AWS Systems Manager Overview
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
AWS Systems Manager: A Comprehensive Guide to Operational Excellence
In the modern era of cloud computing, managing infrastructure at scale is one of the most significant challenges engineering teams face. As your environment grows from a handful of virtual machines to hundreds or thousands of distributed resources, manual configuration, patching, and troubleshooting become unsustainable. AWS Systems Manager (SSM) serves as the centralized control plane that allows you to manage these resources effectively. By providing a unified interface to view operational data and automate tasks, SSM helps you maintain stability and security across your entire AWS footprint.
Understanding Systems Manager is critical because it shifts the paradigm from "snowflake" servers—where each instance is manually configured and unique—to a model of automated, repeatable configuration management. Without a tool like SSM, you are likely relying on fragmented scripts, manual SSH sessions, and inconsistent documentation. This lesson will dive deep into the architecture, core capabilities, and practical implementation of AWS Systems Manager, providing you with the knowledge to bring order to your infrastructure.
What is AWS Systems Manager?
At its core, AWS Systems Manager is a collection of capabilities that allows you to gain visibility into your AWS resources and control them through a single management interface. Instead of logging into individual instances to run commands, you use SSM to send instructions to groups of instances based on tags or resource groups. It works across EC2 instances, on-premises servers, virtual machines in other clouds, and even IoT devices.
The value proposition of SSM lies in its ability to decouple the management layer from the underlying infrastructure. By installing the SSM Agent on your machines, you create a secure, authenticated bridge between your environment and the AWS API. This agent handles the execution of commands, the collection of inventory data, and the orchestration of complex workflows, all without requiring open inbound ports like SSH or RDP.
Callout: The SSM Agent - Your Infrastructure's Agent The SSM Agent is the software component that makes Systems Manager possible. It runs on your instances and communicates with the AWS Systems Manager service via HTTPS. Because the agent initiates the connection outbound, you do not need to open inbound ports in your security groups. This design significantly improves the security posture of your network, as you can completely disable SSH access to your production fleet.
Core Capabilities of Systems Manager
Systems Manager is not a single tool; it is a suite of integrated services. To master SSM, you must understand the primary components that make up the platform. We will focus on the most impactful features that provide the highest return on investment for operations teams.
1. Run Command
Run Command is perhaps the most widely used feature in the suite. It allows you to execute scripts or commands on one or many instances simultaneously. You can use predefined documents provided by AWS (like installing an agent or clearing logs) or create your own custom documents.
2. State Manager
State Manager is the engine of configuration management in SSM. It allows you to define the desired state of your instances—for example, ensuring that a specific package is installed, a configuration file has a certain value, or a service is running. State Manager continuously checks the configuration and automatically applies the necessary changes if a drift is detected.
3. Patch Manager
Patch Manager automates the process of patching managed instances with both security-related and other types of updates. It supports both OS-level patching and application-level updates. You can define "patch baselines" that determine which patches are approved and when they should be applied, ensuring your fleet remains compliant with security policies.
4. Inventory
The Inventory feature collects metadata from your managed instances. This includes information about installed applications, network configurations, dependent services, and custom metadata. This data is stored centrally, allowing you to query your entire fleet to answer questions like "Which instances have version 2.1 of Apache installed?"
5. Automation
Automation is a workflow engine that allows you to build multi-step processes. You can use it to perform complex operations, such as creating an Amazon Machine Image (AMI), rotating credentials, or restarting a cluster of instances in a specific order. Automation documents can be triggered manually, by a schedule, or by an event.
Getting Started: Setting Up Your Environment
Before you can use Systems Manager, you must ensure that your instances are properly configured to communicate with the service. This involves two main requirements: the SSM Agent and an IAM Instance Profile.
Step-by-Step: Preparing an EC2 Instance
- IAM Role Configuration: Create an IAM role that includes the
AmazonSSMManagedInstanceCoremanaged policy. This policy provides the necessary permissions for the SSM Agent to communicate with the AWS Systems Manager service. - Attach the Role: Attach this IAM role to your EC2 instance. Without this, the agent will not be able to authenticate with the service, and the instance will show as "Offline" or "Not Managed" in the console.
