Remediating non-compliant AWS resources is a key component of cloud governance. One of the goals of cloud governance is creating policies to control costs and minimize security risks. Automated remediation is the best way to enforce policies, or guardrails. AWS Systems Manager is one tool that AWS provides to automatically remediate non-compliant resources.
What is AWS Systems Manager?
AWS Systems Manager, formerly called Amazon Simple Systems Manager or SSM, is a service that allows you to manage your applications and infrastructure. Systems Manager helps to automate application and resource management.
Systems Manager can be used for application management, change management, node management, operations management, and quick setup. Here are a few examples of how Systems Manager accomplishes these:
- Application Management – Application Manager helps DevOps engineers investigate and remediate issues related to their applications. AppConfig helps you create, manage, and deploy applications. Parameter Store lets you store hierarchical configuration data and secrets.
- Change Management – Change Manager is an enterprise change management framework for requesting, approving, implementing, and reporting on operational changes. You can use Automation to automate common maintenance and deployment tasks. Change Calendar lets you set up times when actions can or can’t be performed. Maintenance Windows allows you to set up recurring schedules for managed instances to run administrative tasks.
- Node Management – You can use Compliance to scan your fleet of managed nodes for patch compliance and configuration inconsistencies. Fleet Manager is a unified user interface (UI) experience that helps you remotely manage your nodes. Inventory automates the process of collecting software inventory from your managed nodes. Session Manager helps you to manage your edge devices and Amazon Elastic Compute Cloud (Amazon EC2) instances. You can use Run Command to remotely and securely manage the configuration of your managed nodes at scale. State Manager helps you to automate the process of keeping your managed nodes in a defined state.
- Operations Management – Incident Manager is an incident management console that helps users mitigate and recover from incidents affecting your applications. Explorer is a customizable operations dashboard that reports information about your AWS resources. OpsCenter provides a central location where operations can view, investigate, and resolve operational work items. Amazon CloudWatch Dashboards are customizable pages in the CloudWatch console that you can use to monitor your resources, across regions, in a single view.
- Quick Setup – Quick Setup can help you to configure frequently used AWS services and features with recommended best practices.
What is AWS Config?
AWS Config is a service that records configuration changes to your AWS resources. This includes recording how resources are connected to one another, such as an EBS volume attached to an EC2 instance. Because changes are recorded, you can see how resources were configured in the past. For a full list of supported AWS resource types, see the AWS documentation.
You can learn more about AWS Config at our post about Cloud Governance and Cloud Security using AWS Config.
How does Systems Manager work with Config?
When AWS Config finds a non-compliant resource, you can apply a remediation using AWS Systems Manager Automation documents. An Automation document defines the actions to be performed on the non-compliant resource. You can associate Systems Manager Automation documents with a Config rule in the AWS Config console or using the APIs.
Through the Config console, you can choose to remediate resources either manually or automatically. You make this choice when you associate the Systems Manager Automation document with the Config rule.
To use AWS Systems Manager for remediation, AWS provides an extensive list of AWS managed remediation runbooks. Many of these runbooks correspond to the AWS managed Config rules. For example, there is an AWS Config rule that checks whether an Application Load Balancer (ALB) is configured to drop invalid HTTP headers, and a corresponding remediation runbook that enables that setting. If you are unable to find a managed automation, AWS allows you to create your own using YAML or JSON. You can extend an automation with custom Python or PowerShell scripts.
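The two passages above (associating an Automation document with a Config rule, and writing a custom runbook that uses a Python script) are illustrated by the following added example. It is not code from the original post or from AWS. The remediation function is written the way an `aws:executeScript` step handler is called (the step's inputs arrive in the `events` dict), and the second function builds the request body for the Config API call `put_remediation_configurations`. The Config rule name `alb-http-drop-invalid-header-enabled` and the ELBv2 attribute key `routing.http.drop_invalid_header_fields.enabled` are real AWS identifiers that the post does not name; the document name, role ARN and the `FakeElbv2` client are constructed placeholders so the block runs offline without boto3 or AWS credentials. The example assumes that the resource ID Config records for an ALB is its ARN, which is what `RESOURCE_ID` is mapped to.

```python
"""Custom remediation for 'ALB drops invalid HTTP headers' plus the Config
remediation configuration that wires it to the rule (added example)."""

# Real ELBv2 load balancer attribute that the Config rule checks.
ATTR_KEY = "routing.http.drop_invalid_header_fields.enabled"


def get_drop_invalid_headers(elbv2, lb_arn):
    """Return the ALB's current value for ATTR_KEY ('true' or 'false')."""
    resp = elbv2.describe_load_balancer_attributes(LoadBalancerArn=lb_arn)
    for attr in resp["Attributes"]:
        if attr["Key"] == ATTR_KEY:
            return attr["Value"]
    return "false"  # attribute not reported: treat as not enabled


def remediate_alb(elbv2, lb_arn):
    """Idempotent remediation: enable the attribute only if it is off, then
    read it back so the runbook fails loudly instead of reporting success."""
    if get_drop_invalid_headers(elbv2, lb_arn) == "true":
        return {"LoadBalancerArn": lb_arn, "Changed": False, "Verified": True}
    elbv2.modify_load_balancer_attributes(
        LoadBalancerArn=lb_arn,
        Attributes=[{"Key": ATTR_KEY, "Value": "true"}],
    )
    if get_drop_invalid_headers(elbv2, lb_arn) != "true":
        raise RuntimeError(f"{ATTR_KEY} still not enabled on {lb_arn}")
    return {"LoadBalancerArn": lb_arn, "Changed": True, "Verified": True}


def script_handler(events, context):
    """Entry point for an aws:executeScript step (Python runtime).
    'events' carries the step inputs declared in the runbook, e.g.
    InputPayload: {LoadBalancerArn: '{{ LoadBalancerArn }}'}."""
    import boto3  # present in the Automation runtime; imported lazily for the offline demo
    return remediate_alb(boto3.client("elbv2"), events["LoadBalancerArn"])


def build_remediation_configuration(rule_name, document_name, assume_role_arn,
                                    automatic=True):
    """Body for config.put_remediation_configurations(RemediationConfigurations=[...]).
    RESOURCE_ID passes the non-compliant resource's ID (the ALB ARN) into the runbook;
    the role ARN is a static parameter. Retry settings are required when Automatic is true."""
    return {
        "ConfigRuleName": rule_name,
        "TargetType": "SSM_DOCUMENT",
        "TargetId": document_name,
        "Parameters": {
            "AutomationAssumeRole": {"StaticValue": {"Values": [assume_role_arn]}},
            "LoadBalancerArn": {"ResourceValue": {"Value": "RESOURCE_ID"}},
        },
        "Automatic": automatic,
        "MaximumAutomaticAttempts": 3,
        "RetryAttemptSeconds": 60,
    }


def register_remediation(config_client, remediation):
    """Submit the configuration; returns the FailedBatches list (empty on success)."""
    resp = config_client.put_remediation_configurations(RemediationConfigurations=[remediation])
    return resp.get("FailedBatches", [])


class FakeElbv2:
    """Constructed in-memory stand-in for boto3's elbv2 client (offline demo only).
    persist=False simulates a change that does not take effect, to exercise verification."""

    def __init__(self, attributes, persist=True):
        self.attributes = dict(attributes)
        self.persist = persist
        self.modify_calls = 0

    def describe_load_balancer_attributes(self, LoadBalancerArn):
        return {"Attributes": [{"Key": k, "Value": v} for k, v in self.attributes.items()]}

    def modify_load_balancer_attributes(self, LoadBalancerArn, Attributes):
        self.modify_calls += 1
        if self.persist:
            for attr in Attributes:
                self.attributes[attr["Key"]] = attr["Value"]
        return {"Attributes": Attributes}


if __name__ == "__main__":
    # Placeholder names (not from the post): document name and role ARN.
    fake = FakeElbv2({ATTR_KEY: "false"})
    print(remediate_alb(fake, "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/demo/abc"))
    print(build_remediation_configuration("alb-http-drop-invalid-header-enabled",
                                          "Custom-EnableALBDropInvalidHeaders",
                                          "arn:aws:iam::111122223333:role/PLACEHOLDER-RemediationRole"))
```

In a real runbook the `script_handler` function is the `Handler` of an `aws:executeScript` step, and the document's `AutomationAssumeRole` parameter is the role the step runs under; keep that role scoped to `elasticloadbalancing:DescribeLoadBalancerAttributes` and `elasticloadbalancing:ModifyLoadBalancerAttributes` on the load balancers it is meant to fix. `register_remediation` takes a boto3 `config` client and returns an empty list when the association succeeded.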