{"id":20697441,"url":"https://github.com/epomatti/aws-systems-manager","last_synced_at":"2025-06-13T09:09:09.500Z","repository":{"id":108712178,"uuid":"528034857","full_name":"epomatti/aws-systems-manager","owner":"epomatti","description":"AWS Systems Manager sandbox","archived":false,"fork":false,"pushed_at":"2024-01-31T01:48:25.000Z","size":246,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-11T02:51:11.606Z","etag":null,"topics":["authorized-keys","aws","aws-security","aws-sms","aws-systemsmanager","ec2","linux","parameter-store","patch-manager","run-command","ssh","ssm"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/epomatti.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2022-08-23T14:44:33.000Z","updated_at":"2024-08-30T11:08:06.000Z","dependencies_parsed_at":null,"dependency_job_id":"dd1ee871-ffb1-42f7-ba11-f60ca1abf5de","html_url":"https://github.com/epomatti/aws-systems-manager","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/epomatti/aws-systems-manager","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/epomatti%2Faws-systems-manager","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/epomatti%2Faws-systems-manager/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/epomatti%2Faws-systems-manager/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposi
tories/epomatti%2Faws-systems-manager/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/epomatti","download_url":"https://codeload.github.com/epomatti/aws-systems-manager/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/epomatti%2Faws-systems-manager/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":259616381,"owners_count":22884883,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authorized-keys","aws","aws-security","aws-sms","aws-systemsmanager","ec2","linux","parameter-store","patch-manager","run-command","ssh","ssm"],"created_at":"2024-11-17T00:18:05.076Z","updated_at":"2025-06-13T09:09:09.457Z","avatar_url":"https://github.com/epomatti.png","language":"HCL","readme":"# \u003cimg src=\".assets/icons/ssm.png\" width=40 /\u003e AWS Systems Manager\n\nShort reference implementation for key capabilities of Systems Manager components:\n\n| Icon | SSM Feature     | Example scenarios |\n|-| ----------------|---------|\n| \u003cimg src=\".assets/icons/ssm-automation.png\" width=30 /\u003e| Automation      | Controlling the state (start, stop, restart) of EC2 instances. |\n| \u003cimg src=\".assets/icons/ssm-runcommand.png\" width=30 /\u003e | Run Command     | 1. Find and apply Windows updates. \u003cbr/\u003e 2. Update SSH authorized keys on Linux machines.  
|\n| \u003cimg src=\".assets/icons/ssm-inventory.png\" width=30 /\u003e | Inventory       | Dashboard with in-depth information collected about the fleet |\n| \u003cimg src=\".assets/icons/ssm-patchmanager.png\" width=30 /\u003e | Patch Manager   | Scan and install security patches. |\n| \u003cimg src=\".assets/icons/ssm-compliance.png\" width=30 /\u003e | Compliance      | Compliance items registered for instances.|\n| \u003cimg src=\".assets/icons/ssm-statemanager.png\" width=30 /\u003e | State Manager |  Document associations with instances. |\n| \u003cimg src=\".assets/icons/ssm-distributor.png\" width=30 /\u003e | Distributor |  Install the CloudWatch Agent package. |\n\n\n## \u003cimg src=\".assets/icons/ec2.png\" width=30 /\u003e Instances setup\n\nStart by copying the `.auto.tfvars` file template:\n\n\u003e 💡 The sample config AMIs already include the SSM Agent\n\n```sh\ncp samples/sample.tfvars .auto.tfvars\n```\n\nGenerate a temporary key pair:\n\n```sh\nmkdir keys\nssh-keygen -f keys/temp_key\n```\n\nCreate the sandbox infrastructure:\n\n```sh\nterraform init\nterraform apply -auto-approve\n```\n\nEnter the Systems Manager console and check the Fleet Manager blade.\n\nIf you prefer using Session Manager with the CLI:\n\n```sh\naws ssm start-session \\\n    --target instance-id\n```\n\nCheck if the instance components have been installed:\n\n```sh\ncloud-init status\n\nsudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -m ec2 -a status\n```\n\n## \u003cimg src=\".assets/icons/ssm-automation.png\" width=30 /\u003e Automation\n\n### Starting \u0026 stopping instances\n\nTo stop an instance using Automation, use a shared Document:\n\n```sh\naws ssm start-automation-execution \\\n    --document-name \"AWS-StopEC2Instance\" \\\n    --parameters \"InstanceId=i-00000000000000000\"\n```\n\nTo start the instance again:\n\n```sh\naws ssm start-automation-execution \\\n    --document-name \"AWS-StartEC2Instance\" \\\n    --parameters 
