AWS Certified Solutions Architect Study Guide. David Higby Clinton


Read online: AWS Certified Solutions Architect Study Guide - David Higby Clinton, page 29



have the software you want them to have and are configured in the way you define. More generally, State Manager can automatically run command and policy documents against your instances, either one time only or on a schedule. For example, you may want to install antivirus software on your instances and then take a software inventory.

      To use State Manager, you must create an association that defines the command document to run, any parameters you want to pass to it, the target instances, and the schedule. Once you create an association, State Manager will immediately execute it against the target instances that are online. Thereafter, it will follow the schedule.

      There is currently only one policy document you can use with State Manager: AWS-GatherSoftwareInventory. This document defines what specific metadata to collect from your instances. Despite the name, in addition to collecting software inventory, you can have it collect network configurations, file information, CPU information, and for Windows, registry values.

      Insights

      Insights aggregate health, compliance, and operational details about your AWS resources into a single area of AWS Systems Manager. Some insights are categorized according to AWS resource groups, which are collections of resources in an AWS region. You define a resource group based on one or more tag keys and optionally tag values. For example, you can apply the same tag key to all resources related to a particular application—EC2 instances, S3 buckets, EBS volumes, security groups, and so on. Insight categories are covered next.

      Built‐in Insights

      Built‐in insights are monitoring views that Systems Manager makes available to you by default. Built‐in insights include the following:

       AWS Config Compliance This insight shows the total number of resources in a resource group that are compliant or noncompliant with AWS Config rules, as well as compliance by resource. It also shows a brief history of configuration changes tracked by AWS Config.

       CloudTrail Events This insight displays each resource in the group, the resource type, and the last event that CloudTrail recorded against the resource.

       Personal Health Dashboard The Personal Health Dashboard contains alerts when AWS experiences an issue that may impact your resources. For example, some service APIs occasionally experience increased latency. It also shows you the number of events that AWS resolved within the last 24 hours.

       Trusted Advisor Recommendations The AWS Trusted Advisor tool can check your AWS environment for optimizations and recommendations related to cost optimization, performance, security, and fault tolerance. It will also show you when you've exceeded 80 percent of your limit for a service.

      Business and Enterprise support customers get access to all Trusted Advisor checks. All AWS customers get the following security checks for free:

       Public access to an S3 bucket, particularly upload and delete access

       Security groups with unrestricted access to ports that normally should be restricted, such as TCP port 1433 (MySQL) and 3389 (Remote Desktop Protocol)

       Whether you've created an IAM user

       Whether multifactor authentication is enabled for the root user

       Public access to an EBS or RDS snapshot
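      As an added example (not code from the book), the security group check in the list above reproduced offline in Python: it walks a constructed sample shaped like the SecurityGroups list that aws ec2 describe-security-groups returns and reports every sensitive TCP port reachable from 0.0.0.0/0 or ::/0, including ports hidden inside a port range or an "all traffic" rule. The port set and the group IDs are assumptions.

```python
from typing import Dict, List, Set, Tuple

# Ports the text lists as normally restricted; the set is an assumption the caller can extend.
SENSITIVE_TCP_PORTS: Set[int] = {1433, 3389}
ANYWHERE = {"0.0.0.0/0", "::/0"}        # IPv4 and IPv6 "open to the world"
Finding = Tuple[str, int, str]          # (GroupId, port, open CIDR)


def _open_cidrs(perm: Dict) -> List[str]:
    """CIDRs in one IpPermission that admit traffic from the whole internet."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in ANYWHERE]


def _allows_tcp(perm: Dict, port: int) -> bool:
    """True if the rule reaches TCP `port`: exact, inside a FromPort-ToPort range, or all traffic (-1)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    return proto == "tcp" and perm["FromPort"] <= port <= perm["ToPort"]


def find_unrestricted_sensitive_ports(groups: List[Dict],
                                      ports: Set[int] = SENSITIVE_TCP_PORTS) -> List[Finding]:
    """Walk the SecurityGroups list from describe-security-groups; one finding per
    (group, sensitive port, open CIDR) where the port is reachable from anywhere."""
    findings: List[Finding] = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            for cidr in _open_cidrs(perm):
                findings += [(sg["GroupId"], p, cidr) for p in sorted(ports) if _allows_tcp(perm, p)]
    return findings


# Constructed sample in the shape of the API response; the group ids are placeholders.
SAMPLE_GROUPS: List[Dict] = [
    {"GroupId": "sg-0a", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0b", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1000, "ToPort": 2000, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "udp", "FromPort": 1433, "ToPort": 1433, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0c", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for group_id, port, cidr in find_unrestricted_sensitive_ports(SAMPLE_GROUPS):
        print(f"{group_id}: TCP {port} reachable from {cidr}")
```

      The UDP rule in sg-0b is deliberately not reported, while the IPv6 range rule and the all-traffic rule are, which is the behaviour to expect from a port-scoped check.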

      Inventory Manager

      The Inventory Manager collects data from your instances, including operating system and application versions. Inventory Manager can collect data for the following:

       Operating system name and version

       Applications and filenames, versions, and sizes

       Network configuration, including IP and media access control (MAC) addresses

       Windows updates, roles, services, and registry values

       CPU model, cores, and speed

      You choose which instances to collect data from by creating a regionwide inventory association by executing the AWS-GatherSoftwareInventory policy document. You can choose all instances in your account or select instances manually or by tag. When you choose all instances in your account, it's called a global inventory association, and new instances you create in the region are automatically added to it. Inventory collection occurs at least every 30 minutes.

      When you configure the Systems Manager agent on an on‐premises server, you specify a region for inventory purposes. To aggregate metadata for instances from different regions and accounts, you may configure Resource Data Sync in each region to store all inventory data in a single S3 bucket.

      Compliance

      Compliance insights show how the patch and association status of your instances stacks up against the rules you've configured. Patch compliance shows the number of instances that have the patches in their configured baseline, as well as details of the specific patches installed. Association compliance shows the number of instances that have had an association successfully executed against them.

      The following example code shows how you can use an AWS CLI command to deploy an EC2 instance that includes many of the features you learned about in this chapter. Naturally, the --image-id, --security-group-ids, and --subnet-id values are not real. Those you would replace with actual IDs that fit your account and region.

      aws ec2 run-instances --image-id ami-xxxxxxxx --count 1 \
          --instance-type t2.micro --key-name MyKeyPair \
          --security-group-ids sg-xxxxxxxx --subnet-id subnet-xxxxxxxx \
          --user-data file://my_script.sh \
          --tag-specifications \
          'ResourceType=instance,Tags=[{Key=webserver,Value=production}]' \
          'ResourceType=volume,Tags=[{Key=cost-center,Value=cc123}]'

      This example launches a single (--count 1) instance that's based on the specified AMI. The desired instance type, key name, security group, and subnet are all identified. A script file (which must exist locally so it can be read) is added using the --user-data argument, and two tags are associated with the instance (webserver:production and cost-center:cc123).

      Install the AWS CLI and Use It to Launch an EC2 Instance

      Need help? Learn how to install the AWS CLI for your OS here:

       docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html

      Refer to the previous AWS CLI example for help launching your instance. (Hint: You will need to fill in some xxxxx placeholders with actual resource IDs.)
