Using AWS Systems Manager (SSM) to automatically deploy and install packages to Windows EC2

Nebojsa Martinovic
Published in Beck et al.
Sep 11, 2020

Recently we got a task from the CISO of one of the customers whose AWS infrastructure we manage: install a Nessus agent, which will be used to perform centralized security scans, on all active Windows EC2 instances. By itself, installing a piece of software is not challenging at all when only one or two instances are involved, but with some tens of instances, imagine the effort of logging in to each of them and installing the agent manually.

Manually installing the software is definitely not an option, so let's use a software distribution tool. We could use a product such as Microsoft SCCM, but why introduce another product when AWS Systems Manager offers this feature out of the box? In this blog you will find our solution to this package installation problem, based on AWS SSM.

So, what actually is AWS SSM?

AWS Systems Manager gives you visibility and control of your infrastructure on AWS. Systems Manager provides a unified user interface so you can view operational data from multiple AWS services and allows you to automate operational tasks across your AWS resources. With Systems Manager, you can group resources, like Amazon EC2 instances, Amazon S3 buckets, or Amazon RDS instances, by application, view operational data for monitoring and troubleshooting, and act on your groups of resources. Systems Manager simplifies resource and application management, shortens the time to detect and resolve operational problems, and makes it easy to operate and manage your infrastructure securely at scale.

There are many different services offered within AWS Systems Manager, but the one that is useful in this case is Distributor. A short explanation of this service:

AWS Systems Manager Distributor lets you package your own software — and find AWS-provided agent software packages, such as AmazonCloudWatchAgent, or third-party packages such as Trend Micro — to install on AWS Systems Manager managed instances. Distributor publishes resources, such as software packages, to AWS Systems Manager managed instances. Publishing a package advertises specific versions of the package’s document — a Systems Manager document that you create when you add the package in Distributor — to managed instances that you identify by managed instance IDs, AWS account IDs, tags, or an AWS Region.

Perfect, so let's start. The first thing to do in order to use SSM Distributor is to add the EC2 instances to the SSM managed instances. We will not cover this step in this blog, but you can follow the AWS documentation for it here: https://docs.aws.amazon.com/systems-manager/latest/userguide/managed_instances.html

Lucky for us, our instances were already registered as SSM managed instances; our managed instances list looked like this:

The whole process of creating a package and distributing it to the instances with SSM Distributor was easy and straightforward.

Here is the example of how we did it:

By clicking on Create package in Distributor you get these options:

We chose Simple; remember, we wanted to have it as fast and as simple as possible. You can also select Advanced and do part of the work yourself (such as writing the manifest).

To continue, we added the details such as name and version (the version is optional), and also added the location of the S3 bucket where the package should be stored.

After filling in the details and location, it is time to upload the software: by clicking on Upload software and selecting our software package, the result is as shown below.

The manifest is automatically created as shown below. To wrap it up we click on Create package.

We got this message:

After all is set and green we can proceed with installing the newly created package on our resources.

We navigated to Packages and clicked on our Nessus-install package. After selecting it there are two options for how to distribute the package: Install on a schedule, which runs an association at cron/rate intervals, and Install one time, which configures a one-time installation. In the second case Distributor uses AWS Systems Manager Run Command to perform the installation. For this task we selected Install one time, because only one installation is needed.

We are redirected to another AWS service, Run Command. A short explanation of Run Command:

AWS Systems Manager Run Command lets you remotely and securely manage the configuration of your managed instances. A managed instance is any EC2 instance or on-premises machine in your hybrid environment that has been configured for Systems Manager. Run Command enables you to automate common administrative tasks and perform ad hoc configuration changes at scale. You can use Run Command from the AWS console, the AWS Command Line Interface, AWS Tools for Windows PowerShell, or the AWS SDKs. Run Command is offered at no additional cost.

For more information visit the Run Command documentation:

https://docs.aws.amazon.com/systems-manager/latest/userguide/execute-remote-commands.html

Now we select the instances on which we want to install the package. For this step we chose the instances manually, as we had not created any groups or similar targeting.

We left all other settings at their defaults and then clicked on Run; at first the command shows as In Progress. In our case the package deployment was a success.

And that's it: we successfully deployed our package to the Windows EC2 instances, and after logging in to an instance and checking we found that everything was installed and working.

With this small demonstration we showed how to easily distribute packages using AWS Systems Manager. We did this through the web console; in a production scenario with hundreds of instances this would be done through the CLI, with scripts to automate the process.
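As an added example (not code from the original post), the scripted version of the two steps above: building the Distributor manifest for a Windows package, with the SHA-256 that SSM Agent verifies before it installs the archive, and the AWS CLI calls that register the package and run a one-time, rate-limited install targeted by tag. The package name, bucket, tag and archive bytes are placeholders.

```python
import hashlib
import json
import shlex


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the package archive; SSM Agent checks it against the manifest."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(version: str, archive_name: str, archive_bytes: bytes) -> dict:
    """Distributor manifest pinning one archive to Windows, any OS version, x86_64.

    The checksum is the integrity control for the installer stored in S3: an
    archive whose hash differs from the manifest is rejected, not installed.
    """
    return {
        "schemaVersion": "2.0",
        "version": version,
        "packages": {"windows": {"_any": {"x86_64": {"file": archive_name}}}},
        "files": {archive_name: {"checksums": {"sha256": sha256_hex(archive_bytes)}}},
    }


def create_document_cmd(package: str, bucket: str, version: str) -> list:
    """argv registering manifest.json as a Package document with its S3 source."""
    return ["aws", "ssm", "create-document", "--name", package,
            "--document-type", "Package", "--version-name", version,
            "--content", "file://manifest.json",
            "--attachments", f"Key=SourceUrl,Values=s3://{bucket}/{package}/"]


def install_cmd(package: str, tag_key: str, tag_value: str,
                max_concurrency: str = "10%", max_errors: str = "1") -> list:
    """argv for a one-time Run Command install via AWS-ConfigureAWSPackage.

    Targeting by tag replaces hand-picking instances in the console; the
    concurrency and error limits stop a bad package after the first failure
    instead of letting it reach the whole fleet.
    """
    params = {"action": ["Install"], "name": [package],
              "installationType": ["Uninstall and reinstall"]}
    return ["aws", "ssm", "send-command", "--document-name", "AWS-ConfigureAWSPackage",
            "--targets", f"Key=tag:{tag_key},Values={tag_value}",
            "--parameters", json.dumps(params),
            "--max-concurrency", max_concurrency, "--max-errors", max_errors]


if __name__ == "__main__":
    archive = b"abc"  # constructed placeholder bytes standing in for the uploaded installer
    with open("manifest.json", "w") as fh:
        json.dump(build_manifest("1.0.0", "NessusAgent.zip", archive), fh, indent=2)
    print(shlex.join(create_document_cmd("Nessus-install", "example-bucket", "1.0.0")))
    print(shlex.join(install_cmd("Nessus-install", "OS", "Windows")))
```

The archive itself still has to be uploaded to the bucket path named in the attachment before the document is created; the printed commands are what the script would hand to subprocess.run with real values.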

Automation is a key element of every IT infrastructure deployment. We understand that by applying SysOps and DevOps principles to infrastructure management we reduce the gap between deployment, application code and operations, driving agility and reducing the operational overhead and risks that manual changes introduce.
