2.2.3.1. AWS Services for Task Automation (Systems Manager, Lambda, Step Functions)
The choice between SSM, Lambda, and Step Functions depends on what you're automating and how complex the orchestration is.
Systems Manager automates tasks on managed instances (EC2 + on-premises with SSM Agent):
- Run Command: Execute scripts on multiple instances simultaneously, no SSH required
- Automation: Multi-step runbooks with conditional logic, approvals, and cross-service API calls
- Maintenance Windows: Schedule automation during approved time periods
```bash
# Run a command across all production instances
aws ssm send-command \
  --document-name "AWS-RunShellScript" \
  --targets "Key=tag:Environment,Values=Production" \
  --parameters 'commands=["yum update -y","systemctl restart httpd"]'
```
Lambda automates event-driven tasks not targeting specific instances: CloudWatch alarm responses, S3 event processing, custom CodePipeline validation.
Step Functions orchestrates multi-step workflows with branching, parallel execution, retries, and error handling. Express workflows for high-volume short tasks; Standard for long-running.
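The "react to a CloudWatch alarm" case above, as an added example (not code from the original page or from AWS): a Lambda handler that receives the alarm state change from EventBridge and remediates through SSM Run Command, so the response needs no SSH and is recorded in SSM command history. The alarm name, instance ID, and restart command are constructed assumptions, and the SSM client is injected so the logic can be run offline against a stub.

```python
"""Lambda handler for a CloudWatch alarm delivered by EventBridge: when an
alarm we recognise enters ALARM, restart the service on the affected instance
through SSM Run Command (no SSH, fully audited in SSM command history).
Added example; alarm name, instance ID and the remediation command are assumed."""
from typing import Any, Dict, Optional

# Allow-list of alarms this function may act on and what it is allowed to run.
# Keeping the command inside the function (not in the event) means a spoofed or
# malformed event cannot make the function execute arbitrary input.
REMEDIATIONS: Dict[str, Dict[str, Any]] = {
    "prod-httpd-unhealthy": {            # constructed alarm name
        "document": "AWS-RunShellScript",
        "commands": ["systemctl restart httpd"],
    },
}


def parse_alarm_event(event: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return {"alarm", "instance_id"} for a transition into ALARM on a known
    alarm, else None. OK / INSUFFICIENT_DATA transitions are deliberately ignored."""
    if (event.get("source") != "aws.cloudwatch"
            or event.get("detail-type") != "CloudWatch Alarm State Change"):
        return None
    detail = event.get("detail", {})
    if detail.get("state", {}).get("value") != "ALARM":
        return None
    alarm = detail.get("alarmName")
    if alarm not in REMEDIATIONS:
        return None
    # EC2 metrics carry the instance in the metric dimensions of the alarm config.
    for metric in detail.get("configuration", {}).get("metrics", []):
        dims = metric.get("metricStat", {}).get("metric", {}).get("dimensions", {})
        if "InstanceId" in dims:
            return {"alarm": alarm, "instance_id": dims["InstanceId"]}
    return None


def remediate(event: Dict[str, Any], ssm_client: Any) -> Dict[str, Any]:
    """Core logic with the SSM client injected so it can be exercised offline."""
    target = parse_alarm_event(event)
    if target is None:
        return {"action": "ignored"}
    plan = REMEDIATIONS[target["alarm"]]
    resp = ssm_client.send_command(
        InstanceIds=[target["instance_id"]],
        DocumentName=plan["document"],
        Parameters={"commands": plan["commands"]},
        Comment=f"auto-remediation for alarm {target['alarm']}",
    )
    return {"action": "sent", "instance_id": target["instance_id"],
            "command_id": resp["Command"]["CommandId"]}


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    import boto3  # imported here so the pure logic above needs no AWS SDK to test
    return remediate(event, boto3.client("ssm"))


# ---- constructed sample event and stub client for an offline run ----
SAMPLE_EVENT: Dict[str, Any] = {
    "source": "aws.cloudwatch",
    "detail-type": "CloudWatch Alarm State Change",
    "detail": {
        "alarmName": "prod-httpd-unhealthy",
        "state": {"value": "ALARM", "reason": "Threshold Crossed"},
        "previousState": {"value": "OK"},
        "configuration": {"metrics": [{"id": "m1", "metricStat": {"metric": {
            "namespace": "AWS/EC2", "name": "StatusCheckFailed",
            "dimensions": {"InstanceId": "i-0123456789abcdef0"}}}}]},
    },
}


class StubSsmClient:
    """Records send_command calls instead of contacting AWS."""
    def __init__(self) -> None:
        self.calls = []

    def send_command(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append(kwargs)
        return {"Command": {"CommandId": "constructed-command-id"}}


if __name__ == "__main__":
    stub = StubSsmClient()
    print(remediate(SAMPLE_EVENT, stub))
    print(stub.calls[0]["Parameters"])
```

Deploying this requires an EventBridge rule matching `aws.cloudwatch` / `CloudWatch Alarm State Change` events as the Lambda trigger, and an execution role limited to `ssm:SendCommand` on the document and instances it is meant to touch; the allow-list keeps the function stateless and prevents event content from choosing what runs.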
| Automation Need | Tool | Why |
|---|---|---|
| Patch 500 EC2 instances | SSM Patch Manager | Fleet-targeted, scheduled, compliance reporting |
| Rotate API key + update apps | Step Functions + Lambda | Multi-step orchestration with error handling |
| React to a CloudWatch alarm | Lambda | Event-driven, stateless, fast |
| Run maintenance script weekly | SSM Maintenance Window | Scheduled, audited, instance-targeted |
Exam Trap: SSM Run Command requires the SSM Agent installed and the instance registered as a managed instance. If an instance doesn't appear in SSM, check: (1) IAM instance profile has AmazonSSMManagedInstanceCore, (2) SSM Agent is running, (3) network path to SSM endpoints exists.
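The three checks in the Exam Trap, turned into a troubleshooting script as an added example (not AWS tooling or code from the original page). It looks at the SSM inventory record and PingStatus, the managed policies attached to the instance profile's role, and whether the VPC has interface endpoints for the ssm, ssmmessages and ec2messages services when the instance has no public IP. The instance ID, account ID, VPC ID and profile name are constructed; the clients are injected so the same read-only calls run offline against stubs or, with real `boto3.client(...)` objects, against an account.

```python
"""Troubleshoot why an EC2 instance is missing from Systems Manager by working
through the three Exam Trap checks: instance profile policy, SSM Agent status,
and network path to the SSM endpoints. Added example, not AWS tooling.
boto3 clients are injected so the logic runs offline against stub responses;
passing real clients (boto3.client("ssm") etc.) issues the same read-only calls."""
from typing import Any, List

SSM_CORE_POLICY = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
SSM_SERVICES = ("ssm", "ssmmessages", "ec2messages")


def diagnose(instance_id: str, region: str, ssm: Any, ec2: Any, iam: Any) -> List[str]:
    """Return a list of findings; an empty list means all three checks passed."""
    findings: List[str] = []

    # (2) Is the agent registered and currently reporting in?
    info = ssm.describe_instance_information(
        Filters=[{"Key": "InstanceIds", "Values": [instance_id]}]
    )["InstanceInformationList"]
    if not info:
        findings.append("not a managed instance: SSM Agent has never registered")
    elif info[0].get("PingStatus") != "Online":
        findings.append(f"agent not reporting: PingStatus={info[0].get('PingStatus')}")

    # (1) Does the instance profile's role carry AmazonSSMManagedInstanceCore?
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    profile_arn = inst.get("IamInstanceProfile", {}).get("Arn")
    if not profile_arn:
        findings.append("no IAM instance profile attached")
    else:
        profile_name = profile_arn.rsplit("/", 1)[-1]
        roles = iam.get_instance_profile(InstanceProfileName=profile_name)["InstanceProfile"]["Roles"]
        attached = {
            p["PolicyArn"]
            for r in roles
            for p in iam.list_attached_role_policies(RoleName=r["RoleName"])["AttachedPolicies"]
        }
        if SSM_CORE_POLICY not in attached:
            # Only managed policies are inspected; an equivalent inline policy would be missed.
            findings.append(f"instance profile {profile_name} lacks AmazonSSMManagedInstanceCore")

    # (3) Is there a path to the SSM endpoints: VPC endpoints, or public/NAT egress?
    wanted = {f"com.amazonaws.{region}.{s}" for s in SSM_SERVICES}
    endpoints = ec2.describe_vpc_endpoints(Filters=[
        {"Name": "vpc-id", "Values": [inst.get("VpcId", "")]},
        {"Name": "service-name", "Values": sorted(wanted)},
    ])["VpcEndpoints"]
    missing = wanted - {e["ServiceName"] for e in endpoints}
    if missing and not inst.get("PublicIpAddress"):
        # A private subnet can still reach SSM via a NAT gateway; that is not visible here.
        findings.append("no public IP and no VPC endpoint for: " + ", ".join(sorted(missing))
                        + " (requires NAT egress or the missing endpoints)")
    return findings


# ---- constructed stub clients mimicking a broken instance (offline run) ----
class StubSsm:
    def describe_instance_information(self, Filters: Any) -> dict:
        return {"InstanceInformationList": [{"PingStatus": "ConnectionLost"}]}


class StubEc2:
    def describe_instances(self, InstanceIds: List[str]) -> dict:
        return {"Reservations": [{"Instances": [{
            "InstanceId": InstanceIds[0], "VpcId": "vpc-0constructed",   # no PublicIpAddress
            "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/web-profile"},
        }]}]}

    def describe_vpc_endpoints(self, Filters: Any) -> dict:
        return {"VpcEndpoints": [{"ServiceName": "com.amazonaws.us-east-1.ssm"}]}


class StubIam:
    def get_instance_profile(self, InstanceProfileName: str) -> dict:
        return {"InstanceProfile": {"Roles": [{"RoleName": "web-role"}]}}

    def list_attached_role_policies(self, RoleName: str) -> dict:
        return {"AttachedPolicies": [
            {"PolicyArn": "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"}]}


def run_stubbed_diagnosis() -> List[str]:
    return diagnose("i-0123456789abcdef0", "us-east-1", StubSsm(), StubEc2(), StubIam())


if __name__ == "__main__":
    for finding in run_stubbed_diagnosis():
        print("-", finding)
```

Against the stubbed instance the script reports all three problems: a ConnectionLost agent, a profile without AmazonSSMManagedInstanceCore, and a private instance with only the ssm endpoint present. The network check is a pointer rather than a verdict, since NAT-routed private subnets reach the public SSM endpoints without any VPC endpoint.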