- Install the Agent: Most modern AWS-provided AMIs (like Amazon Linux 2023 or Ubuntu) come with the SSM Agent pre-installed. If you are using a custom or older image, you will need to install the agent manually.
- Verify Connectivity: Once the instance is running, navigate to the AWS Systems Manager console and open "Fleet Manager." You should see your instance listed there.
Note: Always use the latest version of the SSM Agent. AWS frequently releases updates that include performance improvements and security patches. You can automate the update process by using a State Manager association to ensure the agent is always up-to-date.
Deep Dive: Mastering Run Command
Run Command is your primary tool for day-to-day operations. It replaces the need for "jump boxes" or bastion hosts. Instead of SSHing into five different servers to check a log file, you can run a single command across all of them at once.
Example: Running a Shell Script
Suppose you need to check the disk space on all your web servers. Rather than logging into each one, you can use the AWS-RunShellScript document.
The CLI approach:
aws ssm send-command \
--document-name "AWS-RunShellScript" \
--targets "Key=tag:Role,Values=WebServer" \
--parameters 'commands=["df -h"]' \
--output-s3-bucket-name "my-logs-bucket"
In this command:
--document-namespecifies the task type.--targetsuses tags to select the instances. This is a best practice—never target by instance ID directly if you can avoid it, as tags allow your automation to scale as your fleet grows.--parameterscontains the actual script to execute.--output-s3-bucket-nameis optional but highly recommended; it saves the stdout and stderr of the command to S3 for later auditing.
Best Practices for Run Command
- Use IAM Policies: Restrict who can execute commands and which documents they can use. Use the
ssm:SendCommandaction with resource-level permissions. - Enable Logging: Always send output to S3 or CloudWatch Logs. This is essential for auditing and troubleshooting failed executions.
- Use Tags: Group your instances logically. Tags like
Environment:ProductionorDepartment:Financemake targeting much safer and more predictable.
Advanced Configuration with State Manager
State Manager is the "declarative" part of AWS Systems Manager. While Run Command is imperative (do this now), State Manager is declarative (ensure this is always true).
Use Case: Ensuring Nginx is Always Running
You can create an association in State Manager that targets your web servers and ensures the Nginx service is running. If someone manually stops the service, State Manager will detect the mismatch and restart it automatically based on your defined frequency (e.g., every 30 minutes).
Creating a State Manager Association:
- Navigate to State Manager in the SSM console.
- Select "Create association."
- Choose the
AWS-ApplyAnsiblePlaybooksorAWS-RunShellScriptdocument. - Define the parameters (e.g.,
systemctl start nginx). - Set the schedule (e.g.,
rate(30 minutes)). - Apply to targets filtered by your tags.
Warning: Be cautious when using State Manager to manage critical system configurations. If you define an association that overwrites a configuration file, it will do so every time it runs. Ensure your scripts are idempotent—meaning they check if the state is already correct before attempting to change it, to avoid unnecessary service restarts.
Patching at Scale with Patch Manager
Patching is often a source of anxiety for system administrators. Patch Manager removes the manual labor by orchestrating the process across your fleet. It works by defining "Patch Baselines."
How Patch Baselines Work
A Patch Baseline defines which patches are approved for installation. You can create a baseline that automatically approves all security patches after a 7-day delay. This gives you a "buffer" period to ensure that a new patch doesn't break your applications.
- Patch Groups: You can associate instances with a "Patch Group" tag. This allows you to patch your "Development" instances on Tuesday and your "Production" instances on Thursday, preventing a bad patch from taking down your entire environment at once.
- Maintenance Windows: Combine Patch Manager with Maintenance Windows to ensure that patching only occurs during off-peak hours.
| Feature | Run Command | State Manager | Patch Manager |
|---|---|---|---|
| Purpose | Ad-hoc tasks | Configuration enforcement | Automated updates |
| Logic | Imperative | Declarative | Policy-based |
| Execution | Manual / Triggered | Scheduled / Continuous | Scheduled |
Security and Compliance Best Practices
When managing infrastructure, security must be the foundation. Systems Manager offers several features to help you maintain a secure environment.
1. Principle of Least Privilege
Do not grant ssm:* permissions to your users or CI/CD pipelines. Create granular IAM policies that restrict access to specific documents or specific instance tags. For example, a developer should be able to run diagnostic scripts but not change critical system configurations.
