1. SSM – Overview & Quick Setup
Okay, so we are getting into aws Systems Manager and ssn. So this will help you manage your EC Two and onpremise systems at scale and you will get operational insights about the state of your infrastructure. You can easily detect problems and you can easily do patching automation for enhanced compliance and security. So whenever you see some patching in the questions, usually Systems Manager will play a great role in it. It will work both for Windows and the linux operating system and it’s tightly integrated with cloudwatch Metrics and dashboards. It’s also integrated with iOS configs, as we see in this section. And it’s a free service.
So what sort of features do we need to know? And we’ll probably visit all of them in these lectures. So the first is Resource Group to group your resources together. Then you have insights such as the Inside dashboard, the inventory to discover and audit the software installed. You’ll get some compliance insights, you have access to the parameter store we’ve been using. It already a bit little, but we’ll see in depth how it works. And we’ll see some actions, such as automation for example, to shut down EC Two automatically or create amis. We’ll look into more complex examples as well. Run Command to run commands directly on your fleet. Session manager to open an ssh command.
Patch Manager to patch your instances and manage the state of those maintenance window to ensure that your instances can be patched at the right time and State Manager to define and maintain configuration of the OS and applications. Now, I don’t expect you to remember all these names right now in this lecture, but don’t worry, we’ll go through them in hands on all of those. And so at the end of this section you should have a really, really good understanding of Systems Manager and you will be able to answer any questions at the exam regarding it. So how does it work? Well, we have ssm service by aws and we’ll need to install the ssm agent onto the systems we want to control.
So by default, if we launch an Amazon linux ami or some ubuntu Mi, the ssm agent will come installed out of the box or otherwise we have to install the agent manually. So we have our EC two instances, our on premise vms and we’ll install the ssm agents on each of those who will report directly to the ssm service and register with them. If an instance cannot be controlled by ssm, it’s probably an issue with the ssm agent or the im role. So we need to make sure that the easy two instances, for example, have a proper iam role to allow ssm actions. So that’s it just for the overview. Now let’s go into the quick setup. So I’m going to type ssm or Systems Manager and get straight to it.
So we are greeted with ssm and there’s a quick setup in here. So we’ll click on it and this will help us create the necessary roles to get started with ssm. So we’ll create a default role, for instance Profile and it will create that role that we can use quickly for our instances. We’ll also use a default role for the Systems Manager and there will be the service role that will allow it to securely run commands on our instances. Next, for the quick setup options, I’m actually going to untick everything because I want to set up these things manually and go through the process so you get to learn it. So let’s untick all these quick setup options. And for the targets right now, we can choose instances.
I’m just going to choose one of them randomly so it doesn’t fail. I want to click on Create but we’ll set up instances on our own in the next lectures. So just select one of those, any one of those and then click on Set up Systems Manager and we are done with this setup. As you can see, only one instance is Managed. Managed. And then we have no inventory, no ssm Agent configuration, no patch compliance, no Cloud Watch interject and so on because we will set these up ourselves. Okay, so that’s it. We just have two iam roles ready for us to use. So I will see you in the next lecture.
2. SSM – EC2 Setup
So now let’s go ahead and set up some EC Two instances to be registered with Systems Manager. So I’m going to the left hand side and I’m going to look at my managed instances on the left hand side. So as we can see, there’s no instances in there. So let’s see how that works. We need to install the ssm agent if not installed already by default, then configure the instance role and then the instance should appear here. So let’s go to Services and let’s go to EC two two. And I’m going to go. Ahead and create some easy two instances for us. So there are two running instances that I can stop because they’re not really relevant for my thing. So I’ll just stop this one. I’ll go ahead and stop this logging. Instance.
Okay, here we go. So I launched instances and I’ll choose Amazon linux Two. And on Amazon linux Two, by default it comes with the ssm agents already installed and running. So this is true for linux Two and you need to check the documentation to see other kind of OS that do have this already. I’ll choose it to do micro and for the instance detail I will say it’s one instance. And for the im role I will choose the role that was done for ssm. So Amazon ssm role for Quick instance for instance is Quick setup. And this is the role that was created by the Quick setup before. So let’s have a look at what that role is doing. So let’s go to iam and we will find that role. It was called quick. So little trick in here.
