5. SSM – Run Command
So back in Systems Manager we have our four instances being managed by SSM and we want to run some stuff on them. So why don’t we go and start with the Run Command. So Run Command, as the name indicates, allows you to run commands on the instances that are managed by SSM. So we’ll click on Run a Command and see how we can do things. So these are command documents and as you can see there’s a lot of of them, there’s about a lot of pages. There’s about four pages right now of them. So these are owned by Amazon, but you could obviously create your own documents. So let’s talk about these documents for a second.
Okay? So in the left hand side I’m going to open a new tab and under Shared Resources we have these documents. So these documents look just like json documents. So they can be either owned by Amazon or owned by me, or even shared with me. And so amongst them I have four different kinds of documents. So four different types. We have commands, automation, policy and session. And so commands will be used when we do Run Command. Automation will be used when we do automation and we will not use the Policy and Session once. So let’s look into command. And as we can see, we have a lot of those here.
For example, there is Configure docker and if we go to the contents of this document we see it’s a json document that shows us some description of the parameter of the document itself, some parameters for it and the main steps. So it looks a little bit like cloud formation in that regard. As in we have some parameters and then it will do some stuff out of it. So you could play around and look at all the documents. But what I wanted to show you here is that you have four different document types and you could also go ahead and create your own document if you’re required to do so. But for now, let’s get back to Run Command and look at the command documents owned by Amazon that we can use.
So there’s two that are really cool. This is the aws update. So let’s look at it of this update SSM Agent which is a document that we could run to update the Amazon SSM Agent on all the instances to the latest or specified version. Or there’s another one that we couldn’t run and that we will run this time, which is the Run command. So here we have run shell script. Here we go. aws run shell script. And so this is a shell script that we specify and that will run onto our instances. So let’s click on it to have a look at the details of this run shell script. As we can see the parameters, there are three of them and two of them are optional.
One of them is required and if we look at the contents, we can see that the parameters were defined as adjacent. And then what we’ll do at runtime is that it will run a shell script on the instances. So without further ado, let’s play with it. So I’m going back into my run command and have selected run shell script. I scroll down and then I need to specify a shell script or a command to run. So I’ll do pseudo yum install minus y httpd to install apache on all my instances. And then the working directory, we could set it to whatever we want, but we’re not going to set it to add to anything because we don’t need to be in a special directory to run this command.
And then I will scroll down, and here we can choose either the instance to run on by instance tags manually or by choosing a resource group. So this is why I created a resource group in the previous lecture. It was to show you that I’m able to choose a resource group to run this on, but I can also specify instance tag and say, okay, environment development and you’re going to run this on this environment specifically. So we have a rate control, which is okay, how fast do we want to install Httpd? So maybe we want to say that you want to do one target at a time, so one target at a time. Or we could specify a percentage and say, okay, only 20% of the instances at a time should have a task being executed.
So because we don’t have that many instances, I’m going to choose one target at a time and in case the task fails after zero errors. So after zero errors you should fail, but you could say, okay, maybe we can have two errors if you have a big fleet and maybe some of them will error out for some reason. Okay, so here after zero, meaning that any time a task fails, the entire run command should stop and then the output itself could be returned to an S three bucket. And I could choose a bucket name from the list and I could choose this bucket, for example, and we could have a prefix. So SSM run command and this is good. And we could also write the output to Cloud Watch if we wanted to. We could send sms notifications to send notifications about the statuses of this run command.
And finally, this is really nice. Atovis gives us the type of cli command we would need to run if we wanted to automate this task. So this is really nice to have. I wish this was on every single page in aws. So let’s click on Run and see how that works. So there’s an error, obviously. So what is the error? We need to specify the instance tag. I need to click on add. Here we go. So now the instances have been added. So I will click on Run and hopefully this works. So here we go. The detail is in progress. So this one instance, my Manage instance, is being updated right now. And because we have a rate control of one instance at a time, and this one is pending, meaning that it’s waiting for this one to be completed before we move on to my EC two instance.
So hopefully, by the end of this command. Both instances will have Httpd installed on them and we’ll be able to test that out very quickly. And we are done. The command has succeeded on both targets, so both are completed. There was zero error. And so if I go and on the ssh terminal do a curl local host 80 I should have a web page started. So of course I need to do sudo systemctl httpd start or start httpd to start apache and because it was installed, then this command succeeded. And now I can just look for local hosts. Here we go. And now we get a web page in return. So excellence. So this run command definitely worked on both. My instances. And this is what I wanted to show you.
Now, the run command. As you can see, there’s a ton of those. And you could look at those. The name is pretty explicit. For example, configure cloud watch. Configure docker, install application configure, Windows updates and whatever and this works on both linux and Windows so this is quite handy and so this is a way to do one off commands run at some right control onto all your managed instances, be it on premise or EC, two instances in SSM. And finally, you have a nice command history of all the commands that you have run within your account, which gives you a nice audit trail as well. So that’s it for this lecture. I hope you liked it and I will see you in the next lecture.
6. SSM – Parameter Store
So now we are going to look at parameterstore and this is a service we’ve been using fairly consistently in this course. So we already have three parameters being created, but let’s go through the process of recreating them just to make sure we fully understand those. So we are able to enter a custom name for our parameters and so it’s really free about how you want to name those, but I’ve seen the pattern where you have My app and then the environment, for example dev and then DB url. This is a common pattern where you have the application, the environment and then the name of the parameter. Okay, so this is a standard parameter and this could be of any of the three types string, string, list or secure string.
So the first two are plain text and the last one is secure and so secure means that it’s encrypted and it’s good to store secrets, whereas plaintext is used to store nonsensitive values such as AMI ids or a database url for example. So here it could be mysql and then fubar 3306, okay, and we’ll go ahead and create that parameter so excellent, now we could go and create the same parameter in prod, so we’ll do Myapprodburl and again this could be a string and this one will be mysql and then Fubarprod 3306. So we have created two of these parameters and we could go ahead, the parameter is not N, so obviously here we go, we are good to go and then finally we’ll create another one.
So this one will be devdb password and this one is a secure string, meaning that we can encrypt sensitive data using kms key and so we’ll use My current account and we’ll use the ssm kms key for this and so here, this is a super secrets dev password excellence. We’ll create this parameter and finally we’ll create one last parameter which is my DV password but for prod. So I’ll do Prod and remove the last slash and again secure string and this is super secret prod password. So we have created four of these parameters and they are in our parameter store now and we can have a look at one of them. For example, this one, it’s version one.
It was last modified by this user here’s style. And so if I edit it, for example, and change to fubar Dev 3306, I can save the changes. And now it’s at version two, so I can go in here and see it’s at version two and we can look at the history of the values and we can see how it has evolved over time and when it has evolved and who has last modified these parameters. So we get a nice audit trail for our parameters. So why would you do this? Well, we have full auditability, we have encryption so we can store secrets securely, we can protect them using iam, so we can only authorize a few instances to retrieve some parameters.
So the amid was really helpful.We wanted to have instances retrieved from cloud formation, the latest AMI this easy to instance type could be good for some common parameters. We’ve seen one parameter store being used for the Amazon Cloud Watch linux agent to store the configuration of the Cloud Watch linux agent as well. So this is good. We could have some kind of could build process receive at runtime based on the environment it’s building the right parameter from parameter store. So this is something we could do. So we have a lot of different options and finally we could retrieve these parameters using the cli so we can have a look.
For example at this command this is ssm get parameters and we’ll use the profile aviation devops. So it’s saying okay, get the parameters from ssm, get the dev DB, url and the devdb password. So I’ll press Enter and as we can see they’re coming back to me. So one is a string and it’s plain text, but one is a secure string and so I haven’t asked for decryption, so if I do minus minus with decryption, then it’s going to decrypt these parameters for me in here. Now I can see my super secret dev password so that makes sense. This is one type of API call we can do. But we can also do some kind of different API call where instead of calling out the parameters individually we could say, get parameters by path.
And in this case, it will return all the parameters under the myapp dev tree. And so therefore, it will return my devdb password and my devdburl. And this is why we would use this kind of get parameters by path. And so if I go one level up and just ask for my app, it’s going to return zero parameter because there’s nothing under my app. But you can have recursive and with recursive doing recursive in here, you get all the parameters recursively under this directory and so we get 1234. And if you wanted to decrypt these secrets, we’ll say with decryption.
