1
00:00:06,950 --> 00:00:09,050
- In this section, we're gonna look

2
00:00:09,050 --> 00:00:11,820
at the five different categories

3
00:00:11,820 --> 00:00:16,820
of features within SSM, the simple Systems Manager service.

4
00:00:18,480 --> 00:00:20,220
And then we're gonna look at an example

5
00:00:20,220 --> 00:00:22,430
within each of those categories.

6
00:00:22,430 --> 00:00:26,730
And let's start with SSM operations management.

7
00:00:26,730 --> 00:00:30,160
So the features that fall under this category

8
00:00:30,160 --> 00:00:34,313
are the Incident Manager, the SSM Explorer,

9
00:00:35,510 --> 00:00:37,850
OpsCenter which allows you to create

10
00:00:37,850 --> 00:00:42,850
tickets called OpsItems, CloudWatch dashboards,

11
00:00:43,530 --> 00:00:46,430
Trusted Advisor dashboards,

12
00:00:46,430 --> 00:00:48,980
and the Personal Health Dashboard.

13
00:00:48,980 --> 00:00:50,470
And each of these can be used

14
00:00:50,470 --> 00:00:51,870
for slightly different purposes,

15
00:00:51,870 --> 00:00:54,510
but all towards the same goal

16
00:00:54,510 --> 00:00:57,540
of managing operations within the service.

17
00:00:57,540 --> 00:01:01,773
And so let's take a look at the SSM Explorer as an example.

18
00:01:02,660 --> 00:01:05,970
The Explorer shows up as a dashboard,

19
00:01:05,970 --> 00:01:10,960
where you can create and move widgets around

20
00:01:10,960 --> 00:01:14,170
as they make sense for specific dashboards.

21
00:01:14,170 --> 00:01:15,100
And you can see here

22
00:01:15,100 --> 00:01:18,210
that we have a number of different widgets,

23
00:01:18,210 --> 00:01:23,020
like EC2 instances that are managed by us Systems Manager,

24
00:01:23,020 --> 00:01:26,300
we have those same instances organized by AMI,

25
00:01:26,300 --> 00:01:30,780
we have open OpsItems, and then we have items over time.

26
00:01:30,780 --> 00:01:34,720
And so there's different ways of utilizing these dashboards,

27
00:01:34,720 --> 00:01:37,910
including the ability to utilize filters

28
00:01:37,910 --> 00:01:39,900
so you can make your widgets more specific

29
00:01:39,900 --> 00:01:41,123
or more applicable.

30
00:01:42,110 --> 00:01:46,810
There are direct links to service and resource pages,

31
00:01:46,810 --> 00:01:49,720
so that you can pull up all of the other properties

32
00:01:49,720 --> 00:01:51,093
of those resources.

33
00:01:52,110 --> 00:01:57,110
And it also has multiple region and multi account support,

34
00:01:57,880 --> 00:02:02,520
so that you don't need to have a large number of dashboards

35
00:02:02,520 --> 00:02:04,570
that you then have to maintain access to.

36
00:02:05,570 --> 00:02:09,980
Our second category is application management.

37
00:02:09,980 --> 00:02:12,890
And this one only has a small number of features.

38
00:02:12,890 --> 00:02:16,390
We have the Application Manager, AppConfig,

39
00:02:16,390 --> 00:02:17,870
and Parameter Store.

40
00:02:17,870 --> 00:02:21,650
And let's use Parameter Store as our example.

41
00:02:21,650 --> 00:02:23,710
Parameter Store is an offering

42
00:02:23,710 --> 00:02:28,710
that allows you to store arbitrary structured

43
00:02:28,800 --> 00:02:33,090
or unstructured text and make it available

44
00:02:33,090 --> 00:02:36,690
to other resources in AWS.

45
00:02:36,690 --> 00:02:38,313
It is version controlled.

46
00:02:39,170 --> 00:02:42,910
It also supports resource-based policies

47
00:02:42,910 --> 00:02:44,103
for least privilege.

48
00:02:45,390 --> 00:02:50,390
And you can enable encryption to protect your data at rest.

49
00:02:51,290 --> 00:02:53,650
And you can even enforce encryption of data

50
00:02:53,650 --> 00:02:55,610
in transit as well.

51
00:02:55,610 --> 00:02:57,030
And one thing is kind of interesting

52
00:02:57,030 --> 00:03:00,550
about SSM Parameter Store is that you can create

53
00:03:00,550 --> 00:03:05,550
a public parameter that is available for anonymous access

54
00:03:05,960 --> 00:03:10,110
that you could even use for an application to query

55
00:03:10,110 --> 00:03:12,650
to determine whether or not an update

56
00:03:12,650 --> 00:03:15,043
is available for that application.

57
00:03:17,120 --> 00:03:20,700
Our next category is SSM change management.

58
00:03:20,700 --> 00:03:23,630
And this also has kind of a small number of features.

59
00:03:23,630 --> 00:03:28,630
We have the Change Manager, we've got SSM Automation,

60
00:03:28,840 --> 00:03:31,620
we have the Change Calendar,

61
00:03:31,620 --> 00:03:34,100
and we have Maintenance Windows.

62
00:03:34,100 --> 00:03:36,740
And so these are clearly going to be used

63
00:03:36,740 --> 00:03:41,330
in conjunction with other features of SSM,

64
00:03:41,330 --> 00:03:43,750
like Patch Manager that we're gonna talk about

65
00:03:43,750 --> 00:03:44,793
in just a minute.

66
00:03:46,640 --> 00:03:48,430
In terms of Maintenance Windows,

67
00:03:48,430 --> 00:03:52,220
you can define a schedule for tasks

68
00:03:52,220 --> 00:03:54,800
that might be considered to be disruptive.

69
00:03:54,800 --> 00:03:58,460
And then you can issue these tasks using

70
00:03:58,460 --> 00:04:00,500
SSM Run Command that we're gonna talk about

71
00:04:00,500 --> 00:04:05,240
in just a moment, SSM Automation workflows,

72
00:04:05,240 --> 00:04:10,240
Lambda functions so you can go completely outside of SSM

73
00:04:10,520 --> 00:04:13,990
or you can trigger an entire Step Functions

74
00:04:13,990 --> 00:04:15,793
workflow as well.

75
00:04:18,320 --> 00:04:20,690
Our next category is the big one.

76
00:04:20,690 --> 00:04:23,690
This is the one that has a lot of different features,

77
00:04:23,690 --> 00:04:25,210
Node Management.

78
00:04:25,210 --> 00:04:29,453
This is designed around individual OS-based resources.

79
00:04:30,860 --> 00:04:33,140
And so the features we have available here

80
00:04:33,140 --> 00:04:36,700
are Fleet Manager, Compliance,

81
00:04:36,700 --> 00:04:39,640
Inventory, Hybrid Activations.

82
00:04:39,640 --> 00:04:42,920
So when we have on-prem resources

83
00:04:42,920 --> 00:04:45,483
that have been connected into Systems Manager,

84
00:04:46,370 --> 00:04:49,698
we have the Session Manager that allows you to connect

85
00:04:49,698 --> 00:04:53,493
to OS-based resources without requiring SSH.

86
00:04:54,840 --> 00:04:59,280
We have SSM Run Command, State Manager,

87
00:04:59,280 --> 00:05:02,390
Patch Manager, and Distributor.

88
00:05:02,390 --> 00:05:06,320
And each of these fits a slightly different gap

89
00:05:06,320 --> 00:05:10,070
in the management of OS-based resources.

90
00:05:10,070 --> 00:05:12,260
But they all have something in common.

91
00:05:12,260 --> 00:05:15,560
All of these require the Systems Manager agent

92
00:05:15,560 --> 00:05:18,720
to be installed on the resource

93
00:05:18,720 --> 00:05:20,653
that you're attempting to manage.

94
00:05:22,310 --> 00:05:27,290
And so an example within this category is Patch Manager.

95
00:05:27,290 --> 00:05:30,770
And Patch Manager is going to operate

96
00:05:30,770 --> 00:05:32,860
using a specific set of prerequisites.

97
00:05:32,860 --> 00:05:35,313
Now first, you create a patch baseline.

98
00:05:36,200 --> 00:05:37,720
And you can associate this

99
00:05:37,720 --> 00:05:39,853
with one or more operating systems.

