Aws meetup ssm
AWS SSM Simple System Management
Managing Windows instances in the Cloud
Sponsors
Presented by Adam Book from
Find me on LinkedIn
News Recap 2014
Have you ever wanted to (easily):
- Automatically join the server back to a domain so that users can log in with their usernames and passwords?
- Enable monitoring of logs and metrics on Windows instances so that logs can be saved to CloudWatch Logs?
- Install an application automatically at instance startup without writing a Chef recipe or Puppet manifest?
Simple Systems Manager (SSM) enables you to remotely manage the configuration of your Amazon EC2 instance. Using SSM, you can run scripts or commands using either EC2 Run Command or SSM Config.
(SSM Config is currently available only for Windows instances.)
SSM Simple System Management
Is SSM really Simple?
Image by http://www.gratisography.com/
Yes and No
SSM – Commands
Command                          Description
AWS-JoinDirectoryServiceDomain   Joins an AWS Directory
AWS-RunPowershellScript          Runs PowerShell commands or scripts
AWS-UpdateEC2Config              Updates the EC2Config service
AWS-InstallApplication           Installs, repairs, or uninstalls software using an MSI package
AWS-InstallPowershellModule      Installs PowerShell modules
AWS-ConfigureCloudWatch          Configures CloudWatch Logs and can be used to monitor applications and systems
Where does SSM Work?
Region Name                 Region           Endpoint
US East (N. Virginia)       us-east-1        ssm.us-east-1.amazonaws.com
US West (Oregon)            us-west-2        ssm.us-west-2.amazonaws.com
US West (N. California)     us-west-1        ssm.us-west-1.amazonaws.com
EU (Ireland)                eu-west-1        ssm.eu-west-1.amazonaws.com
EU (Frankfurt)              eu-central-1     ssm.eu-central-1.amazonaws.com
Asia Pacific (Singapore)    ap-southeast-1   ssm.ap-southeast-1.amazonaws.com
Asia Pacific (Tokyo)        ap-northeast-1   ssm.ap-northeast-1.amazonaws.com
Asia Pacific (Sydney)       ap-southeast-2   ssm.ap-southeast-2.amazonaws.com
South America (São Paulo)   sa-east-1        ssm.sa-east-1.amazonaws.com
IAM and SSM
For more info http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ssm-iam.html
In order for SSM to have the permissions that it needs you will need to attach an IAM Role to your instances with either one of the managed policies below or a policy that has the correct SSM permissions.
IAM and SSM
Here is an example of the Role created that we will be using in our examples for our instances
When joining a domain using SSM we will need to find out some information about our Directory so that we can create the JSON document.
Joining a Domain
Notice the highlighted line where we see the distinguished name that shows the:
Joining a Domain
CN -> Common Name
DC -> Domain Controller
OU -> Organizational Unit

{
  "schemaVersion": "1.0",
  "description": "Sample configuration to join an instance to a domain",
  "runtimeConfig": {
    "aws:domainJoin": {
      "properties": {
        "directoryId": "d-1234567890",
        "directoryName": "test.example.com",
        "directoryOU": "OU=test,DC=example,DC=com",
        "dnsIpAddresses": [
          "198.51.100.1",
          "198.51.100.2"
        ]
      }
    }
  }
}
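As an added example that is not part of the deck, a small Python helper that builds the aws:domainJoin document shown above from the values read off the directory's details screen and sanity-checks them before the file is handed to `aws ssm create-document`. The sample values are the deck's constructed ones; the function names and the checks are my own.

```python
import ipaddress
import re

# Constructed sample values mirroring the deck's test_domain.json (not a real directory).
SAMPLE_DIRECTORY = {
    "directory_id": "d-1234567890",
    "directory_name": "test.example.com",
    "directory_ou": "OU=test,DC=example,DC=com",
    "dns_ips": ["198.51.100.1", "198.51.100.2"],
}

DIRECTORY_ID_RE = re.compile(r"^d-[0-9a-f]{10}$")  # shape of a Directory Service id


def dn_components(dn):
    """Split 'OU=test,DC=example,DC=com' into [('OU','test'), ('DC','example'), ('DC','com')]."""
    pairs = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def domain_from_dn(dn):
    """Join the DC= (domain component) values with dots to get the DNS name the DN lives in."""
    return ".".join(v for a, v in dn_components(dn) if a == "DC")


def build_domain_join_document(directory_id, directory_name, directory_ou, dns_ips):
    """Return the aws:domainJoin document as a dict, after sanity-checking its inputs."""
    if not DIRECTORY_ID_RE.match(directory_id):
        raise ValueError(f"directoryId {directory_id!r} is not of the form d-xxxxxxxxxx")
    dc_domain = domain_from_dn(directory_ou).lower()
    name = directory_name.lower()
    # The OU must sit in the directory's domain (or a parent of it, as in the deck's sample).
    if not dc_domain or not (name == dc_domain or name.endswith("." + dc_domain)):
        raise ValueError(f"directoryOU {directory_ou!r} is not under {directory_name!r}")
    for ip in dns_ips:
        ipaddress.IPv4Address(ip)  # raises ValueError for anything that is not a valid IPv4 address
    return {
        "schemaVersion": "1.0",
        "description": f"Join instances to {directory_name}",
        "runtimeConfig": {"aws:domainJoin": {"properties": {
            "directoryId": directory_id,
            "directoryName": directory_name,
            "directoryOU": directory_ou,
            "dnsIpAddresses": list(dns_ips),
        }}},
    }
```

Dump the returned dict with `json.dumps(..., indent=2)` to get the file that `--content file://...` expects.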
Joining a Domain: Creating the Document
Using the AWS CLI you can create the document once for reuse in your SSM endeavors
(we'll save our JSON from before as test_domain.json).
SSM Creating the Document
$ aws ssm create-document --content file://test_domain.json --name "Test_Domain" --region eu-west-1
If we think we have already created the document to join the domain previously, we can use the AWS CLI to ask which documents are currently available with the list-documents command.
SSM Creating the Document
$ aws ssm list-documents --region eu-west-1
Now we're ready to launch our instance. We'll use a STOCK Windows 2012 Server AMI for the first run.
Joining a Domain: A closer look – User Data
<powershell>
Import-Module AWSPowerShell
# Ask the instance metadata service who we are and where we are running.
$web = New-Object Net.WebClient
$InstanceId = $web.DownloadString("http://169.254.169.254/latest/meta-data/instance-id")
$AvailabilityZone = $web.DownloadString("http://169.254.169.254/latest/meta-data/placement/availability-zone")
# Strip the trailing zone letter (e.g. "eu-west-1a" -> "eu-west-1") to get the region.
$Region = $AvailabilityZone.Substring(0, $AvailabilityZone.Length - 1)
# Associate the Test_Domain SSM document with this instance so it joins the domain.
New-SSMAssociation -InstanceId $InstanceId -Name "Test_Domain" -Region $Region
</powershell>
Joining a Domain: How can we tell it joined?
By using the EC2 system log we can see the progress of SSM and the domain join.
SSM Demo Time
Photo courtesy of Stephen Radford via http://snap.io
Joining a Domain: What happens when you don't have a domain?
One of the easiest solutions is to use the Simple AD service from AWS and create a *.local domain to add your users.
Finding your DNS on AWS Simple AD
From the Simple AD service, click on your directory id (e.g. mycorp.local) and you should see a details screen like the one below.
Using Existing Images
When using existing images you need to make sure that User Data is turned on before creating the image to use with SSM. If you don't do this then the scripting done in the user data box will not work.
The Role of sysprep
For more info http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ami-create-standard.html
1) Generalize
2) Specialize
3) Create an Out-of-Box Experience
The Role of sysprep: Generalize
For more info http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ami-create-standard.html
Generalize: The tool removes image-specific information and configurations. For example, Sysprep removes the security identifier (SID), the computer name, the event logs, and specific drivers, to name a few. After this phase is completed, the operating system (OS) is ready to create an AMI.
The Role of sysprep: Specialize
For more info http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ami-create-standard.html
Specialize: Plug and Play scans the computer and installs drivers for any detected devices. The tool generates OS requirements like the computer name and SID. Optionally, you can execute commands in this phase.
The Role of sysprep: Create an OOB Experience
For more info http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ami-create-standard.html
Out-of-Box Experience (OOBE): The system runs an abbreviated version of Windows Setup and asks the user to enter information such as a system language, the time zone, and a registered organization. When you run Sysprep with EC2Config, the answer file automates this phase.
Questions?
Image by http://www.gratisography.com/