\"InstanceId=i-00000000000000000\"\n```\n\nRestart is also an option:\n\n```sh\naws ssm start-automation-execution \\\n    --document-name \"AWS-RestartEC2Instance\" \\\n    --parameters \"InstanceId=i-00000000000000000\"\n```\n\n## \u003cimg src=\".assets/icons/ssm-runcommand.png\" width=30 /\u003e Run Command\n\n### Windows Updates\n\nUse the document `AWS-FindWindowsUpdates` to find updates for Windows:\n\n```sh\naws ssm send-command \\\n    --document-name \"AWS-FindWindowsUpdates\" \\\n    --parameters \"UpdateLevel=All\" \\\n    --targets Key=tag:Environment,Values=Development Key=tag:Platform,Values=Windows\n```\n\nCheck the console for status and execution output.\n\nYou can now use the document `AWS-InstallMissingWindowsUpdates` to install the missing Windows updates:\n\n```sh\naws ssm send-command \\\n    --document-name \"AWS-InstallMissingWindowsUpdates\" \\\n    --parameters \"UpdateLevel=All\" \\\n    --targets Key=tag:Environment,Values=Development Key=tag:Platform,Values=Windows\n```\n\nAfter applying the updates, you can check for missing updates one more time to confirm it all went well.\n\n### Linux - Update SSH authorized keys\n\nUse Run Command to execute custom code that edits the `authorized_keys` file.\n\nTest your local connection to an instance:\n\n```sh\nssh -i ./keys/temp_key ubuntu@\u003cpublic-ip\u003e\n```\n\nCreate a **new pair** of keys:\n\n```sh\nssh-keygen -f ./keys/new_temp_key\n```\n\nUsing `AWS-RunShellScript`, back up the `authorized_keys` file:\n\n```sh\naws ssm send-command \\\n    --document-name \"AWS-RunShellScript\" \\\n    --comment \"Backup the authorized_keys file\" \\\n    --targets Key=tag:Environment,Values=Development Key=tag:Platform,Values=Linux \\\n    --parameters \"commands='cp /home/ubuntu/.ssh/authorized_keys /tmp/copy_of_authorized_keys'\" \\\n    --output text\n```\n\nNow proceed with the method of your choice for adding or replacing the actual key.\n\nUse a safe method in production. 
For this test you can do:\n\n```sh\n# Replace PUBLIC_KEY with the contents of ./keys/new_temp_key.pub\naws ssm send-command \\\n    --document-name \"AWS-RunShellScript\" \\\n    --comment \"Append the new public key\" \\\n    --targets Key=tag:Environment,Values=Development Key=tag:Platform,Values=Linux \\\n    --parameters \"commands='echo PUBLIC_KEY \u003e\u003e /home/ubuntu/.ssh/authorized_keys'\" \\\n    --output text\n```\n\n## \u003cimg src=\".assets/icons/ssm-inventory.png\" width=30 /\u003e Inventory\n\nIf you haven't yet, you'll need to [enable inventory][1] to collect data.\n\nWhen you set up Inventory, a new association `AWS-GatherSoftwareInventory` is created on **State Manager**.\n\n\n## \u003cimg src=\".assets/icons/ssm-patchmanager.png\" width=30 /\u003e Patch Manager\n\nFrom the documentation:\n\n\u003e Patch Manager, a capability of AWS Systems Manager, automates the process of patching managed nodes with both security-related updates and other types of updates.\n\nPatch Manager can integrate with AWS Organizations for complete management of patches.\n\nAs of now, there are four options for `Scan` and `Scan and install` operations:\n\n- Patch Policy (recommended)\n- Host Management\n- Maintenance window\n- On-demand\n\nPatches can be managed in many ways. Let's follow this [walkthrough](https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-cli-commands.html#patch-operations-cli-commands).\n\nTo run a simple test, connect to the Linux box and do a `sudo apt update`. 
