Management Tools: Systems Manager

AWS Systems Manager is a collection of features that enable IT Operations that we will explore throughout this lab.

There are set up tasks and pre-requisites that must be satisfied prior to using Systems Manager to manage your EC2 instances or on-premises systems in hybrid environments.

  • You must use a supported operating system
    • Supported operating systems include versions of Windows, Amazon Linux, Amazon Linux 2, Ubuntu Server, Debian Server, RHEL, Oracle Linux, CentOS, SLES, and Raspbian (Jessie and Stretch).
  • The SSM Agent must be installed.
    • The SSM Agent for Windows also requires PowerShell 3.0 or later to run some SSM documents.
  • Your EC2 instances must have network connectivity to Systems Manager endpoints (via the internet or VPC endpoints).
  • You must access Systems Manager in a supported region.
  • Systems Manager requires IAM roles.
    • for instances that will process commands.
    • for users executing commands.

SSM Agent is preinstalled, by default, on instances created from the following Amazon Machine Images (AMIs):

  • Windows Server 2008-2012 R2 AMIs published in November 2016 or later
  • Windows Server 2016 and 2019
  • Amazon Linux and Amazon Linux 2
  • Ubuntu Server 16.04 and Ubuntu Server 18.04
  • Amazon ECS-Optimized

With AWS Systems Manager, you pay only for what you use on priced features, as you use them. There are no minimum fees or upfront commitments. Features that are provided at no additional charge are listed on the pricing page. Limits may apply.

3.1 Setting up Systems Manager

  1. Use your administrator account to access the Systems Manager console at
  2. Choose Managed Instances from the navigation bar. If you have not satisfied the pre-requisites for Systems Manager, you will arrive at the AWS Systems Manager Managed Instances page.
    • As a user with AdministratorAccess permissions, you already have User Access to Systems Manager.
    • The Amazon Linux AMIs used to create the instances in your environment have the SSM Agent installed by default.
    • If you are in a supported region the remaining step is to configure the IAM role for instances that will process commands.
  3. Create an Instance Profile for Systems Manager managed instances:
    1. Navigate to the IAM console
    2. In the navigation pane, choose Roles, and then choose Create role.
    3. In the Select type of trusted entity section, verify that the default AWS service is selected.
    4. In the Choose a use case section, select the first reference to EC2 (EC2 Allows EC2 instances to call AWS services on your behalf).
    5. Choose Next: Permissions.
    6. In the Attach permissions policies page, search for AmazonSSMManagedInstanceCore, select the check-box, and then choose Next: Tags.
    7. Optionally add tags for the IAM role and then choose Next: Review.
    8. In the Review section, enter a Role name, such as ManagedInstancesRole.
    9. Accept the default in the Role description.
    10. Choose Create role.
  4. Apply this role to the instances you wish to manage with Systems Manager:
    1. Navigate to the EC2 Console and choose Instances.
    2. Select the first instance and then choose Actions, Instance Settings, and Attach/Replace IAM Role.
    3. Under Attach/Replace IAM Role, select ManagedInstancesRole from the drop down list and choose Apply.
    4. After you receive confirmation of success, choose Close.
    5. Repeat this process, assigning ManagedInstancesRole to each of the 3 remaining instances.
  5. Return to the Systems Manager console and choose Managed Instances from the navigation bar. Periodically choose Managed Instances until your instances begin to appear in the list. Over the next couple of minutes your instances will populate into the list as managed instances. If the instance does not register after several minutes, you can reboot the EC2 instance by selecting Actions, Instance State, Reboot, within the EC2 console.

If desired, you can use a more restrictive permission set to grant access to Systems Manager.

3.2 Create a Second CloudFormation Stack

  1. Create a second CloudFormation stack using the procedure in 2.1 with the following changes:
    • In the Specify Details section, define a Stack name, such as OELabStack2.
    • Specify the InstanceProfile using the ManagedInstancesRole you defined.
    • Define the Workload Name as Prod.

Systems Manager: Inventory

You can use AWS Systems Manager Inventory to collect operating system (OS), application, and instance metadata from your Amazon EC2 instances and your on-premises servers or virtual machines (VMs) in your hybrid environment. You can query the metadata to quickly understand which instances are running the software and configurations required by your software policy, and which instances need to be updated.

3.3 Using Systems Manager Inventory to Track Your Instances

  1. Under Instances & Nodes in the AWS Systems Manager navigation bar, choose Inventory.

    1. Scroll down in the window to the Corresponding managed instances section. Inventory currently contains only the instance data available from the EC2.
    2. Choose the InstanceID of one of your systems.
    3. Examine each of the available tabs of data under the Instance ID heading.
  2. Inventory collection must be specifically configured and the data types to be collected must be specified.

    1. Choose Inventory in the navigation bar.
    2. Choose Setup Inventory in the top right corner of the window.
  3. In the Setup Inventory screen, define targets for inventory:

    1. Under Specify targets by, select Specifying a tag.

    2. Under Tags specify Environment for the key and OELabIPM for the value.

      You can select all managed instances in this account, ensuring that all managed instances will be inventoried. You can constrain inventoried instances to those with specific tags, such as Environment or Workload. Or you can manually select specific instances for inventory.

  4. Schedule the frequency with which inventory is collected. The default and minimum period is 30 minutes. For Collect inventory data every, accept the default 30 Minute(s).

  5. Under parameters, specify what information to collect with the inventory process. Review the options and select the defaults.

  6. (Optional) If desired, you may specify an S3 bucket to receive the inventory execution logs (you will need to create a destination bucket for the logs and add a custom policy for S3 bucket access to the EC2 IAM instance profile role prior to proceeding):

    1. Check the box next to Sync inventory execution logs to an S3 bucket under the Advanced options.
    2. Provide an S3 bucket name.
    3. (Optional) Provide an S3 bucket prefix.
  7. Choose Setup Inventory at the bottom of the page (it can take up to 10 minutes to deploy a new inventory policy to an instance).

  8. To create a new inventory policy, from Inventory, choose Setup inventory.

  9. To edit an existing policy, choose State Manager in the left navigation menu, select the association, and choose Edit.

You can create multiple Inventory specifications. They will each be stored as associations within Systems Manager State Manager.