If you click on search I am, you can just type quick and it will find the role for you. So this is the role that was created for us. So the Amazon ssm role, for instance, is quick setup. And the policy attached to it is Amazon ssm managed instance score which allows us to do a few ssm api calls for our instance. For example, to be able to put itself in its inventory and so on. Okay, so we are good to go. I will click on next add storage. Next add tags and for security group for the tags, let’s just say, okay, the name is ssm, so I can remember. It is an ssm instance. And the environment is going to be called development. So that we have a development. Instance. And for security groups, I will just create a new one, launch a review and launch this instance.
And as well, I’m going to do the same thing. So I’m going to click on this launch more like this. And instead I’m going to change a few things. The one thing I’m going to change is that I want two instances this time. And I will click on storage tags. And so the environment is going to be production. Okay? Excellent. Then Security group we’ll use the existing one region launch launch and we are good to go. So now we have three instances that are started that are called ssm. So here they are, the three of them. I’m going to wait for those to be all launched. So my instances are now in the green so they’re all running.
So if I go back to Systems Manager and refresh this page, hopefully I should see my three instances in ssm. So here we go, they are in here, they’re registered and so we have the name, we have the instance ID, the pink status, so they’re online the platform, the platform name, the version of the agent, the IP address and so on. So a lot of good information and they all registered so why did they register? Because number one, they have an im role, this one that was created by the Quick setup and that allows the instance to talk to Systems Manager. And number two, if we connect to this easy to instance to quickly check what’s happening on it, we can do a pseudo system ctl and then what is the command.
I have it pasted here so pseudo systemctl status, amazon ssm agent and this shows you that the agent is already active and running on the EC two instance. The reason being that the Amazon linux OS already comes with the ssm agent installed but if it doesn’t come with it you would need to go ahead and install that Amazon ssm agent onto the OS and then you’ll be able to get started. So that’s it, we have three instances managed by ssm. This is a great start and in the next lecture we’ll see how we can register on premise instances as well because it’s important to know going into the exam. So see you in the next lecture.
3. SSM – On-Premise Setup
So so far we have three easy to instances that are managed by SSM but it is possible to do something called a hybrid activation which is to activate on premise instances or virtual machines or nonada based cloud servers or other devices with aws Systems Manager. And so you need to know how that works going into the exam. So we’ll need to create an activation and before we go ahead and create this activation we first need to go ahead and set up that vm that will activate. So first thing we have to do is to look at the documentation and so what we can see in this document in here is that we can have managed instances and the Amazon EC two instances that are managed using Systems Manager start with an I.
So if we go back to session to manage instances sorry, if we go back to managed instances in here and then we look at the instance ID, it has an I. So this is corresponds to the instance ID of the EC two instances. So that makes sense. But if we use a hybrid instance, then it will have the prefix mi. Okay? And we’ll see this afterwards. Also we have a whole tutorial here around how activations work but don’t worry, we’ll go with this step by step together. So let’s get started. We are going to launch a new instance and for this one we’ll use something like the Red Hat linux Enterprise which is pretty eligible because I think it doesn’t have the SSM agent installed on it.
So we’ll select this one and we’ll choose T two micro and we configure the instance details. We’re not going to attach any im role because we imagine that it is an on premise server okay, even though it isn’t but we imagine it is one. We’ll use this device in here, we’ll add tags and this one is going to be named on premise. This is our on premise instance and the environment is going to be development. For example okay, configure Security Group this is fine. We’ll review and launch, launch and acknowledge and here we go. Our on premise server is starting. So imagine this is an on premise even though it’s launched on aws we’re not going to use EC two instance roles.
So as such this is in some ways an on premise instance. So for this we cannot use EC two instance Connect. So I need to use ssh so I’m going to pick up the public IP and open a terminal window directly into it. So let’s just do an ssh and I’m going to put in the public IP and we still have the EC two user so we are in the machine and we are good to go. As a check we can do pseudo system ctl status and an Amazon SSM agent to see if it’s installed and as you can see it says this unit could not be found. So we are good to go. So next we’ll go ahead and download the agent to install it. So we’ll make a directory in tamp SSM. So here we go. Then we will download the agent rpm file into this temp SSM directory.