There should be packages to upgrade.\n\n\u003cimg src=\".assets/img/ssm-sudo-apt-update.png\" /\u003e\n\nScan the target instance:\n\n```sh\naws ssm send-command \\\n    --document-name 'AWS-RunPatchBaseline' \\\n    --targets Key=InstanceIds,Values='i-00000000000000000' \\\n    --parameters 'Operation=Scan' \\\n    --timeout-seconds 600\n```\n\nCheck the operation status:\n\n\u003cimg src=\".assets/img/ssm-node-missing-patches.png\" /\u003e\n\nIf you check the output, it will match the `apt update` from before.\n\nTo solve the non-compliance issue, run the patch with the `Install` operation:\n\n```sh\naws ssm send-command \\\n    --document-name 'AWS-RunPatchBaseline' \\\n    --targets Key=InstanceIds,Values='i-00000000000000000' \\\n    --parameters 'Operation=Install,RebootOption=RebootIfNeeded' \\\n    --timeout-seconds 600\n```\n\nMake sure `--timeout-seconds 600` is set to a value that fits your environment; updates might take a while to complete.\n\nTo ensure availability of your solution, make sure the `RebootOption` matches your use case. 
The default option is `RebootOption=RebootIfNeeded`.\n\nAfter the document runs, the non-compliant patches were significantly reduced to a count of 56.\n\n\u003cimg src=\".assets/img/ssm-sudo-apt-upgraded.png\" /\u003e\n\nThe compliance reports should be all green now:\n\n\u003cimg src=\".assets/img/ssm-100compliant.png\" /\u003e\n\nIn case you want to check the status of the CloudWatch agent:\n\n```sh\nsudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -m ec2 -a status\n```\n\n### Debian\n\nChecking the Debian server components:\n\n```sh\ncloud-init status\nsudo systemctl status amazon-ssm-agent\nsudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -m ec2 -a status\n```\n\nSSM patching was RAM-efficient on a newly created `t4g.nano` instance:\n\n\u003cimg src=\".assets/img/aws-debian-ssm-patch.png\" /\u003e\n\n\n### Auto Scaling Groups (ASG)\n\nThere is an ASG resource available in this Terraform configuration. Enable it for testing.\n\nTo patch instances in an ASG:\n\n```sh\naws ssm send-command \\\n    --document-name 'AWS-RunPatchBaseline' \\\n    --targets Key=tag:Cluster,Values=ASG \\\n    --parameters 'Operation=Install,RebootOption=RebootIfNeeded' \\\n    --timeout-seconds 600\n```\n\n### Patch Policy\n\nCurrently, only the Console supports this via Quick Setup. A good reference for patching is [this article](https://aws.amazon.com/blogs/mt/how-moodys-uses-aws-systems-manager-to-patch-servers-across-multiple-cloud-providers/).\n\nAs per requirements for a [custom instance profile](https://docs.aws.amazon.com/systems-manager/latest/userguide/quick-setup-patch-manager.html#patch-policy-s3-bucket-permissions):\n\n- Add policy `AmazonSSMManagedInstanceCore` to the instance profile or service role.\n- Add permissions to access the required `aws-quicksetup-patchpolicy-*` buckets.\n- Add the `QSConfigId-\u003cabcde\u003e=\u003cabcde\u003e` tag to the instance profile or service role.\n\nYou can schedule a policy using a cron expression. 