2. Audit Trails with CloudTrail
Every action taken via Systems Manager is logged in AWS CloudTrail. This is a powerful feature for compliance. If a server is changed, you can look at the CloudTrail logs to see exactly who executed the command, what the command was, and when it happened.
3. Session Manager
Session Manager is a feature within Systems Manager that allows you to open a shell session to an instance through the browser or the AWS CLI. It replaces the need for SSH keys. Because the session is managed by AWS, you can log every keystroke to an S3 bucket or CloudWatch Logs, providing a full audit trail of what was done on the server.
Callout: Session Manager vs. SSH Traditional SSH requires managing private keys, opening port 22, and maintaining a bastion host. Session Manager requires no keys, no open inbound ports, and integrates directly with IAM for authentication. It is the industry-standard way to access instances securely in AWS.
Common Pitfalls and How to Avoid Them
Even with a powerful tool like SSM, there are common mistakes that can lead to operational headaches.
Over-relying on "Run Once" Scripts
Many engineers start by using Run Command for everything. While it is easy to use, it is not reproducible. If you need to rebuild a server, you have to remember every command you ever ran against it. Use State Manager for core configurations and keep those configurations in version control (like a Git repository).
Neglecting the SSM Agent
If you don't monitor the status of the SSM Agent, you might assume your patches are being applied when, in fact, the agent has crashed or stopped communicating. Always set up an Amazon EventBridge rule to alert you if an instance loses connectivity to Systems Manager for an extended period.
Ignoring Idempotency
When writing custom scripts for SSM, always write them to be idempotent. A script should check if an action has already been performed before running again. For instance, instead of mkdir /var/log/myapp, use mkdir -p /var/log/myapp. This prevents errors if the script runs multiple times.
Not Using Tags Effectively
If you manage your fleet by instance ID, you will eventually make a mistake. Instance IDs are ephemeral and hard to remember. Always use tags for targeting. If your instance is tagged App:Database, your automation should target Key=App,Value=Database.
Integrating SSM into the CI/CD Pipeline
Systems Manager is not just for manual operations; it is a critical component of automated pipelines. You can trigger SSM documents from your CI/CD tools (like Jenkins, GitHub Actions, or AWS CodePipeline).
Example: Automated Deployment Workflow
- Build: Your CI/CD pipeline builds your application and pushes an artifact to S3.
- Deploy: The pipeline triggers an SSM Automation document.
- Execute: The Automation document uses Run Command to download the artifact from S3, stop the application service, replace the files, and restart the service.
- Verify: The Automation document runs a health check command. If the check fails, it can automatically roll back to the previous version.
This workflow turns your deployment process into a reliable, repeatable sequence of events that doesn't require human intervention.
Advanced Feature: Parameter Store
While not always grouped directly with automation, the Parameter Store is a vital part of the Systems Manager suite. It provides a centralized, hierarchical store for configuration data and secrets.
Why use Parameter Store?
- Centralization: Store database connection strings, API keys, and feature flags in one place.
- Security: Integrate with AWS KMS (Key Management Service) to encrypt sensitive data at rest.
- Dynamic Configuration: Applications can query the Parameter Store at runtime to get their configuration, allowing you to change settings without redeploying your code.
Example: Storing a Secret
aws ssm put-parameter \
--name "/production/db/password" \
--value "SuperSecretPassword123" \
--type "SecureString" \
--key-id "alias/my-kms-key"
By referencing /production/db/password in your application, you keep the actual secret out of your source code, significantly reducing the risk of accidental exposure.
Step-by-Step: Creating a Custom Automation Document
Automation documents are written in JSON or YAML. They define a series of steps that the SSM service executes.
Scenario: Creating an AMI for Backup
- Define the Document: Create a YAML file that specifies the
AWS-CreateImageaction. - Upload: Upload the document to SSM.
- Execute: Run the document against your target instance.
Example YAML Structure:
description: "Create an AMI of an instance"
schemaVersion: "0.3"
mainSteps:
- action: "aws:createImage"
name: "createImage"
inputs:
InstanceId: "{{ InstanceId }}"
ImageName: "Backup-{{ InstanceId }}-{{ global:DATE_TIME }}"
NoReboot: true
This simple document, when executed, will create a snapshot of your instance's EBS volumes and register it as an AMI. You can then schedule this document to run daily using a Maintenance Window, providing a simple, automated backup strategy.
