AWS Systems Manager
Unified interface for viewing operational data from AWS services
Systems Manager is like a Swiss Army knife for managing your AWS infrastructure. It's a collection of tools for common operational tasks: run commands on multiple servers simultaneously (no SSH needed), patch servers automatically, store configuration parameters securely, create maintenance windows, and track inventory. Instead of logging into each server individually, you use Systems Manager to manage hundreds of servers from one interface. It's like having a remote control for your entire infrastructure; you can see what's running, make changes, and automate routine tasks without touching individual servers.
Systems Manager consists of multiple capabilities: Run Command (execute scripts on instances), Session Manager (browser-based SSH alternative), Patch Manager (automate OS patching), Parameter Store (secure configuration storage), State Manager (maintain instance configuration), Automation (workflow automation), and OpsCenter (centralized operational issue management). Instances must have the SSM Agent installed and an IAM role (instance profile) that grants Systems Manager permissions.
Key Capabilities
Key features: no inbound ports required (the agent connects outbound), CloudTrail logging (every action is audited), and cross-account/cross-region management.
Gotchas & Constraints
Gotcha #1: The SSM Agent must be installed and running; Amazon Linux 2 includes it, but other OSes require manual installation. Gotcha #2: Parameter Store has a free tier (10,000 parameters, standard throughput) and a paid tier (advanced parameters, higher throughput). Constraints: Run Command is limited to 50 concurrent executions per account per region, Session Manager sessions time out after 20 minutes of inactivity, and Parameter Store values are limited to 8KB (standard) or 8KB-4MB (advanced).
A company manages 500 EC2 instances across 10 AWS accounts. Previously, they used SSH with bastion hosts: slow, insecure (SSH keys everywhere), and hard to audit. They migrate to Systems Manager: install the SSM Agent on all instances, create IAM roles with Systems Manager permissions, and remove SSH access. For patching, they use Patch Manager with maintenance windows; dev instances are patched every Sunday at 2 AM, prod instances every Saturday at 3 AM. For configuration, they store database connection strings in Parameter Store (encrypted with KMS) and reference them from applications; no hardcoded secrets. When they need to update a configuration file on all web servers, they use Run Command to execute a script on 100 instances simultaneously. For troubleshooting, they use Session Manager to access instances through the browser; no SSH keys, no bastion hosts, and all sessions logged to CloudTrail.
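The Parameter Store piece of the scenario above, as an added example that is not part of the original page: a loader an application would call at startup to pull its configuration hierarchy with KMS decryption, following result pagination and refusing a secret that someone stored as a plain String instead of a SecureString. The /myapp/prod hierarchy, the secret-name suffixes and the FakeSSM stand-in are assumptions so the code runs offline; in production the real boto3 SSM client is passed in.

```python
# Added example (not from the page): load a config hierarchy from Parameter
# Store the way the scenario's applications would. The client is injected so
# the loader runs offline; in production pass boto3.client("ssm") instead.
SECRET_SUFFIXES = ("password", "secret", "connection_string")  # hypothetical naming rule

class PlaintextSecretError(Exception):
    """A secret-named parameter is not a KMS-encrypted SecureString."""

def load_config(ssm, path):
    """Return {relative_name: value} for every parameter under path.
    WithDecryption=True has SSM decrypt SecureStrings with their KMS key, so
    the instance role needs ssm:GetParametersByPath plus kms:Decrypt. Results
    are paginated: keep calling while a NextToken comes back. A secret-like
    name stored as a plain String bypassed KMS encryption; fail loudly.
    """
    prefix = path.rstrip("/") + "/"
    kwargs = {"Path": prefix, "Recursive": True, "WithDecryption": True}
    config = {}
    while True:
        resp = ssm.get_parameters_by_path(**kwargs)
        for p in resp.get("Parameters", []):
            name = p["Name"][len(prefix):] if p["Name"].startswith(prefix) else p["Name"]
            if name.endswith(SECRET_SUFFIXES) and p.get("Type") != "SecureString":
                raise PlaintextSecretError(f"{p['Name']} is {p.get('Type')}, not SecureString")
            config[name] = p["Value"]
        if not resp.get("NextToken"):
            return config
        kwargs["NextToken"] = resp["NextToken"]

class FakeSSM:
    """Constructed stand-in for boto3's SSM client: one list per result page."""
    def __init__(self, pages):
        self.pages, self.calls = pages, []

    def get_parameters_by_path(self, **kwargs):
        self.calls.append(dict(kwargs))
        i = int(kwargs.get("NextToken", 0))
        resp = {"Parameters": self.pages[i]}
        if i + 1 < len(self.pages):  # real SSM sets NextToken while pages remain
            resp["NextToken"] = str(i + 1)
        return resp

# Constructed sample: a plain String and a SecureString, split across two pages.
SAMPLE_PAGES = [
    [{"Name": "/myapp/prod/db/host", "Type": "String", "Value": "db.internal"}],
    [{"Name": "/myapp/prod/db/connection_string", "Type": "SecureString",
      "Value": "postgres://app:example-only@db.internal/app"}],
]
```

The IAM policy on the instance role is what scopes this: grant ssm:GetParametersByPath only on the application's own path and kms:Decrypt only on the key that encrypted it, so a compromised web server cannot read another application's secrets.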
The Result
90% reduction in operational overhead, improved security (no SSH keys), and full audit trail of all actions.