Systems Manager is a set of AWS tools that offers comprehensive configuration management of fleets of servers. We discuss AWS Systems Manager in more detail in Chapter 7, “Provisioning Resources.”
An important part of Systems Manager is Systems Manager Automation, which allows you to perform the following common IT tasks:
Automating provisioning and configuration of instances
Performing complex and disruptive operations such as replacing an image for your instances in a scalable, secure, and orchestrated manner
Enhancing the security of your environment by implementing automated responses to security-related events
Reacting to changes in your environment through integration with Amazon EventBridge support
When you create an EventBridge rule, you can choose Systems Manager Automation as the target type and specify the automation document (runbook) that should run whenever an event matches the rule's event pattern.
Tying EventBridge to Systems Manager is invaluable in any systems operations environment because it lets you treat the infrastructure as a programmatically addressable resource that responds to events in much the same way a serverless application does. You can therefore build more flexible, resilient, and reliable infrastructure even when your application is not ready to go entirely serverless.
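The following is an added example, not code from the original page, showing what that rule looks like in practice: an EventBridge event pattern for EC2 state-change events, a minimal matcher so you can check the pattern against a sample event offline, and the target entry that hands the instance ID to a Systems Manager Automation runbook. The account ID, role ARN, rule name, runbook name (Org-HardenNewInstance) and the sample event are all hypothetical values constructed for illustration; the target ARN form and the input-transformer shape are assumptions that match what the EventBridge console generates for an SSM Automation target.

```python
"""Wire an EventBridge rule to a Systems Manager Automation runbook.

Added example; not code from the original page. Hypothetical values: the
account ID, role ARN, rule name, runbook name, and the sample event are
constructed for illustration.
"""
import json

# Event pattern: EC2 instances entering the "running" state. This is the same
# JSON you would paste into the EventBridge console or pass to put-rule.
RUNNING_INSTANCE_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["EC2 Instance State-change Notification"],
    "detail": {"state": ["running"]},
}


def event_matches(pattern, event):
    """Exact-match subset of EventBridge pattern semantics: every key in the
    pattern must exist in the event; a leaf list matches when the event value
    (or any element of an event list) equals one of the listed values; nested
    objects recurse. Prefix, numeric and anything-but matchers are not covered."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not event_matches(expected, actual):
                return False
        else:
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(value in expected for value in candidates):
                return False
    return True


def automation_target(target_id, runbook, region, account_id, role_arn):
    """EventBridge target entry for an SSM Automation runbook (assumed shape).
    The ARN uses the automation-definition form with the $DEFAULT document
    version; the input transformer pulls the instance ID out of the event and
    passes it as the runbook's InstanceId parameter. Runbook parameters are
    lists of strings, which is why the value is wrapped in a list."""
    return {
        "Id": target_id,
        "Arn": f"arn:aws:ssm:{region}:{account_id}:automation-definition/{runbook}:$DEFAULT",
        "RoleArn": role_arn,
        "InputTransformer": {
            "InputPathsMap": {"instance": "$.detail.instance-id"},
            "InputTemplate": '{"InstanceId": ["<instance>"]}',
        },
    }


def put_rule_and_target(events_client, rule_name, pattern, target):
    """Create (or update) the rule and attach the runbook target. events_client
    is a boto3 EventBridge client (boto3.client("events")); it is passed in so
    this module can be imported and tested without AWS credentials. Returns the
    number of targets EventBridge rejected (0 on success)."""
    events_client.put_rule(Name=rule_name, EventPattern=json.dumps(pattern), State="ENABLED")
    response = events_client.put_targets(Rule=rule_name, Targets=[target])
    return response.get("FailedEntryCount", 0)


# Constructed sample event in the shape EC2 publishes to the default event bus.
SAMPLE_EVENT = {
    "version": "0",
    "id": "7bf73129-1428-4cd3-a780-95db273d1602",
    "detail-type": "EC2 Instance State-change Notification",
    "source": "aws.ec2",
    "account": "123456789012",
    "time": "2024-05-01T12:00:00Z",
    "region": "us-east-1",
    "resources": ["arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"],
    "detail": {"instance-id": "i-0123456789abcdef0", "state": "running"},
}

if __name__ == "__main__":
    # Dry run: show whether the sample event would fire the rule and what the
    # target entry looks like. Pass boto3.client("events") to put_rule_and_target
    # to actually create the rule.
    target = automation_target("harden-new-instance", "Org-HardenNewInstance", "us-east-1",
                               "123456789012", "arn:aws:iam::123456789012:role/EventBridgeSsmRole")
    print("matches:", event_matches(RUNNING_INSTANCE_PATTERN, SAMPLE_EVENT))
    print(json.dumps(target, indent=2))
```

The role in RoleArn must allow ssm:StartAutomationExecution on the runbook; EventBridge assumes it to start the automation, and the runbook itself then needs its own AutomationAssumeRole or the caller's permissions to act on the instance.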
Cram Quiz
Answer this question. The answer follows the question. If you cannot answer the question correctly, consider reading this section again until you can.
1. You need to be able to detect a change in the number of EC2 instances running in your application and send the information about the change to your Zendesk ticketing platform. Which service would allow you to achieve this functionality? (Choose all that apply.)
A. EventBridge
B. CloudWatch Events
C. EC2 AutoScaling
D. Systems Manager Automation
1. Answer: A is correct. EventBridge can deliver AWS events to third-party SaaS platforms such as Zendesk, so a rule that matches EC2 instance state-change events can forward the change to your ticketing system. CloudWatch Events is the earlier name for the same underlying service, but the SaaS integrations are EventBridge features; EC2 Auto Scaling and Systems Manager Automation do not send events to external applications.
This section covers the following official AWS Certified SysOps Administrator – Associate (SOA-C02) exam domains:
Domain 1: Monitoring, Logging, and Remediation
Domain 4: Security and Compliance
Cram Saver
If you can correctly answer these questions before going through this section, save time by completing the Cram Quiz at the end of the section.
1. Your organization requires you to capture a comprehensive auditable log of the state of your AWS account over time. What would be the simplest way to capture the state for auditing purposes?
2. What would be the easiest way to perform remediation of an issue found in AWS Config?
Answers
1. Answer: Enable the AWS Config configuration recorder so that it starts recording configuration items for the resources in your account. The resulting configuration history and configuration snapshots give you an auditable record of the state of your infrastructure in AWS over time.
2. Answer: You can configure remediation directly on an AWS Config rule. Remediation actions are Systems Manager Automation runbooks, which can be run manually or automatically when a resource is evaluated as noncompliant. If no suitable runbook exists, you can instead send a notification to another service (for example, through EventBridge or SNS) that performs the remediation or alerts an administrator for human intervention.
So far, we have covered how to monitor, troubleshoot, and react to alarms and events at the infrastructure and account level. However, there is a missing aspect to the troubleshooting and reaction story that is needed in any IT environment: the state. Capturing the state of your application is a crucial part of tracking how your application changes over time and for ensuring you have a manageable audit trail. Recording the state of your application environment is also a crucial factor in determining compliance and increasing the security of your platform over time; this is where AWS Config comes in.
With AWS Config, you can capture configuration snapshots of your environment so you can easily assess, audit, and evaluate the state of all the AWS resources within your account or organization. Over time, recorded configurations can be compared against a desired state, allowing you to maintain an auditable record of compliance for your application infrastructure in AWS.
AWS Config also detects resource changes: the configuration recorder captures each change as a configuration item, and AWS managed or custom Config rules continuously evaluate those resources for compliance. When you create a rule, you can attach a remediation action (a Systems Manager Automation runbook) so that a noncompliant resource either raises an alert or is remediated automatically.
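As an added example (not code from the original page), here is what a custom Config rule and its remediation look like end to end: a Lambda handler that Config invokes on each security-group change, a pure evaluation function that flags a group exposing a port to 0.0.0.0/0, and the payload for put_remediation_configurations that attaches a Systems Manager Automation runbook to the rule. The runbook name AWS-DisablePublicAccessForSecurityGroup, the role ARN, the rule name, and the sample configuration items are assumptions constructed for illustration; the configuration-item field names are those Config uses for AWS::EC2::SecurityGroup but are also treated as an assumption here.

```python
"""Custom AWS Config rule (Lambda) for world-exposed security groups, plus the
remediation configuration that attaches an SSM Automation runbook to it.

Added example; not code from the original page. The runbook name, role ARN,
rule name and sample configuration items are assumptions for illustration.
"""
import json

WORLD = "0.0.0.0/0"


def _cidrs(permission):
    """IPv4 CIDRs from one ipPermissions entry of a Config configuration item.
    Config lists them as plain strings (ipRanges) and as objects (ipv4Ranges);
    both are read so the check works whichever shape is present (assumed)."""
    found = set(permission.get("ipRanges", []))
    found.update(r.get("cidrIp") for r in permission.get("ipv4Ranges", []) if isinstance(r, dict))
    return found


def evaluate_security_group(configuration, forbidden_port=22):
    """Return (ComplianceType, annotation) for one security group's configuration.
    NON_COMPLIANT if any rule open to 0.0.0.0/0 covers the port, including
    all-traffic rules (ipProtocol "-1") and port ranges that span it."""
    for perm in configuration.get("ipPermissions", []):
        if WORLD not in _cidrs(perm):
            continue
        proto, lo, hi = perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")
        all_traffic = proto == "-1"
        covers_port = lo is not None and hi is not None and lo <= forbidden_port <= hi
        if all_traffic or covers_port:
            return "NON_COMPLIANT", f"port {forbidden_port} reachable from {WORLD}"
    return "COMPLIANT", f"port {forbidden_port} not exposed to {WORLD}"


def lambda_handler(event, context=None, config_client=None):
    """Entry point Config invokes for a change-triggered custom rule. Parses the
    invokingEvent, evaluates the resource, and reports through put_evaluations.
    config_client is boto3.client("config") inside Lambda; it is injected so
    the handler can run offline. Returns the evaluation it would report."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking.get("configurationItem")
    if item is None:
        # Scheduled or oversized notifications carry no item; fetching it via
        # get_resource_config_history is left out of this example.
        return None
    params = json.loads(event.get("ruleParameters") or "{}")
    port = int(params.get("forbiddenPort", 22))
    if item["resourceType"] != "AWS::EC2::SecurityGroup" or item.get("configurationItemStatus") == "ResourceDeleted":
        compliance, note = "NOT_APPLICABLE", "not an existing security group"
    else:
        compliance, note = evaluate_security_group(item["configuration"], port)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is not None:
        config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def remediation_configuration(rule_name, role_arn, runbook="AWS-DisablePublicAccessForSecurityGroup"):
    """Payload for ConfigService.put_remediation_configurations: run the runbook
    automatically for each NON_COMPLIANT resource, passing the resource ID as
    GroupId and a static role for the automation to assume."""
    return {
        "ConfigRuleName": rule_name,
        "TargetType": "SSM_DOCUMENT",
        "TargetId": runbook,
        "Parameters": {
            "GroupId": {"ResourceValue": {"Value": "RESOURCE_ID"}},
            "AutomationAssumeRole": {"StaticValue": {"Values": [role_arn]}},
        },
        "Automatic": True,
        "MaximumAutomaticAttempts": 3,
        "RetryAttemptSeconds": 60,
    }


def sample_event(permissions):
    """Constructed change notification in the shape Config sends to a rule Lambda."""
    item = {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-0123456789abcdef0",
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2024-05-01T12:00:00.000Z",
        "configuration": {"groupId": "sg-0123456789abcdef0", "ipPermissions": permissions},
    }
    return {
        "invokingEvent": json.dumps({"configurationItem": item,
                                     "messageType": "ConfigurationItemChangeNotification"}),
        "ruleParameters": json.dumps({"forbiddenPort": "22"}),
        "resultToken": "constructed-token",
    }


# Constructed ipPermissions: SSH open to the world vs. SSH limited to one office range.
OPEN_SSH = [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": [WORLD], "ipv4Ranges": [{"cidrIp": WORLD}]}]
OFFICE_SSH = [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
               "ipRanges": ["203.0.113.0/24"], "ipv4Ranges": [{"cidrIp": "203.0.113.0/24"}]}]
```

Deploy the handler as the Lambda behind a custom Config rule scoped to AWS::EC2::SecurityGroup, then call put_remediation_configurations with the payload above; the role in AutomationAssumeRole needs ec2:RevokeSecurityGroupIngress on the groups it will clean up, and Config's own role needs ssm:StartAutomationExecution on the runbook.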