Troubleshooting Connectivity Issues
When an instance shows as "Offline" in the Systems Manager console, follow this checklist to resolve the issue:
- Check the SSM Agent Logs: On Linux, check
/var/log/amazon/ssm/amazon-ssm-agent.log. On Windows, checkC:\ProgramData\Amazon\SSM\Logs\. These logs will tell you exactly why the agent cannot talk to the AWS API. - Verify IAM Permissions: Ensure the instance profile has the
AmazonSSMManagedInstanceCorepolicy. - Check Network Path: The SSM Agent needs to reach the SSM endpoints (
ssm.region.amazonaws.com,ssmmessages.region.amazonaws.com, etc.). If your instance is in a private subnet, ensure you have a VPC Endpoint for SSM configured. - Check Proxy Settings: If your instances require a proxy to reach the internet, you must configure the SSM Agent to use that proxy. This is done in the
amazon-ssm-agent.jsonconfiguration file.
The Role of Maintenance Windows
Maintenance Windows allow you to define a recurring schedule for disruptive tasks. Instead of running patches or updates whenever you feel like it, you can define a window (e.g., Sunday from 2 AM to 4 AM) during which SSM is permitted to perform tasks.
- Registration: Register your targets (instances) with the Maintenance Window.
- Tasks: Add tasks (like Patch Manager or Run Command) to the window.
- Concurrency: Control how many instances are updated at once. For example, you can set a concurrency of 20%, meaning only 20% of your fleet is updated at any given time, ensuring high availability during the maintenance window.
Frequently Asked Questions
Q: Is Systems Manager free? A: Many features of Systems Manager (like Run Command, State Manager, and Patch Manager) are free for EC2 instances. However, you are charged for features like Parameter Store (beyond the free tier), Inventory (if you store data in S3), and some advanced Automation tasks. Always check the current AWS pricing page.
Q: Can I use SSM for on-premises servers? A: Yes. By installing the SSM Agent on your local servers and creating an "Activation," you can manage hybrid environments. This allows you to treat your data center servers with the same operational rigor as your cloud instances.
Q: What happens if the SSM Agent fails during a command? A: Systems Manager will report the failure in the command console. You can view the output of the command to diagnose the error. Because SSM tracks the state of each command execution, you can easily identify which instances failed and retry the command only on those specific instances.
Q: Do I need to open port 443 in my security groups? A: No, you do not need to open inbound port 443. The SSM Agent initiates an outbound connection to the AWS service endpoints. As long as your instance can reach the internet (or a VPC Endpoint) via HTTPS, the service will function.
Key Takeaways
As we conclude this deep dive into AWS Systems Manager, here are the essential points to remember:
- Centralized Control: Systems Manager provides a single, unified interface for managing infrastructure, eliminating the need for fragmented scripts and manual access methods.
- Security First: By leveraging the SSM Agent and Session Manager, you can eliminate the need for SSH and RDP, significantly reducing the attack surface of your infrastructure.
- Declarative Management: Use State Manager to define the desired configuration of your fleet and rely on the service to automatically maintain that state, reducing configuration drift.
- Operational Scale: Always use tags to target your instances. This ensures that your automation remains robust as your environment grows from a few instances to a massive fleet.
- Automation as Code: Treat your SSM documents and configurations as code. Keep them in version control and use CI/CD pipelines to deploy changes, ensuring consistency and auditability.
- Idempotency Matters: When writing custom scripts, ensure they are idempotent so they can be run repeatedly without causing side effects or errors.
- Visibility: Use Inventory and CloudTrail to maintain a clear picture of your environment, which is vital for both troubleshooting and meeting security compliance requirements.
By adopting these practices, you transform your infrastructure from a collection of hard-to-manage servers into a cohesive, automated system. AWS Systems Manager is not just a tool; it is the foundation of operational excellence in the cloud. Start small by automating a single patching task, and gradually expand your usage to cover more complex configuration management and orchestration scenarios.
Continue the course
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons