Systems Manager Incident Manager – Incident Response – SCS-C02 Study Guide

Systems Manager Incident Manager

AWS has a native tool that allows you to track and respond to incidents, and even alert those responsible for responding to them, all from a single service: Systems Manager Incident Manager.

Before an incident ever happens, you need to prepare for it. This involves the formulation and analysis of escalation and response plans, the creation of Systems Manager Automation runbooks, and coordination with contacts at the three escalation levels, all of which can be seen in the flow chart in Figure 4.11:

Figure 4.11: Systems Manager Incident Manager flow

One of the critical things to know about Incident Manager is how the runbooks are created. This is done from Systems Manager documents. A template that can be used as a response runbook in Incident Manager is available for customization; it includes four predefined steps: triage, diagnosis, mitigation, and recovery.

When creating your runbook, you need to clone and customize this template for your IR scenario.

You need to set up Systems Manager Incident Manager to be able to respond to an incident. Before going through the Incident Manager service, you must create an IAM role for the service. If you do not complete this step and don’t have a role that Incident Manager can use, you will have to go back and create the role while you are trying to develop your response plan. To complete this process, perform the following steps:

  1. Open up the AWS Console in the IAM Service from https://console.aws.amazon.com/iam/.
  2. Choose Roles from the left-hand navigation and then choose Create role.
  3. On the Select trusted entity screen, choose AWS service as the Trusted entity type.

Figure 4.12: Trusted entity types

  4. From the Use cases for other AWS services: dropdown, select Incident Manager.

Figure 4.13: AWS services use cases dropdown

  5. Click on the Next button at the bottom of the page to advance.
  6. Choose Create policy, and then choose the JSON tab.
  7. Use the following base policy, but remember to replace the account number with your own account number. Once that is all in the JSON editor, click the Next: Tags button:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Resource": "arn:aws:ssm:*:1234567890:automation-definition/*",
                "Action": "ssm:StartAutomationExecution"
            },
            {
                "Effect": "Allow",
                "Resource": "arn:aws:iam::*:role/AWS-SystemsManager-AutomationExecutionRole",
                "Action": "sts:AssumeRole"
            },
            {
                "Effect": "Allow",
                "Resource": "arn:aws:ssm-incidents:*:*:*",
                "Action": "ssm-incidents:*"
            },
            {
                "Effect": "Allow",
                "Resource": "arn:aws:ssm-contacts:*:*:*",
                "Action": "ssm-contacts:*"
            }
        ]
    }

  8. Click on the Next: Review button to move to the screen where you can name your policy. Name your policy Incident-Manager-Policy and add a description if you wish. Click on the Create policy button at the bottom of the page.
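As an added example (not part of the study guide), the following Python renders the base policy above with a real account ID, rejects malformed IDs (AWS account IDs are exactly 12 digits, while the guide's placeholder has only 10), and lists the wildcard grants worth reviewing before the policy is attached. The trust policy it emits assumes ssm-incidents.amazonaws.com as the Incident Manager service principal; compare it with the trust relationship the console generated for the role in step 4.

```python
import json
import re

# Permissions policy from the study guide; the account number is still the placeholder.
BASE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ssm:StartAutomationExecution",
         "Resource": "arn:aws:ssm:*:1234567890:automation-definition/*"},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::*:role/AWS-SystemsManager-AutomationExecutionRole"},
        {"Effect": "Allow", "Action": "ssm-incidents:*",
         "Resource": "arn:aws:ssm-incidents:*:*:*"},
        {"Effect": "Allow", "Action": "ssm-contacts:*",
         "Resource": "arn:aws:ssm-contacts:*:*:*"},
    ],
}
PLACEHOLDER_ACCOUNT = "1234567890"  # the guide's placeholder; note it is only 10 digits

def is_valid_account_id(account_id: str) -> bool:
    """AWS account IDs are exactly 12 decimal digits."""
    return re.fullmatch(r"\d{12}", account_id) is not None

def render_policy(account_id: str) -> dict:
    """Return BASE_POLICY with the placeholder replaced by a real, well-formed account ID."""
    # ssm:StartAutomationExecution is the only account-scoped grant, so a mistyped
    # ID would silently break runbook execution; reject it before anything is created.
    if not is_valid_account_id(account_id):
        raise ValueError(f"account id must be 12 digits, got {account_id!r}")
    return json.loads(json.dumps(BASE_POLICY).replace(PLACEHOLDER_ACCOUNT, account_id))

def wildcard_grants(policy: dict) -> list:
    """(action, resource) pairs for Allow statements whose Action ends in '*'."""
    # The guide's policy grants ssm-incidents:* and ssm-contacts:* on every resource;
    # these are the statements to review against what the response plan really needs.
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        findings += [(a, stmt["Resource"]) for a in actions if a.endswith("*")]
    return findings

def trust_policy() -> dict:
    """Trust policy letting the Incident Manager service principal assume the role
    (assumed principal: ssm-incidents.amazonaws.com; verify against the console role)."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"Service": "ssm-incidents.amazonaws.com"},
            "Action": "sts:AssumeRole"}]}
```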

Your IAM role is now ready, and you can go forward with setting up Incident Manager:

  1. If you haven’t already, open the AWS Console in the Systems Manager service.
  2. In the left-hand menu, under Operations Management, click on Incident Manager.
  3. If you have never used the Incident Manager service, click the Get prepared button on the main screen.

This will take you to a screen where you can start with the general settings. Put in the contact details of whoever you want to be contacted in case of an incident, then define your escalation plans and your response plan.

Figure 4.14: Incident Manager—How it works

  4. To start the process of entering your general settings, click the Set up button under General Settings. You must agree to the terms and conditions by clicking the checkbox and then the Next button.

At this point, you will be taken to a screen to select the regions where you want the Incident Manager to be active. The default region will be the AWS region that you are currently in. In this example, this region is US EAST (Ohio), and this is the only region that will be set up now.

Figure 4.15: Incident Manager—Regions

  5. Located at the bottom of the same page are the KMS encryption settings and optional tags settings. For this demonstration, select Use AWS owned key.

Figure 4.16: The Incident Manager KMS key selection

When you have finished setting this up, click on the orange Create button at the bottom of the screen.

  6. You will be brought back to the How it works screen, where it should take about a minute to configure the General Settings. Once these settings have been configured, you can define a contact to respond to an incident by clicking the Create contact button directly to the right.
  7. In the Contact details box, enter the name of your first contact. You will also need to add an alias for each contact.

Figure 4.17: Contact details screen

  8. Then, under Contact Channel, choose from Email, SMS, or Voice. For this example, name the channel Tier1 and select SMS.

Figure 4.18: The Contact channel screen for Incident Manager

  9. Under the Engagement Plan, choose when this set of contacts gets notified. Since this is the first tier of support, have them notified in 1 minute. Set the Engagement time to 1 Minutes after stage start.
  10. With all the details set for your initial contact, press the orange Create button at the bottom of the page.
  11. After creating your contact, you will return to the How it works screen. At this point, move to the right side of the graphic for the column named Response plan and click the orange button called Create response plan.
  12. Now, on the Create response plan page, in the Response plan details box, enter your response plan’s name. The response plan you are creating here will shut down an EC2 instance when an alert is received, as part of a containment strategy.

Figure 4.19: Response plan details for Incident Manager

  13. Now, fill out the Incident defaults. This will tell anyone running your response plan what will happen and what steps to take.

Figure 4.20: Incident defaults for Incident Manager

  14. Next, scroll down on the page until you reach the box labeled Engagements. Here, click on the dropdown and select the contact you added before, Joe Jones, so he can be a part of this IR.

Figure 4.21: Engagements for Incident Manager

  15. Finally, choose Clone runbook from template in the Runbook section. Keep the same runbook name as the one you have been using for your response plan, EC2-Shutdown-US-EAST-2. Since you previously created your role, you should be able to choose it from the dropdown.

Figure 4.22: Role selection for Incident Manager

  16. For Execution Target, choose Response plan owner’s account.
  17. At this point, you can scroll to the bottom of the page and click the orange button labeled Create response plan.

You have just gone through how to set up AWS Systems Manager Incident Manager so that it is prepared to respond to incidents in your AWS account. Next, we will examine other ways to automate your responses to incidents in your AWS accounts.