AWS Systems Manager (SSM)
AWS Systems Manager is a centralized operational hub that allows you to manage your AWS resources and on-premises infrastructure at scale. It provides a unified user interface so you can view operational data from multiple AWS services and automate operational tasks across your resources.
The Analogy: The “Universal Remote & Smart Home Hub”
Imagine you own a massive hotel. Instead of going to every single room to adjust the thermostat, check the locks, or update the firmware on the smart TVs, you use a Universal Management Hub at the front desk. This hub allows you to push updates to all rooms at once, log into a room’s security system without needing a physical key, and store all the master passwords in a secure vault. AWS Systems Manager is that front-desk hub for your thousands of servers.
Core Concepts & The Well-Architected Framework
Operational Excellence: Automation at Scale
Systems Manager enables Automation through documents (SSM Documents). Instead of manually running scripts, you define “Runbooks” that can be executed across thousands of EC2 instances or on-premises servers simultaneously. This reduces human error and ensures consistency.
Security: The End of Bastion Hosts
Through Session Manager, Systems Manager aligns with the Security pillar by providing secure, audited instance management without the need to open inbound port 22 (SSH) or 3389 (RDP). It uses IAM policies to control access, effectively eliminating the need for Bastion hosts and managing SSH keys.
Comparison: Parameter Store vs. Secrets Manager
| Feature | SSM Parameter Store | AWS Secrets Manager |
|---|---|---|
| Primary Use | General configuration & simple secrets. | Critical secrets (DB passwords, API keys). |
| Cost | Free (Standard) / Pay-per-use (Advanced). | Paid ($0.40 per secret/month). |
| Rotation | No native auto-rotation. | Built-in Lambda-based auto-rotation. |
| Cross-Account | More complex to share. | Easier cross-account access. |
Decision Matrix: When to use what?
| If the requirement is… | Use this SSM Feature… |
|---|---|
| Update OS patches on a schedule across a fleet. | Patch Manager |
| Run a shell script on 50 instances at once. | Run Command |
| Access an EC2 instance via CLI without SSH keys. | Session Manager |
| Ensure an instance keeps its specific config (e.g. Antivirus). | State Manager |
| Store an AMI ID for a CI/CD pipeline. | Parameter Store |
🎯 Exam Tips: SAA-C03 Golden Nuggets
- Hybrid Environments: To manage on-premises servers, you must install the SSM Agent and create a Managed Instance Activation.
- IAM Role: EC2 instances MUST have an IAM role with the
AmazonSSMManagedInstanceCorepolicy attached to communicate with SSM. - Session Manager Logging: Sessions can be logged to S3 or CloudWatch Logs for auditing purposes.
- Patch Baselines: Patch Manager uses “Patch Baselines” to define which patches are approved for installation.
AWS Systems Manager Visual Overview
Architectural Flow
Communication occurs over HTTPS (Port 443) via the SSM Agent.
Key Services
- Inventory: Collects metadata about your fleet (apps, OS, files).
- Maintenance Windows: Schedules tasks to avoid impacting peak hours.
- Compliance: Scans fleet for patch or configuration drift.
Common Pitfalls
- No SSM Agent: Forgetting to install/start the agent on non-Amazon Linux AMIs.
- Missing IAM: Instance role lacks permissions to “talk” to the SSM service.
- Network: No outbound internet or VPC Endpoint for SSM.
Quick Patterns
- Secure Access: Session Manager + CloudWatch Logs = Full Audit Trail.
- Config Management: Store DB endpoints in Parameter Store (SecureString).
- Auto-Remediation: Config Rule triggers SSM Automation.