AWS Systems Manager
Unified interface for viewing operational data from AWS services
Systems Manager is like a Swiss Army knife for managing your AWS infrastructure. It's a collection of tools for common operational tasks: run commands on multiple servers simultaneously (no SSH needed), patch servers automatically, store configuration parameters securely, create maintenance windows, and track inventory. Instead of logging into each server individually, you use Systems Manager to manage hundreds of servers from one interface. It's like having a remote control for your entire infrastructure; you can see what's running, make changes, and automate routine tasks without touching individual servers.
Systems Manager consists of multiple capabilities: Run Command (execute scripts on instances), Session Manager (browser- and CLI-based shell access without SSH), Patch Manager (automate OS patching), Parameter Store (secure configuration storage), State Manager (maintain instance configuration), Automation (workflow automation), and OpsCenter (centralized operational issue management). An instance only becomes a managed node when three things are in place: the SSM Agent is installed and running, the instance has an instance profile (IAM role) that grants Systems Manager permissions (the AWS managed policy AmazonSSMManagedInstanceCore is the usual baseline), and the instance can reach the Systems Manager endpoints outbound, either through internet/NAT egress or through VPC interface endpoints for ssm, ssmmessages and ec2messages. The agent initiates every connection; nothing inbound is ever opened.
Key Capabilities
- Session Manager provides browser and CLI shell access to EC2 instances and on-premises servers without SSH keys or open inbound ports
- Run Command executes scripts and commands across fleets of instances simultaneously without logging in to each one individually
- Patch Manager automates OS and application patching across EC2 and on-premises servers on a configurable maintenance schedule
- Parameter Store stores configuration values and secrets as String, StringList or SecureString parameters; the standard tier is free and accepts values up to 4 KB, and SecureString values are encrypted with a KMS key (the AWS managed key by default, or a customer managed key you choose)
- Automation runbooks orchestrate multi-step operational tasks such as AMI creation, instance remediation, and cross-account operations
- Inventory collects metadata about installed software, network configuration, and running services across managed instances for visibility and compliance reporting
Gotchas & Constraints
Gotcha #1: SSM Agent must be installed and running. AWS-supplied AMIs for Amazon Linux, Ubuntu Server and Windows Server ship with it preinstalled; other OSes and on-premises servers require manual installation (on-premises servers also need a hybrid activation to register). An instance with the agent but without an instance profile, or without a network path to the Systems Manager endpoints, never appears as a managed node, which is the most common cause of "my instance isn't in the list". Gotcha #2: Parameter Store has a free standard tier (up to 10,000 parameters per account per Region, values up to 4 KB, standard throughput) and a paid advanced tier (values up to 8 KB, parameter policies such as expiration and no-change notifications, higher throughput); a standard parameter can be upgraded to advanced but cannot be changed back. Constraints: Run Command fans out to at most 50 targets at a time by default (MaxConcurrency, settable per command as a count or a percentage, with MaxErrors as the stop condition), Session Manager ends a session after 20 minutes of inactivity by default (the idle timeout is configurable from 1 to 60 minutes in the session preferences, and a maximum session duration can be set as well), and Parameter Store values are limited to 4 KB (standard) or 8 KB (advanced).
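The Parameter Store points above (SecureString with a KMS key, the 4 KB standard versus 8 KB advanced size limits, and reading a whole hierarchy back with decryption) as an added example; this is not code from the original page or from AWS. The path /app/prod, the parameter names and the KMS alias are assumptions, and SampleParameterStore is a constructed stand-in for a boto3 SSM client whose responses are hard-coded so the example runs offline. With a real client, `boto3.client("ssm")` takes its place unchanged.

```python
"""Parameter Store as an application's config and secret store (added example)."""
from typing import Dict, List, Optional

# Value size limits per tier, in bytes. Standard parameters are free, advanced
# parameters are billed; neither accepts a value over its limit.
STANDARD_MAX_BYTES = 4096
ADVANCED_MAX_BYTES = 8192

# Path leaf names that must always be stored as SecureString (KMS-encrypted).
SECRET_LEAVES = {"password", "secret", "token", "api_key", "private_key"}


def choose_tier(value: str) -> str:
    """Pick the cheapest tier whose size limit the value fits into."""
    size = len(value.encode("utf-8"))
    if size <= STANDARD_MAX_BYTES:
        return "Standard"
    if size <= ADVANCED_MAX_BYTES:
        return "Advanced"
    raise ValueError(f"value is {size} bytes; Parameter Store tops out at {ADVANCED_MAX_BYTES}")


def put_secret(ssm, name: str, value: str, kms_key_id: str) -> str:
    """Write a secret as a SecureString under the given KMS key; returns the tier used."""
    tier = choose_tier(value)
    ssm.put_parameter(Name=name, Value=value, Type="SecureString",
                      KeyId=kms_key_id, Tier=tier, Overwrite=True)
    return tier


def load_config(ssm, path: str) -> Dict[str, str]:
    """Fetch every parameter under `path` (e.g. /app/prod), decrypting SecureStrings.

    Pages through NextToken, and refuses to start if a secret-looking parameter was
    stored as a plain String, so a mistake at write time fails loudly at startup
    instead of leaving a plaintext secret in the store.
    """
    base = path.rstrip("/")
    prefix = base + "/"
    config: Dict[str, str] = {}
    token: Optional[str] = None
    while True:
        kwargs = dict(Path=base, Recursive=True, WithDecryption=True)
        if token:
            kwargs["NextToken"] = token
        page = ssm.get_parameters_by_path(**kwargs)
        for p in page["Parameters"]:
            rel = p["Name"][len(prefix):]          # /app/prod/db/host -> db/host
            leaf = rel.rsplit("/", 1)[-1]
            if leaf in SECRET_LEAVES and p["Type"] != "SecureString":
                raise RuntimeError(f"{p['Name']} must be a SecureString, found {p['Type']}")
            config[rel] = p["Value"]
        token = page.get("NextToken")
        if not token:
            return config


class SampleParameterStore:
    """Constructed stand-in for a boto3 SSM client so the example runs offline.

    Responses are hard-coded sample data in the shape the real API returns;
    `WithDecryption=True` is why the SecureString comes back in plaintext.
    """
    def __init__(self, pages: Optional[List[dict]] = None):
        self.pages = pages or [
            {"Parameters": [
                {"Name": "/app/prod/db/host", "Type": "String", "Value": "db.internal"},
                {"Name": "/app/prod/db/password", "Type": "SecureString", "Value": "hunter2"},
            ], "NextToken": "page-2"},
            {"Parameters": [
                {"Name": "/app/prod/features", "Type": "StringList", "Value": "a,b"},
            ]},
        ]
        self.calls: List[dict] = []
        self.written: Dict[str, dict] = {}

    def get_parameters_by_path(self, **kwargs):
        self.calls.append(kwargs)
        return self.pages[len(self.calls) - 1]

    def put_parameter(self, **kwargs):
        self.written[kwargs["Name"]] = kwargs


if __name__ == "__main__":
    ssm = SampleParameterStore()
    print(put_secret(ssm, "/app/prod/db/password", "hunter2", "alias/app-prod"))
    print(load_config(ssm, "/app/prod"))
```

The caller that reads the hierarchy needs ssm:GetParametersByPath on the path ARN plus kms:Decrypt on the key; scoping both to the environment's path and key is what keeps a dev role from reading prod secrets.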
A company manages 500 EC2 instances across 10 AWS accounts. Previously, they used SSH through bastion hosts: slow, insecure (long-lived SSH keys scattered across laptops and servers, port 22 open to the bastions), and hard to audit. They migrate to Systems Manager: install the SSM Agent on all instances, attach instance profiles with Systems Manager permissions, then close port 22 in the security groups and retire the bastion hosts. For patching, they use Patch Manager with maintenance windows; patch dev instances every Sunday at 2 AM and prod instances every Saturday at 3 AM. For configuration, they store database connection strings in Parameter Store as SecureString parameters encrypted with a customer managed KMS key, and applications read them at startup with GetParametersByPath and WithDecryption; no hardcoded secrets. When they need to update a configuration file on all web servers, they use Run Command to execute a script on 100 tagged instances at once. For troubleshooting, they use Session Manager to reach instances from the browser or CLI; no SSH keys, no bastion hosts, every StartSession call recorded in CloudTrail, and the session transcripts streamed to CloudWatch Logs through the session preferences.
The Result
90% reduction in operational overhead, improved security (no SSH keys), and full audit trail of all actions.
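The migration in the scenario above, as an added example that is not code from the original page or from AWS: it builds the instance role trust policy, the regional Session Manager preferences (transcripts to CloudWatch Logs, KMS-encrypted channel, 20-minute idle timeout), a least-privilege policy for the humans who open sessions, and the SendCommand call for the fleet-wide script. The account ID, Region, role name, log group, KMS key ARN and the Role=web tag are assumptions. The builder functions are pure and run offline; passing --apply imports boto3 and makes the calls against your account.

```python
"""Bastion-host SSH replaced by Session Manager (added example, assumed names)."""
import json
import sys

# Assumed values; substitute your own.
ACCOUNT = "123456789012"
REGION = "us-east-1"
INSTANCE_ROLE = "ssm-managed-instance"
LOG_GROUP = "/ssm/sessions"
KMS_KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/00000000-0000-0000-0000-000000000000"
SESSION_DOC = "SSM-SessionManagerRunShell"   # the fixed name Session Manager reads per Region


def instance_role_trust_policy() -> dict:
    """Only the EC2 service may assume the role the SSM Agent runs under."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}


def session_preferences(log_group: str, kms_key_arn: str, idle_minutes: int = 20) -> dict:
    """Content of the regional session preferences document: stream every session
    transcript to CloudWatch Logs, encrypt the session with KMS, drop idle sessions."""
    return {
        "schemaVersion": "1.0",
        "description": "Session Manager regional settings",
        "sessionType": "Standard_Stream",
        "inputs": {
            "s3BucketName": "", "s3KeyPrefix": "", "s3EncryptionEnabled": True,
            "cloudWatchLogGroupName": log_group,
            "cloudWatchEncryptionEnabled": True,
            "cloudWatchStreamingEnabled": True,
            "kmsKeyId": kms_key_arn,
            "runAsEnabled": False, "runAsDefaultUser": "",
            "idleSessionTimeout": str(idle_minutes),
            "maxSessionDuration": "",
            "shellProfile": {"windows": "", "linux": ""},
        },
    }


def operator_policy(account: str, region: str, tag_key: str, tag_value: str, kms_key_arn: str) -> dict:
    """IAM policy for humans: sessions only to instances tagged tag_key=tag_value,
    only via the regional preferences document (so logging cannot be bypassed by
    naming another document), and resume/terminate only of their own sessions."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ssm:StartSession",
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringEquals": {f"ssm:resourceTag/{tag_key}": tag_value}}},
        {"Effect": "Allow", "Action": "ssm:StartSession",
         "Resource": f"arn:aws:ssm:{region}:{account}:document/{SESSION_DOC}",
         "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}}},
        {"Effect": "Allow", "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
         "Resource": "arn:aws:ssm:*:*:session/${aws:userid}-*"},
        {"Effect": "Allow", "Action": "kms:GenerateDataKey", "Resource": kms_key_arn},
    ]}


def fleet_command(tag_key: str, tag_value: str, commands: list, log_group: str) -> dict:
    """SendCommand arguments: run a script on every instance carrying the tag,
    50 at a time (the default), abort after 5 failures, keep output in CloudWatch."""
    return dict(
        DocumentName="AWS-RunShellScript",
        Targets=[{"Key": f"tag:{tag_key}", "Values": [tag_value]}],
        Parameters={"commands": commands},
        MaxConcurrency="50", MaxErrors="5",
        CloudWatchOutputConfig={"CloudWatchOutputEnabled": True,
                                "CloudWatchLogGroupName": log_group},
    )


def apply(iam, ssm) -> str:
    """Create the instance role and profile, install the session preferences,
    and push one config change to the web fleet; returns the command ID."""
    iam.create_role(RoleName=INSTANCE_ROLE,
                    AssumeRolePolicyDocument=json.dumps(instance_role_trust_policy()))
    iam.attach_role_policy(RoleName=INSTANCE_ROLE,
                           PolicyArn="arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore")
    iam.create_instance_profile(InstanceProfileName=INSTANCE_ROLE)
    iam.add_role_to_instance_profile(InstanceProfileName=INSTANCE_ROLE, RoleName=INSTANCE_ROLE)
    ssm.create_document(Name=SESSION_DOC, DocumentType="Session", DocumentFormat="JSON",
                        Content=json.dumps(session_preferences(LOG_GROUP, KMS_KEY_ARN)))
    resp = ssm.send_command(**fleet_command("Role", "web", ["sudo systemctl reload nginx"], LOG_GROUP))
    return resp["Command"]["CommandId"]


if __name__ == "__main__":
    if "--apply" in sys.argv:
        import boto3  # imported lazily so the builders stay usable without the SDK
        print(apply(boto3.client("iam"), boto3.client("ssm", region_name=REGION)))
    else:
        print(json.dumps(operator_policy(ACCOUNT, REGION, "Role", "web", KMS_KEY_ARN), indent=2))
```

Two caveats that bite in practice: with CloudWatch logging and KMS encryption turned on in the preferences, the instance role needs more than AmazonSSMManagedInstanceCore (logs:CreateLogStream, logs:PutLogEvents, logs:DescribeLogGroups, logs:DescribeLogStreams on the log group and kms:Decrypt on the key), and the operator's kms:GenerateDataKey on the same key is what lets the session start at all. The tag condition is only as strong as who can set tags, so ec2:CreateTags on instances belongs with the infrastructure role, not with the session operators.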