AWS Systems Manager
A service that centralizes operational management of EC2 instances and on-premises servers, enabling patch application, command execution, parameter management, and session connections securely without SSH
Overview
AWS Systems Manager (SSM) is a suite of services that unifies operational management of AWS resources and on-premises servers. For instances with the SSM Agent installed, it provides shell access without opening SSH ports (Session Manager), remote command execution (Run Command), automated OS patching (Patch Manager), software inventory collection (Inventory), and secure storage of configuration parameters (Parameter Store). Parameter Store centrally manages configuration values and connection strings, with KMS encryption applied for the SecureString type. The free tier is generous - standard parameters in Parameter Store are free for up to 10,000 entries.
Session Manager - Eliminating the Need for SSH
Session Manager provides shell access to EC2 instances through IAM authentication. It eliminates the need for SSH key management and removes the requirement to open port 22 in security groups. All session input and output is logged to S3/CloudWatch Logs (once session logging is enabled in the Session Manager preferences), and every session start and end is recorded in CloudTrail, providing a complete audit trail of who executed what and when. This level of auditing is difficult to achieve with SSH. Session Manager can be used from the browser-based console or the AWS CLI. The port forwarding feature even lets you connect to an RDS instance in a private subnet from a local database client. More and more organizations are retiring bastion hosts in favor of Session Manager.
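The audit trail above only exists if session logging is actually switched on, so the first thing to check in an account is the Session Manager preferences document. The following Python is an added example, not code from the original article or from AWS: it scores a preferences document (the inputs named below are the documented inputs of the SSM-SessionManagerRunShell document; the two sample documents, the bucket name, log group, key alias and idle-timeout threshold are constructed for the example) and reports what is missing.

```python
"""Audit a Session Manager preferences document before treating it as an
audit trail. Added example, not code from the original article.

Shell input/output logging is controlled by the SSM-SessionManagerRunShell
session preferences document; CloudTrail alone records the StartSession and
TerminateSession API calls, not what was typed. The input names below are
the documented inputs of that document; both sample documents are constructed.
"""
import json
from typing import List

# Constructed sample: defaults left untouched, so no session data is retained.
UNCONFIGURED_PREFERENCES = json.dumps({
    "schemaVersion": "1.0",
    "description": "Document to hold regional settings for Session Manager",
    "sessionType": "Standard_Stream",
    "inputs": {
        "s3BucketName": "",
        "s3KeyPrefix": "",
        "s3EncryptionEnabled": True,
        "cloudWatchLogGroupName": "",
        "cloudWatchEncryptionEnabled": True,
        "cloudWatchStreamingEnabled": False,
        "kmsKeyId": "",
        "runAsEnabled": False,
        "runAsDefaultUser": "",
        "idleSessionTimeout": "20",
        "maxSessionDuration": "",
        "shellProfile": {"windows": "", "linux": ""},
    },
})

# Constructed sample: logging to both sinks, KMS-encrypted, streamed live,
# sessions run as a dedicated OS user instead of the default ssm-user.
HARDENED_PREFERENCES = json.dumps({
    "schemaVersion": "1.0",
    "description": "Document to hold regional settings for Session Manager",
    "sessionType": "Standard_Stream",
    "inputs": {
        "s3BucketName": "example-session-logs",        # constructed bucket name
        "s3KeyPrefix": "ssm/",
        "s3EncryptionEnabled": True,
        "cloudWatchLogGroupName": "/ssm/sessions",      # constructed log group
        "cloudWatchEncryptionEnabled": True,
        "cloudWatchStreamingEnabled": True,
        "kmsKeyId": "alias/session-manager-example",    # constructed key alias
        "runAsEnabled": True,
        "runAsDefaultUser": "ops",
        "idleSessionTimeout": "15",
        "maxSessionDuration": "120",
        "shellProfile": {"windows": "", "linux": ""},
    },
})

MAX_IDLE_MINUTES = 20  # policy threshold assumed for this example


def session_preference_findings(document_json: str) -> List[str]:
    """Return findings for a session preferences document; an empty list means
    every session is logged, encrypted, and runs as an explicit OS user."""
    inputs = json.loads(document_json).get("inputs", {})
    findings: List[str] = []

    s3_on = bool(inputs.get("s3BucketName"))
    cw_on = bool(inputs.get("cloudWatchLogGroupName"))
    if not (s3_on or cw_on):
        findings.append("no session data logging: set s3BucketName and/or cloudWatchLogGroupName")
    if s3_on and not inputs.get("s3EncryptionEnabled", False):
        findings.append("s3EncryptionEnabled is false: session logs land unencrypted in S3")
    if cw_on and not inputs.get("cloudWatchEncryptionEnabled", False):
        findings.append("cloudWatchEncryptionEnabled is false")
    if cw_on and not inputs.get("cloudWatchStreamingEnabled", False):
        findings.append("cloudWatchStreamingEnabled is false: logs arrive only after the session ends")
    if not inputs.get("kmsKeyId"):
        findings.append("kmsKeyId empty: session data is not additionally encrypted with a customer KMS key")
    if not inputs.get("runAsEnabled", False):
        findings.append("runAsEnabled is false: Linux sessions run as ssm-user, which has sudo by default")
    elif not inputs.get("runAsDefaultUser"):
        findings.append("runAsEnabled without runAsDefaultUser: sessions fail unless the IAM principal carries an SSMSessionRunAs tag")
    idle = inputs.get("idleSessionTimeout") or ""
    if not idle.isdigit() or int(idle) > MAX_IDLE_MINUTES:
        findings.append(f"idleSessionTimeout is '{idle}': expected 1-{MAX_IDLE_MINUTES} minutes")
    return findings


if __name__ == "__main__":
    for label, doc in (("unconfigured", UNCONFIGURED_PREFERENCES), ("hardened", HARDENED_PREFERENCES)):
        print(label, session_preference_findings(doc) or "OK")
```

The document itself can be pulled with `aws ssm get-document --name SSM-SessionManagerRunShell` and the Content field fed to the function; the untouched default produces three findings, the hardened version none.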
Choosing Between Parameter Store and Secrets Manager
Parameter Store and Secrets Manager both store configuration values and secrets, but they serve different purposes. Parameter Store is primarily for centralized configuration management, with a generous free tier (up to 10,000 standard parameters for free) and the ability to organize parameters in a hierarchical structure (paths like /app/prod/db-host). Secrets Manager is primarily for secret rotation, with built-in automatic rotation for RDS, Redshift, and DocumentDB passwords. Pricing is $0.40 per secret per month plus $0.05 per 10,000 API calls. For secrets that don't require automatic rotation, Parameter Store's SecureString is sufficient and more cost-effective. The Azure equivalent is a combination of Azure Automation and Azure Key Vault.
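Hierarchical paths are only useful if the application turns them back into structured configuration, and SecureString values come back as KMS ciphertext unless decryption is requested. The following Python is an added example, not code from the original article or from AWS: it nests GetParametersByPath records under a prefix, tracks which leaves are secrets, and fetches live (assuming boto3 and credentials with ssm:GetParametersByPath and kms:Decrypt). The sample records and their values are constructed.

```python
"""Build a nested config from Parameter Store's hierarchical paths. Added
example, not code from the original article. Records are shaped like the
Parameters list of a GetParametersByPath response; the samples are constructed.
"""
from typing import Any, Dict, List, Optional, Set, Tuple

# Constructed sample records. The SecureString Value is what you get with
# WithDecryption=True; without it, the API returns the KMS ciphertext instead.
SAMPLE_PARAMETERS = [
    {"Name": "/app/prod/db-host", "Type": "String", "Value": "db.internal.example"},
    {"Name": "/app/prod/db-port", "Type": "String", "Value": "5432"},
    {"Name": "/app/prod/db-password", "Type": "SecureString", "Value": "example-only"},
    {"Name": "/app/prod/allowed-cidrs", "Type": "StringList", "Value": "10.0.0.0/8,192.168.0.0/16"},
    {"Name": "/app/staging/db-host", "Type": "String", "Value": "db-staging.internal.example"},
]


def build_config(prefix: str, parameters: List[Dict[str, Any]]) -> Tuple[Dict[str, Any], Set[str]]:
    """Nest every parameter under `prefix` by path segment.

    Returns (config, secret_names): StringList values are split into lists,
    and the full names of SecureString parameters are collected so callers
    can keep them out of logs. Raises if a parameter collides with a sub-path.
    """
    if not prefix.startswith("/") or prefix.endswith("/"):
        raise ValueError("prefix must be absolute and without a trailing slash")
    config: Dict[str, Any] = {}
    secrets: Set[str] = set()
    for param in parameters:
        name = param["Name"]
        if not name.startswith(prefix + "/"):
            continue  # outside the requested subtree
        segments = name[len(prefix) + 1:].split("/")
        node = config
        for seg in segments[:-1]:
            node = node.setdefault(seg, {})
            if not isinstance(node, dict):
                raise ValueError(f"{name}: parent path is already a leaf value")
        leaf = segments[-1]
        if isinstance(node.get(leaf), dict):
            raise ValueError(f"{name}: collides with a sub-path")
        value: Any = param["Value"]
        if param["Type"] == "StringList":
            value = value.split(",")
        elif param["Type"] == "SecureString":
            secrets.add(name)
        node[leaf] = value
    return config, secrets


def fetch_parameters(prefix: str, region: Optional[str] = None) -> List[Dict[str, Any]]:
    """Live fetch. Assumes boto3 is installed and credentials carry
    ssm:GetParametersByPath plus kms:Decrypt on the SecureString key.
    boto3 is imported lazily so the rest of the module runs offline."""
    import boto3
    client = boto3.client("ssm", region_name=region)
    records: List[Dict[str, Any]] = []
    paginator = client.get_paginator("get_parameters_by_path")
    for page in paginator.paginate(Path=prefix, Recursive=True, WithDecryption=True):
        records.extend(page["Parameters"])
    return records


if __name__ == "__main__":
    cfg, secret_names = build_config("/app", SAMPLE_PARAMETERS)
    print({env: sorted(keys) for env, keys in cfg.items()})
    print("secrets:", sorted(secret_names))
```

Requesting `/app/prod` gives a flat dict for one environment, while `/app` nests each environment under its own key; the returned secret names are the ones to redact before the config is dumped anywhere.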
Practical Use Cases
Systems Manager's Patch Manager automates OS patching for EC2 instances. You define which patches to apply using patch baselines and set application schedules with maintenance windows. Patch compliance reports give you an overview of the patching status of each instance. Run Command executes commands simultaneously across multiple instances. You can specify targets by tag, allowing you to run commands across all instances with an Environment=Production tag at once. Automation lets you define operational tasks as runbooks and execute them automatically. Routine tasks such as instance restarts, AMI creation, and EBS snapshot capture can all be automated. For a systematic study of Systems Manager from basics to advanced topics, books on Amazon are a great resource.
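Running a command against every instance carrying a tag is convenient, which is exactly why the request should bound how far a bad command can spread. The following Python is an added example, not code from the original article or from AWS: it builds a SendCommand request that targets by tag with MaxConcurrency and MaxErrors set, and summarizes ListCommandInvocations results so unreachable instances stand out. The field names follow the SendCommand and ListCommandInvocations APIs; the sample invocation list and instance IDs are constructed.

```python
"""Run Command by tag with a bounded blast radius, plus a result summary.
Added example, not code from the original article. Request and response
fields follow the SendCommand / ListCommandInvocations API; the sample
invocation list is constructed."""
from collections import Counter
from typing import Any, Dict, Iterable, List, Optional

# Invocation Status values that will not change any more.
TERMINAL = {"Success", "Failed", "TimedOut", "Cancelled"}


def run_command_request(tag_key: str, tag_values: Iterable[str], commands: Iterable[str], *,
                        max_concurrency: str = "10%", max_errors: str = "1",
                        timeout_seconds: int = 600, log_group: Optional[str] = None) -> Dict[str, Any]:
    """Build the keyword arguments for ssm.send_command with tag targeting."""
    commands = list(commands)
    if not commands:
        raise ValueError("no commands given")
    request: Dict[str, Any] = {
        "DocumentName": "AWS-RunShellScript",
        "Targets": [{"Key": f"tag:{tag_key}", "Values": list(tag_values)}],
        "Parameters": {"commands": commands},
        "MaxConcurrency": max_concurrency,  # roll out in waves, not to the whole fleet at once
        "MaxErrors": max_errors,            # stop dispatching after this many failures
        "TimeoutSeconds": timeout_seconds,
    }
    if log_group:  # keep command output where it can be reviewed later
        request["CloudWatchOutputConfig"] = {
            "CloudWatchLogGroupName": log_group,
            "CloudWatchOutputEnabled": True,
        }
    return request


def send(request: Dict[str, Any], region: Optional[str] = None) -> str:
    """Live dispatch; assumes boto3 and ssm:SendCommand permission. Returns the CommandId."""
    import boto3  # imported lazily so the module runs offline
    return boto3.client("ssm", region_name=region).send_command(**request)["Command"]["CommandId"]


# Constructed sample, shaped like CommandInvocations from ListCommandInvocations.
SAMPLE_INVOCATIONS = [
    {"InstanceId": "i-0a11", "Status": "Success", "StatusDetails": "Success"},
    {"InstanceId": "i-0b22", "Status": "Success", "StatusDetails": "Success"},
    {"InstanceId": "i-0c33", "Status": "Failed", "StatusDetails": "Failed"},
    {"InstanceId": "i-0d44", "Status": "TimedOut", "StatusDetails": "DeliveryTimedOut"},
    {"InstanceId": "i-0e55", "Status": "InProgress", "StatusDetails": "InProgress"},
]


def summarize_invocations(invocations: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Count statuses and single out instances needing follow-up.

    DeliveryTimedOut means the agent never received the command: the instance
    is not really under SSM management (agent stopped, no instance profile, no
    route to the SSM endpoints) and will be missed by Patch Manager as well."""
    counts = Counter(inv["Status"] for inv in invocations)
    failed = sorted(inv["InstanceId"] for inv in invocations if inv["Status"] in {"Failed", "TimedOut"})
    unreachable = sorted(inv["InstanceId"] for inv in invocations
                         if inv.get("StatusDetails") == "DeliveryTimedOut")
    return {
        "counts": dict(counts),
        "failed": failed,
        "unreachable": unreachable,
        "complete": all(inv["Status"] in TERMINAL for inv in invocations),
    }


if __name__ == "__main__":
    print(run_command_request("Environment", ["Production"], ["uptime"], log_group="/ssm/run-command"))
    print(summarize_invocations(SAMPLE_INVOCATIONS))
```

A 10% concurrency with MaxErrors of 1 means a broken script reaches a tenth of the tagged fleet at most before dispatch halts; the unreachable list is worth reconciling against the instance inventory, because those hosts are silently outside patch compliance too.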