Group of services giving visibility into infrastructure, most using SSM Agent
- Can be installed and configured on EC2 and on-premises instances, or VMs
- Preinstalled by default on Amazon Linux 1 and 2, Ubuntu Server 16.04, 18.04, and 20.04
Compliance: shows if you have missing patches
- Run command across instances and collect output
- Different "documents" to choose from, e.g., run shell script, configure Docker, Ansible playbooks, Windows updates, etc.
- Provides central store for config or passwords
- String, StringList, and SecureString, must use
--with-decryptionin CLI for SecureString.
- Connect to instances through browser or CLI without SSH
- Uses IAM as centralized access control, no need to open port 22, have public IP, or VPN
- Allows logging and auditing of sessions
- Scan for missing patches based on patch baseline, display them, and then apply security and other patches
- Custom and managed
- Can create patch baselines with different classifications, auto-approval delays, severities, etc.
- Schedule recurring or one-time maintenance windows for patching
- Applied to patch baselines
- Simplifies common EC2 and other AWS resource maintenance and deployment tasks, e.g., attach IAM role, create AMI, etc.
- Visibility into EC2 and on-premises instances for things like anti-virus, apps installed and versions, etc.
- To centralize, send all data to S3 and use Athena
- Status of different associations, e.g., patching, inventory, etc.
CloudWatch Unified Agent
- Allows for centralized logging
- Keeping logs on instance has disadvantages
- Need instance access to view them
- Lost if terminated
- Cannot easily alarm on certain conditions
- To install,
- IAM role with
- Create EC2 instance using role
- Install CloudWatch Agent
- Run CloudWatch Agent configuration Wizard
- Start Unified CloudWatch Agent
- IAM role with