Example:\n\n```\n# Run at 20:30 (UTC) every day (fields: minutes hours day-of-month month day-of-week year)\ncron(30 20 * * ? *)\n```\n\nIf you have issues when deploying stack sets, try deleting [IAM roles and permissions](https://docs.aws.amazon.com/systems-manager/latest/userguide/quick-setup-getting-started.html#quick-setup-getting-started-iam) that are used. You might have to delete the StackSet and its stale stacks prior to that.\n\nIf you run into the [\"Invoke-PatchBaselineOperation : Access Denied\"](https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-troubleshooting.html#patch-manager-troubleshooting-patch-policy-baseline-overrides) issue, follow the instructions to fix it. For that, you must understand the [bucket permissions](https://docs.aws.amazon.com/systems-manager/latest/userguide/quick-setup-patch-manager.html#patch-policy-s3-bucket-permissions) architecture for this service.\n\nSelecting this option should not generate S3 and tag issues:\n\n\u003cimg src=\".assets/img/ssm-patchpolicy-s3.png\" /\u003e\n\nTo deal with such issues, you can ignore tag changes in Terraform:\n\n```terraform\nprovider \"aws\" {\n  region = var.aws_region\n\n  ignore_tags {\n    key_prefixes = [\n      \"QSConfigName-\",\n      \"QSConfigId-\",\n    ]\n  }\n}\n```\n\nAnd add the following policy to the IAM Instance Profile:\n\n```json\n{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": \"s3:GetObject\",\n      \"Resource\": \"arn:aws:s3:::aws-quicksetup-patchpolicy-*\"\n    }\n  ]\n}\n```\n\n### Maintenance Windows\n\nThis project creates maintenance window configurations.\n\nCheck it out in the SSM console when deployed.\n\nIf you see the [`No Invocations to Execute`](https://repost.aws/knowledge-center/ssm-no-invocations-automation) message, the linked article explains its causes.\n\n\u003e I solved the issue above by associating targets as opposed to instance IDs to my task.\n\n\n## \u003cimg src=\".assets/icons/ssm-compliance.png\" width=30 /\u003e Compliance\n\nYou can 
use SSM Compliance to scan your fleet of managed nodes for patch compliance and configuration inconsistencies.\n\nTo simulate a compliance issue, execute this command to register a custom software item that is not installed on your instance as non-compliant:\n\n```sh\naws ssm put-compliance-items \\\n    --resource-id i-00000000000000000 \\\n    --resource-type ManagedInstance \\\n    --compliance-type Custom:CorporateSoftware \\\n    --execution-summary ExecutionTime=1597815633 \\\n    --items Id=Version-2.0,Title=CorporateSoftware,Severity=CRITICAL,Status=NON_COMPLIANT \\\n    --region us-east-2\n```\n\nCheck your fleet status, and the targeted instance should appear as non-compliant:\n\n\u003cimg src=\".assets/img/ssm-compliance.png\" /\u003e\n\n## \u003cimg src=\".assets/icons/ssm-statemanager.png\" width=30 /\u003e State Manager\n\nWith State Manager it is possible to create associations between SSM Documents and instances.\n\nFollowing [this example](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-state-cli.html), it is possible to associate the [`AWS-UpdateSSMAgent`](https://docs.aws.amazon.com/systems-manager/latest/userguide/documents-command-ssm-plugin-reference.html#aws-updatessmagent) document on an instance with a schedule.\n\nTo follow through with this, open a session on your Linux instance and check the SSM [agent version](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-get-version.html):\n\n```sh\nsudo snap list amazon-ssm-agent\n```\n\nIt is likely that at least a minor version update is available.\n\nCreate a State Manager association for the instance:\n\n```sh\naws ssm create-association \\\n    --name \"AWS-UpdateSSMAgent\" \\\n    --targets \"Key=instanceids,Values=i-00000000000000000\"\n```\n\nCheck the association status; if it is successful, the agent will be updated on the instance.\n\nOne strategy is to add a schedule to the association and let it update the agents periodically, for example:\n\n```sh\n--schedule-expression \"cron(0 2 ? 
* SUN *)\"\n```\n\n## \u003cimg src=\".assets/icons/ssm-distributor.png\" width=30 /\u003e Distributor\n\nYou can use Distributor to install AWS or custom packages.\n\nHere is an example installing the `AmazonCloudWatchAgent` package:\n\n```sh\naws ssm send-command \\\n    --document-name \"AWS-ConfigureAWSPackage\" \\\n    --instance-ids \"i-00000000000000000\" \\\n    --parameters '{\"action\":[\"Install\"],\"installationType\":[\"Uninstall and reinstall\"],\"name\":[\"AmazonCloudWatchAgent\"]}'\n```\n\nWait for the command to finish, then test on the instance:\n\n```sh\namazon-cloudwatch-agent-ctl -help\n```\n\n---\n\n### 🧹 Clean Up\n\n```sh\nterraform destroy -auto-approve\n```\n\n[1]: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-inventory-configuring.html\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fepomatti%2Faws-systems-manager","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fepomatti%2Faws-systems-manager","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fepomatti%2Faws-systems-manager/lists"}