The superiority of cloud-driven operations lie in the provider’s ability to deliver advanced infrastructure on-demand to help meet an enterprise’s functional and application operation needs. Quite in tandem, Amazon’s Elastic Compute Cloud (EC2) is an on-demand virtual computing service extended by the Amazon Web Services (AWS) cloud. Its primary advantages lie in its high scalability, upward or downward – thus being ‘elastic’ – and users can create virtual servers called ‘instances’ from Amazon Machine Images (AMI) that serve as templates. Two objectives that organizations might seek to fulfil with respect to managing EC2 instances are automating their resource operations administration on the AWS and ensuring that their systems are secure and compliant. AWS Systems Manager and AWS Config solutions offered by Amazon greatly help in achieving them.
Executing Commands Remotely with AWS Systems Manager
AWS Systems Manager allows you to automate tasks like executing scripts or patching software over multiple EC2 instances. This can be performed concurrently without logging on to each instance and simplifies the process while ensuring uniformity. There are certain prerequisites that need to be fulfilled before this functionality can be used. When launching the instance, a configured Identity and Access Management (IAM) role must be specified with the AmazonEC2RoleforSSM policy attached. An SSM agent must be installed in each of the instances. SSM agents are installed by default on Linux AMI and certain Ubuntu AMI. Lastly ensure that the operating system is supported, as is the SSM in the region of operation.
Log In and Choose Instances
To perform the above task, log onto the AWS Systems Manager Console, and choose Run Command. There is a plethora of operations that are available in the command document list, AWS-RunRemoteScript, AWS-ConfigureDocker, and AWS-RunShellScript. You can choose which instances to run the commands on, either manually, or through a specific tag or resource group. There are various parameters that can be controlled during the execution of these commands. The number or proportion of instances to concurrently run the command on can be specified, as can the execution timeout and error threshold. You can also add in comments about the task.
Record Outputs and Monitor Outcomes
Finally, you can record the output in an S3 bucket to monitor the outcome. Of course, you can choose not to do this as well, but the output preview that can be viewed on the AWS Systems Manager Console is truncated at 2500 characters. Alternatively, you can log on to an instance to verify the outcome. You can also enable SNS notifications to receive updates about the status of the execution of the command. When you run the command, it will execute simultaneously on all selected instances, whether 5, 10, 100, or more, according to the rate of concurrence specified.
AWS Systems Manager simplifies executing such tasks, especially when operating at scale. Not only do you not need to log in to each instance manually, you can also prevent errors that may occur when performing updates and installations one by one. Additionally, the control you have over the execution of your commands ensures that the process is secure and compliant. Systems Manager enables you to do this and much more in a simple and secured manner.
Ensuring Compliance with AWS Config
One of the major challenges of managing systems can be ensuring continued compliance. This can become increasingly tedious when the cloud environment is scaled up as manual methods are difficult to sustain. Frequent changes can result in inaccurate assessments that miss events, thus resulting in policy violations. On the one hand, the commitment to demonstrate compliance can become resource draining, and on the other, it rarely provides adequate feedback to target necessary issues to rectify. AWS Config can address these concerns and much more by automating resource audits to make it a continuous and comprehensive process with great scalability.
Introducing Compliance-as-Code
AWS Config is a managed service that allows users to track and monitor changes in resources within an AWS environment. It uses a Compliance-as-code framework to create and deploy rules that govern the functioning of your resources. Compliance requirements can be codified as Config rules that evaluate the resources and remedial actions can be specified as necessary. There are several rules built into AWS Config and available by default, though one can also use custom rules by creating a Lambda function on AWS Lambda that is invoked by the rule. AWS Config also provides a chronological log of events and a detailed trail of continuous deployment changes. Finally, it enables enterprises to automate the handling of non-compliant resources using an API or console.
Custom Rules for Configuration
AWS Config has over 100 built-in rules that cover most generic needs of your enterprise. However, as stated earlier, custom rules can be created using AWS Lambda functions, which can allow you to customize either the requirement or the remediation process. When trying to monitor EC2 instances, the following built-in rules can come in handy:
- DESIRED INSTANCE TYPE
- EC2 INSTANCE DETAILED MONITORING ENABLED
- EC2 INSTANCE NO PUBLIC IP
- EC2 INSTANCE PROFILE ATTACHED
- EC2 MANAGEDINSTANCE APPLICATIONS REQUIRED
- EC2 RESOURCES PROTECTED BY BACKUP PLAN
- EC2 STOPPED INSTANCE
These and many more rules are extremely useful in monitoring EC2 instances. You can also create custom rules to check for other things, for example, whether a key pair was attached to the EC2 instance at the time of launch. If not, it is good to quickly identify non-compliant instances, as they can only be attached during launch, and are recommended to use over passwords. Such problems can be quickly identified and resolved by AWS Config without requiring manual intervention. Finally, AWS Config also keeps you updated on changes in your cloud environment or compliance through SNS.
When using AWS Config, it is good to adopt certain best practices to manage your resources efficiently and securely. Firstly, it is helpful to consolidate all data and information, especially if using multiple AWS accounts. This aids in managing access, while making auditing easier. Then, developing standard tagging for various instance groups can help in identifying resources, costing, and automating various tasks, including checking for and remedying compliance issues and running remote commands using Systems Manager. Finally, it is useful to validate the functioning of Config rules that have been set up and test them on a handful of EC2 instances.
Conclusion: Think and Run Smart with AWS and Cloud4C
Let’s face it, cloud is the ideal answer to all ITSM visions in the present and upcoming future. The use of AWS Systems Manager and AWS Config, in this case for instance, allows your enterprise to automate and standardize various processes to ensure that your EC2 instances are both efficient and compliant. This enables you to fully benefit from the scalability of EC2 without having to invest too much into managing and monitoring each instance manually, thus eliminating unnecessary risks along with time consuming and costly interventions. That’s a power too illustrious to ignore and something that could be best implemented and managed with Cloud4C’s extensive DevOps on AWS practice including Infrastructure as Code, containerization and microservices, CI-CD deployment, serverless designs, DevSecOps implementation, and more. Click here to explore and design the route to smart DevOps.
Give us a shout at info@cloud4c.com if your vision is to think and run like a pro.
