Node Tools

Table of Contents

  1. Introduction to AWS Systems Manager

  2. Prerequisites

  3. AWS Systems Manager Node Tools Overview

  4. Compliance

  5. Distributor

  6. Fleet Manager

  7. Hybrid Activations

  8. Inventory

  9. Patch Manager

  10. Run Command

  11. Session Manager

  12. State Manager

  13. Best Practices and Tips

  14. Summary


1. Introduction to AWS Systems Manager (SSM)

AWS Systems Manager helps you automatically apply OS patches, collect software inventory, configure OS and applications at scale, and automate operational tasks on AWS EC2 instances, on-premises servers, and virtual machines (VMs).

Node Tools are components of Systems Manager that help manage individual instances (nodes).


2. Prerequisites

  • AWS Account with appropriate permissions (SSM roles/policies).

  • EC2 instances with SSM Agent installed and running.

  • IAM roles attached to EC2 instances (e.g., AmazonSSMManagedInstanceCore).

  • AWS CLI configured or AWS Management Console access.

  • (For hybrid) On-premises servers or VMs reachable with Hybrid Activation.


3. AWS Systems Manager Node Tools Overview

| Tool | Description |
| --- | --- |
| Compliance | Assess and enforce configuration compliance of your instances. |
| Distributor | Distribute software packages and scripts to managed nodes. |
| Fleet Manager | Centralized management console for your managed instances' OS and applications. |
| Hybrid Activations | Manage on-premises servers or VMs with Systems Manager. |
| Inventory | Collect metadata about your instances and installed software. |
| Patch Manager | Automate patching of OS and software on instances. |
| Run Command | Execute commands or scripts remotely on instances. |
| Session Manager | Securely connect to instances without SSH/RDP. |
| State Manager | Automate configuration management and maintain desired states. |

4. Compliance

Overview

Compliance allows you to scan instances for compliance against policies (patching, configuration, etc.) and take remediation actions.

Practical Steps

  1. Define Compliance Items:

     • Use predefined compliance types (e.g., patch compliance).

     • Custom compliance can be created with AWS Config or custom scripts.

  2. View Compliance:

     • Go to AWS Console > Systems Manager > Compliance.

     • See compliance summary and details per instance.

  3. Example: Create Patch Compliance

     • Use Patch Manager to define patch baselines.

     • Apply baselines to patch groups.

     • View patch compliance reports.


5. Distributor

Overview

Distributor lets you package and distribute software or scripts to managed nodes.

Practical Steps

  1. Create a Distributor Package:

     • Prepare your software/script and package as .zip.

     • Go to Systems Manager > Distributor > Create Package.

     • Upload your package and define install/uninstall commands.

  2. Distribute Package:

     • Target instances or tags.

     • Monitor distribution progress.

  3. Example: Distribute a Custom Script

     • Create a script (e.g., install_myapp.sh).

     • Package it with a manifest.

     • Distribute and verify installation via Run Command.
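
The packaging step above, as an added example that is not part of the original page: it builds a reproducible .zip and a manifest that pins the archive by SHA-256, then checks the archive against that pin before upload. The archive name, version, script contents and the install.sh/uninstall.sh layout are assumptions made for illustration.

```python
import hashlib
import hmac
import io
import json
import zipfile

# Constructed payload. The install.sh / uninstall.sh entry points are the assumed
# layout for a Linux package; install_myapp.sh is the script named in the steps above.
PAYLOAD = {
    "install.sh": b"#!/bin/bash\nset -euo pipefail\nbash ./install_myapp.sh\n",
    "uninstall.sh": b"#!/bin/bash\nset -euo pipefail\nrm -f /usr/local/bin/myapp\n",
    "install_myapp.sh": b"#!/bin/bash\ninstall -m 0755 myapp /usr/local/bin/myapp\n",
}


def build_zip(files):
    """Zip the payload with sorted names and fixed timestamps so the digest is reproducible."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(files):
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            info.external_attr = 0o755 << 16  # keep the scripts executable
            zf.writestr(info, files[name])
    return buf.getvalue()


def build_manifest(zip_name, zip_bytes, version):
    """Manifest that pins the archive by SHA-256 for Amazon Linux on x86_64."""
    digest = hashlib.sha256(zip_bytes).hexdigest()
    return {
        "schemaVersion": "2.0",
        "version": version,
        "packages": {"amazon": {"_any": {"x86_64": {"file": zip_name}}}},
        "files": {zip_name: {"checksums": {"sha256": digest}}},
    }


def matches_manifest(manifest, zip_name, zip_bytes):
    """Pre-upload gate: the archive must still hash to the value the manifest pins."""
    pinned = manifest.get("files", {}).get(zip_name, {}).get("checksums", {}).get("sha256", "")
    return hmac.compare_digest(pinned, hashlib.sha256(zip_bytes).hexdigest())


if __name__ == "__main__":
    archive = build_zip(PAYLOAD)
    manifest = build_manifest("myapp_amzn_x86_64.zip", archive, "1.0.0")
    print(json.dumps(manifest, indent=2))
    print("archive matches manifest:", matches_manifest(manifest, "myapp_amzn_x86_64.zip", archive))
```

Running the same gate in the release pipeline catches an archive that was rebuilt or modified after the manifest was written.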


6. Fleet Manager

Overview

Fleet Manager provides a unified UI to view and manage your fleet of instances.

Practical Steps

  1. Access Fleet Manager:

     • AWS Console > Systems Manager > Fleet Manager.

     • Select instance, view instance info (CPU, disk, memory), users, processes.

  2. Manage Instances:

     • View logs, files, and perform common management tasks.

     • Connect to instance shells using Session Manager.

  3. Example: Use Fleet Manager to troubleshoot an instance

     • View running processes.

     • View disk usage.

     • Connect to shell for manual inspection.


7. Hybrid Activations

Overview

Allows you to register on-premises servers or VMs as managed instances.

Practical Steps

  1. Create Hybrid Activation:

     • Systems Manager > Hybrid Activations > Create activation.

     • Download activation code and ID.

  2. Install SSM Agent on on-prem servers:

     • Use activation code & ID to register on-prem server with AWS.

  3. Verify Managed Instance:

     • Confirm hybrid instance shows up in Systems Manager > Managed Instances.


8. Inventory

Overview

Collects metadata (OS, applications, network configs) from your managed nodes.

Practical Steps

  1. Enable Inventory Collection:

     • Go to Systems Manager > Inventory > Setup Inventory.

     • Choose target instances or tags.

  2. View Collected Data:

     • Access Inventory reports showing installed applications, network config, etc.

  3. Example: Collect Inventory of Installed Packages

     • Enable AWS-RunInventory document.

     • View inventory data in console or query via AWS CLI.


9. Patch Manager

Overview

Automates patching of operating systems and software.

Practical Steps

  1. Create Patch Baseline:

     • Go to Systems Manager > Patch Manager > Patch Baselines.

     • Use AWS predefined baseline or create custom.

  2. Assign Patch Group:

     • Tag instances with patch group tag.

     • Associate patch baseline with patch group.

  3. Run Patch Compliance Scan:

     • Manually or scheduled via maintenance windows.

  4. Example: Schedule Patching

     • Create maintenance window.

     • Register patch task.

     • Automate patch deployment and compliance reporting.
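
One way to act on the compliance reporting step, as an added example that is not part of the original page: it reads records shaped like `aws ssm describe-instance-patch-states` output and lists the nodes that need attention, including managed nodes that never reported a patch state. The instance IDs, patch group names, timestamps and the 14-day threshold are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `aws ssm describe-instance-patch-states` output
# (ISO 8601 timestamps assumed).
PATCH_STATES = [
    {"InstanceId": "i-0aaa", "PatchGroup": "prod-web", "MissingCount": 0, "FailedCount": 0,
     "CriticalNonCompliantCount": 0, "OperationEndTime": "2024-06-10T03:00:00+00:00"},
    {"InstanceId": "i-0bbb", "PatchGroup": "prod-web", "MissingCount": 4, "FailedCount": 1,
     "CriticalNonCompliantCount": 2, "OperationEndTime": "2024-06-10T03:05:00+00:00"},
    {"InstanceId": "i-0ccc", "PatchGroup": "", "MissingCount": 0, "FailedCount": 0,
     "CriticalNonCompliantCount": 0, "OperationEndTime": "2024-04-01T03:00:00+00:00"},
]
MANAGED_IDS = ["i-0aaa", "i-0bbb", "i-0ccc", "i-0ddd"]  # constructed: nodes registered with SSM


def patch_findings(states, managed_ids, now, max_age_days=14):
    """Return {instance_id: [reasons]} for nodes whose patch posture needs attention."""
    by_id = {s["InstanceId"]: s for s in states}
    findings = {}
    for iid in managed_ids:
        state = by_id.get(iid)
        reasons = []
        if state is None:
            # A managed node with no patch state has never been scanned at all.
            reasons.append("no patch state reported: never scanned")
        else:
            missing, failed = state.get("MissingCount", 0), state.get("FailedCount", 0)
            if missing or failed:
                reasons.append(f"patches outstanding: missing={missing} failed={failed}")
            critical = state.get("CriticalNonCompliantCount", 0)
            if critical:
                reasons.append(f"critical patches non-compliant: {critical}")
            if not state.get("PatchGroup"):
                reasons.append("no patch group: default baseline applies")
            ended = datetime.fromisoformat(state["OperationEndTime"])
            if now - ended > timedelta(days=max_age_days):
                reasons.append(f"last patch operation older than {max_age_days} days")
        if reasons:
            findings[iid] = reasons
    return findings


if __name__ == "__main__":
    report = patch_findings(PATCH_STATES, MANAGED_IDS, datetime(2024, 6, 12, tzinfo=timezone.utc))
    for instance_id, reasons in report.items():
        print(instance_id, "->", "; ".join(reasons))
```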


10. Run Command

Overview

Run shell commands/scripts remotely on your instances.

Practical Steps

  1. Run a Command:

     • Systems Manager > Run Command > Run a command.

     • Select command document (AWS-RunShellScript).

     • Specify instances or tags.

     • Provide script/commands.

  2. View Results:

     • Check command status and output in console or via CLI.

  3. Example: Update Packages

     • Run this as a command on your Linux instances:

       sudo yum update -y
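
Because Run Command executes scripts on every targeted node, its use is worth reviewing. The following is an added example, not part of the original page: it triages CloudTrail `SendCommand` records for script documents sent by callers outside an allowlist or aimed at tag-based targets. The records, account ID, role names and the allowlist are constructed for illustration.

```python
SCRIPT_DOCS = {"AWS-RunShellScript", "AWS-RunPowerShellScript"}
APPROVED_ROLES = {"ops-automation"}  # hypothetical allowlist of roles expected to send scripts
ACCT = "111122223333"                # constructed account ID
SSM = {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand"}

# Constructed, simplified CloudTrail records (only the fields the triage reads).
EVENTS = [
    {**SSM, "eventTime": "2024-06-10T03:00:00Z",
     "userIdentity": {"arn": f"arn:aws:sts::{ACCT}:assumed-role/ops-automation/patch-job"},
     "requestParameters": {"documentName": "AWS-RunShellScript", "instanceIds": ["i-0aaa"]}},
    {**SSM, "eventTime": "2024-06-10T22:41:00Z",
     "userIdentity": {"arn": f"arn:aws:sts::{ACCT}:assumed-role/developer/alice"},
     "requestParameters": {"documentName": "AWS-RunShellScript",
                           "targets": [{"key": "tag:Env", "values": ["prod"]}]}},
    {**SSM, "eventTime": "2024-06-11T01:00:00Z",
     "userIdentity": {"arn": f"arn:aws:sts::{ACCT}:assumed-role/ops-automation/patch-job"},
     "requestParameters": {"documentName": "AWS-RunPatchBaseline",
                           "targets": [{"key": "tag:Env", "values": ["prod"]}]}},
    {**SSM, "eventTime": "2024-06-11T04:12:00Z", "errorCode": "AccessDenied",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCT}:user/bob"},
     "requestParameters": {"documentName": "AWS-RunShellScript", "instanceIds": ["i-0bbb"]}},
]


def role_name(arn):
    """arn:aws:sts::<acct>:assumed-role/<role>/<session> -> <role>; any other principal -> ''."""
    parts = arn.split(":", 5)
    segments = parts[5].split("/") if len(parts) == 6 else [""]
    return segments[1] if segments[0] == "assumed-role" and len(segments) >= 2 else ""


def triage(events):
    """Return one alert per script-document SendCommand that needs a human look."""
    alerts = []
    for ev in events:
        if ev.get("eventSource") != "ssm.amazonaws.com" or ev.get("eventName") != "SendCommand":
            continue
        req = ev.get("requestParameters") or {}  # may be null on some failed calls
        if req.get("documentName") not in SCRIPT_DOCS:
            continue
        arn = ev.get("userIdentity", {}).get("arn", "")
        reasons = []
        if role_name(arn) not in APPROVED_ROLES:
            reasons.append("caller not on Run Command allowlist")
        if req.get("targets") and not req.get("instanceIds"):
            reasons.append("tag targeting: affected nodes are not a fixed list")
        if ev.get("errorCode"):
            reasons.append(f"call failed: {ev['errorCode']}")
        if reasons:
            alerts.append({"time": ev.get("eventTime"), "caller": arn, "reasons": reasons})
    return alerts
```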

11. Session Manager

Overview

Securely connect to instances without SSH keys or open ports.

Practical Steps

  1. Start Session:

     • Systems Manager > Session Manager > Start session.

     • Select instance.

  2. Connect via CLI:

       aws ssm start-session --target instance-id

  3. Advanced: Enable port forwarding or logging.
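
Session logging is controlled by the Session Manager preferences document (SSM-SessionManagerRunShell). The following is an added example, not part of the original page: it audits a copy of that document for missing log destinations, unencrypted destinations and related session settings. The bucket, log group, key alias and user names are constructed, and the 20-minute idle threshold is an assumption.

```python
# Constructed copies of a Session Manager preferences document.
DEFAULT_PREFS = {"schemaVersion": "1.0", "sessionType": "Standard_Stream", "inputs": {
    "s3BucketName": "", "s3EncryptionEnabled": True,
    "cloudWatchLogGroupName": "", "cloudWatchEncryptionEnabled": True,
    "kmsKeyId": "", "idleSessionTimeout": "20",
    "runAsEnabled": False, "runAsDefaultUser": ""}}

HARDENED_PREFS = {"schemaVersion": "1.0", "sessionType": "Standard_Stream", "inputs": {
    "s3BucketName": "example-session-logs", "s3EncryptionEnabled": True,
    "cloudWatchLogGroupName": "/ssm/sessions", "cloudWatchEncryptionEnabled": True,
    "kmsKeyId": "alias/example-session-key", "idleSessionTimeout": "15",
    "runAsEnabled": True, "runAsDefaultUser": "ssm-operator"}}


def audit_session_prefs(doc, max_idle_minutes=20):
    """Return a list of findings for one preferences document; empty means nothing flagged."""
    inputs = doc.get("inputs", {})
    findings = []
    s3 = inputs.get("s3BucketName", "")
    cw = inputs.get("cloudWatchLogGroupName", "")
    if not s3 and not cw:
        findings.append("no log destination: session activity is not recorded")
    # The *EncryptionEnabled flags make Session Manager refuse an unencrypted destination.
    if s3 and not inputs.get("s3EncryptionEnabled", False):
        findings.append("S3 logging accepts an unencrypted bucket")
    if cw and not inputs.get("cloudWatchEncryptionEnabled", False):
        findings.append("CloudWatch logging accepts an unencrypted log group")
    if not inputs.get("kmsKeyId"):
        findings.append("no KMS key: session data is protected by TLS only")
    idle = int(inputs.get("idleSessionTimeout") or "20")  # stored as a string, empty means default
    if idle > max_idle_minutes:
        findings.append(f"idle timeout {idle} min exceeds {max_idle_minutes}")
    if not inputs.get("runAsEnabled", False):
        findings.append("Run As disabled: Linux sessions start as the default ssm-user account")
    return findings


if __name__ == "__main__":
    for name, doc in (("default", DEFAULT_PREFS), ("hardened", HARDENED_PREFS)):
        print(name, audit_session_prefs(doc))
```

Session logging does not cover sessions that connect through port forwarding or SSH, so the two options in the step above are not interchangeable from an audit point of view.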

12. State Manager

Overview

Maintain and enforce instance configuration at scale.

Practical Steps

  1. Create Association:

     • Define document (e.g., AWS-ConfigureWindowsUpdate).

     • Target instances or tags.

     • Set schedule or event trigger.

  2. Example: Enforce NTP settings

     • Use a custom SSM document or predefined.

     • Apply via State Manager association.

     • Monitor compliance via console or CLI.


13. Best Practices and Tips

  • Use IAM roles properly: Ensure instances have AmazonSSMManagedInstanceCore.

  • Tagging: Use consistent tagging for patch groups, inventory, and associations.

  • Use Maintenance Windows: For patching and configuration changes to avoid disruptions.

  • Logging & Auditing: Enable SSM Session Manager logging to CloudWatch or S3.

  • Security: Use Session Manager instead of SSH, disable SSH inbound ports.
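
To check the last tip, the following added example (not part of the original page) scans data shaped like `aws ec2 describe-security-groups` output and reports every inbound rule that still admits TCP port 22, including port ranges and all-protocol rules. The group IDs and CIDR ranges are constructed for illustration.

```python
import ipaddress

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [          # port range that contains 22
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [          # all protocols: no FromPort/ToPort keys
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "192.0.2.0/24"}]}]},
    {"GroupId": "sg-0ddd", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]}


def allows_ssh(perm):
    """True when the rule covers TCP/22, either explicitly, by range, or via all protocols."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    return proto == "tcp" and perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535)


def ssh_ingress(groups):
    """Return (group_id, source, exposure) for every inbound rule that still admits SSH."""
    hits = []
    for sg in groups.get("SecurityGroups", []):
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            if not allows_ssh(perm):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                hits.append((gid, cidr, "internet" if net.prefixlen == 0 else "restricted"))
            for pair in perm.get("UserIdGroupPairs", []):
                hits.append((gid, pair["GroupId"], "security-group"))
            for plist in perm.get("PrefixListIds", []):
                hits.append((gid, plist["PrefixListId"], "prefix-list"))
    return hits


if __name__ == "__main__":
    for hit in ssh_ingress(SECURITY_GROUPS):
        print(*hit)
```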


14. Summary

| Tool | Key Use Case |
| --- | --- |
| Compliance | Audit instance compliance |
| Distributor | Deploy software packages |
| Fleet Manager | Manage instance health and OS info |
| Hybrid Activations | Register on-prem servers as managed instances |
| Inventory | Collect system and software metadata |
| Patch Manager | Automate patching |
| Run Command | Execute commands remotely |
| Session Manager | Secure shell access without SSH |
| State Manager | Enforce configuration at scale |