Manage Instances Using AWS Systems Manager Quick Setup Across AWS Organizations


Are you an operations administrator looking to implement consistent configurations such as agent updates or patch scans throughout your organization? AWS Systems Manager Quick Setup has now expanded to support AWS Organizations. This new capability allows master accounts within an Organization to easily define configurations for Systems Manager, enabling it to operate on your behalf across various accounts. You have the option to activate Quick Setup for your entire Organization or select specific Organizational Units (OUs). This article illustrates how to leverage Quick Setup to deploy best-practice configurations across multiple accounts within an Organization.

The outcomes of Quick Setup operations can be monitored via the Systems Manager Explorer dashboard accessible from the Organization master account. Notably, Quick Setup automatically aggregates Explorer data from all associated accounts and regions. From the Quick Setup console in the Organization master account, you can centrally monitor the status of your configuration options.

Prerequisites

To utilize Quick Setup for configurations like patching and agent updates, ensure that the Systems Manager agent is installed on the instances you wish to configure. Because Quick Setup is run from the Organization master account, it can create any roles or permissions it needs through a service-linked role. During the setup, a Resource Data Sync named “SSMQuickSetupResourceDataSync_{timestamp}” and an AWS CloudFormation StackSet named “SSMQuickSetup” are created in the Organization master account.

Getting Started

Quick Setup facilitates the easy deployment of several best-practice configurations across accounts within your Organization, including:

  • Scheduled biweekly updates for the Systems Manager agent
  • Regular inventory metadata collection every 30 minutes
  • Daily scans of instances for missing patches
  • One-time installation and configuration of the Amazon CloudWatch agent
  • Monthly updates of the Amazon CloudWatch agent

Quick Setup will establish a new IAM instance profile with the necessary permissions for Systems Manager. For further details, refer to the permissions roles section in the Quick Setup documentation.

To start collecting inventory across your Organization using Quick Setup, initiate the Quick Setup Organization Setup. From the Systems Manager console in the Organization master account, select Quick Setup, choose “Organization” as the setup type, and select the desired configuration option. In this instance, we will opt to “collect inventory from your instances every 30 minutes.”

Next, select the target OUs, accounts, and Regions, then click “Enable.” For this example, we will use us-west-2 as our primary workload Region and apply the configuration to both the Sandbox and Developers OUs.

After completing the setup, you can review the deployment status and any configured associations for your Organization. Furthermore, you can confirm that the AWS CloudFormation StackSets have been successfully deployed to each account.

Collect Inventory from Your Instances

You can utilize Systems Manager Inventory to gather metadata from managed instances within your environment. You can also view inventory details in each account for quick analysis.

Next, let’s discuss scheduling Systems Manager agent updates from an Organization master account using Quick Setup. We will edit the current Quick Setup configuration to include this new option.

Update Systems Manager Agent

The Systems Manager agent is responsible for executing tasks on your instances, such as inventory collection and patching. AWS periodically releases updates to enhance the agent’s capabilities. Therefore, we recommend enabling this configuration to keep your instances current with the latest software enhancements.

Now that inventory collection is active, we can check the Systems Manager agent versions by inspecting the managed instances in each account. Upon inspection from an individual member account’s managed instances console, we can see that one member account, part of the Sandbox OU, has outdated Systems Manager agents deployed.

Now let’s explore how Quick Setup can facilitate updating Systems Manager agents from a centralized account.

First, modify the Quick Setup Organization Setup. From the Systems Manager console in the Organization master account, select Quick Setup and then click “Edit configuration.”

Now, enable the configuration option to “Update the Systems Manager agent every two weeks” and click “Update.”

After completing the setup, verify the agent versions in the member account to confirm they have been updated to the latest version (2.3.1319.0).
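The agent-version check described above can also be done from the command line rather than by browsing each account's managed instances console. The following Python script is an added example, not code from the original post: it reads the JSON that `aws ssm describe-instance-information` returns (a constructed sample is embedded so it runs offline) and lists instances whose agent is below a target version or that Systems Manager does not report as running the latest agent, together with their ping status, since an association can only update an agent that is online.

```python
"""Flag managed instances whose Systems Manager agent is outdated.

Real input is produced per member account with:
    aws ssm describe-instance-information --output json
The JSON shape below is a constructed sample with only the fields used here.
"""
import json
from typing import Dict, List, Tuple

SAMPLE_RESPONSE = json.dumps({
    "InstanceInformationList": [
        {"InstanceId": "i-0aaa111", "AgentVersion": "2.3.1319.0",
         "IsLatestVersion": True, "PingStatus": "Online", "PlatformType": "Linux"},
        {"InstanceId": "i-0bbb222", "AgentVersion": "2.3.978.0",
         "IsLatestVersion": False, "PingStatus": "Online", "PlatformType": "Linux"},
        {"InstanceId": "i-0ccc333", "AgentVersion": "2.3.1205.0",
         "IsLatestVersion": False, "PingStatus": "ConnectionLost",
         "PlatformType": "Windows"},
    ]
})


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.3.1319.0' into (2, 3, 1319, 0) so versions compare numerically.
    Non-numeric components are treated as 0 rather than raising."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def find_outdated(response_json: str, target_version: str) -> List[Dict[str, str]]:
    """Return instances below target_version or not flagged IsLatestVersion.
    Each entry carries PingStatus: an instance that is not Online will not
    pick up the biweekly update association until the agent reconnects."""
    target = parse_version(target_version)
    outdated = []
    for inst in json.loads(response_json).get("InstanceInformationList", []):
        version = inst.get("AgentVersion", "0")
        if parse_version(version) < target or not inst.get("IsLatestVersion", False):
            outdated.append({
                "InstanceId": inst.get("InstanceId", "?"),
                "AgentVersion": version,
                "PingStatus": inst.get("PingStatus", "Unknown"),
                "PlatformType": inst.get("PlatformType", "Unknown"),
            })
    return outdated


if __name__ == "__main__":
    # Target is the version the post reports after the update ran.
    for row in find_outdated(SAMPLE_RESPONSE, "2.3.1319.0"):
        print("{InstanceId}\t{AgentVersion}\t{PingStatus}\t{PlatformType}".format(**row))
```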

Next, let’s discuss how to schedule daily scans of your instances for missing patches.

Scan Instances for Missing Patches

By enabling this configuration, daily patch scans on instances will be conducted via Systems Manager Patch Manager. Patching details can be viewed through Systems Manager Explorer and Compliance features. From the Systems Manager console in the Organization master account, select Quick Setup, followed by “Edit configuration.” Enable the option to “Scan instances for missing patches daily” and click “Update.”

You can view your non-compliant status in your Explorer view, along with a detailed overview. Below is an example of the Non-compliant instances for patching widget from Explorer:

From the Organization master account, you can apply the necessary baseline patches to selected accounts, OUs, or Regions using the Systems Manager Automation feature. For further details on that process, see the related blog post on the topic.

Install and Configure the CloudWatch Agent

Amazon CloudWatch collects operational data, including logs, metrics, and events, utilizing the CloudWatch agent. To automate the installation, configuration, and updates of the CloudWatch agents, edit the Quick Setup configuration to enable the installation and configuration of the CloudWatch agent, along with updates every 30 days, as illustrated:

You now have metrics available for your running instances in your CloudWatch metrics console in each account.

Update the CloudWatch Agent

Enabling this option ensures that Systems Manager automatically checks every 30 days for the latest version of the CloudWatch agent. If a new version is detected, Systems Manager will automatically update the agent on your running instances. We recommend selecting this configuration option to guarantee that your instances are operating with the most recent version of the CloudWatch agent.

Quick Setup Results

This article outlines how the Systems Manager Quick Setup feature helps enterprises deploy best-practice configurations across multiple accounts and Regions within an Organization. This section can serve as a troubleshooting guide if any of the Quick Setup configuration options fail to deploy in any targeted accounts. Below is a screenshot displaying Quick Setup results from the Organization master account.

When you select each account under the Configuration details section, you can access the results from each account accordingly.
