Get notifications of new important Windows updates using AWS Simple Systems Manager - Sun, Jan 29, 2017
Simple Systems Manager (SSM) in AWS is one of the new tools for the big enterprises moving into the cloud. Larger enterprises usually do not have the luxury of only having cloud native applications, and many larger enterprise applications cannot be continuously deployed in a cloud-like fashion.
To solve this, we have AWS SSM. With SSM you install a client on your lift-and-shift environment, which then makes it possible to run scripts from within the AWS management interface or from the command line. You can target groups of instances with such a script, which means that mass control of your infrastructure suddenly becomes much simpler.
If you already use Chef, Puppet, Ansible or some other configuration management system, then this is of course a non-issue.
AWS SSM currently has these services:
- Run command: run one-off scripts on your instances
- State Manager: keep your instances in a defined state
- Automations: automate build workflows, such as creation of a baseline Windows AMI with the correct updates
- Patch Baselines: make sure your instances are patched to a defined degree
- Managed instances: lists instances with the SSM client installed
- Activations: use SSM on-prem
- Documents: scripts to run on your instances. See http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/create-ssm-doc.html
- Maintenance Windows: define recurring runs of tasks
- Parameter Store: a place to store sensitive data and variables
- Patches: lists current Windows patches
To get an email of the available updates, we’ll be using Maintenance Windows to run a task which looks for new important Windows updates and sends the results to us using S3 + Lambda + SNS.
Prerequisites
- Make sure that your instances have the SSM prerequisites met: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/systems-manager-prereqs.html
- Create a new IAM Role for Maintenance Windows and attach the “AmazonSSMMaintenanceWindowRole” policy to it. Ensure that the Trust Relationship is updated with “Service”: “ssm.amazonaws.com” to allow access to the SSM endpoint. See: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_modify.html
- Attach the “iam:PassRole” permission to the IAM account that you use to launch instances.
- S3 bucket for the output
- SNS topic
Get the list of available Windows updates from your instances
- Create a Maintenance Window.
- Assign Targets to the Maintenance Window. You can specify the instances directly (using instance IDs) or assign a tag to the instances and use that tag to select the targets.
- Assign Tasks to the Maintenance Window. You can select “AWS-FindWindowsUpdates” SSM document and specify the schedule on which you want the scan to be run.
- Specify an S3 bucket for the output
Create a lambda script
I called my function ssmS3LogsToSNS. Associate a role with the Lambda function which can publish to SNS and read objects from your S3 bucket. Note that s3:GetObject is granted on objects, not on the bucket itself, so the resource is the bucket ARN with /* appended. For example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::your-s3-bucket/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "sns:Publish"
      ],
      "Resource": "arn:aws:sns:REGION:ACCOUNT-ID:your-sns-topic"
    }
  ]
}
The lambda code is quite simple - it gets triggered from a file creation in the S3 bucket and takes the output of the file and puts it into SNS. You can find it in my github: https://github.com/hmain/awslambda/blob/master/lambda-ssm-s3-logs-to-sns/src/main.py
There is also a CloudFormation template which you can use with my packaged bundle: just upload the bundle to S3 and specify the parameters in the CloudFormation template.
Be sure to have the following environment variables defined in the lambda configuration:
- sns_topic
- sns_subject
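As an added illustration of what such a handler looks like (this is my own example, not the main.py from the repository above, and the sample event and fake clients in the test are constructed), the code below takes the S3 event, reads each created object and publishes its contents to the topic named in sns_topic with the subject from sns_subject. Two details worth handling: object keys arrive URL-encoded in the event (spaces as "+"), and SNS rejects messages over 256 KB, so the report is truncated rather than dropped.

```python
import os
import urllib.parse

MAX_SNS_BYTES = 256 * 1024  # SNS rejects messages larger than 256 KB


def _clients(s3=None, sns=None):
    """Create boto3 clients lazily so the module imports (and tests run)
    without boto3 or AWS credentials; callers may inject their own clients."""
    if s3 is None or sns is None:
        import boto3  # only needed when actually running inside Lambda
        s3 = s3 or boto3.client("s3")
        sns = sns or boto3.client("sns")
    return s3, sns


def object_refs(event):
    """Return (bucket, key) pairs for every S3 record in the event.
    Keys are URL-encoded in the notification, so decode them before GetObject."""
    refs = []
    for record in event.get("Records", []):
        rec = record.get("s3", {})
        bucket = rec.get("bucket", {}).get("name")
        key = rec.get("object", {}).get("key")
        if bucket and key:
            refs.append((bucket, urllib.parse.unquote_plus(key)))
    return refs


def build_message(bucket, key, body):
    """Prefix the report with where it came from and keep it under the SNS limit."""
    text = "Source: s3://%s/%s\n\n%s" % (bucket, key, body)
    encoded = text.encode("utf-8")
    if len(encoded) > MAX_SNS_BYTES:
        text = encoded[: MAX_SNS_BYTES - 64].decode("utf-8", "ignore") + "\n[truncated]"
    return text


def handler(event, context=None, s3=None, sns=None):
    """Lambda entry point: read each newly created object and publish it to SNS.
    Returns the SNS MessageIds so the result can be checked by the caller."""
    s3, sns = _clients(s3, sns)
    topic = os.environ["sns_topic"]
    subject = os.environ.get("sns_subject", "SSM Windows update report")[:100]  # subject max 100 chars
    message_ids = []
    for bucket, key in object_refs(event):
        body = s3.get_object(Bucket=bucket, Key=key)["Body"].read().decode("utf-8", "replace")
        resp = sns.publish(TopicArn=topic, Subject=subject, Message=build_message(bucket, key, body))
        message_ids.append(resp["MessageId"])
    return message_ids
```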
Set up a trigger on the S3 bucket
Add a notification configuration to your S3 bucket. In the notification configuration, you provide the following:
- The event type for which you want Amazon S3 to publish events. For this to work, specify the s3:ObjectCreated:* event type so that Amazon S3 publishes events when objects are created.
- The previously created Lambda function to invoke.
Configure your SNS topic to send you an email
- Open the Amazon SNS console at https://console.aws.amazon.com/sns/.
- In the navigation pane, choose Subscriptions.
- On the Subscriptions page, choose Create subscription.
- In the Create subscription dialog box, for Topic ARN, paste the topic ARN that you’re using for your notifications.
- For Protocol, choose Email.
- For Endpoint, type an email address that you can use to receive the notification, and then choose Create subscription.
- From your email application, open the message from AWS Notifications and confirm your subscription.
- Your web browser displays a confirmation response from Amazon Simple Notification Service.