100
00:05:40,740 --> 00:05:44,190
And then you create a number of rules

101
00:05:44,190 --> 00:05:48,560
that will determine what types of patches get approved,

102
00:05:48,560 --> 00:05:49,813
and on what schedule.

103
00:05:51,690 --> 00:05:55,580
From there, you create what we call a Patch Group.

104
00:05:55,580 --> 00:06:00,580
And this is simply the value of a Patch Group tag

105
00:06:01,670 --> 00:06:04,440
that is assigned with one or more EC2 instances

106
00:06:04,440 --> 00:06:06,123
or on-prem resources.

107
00:06:07,150 --> 00:06:12,080
And then you actually tag your resources

108
00:06:12,080 --> 00:06:15,830
with a tag named Patch Group with a capital P and capital G.

109
00:06:15,830 --> 00:06:18,710
And then if the value matches

110
00:06:18,710 --> 00:06:21,090
a patch group in Patch Manager,

111
00:06:21,090 --> 00:06:24,950
then you can perform regular tasks

112
00:06:24,950 --> 00:06:27,030
that will run that patch baseline

113
00:06:27,030 --> 00:06:30,840
either to determine what patches are necessary,

114
00:06:30,840 --> 00:06:33,510
or actually install patches,

115
00:06:33,510 --> 00:06:36,513
with an optional reboot afterwards.

116
00:06:38,523 --> 00:06:42,960
Now our final category is shared resources.

117
00:06:42,960 --> 00:06:46,400
And for this one, we have SSM documents

118
00:06:46,400 --> 00:06:49,450
that we can use with operations,

119
00:06:49,450 --> 00:06:52,650
automation, and with steps and parameters.

120
00:06:52,650 --> 00:06:57,140
SSM documents is kind of a unique category

121
00:06:57,140 --> 00:07:01,023
that takes up the entirety of this shared resources section.

122
00:07:02,390 --> 00:07:05,250
So let's dig a little bit deeper into SSM documents.

123
00:07:05,250 --> 00:07:07,200
And there are different document types.

124
00:07:08,110 --> 00:07:10,600
The first of these is called a command document.

125
00:07:10,600 --> 00:07:13,220
And this can be used with a number of other features

126
00:07:13,220 --> 00:07:15,600
of Systems Manager, like Run Command,

127
00:07:15,600 --> 00:07:18,193
State Manager or for Maintenance Windows.

128
00:07:19,300 --> 00:07:21,200
We have automation runbooks,

129
00:07:21,200 --> 00:07:23,490
which can be run using the Automation feature,

130
00:07:23,490 --> 00:07:26,320
State Manager or Maintenance Windows.

131
00:07:26,320 --> 00:07:29,520
We have package documents, which are used for Distributor,

132
00:07:29,520 --> 00:07:31,140
and that's exactly what it sounds like:

133
00:07:31,140 --> 00:07:34,563
the ability to install and maintain individual packages.

134
00:07:35,822 --> 00:07:38,600
We have session documents,

135
00:07:38,600 --> 00:07:42,560
which help to define and configure the ability to utilize

136
00:07:42,560 --> 00:07:47,150
Session Manager to gain an interactive shell session

137
00:07:47,150 --> 00:07:48,000
with an instance.

138
00:07:49,830 --> 00:07:52,140
We have policy documents,

139
00:07:52,140 --> 00:07:53,580
which are used for State Manager

140
00:07:53,580 --> 00:07:57,280
to help determine if individual resources

141
00:07:57,280 --> 00:08:00,063
are in compliance with that policy.

142
00:08:01,310 --> 00:08:04,880
And we have CloudFormation templates,

143
00:08:04,880 --> 00:08:08,950
which can be applied directly using CloudFormation

144
00:08:08,950 --> 00:08:10,593
with SSM documents.

145
00:08:12,110 --> 00:08:15,630
And finally, we have a document type called

146
00:08:15,630 --> 00:08:19,750
post-incident analysis templates.

147
00:08:19,750 --> 00:08:22,040
And this is used specifically

148
00:08:22,040 --> 00:08:24,830
with the Incident Manager feature

149
00:08:24,830 --> 00:08:29,830
to help with those root cause analysis and post-mortems.