AWS Security Compliance

1)  Secrets Manager

Protect secrets needed to access your applications and services. Easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.


- Secrets Manager is mostly used to store and automatically rotate database credentials.

    * RDS

    * Redshift

    * DocumentDB

    * Other databases

    * Key/Value

- Has to be encrypted at rest

- Enforces encryption at-rest by using KMS

- Pricing 

    * $0.40 per secret per month 

    * $0.05 per 10 000 API calls

- CloudTrail can monitor credentials access in case you need to audit.
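
The CloudTrail audit mentioned above, as an added example that is not part of the original notes: it filters trail records for `GetSecretValue` calls against Secrets Manager and flags denied calls and reads by principals outside an allow-list. The records, account ID, principals and the allow-list are constructed for illustration; real trails may carry the secret's ARN in `secretId` rather than its name.

```python
"""Audit Secrets Manager reads from CloudTrail records (added example)."""
import json

# Constructed CloudTrail records, trimmed to the fields this audit reads.
# Account ID, principals and IPs are placeholders; the secret name is the
# one used in the CLI example on this page.
SAMPLE_TRAIL = json.loads("""
{"Records": [
 {"eventTime": "2024-01-10T09:00:01Z",
  "eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
  "sourceIPAddress": "10.0.1.15",
  "userIdentity": {"type": "AssumedRole",
    "arn": "arn:aws:sts::111122223333:assumed-role/ship-app/i-0abc",
    "sessionContext": {"sessionIssuer":
      {"arn": "arn:aws:iam::111122223333:role/ship-app"}}},
  "requestParameters": {"secretId": "enterprise/ShipDatabase"}},
 {"eventTime": "2024-01-10T09:14:37Z",
  "eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
  "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser",
    "arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"secretId": "enterprise/ShipDatabase"}},
 {"eventTime": "2024-01-10T09:20:00Z",
  "eventSource": "secretsmanager.amazonaws.com", "eventName": "DescribeSecret",
  "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser",
    "arn": "arn:aws:iam::111122223333:user/alice"},
  "requestParameters": {"secretId": "enterprise/ShipDatabase"}},
 {"eventTime": "2024-01-10T09:31:12Z",
  "eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
  "sourceIPAddress": "10.0.9.44", "errorCode": "AccessDenied",
  "userIdentity": {"type": "AssumedRole",
    "arn": "arn:aws:sts::111122223333:assumed-role/ci-runner/build-17",
    "sessionContext": {"sessionIssuer":
      {"arn": "arn:aws:iam::111122223333:role/ci-runner"}}},
  "requestParameters": {"secretId": "enterprise/ShipDatabase"}}
]}
""")

# Principals expected to read each secret (an assumption of this example).
ALLOWED_READERS = {
    "enterprise/ShipDatabase": {"arn:aws:iam::111122223333:role/ship-app"},
}


def principal_of(record):
    """Return the role ARN for assumed-role sessions, else the caller ARN."""
    ident = record.get("userIdentity") or {}
    if ident.get("type") == "AssumedRole":
        issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
        return issuer.get("arn") or ident.get("arn", "unknown")
    return ident.get("arn", "unknown")


def audit_secret_reads(records, allowed_readers):
    """Flag GetSecretValue calls that were denied or came from an unexpected principal."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "secretsmanager.amazonaws.com":
            continue
        if rec.get("eventName") != "GetSecretValue":
            continue  # DescribeSecret and similar calls do not return the value
        secret = (rec.get("requestParameters") or {}).get("secretId", "unknown")
        who = principal_of(rec)
        if rec.get("errorCode"):
            reason = "denied:" + rec["errorCode"]
        elif who not in allowed_readers.get(secret, set()):
            reason = "unexpected-principal"
        else:
            continue
        findings.append({"time": rec.get("eventTime"), "secret": secret,
                         "principal": who, "source_ip": rec.get("sourceIPAddress"),
                         "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in audit_secret_reads(SAMPLE_TRAIL["Records"], ALLOWED_READERS):
        print(finding)
```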

a)  Secrets Manager - Automatic Rotation

- You can set up automatic rotation for any database credentials.

- The rotation interval can be set up to 365 days (1 year)

- Rotation is performed via a Lambda function

- You can rotate the password for the superuser or for a developer programmatically accessing the database.

b) Secrets Manager CLI

aws secretsmanager describe-secret --secret-id enterprise/ShipDatabase


c) Secrets Manager - Use Case




2) Systems Manager

AWS Systems Manager, also known as AWS Simple Systems Manager (SSM), is an umbrella of AWS services used to automate the management of virtual machines.

- Function

    * Patching (apply security updates) to VMs

    * Supplying Configuration to VMs

    * Running Linux/Windows Commands on VMs

    * Monitoring VMs

    * Securely connecting to VMs 

    * Maintaining a configured state of VMs

- What can be done:

    * Operations Management

        ** Explorer

        ** OpsCenter

        ** CloudWatch Dashboard

        ** Trusted Advisor

        ** Personal Health Dashboard

    * Application Management

        ** Resource Groups

        ** AppConfig

        ** Parameter Store

    * Actions & Change

        ** Automation

        ** Change Calendar

        ** Maintenance Window

    * Instances & Nodes 

        ** Compliance

        ** Inventory

        ** Managed Instances

        ** Hybrid Activations

        ** Session Manager

        ** Run Command

        ** State Manager

        ** Patch Manager

        ** Distributor

    * Shared Resources

        ** SSM Documents

- This is the hidden cost of traditional architecture. Serverless architecture eliminates the need for most of these operations services.

- In order for VMs to use SSM you need two things:

    * 1. SSM Agent installed on the EC2 instances

    * 2. SSM AWS Managed Policy attached to your EC2 IAM Role

a) SSM Agent

AWS Systems Manager Agent (SSM Agent) is a software package that you need to install on your virtual machine's operating system in order to interact with SSM.

Installed by Default

    * SSM Agent is preinstalled on the AWS managed AMIs:

        ** Amazon Linux 2

        ** Amazon Linux (EOL 31 2020)

        ** Ubuntu Server 18.04

        ** Ubuntu Server 16.04

        ** Windows Server 2008-2012 R2 (after 2016)

        ** Windows Server 2016 and 2019

        ** Amazon ECS Optimized

Manual Installation

    * 1. You need to download the package for your OS from an S3 URL:

        ** linux_amd64/amazon-ssm-agent.rpm

        ** linux_386/amazon-ssm-agent.rpm

        ** debian_amd64/amazon-ssm-agent.deb

        ** debian_386/amazon-ssm-agent.deb

        ** debian_arm/amazon-ssm-agent.deb

    * 2. Install with your package manager

    * 3. Start the SSM Agent service



b) SSM Managed Policy

- For your EC2 instance to have permission to use SSM, you need to attach one of these AWS managed policies to the EC2 IAM role:

    * AmazonEC2RoleforSSM (soon to be deprecated)

    * AmazonSSMManagedInstanceCore (new policy)

c) SSM Explorer

SSM Explorer is a customizable operations dashboard that reports information about your AWS resources

OpsData - displays an aggregated view of operations data.

OpsItems - Metadata about EC2 instances, patch compliance details, and operational work items

Widgets - The individual report boxes that show data, graphs or charts.

- Filter information in Explorer to focus on items that are relevant to you and that require action

- When high-priority issues are identified in Explorer, use SSM OpsCenter to resolve them

- Explore data across multiple AWS accounts and across multiple Regions via different modes:

    * Single-account/single-Region (default)

    * Single-account/multi-Region

    * Multi-account/multi-Region

Reporting - you can export reports to a CSV stored in an S3 bucket

- Explorer is free but the underlying resources and API calls are not

- You are charged on the number of OpsItems per month and number of API calls per month to:

    * GetOpsItem, DescribeOpsItems, UpdateOpsItem, GetOpsSummary


d) SSM OpsCenter

- What are operational work items?

Some form of work that needs to be performed on an EC2 instance.

- OpsCenter is a consolidation of your operational work items (OpsItems) for your IT team to: View, Investigate, Resolve

- OpsItems can be manually created, or automatically created via services such as AWS Config, CloudWatch Events, CloudWatch Application Insights for .NET and SQL Server


aws ssm create-ops-item --title "EC2 instance disk full" \
    --description "Log clean up may have failed due to full disk" \
    --priority 2 \
    --source ec2 \
    --operational-data '{"EC2":{"Value":"1", "Type":"SearchableString"}}' \
    --notifications Arn="arn:aws:sns:us-east-1:12345678:LeadOpsUser" \
    --tags "Key=EC2,Value=Prod"

- Examples of OpsItems

    * EC2 instance disk full

    * RDS instance not responding to Ping

    * EC2 instance terminated

    * EC2 instance stopped

    * Autoscaling instance launch failed 

    * EBS snapshot copy failed


e) SSM OpsItems

- An OpsItem can have one of the following statuses:

    * Open - Active, but not being worked on

    * In-Progress - Active, and being worked on

    * Resolved - Not active, available to search in past history

- An OpsItem can be given a priority between 1 and 5. The priority is defined by the company and has no explicit meaning.

Related Resources 

Other AWS resources can be associated with an OpsItem to create a deep link to information about the resource

Operational Data

Custom data can be applied to an OpsItem in the form of a key/value pair. You can make certain key/value pairs searchable

Reducing Duplication

OpsCenter uses a combination of built-in logic and configurable deduplication strings to help avoid creating duplicate OpsItems

Related OpsItems

An OpsItem can be associated by the user with up to 10 other related OpsItems, so when a user investigates an item they can leverage the history of those tickets.

Similar OpsItems

AWS will automatically recommend similar OpsItems. This serves the same purpose as related OpsItems

f) SSM Remediation

What is remediating issues?

Remediation means to make right, to fix. So when we say we are remediating OpsItems, we mean the act of fixing the reported issues on our infrastructure.

What is a runbook?

A runbook is a document that contains a series of instructional steps to perform an operation. It can describe regular maintenance, remediation due to misconfiguration, or a procedure resulting from an unexpected incident.


SSM Automation is a service that allows you to define documents (runbooks) that execute a sequence of commands carrying out the runbook actions.


SSM Automation Documents can be associated with OpsItems, so when an OpsItem that requires action appears in your SSM Explorer dashboard or your OpsCenter OpsItems list, you can press a button to carry out that runbook.

g)  SSM OpsCenter - Related Resources

- OpsCenter automatically creates a deep link to the original resource page when you specify the Amazon Resource Name (ARN) for a related resource to an OpsItem

- This enables you to view detailed information about your impacted related resources without having to leave OpsCenter.

- Supported resource types include:

    * CloudFront distributions

    * CloudFormation stacks

    * CloudWatch alarms

    * CodeBuild projects

    * DynamoDB tables

    * EC2 instances

    * AWS Elastic Beanstalk applications

    * IAM users & groups

    * Lambda functions

    * RDS database instances

h) SSM AppConfig

- Use AppConfig to create, manage, and quickly deploy application configuration

- Use it when you need to roll out changes to your application configuration files and need to avoid errors such as typos that could break your production environment

- Supports controlled deployments to apps of any size

- Includes built-in validation checks and monitoring

- Use with apps hosted on EC2 instances, AWS Lambda, containers, mobile applications, or IoT devices

i)  SSM Anatomy of AppConfig

Environments

A group of AWS resources intended for deployment

Deployments

The act of deploying application configuration changes

    * Configuration Profile

        Where the configuration is located and how to validate it.

            ** Configuration Sources

                 The location of the new application configuration changes 

                    *** Amazon S3 Object

                    *** SSM Document

                    *** SSM Parameter (from Parameter Store)

            ** Validators

                Checks whether the configuration is valid for deployment. Either a Lambda or a JSON file.


Deployment Strategy

    * Deployment Type: Linear / Exponential

    * Deployment Time: Duration for this deployment

    * Bake Time: Amount of time to wait before completing the deployment

 


j) SSM Automation

- SSM Automation simplifies common maintenance and deployment tasks of EC2 instances and other AWS resources

- Build Automation workflows to configure and manage instances and AWS resources

- Create custom workflows or use pre-defined workflows maintained by AWS

- Receive notifications about Automation tasks and workflows by using Amazon CloudWatch Events.

- Monitor Automation progress and execution details by using the Amazon EC2 or the AWS Systems Manager console.

k) SSM Automation - Use Case

AWS-StopEC2InstanceWithApproval - an Automation Document that requests that one or more IAM users approve the instance stop action

    * 1. Launch Automation Task

    * 2. SNS Topic  Requests Approval from IAM users 

    * 3. EC2 Instance State Changes to Stopped

l) SSM - Anatomy of Automation

Automation Documents

    * Known as runbooks or operational playbooks.

    * Defined as JSON or YAML Files

    * Defines a series of actions (Automation workflow)

    * AWS has pre-defined documents

    * You can create your own document

- Automation Actions

    * An individual step in an automation document as part of a workflow. An action determines the following at each step:

        ** Input

        ** Output

        ** Behaviors

    * Steps are defined in the mainSteps section of your Automation Document. Automation supports 20 distinct action types.

- Automation Queue

    * A queue that holds Automations being currently executed.

        ** AWS account can run 25 Automations simultaneously

        ** A maximum of 75 child Automations

        ** Additional Automations will be in a pending state

        ** The queue can hold 1000 Automation Executions


m)  SSM Automation - Automation Document

schemaVersion - Always 0.3 for Automation Documents

assumeRole - The IAM role the Automation Document will assume

parameters - Variables you can use within your Automations Document

mainSteps - contains a series of steps

action - Defines what should happen at this step. Affects what inputs and outputs are available

    * Inputs - defines variables used in this step

    * Outputs - defines variables outputted from this step

nextStep - defines the next action that should be executed

n) SSM Automation - Document Actions

- aws:approve - Pause an execution for manual approval

- aws:assertAwsResourceProperty - assert an AWS resource state or event state

- aws:branch - run conditional automation steps

- aws:changeInstanceState - change or assert instance state

- aws:copyImage - copy or encrypt an Amazon Machine Image

- aws:createImage - create an Amazon Machine Image

- aws:createStack - create an AWS CloudFormation stack

- aws:createTags - create tags for AWS resources

- aws:deleteImage - delete an Amazon Machine Image

- aws:deleteStack - delete an AWS CloudFormation stack

- aws:executeAutomation - run another automation execution

- aws:executeAwsApi - call and run AWS API actions

- aws:executeScript - run a script

- aws:executeStateMachine - run an AWS Step Functions state machine

- aws:invokeLambdaFunction - invoke an AWS Lambda function

- aws:pause - pause an automation execution

- aws:runCommand - run a command on a managed instance

- aws:runInstances - launch an EC2 instance

- aws:sleep - delay an automation execution

- aws:waitForAwsResourceProperty - wait on an AWS resource property


- Properties shared by all actions:

    mainSteps:
      - name: name
        action: action
        maxAttempts: value
        timeoutSeconds: value
        onFailure: value
        inputs:
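
A linter for the document anatomy and action list described above, added here as an example and not taken from AWS tooling or the original notes. It checks `schemaVersion`, `assumeRole`, step names, the action types listed on this page and `nextStep` targets, then walks the steps in execution order to confirm that a disruptive action is reached only after `aws:approve`. The `NEEDS_APPROVAL` policy, the sample runbooks and their ARNs are assumptions made for illustration.

```python
"""Lint an SSM Automation document (added example, not AWS tooling)."""

# The 20 action types listed on this page.
KNOWN_ACTIONS = {"aws:" + name for name in (
    "approve assertAwsResourceProperty branch changeInstanceState copyImage "
    "createImage createStack createTags deleteImage deleteStack "
    "executeAutomation executeAwsApi executeScript executeStateMachine "
    "invokeLambdaFunction pause runCommand runInstances sleep "
    "waitForAwsResourceProperty").split()}

# Local policy, an assumption of this example: these actions are disruptive
# and must come after an aws:approve step.
NEEDS_APPROVAL = {"aws:changeInstanceState", "aws:deleteImage", "aws:deleteStack"}


def execution_order(steps):
    """Walk from the first step, following nextStep, else document order.

    Simplification: aws:branch choices are not evaluated.
    """
    index = {s.get("name"): i for i, s in enumerate(steps)}
    order, seen, i = [], set(), 0
    while i < len(steps) and i not in seen:
        seen.add(i)
        order.append(steps[i])
        nxt = steps[i].get("nextStep")
        i = index.get(nxt, len(steps)) if nxt else i + 1
    return order


def lint_runbook(doc):
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    if doc.get("schemaVersion") != "0.3":
        problems.append("schemaVersion must be '0.3' for Automation documents")
    if not doc.get("assumeRole"):
        problems.append("assumeRole missing: runs with the caller's permissions")
    steps = doc.get("mainSteps")
    if not isinstance(steps, list) or not steps:
        return problems + ["mainSteps must be a non-empty list"]
    names = [s.get("name") for s in steps]
    for dup in sorted({n for n in names if n and names.count(n) > 1}):
        problems.append(f"duplicate step name {dup!r}")
    for s in steps:
        label = s.get("name") or "<unnamed>"
        if not s.get("name"):
            problems.append("step without a name")
        if s.get("action") not in KNOWN_ACTIONS:
            problems.append(f"{label}: unknown action {s.get('action')!r}")
        if s.get("nextStep") and s["nextStep"] not in names:
            problems.append(f"{label}: nextStep {s['nextStep']!r} does not exist")
    approved = False
    for s in execution_order(steps):
        if s.get("action") == "aws:approve":
            approved = True
        elif s.get("action") in NEEDS_APPROVAL and not approved:
            problems.append(f"{s.get('name')}: {s['action']} without prior aws:approve")
    return problems


# Constructed runbook modelled on the approval use case above; the ARNs and
# account ID are placeholders.
GOOD = {
    "schemaVersion": "0.3",
    "assumeRole": "{{ AutomationAssumeRole }}",
    "parameters": {"InstanceId": {"type": "String"},
                   "AutomationAssumeRole": {"type": "String"}},
    "mainSteps": [
        {"name": "approve", "action": "aws:approve",
         "inputs": {"NotificationArn": "arn:aws:sns:us-east-1:111122223333:approvals",
                    "Approvers": ["arn:aws:iam::111122223333:user/lead-ops"],
                    "MinRequiredApprovals": 1},
         "nextStep": "stopInstance"},
        {"name": "stopInstance", "action": "aws:changeInstanceState",
         "inputs": {"InstanceIds": ["{{ InstanceId }}"], "DesiredState": "stopped"}},
    ],
}

# Constructed bad variant: the approval step is defined but jumped over.
BYPASS = dict(GOOD, mainSteps=[
    {"name": "wait", "action": "aws:sleep", "inputs": {"Duration": "PT10S"},
     "nextStep": "stopInstance"},
    GOOD["mainSteps"][0],
    GOOD["mainSteps"][1],
])

if __name__ == "__main__":
    print(lint_runbook(GOOD))
    print(lint_runbook(BYPASS))
```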



o) SSM Change Calendar

SSM Change Calendars allow you to define when SSM Automations are allowed or not allowed to be executed by your team.

- Calendar Type

    * Open by Default - actions only run during a scheduled event

    * Closed by Default - actions are blocked from running during a scheduled event

p) SSM Maintenance Windows

SSM Maintenance Windows let you define a schedule for when to perform potentially disruptive actions on your instances such as:

    * patching an operating system

    * updating drivers

    * installing or patching software


1. You define a schedule (Cron job)

2. Register Targets

3. Register Tasks


r) SSM Compliance

SSM Configuration Compliance scans your fleet of managed instances for patch compliance and configuration inconsistencies.

    * Choose how to filter your resources

    * See a summary based on compliance

    * View the specific resources selected in the resource summary


s) SSM Inventory

SSM Inventory provides visibility into your Amazon EC2 and on-premises computing environment

- Use Inventory to collect metadata from your managed instances

- Store metadata in S3 and then use built in tools to query the data and quickly determine which instances are running the software and configuration required by your software policy, and which instances need to be updated.

t) SSM Activation

SSM Activations allow you to register external resources to be managed by AWS Systems Manager

    * on-premises servers and virtual machines (VMs)

    * non-AWS Cloud servers

    * and other devices with AWS Systems Manager

- Create Activations that issue you a Code and ID that function like an EC2 Access ID and Secret Key to provide secure access to the Systems Manager service from your managed instances

- Once the instance is registered it will show up under the activation

- Set an Activation Expiry date as far as 30 days in the future.

u) SSM Session Manager

What is a session ?

Sessions are based on a secure bi-directional communication channel between the client (you) and the remote managed instance that streams inputs and outputs for commands

How are sessions secured?

Traffic between a client and a managed instance is encrypted using TLS 1.2, and requests to create the connection are signed using SigV4. You can also use a Key Management Service (KMS) key to encrypt data beyond the default TLS encryption.

How do sessions work?

This two-way communication enables interactive bash or PowerShell access to instances.

- SSM Session Manager lets you manage your EC2 instances, on-premises instances, and virtual machines (VMs) through an interactive one-click browser-based shell or through the AWS CLI

- Positive

    * Centralized access control to instances using IAM policies

    * No open inbound ports

    * No need to manage bastion hosts or SSH keys

    * One-click access to instances from the console and CLI

    * Port forwarding

    * Cross-platform support for both Windows and Linux

    * Logging and auditing session activity

        ** AWS CloudTrail

        ** Amazon S3

        ** CloudWatch Logs

        ** CloudWatch Events and Amazon SNS

w) SSM Run Command

- SSM Run Command lets you remotely and securely manage the configuration of your managed instances.

- What is a managed instance?

A managed instance is any EC2 instance or on-premises machine in your hybrid environment that has been configured for Systems Manager.

- Automate common administrative tasks and perform ad hoc configuration changes at scale

- You can use AWS Command Line Interface, AWS Tools for Windows PowerShell, or the AWS SDKs.

- You can perform the following types of tasks on your managed instances:

    * install or bootstrap applications, build a deployment pipeline

    * capture log files when an instance is terminated from an Auto Scaling group

    * and join instances to a Windows domain, to name a few

- With Run Command you can:

    * Install Applications on Windows Machines

    * Run Chef Recipes or Ansible Playbooks

    * configure AWS Packages (Installing CloudWatch Agent)

    * Install Windows Update

    * Execute a Bash or PowerShell Command

    * Run a Docker Action

    * ...

x) SSM  State Manager

- SSM State Manager is a secure and scalable configuration management service that automates the process of keeping your Amazon EC2 and hybrid infrastructure in a state that you define.

    * Bootstrap instances with specific software at start-up 

    * Download and update agents on a defined schedule , including SSM Agent

    * Configure network settings

    * Join instances to a Windows domain (Windows Server instances only)

    * Patch instances with software updates throughout their lifecycle

    * Run scripts on Linux and Windows managed instances throughout their lifecycle

    * State Manager integrates with AWS CloudTrail


1. Determine the state you want to apply to your managed instances

2. Determine if a preconfigured SSM document can help you create the State Manager association

3. Create the association

4. Monitor and update

- The state manager is really just a service to run a Command or Automation Document on a schedule.

- When AWS says "monitor", they really mean run this command on a schedule.

- When they say "determine the state", it's up to the Command or Automation Document's code to determine that.

- In SSM State Manager you are going to choose an Automation or Command Document

- You need to associate the document to targets

- You are going to run it on a schedule.


y)  SSM Patch Manager

SSM Patch Manager automates the process of patching managed instances with both security related and other types of updates. 

- Use Patch Manager to apply patches for both operating systems and applications. On Windows Server, application support is limited to updates for Microsoft applications.

- Install Service Packs on Windows instances and perform minor version upgrades on Linux instances.

- You can patch fleets of EC2 instances or your on-premises servers and virtual machines (VMs) by operating system type.

- Supported versions of:

    * Windows Server

    * Amazon Linux

    * Amazon Linux 2

    * CentOS

    * Debian 

    * Oracle Linux

    * Red Hat Enterprise Linux (RHEL)

    * SUSE Linux Enterprise Server (SLES)

    * Ubuntu Server

- Patch Manager uses patch baselines, which include rules for auto-approving patches within days of their release, as well as a list of approved and rejected patches.

- You can install patches on a regular basis by scheduling patching to run as a Systems Manager maintenance window task.

- You can also install patches individually or to large groups of instances by using Amazon EC2 tags.

- You can add tags to your patch baselines themselves when you create or update them.

z) SSM Distributor

SSM Distributor lets you package your own software, or install AWS-provided agent software packages such as AmazonCloudWatchAgent, on AWS Systems Manager managed instances

- Upload a .msi, .deb, or .npm file to create a custom installation package that can be loaded on supported operating systems

What is a Software Package?

An archive of files that contains source code, an application and configuration specific to a type of operating system.

    * .msi (Windows Installer Package) - Windows updates, third-party software

    * .deb (Debian packages) - A Unix archive (ar) that contains two tar archives, one to hold control information and the other installable data

    * .npm (Node Package manager) - An archived file containing JavaScript files for NodeJS

- Software Packages can be installed/uninstalled one time or they can be installed/uninstalled on a schedule

- Distributor Packages support versioning

- You can share packages to other AWS accounts

aa) SSM Distributor - Manifest File

Schema Version - The version of the manifest file. It's always 2.0

Publisher - the name of the publisher, e.g. your organization

Platform, Version and Architecture - You can choose supported platforms and which install archive to use.

Version - Your own defined versioning

Packages - A list of the different platforms the package can be installed on

Files - You supply a checksum to ensure the package does not fail during installation 

ab) SSM Distributor Platforms

- In your manifest file you can specify the following operating systems and architectures


Platform                                   Code value in manifest file   Architecture

Windows Server                             windows                       x86_64 or 386

Debian                                     debian                        x86_64 or 386

Ubuntu                                     ubuntu                        x86_64 or 386 or arm64 (Ubuntu 16 and later, A1 instance types)

Red Hat Enterprise Linux (RHEL)            redhat                        x86_64 or 386 or arm64 (RHEL 7.6 and later, A1 instance types)

CentOS                                     centos                        x86_64 or 386

Amazon Linux (AL), Amazon Linux 2 (AL2)    amazon                        x86_64 or 386 or arm64 (AL2, A1 instance types)

SUSE Linux Enterprise Server (SLES)        suse                          x86_64 or 386

openSUSE                                   opensuse                      x86_64 or 386

openSUSE Leap                              opensuseleap                  x86_64 or 386

Oracle Linux                               oracle                        x86_64
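
The manifest fields and platform codes above, put together in an added example that is not part of the original notes: it builds a manifest with a SHA-256 checksum per install archive, then re-verifies the archives so a file changed after the manifest was written is caught before upload. The JSON nesting (`packages` by platform, platform version and architecture; `files` with `checksums`), the `_any` platform-version value, the file names and the publisher are assumptions of this example.

```python
"""Build and verify Distributor manifest checksums (added example)."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large installers are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(version, publisher, targets, pkg_dir):
    """targets: list of (platform code, platform version, architecture, file name)."""
    manifest = {"schemaVersion": "2.0", "version": version,
                "publisher": publisher, "packages": {}, "files": {}}
    for platform, platform_version, arch, name in targets:
        by_version = manifest["packages"].setdefault(platform, {})
        by_version.setdefault(platform_version, {})[arch] = {"file": name}
        manifest["files"][name] = {
            "checksums": {"sha256": sha256_file(os.path.join(pkg_dir, name))}}
    return manifest


def verify_manifest(manifest, pkg_dir):
    """Return problems found when re-checking archives against the manifest."""
    problems = []
    files = manifest.get("files", {})
    for platform, versions in manifest.get("packages", {}).items():
        for platform_version, archs in versions.items():
            for arch, entry in archs.items():
                name = entry["file"]
                where = f"{platform}/{platform_version}/{arch} ({name})"
                expected = files.get(name, {}).get("checksums", {}).get("sha256")
                path = os.path.join(pkg_dir, name)
                if expected is None:
                    problems.append(f"{where}: no sha256 in manifest")
                elif not os.path.isfile(path):
                    problems.append(f"{where}: archive missing")
                elif sha256_file(path) != expected:
                    problems.append(f"{where}: sha256 mismatch")
    return problems


def demo():
    """Build a manifest for two constructed archives, then tamper with one."""
    with tempfile.TemporaryDirectory() as pkg_dir:
        for name, body in (("agent-windows.zip", b"constructed windows payload"),
                           ("agent-ubuntu.zip", b"constructed ubuntu payload")):
            with open(os.path.join(pkg_dir, name), "wb") as fh:
                fh.write(body)
        manifest = build_manifest("1.0.0", "Your Org", [
            ("windows", "_any", "x86_64", "agent-windows.zip"),
            ("ubuntu", "_any", "x86_64", "agent-ubuntu.zip"),
        ], pkg_dir)
        clean = verify_manifest(manifest, pkg_dir)
        # Simulate an archive changed after the manifest was written.
        with open(os.path.join(pkg_dir, "agent-ubuntu.zip"), "ab") as fh:
            fh.write(b"!")
        tampered = verify_manifest(manifest, pkg_dir)
    return manifest, clean, tampered


if __name__ == "__main__":
    manifest, clean, tampered = demo()
    print(clean, tampered)
```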

ac) SSM Documents

What is Management as Code (MaC)?

The process of handling code changes for a fleet of remotely managed images to ensure resources meet the desired state.

- SSM Documents are a variety of code management documents relating to different SSM services. SSM Documents are either YAML or JSON files with parameters and a series of steps. The SSM Documents console consolidates all your documents into one place.

- Types of SSM Documents and how it is used with SSM services

    * Command Document

        ** Run Command - uses Command Documents to run commands on targets

        ** State Manager - uses Command Documents to apply configuration on targets

        ** Maintenance Windows - uses Command Documents to apply configuration on a schedule

    * Automation Document

        ** Automation - uses Automation Documents to perform maintenance tasks based on a resource's lifecycle

        ** State Manager - uses Automation Documents to apply configuration

        ** Maintenance Windows - uses Automation Documents to apply configuration on a schedule

    * Packages Document

        ** Distributor - uses Package Documents to install software onto managed instances

    * Session Document

        ** Session Manager - uses AWS-GatherSoftwareInventory Policy Document to collect inventory data from managed instances

    * Policy Document 

        ** State Manager - uses AWS-GatherSoftwareInventory Policy Document to collect inventory data from managed instances

    * Change Calendar Document 

        ** Change Calendar - uses the calendar data in a Change Calendar Document to prevent automations and actions during specific calendar periods

ad) Systems Manager CheatSheet

AWS Systems Manager is also known as AWS Simple Systems Manager (SSM)

- AWS SSM is an umbrella of AWS services used to automate the management of Virtual Machines. 

- In order for VMs to use SSM you need two things:

    * 1. SSM Agent - installed on the EC2 instances

        ** Already installed on AWS managed AMIs, e.g. Amazon Linux 1/2, Ubuntu 16/18

    * 2. SSM AWS Managed Policy - attached to your EC2 IAM Role (AmazonSSMManagedInstanceCore)

SSM Explorer - is a customizable operations dashboard that reports information about your AWS resources

OpsCenter is a consolidation of your operational work items (OpsItems) for your IT team to: View, Investigate, Resolve

    * OpsItems represent operational work that needs to be performed, e.g. "EC2 instance disk full"

SSM Run Command lets you remotely and securely manage the configuration of your managed instances.

    * Execute a Bash or PowerShell Command, Run Chef Recipes or Ansible Playbooks ...

SSM Automation is a service that allows you to define documents (runbooks) that execute a sequence of commands carrying out the runbook actions.

     * A runbook is a document that contains a series of instructional steps to perform an operation.

AWS Tags are words or phrases that act as metadata for organizing your AWS resources

- Resource Groups are a collection of AWS resources that share one or more tags

- Resource Groups can display details about a group of resources based on Metrics, Alarms and Configuration Settings

- SSM AppConfig is used to create, manage, and quickly deploy application configuration

    * Use it when you need to roll out changes to your application configuration files and need to avoid errors such as typos that could break your production environment

- SSM Change Calendars allow you to define when SSM Automations are allowed or not allowed to be executed by your team

SSM Maintenance Windows let you define a schedule for when to perform potentially disruptive actions on your instances such as patching an operating system, updating drivers, installing or patching software

SSM Configuration Compliance scans your fleet of managed instances for patch compliance and configuration inconsistencies

SSM Inventory provides visibility into your Amazon EC2 and on-premises computing environment.

SSM Activations allow you to register external resources to be managed by AWS Systems Manager

    * Activations issue you a Code and ID that function like an EC2 Access ID and Secret for your managed external instances.

SSM Session Manager lets you manage your EC2 instances, on-premises instances, and virtual machines (VMs) through an interactive one-click browser-based shell or through the AWS CLI.

SSM State Manager - is a secure and scalable configuration management service that automates the process of keeping your Amazon EC2 and hybrid infrastructure in a state that you define.

SSM Patch Manager automates the process of patching managed instances with both security related and other types of updates.

SSM Distributor lets you package your own software, or install AWS-provided agent software packages such as AmazonCloudWatchAgent, on AWS Systems Manager managed instances.

SSM Documents are a variety of code management documents relating to different SSM services.

    * SSM Documents are either YAML or JSON files with parameters and a series of steps.

    * SSM Documents console consolidates all your documents into one place.





3) SSM Parameter Store

- You can store data such as passwords, database strings, and license codes as parameter values.

- Store configuration data and secure strings in hierarchies and track versions

- You can encrypt parameters using KMS

- You group parameters together based on the naming convention by using forward slashes. This is how you create hierarchies. This allows you to fetch all parameters at different levels, e.g. /exampro/application/prod

- You choose a tier which limits how many parameters and the size of the values.

    * Standard

    * Advanced

    

- Type can be:

    * String - just a string

    * StringList - comma-separated string

    * SecureString - string encrypted with KMS

- Provide the value

Parameter Tiers

    * Standard

        ** Number of params / region : 10 000

        ** max size of param value : 4KB

        ** Parameter policies : No

        ** Cost : Free

    * Advanced

        ** Number of params / region : 100 000

        ** max size of param value : 8KB

        ** Parameter policies : Yes 

        ** Cost : $0.05 per parameter / month

- You can change a standard parameter to an advanced parameter at any time, but you can't revert an advanced parameter to a standard parameter.

- Reverting an advanced parameter to a standard parameter would result in data loss because the system would truncate the size of the parameter from 8KB to 4KB.

a) SSM Parameter Store - Parameter Policies

- Parameter policies are helpful in forcing you to update or delete passwords.

- Policies are enforced using asynchronous, periodic scans. After you create a policy, you don't need to perform additional actions to enforce it.

- You can assign multiple policies to a parameter

- Types:

    * Expiration - This policy deletes the parameter after a specified date and time.

    * ExpirationNotification - This policy triggers an event in Amazon CloudWatch Events that notifies you about the upcoming expiration.

    * NoChangeNotification - This policy triggers an event in CloudWatch if a parameter has not been modified for a specified period of time. This policy type is useful when, for example, a password needs to be changed within a period of time.

b) SSM Parameter Store - CLI Hierarchy Example

aws ssm put-parameter --name "/planets/vulcan/population" --value 4.9B --type String

aws ssm put-parameter --name "/planets/vulcan/gravity" --value 1.4G --type String

aws ssm put-parameter --name "/planets/vulcan/classification" --value M --type String

aws ssm get-parameters-by-path --path /planets/vulcan
