2.2.1.3. Configuration Management Services & Strategies
Configuration management ensures that every server, container, and service is configured consistently and stays that way. The challenge isn't the initial setup — it's preventing drift over months of patches, hotfixes, and manual changes.
AWS Systems Manager State Manager enforces desired-state configuration by applying associations on a schedule. An association links a target (EC2 instances by tag, all instances, specific instance IDs) to an SSM document that defines the desired state. If an instance drifts, State Manager reapplies the configuration automatically.
AWS OpsWorks provides managed Chef and Puppet. Use Chef cookbooks or Puppet manifests to define configuration as code. OpsWorks runs recipes/manifests at lifecycle events (setup, configure, deploy, undeploy, shutdown). Best for teams already invested in Chef/Puppet.
AWS AppConfig manages application configuration (feature flags, tuning parameters) separately from infrastructure. It deploys configuration changes with safety controls — gradual rollout, automatic rollback on CloudWatch alarm breach, and validation via Lambda or JSON schema.
# SSM State Manager: install the CloudWatch agent package on instances tagged
# Environment=Production and re-apply the association once a day
aws ssm create-association \
    --name "AWS-ConfigureAWSPackage" \
    --targets "Key=tag:Environment,Values=Production" \
    --parameters '{"action":["Install"],"name":["AmazonCloudWatchAgent"]}' \
    --schedule-expression "rate(1 day)"
Exam Trap: State Manager associations run on a schedule — they don't prevent drift in real time. For immediate drift detection and remediation, use AWS Config rules with automatic remediation via SSM Automation. State Manager is for enforcing desired state; Config is for detecting deviations.
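The schedule gap described above can be checked from compliance data. The following is an added example, not part of the original guide: it flags instances whose association is non-compliant and instances whose last association run is older than the schedule interval. The JSON is a constructed sample shaped like `aws ssm list-resource-compliance-summaries` output with ISO 8601 timestamps (an assumption), and `rate_to_timedelta` and `triage` are hypothetical helper names.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `aws ssm list-resource-compliance-summaries`
# output; instance IDs and timestamps are made up for illustration.
SAMPLE = json.loads("""
{"ResourceComplianceSummaryItems": [
 {"ComplianceType": "Association", "ResourceId": "i-0aaa0000000000001",
  "Status": "COMPLIANT",
  "ExecutionSummary": {"ExecutionTime": "2024-05-02T03:00:00+00:00"}},
 {"ComplianceType": "Association", "ResourceId": "i-0aaa0000000000002",
  "Status": "NON_COMPLIANT",
  "ExecutionSummary": {"ExecutionTime": "2024-05-02T03:05:00+00:00"}},
 {"ComplianceType": "Association", "ResourceId": "i-0aaa0000000000003",
  "Status": "COMPLIANT",
  "ExecutionSummary": {"ExecutionTime": "2024-04-28T03:00:00+00:00"}},
 {"ComplianceType": "Patch", "ResourceId": "i-0aaa0000000000004",
  "Status": "NON_COMPLIANT",
  "ExecutionSummary": {"ExecutionTime": "2024-05-02T03:00:00+00:00"}}
]}
""")
NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)  # fixed "now" for the sample

def rate_to_timedelta(expr):
    """Parse a rate() schedule expression such as 'rate(1 day)'."""
    m = re.fullmatch(r"rate\((\d+) (minute|hour|day)s?\)", expr.strip())
    if not m:
        raise ValueError(f"unsupported schedule expression: {expr!r}")
    return timedelta(**{m.group(2) + "s": int(m.group(1))})

def triage(summaries, schedule, now):
    """Map instance ID -> finding for State Manager association compliance."""
    interval = rate_to_timedelta(schedule)
    findings = {}
    for item in summaries["ResourceComplianceSummaryItems"]:
        if item["ComplianceType"] != "Association":
            continue  # Patch and custom compliance types are out of scope here
        last_run = datetime.fromisoformat(item["ExecutionSummary"]["ExecutionTime"])
        if now - last_run > interval:
            # No run inside one schedule interval: the reported status is old,
            # so even COMPLIANT says nothing about the instance's current state.
            findings[item["ResourceId"]] = "STALE"
        elif item["Status"] != "COMPLIANT":
            findings[item["ResourceId"]] = "NON_COMPLIANT"
    return findings

if __name__ == "__main__":
    for instance_id, finding in triage(SAMPLE, "rate(1 day)", NOW).items():
        print(instance_id, finding)
```

A STALE finding on a COMPLIANT instance is the case the schedule hides: the association has not run within its interval, so the last recorded status no longer reflects the instance.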
