AWS SSM Simple System Management

Managing Windows instances in the Cloud

Sponsors

Presented by Adam Book from

Find me on LinkedIn

News Recap 2014

Automatically join the server back to a domain so that users can long in with usernames and passwords?

Have you ever wanted to:{Easily}

Enable monitoring of logs and metrics on Windows instances so that logs can be saved to CloudWatch Logs

Install an Application automatically at instance startup without writing a Chef recipe or Puppet Manifest

Simple Systems Manager (SSM) enables you to remotely manage the configuration of your Amazon EC2 instance. Using SSM, you can run scripts or commands using either EC2 Run Command or SSM Config.

(SSM Config is currently available only for Windows instances.)

SSM Simple System Management

Is SSM really Simple?

Image by http://www.gratisography.com/

Yes

Noand

SSM – Commands

Command DescriptionAWS-JoinDirectoryServiceDomain Joins an AWS Directory

AWS-RunPowershellScript Runs PowerShell commands or scripts

AWS-UpdateEC2Config Updates the EC2Config service

AWS-InstallApplication Installs, repairs, or uninstalls software using a MSI package

AWS-InstallPowershellModule Installs Powershell Modules

AWS-ConfigureCloudWatch Configures CloudWatch logs and can be used to monitor applications and systems.

Where does SSM Work?

Region Name Region EndpointUS East (N Virginia) us-east-1 ssm.us-east-1.amazonaws.com

US West (Oregon) us-west-2 ssm.us-west-2.amazonaws.com

US West (N California) us-west-1 ssm.us-west-1.amazonaws.com

EU (Ireland) eu-west-1 ssm.eu-west-1.amazonaws.com

EU(Frankfurt) eu-central-1 ssm.eu-central-1.amazonaws.com

Asia Pacific (Singapore)

ap-southeast-1 ssm.ap-southeast-1.amazonaws.com

Asia Pacific (Tokyo) ap-northeast-1 ssm.ap-northeast-1.amazonaws.com

Asia Pacific (Sydney) ap-southeast-2 ssm.ap-southeast-2.amazonaws.com

South America (Sao Palo)

sa-east-1 ssm.sa-east-1.amazonaws.com

IAM and SSM

For more info http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ssm-iam.html

In order for SSM to have the permissions that it needs you will need to attach an IAM Role to your instances with either one of the managed policies below or a policy that has the correct SSM permissions.

IAM and SSM

For more info http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ssm-iam.html

In order for SSM to have the permissions that it needs you will need to attach an IAM Role to your instances with either one of the managed policies below or a policy that has the correct SSM permissions.

IAM and SSM

Here is an example of the Role created that we will be using in our examples for our instances

When joining a domain using SSM we will need to find out some information about our Directory so that we can create the JSON document.

Joining a Domain

Notice the highlighted line where we see the distinguished name that shows the:

Joining a Domain

CN -> Common NameDC -> Domain ControllerOU -> Organizational Unit

{ "schemaVersion": "1.0", "description": "Sample configuration to join an instance to a domain", "runtimeConfig": { "aws:domainJoin": { "properties": { "directoryId": "d-1234567890", "directoryName": "test.example.com", "directoryOU": "OU=test,DC=example,DC=com", "dnsIpAddresses": [ "198.51.100.1", "198.51.100.2" ] } } }}

Joining a DomainCreating the Document

Using the AWS CLI you can create the document once for reuse in your SSM endeavors

(we’ll save our json from before as test-domain.json )

SSM Creating the Document

Using the AWS CLI you can create the document once for reuse in your SSM endeavors

(we’ll save our json from before as test-domain.json )

SSM Creating the Document

$ aws ssm create-document –content file://test_domain.json --name “Test_Domain” --region eu-west-1

If we think we have already created the document to join the domain previously then we can use the AWS CLI to ask it what documents are currently available with the List-Documents command.

SSM Creating the Document

$ aws ssm list-documents --region eu-west-1

Now we’re ready to launch our instanceWe’ll use a STOCK Windows 2012 server AMI first run.

Joining a Domain

<powershell>Import-Module AWSPowerShell $web = New-Object Net.WebClient $InstanceId = $web.DownloadString("http://169.254.169.254/latest/meta-data/instance-id")$AvailabilityZone = $web.DownloadString("http://169.254.169.254/latest/meta-data/placement/availability-zone") $Region = $AvailabilityZone.Substring(0,$AvailabilityZone.Length-1) New-SSMAssociation -InstanceId $InstanceId -Name ”Test_Domain" -Region $Region </powershell>c

Joining a Domain A closer look – User Data<powershell>Import-Module AWSPowerShell $web = New-Object Net.WebClient $InstanceId = $web.DownloadString("http://169.254.169.254/latest/meta-data/instance-id")$AvailabilityZone = $web.DownloadString("http://169.254.169.254/latest/meta-data/placement/availability-zone") $Region = $AvailabilityZone.Substring(0,$AvailabilityZone.Length-1) New-SSMAssociation -InstanceId $InstanceId -Name ”Test_Domain" -Region $Region </powershell>

By using the EC2 system log we can see the progress of the SSM and the Domain Join

Joining a Domain How can we tell it joined?

Joining a Domain How can we tell it joined?

SSM Demo Time

Photo curtesyof Stephen Radford via http://snap.io

What happens when you don’t have a domain

One of the easiest solutions is to use the Simple AD service from AWS and create a *.local domain to add your users

Joining a Domain

What happens when you don’t have a domain

One of the easiest solutions is to use the Simple AD service from AWS and create a *.local domain to add your users

Joining a Domain

mycorp.local

From the Simple AD service:Click on your directory id -> And you should see a details screen like the one below

Finding your DNS on AWS Simple AD

When using existing images you need to make sure that User Data is turned on beforecreating the image to use with SSM

Using Existing Images

If you don’t do this then the scripting done in the userdata box will not work.

The Role of sysprep

For more info http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ami-create-standard.html

1) Generalize 2) Specialize 3) Creates an Out-of-Box Experience

The Role of sysprep Generalize

For more info http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ami-create-standard.html

Generalize: The tool removes image-specific information and configurations. For example, Sysprep removes the security identifier (SID), the computer name, the event logs, and specific drivers, to name a few. After this phase is completed, the operating system (OS) is ready to create an AMI.

The Role of sysprep Specialize

For more info http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ami-create-standard.html

Specialize: Plug and Play scans the computer and installs drivers for any detected devices. The tool generates OS requirements like the computer name and SID. Optionally, you can execute commands in this phase.

The Role of sysprep Create an OOB Experience

For more info http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ami-create-standard.html

Out-of-Box Experience (OOBE): The system runs an abbreviated version of Windows Setup and asks the user to enter information such as a system language, the time zone, and a registered organization. When you run Sysprep with EC2Config, the answer file automates this phase.

Questions?

Image by http://www.gratisography.com/