© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Dean Samuels
Manager, Solutions Architecture, Hong Kong & Taiwan
19th January 2017
New Launch! Amazon EC2 Systems Manager
Hybrid Cloud Management at Scale
What to Expect from the Session
• Overview of Systems Manager and its capabilities
• Learn how to configure and manage your cloud and hybrid IT environments at scale
• Demos
Cloud is the new normal – enterprises of all sizes are moving to the cloud to take
advantage of increased agility, lower costs, and a global reach
Many enterprises often bring their traditional on-premises toolset to manage their cloud and
hybrid environments
What we heard from customers
• Traditional IT tools not built for the cloud
• Managing resources at scale is difficult
• Lack of visibility into configuration and execution history
• Multiple vendors; complex licensing
Managing cloud and hybrid environments using traditional tools is complex and costly
Introducing EC2 Systems Manager
A set of capabilities that enable automated configuration and ongoing management of systems at scale, across all of your Windows and Linux workloads, running in Amazon EC2 or
on-premises
Why should I care?
• Hybrid
• Cross-platform
• Scalable
• Secure
• Easy-to-write automation
• Reduced TCO
Systems Manager capabilities
Run Command Maintenance Window
Inventory
State Manager Parameter Store
Patch Manager
Automation
Deploy, Configure, and Administer
Track and Update
Shared Capabilities
Documents
Parameter Store
• Parameters can be referenced from Run Command, State Manager, and the Automation service
• Granular access control limits unwanted data access
• Encrypt sensitive information using your own AWS KMS keys
• Eliminates the ongoing maintenance challenge of critical enterprise assets
Centralized management of IT assets such as passwords and connection strings
New!
Parameter Store – Getting Started
1. Set parameters as key-value pairs
2. Secure strings: encrypt sensitive parameters with your own KMS key or the default account encryption key
3. Reuse: reference parameters in Documents at runtime across EC2 Systems Manager using {{ssm:parameter-name}}
4. Access control: create an IAM policy to control access to specific parameters
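The access-control step above, as an added example (this policy is not from the deck): an IAM policy that lets a role read exactly one parameter and decrypt it with exactly one KMS key, so a role used by one workload cannot read other teams' secrets or decrypt under other keys. The region, account id (111122223333), parameter name and key id are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOneProdParameterOnly",
      "Effect": "Allow",
      "Action": "ssm:GetParameters",
      "Resource": "arn:aws:ssm:ap-northeast-1:111122223333:parameter/prod-db-connection-string"
    },
    {
      "Sid": "DecryptSecureStringsWithOurKeyOnly",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:ap-northeast-1:111122223333:key/00000000-0000-0000-0000-000000000000"
    }
  ]
}
```

The kms:Decrypt statement is only needed when the parameter is a SecureString fetched with decryption; everything not listed (PutParameter, DeleteParameter, other parameter names) stays implicitly denied.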
Maintenance Window
• Define one or more recurring windows of time during which it is acceptable for disruptive actions to occur
• Built-in integration with Run Command and Patch Manager
• Helps improve availability and reliability of your workloads by automatically performing tasks in a well-defined window of time
Schedule disruptive tasks in well-defined window to minimize downtime
New!
Run Command
• Example: Running shell and PowerShell scripts
• Easily define new tasks using simple JSON-based Documents – no specialized skillset required
• Leverage Documents built by AWS and the broader community
• Delegate access, perform audit, receive notifications
• Helps improve security posture by eliminating the need to SSH or RDP
Perform common administrative tasks remotely at scale
Run Command – Getting Started
1. Instance: set up the agent and an AWS Identity & Access Management (IAM) role on your instance. On-premises servers: create an activation code, deploy the agent and activate
2. Create a Document to author your intent, define the plugins to run and the parameters to use
3. Command and Command Invocation on target instances and on-premises servers
4. View status and output – granular results
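A Run Command document of the kind step 2 describes, added here as an illustration rather than taken from the deck; the same document type is what a State Manager association binds to a target, so it serves both sections. The parameter name prod-db-connection-string, the unit name and the /etc/myapp/env path are assumptions.

```json
{
  "schemaVersion": "2.2",
  "description": "Refresh the app's connection string from Parameter Store and restart it (example document)",
  "parameters": {
    "serviceName": {
      "type": "String",
      "description": "systemd unit to restart",
      "default": "myapp",
      "allowedPattern": "^[A-Za-z0-9@._-]+$"
    }
  },
  "mainSteps": [
    {
      "action": "aws:runShellScript",
      "name": "refreshConfigAndRestart",
      "inputs": {
        "timeoutSeconds": "120",
        "runCommand": [
          "#!/bin/bash",
          "set -euo pipefail",
          "# {{ssm:prod-db-connection-string}} is substituted by the service before this runs",
          "umask 077",
          "printf 'DB_URL=%s\\n' '{{ssm:prod-db-connection-string}}' > /etc/myapp/env",
          "systemctl restart '{{serviceName}}'",
          "systemctl is-active '{{serviceName}}'"
        ]
      }
    }
  ]
}
```

The allowedPattern keeps a caller from smuggling shell metacharacters through the document parameter, and the script writes the secure string to a mode-600 file instead of echoing it, since anything printed lands in the command output that others may be allowed to view.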
State Manager
• Example: Configuring firewall and updating anti-malware definitions
• Define new policies using simple JSON-based Documents
• Control how and when a configuration is applied and maintained
• Helps enforce enterprise-wide compliance of configuration policies
• Re-apply to keep servers from drifting
• Track aggregate status for your fleet
Define and maintain a consistent configuration of OS and applications
New!
State Manager – Getting Started
1. Create a Document to author your intent
2. Association: binding between a document and a target
3. Schedule: when to apply your association
4. Status: check the state of your association at an aggregate or instance level
Automation Service
• Optimized for building and maintaining Amazon Machine Images (AMIs)
• Start with an AMI, perform automation steps such as OS patching and driver updates, and produce a new AMI
• Express your workflow as automation steps in a JSON-based Document
• Support for Run Command, AWS Lambda functions, AWS CloudTrail, IAM and Amazon CloudWatch integrations
• Eliminates the overhead in managing ‘golden’ enterprise images
Automate common tasks using simplified workflows
New!
Automation – Getting Started
1. Create an automation document
2. Run the automation
3. Monitor your automation
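The AMI-maintenance workflow the Automation Service bullets describe (start from an AMI, patch it, produce a new AMI), written out as an added Automation document; this is an example, not an AWS-managed document, and the step names, the AutomationAssumeRole and IamInstanceProfileName parameters and the yum update command are assumptions.

```json
{
  "schemaVersion": "0.3",
  "description": "Build a patched golden AMI from a source AMI (example document)",
  "assumeRole": "{{ AutomationAssumeRole }}",
  "parameters": {
    "SourceAmiId": { "type": "String", "description": "AMI to start from" },
    "InstanceType": { "type": "String", "default": "t2.medium" },
    "IamInstanceProfileName": { "type": "String", "description": "Profile that lets the SSM agent reach the service" },
    "AutomationAssumeRole": { "type": "String", "description": "Role Automation assumes to call EC2 and SSM" }
  },
  "mainSteps": [
    { "name": "launchInstance", "action": "aws:runInstances",
      "maxAttempts": 3, "timeoutSeconds": 1200, "onFailure": "Abort",
      "inputs": {
        "ImageId": "{{ SourceAmiId }}",
        "InstanceType": "{{ InstanceType }}",
        "MinInstanceCount": 1, "MaxInstanceCount": 1,
        "IamInstanceProfileName": "{{ IamInstanceProfileName }}"
      }
    },
    { "name": "patchOs", "action": "aws:runCommand",
      "maxAttempts": 3, "timeoutSeconds": 3600, "onFailure": "Abort",
      "inputs": {
        "DocumentName": "AWS-RunShellScript",
        "InstanceIds": [ "{{ launchInstance.InstanceIds }}" ],
        "Parameters": { "commands": [ "sudo yum update -y" ] }
      }
    },
    { "name": "stopInstance", "action": "aws:changeInstanceState",
      "inputs": { "InstanceIds": [ "{{ launchInstance.InstanceIds }}" ], "DesiredState": "stopped" }
    },
    { "name": "createImage", "action": "aws:createImage",
      "inputs": {
        "InstanceId": "{{ launchInstance.InstanceIds }}",
        "ImageName": "golden-patched-{{ global:DATE_TIME }}",
        "NoReboot": true
      }
    },
    { "name": "terminateInstance", "action": "aws:changeInstanceState",
      "inputs": { "InstanceIds": [ "{{ launchInstance.InstanceIds }}" ], "DesiredState": "terminated" }
    }
  ],
  "outputs": [ "createImage.ImageId" ]
}
```

Each step names its action, retry budget and failure policy, and later steps consume the instance id the launch step emitted; the build instance is stopped before imaging and terminated afterwards so no half-patched host is left running.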
Walkthrough Demo
Inventory
• Example: Instance and OS details, network configuration, list of files, installed software and patches
• Collect data from predefined inventory types or write a custom one using JSON Document
• AWS Config integration enables tracking the history of changes
• Simplifies management scenarios, such as licensing usage tracking and identifying zero-day vulnerabilities
Scalable way of collecting, querying, and auditing detailed software inventory information
New!
Inventory – Getting Started
1. Configure Inventory policy
2. Apply Inventory policy
3. Query inventory
Walkthrough Demo
Inventory – System Diagram (figure): SSM Agents on an EC2 Windows instance, an EC2 Linux instance and an on-premises instance report to the AWS SSM service, where State Manager runs the EC2 Inventory SSM document and writes results to the Inventory Store; the store is queried from the EC2 Console and SSM CLI/APIs, and AWS Config (console and CLI/APIs) records the history of changes.
Patch Manager
• Express custom patch policies as patch baselines, e.g., apply critical patches on day 1 but wait 7 days for non-critical patches
• Perform patching during scheduled maintenance windows
• Built-in patch compliance reporting
• Eliminates manual intervention and reduces time-to-deploy for critical updates and zero-day vulnerabilities
Roll out Windows OS patches using custom-defined rules and pre-scheduled maintenance windows
New!
Patch Manager – Getting Started
1. Create a Patch Baseline to define approved patches
2. Create a Maintenance Window to schedule patching for a set of instances
3. The Maintenance Window executes patching
4. Audit results with Patch Compliance
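An added example of the approval rules a patch baseline can express (not taken from the deck), matching the policy the Patch Manager bullets describe: critical and important security patches approved as soon as they are released, lower-severity updates only after a 7-day wait. Each filter group ANDs its filters; the Windows classification and MSRC severity values are the ones Patch Manager recognizes.

```json
{
  "PatchRules": [
    {
      "PatchFilterGroup": {
        "PatchFilters": [
          { "Key": "CLASSIFICATION", "Values": [ "CriticalUpdates", "SecurityUpdates" ] },
          { "Key": "MSRC_SEVERITY", "Values": [ "Critical", "Important" ] }
        ]
      },
      "ApproveAfterDays": 0
    },
    {
      "PatchFilterGroup": {
        "PatchFilters": [
          { "Key": "CLASSIFICATION", "Values": [ "CriticalUpdates", "SecurityUpdates", "UpdateRollups" ] },
          { "Key": "MSRC_SEVERITY", "Values": [ "Moderate", "Low", "Unspecified" ] }
        ]
      },
      "ApproveAfterDays": 7
    }
  ]
}
```

Save it as rules.json and pass it with `aws ssm create-patch-baseline --name ProdWindowsBaseline --approval-rules file://rules.json`, then bind the returned baseline id to the instances' patch group with `aws ssm register-patch-baseline-for-patch-group --baseline-id <id> --patch-group Prod`.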
Patch Manager - Overview (figure)
Prod Environment: Instance A and Instance B, both tagged Patch Group: Prod
1. Patch Baseline: Critical, High; 5 days or older
2./3. Maintenance Window: Sundays @ 1AM, 2 hrs. long; task: Patching
4. Patch Compliance: 2 up to date, 0 missing updates, 1 error
Best-practices and FAQs
• What OS platforms are supported?
• Update your SSM agent today to get started!
• What ports or network access do my instances need?
• Is there anything different to set up on-premises servers?
• Use notifications, velocity control
• For disruptive actions, use Run Command with Maintenance Window
• Fine-grained access control through IAM policies on resources (e.g. documents)
• Customize configuration with idempotent scripts for State Manager
Systems Manager availability
• No charge – only pay for AWS resources you manage
• Available in multiple regions
Your Feedback is Important!
• These services are available today
• Learn more at https://aws.amazon.com/ec2/run-command/
• Technical documentation at http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/run-command.html
• Please send your feedback, improvements, requests to [email protected]
Next steps
• Learn more at https://aws.amazon.com/ec2/systems-manager/
• Join us at the booth! We’d love to hear your feedback.
Remember to complete your evaluations!
Thank you!
Dean Samuels
Manager, Solutions Architecture, Hong Kong & Taiwan
18/01/2017