Configuration Management

AWS Systems Manager support for Configuration Management

AWS Systems Manager natively supports various Domain Specific Languages (DSLs), including Ansible, Salt States, and PowerShell DSC. It also supports a security configuration platform, Chef InSpec.

Desired State Configuration provides the ability to maintain the state and security of your systems. Therefore, you need to be able to define what constitutes a secure system. The objective of this section is to define a policy, continuously monitor it, and ensure the system remains compliant with the desired configuration according to that policy. We will use AWS Systems Manager to monitor and remediate Linux and Windows instances, using two common industry-standard DSLs, Ansible and PowerShell DSC, respectively. We will first begin with Linux and Ansible, then move to Windows and PowerShell DSC, if needed.

The AWS Systems Manager service also supports Chef InSpec and Salt States, so those platforms can be leveraged in the same manner to meet compliance, security, and policy requirements.


In this scenario we set up a desired state configuration for an Amazon Linux instance using Ansible. Ansible Playbooks run under AWS Systems Manager because the AWS-RunAnsiblePlaybook document invokes the Ansible runtime on the managed instance itself, driven by the SSM Agent; no separate control node is needed. The benefit of this approach is that, as a customer, you no longer need to manage an Ansible Tower infrastructure.

Executing Ansible Playbooks - Linux

In this first example, we will use an Ansible playbook to define a configuration and optionally remediate non-compliance. We will also use AWS Systems Manager Session Manager, which allows us to manage a system remotely without opening inbound ports or managing SSH keys.

6.1 Getting Started

To begin, we will login to the AWS Console and provision resources required for this hands-on lab.

  1. Go to the Event Engine Dashboard.
  2. When prompted, enter your 12 digit hash.
  3. Once authenticated, click on the AWS Console link.
  4. When prompted, click on the Open AWS Console link.
  5. Ensure you are using the US West (Oregon) us-west-2 Region.

6.2 Launching Resources

In this section, we will create some resources to work with, including 2 EC2 instances running Amazon Linux and an S3 bucket.

  1. Open a new browser window and download the CloudFormation template dsc.yml. Save it somewhere you can easily find it.
  2. Then, go to the CloudFormation Console.
  3. Click on the Create Stack link.
  4. Select the Upload a template file and upload the dsc.yml file. Click Next.
  5. Enter DSC as the Stack Name and Click Next.
  6. On the next window, click Next.
  7. Click Create Stack.

6.3 Setting up AWS Systems Manager

AWS Systems Manager has various requirements, including the SSM Agent, creating an IAM Instance Profile Role, and connectivity to the Systems Manager endpoints. In this section, we will use the Quick Setup feature to set up the requirements, as well as some of the operations needed to begin using the service.

  1. To begin, we’ll go to Quick Setup.
  2. Select all the default settings and click on the Setup Systems Manager link.

6.4 Preparing the EC2 Instances

Session Manager is a fully managed AWS Systems Manager capability that lets you manage your Amazon EC2 instances, on-premises instances, and virtual machines (VMs) through an interactive one-click browser-based shell or through the AWS CLI. Session Manager provides secure and auditable instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys. Session Manager also makes it easy to comply with corporate policies that require controlled access to instances, strict security practices, and fully auditable logs with instance access details, while still providing end users with simple one-click cross-platform access to your managed instances.

In this section, we will use an Ansible Playbook to define the state of our instances based on an internal compliance policy, which is to ensure the SSH service is disabled. The idea here is to replace all SSH-based interactive access to the servers with Session Manager.

  1. Go to Session Manager, where we will install the Ansible components that keep our systems compliant with our policy. Doing this over a session also demonstrates how Session Manager works.
  2. Then, we will click on the Start session button to connect to the EC2 instance we just created.
  3. From the Start a session page, click on the EC2 instance we just created, with the name dsc-linux-prod, and click on the Start Session button.
  4. Once a new tab is open and the session with the EC2 instance has been established, run the following command to install Ansible.
    sudo pip install ansible

6.5 Disabling SSH at scale

  1. Once all components are installed, we will go to State Manager.
  2. From that page, we will click on the Create association button.
  3. In the Name field, we will type AnsibleDisableSSH.
  4. In the Document section, we will select the AWS-RunAnsiblePlaybook document.
  5. In the Parameters section, enter the URL of the playbook in the Playbookurl field. The playbook used in this example stops and disables the sshd service, which is the desired configuration in this scenario. Copy and paste the location of the .yml definition file:
  6. In the Targets section, we will enter dsc-linux-prod as the target.
  7. Leave the defaults in the Specify schedule section. Note: Although the association runs every 30 minutes, any new instance matching the target will have the desired state from the Ansible playbook applied within a few minutes.
  8. In the Advanced options setting, select Critical for the Compliance severity. This will help us easily identify any EC2 instances that are not within our compliance requirements in the Compliance capability of Systems Manager.
  9. All other settings can be left default. Click on the Create Association button.
  10. Once the State Manager association is created, we will check whether our EC2 instance is within compliance or not. To do this, we will go to Compliance within the Systems Manager Console.
  11. Once there, we will focus on the Compliance resources summary. Because the association reports a compliance status for every target it runs on, any instance on which the playbook failed to apply appears here as non-compliant.
  12. Ignore the other associations shown; in this case we only care about the Critical compliance alert we configured in the previous steps.
  13. In the Compliance dashboard, we can see that the instance we created is compliant and there are no non-compliant Critical resources. If you click on Compliant resources, we can see our instance is Compliant with the overall severity of Critical.
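The same association, created and checked with the AWS CLI instead of the console, as an added example that is not part of the lab. It assumes the AWS CLI is configured for the lab account in us-west-2, that the instance carries a Name tag of dsc-linux-prod (the page targets it by that name), and that PLAYBOOK_URL is replaced with the playbook location you pasted in step 5; the URL in the script is a placeholder.

```shell
#!/bin/sh
# Added example, not from the lab: the State Manager steps of section 6.5 done with the
# AWS CLI. Assumptions (not given on the page): the playbook URL below is a placeholder,
# the target is selected by its Name tag, and the region is us-west-2 as in section 6.1.
set -eu

REGION="${AWS_REGION:-us-west-2}"
ASSOC_NAME="AnsibleDisableSSH"
TARGET_NAME="dsc-linux-prod"
PLAYBOOK_URL="${PLAYBOOK_URL:-https://example.invalid/ansible.yml}"   # placeholder URL

# Steps 2-9: create the association. check=False lets Ansible remediate rather than only
# report; set check=True for a dry run. Prints the new association ID.
create_association() {
  aws ssm create-association \
    --region "$REGION" \
    --association-name "$ASSOC_NAME" \
    --name AWS-RunAnsiblePlaybook \
    --targets "Key=tag:Name,Values=$TARGET_NAME" \
    --parameters "playbookurl=$PLAYBOOK_URL,check=False" \
    --schedule-expression "rate(30 minutes)" \
    --compliance-severity CRITICAL \
    --query 'AssociationDescription.AssociationId' \
    --output text
}

# Steps 10-13: pull association compliance items, one row per item:
# "<instance-id> <COMPLIANT|NON_COMPLIANT> <severity> <association-id>" (tab separated).
list_association_compliance() {
  aws ssm list-compliance-items \
    --region "$REGION" \
    --filters "Key=ComplianceType,Values=Association" \
    --query 'ComplianceItems[].[ResourceId,Status,Severity,Id]' \
    --output text
}

# Pure filter over that output: print the instance IDs that are NON_COMPLIANT at CRITICAL
# severity, i.e. exactly the rows the console dashboard in step 13 highlights.
noncompliant_critical() {
  awk '$2 == "NON_COMPLIANT" && $3 == "CRITICAL" { print $1 }'
}

# Run end to end only when explicitly requested, so sourcing this file has no side effects.
if [ "${RUN_DSC_LAB:-0}" = "1" ]; then
  echo "association: $(create_association)"
  bad=$(list_association_compliance | noncompliant_critical)
  if [ -n "$bad" ]; then
    echo "NON_COMPLIANT (CRITICAL):"
    echo "$bad"
    exit 1
  fi
  echo "all targets compliant"
fi
```

Run it with RUN_DSC_LAB=1 after exporting PLAYBOOK_URL. A non-zero exit from the script means at least one target is out of policy, which makes it easy to wire into a pipeline or a scheduled job instead of reading the dashboard by hand.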

Contents of the ansible.yml file (the play runs against localhost with privilege escalation, and a single service task stops sshd and prevents it from starting at boot):

    - hosts: localhost
      become: yes
      tasks:
        - name: stopping ssh service
          service:
            name: sshd
            state: stopped
            enabled: no
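An added example, not part of the lab, that checks the same policy locally on the instance, for example from a Session Manager shell or as a follow-up task. The playbook only asserts the state of the sshd unit; this script also confirms that nothing else is listening on TCP/22, which is what the policy actually cares about. It assumes a systemd-based Amazon Linux 2 host with iproute2 (ss) installed.

```shell
#!/bin/sh
# Added example, not from the lab: verify on the instance that the policy enforced by the
# playbook above holds. Assumes systemd (systemctl) and iproute2 (ss), as on Amazon Linux 2.
set -eu

SSH_PORT=22

# The sshd unit must not be running.
sshd_running() { systemctl is-active --quiet sshd; }

# The sshd unit must not start again on boot.
sshd_enabled_at_boot() {
  state=$(systemctl is-enabled sshd 2>/dev/null || true)
  [ "$state" = "enabled" ]
}

# The unit state alone does not prove the port is closed: a second sshd binary or a
# non-systemd daemon may still be bound to 22, so check the listening sockets too.
# Matches "0.0.0.0:22", "[::]:22" and "*:22" but not ":2222".
port_listening() {
  ss -ltn | awk -v p="$1" '$4 ~ (":" p "$") { found = 1 } END { exit !found }'
}

# Print one line per finding, then COMPLIANT or NON_COMPLIANT; exit status 0 only when
# the host meets the policy, so the script can be used directly as a check.
evaluate_policy() {
  rc=0
  if sshd_running; then echo "sshd service is running"; rc=1; fi
  if sshd_enabled_at_boot; then echo "sshd service is enabled at boot"; rc=1; fi
  if port_listening "$SSH_PORT"; then echo "a process is listening on TCP/$SSH_PORT"; rc=1; fi
  if [ "$rc" -eq 0 ]; then echo "COMPLIANT"; else echo "NON_COMPLIANT"; fi
  return "$rc"
}

# Run only when explicitly requested, so sourcing this file has no side effects.
if [ "${RUN_DSC_CHECK:-0}" = "1" ]; then
  evaluate_policy
fi
```

Run it with RUN_DSC_CHECK=1. Because the check is independent of Ansible, it can also confirm that the State Manager association really converged on a host that the Compliance dashboard reports as compliant.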

6.6 Execute complex Ansible playbooks

You can execute a series of playbooks that are zipped or stored in a directory structure on GitHub or Amazon S3, while controlling the execution rate and responding to errors. With this capability, you can use complex playbooks to manage and enforce the desired state of your Amazon Elastic Compute Cloud (Amazon EC2) and on-premises instances. During execution of a playbook, State Manager will also automatically pre-install dependencies on instances.

To get started, choose the AWS-ApplyAnsiblePlaybooks document from State Manager or Run Command.

6.7 Conclusion and Optional Content

You have now configured Desired State Configuration with AWS Systems Manager and Ansible Playbooks, defined the desired state, assigned targets, and validated successful execution. If you need support for other DSLs, the ones named above (PowerShell DSC, Chef InSpec, and Salt States) can be used in a similar fashion, with the same usability and benefits.

End of Lab Exercises

Thank you for using this lab.