Embed Size (px)
Citation preview
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Taylor AndersonSenior Product Manager, Amazon EC2
Amjad HussainSenior Manager, Amazon EC2
December 2, 2016
How to Manage Inventory, Patching, and System Images for Your Hybrid Cloud with AWS Management
Capabilities
WIN401
What to Expect from the Session
Learn how to: • Automate AMI building and deployment • Monitor fleet configuration and inventory• Ensure instances are patch compliant
What we heard from customers
• Traditional IT tools not built for the cloud• Managing resources at scale is difficult• Lack of visibility into configuration and
execution history • Multiple vendors; complex licensing
Managing cloud and hybrid environments using traditional tools is complex and costly
Introducing Amazon EC2 Systems Manager
A set of capabilities that enable automated configuration and ongoing management of systems at scale, across all your Windows and Linux workloads, running in Amazon EC2 or
on-premises
Systems Manager Capabilities
Run Command Maintenance Windows
Inventory
State Manager Parameter StorePatch Manager
Automation
Configuration,Administration
Update andTrack
Shared Capabilities
Automation
Automation – What we heard
Automation pain point: AMI building• Triggers: patching, hardening, application bake-in• Never-ending• Time consuming, especially when builds fail• Overhead of maintaining build service
Automation
Introducing Automation • Simplified automation solution• Perfect for AMI updates, instance deployment & config• Pro-active event notifications • AWS optimized (EC2 Run Command, AWS Lambda, AWS
CloudTrail, IAM, and Amazon CloudWatch integrations)
Automation – Getting Started
1. Create an automation document
2. Run automation 3. Monitor your automation
Automation
Demo
Automation - Documents
Input & output parameters• Create default values, or assign at run-time• Parameter Store integration• System Variables (DATE, DATE_TIME, REGION,
EXECUTION_ID)
Demo examples
Document Parameter Name
Default Value
sourceAMIid “{{ssm:sourceAMI}}”targetAMIname “patchedAMI-{{global:DATE_TIME}}”
Automation - Documents
Automation Steps• Action types:
• runInstances, changeInstanceState, createAMI• runCommand, invokeLambdaFunction
• Flow control: retries, timeouts, continue/abort
Public Automation Documents• AWS-UpdateWindowsAmi• AWS-UpdateLinuxAmi
Automation – IAM Setup
1. Create a Service Role for Automation• Permission for Automation service to operate in your account
2. Attach PassRole policy to user’s account
3. Launch instances with SSM role (AmazonEC2RoleforSSM)
Automation – Monitoring
• Amazon CloudWatch Events• Publish notifications to an Amazon SNS topic• Step-level & automation-level notifications
Inventory
Inventory
What we heard:• Accurate software inventory is critical for understanding fleet
configuration and license usage• Legacy solutions not optimized for cloud• Self-hosting requires additional overhead
Inventory
Introducing Inventory• End-to-end inventory collection (EC2/on-premises/Workspaces)• Windows/Linux• Powerful query• Extensible inventory schema• Integrated with AWS services
Inventory – System Diagram
SSMAgent
EC2 Windows Instance
SSMAgent
EC2 Linux
Instance
SSMAgent
On-Premises Instance
AWS SSM Service
State Manager
EC2 Inventory SSM document
Inventory Store
EC2 Console, SSM CLI/APIs
AWS Config
AWS Config Console + CLI/APIs
Inventory – Getting Started
1. Configure Inventory policy
2. Apply Inventory policy
3. Query inventory
Inventory
Demo
Inventory – Configuration
Create an Inventory association1. Select instances (by instance ID or tag) 2. Select scan frequency (hours, minutes, days, NOW)3. Select Inventory Types to gather
• Instance information• Applications• AWS Components • Network configuration• Windows Updates • Custom Inventory
Inventory – Custom Inventory Type
Custom Inventory Collection• Extensible: record any attribute for a given instance• Examples: rack location, BIOS version, firewall settings
Two ways to record custom inventory types1. Agent/on-instance: Write a cron job to record custom
inventory files to a predefined path2. API: Use PutInventory API
Inventory Manager
Query• Search by inventory attribute• Partial and inverse searches• Windows 2012 r2 instances running SQL Server 2016 where
Windows Update KB112342 is not installed
Integration with AWS Config• Record inventory changes over time • Use AWS Config Rules to monitor changes, notify• Meet compliance and governance mandates
Patch Manager
Patch Manager
What we heard about patching enterprise systems:• Time consuming, tedious, repetitive• Existing solutions are inadequate• Enterprise patching is manual and complex• Errors result in downtime, compliance issues
Patch Manager
Announcing Patch Manager• End-to-End Patching• Easy to Automate• Integrated with other AWS Services• First release: Windows OS patching
Patch Manager – Getting Started
1. Create a Patch Baseline to define approved patches
3. Maintenance Window executes patching
4. Audit results with Patch Compliance
2. Create a Maintenance Window to schedule patching for a set of instances
Patch Manager - Overview
Prod Environment
Instance A
Patch Group:Prod
Patch Baseline
- Critical, High- 5 days or older
1
Maintenance Window
- Sundays @ 1AM- 2 hrs. long- Task: Patching
2 3
Patch Compliance
2up to date
0missingupdates
1error
4
Instance B
Patch Group:Prod Patch Group:Prod
Patch Manager – Patch Baseline
• Auto-approval rules for patches• Rule criteria
• Product (WS2012 R2)• MSRC Classification (Critical) • Approve After (5 days)
• Approved and Rejected patches (KB2032276, KB2124261)• Register target instances using Patch Group tags
• Example: For Patch Group:Prod instances, approve all Critical updates for Windows Server 2012 R2 5 days after release, except for KB2032276
• Patch Baseline• Maintenance Windows & Patching• Patch Compliance
Patch Manager – Maintenance Window
• Define and control when disruptive operations occur • Schedule (2nd Tuesday of the month)• Duration• Target instances (tags or instance IDs)• Tasks (Run Command)
Patch task uses Run Command with AWS-ApplyPatchBaselinemax instances to patch at a time, error threshold
Patch Manager – Patching your instances
• Register the instances you want to patch as targets • Register the AWS-ApplyPatchBaseline command as a
task• Patching will happen during maintenance window• Patch compliance data collected
Patch Manager – Patch Compliance
• Fleet-wide summary of patch status• Dashboard shows counts of compliant and non-compliant
instances
Patch Manager
Demo!
Wrapping Up
• Systems Manager available in multiple Regions• We’d love to hear your feedback• Join us at the booth!
Thank you!
Remember to complete your evaluations!
