Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.2.3.5. Automating the Configuration of Software Applications to the Desired State (OpsWorks, Systems Manager State Manager)

Desired state configuration ensures infrastructure self-corrects when it drifts. Instead of one-time scripts, you declare what the system should look like and let automation continuously enforce it.

SSM State Manager associates SSM documents with targets on a schedule:

  • If the CloudWatch agent stops, State Manager reinstalls it on the next run
  • If a config file is modified manually, State Manager overwrites it
  • The compliance dashboard shows which instances match the desired state

SSM Automation runbooks handle multi-step enforcement:

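schemaVersion: '0.3'
description: Install, configure and verify Apache on one instance.
parameters:
  # aws:runCommand needs a target (InstanceIds or Targets); this parameter supplies it.
  InstanceId:
    type: String
    description: Instance to bring to the desired state.
mainSteps:
  # Step 1: install the package (yum leaves an existing install unchanged).
  - name: installApache
    action: aws:runCommand
    inputs:
      DocumentName: AWS-RunShellScript
      InstanceIds:
        - '{{ InstanceId }}'
      Parameters:
        commands:
          - yum install -y httpd
  # Step 2: overwrite the local config with the copy held in S3.
  # Whoever can write to this bucket controls the config on every target.
  - name: configureApache
    action: aws:runCommand
    inputs:
      DocumentName: AWS-RunShellScript
      InstanceIds:
        - '{{ InstanceId }}'
      Parameters:
        commands:
          - aws s3 cp s3://config-bucket/httpd.conf /etc/httpd/conf/httpd.conf
          - systemctl restart httpd && systemctl enable httpd
  # Step 3: a non-zero exit from grep fails the step and the runbook.
  - name: verifyApache
    action: aws:runCommand
    inputs:
      DocumentName: AWS-RunShellScript
      InstanceIds:
        - '{{ InstanceId }}'
      Parameters:
        commands:
          - curl -s http://localhost/ | grep -q "Welcome"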
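
The desired-state behaviour described above (detect drift, overwrite only when needed, restart only on change) for the httpd.conf step, as an added example that is not code from the original page: a shell function of the kind an AWS-RunShellScript step could call on every scheduled run. The function names, status words and the staging directory in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example. Function names, status words and the staging directory in
# the usage comment are assumptions for illustration.

# Print the SHA-256 of a file (sha256sum on Linux, shasum elsewhere).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# enforce_file DESIRED TARGET [RELOAD_COMMAND...]
# Converges TARGET to DESIRED and prints one status word:
#   COMPLIANT        TARGET already matched, nothing touched
#   DRIFT_CORRECTED  TARGET was replaced and RELOAD_COMMAND ran
# Safe to run on every scheduled run: a second run is a no-op.
enforce_file() {
    desired=$1; target=$2; shift 2
    # An empty or missing desired file (failed download) must never
    # overwrite a working config.
    [ -s "$desired" ] || { echo "ERROR_NO_DESIRED_STATE"; return 2; }
    if [ -f "$target" ] &&
       [ "$(file_sha256 "$desired")" = "$(file_sha256 "$target")" ]; then
        echo "COMPLIANT"; return 0
    fi
    # Stage beside the target and rename, so the service never reads a
    # half-written file.
    tmp=$(mktemp "$target.XXXXXX") || { echo "ERROR_WRITE_FAILED"; return 1; }
    if ! { cp "$desired" "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$target"; }; then
        rm -f "$tmp"; echo "ERROR_WRITE_FAILED"; return 1
    fi
    # Restart only when something actually changed.
    if [ $# -gt 0 ] && ! "$@"; then
        echo "ERROR_RELOAD_FAILED"; return 3
    fi
    echo "DRIFT_CORRECTED"
}

# Usage in an AWS-RunShellScript step (staging directory is an assumption):
#   aws s3 cp s3://config-bucket/httpd.conf /var/lib/desired/httpd.conf
#   enforce_file /var/lib/desired/httpd.conf /etc/httpd/conf/httpd.conf \
#       systemctl restart httpd
```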

AWS Config + SSM Automation creates a closed loop: Config detects non-compliance → triggers SSM Automation remediation → Config re-evaluates → marks compliant.

Exam Trap: State Manager associations are eventually consistent — they run on a schedule (e.g., every 30 minutes). For real-time enforcement, combine with Config rules that trigger remediation immediately on detection.

Written by Alvin Varughese • Founder • 15 professional certifications