AWS Systems Manager natively supports various Domain Specific Languages (DSLs), including Ansible, Salt States, and PowerShell DSC. It also supports security configuration platforms, including Chef InSpec.
Desired State Configuration provides the ability to maintain the state and security of your systems. Therefore, you need to be able to define what constitutes a secure system. The objective of this section is to define a policy, continuously monitor it, and ensure the system remains compliant with the desired configuration according to the policy defined. We will use AWS Systems Manager to monitor and remediate Linux and Windows instances, using common industry standard Domain Specific Languages (DSLs), Ansible and PowerShell DSC, respectively. We will first begin with Linux and Ansible, then we can move to Windows and PowerShell DSC, if needed.
The AWS Systems Manager service also supports Chef InSpec and Salt States, so those platforms can also be leveraged in the same manner to meet compliance, security, and policy requirements.
In this scenario we set up a desired state configuration for an Amazon Linux instance using Ansible. Ansible Playbooks are able to run natively on AWS Systems Manager because the service provides the runtime engine required to execute the instructions of the playbooks. The benefit of using this approach is that as a customer, you no longer need to worry about managing an Ansible Tower infrastructure.
In this first example, we will use an Ansible playbook to define a configuration and optionally remediate the configuration for non-compliance. We will also use AWS Systems Manager Session Manager, which allows us to remotely manage a system without opening inbound network ports or managing SSH keys.
To begin, we will log in to the AWS Console and provision the resources required for this hands-on lab.
In this section, we will create some resources to work with, including two EC2 instances running Amazon Linux and an S3 bucket.
dsc.yml file. Save it somewhere you can easily find it.
AWS Systems Manager has various requirements, including the SSM Agent, an IAM instance profile role, and connectivity to the Systems Manager endpoints. In this section, we will use the Quick Setup feature to set up these requirements, as well as some of the operations needed to begin using the service.
Session Manager is a fully managed AWS Systems Manager capability that lets you manage your Amazon EC2 instances, on-premises instances, and virtual machines (VMs) through an interactive one-click browser-based shell or through the AWS CLI. Session Manager provides secure and auditable instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys. Session Manager also makes it easy to comply with corporate policies that require controlled access to instances, strict security practices, and fully auditable logs with instance access details, while still providing end users with simple one-click cross-platform access to your managed instances.
In this section, we will use an Ansible Playbook to define the state of our instances based on an internal compliance policy, which is to ensure the SSH service is disabled. The idea here is to replace all SSH-based interactive access to the servers with Session Manager.
sudo pip install ansible
Contents of the ansible.yml file:
- hosts: localhost
  tasks:
    - name: stopping ssh service
      service:
        name: sshd
        state: stopped
        enabled: no
      become: yes
You can execute a series of playbooks that are zipped or stored in a directory structure on GitHub or Amazon S3, while controlling the execution velocity and responding to errors. With this capability, you can use complex playbooks to manage and enforce the desired state of your Amazon Elastic Compute Cloud (Amazon EC2) and on-premises instances. During execution of a playbook, State Manager will also automatically pre-install dependencies on instances.
To get started, choose the AWS-ApplyAnsiblePlaybooks document from State Manager or Run Command.
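The lab's playbook always remediates. As an added example that is not part of the lab, the following audit-or-remediate variant of the same sshd policy only reports non-compliance by default and enforces the policy when a `remediate` extra variable is set; the variable name is an assumption, and it would be supplied through the playbook's extra variables (for instance the ExtraVariables parameter of AWS-ApplyAnsiblePlaybooks). A failed run surfaces in State Manager as a non-compliant association, which is how the policy is continuously monitored.

```yaml
# Added example (not the lab's dsc.yml): audit by default, remediate on request.
# Assumption: "remediate" arrives as an extra variable; it defaults to false so a
# scheduled association only reports drift unless remediation is requested.
- hosts: localhost
  become: yes
  vars:
    remediate: false
  tasks:
    - name: collect service state from the init system
      service_facts:

    - name: evaluate policy (sshd must be stopped and disabled)
      set_fact:
        sshd_compliant: >-
          {{ 'sshd.service' not in ansible_facts.services
             or (ansible_facts.services['sshd.service'].state != 'running'
                 and ansible_facts.services['sshd.service'].status != 'enabled') }}

    - name: report non-compliance when remediation was not requested
      fail:
        msg: "sshd is running or enabled; policy requires it stopped and disabled"
      when: not (sshd_compliant | bool) and not (remediate | bool)

    - name: remediate by stopping and disabling sshd
      service:
        name: sshd
        state: stopped
        enabled: no
      when: not (sshd_compliant | bool) and (remediate | bool)
```

Run it locally with `ansible-playbook audit.yml -e remediate=true` to enforce, or without the variable to audit only.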
You have now configured Desired State Configuration with AWS Systems Manager and Ansible Playbooks, defined state, assigned targets, and validated successful execution. If you need support for other DSLs, the following can be used in a similar fashion, with the same usability and benefits.
End of Lab Exercises
Thank you for using this lab.