4.2.1. Systems Manager: The Operations Platform
💡 First Principle: Before Systems Manager, operating a fleet of EC2 instances meant SSH access: connecting to each instance individually, running commands, checking outputs, repeating. At scale, this doesn't work. Systems Manager provides a secure, auditable, agent-based management plane that replaces SSH with API-driven operations: no bastion hosts, no open port 22.
Systems Manager is a broad service; it is actually a collection of capabilities, each solving a specific operational problem. The exam tests knowledge of which capability to use in which scenario.
Systems Manager Capabilities: The Exam-Critical Set
| Capability | What It Does | Key Exam Scenario |
|---|---|---|
| Run Command | Execute scripts/commands on instances without SSH | "Run a patch script on 500 instances" |
| Session Manager | Browser/CLI-based shell access without port 22 or bastion hosts | "Securely access instance without SSH" |
| Patch Manager | Automated OS patching per schedule and baseline | "Ensure all instances are patched within 72 hours" |
| State Manager | Continuously enforce a desired configuration state | "Ensure CloudWatch agent is always running" |
| Automation | Multi-step workflows (covered in Phase 2) | "Stop instance, snapshot, resize, restart" |
| Parameter Store | Secure storage for config and secrets | "Store DB connection string for app to retrieve" |
| Inventory | Collect instance metadata (installed software, network config) | "What version of nginx is running across our fleet?" |
| OpsCenter | Centralized view of operational issues (OpsItems) | "Track and resolve operational incidents" |
| Fleet Manager | GUI-based instance management | "View Windows Event Logs without RDP" |
| Distributor | Package deployment across fleet | "Install a custom agent on all instances" |
Session Manager: Why It Matters
Session Manager is the recommended replacement for SSH and RDP. It requires no inbound ports, no bastion hosts, and no key pairs. Access is controlled entirely through IAM policies. Every session is logged to CloudWatch Logs or S3.
| SSH | Session Manager |
|---|---|
| Requires port 22 open | ✅ No inbound ports required |
| Requires key pair management | ✅ No key pairs |
| Hard to audit | ✅ Full session logging |
| Requires bastion host for private instances | ✅ Works on private instances via SSM endpoint |
| No IAM-based access control | ✅ IAM policy controls who can start sessions |
Patch Manager:
Patch Manager automates OS patching using a patch baseline (which patches to approve) and a maintenance window (when to apply them).
| Component | Description |
|---|---|
| Patch Baseline | Rules defining which patches are approved (by severity, classification, age) |
| Patch Group | A tag (Patch Group: production) that associates instances with a specific baseline |
| Maintenance Window | A scheduled time window during which patching runs |
| Compliance Report | Shows which instances are patched, which are missing patches |
AWS provides pre-defined baselines for common OSes (Windows, Amazon Linux, Ubuntu, RHEL). You can create custom baselines for stricter or more permissive requirements.
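To make the baseline, patch group and compliance report concrete, here is a simplified model of how an approval rule (classification, severity, auto-approval delay) selects patches and how compliance is then reported per instance. This is an added example, not code from the page or from AWS; the `Patch`, `ApprovalRule` and `PatchBaseline` types, the patch IDs and the instance IDs are all constructed for illustration, and the rule semantics are a deliberate simplification of the real service.

```python
"""Simplified model of a Patch Manager baseline and its compliance report.

Added example: the data model below is constructed for illustration and is
not the Systems Manager implementation. It mirrors the concepts in the
section (baseline rules, explicit rejects, patch groups, compliance).
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class Patch:
    patch_id: str          # constructed ID, e.g. "KB-1001"
    classification: str    # e.g. "Security", "Bugfix"
    severity: str          # e.g. "Critical", "Important", "Low"
    released: date


@dataclass
class ApprovalRule:
    classifications: set[str]
    severities: set[str]
    approve_after_days: int   # auto-approval delay after the release date


@dataclass
class PatchBaseline:
    name: str
    rules: list[ApprovalRule]
    rejected: set[str] = field(default_factory=set)  # explicit reject list always wins

    def approved_patches(self, available: list[Patch], today: date) -> set[str]:
        """Return the IDs of patches the baseline approves as of `today`."""
        approved: set[str] = set()
        for p in available:
            if p.patch_id in self.rejected:
                continue
            for rule in self.rules:
                old_enough = p.released + timedelta(days=rule.approve_after_days) <= today
                if (p.classification in rule.classifications
                        and p.severity in rule.severities and old_enough):
                    approved.add(p.patch_id)
                    break
        return approved


def baseline_for_instance(tags: dict[str, str], by_group: dict[str, PatchBaseline],
                          default: PatchBaseline) -> PatchBaseline:
    """Resolve an instance's baseline from its 'Patch Group' tag, else the default."""
    return by_group.get(tags.get("Patch Group", ""), default)


def compliance_report(baseline: PatchBaseline, available: list[Patch],
                      installed_by_instance: dict[str, set[str]],
                      today: date) -> dict[str, tuple[str, list[str]]]:
    """Map each instance to (status, missing approved patch IDs)."""
    approved = baseline.approved_patches(available, today)
    report = {}
    for instance_id, installed in installed_by_instance.items():
        missing = sorted(approved - installed)
        report[instance_id] = ("COMPLIANT" if not missing else "NON_COMPLIANT", missing)
    return report


# --- constructed sample data -------------------------------------------------
TODAY = date(2024, 6, 15)
AVAILABLE = [
    Patch("KB-1001", "Security", "Critical", date(2024, 6, 1)),    # old enough: approved
    Patch("KB-1002", "Security", "Important", date(2024, 6, 12)),  # inside 7-day delay
    Patch("KB-1003", "Bugfix", "Low", date(2024, 5, 1)),           # wrong classification
    Patch("KB-1004", "Security", "Critical", date(2024, 5, 20)),   # explicitly rejected
]
PRODUCTION_BASELINE = PatchBaseline(
    name="production-linux",
    rules=[ApprovalRule({"Security"}, {"Critical", "Important"}, approve_after_days=7)],
    rejected={"KB-1004"},
)
DEFAULT_BASELINE = PatchBaseline(name="default", rules=[ApprovalRule({"Security"}, {"Critical"}, 0)])
BASELINES_BY_GROUP = {"production": PRODUCTION_BASELINE}
INSTALLED = {
    "i-0aaa": {"KB-1001", "KB-1003"},   # has the one approved patch
    "i-0bbb": {"KB-1003"},              # missing KB-1001
}

if __name__ == "__main__":
    chosen = baseline_for_instance({"Patch Group": "production"}, BASELINES_BY_GROUP, DEFAULT_BASELINE)
    for inst, (status, missing) in compliance_report(chosen, AVAILABLE, INSTALLED, TODAY).items():
        print(f"{inst}: {status} missing={missing}")
```

Note that the reject list is checked before any approval rule, and the auto-approval delay is counted from the patch release date, which is why KB-1002 stays unapproved on the sample date even though it matches the rule otherwise.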
Parameter Store vs. Secrets Manager:
| Feature | Parameter Store | Secrets Manager |
|---|---|---|
| Cost | Free (standard tier) | ~$0.40/secret/month |
| Automatic rotation | ❌ No | ✅ Yes (Lambda-based) |
| Cross-account access | Limited | ✅ Yes |
| Max size | 4KB (standard), 8KB (advanced) | 64KB |
| Versioning | ✅ Yes | ✅ Yes |
| Use for | Config values, non-secret parameters | Passwords, API keys, database credentials requiring rotation |
Use Parameter Store for non-sensitive configuration and Secrets Manager for credentials that must be rotated automatically.
⚠️ Exam Trap: Systems Manager requires the SSM Agent to be installed and running on instances, and instances need an IAM instance profile with the AmazonSSMManagedInstanceCore managed policy. Without these, instances won't appear in Systems Manager. New Amazon Linux 2 and Windows instances include the SSM Agent by default, but you must still attach the correct instance profile.
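A readiness check that encodes the prerequisites from the exam trap is a useful thing to keep around when an instance fails to show up as managed. The following is an added example, not code from the page or from AWS: the `Instance` record and its fields are constructed stand-ins for what you would read from the EC2 and IAM APIs, and the network-path check (outbound HTTPS or `ssm`, `ssmmessages` and `ec2messages` interface endpoints) is an assumption added here, since the section above does not spell it out.

```python
"""Check whether an EC2 instance meets the Systems Manager prerequisites:
SSM Agent installed and running, an instance profile with
AmazonSSMManagedInstanceCore, and a network path to the SSM endpoints.

Added example with constructed instance records; the endpoint names used for
the network-path check are an assumption added here, not stated on the page.
"""
from dataclasses import dataclass, field

REQUIRED_POLICY = "AmazonSSMManagedInstanceCore"
# Assumption: a private instance without internet egress needs interface
# endpoints for all three of these services before Session Manager works.
REQUIRED_ENDPOINTS = {"ssm", "ssmmessages", "ec2messages"}


@dataclass
class Instance:
    instance_id: str                      # constructed ID, e.g. "i-0ready00"
    agent_installed: bool
    agent_running: bool
    instance_profile_policies: set[str] = field(default_factory=set)
    has_https_egress: bool = False        # route to public SSM endpoints (IGW/NAT)
    vpc_endpoints: set[str] = field(default_factory=set)  # interface endpoint services


def readiness_findings(inst: Instance) -> list[str]:
    """Return the list of reasons the instance would not appear as managed (empty if ready)."""
    findings: list[str] = []
    if not inst.agent_installed:
        findings.append("SSM Agent not installed")
    elif not inst.agent_running:
        findings.append("SSM Agent installed but not running")
    if not inst.instance_profile_policies:
        findings.append("no instance profile attached")
    elif REQUIRED_POLICY not in inst.instance_profile_policies:
        findings.append(f"instance profile lacks {REQUIRED_POLICY}")
    if not (inst.has_https_egress or REQUIRED_ENDPOINTS <= inst.vpc_endpoints):
        missing = ", ".join(sorted(REQUIRED_ENDPOINTS - inst.vpc_endpoints))
        findings.append(f"no path to SSM endpoints (need HTTPS egress or VPC endpoints: {missing})")
    return findings


def is_managed_candidate(inst: Instance) -> bool:
    return not readiness_findings(inst)


def fleet_report(instances: list[Instance]) -> dict[str, list[str]]:
    """Map each instance ID to its findings so the unmanaged ones stand out."""
    return {i.instance_id: readiness_findings(i) for i in instances}


# --- constructed sample fleet ------------------------------------------------
FLEET = [
    # fully configured
    Instance("i-0ready00", True, True, {REQUIRED_POLICY}, has_https_egress=True),
    # the exam trap: agent present by default, but no instance profile attached
    Instance("i-0noprof0", True, True, set(), has_https_egress=True),
    # private subnet with only the 'ssm' endpoint created
    Instance("i-0private", True, True, {REQUIRED_POLICY}, vpc_endpoints={"ssm"}),
    # agent stopped on the host
    Instance("i-0stopped", True, False, {REQUIRED_POLICY}, has_https_egress=True),
]

if __name__ == "__main__":
    for instance_id, findings in fleet_report(FLEET).items():
        print(f"{instance_id}: {'READY' if not findings else '; '.join(findings)}")
```

In practice the field values come from `aws ec2 describe-instances` (profile, subnet, routing) and the agent's own status on the host; an instance that is missing from `aws ssm describe-instance-information` almost always fails one of these three checks.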
Reflection Question: A compliance audit requires that no EC2 instances in the production environment have port 22 open and that all shell access be logged and auditable. Currently, engineers use a bastion host for SSH access. What Systems Manager capability replaces the bastion host, and what three things must be configured to make it work?