AWS Systems Manager Demonstration

Captions
Hello friends, welcome to this video. In this video we'll learn about AWS Systems Manager. So the agenda for this video is: understanding Systems Manager, the Systems Manager services, the SSM agent, and then we will have a lab or a demo on Systems Manager.

Let's understand what AWS Systems Manager is. AWS Systems Manager is a service that you can use to view and control your infrastructure on AWS. Systems Manager helps you to perform basic operational activities on AWS resources such as remote login, patching, remote command execution, bulk tagging and package distribution. Okay, so let's take an example: you have hundreds of EC2 instances and you would like to execute a particular command on all the EC2 instances. How would you do that? One way is you log into each of these EC2 instances and go and execute that particular command, right? Which is a time-consuming process, and it could also lead to human errors, right? Whereas Systems Manager will help you to execute that particular command without even logging into each of these EC2 instances, and you will also get to know the status, whether the command has executed successfully or not.

The same way, remote login: for example, you want to log into an EC2 instance and try to do something. How do you do that? So you have to find the pem file of it, use some utilities like PuTTY or tools similar to PuTTY, and then you log in; you should know the credentials, then you will log in and you perform certain activities, right? So if you want to do it instantly, take remote control of that particular EC2 instance and do certain activities, how do you do that? Systems Manager will help you to do that.

The same way, it also helps you to do the patching and bulk tagging. For example, you have a group of services, not just EC2; you also have other services such as S3 or any other service that you may be using for your projects, right? And you want to give a tag stating that these are all the services related to a project, project one. How would you do that? So manually, if you try to do it, you have to go to each of the services and then you have to enable the tagging for that. Systems Manager will help you to do the bulk tagging. And then package distribution: for example, you have an agent to be installed, a certain software to be installed on all the EC2 instances, hundreds of EC2 instances. How would you do that? Then Systems Manager will help you in that as well. So to perform all these basic operations, Systems Manager will help you to do that. The services or the examples that I have listed here are very minimal; Systems Manager does more than what has been written here as well.

Systems Manager has been there in AWS for quite some time. It used to be called SSM, that's Amazon Simple Systems Manager, and recently AWS changed its name and called it AWS Systems Manager. Some of its capabilities: as I said, Systems Manager has a lot of capabilities. All these capabilities have been grouped under different buckets, so it has Operations Management, Application Management, Actions and Change, Instances and Nodes, and Shared Resources. So it has so many capabilities included as part of the bundle of Systems Manager, and they have been categorized like this. For this particular demo and for this particular video, we are limiting ourselves, or we are restricting ourselves, to only a few of the AWS Systems Manager services. One is Managed Instances: we will come to know how to get an instance under the management of Systems Manager by installing an agent or by enabling an agent. Session Manager: we will see how to take a remote session of an EC2 instance without even having the pem file of it. How do we execute a remote command, how do you do the compliance and the patch management, and then finally we will end up doing a distribution as well; we will try to install a package remotely to the managed instances.

But to do all these things you need to have an agent. Systems Manager is an agent-based solution. It means any resource that you want to manage under Systems Manager has to have an agent, and that agent is called the SSM agent, as it used to be known as SSM earlier, so the agent is still known as SSM. So you need to have an SSM agent to have the management under Systems Manager. One good thing about the SSM agent is Systems Manager can have instances not only from AWS; you can also have the management on your on-premises. So I can have this SSM agent installed on your on-premise servers, on your virtual servers, and you can manage them under your Systems Manager. So the same functionalities that we said, the Systems Manager Run Command or the patching or the compliance, can be executed even on the on-premise or the virtual servers that you have on your on-premise. SSM agent: so it can be installed on Amazon EC2, on-premise servers and virtual machines.

One of the good things about the SSM agent is it is pre-installed on many of the AMIs, many of the operating systems that AWS brings to you. For example Amazon Linux, the first version, 2017.09 and later editions: any Amazon Linux EC2 instance that you create has a pre-built SSM agent installed. Amazon Linux 2, Ubuntu and Amazon ECS-optimized instances: so these instances already have the SSM agent installed. We will launch a server and we will log in and see how this SSM agent looks like and whether it is really installed or not. You can also do a manual installation of the SSM agent on other EC2 instances. For example, you go ahead and launch any other service, or maybe it is a custom AMI where you do not have an SSM agent; you still have the possibility of having it installed manually. The SSM agent: the name of the agent is amazon-ssm-agent. This is what you will see even in the EC2 instances when you log in and check for the agent status. The downloadable path: as we said, for certain AMIs it is inbuilt, it means AWS has already included the agent as part of the EC2 or the AMI; for certain AMIs it is not available, for those you can download it from here and you can install it. The Windows version of the SSM agent is also available for download; the one that is listed is only the Linux version of it. Linux service operations: so you can start the service, you can stop the service, you can check the status, and the name of the agent is amazon-ssm-agent. It maintains the log files in the /var folder of the Linux machines.

Then the agent service role is AmazonEC2RoleforSSM. So why is this role important? Because your SSM manager is executing the remote commands, is trying to take a connection bypassing all the other restrictions, right? So it is agent- and server-based communication, so you need to give appropriate privilege or appropriate authorization for the SSM manager to go and do the activities on that agent, right? And that's why you require a role, and the role that is required is called AmazonEC2RoleforSSM. So this particular role, the policy is already available; you need to create a role and use this policy applied to that particular role and then assign it to the EC2 instance.

Now we will quickly jump on to the demo and we will see how to work with this SSM agent. In this particular demo we will log into the EC2 instance to check the SSM agent, so we will create an EC2 instance; I currently do not have any instances running, so I'll create an EC2 instance and we will see that, check the running status of the agent, create and attach the required role, check if the instance is part of Systems Manager, whether it comes as part of the managed instances. Then we will try to run a command remotely, then we will take a remote session without a third-party tool such as PuTTY, then we will check the patch status (sorry for the spelling mistake here, it's "patch status"), compliance and updating the patch, and then finally we will try to distribute a ready package to EC2. So we'll do all these activities as part of this particular demo. Please note that as part of this demo we assume that you already have knowledge of the AWS console and other services such as EC2 and IAM. Please refer to our other videos if you want to learn more about these services; we do not cover the basics of these services in this video.

So for this particular demo I'll just keep it here, just for the step 6, and I will go to my Chrome browser where I have already logged into my AWS. So this is my account and this is the region; I'm currently working in the Mumbai region. I will go to EC2, and if I look at the status of the running instances, I do not have anything, right? So if I click on the instances, I do have a couple of them but they are in stopped mode; I do not have anything as such, right? So what we will do now: I'll just open up another tab and we'll try to open Systems Manager. To do that I'll go to Services and I will type "system", and Systems Manager appears here. If you already opened it you will get it in the history; currently I do not have it in the history, so I will open Systems Manager. And now, as you can see, there are several features available with Systems Manager: Operations Management, Application Management, Actions and Change, Instances and Nodes, and Shared Resources. So there are many services that have been implemented as part of Systems Manager. We are not going to do all the demos today because it will take a very long time; we will have other videos to cover the rest of the features of Systems Manager.

Now we will work with Instances and Nodes. The first thing is we will check if there are any instances that are part of Systems Manager, so just click on this Managed Instances, Get Started. I'll just click on this Get Started. Sorry for that, close this window, let me reopen it. So it says correctly: we do not have any of the systems as part of Systems Manager, and that's the reason why we are getting this. Okay, so how it works is you have to verify the prerequisites, install an SSM agent, configure the instance role, and then finally you will get that particular instance as part of this list. Since we do not have any systems as part of the Systems Manager management, it is just giving this welcome screen.

So we will go back to our EC2 and we will launch an instance, and I will choose an Amazon Linux 1. So I said 2018; this is 2018.03, and I said any AMI of Amazon which is after 2017 already has an SSM agent. So let's launch this and log in and see whether it already has an agent. So I'll just go with the default one, I don't change anything. I just say Add Storage, I'll go with the default one, I won't change anything. I'll give a Name tag; name as ssm test, I'll call it ssm test server one. I'll go to configure this one; I'll go to my default security group, I already have it, called linux, which opens three ports, 80, 22 and 443, from anywhere. I'll Review and Launch and I'll say Launch. Now it'll ask me for the pem file; I have a pem file already created, so I'll just click and launch instance. And as I'm telling you, we do not cover how to launch an EC2 instance and how to create a role as part of this particular demo; we are assuming that you already know those services. So if you want to learn more about EC2 and IAM, please feel free to go to our other videos and learn about them before this video.

So this is the ssm test; it is in a pending state, maybe in the next few seconds you will get it online. Yeah, it is in the running state. So I'll just take the IP address of it, I will go to my PuTTY and I will load the saved AWS session with the pem file that I have created earlier, and I'll give the host name and I'll say Open. Yeah, and I will go to ec2-user, the default username of an EC2 instance, and I will elevate my privileges to root. Now I am in the root account. The first thing that we will check is whether the agent is already installed. We said all the AMIs, certain AMIs of AWS, including Amazon Linux 1, Amazon Linux 2 as well as the Ubuntu version, are pre-installed with the SSM agent. So let's check whether we already have those agents installed. So what is the command for that? If I have to go back to my slide, so the command is sudo: you can use sudo, you can say start, status, right, stop and restart. So let me just copy this and put it here. Yes, it is running, correct. Can you see here, it is running, the SSM agent is running. So any Amazon AMI that you take after 2017 has an SSM agent already installed. So this already has an agent, right? But still it is not coming as part of my managed instances. Why? Because of the third thing: you do not have any role assigned to this particular EC2 instance. Unless and until there is a role, this agent will not be able to communicate with Systems Manager, right?

So let's create a role. So I'll open up another tab here and I'll go to Services and I'll go to IAM; you can type IAM here, or you can go under History and you can click on that. I'll just choose IAM here and I will go to Roles. Let's create a role here. So, let me repeat: under Roles I already have several roles here created for different demos and usage. So just Create Role here, and I will choose EC2 as my use case. Next: Permissions, and I will type ssm here, and the first thing that you need to choose is AmazonEC2RoleforSSM, right? So this is the one that you need to use as a role. Then I'll say Next: Tags, and I won't give tags; I'll say Next: Review. I'll give a role name and I will call this one ec2 ssm role, and I'll say Create Role. Now the role is created. Okay, now we need to assign this role to our EC2 instance. I'll come back to the first tab and I'll choose the EC2 instance, I'll go to Actions, Instance Settings and say Attach/Replace IAM Role, and now I will choose this ec2 ssm role that we just created and I'll say Apply, and I'll close it. It got applied, and I'll close that. Now if I click here and come to the description of it, IAM role, you can see that it has been attached.

Now we will go to the server and we will try to stop and start that, because after the role you need to stop it and then restart it so that it starts communicating with the Systems Manager server. So we just stopped it and started it. Let's come to Systems Manager and we will see if we have it available here, and there we go: I just refreshed the screen and you'll see that we have it listed under our Managed Instances. Okay, and you'll see this: ping status is Online, it's able to communicate, and agent version and computer name, and then association status and then EC2 instance and config. So we have it ready, correct? So this was our first activity, where we created an EC2 instance, we checked whether the SSM agent is already installed or not, and then we created an IAM role, we assigned that role to the instance, and as soon as we assigned and restarted the service we started getting it as part of our managed instances. Okay.

So let's try to do something with this. So I'll just scroll down, and the first thing that we will do is let's use Session Manager, and I will show you what Session Manager is. So Session Manager, as I explained earlier, will help you to take remote control of this particular EC2 instance. Now, as you have seen, if I need to take control, sorry, if I need to log in to this particular server, this ssm test server, what I need to do: I need to take the public IP of it, yeah, and then I need to identify what the pem file of it is, then I need to identify whether the security group is enabled or not, then I have to come back and open a tool such as PuTTY on Windows (on a Linux-based client you already have an SSH client installed). So in the case of Windows you need to convert your pem file into a ppk file and then add it into the PuTTY session and then you need to start. So you need to do all these activities, right? At least for the first time you need to do all these activities, and at a later stage you just need to take the IP address and keep putting it in PuTTY and just open it, right? So is there a better way? I said Systems Manager will help you to do that, right?

So I'll come to Systems Manager and I'll say Start Session. Then it'll ask me which is the server; you may be having 100 servers, so all the 100 servers will be listed down here, so you can choose that. You can search as well here: if you have hundreds of servers you can search on their IAM role, on the instance ID, instance name and everything. Now currently we have only one, so I'll just choose that and I'll say Start Session. Yeah, can you see, I have already logged in; it is already logged in as well. It didn't even ask me for the credential, because I logged into the AWS account as a root, right? And this root already has access to work with SSM, right? And that's the reason why it did not even ask for a credential to log into this EC2 instance; so, directly logged in. So I'll say sudo su here; I'll elevate my permissions, now I became root. Let's see if we can install something: yum install httpd, and I will say y, yes. There we go, see, from here I'm able to install. Let's try to remove something. Yeah, there we go, I can do all the administration activities from this particular session. Then I will terminate as well, and if I just go back here it will show you how many sessions are currently running. See, this session is currently connected. So just as an administrator, when you see that there are certain activities which are running, you can go ahead and you can terminate them yourself as well, right? Or I can terminate from here. So I'll say Terminate, and Terminate, and now if I refresh I don't have any sessions running. Okay, as an administrator, if you want to see how many sessions are being used by your other users, you can see from these Sessions; they should show the running live sessions. Okay, now what we did: we went ahead and took a remote session of that particular EC2 instance.

Now you may be wondering, you may be thinking, that all my ports are open as part of my security group and that's the reason why I'm able to connect, right? So we'll do one thing. I'll just close this session again. I'll go to my security group; I just scroll down and you can see the security group as linux, right? And if I say View Inbound Rules, it has port number 22 also open, which is for SSH. So we'll do one thing: we'll go to linux and let me remove that SSH. I'll delete, and I'll save it. Yeah, and now let me try logging in using PuTTY. No, we are not able to connect. The reason is from the security group we have removed the SSH permission; now you will not be able to take a remote session using SSH because we blocked this port: "Network error: Connection timed out", right? So I'll just close it. But let's go back and check from our AWS, from our Systems Manager, whether we will still be able to connect to that. I'll say Start Session and I'll choose the server that I have and I'll say Start Session. Yes, I am still able to log in. So your Systems Manager, because it's agent- and server-based communication, does not have a dependency on the security group. Another advantage of this is even if your server is in a private subnet of a VPC, where it doesn't have a public IP, even in that case you will still be able to connect to that server or take a remote session of that server using Systems Manager, right? So that is one of the advantages that you have: from your console itself, immediately you can take a remote session and perform the activities that you really want to do.

Now I'll go back; no, let it be like that. So I'll go to Run Command and let's try to execute a command. Okay, and there are no commands running. I'll just say Run Command. Then Run Command will give you so many options; you know, it has many things as pre-built commands. It has many things, for example you can apply Chef recipes, you can apply a patch baseline, you can install applications; there are a lot of things that you can do. So these are inbuilt applications or commands, the set of commands which are already available for you to go and run; you cannot customize them, you cannot change them, right? So you have something called... so I'll go to the next slide, you have something called... see, there are Windows-based commands as well. There we go, this is called Run Shell Script. Okay, in the case of Windows you can choose Run PowerShell Script. If you have a long script, for example you want to do certain activities with a long script with multiple commands and all, you can use, for Windows, Run PowerShell Script; for Linux you can use Run Shell Script. So I'll choose this. When I choose this, sorry, that's the documentation; I'll choose this, and when I click on that (I should not click here, I should click on this option button or radio button) then it will ask you the document version, if you want to maintain the version of this particular command that you are executing, and here is the command. So you have the complete IDE: either you can copy-paste your content or you can start typing here.

So let's do one thing: let's try to create a file with an echo command. echo, I'll say "welcome to aws systems manager", and I will write that into a file here under /tmp, and it is a sample file, I'll call it sample.txt. Okay, then let's also execute another thing, "hope this is interesting", and this time I will append to /tmp/sample.txt, the same file. Okay, and I'll scroll down, and then it will ask what directory, if you have anything; then execution time, I mean the maximum time that you can give; then which are your targets. You can specify the instance tags: so you may be having 100 servers, and out of 100 servers you want to pick only certain EC2 instances based on your instance tags; you can do that. Otherwise you can choose it manually; in our case we have only one server, so I can choose it manually as well. Otherwise you can choose a resource group; a resource group is nothing but a bundle of multiple instances grouped together for certain conditions. So in this case I will choose manually; I'll choose this. Okay, and scroll down; if there are any comments and all, you can write here. There is a timeout as well, and then there is rate control: concurrency, how many targets and all. As I said, what we are doing is only for one EC2 instance; imagine a situation where you have hundreds of EC2 instances and you want to execute this command on all the EC2 instances simultaneously, right? And this is where the rate control comes in: how many sets you want to do concurrently, and the error threshold, and so on, right? You just scroll down here: if you want to enable the output to S3, you want to capture the output, whether the command has successfully executed or not, what was the error and all, you can send it to S3. I do not want to do that. Or you can also make it CloudWatch output, so you can send a command and it will also send a log to CloudWatch stating what the output of it is, what command has been executed. So I do not want to do that. You can also go ahead and do the SNS notification; I mean, on the success or on the failure of this particular command you will get a notification using the SNS service of AWS, or email. So just Run command now, and it is in progress, and I just say refresh, and it is Success, right? So what we did: we executed a very small command on one of the servers, and the same command can be executed on hundreds of the servers as well, right? So you will get the report as well: targets one, completed one, how many errors, how many delivery timed out, okay? You will get to know all these things.

So what we will do now: we do not have SSH, right? So let's go to Session Manager and let's try to start a session there. I'll log in here, it's Start Session, I will elevate my credentials, and where did we write? We wrote it in /tmp, right? So if I say ls, there is a sample.txt; if I view this one, the two lines: "welcome to aws systems manager" and "hope this is interesting". So how long did it take? It probably took a few seconds just to execute this particular command. So it could be a larger script as well, and based on the commands that you are executing in that script, it may take whatever time is actually required, but ultimately these commands will get executed, or attempt to get executed, on all the managed instances, right? And you will get a report as well. Fine.

Ah, then we will see the compliance. So we also have an inventory here; let me just quickly show that. The inventory report may not be that attractive, you know, because we have only one instance. Otherwise, if you assume that you have hundreds of instances, just by clicking on the inventory you will get to know the different versions, the different operating systems that you have, and everything; the entire inventory about that particular EC2 instance will be visible here. So it will also show you, you know, which are the different components of AWS, how many are enabled and disabled with SSM, and then custom inventory types. Then you have top five OS versions; like, you probably have a combination of Windows, Linux, Linux 2, Ubuntu. Then it will display the number of servers as well, saying that Amazon Linux AMIs one, Ubuntu could be two servers, Windows could be 10 servers and all that. Then server roles, top five applications. So as I said, this report may not be looking as attractive now because we have only one instance, but you know, if you have more instances then obviously this particular report is very interesting and, I know, very useful to everyone. We can also have a detailed view, and, you know, you can see resource data type, what you have; you can create a resource data sync and then you can pull a lot deeper data for this particular inventory.

Then we will go to Compliance. Compliance is nothing but, it's about software patches, okay? So in terms of software patches, if you look at the compliance now, currently the compliant resources is one, so it has already installed all the packages as per the standards and it is in the compliant resources now. So let me just go back to the patch here. So this shows only the compliance report: how many of your instances are currently available for patching, how many are successful, how many are in what state. So if I just go here and if I click on this patch, see, you do not have anything; so although it's all updated, it's compliant, so it is not giving any status as such. Yeah, it's giving a detailed inventory about it. I just click on that EC2 instance ID and it's giving a description: what role it has taken, what the key pair is, and everything, as part of the inventory. And in Inventory it is showing all the different software that I have installed, on that architecture, and everything; in that case lots of details, see. And all the tags that have been assigned, and associations, patches, last updated, needed; nothing is done. Okay, so these are the different inventories that you will get from the Managed Instances.

So let me go back to Patch Manager and show you something. So in Patch Manager you have something called a patch baseline. Now what is a patch baseline? A baseline is nothing but, you want to mention that these are the set of patches and this is your baseline for all your EC2 instances, okay? And that's what you mention as part of your baselines. And if you look at it here, for different versions of Linux it has a different baseline: so Oracle Linux, Debian, Windows, Ubuntu, Amazon, Amazon 2 and all, okay? And this is the default one. So I'll just click on this Amazon EC2 one and it will show me; so there are also approvals. So let me just start from the description: so this is the baseline ID, the description, when it was created, and what the patch group's name is, and what operating system it supports. Then you have approval rules. So you do not usually apply the patches immediately as soon as they are released, and that's why you have something called the security, sorry, classification and the severity. So based on the classification and severity you will take a judgment on how soon that patch has to be rolled out, or installed on that EC2 instance. So anything that is critical and important, it waits seven days before approving. So it means even after the patch is released by the respective vendor, for example Microsoft or Linux or Amazon, you still wait for seven days before it actually applies to the EC2 instance. And anytime you can come and look into this and you will see, you know, how many patches are required to be updated; you will see that. You can also have patch exceptions, okay? Now currently this is in just a read mode, because this is created by AWS and we cannot really modify anything. But you also have an exception: for example, you can take a call saying that any kernel patches should not be updated on the EC2 instances in production, so you can take a call on that. You can also specify the patch sources, okay? So as I said, this is an AWS default-created baseline, so we will not be able to do anything here. For testing purposes, let me just go to Patch Manager and create a patch baseline ourselves.

Let's create our patch baseline. I'll Create patch baseline; I have to give a name, a description, and it asks for the operating system. Let's say I choose Amazon Linux, and then I can also make this one the default; it means all the Amazon Linux machines will see this one as your baseline for patching. Then I can keep writing the rules: I can say product, the different versions of Linux, let's choose this, okay? And severity, let's say critical, and auto approval, approve after how many days; basically, how soon it has to be updated onto the EC2 instance after the patch is generated or created by the OEMs, okay? So you can specify after so many days, after probably one day, after two days, after seven days, depending on your requirement, okay? So you specify, then classification: whether it is a CVE security patch or whether it is a bug-fix patch; you can define these rules, right? And then you can also add multiple rules; it is not just one rule, you can add multiple rules. Then patch exceptions: so these are approved patches, these are rejected patches. Rejected means exception; for example, I do not want to update any patches related to the kernel, which affect, sorry, which affects the kernel, okay? Any bug fixes, anything that is released as a patch that I do not want to approve, or I do not want to send it to the EC2 instance directly, then you can mention it in the rejected patches. Then whether you want the dependency patches to be applied or not applied; so that is what you can choose here. Then you have patch sources: you can add another patch source as well, from where it is coming, the name, which product it is coming from, how it is coming; we can add these sources, from where you are getting this package. So you have all these, you know, different configurations that you can do if you want to set your own baseline; otherwise AWS has already set a pretty standard baseline for all the operating systems that it supports, and you can use one among them, okay?

So now what I will do: I'll say Configure Patching and let's try to apply a patch, okay? So you also have: enter instance tags, or instances manually, or the patch group. I'll choose this, instances manually; now I'll choose our server. And then you have an option wherein you can choose an existing maintenance window. A maintenance window can be configured from Actions and Change, Maintenance Windows. So with a maintenance window you can specify, saying that I want to do all the patching only during the night time, during my off-peak hours, or maybe early in the morning during my off-peak, because all those windows can be specified under Actions and Change, under Maintenance Windows. Or schedule a new maintenance window; you can do that as well. Or I can skip it; skip it means you want to do it now, currently, okay? You have two options: one is scan and install, or scan only. I can only scan and check if there are any patches due for installation. Let's do only scan, and then additional settings, is there anything; I just say Configure Patching. And now what baseline does it take? It takes this Amazon Linux baseline, because the EC2 instance that we have is an Amazon Linux 1 and we do not have any other baseline; we have this as the default baseline, so it just takes it and it goes and checks the patches accordingly. And now I'll come back and click on Compliance, and you already have it compliant: so in terms of association, yes; in terms of patch, yes, it is compliant. So I can go and click on this and it will show you the overall severity; patch is compliant as on this particular date. So I do not have anything as such to be patched on this particular EC2 instance, right? This is the latest EC2 instance that we have taken. If at all we had any older EC2 instance, then probably it would have come into any of these non-compliant, and then after installing the patch it would have been in a compliant state. So this is how you manage your patching using Systems Manager, right?

So these are the different services that we are seeing, and the final one that we will look at is Distributor. So what is Distributor? Distributor is a service within Systems Manager that will help you to push a particular package to remote EC2 instances. Now there are inbuilt packages here; there are 910 inbuilt packages which are already available, and you can also create a package, like, for example, you have a software that you want to create a package out of; you can create a package. For this particular demo let's go ahead with the package that we have, called CloudWatch agent. So this is an agent that is available for cloud
watch for an additional matrix monitoring of ec2 so what we will do now first we will go and check whether we have this cloud watch um or we'll just push it you know that it is not there so we'll just push it to push it i have to say i just click on that particular package and i'll just say install one time or i can also schedule it as well right so we'll say install one time yeah and then if you look at this it takes me to a run command option so any packages that we have chosen for installation it will internally execute this run command and then it will install that package okay so it will take me to the run command i'll just specify manually that this is the agent this is the linux server on which i want to install and then i will disable the s3 and cloud what notification and i'll say run okay yeah with all these settings i just click on run and it is in progress just refresh and see take some time because it has to actually install the agent it will take some time yep there we go so it is successful yeah the status is success let's quickly go back to our session manager we already i think i have it open here yes there is one session running so let me just go back to that session manager ah there we go so i'm already in the root so let's try to check the status uh amazon cloud watch agent yes there you go it is stopped so i can start it yes it is running and if i do a status yes it is running yeah so this is how it is so this is how you actually install uh using the packages using a system so so we looked at the compliance the inventory the managed distances uh hybrid activation is basically on-premise and local aws ec2 activations uh then session manager we looked at we looked at the run command we looked at the state manager state manager uh basically gives you uh the status of different activities that you are done so you installed a package and then you did that right so it just gives that status and then patch manager we looked at the patch manager um the 
the existing baselines and the creation of the baselines and then finally we looked at the distributor as well right so these are the different services important services from systems manager there are other services as well so we will have a different video to cover the other services and yeah that's it and uh hope this video was helpful to you to understand how the systems manager work and how to install an agent and work with that so do let us know your comments and the feedback and thank you for watching this video
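The patch-baseline rules (approve by classification and severity after N days, reject anything matching `kernel*`), the scan-only run, the compliance roll-up and the Distributor install shown in the video, condensed into an added example that is not the video's own code. `BASELINE` and `RUN_COMMANDS` are written in the shape boto3's `ssm.create_patch_baseline(**BASELINE)` and `ssm.send_command(InstanceIds=[...], **RUN_COMMANDS[...])` accept, but nothing is sent to AWS: the approval rules are applied locally to a constructed patch inventory so you can see which patches a scan would report as MISSING and why the instance is non-compliant. The baseline name, package names, severities and release dates are all constructed for the example, and the `UNAPPROVED` state label is chosen here; the other state names are Patch Manager's.

```python
"""Offline emulation of the Patch Manager baseline logic from the demo.
Added example, not code from the video; names, dates and packages are made up."""
from datetime import date, timedelta
from fnmatch import fnmatch

TODAY = date(2020, 8, 7)  # fixed "now" so the output is deterministic

BASELINE = {  # shape of ssm.create_patch_baseline(**BASELINE)
    "Name": "demo-amazon-linux-baseline",  # hypothetical name
    "OperatingSystem": "AMAZON_LINUX_2",
    "ApprovalRules": {"PatchRules": [
        {   # rule 1: Critical/Important security patches, 7 days after release
            "PatchFilterGroup": {"PatchFilters": [
                {"Key": "CLASSIFICATION", "Values": ["Security"]},
                {"Key": "SEVERITY", "Values": ["Critical", "Important"]},
            ]},
            "ApproveAfterDays": 7,
            "ComplianceLevel": "CRITICAL",
        },
        {   # rule 2: bug-fix patches of any severity, 14 days after release
            "PatchFilterGroup": {"PatchFilters": [
                {"Key": "CLASSIFICATION", "Values": ["Bugfix"]},
            ]},
            "ApproveAfterDays": 14,
            "ComplianceLevel": "MEDIUM",
        },
    ]},
    "RejectedPatches": ["kernel*"],    # the "nothing that touches the kernel" exception
    "RejectedPatchesAction": "BLOCK",  # never install; installed copies get flagged
}

RUN_COMMANDS = {  # shape of ssm.send_command(InstanceIds=[...], **RUN_COMMANDS[k])
    "scan": {   # the Scan-only run from the demo; Operation=Install would remediate
        "DocumentName": "AWS-RunPatchBaseline",
        "Parameters": {"Operation": ["Scan"]},
    },
    "install_cloudwatch_agent": {   # what Distributor's "Install one time" runs
        "DocumentName": "AWS-ConfigureAWSPackage",
        "Parameters": {"action": ["Install"], "name": ["AmazonCloudWatchAgent"]},
    },
}


def _filters_match(patch, filter_group):
    """All filters in a PatchFilterGroup must match (they are ANDed)."""
    return all(patch.get(f["Key"].lower()) in f["Values"]
               for f in filter_group["PatchFilters"])


def evaluate_patch(patch, baseline=BASELINE, today=TODAY):
    """Return ("rejected", None), ("approved", level) or ("not-approved", None)."""
    if any(fnmatch(patch["name"], pat) for pat in baseline.get("RejectedPatches", [])):
        return "rejected", None
    if patch["name"] in baseline.get("ApprovedPatches", []):
        return "approved", baseline.get("ApprovedPatchesComplianceLevel", "UNSPECIFIED")
    for rule in baseline["ApprovalRules"]["PatchRules"]:
        old_enough = today - patch["released"] >= timedelta(days=rule["ApproveAfterDays"])
        if _filters_match(patch, rule["PatchFilterGroup"]) and old_enough:
            return "approved", rule["ComplianceLevel"]
    return "not-approved", None


def patch_state(patch, baseline=BASELINE, today=TODAY):
    """Per-patch state after a scan. UNAPPROVED is this example's label for an
    absent patch that no rule approves yet; the other names are Patch Manager's."""
    verdict, _ = evaluate_patch(patch, baseline, today)
    if patch["installed"]:
        if verdict == "rejected" and baseline.get("RejectedPatchesAction") == "BLOCK":
            return "INSTALLED_REJECTED"
        return "INSTALLED"
    return "MISSING" if verdict == "approved" else "UNAPPROVED"


def instance_compliance(inventory, baseline=BASELINE, today=TODAY):
    """Roll up like the Compliance view: any MISSING or INSTALLED_REJECTED
    patch makes the instance non-compliant."""
    states = {p["name"]: patch_state(p, baseline, today) for p in inventory}
    missing = sorted(n for n, s in states.items() if s == "MISSING")
    rejected = sorted(n for n, s in states.items() if s == "INSTALLED_REJECTED")
    return {"compliant": not (missing or rejected), "missing": missing,
            "installed_rejected": rejected, "states": states}


def _patch(name, classification, severity, days_ago, installed):
    return {"name": name, "classification": classification, "severity": severity,
            "released": TODAY - timedelta(days=days_ago), "installed": installed}


SAMPLE_INVENTORY = [  # constructed inventory (not real advisories), one case each
    _patch("kernel-5.10.0", "Security", "Critical", 30, False),         # rejected
    _patch("kernel-headers-5.10.0", "Security", "Critical", 30, True),  # INSTALLED_REJECTED
    _patch("openssl-1.1.1", "Security", "Critical", 10, False),         # rule 1 -> MISSING
    _patch("curl-7.76.1", "Security", "Important", 3, False),           # too new for rule 1
    _patch("bash-5.0", "Bugfix", "Low", 20, False),                     # rule 2 -> MISSING
    _patch("glibc-2.26", "Security", "Critical", 40, True),             # INSTALLED
    _patch("vim-8.2", "Enhancement", "Low", 60, False),                 # matches no rule
]

if __name__ == "__main__":
    report = instance_compliance(SAMPLE_INVENTORY)
    for name, state in report["states"].items():
        print(f"{name:25s} {state}")
    print("compliant:", report["compliant"], "| missing:", report["missing"])
```

Two things the console hides but the emulation makes visible: a rule's `ApproveAfterDays` is measured from the patch's release date, so a Critical patch released three days ago is neither MISSING nor compliant-by-omission until the window elapses, and with `RejectedPatchesAction: BLOCK` a rejected package that is already installed turns the instance non-compliant (INSTALLED_REJECTED) rather than being silently ignored.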
Info
Channel: Chaturmanas Consultants
Views: 564
Keywords: AWS, chaturmanas, aws systems manager, session manager, patch, compliance, remote command execution
Id: 4wef-xP1Dh8
Length: 47min 52sec (2872 seconds)
Published: Fri Aug 07 2020