execution of administrative tasks
• Improve security posture – no need to SSH or RDP
• Delegated access control
• Customizable and flexible
• Get notified on the status of your commands
• Control the rate at which you send commands for scale
8. Sending a command
aws ssm send-command
--document-name AWS-RunPowerShellScript
--instance-ids i-1234567
--parameters commands="mkdir C:\Demo"
--service-role-arn <my-service-role>
--notification-config NotificationArn=<my-topic-arn>,NotificationEvents="Success",NotificationType="Command"
Remotely create a directory on an instance and notify via SNS when it completes
9. Run Command – Getting started
• Instance: Set up the agent and an AWS Identity & Access Management (IAM) role on your instance
• Document: Author your intent
• Command and Command Invocation
• Plugins: In-guest actions that perform tasks
• Status and output: Granular results
10. Run Command – Scale
• Send a command based on a tag query
• Velocity control and error handling
aws ssm send-command --document-name <value> --targets "Key=tag:ServerRole,Values=WebFrontEnd" […]
aws ssm send-command --max-concurrency 10 …
aws ssm send-command --max-errors 10 …
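A simplified model of what --max-concurrency and --max-errors do to a rollout, added here as an example (not code from the deck or the Run Command service). It assumes the documented semantics: at most max_concurrency targets run at once, and once more than max_errors invocations have failed no further targets are started; the wave-based scheduling and the fake fleet are constructed for illustration.

```python
"""Simplified model of Run Command velocity control (constructed example)."""
from concurrent.futures import ThreadPoolExecutor


def dispatch(targets, invoke, max_concurrency=10, max_errors=10):
    """Send invoke(instance_id) -> bool to targets in waves of max_concurrency.

    Mirrors the documented meaning of --max-errors: once the number of failed
    invocations exceeds max_errors, no further targets are started; invocations
    already running finish. Returns (succeeded, failed, not_sent).
    """
    succeeded, failed = [], []
    index = 0
    while index < len(targets) and len(failed) <= max_errors:
        wave = targets[index:index + max_concurrency]
        index += len(wave)
        with ThreadPoolExecutor(max_workers=max_concurrency) as pool:
            for instance_id, ok in zip(wave, pool.map(invoke, wave)):
                (succeeded if ok else failed).append(instance_id)
    return succeeded, failed, targets[index:]


# Constructed fleet: 25 made-up instance ids; three of them fail the command.
FLEET = [f"i-0fake{n:04d}" for n in range(25)]
BROKEN = {"i-0fake0001", "i-0fake0003", "i-0fake0007"}


def fake_invoke(instance_id):
    """Stand-in for a Run Command invocation; fails for hosts in BROKEN."""
    return instance_id not in BROKEN


def canary_rollout():
    """Small waves plus a tight error budget keep a bad command contained."""
    return dispatch(FLEET, fake_invoke, max_concurrency=5, max_errors=2)


def unthrottled_rollout():
    """Without a budget the same bad command reaches the whole fleet."""
    return dispatch(FLEET, fake_invoke, max_concurrency=25, max_errors=25)


if __name__ == "__main__":
    ok, bad, skipped = canary_rollout()
    print(f"succeeded={len(ok)} failed={len(bad)} not_sent={len(skipped)}")
```

The canary run stops after the second wave with 15 hosts never touched, while the unthrottled run hits every host before anyone sees the three failures.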
11. Setting up your instances
• Single light-weight agent, cross-platform
• SSM agent is open source, written in Go
• Health status via DescribeInstanceInformation
• On-demand agent update
• Hybrid support
12. Finding out which instances are heartbeating
D:\Users\amjadhu>aws ssm describe-instance-information
{
"InstanceInformationList": [
{
"IsLatestVersion": false,
"PingStatus": "Online",
"InstanceId": "i-c6d69773",
"ResourceType": "EC2Instance",
"AgentVersion": "3.17.1032",
"PlatformVersion": "6.2.9200",
"PlatformName": "Windows Server 2012 Standard",
"PlatformType": "Windows",
"LastPingDateTime": 1477203028.78
},
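A small audit over the describe-instance-information output shown above, added as an example (not code from the deck). The sample JSON is constructed in the shape of the CLI output, reusing the slide's i-c6d69773 entry plus two made-up hosts; audit_agents, the 15-minute silence threshold and the fixed "now" timestamp are assumptions for the example.

```python
"""Audit SSM agent health from describe-instance-information output."""
import json

# Constructed sample in the shape of `aws ssm describe-instance-information`.
# The i-c6d69773 entry is the one on the slide; the other two are made up.
SAMPLE_OUTPUT = json.dumps({"InstanceInformationList": [
    {"IsLatestVersion": False, "PingStatus": "Online", "InstanceId": "i-c6d69773",
     "ResourceType": "EC2Instance", "AgentVersion": "3.17.1032",
     "PlatformType": "Windows", "LastPingDateTime": 1477203028.78},
    {"IsLatestVersion": True, "PingStatus": "ConnectionLost", "InstanceId": "i-0fake0001",
     "ResourceType": "EC2Instance", "AgentVersion": "3.18.0",
     "PlatformType": "Linux", "LastPingDateTime": 1477199000.0},
    {"IsLatestVersion": True, "PingStatus": "Online", "InstanceId": "mi-0fake0002",
     "ResourceType": "ManagedInstance", "AgentVersion": "3.18.0",
     "PlatformType": "Linux", "LastPingDateTime": 1477203000.0},
]})
SAMPLE_NOW = 1477203100.0  # epoch seconds, chosen to sit just after the sample pings


def audit_agents(raw_json, now, max_silence_s=15 * 60):
    """Return {'offline': [...], 'stale': [...], 'outdated': [...]} instance ids.

    offline : PingStatus other than Online (ConnectionLost or Inactive)
    stale   : no heartbeat for more than max_silence_s seconds before `now`
    outdated: agent is not the latest version (IsLatestVersion false)
    Hosts on any list are unmanaged as far as Run Command or State Manager
    is concerned and need chasing before you rely on them for fleet-wide actions.
    """
    findings = {"offline": [], "stale": [], "outdated": []}
    for info in json.loads(raw_json)["InstanceInformationList"]:
        instance_id = info["InstanceId"]
        if info.get("PingStatus") != "Online":
            findings["offline"].append(instance_id)
        if now - info.get("LastPingDateTime", 0) > max_silence_s:
            findings["stale"].append(instance_id)
        if not info.get("IsLatestVersion", False):
            findings["outdated"].append(instance_id)
    return findings


if __name__ == "__main__":
    # A real run would feed the CLI or boto3 output here and use time.time().
    print(json.dumps(audit_agents(SAMPLE_OUTPUT, now=SAMPLE_NOW), indent=2))
```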
13. Setting up the agent for on-premises
• One-time setup to register on-premises servers
• Consistent experience
• Identified by mi-*
14. Customizing commands
• Documents: A common way of authoring across EC2 Systems Manager
• Parameters: Allows passing in run-time values
• JSON schema, allows editing and versioning
• Sharing with accounts
• Amazon published documents (begin with AWS-*)
18. Xero – Run Command
Beautiful cloud-based accounting software
Connecting people with the right numbers anytime, anywhere, on any device
19. Xero – Run Command
• 1,500+ staff globally
• 862k subscribers globally
• $303m subscription revenue FY16 (all figures shown are in NZD)
• 2 years of AWS design and build
• 6 months of AWS service migration
20. Xero – Operational Challenges
• Host discovery
  • Dynamic, disposable servers
  • Increase in host count
• Integration with pipeline tools
  • CI/CD tooling
  • Chat bots
  • Lambda
• Network isolation
  • Production servers vs pipeline tools (git, CI/CD)
  • Multiple AWS accounts
  • Production servers vs operations/development team workstations
22. Xero – Run Command Use Cases
• Validation of .Net application configuration - From CI
• Reloading application pools - via CI
• Enabling services on a sample of machines in an ASG via AWS Lambda
• PowerShell modules for interactive investigation
25. State Manager
• Maintain consistent state of instances
• Reapply to keep instances from drifting
• Easily view status of configuration changes
• Define schedule – ad hoc, periodic
• Track aggregate status for your fleet
26. State Manager – Getting started
• Document: Author your intent
• Target: Instances or tag queries
• Association: Binding between a document and a target
• Schedule: When to apply your association
• Status: Check the state of your association at an aggregate or instance level
27. Creating an Association
aws ssm create-association
--document-name WebServerDocument
--document-version $DEFAULT
--schedule-expression "cron(0 */30 * * * ? *)"
--targets "Key=tag:Name,Values=WebServer"
--output-location '{"S3Location": {"OutputS3Region": "us-east-1", "OutputS3BucketName": "MyBucket", "OutputS3KeyPrefix": "MyPrefix"}}'
Configures all instances that match the tag query and reapplies every 30 minutes
29. Parameter Store
• Centrally store and find config data
• Repeatable, automatable management (e.g. SQL connection strings)
• Granular access control – view, use and edit values
• Encrypt sensitive data using your own AWS KMS keys
30. Parameter Store – Getting started
• Parameter: Key-value pair
• Secure Strings: Encrypt sensitive parameters with your own KMS key or the default account encryption key
• Reuse: In Documents, and easily referenced at runtime across EC2 Systems Manager using {{ssm:parameter-name}}
• Access Control: Create an IAM policy to control access to specific parameters
31. Creating and using a parameter
aws ssm put-parameter
--name mycommand
--type String
--value "dir C:\Users"
aws ssm send-command
--document-name AWS-RunPowerShellScript
--parameters commands="echo {{ssm:mycommand}}"
--targets "Key=tag:Name,Values=WebServer"
33. Best-practices and FAQs
• What OS platforms are supported?
• Update your SSM agent today to get started!
• What ports or network access do my instances need?
• Is there anything different to set up on-premises servers?
• Use notifications, velocity control
• For disruptive actions, use Run Command with Maintenance Window
• Fine-grained access control through IAM policies on resources (e.g. documents)
• Customize configuration with idempotent scripts for State Manager
34. Your Feedback is Important!
• These services are available today
• Learn more at https://aws.amazon.com/ec2/run-command/
• Technical documentation at http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/run-command.html
• Please send your feedback, improvements, and requests to ec2-ssm-feedback@amazon.com