And so this is quite nice because we have an sdk access, we have iam protection, kms encryption, version audits and so on so all of this is really helpful and quite a nice way to really make sure that you can automate in your environment without manually changing scripts or maintaining different versions of documents. Just by just referencing parameters in the parameter store you are able to perform some nice automations and so the parameter store at the exam will come up as a way for example to simplify an architecture or to centralize a parameter and so on and store a secret. So this is the kind of questions you should looking at going into the exam. So I hope that was helpful for you and I will see you in the next lecture.
7. SSM – Patch Manager
So I told you that ssm was used also for patching instances. So let’s get into the patch manager. So in Patch manager we can get here and we can instead of clicking on configure patching we’re going to click on View predefined patch baselines. So these are a bunch of baselines defined by aws in your accounts that tell the patch manager how to patch by default. ubuntu, suz, linux, wayne windows the default patch baseline for Windows, amazon, linux, cento, S and so on. Okay? And so each of these patch baseline will have an operating system attached to it and whether or not it’s the default baseline. Meaning when these systems are patched, which baseline patch will be applied to it.
Okay, so one patch we should be looking at for example is Amazon linux Two. So this doesn’t work. So obviously we’ll have to scroll down. Here is the Amazon linux two patch baseline. So this is provided by aws and we can see it’s the default baseline. And there are some rules of approval of patches. There’s no patch exceptions and there is no other patch sources. So this is just a default baseline for aws. But let’s go ahead and we are going to create our own patch. So for this you are going again to click on View predefined patch baselines and we’re going to create a patch baseline.
Now for this I’ll call it custom. Amazon linux two baseline. And this is a baseline we’ll be creating ourselves. So the operating system is going to be Amazon linux Two. And then we are able to set this as the default patch baseline for Amazon linux Two instance. That means that if we set this patch as the past baseline, all the patching of Amazon linux Two instances will be patched according to this new baseline. Okay, let’s scroll down here. We have approval rules for operating systems so we’re able to say which products we want to patch. So we’ll select all the severity. So whether or not we want all critical, medium, important and low.
We’ll select all and the classification if it’s a security, a bug fix and enhancements and so on, we’ll select all if there is an auto approval delay. So welter to zero days but we’re able to add days to wait before a patch is released and the compliance reporting will do unspecified. We could include non security updates in here and we could add another nine remaining rule if we wanted to. Okay, let’s scroll down. Here are patch exceptions and so we can see the approved patches as well as the rejected patches. And the way to understand what to put in there is that if you go to the package name formats for approved and rejected patch list you will see that for linux operating systems in here for example, you could specify this kind of format.
So we’re saying, okay, if I go here and say this cve thing is rejected or this example package in here is accepted and so on. So you could specify your own packages according to this list. Now this is more details around how patches are named and so on. You could as well cards. But what you need to remember is that within your own custom baseline, you are able to specify a list of approved and rejected patches. Okay, next we can go to patch sources, and this is really important. The one reason why we would have a custom patch baseline in here is that we can specify our own patch sources. So right now all the updates are coming directly from Amazon.
But maybe we want to add our own source and saying, okay, we want to be able to distribute some patches as well from our own sources. So this is where in the patch sources you would add your another source. So I’m not going to customize it much, I’m just going to create this patch baseline and it’s been created. And now if I go in my list, I can see that my custom Amazon linux two baseline is now the default patch baseline and the one from before this one is not. So now let’s go through applying this patch. And for this I will go to create a maintenance window, and in this maintenance window will define what can happen.
So we’ll create a maintenance window and we’re saying, okay, we need to provide a name so demo maintenance window, and we can allow unregistered targets and we can say how often do we want this window to happen? So it could be a cron a rate or a cron rate dispersion. So we can say every 30 minutes, every 1 hour, every day at 02:00 A. m. , and so on. So you have different ways. So we’ll just do every 30 minutes. And you can say how long the duration of the window will be. So is it one, two, three? How many hours you want? Up to 24. And if you want to stop initiating task, how many hours before the window closes? So, for example, we’ll have a three hour window, and 1 hour before the window closes, we will stop running patches.
