Date: April 12, 2021
Amazon Simple Systems Manager, or SSM as we’ll refer to it throughout this article, is a great example of an important feature in the Amazon Web Services toolset that we try to highlight for our clients because of its DevOps, compliance and security benefits. As AWS partners recognized for our customer service and expertise, we are often asked about the implications of specific AWS features and their benefits.
If you aren’t already familiar with SSM, or could just use a refresher, it is a feature that sysadmins should really be aware of. Amazon defines it as:
“Simple Systems Manager (SSM) enables you to remotely manage the configuration of your Amazon EC2 instance. Using SSM, you can run scripts or commands using either EC2 Run Command or SSM Config.”
Simply put, SSM allows sysadmins to run commands remotely on EC2 instances that are running inside AWS. SSM currently supports both Windows and Linux. Indeed, Amazon just announced that the Linux version of the on-instance SSM agent is now available on GitHub.
SSM Use Case
We expect this feature to be extremely useful in a couple of cases. First, it will be especially useful for large enterprises with very tight security requirements. Second, we see this feature being quite helpful for organizations of all sizes who operate in the financial services, healthcare or similar industries where strict regulations are at play. The reason both of these groups will benefit from SSM is that it actively reduces the number of users who have the ability to run commands on a given server.
At Quantum we encourage our clients to treat servers as cattle, not pets. Typically the reason people treat servers as pets (with given names vs. generic numbering, for example) is because they want to allow their users to log into the server. Hence, the server better have a constant domain name or an IP address that they can log into in order to remotely run their command.
Eradicating the Need for Remote Access
The question we almost always ask our clients is: “Why do you need to have access into the server at all?” The two answers we most typically get are
Fortunately, SSM provides a great solution to both of these reasons. SSM allows you to run a remote command on a group of servers concurrently through a single unified interface while creating the audit trail we discussed above. It does this without requiring users to have direct access to the server through SSH or remote desktop.
This enables the best of both worlds: users can do something that has not yet been fully automated, and at the same time the servers can be treated as cattle. In the process, SSM delivers a major DevOps benefit in the form of automation while providing significant security and compliance benefits.
If you are interested in understanding how SSM could help better secure your environment and generate better audit outcomes through improved logs, then contact our DevOps consultants today; we’d be happy to have a conversation about how SSM can help automate, secure, and provide greater auditability for your environment.