Operations Management

Fleet Management with AWS Systems Manager - Automating Patch Management, Inventory, and Run Command

Automate patch management with Patch Manager, streamline remote operations with Run Command, and enable SSH-free shell access with Session Manager.

約 3 分で読めます

Key Features of Systems Manager

Systems Manager is a service that unifies operational management of EC2 instances and on-premises servers. Instances with the SSM Agent installed are managed as managed nodes, providing capabilities such as patch management, command execution, session connections, inventory collection, and parameter management. The SSM Agent comes pre-installed on Amazon Linux 2, Amazon Linux 2023, Ubuntu, and Windows Server AMIs. Systems Manager itself is free to use, with only EC2 instance charges applying.

Patch Management with Patch Manager

Patch Manager automates OS and application patching. Patch baselines define which patch classifications (security, bug fix, enhancement) and severities (Critical, Important, Medium, Low) to apply, along with approval rules (e.g., auto-approve 7 days after release). Maintenance windows define patching schedules (e.g., every Sunday at 2:00 AM) for automatic execution outside business hours. The patch compliance dashboard provides a fleet-wide view of patch status, making it easy to identify non-compliant instances. You can also configure automatic snapshot creation before patching, enabling rollback if issues arise after patch application.

Run Command and Session Manager

Run Command remotely executes SSM documents (predefined command sets) on managed nodes. AWS-RunShellScript executes shell commands, and AWS-RunPowerShellScript executes PowerShell commands. Targets can be specified by tags, resource groups, or manual selection, allowing commands to be sent to thousands of instances simultaneously. Session Manager provides browser-based shell access, eliminating the need for SSH key management and opening SSH ports in security groups. Session logs are automatically recorded to S3 or CloudWatch Logs, providing an audit trail of who executed which commands and when. For more on Systems Manager, you can also explore related books on Amazon.

Systems Manager Pricing

The core features of Systems Manager (Patch Manager, Run Command, Session Manager, Inventory) are free to use. There is no additional charge for installing and running the SSM Agent. Costs are incurred only for advanced features such as Advanced parameters (Parameter Store parameters over 8 KB, approximately $0.05/parameter/month), OpsCenter OpsItems (approximately $2.97 per 1,000 items), and Change Manager change requests (approximately $0.326 per 1,000 requests). There is no reason not to enable the free core features in every environment running EC2.

Summary

Systems Manager is a service that unifies and automates EC2 fleet operational management. Patch Manager automates patching, Run Command streamlines remote operations, and Session Manager provides secure shell access. It is free to use and recommended for adoption in every environment running EC2.

Related Services

AWS Systems ManagerAn operations management service for centrally managing AWS resources and on-premises serversAmazon EC2A compute service that provides virtual servers in the cloudAmazon CloudWatchA service that provides monitoring, log management, and alarms for AWS resources and applications

Related Articles

AWS Secrets Manager - Automatic Rotation and Application IntegrationAutomatically rotate RDS and Aurora passwords with Lambda functions and seamlessly retrieve secrets from applications using the SDK caching library. Also covers when to use Parameter Store instead.Implementing Feature Flags with AWS AppConfig - Safe Configuration Deployment and RollbackRoll out configuration changes independently from code deployments using Linear and Exponential strategies. Ensure safety with automatic rollback triggered by CloudWatch alarms.Eliminate SSH Key Management with EC2 Instance Connect - Secure Connections from Browser and CLILearn about keyless SSH connections with EC2 Instance Connect, IAM-based access control, and Endpoint usage.

More on This Topic

How AWS Keeps Time Internally - Amazon Time Sync Service and Leap Second Smearing DesignLearn how Amazon Time Sync Service works, how GPS and atomic clocks provide high-precision time sources, the design decision to absorb leap seconds through smearing, and why time synchronization matters in distributed systems.Centralizing SaaS Audit Logs with AWS AppFabric - OCSF Standardization and Security Lake IntegrationLearn how AppFabric collects audit logs from SaaS applications, standardizes them to OCSF format, and builds analysis pipelines.Implementing Feature Flags with AWS AppConfig - Safe Configuration Deployment and RollbackRoll out configuration changes independently from code deployments using Linear and Exponential strategies. Ensure safety with automatic rollback triggered by CloudWatch alarms.Architecture Review - Systematically Evaluate Workloads with the AWS Well-Architected ToolLearn about architecture reviews using the AWS Well-Architected Tool. Covers evaluation based on the six pillars, improvement planning, and custom lens usage.Audit Log Design and Operations - Complete API Activity Recording with CloudTrailLearn how to design audit logs using AWS CloudTrail, including recording API activity, long-term storage in S3, and compliance automation through integration with AWS Config.Lessons from AWS Incident Reports (COE) - How Past Major Outages Shaped Design PrinciplesAnalyze the root causes of past major incidents including the S3 outage, us-east-1 DNS failure, and Kinesis outage from AWS's published Correction of Errors (COE) and incident reports, and explain how they changed AWS's design principles.Tag Design Determines Operations - Trivia and Practical Naming Conventions for AWS Resource Tagging StrategyWe explain why AWS resource tags are not just labels but the foundation for cost allocation, access control, and automation, covering tag key naming conventions, how to use the 50-tag limit, and governance through tag policies.Why AWS Service Quotas Exist - Multi-Tenant Design That Protects Shared InfrastructureExplain how AWS service quotas (formerly service limits) are not mere restrictions but a design to protect other customers in a multi-tenant environment, covering the noisy neighbor problem, soft vs hard limits, and what happens behind quota increase requests.

Similar Articles and Services

Streamlining Systems Operations - Building a Unified Operations Platform with Systems ManagerLearn how to design systems operations management with AWS Systems Manager, including patch management, Parameter Store, and operational automation using Run Command.AWS Systems ManagerA service that centralizes operational management of EC2 instances and on-premises servers, enabling patch application, command execution, parameter management, and session connections securely without SSHAWS Systems Manager Operational Automation - A Unified Operations Platform from Patch Management to Session ManagementExplain the advantages of AWS Systems Manager as a unified operational automation platform, focusing on Patch Manager, Inventory, Run Command, and Session Manager, compared with Azure Automation.Eliminate SSH Key Management with EC2 Instance Connect - Secure Connections from Browser and CLILearn about keyless SSH connections with EC2 Instance Connect, IAM-based access control, and Endpoint usage.