This could be something that we could do. And we can run this every day at 02:00 A. m. . So to keep it simple though, I’ll just keep it every 30 minutes and keep this as 1 hour and we’ll keep this as zero. Okay. So we can also specify when the window starts as a date and ends as a date if we wanted to stop this maintenance window after a while, and the time zone and finding some tags. So the maintenance window defines when we want to be able to apply patches and other things into our instances. Right now, I make it super frequent so we can see the effect of it. So let’s create this maintenance window and it has been created. So now we have to register instances into this window, so I can click on it and I can go to Targets.
And as you can see, there is no targets. And so I need to register a target. So the target name, you could name it whatever you want, it’s all optional, so I’m not going to go through this. And how do I get my targets? Well, we can specify instance tags, or we can choose instances manually or choose a resource group. So in here I can say, okay, these four instances right here, this should be part of my instance window, but I could also say specify instance tag and say Environment. And we’re not going to specify a value, we’re just going to say it’s Environment. And similarly it will find my four instances in there, hopefully. So actually not, it will not. So I need to say choose instance manually and I’ll select them all and it will work better.
Edit Targets and now we have four targets in this window, target ID. So excellent. We’ve just registered some instance into the maintenance window and now we can register a Run command. So we’ll register a Run command task and in the command document I can go to aws and I can do Run Patch. And so we can choose the Run patch baseline to run a patch baseline directly on our instances. During this maintenance window, we specify a task priority. So whether or not we want this task to run first on our Institute instances or our Managed instances, because they can be hybrid ones as well and which ones to run first in priority. So the Run patch baseline is definitely something we want high priority.
So one is great. And then we’ll select Register Target. So we’ll select this window Target ID that we’ve just created. The rate control is how many targets at a time do we want to patch. So maybe I want to say I want to patch one target at a time, and if there is zero over zero errors, then you should stop right away which service role to use for this. So we’ll use the service link role for Systems Manager and we can write to S Three and have sns notifications for this, but we’ll skip this now for the parameters, the operation, it could be a scan or an install. So we’ll make it install because it will install the patches that are missing. But if you just wanted to know about compliance, we could have a scan and get that information as well.
So we’ll do install and we’re all good to go. We’ll register this Run command task. Okay, and so now I need to wait a little bit into history to see when it happens and how it will be executed. So I need to wait about 30 minutes until this happens. So I’ll pause the video and get back to you then. And so now I have a witness ID, and this one has failed. So we can view the details of why it has failed and because the maximum error count was exceeded so something did not work in this task. invocation, let’s have a look. And as we can see, four targets, four completed. There was one error. So three of them were a success and that one was not a success. And I think I know why.
So this is my managed instance that was hybrid. And if you remember it, what we did install for our managed instance was Red Hat linux. So this was a Red Hat Enterprise linux and we are running an Amazon linux two patch baseline and therefore obviously the Amazon linux Two patch baseline does not work on the Red Hat Enterprise linux. So this makes sense as to why things failed. So if we go back to the maintenance window and instead we go to the maintenance window ID and for targets we’re going to register targets. But this time we’ll make sure that we can only choose the instances that are managed by ssm and our Amazon linux Two. Here we go.
These are the good ones. And I can go ahead and delete that target group and this will make a lot more sense. So let’s change this task as well. In this task we’re going to edit it and apply it to the right window target. So this one and then click on Edit run command task and I can go to my targets and delete this and we’ll be good. Okay. So now we have a correct window ID. So the last thing I need to realize that we have access to the history for the targets, we can register as many window target ID as we want. And for task we are able to register a run command, an automation, a lambda task or a step function task.
So in these maintenance windows we are able to do quite a lot of things including running a run command that will run the patch baseline for us. So that’s it for this lecture on patching. And if we went into compliance, just to have a look at the compliance of our EC two instances in here we can see that for patches we have three compliant resources because they have been patched at the moment and this will be tracked in the compliance tab of ssm. So that’s it for this long lecture. But hopefully you understand now that patch manager can be used to apply patches to all your instances and you can track the compliance of those in the compliance tab. And I will see you you in the next lecture.