Reference AMIs Using Systems Manager Parameters

By Ashwin Venugopal -

 AWS Systems Manager | by Knoldus Inc. | Medium




Introduction

When you start an instance with the EC2 launch instance wizard in the Amazon EC2 console, you have the option to choose an AMI from the provided list or select a Systems Manager parameter that references an AMI ID (as explained in this section). If you utilize automation scripts to initiate your instances, you can indicate the Systems Manager parameter instead of the AMI ID.

A Systems Manager parameter is a key-value pair defined by the customer that can be created in the Systems Manager Parameter Store. The Parameter Store offers a centralized repository for externalizing your application configuration settings.

When a parameter that refers to an AMI ID is defined, make sure to indicate the data type as aws:ec2:image. This specification guarantees that when the parameter is created or updated, the value of the parameter is checked to confirm it is a valid AMI ID.

Use Case

Using Systems Manager parameters to reference AMI IDs makes it simpler for your users to choose the right AMI when starting instances. Additionally, Systems Manager parameters can streamline the upkeep of automation scripts.

Easier For Users

If you need instances to be launched with a particular AMI that is frequently updated, it is suggested to ask the users to choose a Systems Manager parameter to locate the AMI. By having them select a Systems Manager parameter, you can ensure that the most recent AMI is utilized for instance launches.

Simplify Automation Code Maintenance

If you use automation scripts to launch your instances, you can reference the Systems Manager parameter instead of the AMI ID. When a new version of the AMI is generated, you can update the AMI ID in the parameter to direct it to the latest version. This means that the automation scripts referencing the parameter don’t need to be altered every time a new AMI version is released. This approach streamlines the maintenance of the automation process and helps reduce deployment costs.

Permissions

If you use Systems Manager parameters that point to AMI IDs in the launch instance wizard, you must add the following permissions to your IAM policy:

  • ssm:DescribeParameters - Grants permission to view and select Systems Manager parameters.
  • ssm:GetParameters- Grants permission to retrieve the values of the Systems Manager parameters.

You can also restrict access to specific Systems Manager parameters.

Limitations

AMIs and Systems Manager parameters are specific to each Region. To utilize the same Systems Manager parameter name in different Regions, you must create a Systems Manager parameter with the identical name in each Region. In every Region, ensure the Systems Manager parameter is linked to an AMI located in that Region. Parameter names are sensitive to case. Backslashes for the parameter name are required only when the parameter is within a hierarchy. You can omit the backlash if the parameter is not part of a hierarchy. 

Conclusion

The reference AMIs using Systems Manager parameters are discussed. 









































Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different...
Read more

Deployment (Part 1)

By Ashwin Venugopal -
Image
  To read part 2, please click  here To read part 3, please click  here Azure Resources Microsoft Sentinel needs following resources to be created: Subscription (if a dedicated subscription(s) will be used) Resource group(s) Log Analytics workspace(s) Automation rules/playbook Alert rules Workbooks Microsoft Sentinel offers hundreds of alert rules, workbooks, and automation playbook templates along with hunting scripts. The templates can be used to activate/deploy schedule alerts, create customized dashboards, create automation playbooks and perform threat-hunting activities. Generally, once deployed, the resources created have to be adjusted to match the existing environment, configure local credentials, etc. Methods of deployment: Manual- Administrator can manually configures the Microsoft Sentinel resources with the help of Azure portal. Any manual process has the inherent risks of human operator error, lack of compliance with potential change control procedures, and u...
Read more

Deployment (Part 2)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 3, please click  here Microsoft Sentinel Content Hub Content in Microsoft Sentinel includes any of the following types: Data connectors offer log ingestion from different sources into Microsoft Sentinel. Parsers give log formatting/transformation into ASIM formats, supporting usage across various Microsoft Sentinel content types and scenarios. Workbooks provide monitoring, visualization, and interactively with data in Microsoft Sentinel, highlighting meaningful insights for users.  Analytics rules give alerts that point to relevant SOC actions via incidents.  Hunting Queries are used by SOC teams to proactively hunt for threats in Microsoft Sentinel. Notebooks help SOC teams in using advanced hunting features in Jupyter and Azure Notebooks. Watchlists support the ingestion of specific data for enhanced threat detection and reduced alert fatigue.  Playbooks and Azure Logic Apps Custom Connectors provide featu...
Read more