So using curl. So now if we go into the temp SSM directory we have this amazon SSM agent rpm file. Excellent. And then we’ll do pseudo yum install to install that agent onto the machine. So it’s going through the install and now we’re done. And finally we’ll stop the agent just in case it is started. So let’s stop the agent. Okay, now it’s stopped. And now we need to go ahead and configure the agents. So this is where we run this pseudo SSM command. So here it is. And we need to provide an activation code and an activation ID as well as a region. So let’s do all these things. So back into my console, I am going to system manager and I’m going to go to hybrid activations and I’m going to create an activation code and I’m going to call it demo for vm and I’m going to create one activation.
Okay. And as you can see here, if you register more than 1000 managed instances, then you will have some cost. So the maximum amount of instances under the free tier is 1000. And afterwards you need to increase the limits and then you will also incur some cost. So this activation is linked to an iam role and that I am role will be used by the agent onto our onpremise instance. So we’ll create a system default command execution role that has all the required permission to do this. And so the new role that will be created is called Amazon EC to run command role for manage instances. And then it will use other type of roles in there. So we can have an expiry date for the activation but I’m not going to put anything.
And then the default instance name, we’re not going to put anything as well. I’ll create this activation and as you can see I get an activation code and an activation ID. Now this is like the secret access key and the access key ID in aws. Therefore you should not share it with everyone. And once you use it, it will be used by the SSM agent. So for the activation code I’m going to replace it in my command in here. So I’ll replace the activation code right here. And then for the activation ID, I’m going to copy this entire blob of uuid. Here we go. And I’m going to add it here as far as the region. Because this activation was created in Ireland. This is EU West One.
So here we’re running the Amazon SSM agent to register this code and this ID, I’ll press Enter and it says okay, successfully register the instance with Amazon SSM using this manage instance ID mi and something. So as you can see here the instance ID starts with Mi and so finally when we’re done we need to start the SSM agent so we’ll do pseudosystem ctl start Amazon SSM agent and it is started how can we make sure? Then we’ll do status and it says status is that the agent is running. So excellent, this should be all good. And so back in here, if I refresh this page, you’ll see this will go away so I lost this will go away one day but so I could lose it. So I go here and this is the ID it was for my activation and there was one registered instance and that was the limit as well.
So I only allowed one instance to be registered and my instance has not been indeed registered and it’s active and this activation has a service role. Okay, so back into my managed instances as we can see now we have three easy two instances and we have one managed instance right here which starts by Mi and it did recognize that it’s a Red Hat Enterprise linux in here. So really helpful. We have just done our first on premise setup for SSM even though that was a vm that I launched as an easy to instance but it wasn’t detected as such and so that completes the setup for on premise instances onto SSM and this is something you need to know and remember going into the exam.
Finally, always good to know if you click on the managed instance itself and that’s a hybrid instance, I’m able to still tag it so I can definitely add some tags in here and say the environment is dev Lovement and the name is going to be on premise so let me edit name and here we go. So we definitely are able to add tags to even our on premise instances using this ui and this is good to know because now we have the name SSM from my escape instances and on premise for the onpremise instance that I just registered. All right, that’s it for this lecture. I will see you in the next lecture.
4. SSM – Resource Groups
Now let’s go ahead and set up our first resource group. So it’s at the very top of the screen. You can go ahead and create a group. This is also something you can access by clicking on the resource group on the left hand side and create a resource group as well. So resource groups are away as to as the name indicates to group resources together. And there’s two groups type there is the tag based or the cloud formation stack based. So if you have your confirmation stack you can group group all the things that were created by this confirmation tag stack together or tag based if you specify a tag. So for example in here I could say my EC two instances I want to group them based on the tag environment and the value being developments and this will represent a group of all the EC Two instances that have this tag in it.
Okay, this looks good. Then the group detail I call it my EC two development instances and here we go. I will create the group and we’ll be done. And this is our first group. As you can see we have four instances in there in this group and this is great. This is a good start for us and this is something we can absolutely do as well. On the other instances for prod so I’ll go to EC two instance and then I’ll say environment should be production add and we have created our second resource group. So my EC two production instances and create the group. And here is our second group that has been created being matched to five other easy two instances. So in our saved resource group now we have the dev instances and the prod instances and this will be helpful when going into the next lecture to of ssm. So I will see you in the next lecture.
