AWS Case Study: AWS Systems Manager Grows AWS Automation, Security
- February 06, 2018
As part of a well-architected AWS environment, AWS Systems Manager effectively streamlines and improves operations and compliance for enterprises. Providing a consolidated view of operational data for monitoring and troubleshooting, AWS Systems Manager helps streamline the management process for many enterprise AWS users as does its ability to automate actions on resource groups. As you’ll see in the following story of two organizations, AWS Systems Manager increases security through its integrated compliance dashboards, automated patching, and data that expedites problem resolution.
Our first story is of a Fortune 500 manufacturer that wanted to simplify the maintenance of its instances to improve security and compliance. SSM was used to accomplish this goal. First, we employed SSM’s encrypted parameter store to handle secrets. As the firm already followed solid IAM practices regarding permissions, this made it easy to provide the necessary separation of KMS keys for encrypted parameters. Next, we used SSM Run Command, using its ability to run scripts from S3, to create an API for handling common administrative tasks. This allowed us to create a common repository of administrative scripts that different users could run on their servers.
We rebuilt their AMI baking process to a serverless setup using SSM Automations triggered by Amazon CloudWatch events. The process started with a base AMI, it ran the Ansible playbook, baked an image, performed tests on the image, and shared the image with other accounts. Finally, the target account had a periodic trigger to search for new images shared with the account, and again using SSM automation it brought up instances with the image with encrypted volumes. Last, it baked the image again as an encrypted image.
We met the customer’s other compliance needs using EC2 Patch Manager, State Manager, and Inventory. We deployed multiple patch groups and baselines for Patch Manager so users can choose the rules appropriate for them using tags. We also created baselines with delays in deploying patches, so users can get a chance to test the updates in development before rolling them out to production. All of this compliance data was ingested into an ElasticSearch cluster.
With AWS Systems Manager, we could have easily grouped the company’s AWS assets and implemented automated patching across the entire group, not just EC2 instances. This fleet-wide automation would have simplified the patching process while providing a more accessible, central console for ease of management and visualization.
The second organization is a leader in the financial services industry. While it had a very solid system in place, it sought continuous improvement for internal and external security compliance, including patch management, creating audit trails, and alerting on suspicious activity. While we used AWS CloudTrail and AWS Config to create an audit trail and alerts on the audit trail, for server patch management we used SSM Patch Manager with it architected to automate the process of patching instances. It was designed to scan for missing patches and/or instances that need updating. Under the design, the firm could easily select the patches it wanted to install and could then automatically install any or all missing patches.
With automated patches (and rules for auto-approving patches) this firm’s systems are patched regularly and on an as-needed basis as well. To further automate the process, we used the AWS Inspector to trigger alerts on common vulnerabilities and exposures. These alerts in turn triggered a Lambda function and used the EC2 run command to update the element. Thus, actively meeting the company’s need for internal and external security policy compliance.
AWS Systems Manager now provides the company with the ability to aggregate its operational data into a single dashboard, including integrating with its existing AWS Config rules, and AWS CloudTrail trails. AWS System Manager’s compliance dashboard is also a boon to this firm, as it can easily see the state of its patches and security controls.
*This was originally written by Flux7 Inc., which has become Flux7, an NTT DATA Services Company as of December 30, 2019