AWS re:Invent 2016: How to Manage Inventory, Patching, and System Images for Your Hybrid Cloud with...
TRANSCRIPT
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Taylor Anderson
Senior Product Manager, Amazon EC2
Amjad Hussain
Senior Manager, Amazon EC2
December 2, 2016
How to Manage Inventory, Patching, and System Images for Your Hybrid Cloud with AWS Management
Capabilities
WIN401
What to Expect from the Session
Learn how to:
• Automate AMI building and deployment
• Monitor fleet configuration and inventory
• Ensure instances are patch compliant
What we heard from customers
• Traditional IT tools not built for the cloud
• Managing resources at scale is difficult
• Lack of visibility into configuration and execution history
• Multiple vendors; complex licensing
Managing cloud and hybrid environments using traditional tools is complex and costly
Introducing Amazon EC2 Systems Manager
A set of capabilities that enable automated configuration and ongoing management of systems at scale, across all your Windows and Linux workloads, running in Amazon EC2 or on-premises
Systems Manager Capabilities
• Run Command
• Maintenance Windows
• Inventory
• State Manager
• Parameter Store
• Patch Manager
• Automation
(The slide groups these as Configuration, Administration, Update and Track, and Shared Capabilities.)
Automation
Automation – What we heard
Automation pain point: AMI building
• Triggers: patching, hardening, application bake-in
• Never-ending
• Time consuming, especially when builds fail
• Overhead of maintaining build service
Automation
Introducing Automation
• Simplified automation solution
• Perfect for AMI updates, instance deployment & config
• Pro-active event notifications
• AWS optimized (EC2 Run Command, AWS Lambda, AWS CloudTrail, IAM, and Amazon CloudWatch integrations)
Automation – Getting Started
1. Create an automation document
2. Run automation
3. Monitor your automation
Automation
Demo
Automation - Documents
Input & output parameters
• Create default values, or assign at run-time
• Parameter Store integration
• System Variables (DATE, DATE_TIME, REGION, EXECUTION_ID)
Demo examples
Document    Parameter Name    Default Value
–           sourceAMIid       “{{ssm:sourceAMI}}”
–           targetAMIname     “patchedAMI-{{global:DATE_TIME}}”
Automation - Documents
Automation Steps
• Action types:
• runInstances, changeInstanceState, createAMI
• runCommand, invokeLambdaFunction
• Flow control: retries, timeouts, continue/abort
Public Automation Documents
• AWS-UpdateWindowsAmi
• AWS-UpdateLinuxAmi
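An added example, not from the deck or from AWS, of the patch-then-bake document above expressed as Python data, plus a resolver for the two default-value placeholders from the demo table. The Parameter Store contents, the instance profile name and the DATE_TIME layout are assumptions; action names carry the aws: prefix of the public Automation schema, which the slide omits.

```python
import re

# Constructed stand-in for Parameter Store; an assumption, not a live AWS call.
PARAMETER_STORE = {"sourceAMI": "ami-0123456789abcdef0"}

def build_patch_ami_document():
    """Automation document (schemaVersion 0.3) for the patch-then-bake flow on the slides.
    Actions use the service's aws:* names; the slide lists them without the prefix."""
    return {
        "schemaVersion": "0.3",
        "assumeRole": "{{AutomationAssumeRole}}",
        "parameters": {
            "sourceAMIid": {"type": "String", "default": "{{ssm:sourceAMI}}"},
            "targetAMIname": {"type": "String", "default": "patchedAMI-{{global:DATE_TIME}}"},
            "AutomationAssumeRole": {"type": "String", "description": "Service role ARN"},
        },
        "mainSteps": [  # per-step flow control: retries (maxAttempts), timeouts, continue/abort
            {"name": "launchInstance", "action": "aws:runInstances",
             "maxAttempts": 3, "timeoutSeconds": 1200, "onFailure": "Abort",
             "inputs": {"ImageId": "{{sourceAMIid}}", "InstanceType": "t2.medium",
                        "MinInstanceCount": 1, "MaxInstanceCount": 1,
                        "IamInstanceProfileName": "AutomationInstanceProfile"}},  # assumed name
            {"name": "applyPatches", "action": "aws:runCommand",
             "maxAttempts": 2, "timeoutSeconds": 3600, "onFailure": "Abort",
             "inputs": {"DocumentName": "AWS-ApplyPatchBaseline",
                        "InstanceIds": ["{{launchInstance.InstanceIds}}"]}},
            {"name": "stopInstance", "action": "aws:changeInstanceState", "onFailure": "Continue",
             "inputs": {"InstanceIds": ["{{launchInstance.InstanceIds}}"], "DesiredState": "stopped"}},
            {"name": "createImage", "action": "aws:createImage", "maxAttempts": 3, "onFailure": "Abort",
             "inputs": {"InstanceId": "{{launchInstance.InstanceIds}}",
                        "ImageName": "{{targetAMIname}}", "NoReboot": True}},
            {"name": "terminateInstance", "action": "aws:changeInstanceState", "onFailure": "Continue",
             "inputs": {"InstanceIds": ["{{launchInstance.InstanceIds}}"], "DesiredState": "terminated"}},
        ],
    }

PLACEHOLDER = re.compile(r"\{\{(ssm|global):([A-Za-z_]+)\}\}")

def resolve_defaults(document, now, store=PARAMETER_STORE):
    """Expand {{ssm:name}} and {{global:DATE_TIME}} in parameter defaults, as Automation
    does at run time. Unknown names raise rather than pass through unexpanded."""
    def expand(match):
        kind, name = match.groups()
        if kind == "ssm":
            return store[name]                          # KeyError if the parameter is absent
        if name == "DATE_TIME":
            return now.strftime("%Y-%m-%d_%H.%M.%S")    # timestamp layout is an assumption
        raise KeyError(f"unsupported system variable {name}")
    return {p: PLACEHOLDER.sub(expand, spec["default"])
            for p, spec in document["parameters"].items() if "default" in spec}
```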
Automation – IAM Setup
1. Create a Service Role for Automation
• Permission for Automation service to operate in your account
2. Attach PassRole policy to user’s account
3. Launch instances with SSM role (AmazonEC2RoleforSSM)
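An added example (not AWS's own policy text) of steps 1 and 2 as policy documents built in Python, together with a check that the PassRole grant is not wildcarded. The account ID and role name are placeholders; the iam:PassedToService condition restricts where the role can be passed.

```python
ACCOUNT_ID = "123456789012"                # placeholder account ID (assumption)
AUTOMATION_ROLE = "AutomationServiceRole"  # assumed role name

def automation_trust_policy():
    """Step 1: trust policy on the service role so Automation (ssm.amazonaws.com) can assume it."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": "ssm.amazonaws.com"},
                           "Action": "sts:AssumeRole"}]}

def passrole_policy(role_name=AUTOMATION_ROLE, account_id=ACCOUNT_ID):
    """Step 2: PassRole for the operator, limited to this one role and to Systems Manager."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": "iam:PassRole",
                           "Resource": f"arn:aws:iam::{account_id}:role/{role_name}",
                           "Condition": {"StringEquals": {
                               "iam:PassedToService": "ssm.amazonaws.com"}}}]}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def unscoped_passrole_statements(policy):
    """Flag Allow statements that grant PassRole (directly or via iam:* / *) on every role:
    whoever holds them can hand any role in the account, admin roles included, to a service."""
    hits = []
    for stmt in policy.get("Statement", []):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        grants_passrole = actions & {"iam:passrole", "iam:*", "*"}
        if stmt.get("Effect") == "Allow" and grants_passrole and "*" in _as_list(stmt.get("Resource")):
            hits.append(stmt)
    return hits
```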
Automation – Monitoring
• Amazon CloudWatch Events
• Publish notifications to an Amazon SNS topic
• Step-level & automation-level notifications
Inventory
Inventory
What we heard:
• Accurate software inventory is critical for understanding fleet configuration and license usage
• Legacy solutions not optimized for cloud
• Self-hosting requires additional overhead
Inventory
Introducing Inventory
• End-to-end inventory collection (EC2/on-premises/Workspaces)
• Windows/Linux
• Powerful query
• Extensible inventory schema
• Integrated with AWS services
Inventory – System Diagram
• SSM Agent on EC2 Windows instances, EC2 Linux instances, and on-premises instances reports to the AWS SSM Service
• State Manager applies the EC2 Inventory SSM document to drive collection
• Collected data lands in the Inventory Store
• Consumers: EC2 Console, SSM CLI/APIs, and AWS Config (Console + CLI/APIs)
Inventory – Getting Started
1. Configure Inventory policy
2. Apply Inventory policy
3. Query inventory
Inventory
Demo
Inventory – Configuration
Create an Inventory association
1. Select instances (by instance ID or tag)
2. Select scan frequency (hours, minutes, days, NOW)
3. Select Inventory Types to gather
• Instance information
• Applications
• AWS Components
• Network configuration
• Windows Updates
• Custom Inventory
Inventory – Custom Inventory Type
Custom Inventory Collection
• Extensible: record any attribute for a given instance
• Examples: rack location, BIOS version, firewall settings
Two ways to record custom inventory types
1. Agent/on-instance: Write a cron job to record custom inventory files to a predefined path
2. API: Use PutInventory API
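An added example (not from the deck or the agent's own code) of a custom inventory type for the rack-location and BIOS-version attributes mentioned above, written both ways: as a file for the agent to pick up and as the Items payload for PutInventory. The on-disk directory layout is an assumption to confirm against your agent version; the record values are constructed.

```python
import json
import os
import re
from datetime import datetime, timezone

def custom_inventory_record(type_name, rows, schema_version="1.0"):
    """Build a custom inventory item. Type names carry the Custom: prefix and every
    attribute value is a string; both are checked here before anything is written."""
    if not re.fullmatch(r"Custom:[A-Za-z0-9_\-]+", type_name):
        raise ValueError("custom inventory TypeName must look like Custom:<Name>")
    for row in rows:
        if any(not isinstance(v, str) for v in row.values()):
            raise ValueError("inventory attribute values must be strings")
    return {"SchemaVersion": schema_version, "TypeName": type_name, "Content": list(rows)}

def write_custom_inventory(instance_id, record, base_dir="/var/lib/amazon/ssm"):
    """Option 1 (agent/on-instance): drop the JSON file where the agent looks for custom
    inventory. The directory layout below is an assumption; confirm it for your agent."""
    target_dir = os.path.join(base_dir, instance_id, "inventory", "custom")
    os.makedirs(target_dir, exist_ok=True)
    path = os.path.join(target_dir, record["TypeName"].split(":", 1)[1] + ".json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(record, fh)
    return path

def put_inventory_items(record, capture_time=None):
    """Option 2 (API): the Items payload for ssm.put_inventory in boto3. Built, not sent,
    so it runs offline; CaptureTime is ISO 8601 UTC without fractional seconds."""
    capture_time = capture_time or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return [{"TypeName": record["TypeName"], "SchemaVersion": record["SchemaVersion"],
             "CaptureTime": capture_time, "Content": record["Content"]}]

# Constructed example from the slide's list: rack location and BIOS version for one host.
RACK_INFO = custom_inventory_record("Custom:RackInfo",
                                    [{"RackLocation": "Bay1-Rack3-U12", "BIOSVersion": "2.4.1"}])
```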
Inventory Manager
Query
• Search by inventory attribute
• Partial and inverse searches
• Windows 2012 R2 instances running SQL Server 2016 where Windows Update KB112342 is not installed
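An added example, not the service's query engine, that runs the slide's query over a constructed inventory snapshot to show how partial (prefix) and inverse (not-installed) filters combine. The type and attribute names follow the AWS:* inventory types; the instance data and the KB numbers other than KB112342 are made up.

```python
# Constructed inventory snapshot: three instances, shaped like the AWS:* inventory
# types (InstanceInformation, Application, WindowsUpdate). Values are made up.
INVENTORY = {
    "i-0aaa": {"AWS:InstanceInformation": [{"PlatformName": "Microsoft Windows Server 2012 R2 Standard"}],
               "AWS:Application": [{"Name": "Microsoft SQL Server 2016 (64-bit)", "Version": "13.0.1601.5"}],
               "AWS:WindowsUpdate": [{"HotFixId": "KB112342"}, {"HotFixId": "KB3000001"}]},
    "i-0bbb": {"AWS:InstanceInformation": [{"PlatformName": "Microsoft Windows Server 2012 R2 Standard"}],
               "AWS:Application": [{"Name": "Microsoft SQL Server 2016 (64-bit)", "Version": "13.0.1601.5"}],
               "AWS:WindowsUpdate": [{"HotFixId": "KB3000001"}]},
    "i-0ccc": {"AWS:InstanceInformation": [{"PlatformName": "Amazon Linux AMI"}],
               "AWS:Application": [{"Name": "postgresql96", "Version": "9.6.1"}]},
}

def matches(entries, attr, value, mode):
    """mode 'equal': some entry has exactly value; 'begins': partial (prefix) match;
    'notequal': inverse search, i.e. no entry carries the value at all."""
    values = [e.get(attr, "") for e in entries]
    if mode == "equal":
        return value in values
    if mode == "begins":
        return any(v.startswith(value) for v in values)
    if mode == "notequal":
        return value not in values
    raise ValueError(f"unknown filter mode {mode}")

def query(inventory, filters):
    """Instance IDs satisfying every (TypeName, attribute, value, mode) filter.
    An instance with no data for a type has no entries, so 'notequal' is true there."""
    return sorted(iid for iid, types in inventory.items()
                  if all(matches(types.get(t, []), a, v, m) for t, a, v, m in filters))

# The slide's query: WS2012 R2 instances running SQL Server 2016 where KB112342 is not installed.
MISSING_KB_ON_SQL2016 = [
    ("AWS:InstanceInformation", "PlatformName", "Microsoft Windows Server 2012 R2", "begins"),
    ("AWS:Application", "Name", "Microsoft SQL Server 2016", "begins"),
    ("AWS:WindowsUpdate", "HotFixId", "KB112342", "notequal"),
]
```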
Integration with AWS Config
• Record inventory changes over time
• Use AWS Config Rules to monitor changes, notify
• Meet compliance and governance mandates
Patch Manager
Patch Manager
What we heard about patching enterprise systems:
• Time consuming, tedious, repetitive
• Existing solutions are inadequate
• Enterprise patching is manual and complex
• Errors result in downtime, compliance issues
Patch Manager
Announcing Patch Manager
• End-to-End Patching
• Easy to Automate
• Integrated with other AWS Services
• First release: Windows OS patching
Patch Manager – Getting Started
1. Create a Patch Baseline to define approved patches
2. Create a Maintenance Window to schedule patching for a set of instances
3. Maintenance Window executes patching
4. Audit results with Patch Compliance
Patch Manager - Overview
Instance A and Instance B, both tagged Patch Group:Prod
1. Patch Baseline: Critical, High; 5 days or older
2–3. Maintenance Window: Sundays @ 1AM, 2 hrs. long, task: Patching
4. Patch Compliance: 2 up to date, 0 missing updates, 1 error
Patch Manager – Patch Baseline
• Auto-approval rules for patches
• Rule criteria
• Product (WS2012 R2)
• MSRC Classification (Critical)
• Approve After (5 days)
• Approved and Rejected patches (KB2032276, KB2124261)
• Register target instances using Patch Group tags
• Example: For Patch Group:Prod instances, approve all Critical
updates for Windows Server 2012 R2 5 days after release, except for
KB2032276
Patch Manager – Maintenance Window
• Define and control when disruptive operations occur
• Schedule (2nd Tuesday of the month)
• Duration
• Target instances (tags or instance IDs)
• Tasks (Run Command)
• Patch task uses Run Command with AWS-ApplyPatchBaseline (max instances to patch at a time, error threshold)
Patch Manager – Patching your instances
• Register the instances you want to patch as targets
• Register the AWS-ApplyPatchBaseline command as a task
• Patching will happen during maintenance window
• Patch compliance data collected
Patch Manager – Patch Compliance
• Fleet-wide summary of patch status
• Dashboard shows counts of compliant and non-compliant instances
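An added example (not Patch Manager's own logic) that works the Patch Baseline slide's rule end to end: auto-approve Critical Windows Server 2012 R2 updates 5 days after release, reject KB2032276, and then roll the result up into the three Patch Compliance buckets. The patch catalogue, instance IDs and installed sets are constructed; only KB2032276 comes from the slides.

```python
from datetime import date, timedelta

# Constructed patch catalogue. KB2032276 is the one the slide rejects; the others are made up.
PATCHES = [
    {"KB": "KB2032276", "Product": "WindowsServer2012R2", "Classification": "Critical", "Released": date(2016, 11, 1)},
    {"KB": "KB3000001", "Product": "WindowsServer2012R2", "Classification": "Critical", "Released": date(2016, 11, 20)},
    {"KB": "KB3000002", "Product": "WindowsServer2012R2", "Classification": "Critical", "Released": date(2016, 12, 1)},
    {"KB": "KB3000003", "Product": "WindowsServer2012R2", "Classification": "Important", "Released": date(2016, 10, 1)},
    {"KB": "KB3000004", "Product": "WindowsServer2012", "Classification": "Critical", "Released": date(2016, 10, 1)},
]

# The slide's baseline: Critical WS2012 R2 updates, 5 days after release, except KB2032276.
PROD_BASELINE = {
    "rules": [{"Product": "WindowsServer2012R2", "Classification": "Critical", "ApproveAfterDays": 5}],
    "approved": [],             # explicit approvals (always in, unless also rejected)
    "rejected": ["KB2032276"],  # explicit rejections override every rule
}

def approved_patches(baseline, patches, today):
    """Evaluate auto-approval rules plus explicit lists for a given evaluation date.
    A patch is rule-approved once Released + ApproveAfterDays is on or before today."""
    result = set(baseline["approved"])
    for p in patches:
        for r in baseline["rules"]:
            if (p["Product"] == r["Product"] and p["Classification"] == r["Classification"]
                    and p["Released"] + timedelta(days=r["ApproveAfterDays"]) <= today):
                result.add(p["KB"])
    return sorted(result - set(baseline["rejected"]))

def patch_compliance(approved, installed_by_instance, errored=()):
    """Fleet summary in the dashboard's three buckets. An instance is up to date only when
    every approved patch is installed; instances whose patch run failed count as errors."""
    summary = {"up_to_date": 0, "missing_updates": 0, "error": 0}
    for iid, installed in installed_by_instance.items():
        if iid in errored:
            summary["error"] += 1
        elif set(approved) <= set(installed):
            summary["up_to_date"] += 1
        else:
            summary["missing_updates"] += 1
    return summary
```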
Patch Manager
Demo!
Wrapping Up
• Systems Manager available in multiple Regions
• We’d love to hear your feedback
• Join us at the booth!
Thank you!
Remember to complete your evaluations!