© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Dean SamuelsManager, Solutions Architecture

Hong Kong & Taiwan

19th January 2017

New Launch!Amazon EC2 Systems Manager

Hybrid Cloud Management at Scale

What to Expect from the Session

• Overview of Systems Manager and its capabilities

• Learn how to configure and manage your cloud and hybrid IT environments at scale

• Demos

Cloud is the new normal – enterprises of all sizes are moving to the cloud to take

advantage of increased agility, lower costs, and a global reach

Many enterprises often bring their traditional on-premises toolset to manage their cloud and

hybrid environments

What we heard from customers

• Traditional IT tools not built for the cloud• Managing resources at scale is difficult• Lack of visibility into configuration and

execution history • Multiple vendors; complex licensing

Managing cloud and hybrid environments using traditional tools is complex and costly

Introducing EC2 Systems Manager

A set of capabilities that enable automated configuration and ongoing management of systems at scale, across all of your Windows and Linux workloads, running in Amazon EC2 or

on-premises

Why should I care?

Hybrid Cross-platform Scalable

Secure Easy-to-write automation

Reduced TCO

Click icon to add picture Click icon to add picture Click icon to add picture

Click icon to add picture Click icon to add picture Click icon to add picture

Systems Manager capabilities

Run Command Maintenance Window

Inventory

State Manager Parameter Store

Patch Manager

Automation

Deploy, Configure,and Administer

Track andUpdate

Shared Capabilities

Documents

Parameter Store

• Parameters reference-able via a Run Command, State Manager, and Automation Service

• Granular access control limits unwanted data access

• Encrypt sensitive information using your own AWS KMS keys

• Eliminates on-going maintenance challenge of critical enterprise assets

Centralized management of IT assets such as passwords and connection strings

New!

Parameter Store – Getting Started

1. Set parameters as key-value pairs

3. Reuse: In Documents and easily reference at runtime across EC2 Systems manager using {{ssm:parameter-name}}

4. Access Control: Create an IAM policy to control access to specific parameter

2. Secure strings: encrypt sensitive parameters with your own KMS or default account encryption key

Maintenance Window

• Define one or more recurring windows of time during which it is acceptable for disruptive actions to occur

• Built-in integration with Run Command and Patch Manager

• Helps improve availability and reliability of your workloads by automatically performing tasks in a well-defined window of time

Schedule disruptive tasks in well-defined window to minimize downtime

New!

Run Command

• Example: Running shell and PowerShell scripts

• Easily define new tasks using simple JSON-based Documents – no specialized skillset required

• Leverage Documents built by AWS and the broader community

• Delegate access, perform audit, receive notifications

• Helps improve security posture by eliminating the need to SSH or RDP

Perform common administrative tasks remotely at scale

Run Command – Getting Started

1. Instance: Setup agent, AWS Identity & Access Management (IAM) role on your instance. On-premise servers: create activation code, deploy agent and activate

3. Command and Command Invocation on target instances and on-premise servers

4. View status and output – granular results

2. Create Document to author your intent, define the plugins to run and parameters to use

State Manager

• Example: Configuring firewall and updating anti-malware definitions

• Define new policies using simple JSON-based Documents

• Control how and when a configuration is applied and maintained

• Helps enforce enterprise-wide compliance of configuration policies

• Re-apply to keep servers from drifting

• Track aggregate status for your fleet

Define and maintain a consistent configuration of OS and applications

New!

State Manager – Getting Started

1. Create Document to author your intent

3. Schedule: When to apply your association

4. Status: Check the state of your association at an aggregate or instance level

2. Association: Binding between a document and a target

Automation Service

• Optimized for building and maintaining Amazon Machine Images (AMIs)

• Start with an AMI perform automation steps like OS patching and drive updates produce a new AMI

• Express your workflow as automation steps in a JSON-based Document

• Support for Run Command, AWS Lambda functions, AWS CloudTrail, IAM and Amazon CloudWatch integrations

• Eliminates the overhead in managing ‘golden’ enterprise images

Automate common tasks using simplified workflowsNew!

Automation – Getting Started

1. Create an automation document

2. Run automation 3. Monitor your automation

Walkthrough Demo

Inventory

• Example: Instance and OS details, network configuration, list of files, installed software and patches

• Collect data from predefined inventory types or write a custom one using JSON Document

• AWS Config integration enables tracking the history of changes

• Simplifies management scenarios, such as licensing usage tracking and identifying zero-day vulnerabilities

Scalable way of collecting, querying, and auditing detailed software inventory information

New!

Inventory – Getting Started

1. Configure Inventory policy

2. Apply Inventory policy

3. Query inventory

Walkthrough Demo

Inventory – System Diagram

SSMAgent

EC2 Windows Instance

SSMAgent

EC2 Linux

Instance

SSMAgent

On-Premises Instance

AWS SSM Service

State Manager

EC2 Inventory SSM document

Inventory Store

EC2 Console, SSM CLI/APIs

AWS Config

AWS Config Console + CLI/APIs

Patch Manager

• Express custom patch policies as patch baselines, e.g., apply critical patches on day 1 but wait 7 days for non-critical patches

• Perform patching during scheduled maintenance windows

• Built-in patch compliance reporting

• Eliminates manual intervention and reduces time-to-deploy for critical updates and zero-day vulnerabilities

Roll out Windows OS patches using custom-defined rules and pre-scheduled maintenance windows

New!

Patch Manager – Getting Started

1. Create a Patch Baseline to define approved patches

3. Maintenance Window executes patching

4. Audit results with Patch Compliance

2. Create a Maintenance Window to schedule patching for a set of instances

Patch Manager - Overview

Prod Environment

Instance A

Patch Group:Prod

Patch Baseline

- Critical, High- 5 days or older

1

Maintenance Window

- Sundays @ 1AM- 2 hrs. long- Task: Patching

2 3

Patch Compliance

2up to date

0missingupdates

1error

4

Instance B

Patch Group:Prod Patch Group:Prod

Best-practices and FAQs

• What OS platforms are supported? • Update your SSM agent today to get started!• What ports or network access do my instances need?• Is there anything different to set up on-premises servers?• Use notifications, velocity control• For disruptive actions, use Run Command with Maintenance

Window• Fine-grained access control through IAM policies on resources (e.g.

documents)• Customize configuration with idempotent scripts for State Manager

Systems Manager availability

• No charge – only pay for AWS resources you manage

• Available in multiple regions

Systems Manager capabilities

Run Command Maintenance Window

Inventory

State Manager Parameter Store

Patch Manager

Automation

Deploy, Configure,and Administer

Track andUpdate

Shared Capabilities

Your Feedback is Important!

• These services are available today• Learn more at

https://aws.amazon.com/ec2/run-command/ • Technical documentation at http://

docs.aws.amazon.com/AWSEC2/latest/UserGuide/run-command.html

• Please send your feedback, improvements, requests to ec2-ssm-feedback@amazon.com

Next steps

• Learn more at https://aws.amazon.com/ec2/systems-manager/

• Join us at the booth! We’d love to hear your feedback.

Remember to complete your evaluations!

Thank you!Dean Samuels

Manager, Solutions ArchitectureHong Kong & Taiwan

18/01/2017