Harnessing the Power of Script Steps in Your Systems Manager Automation Runbooks


on [Date]

in AWS Config, AWS Systems Manager, Configuration, Compliance, and Auditing, Management & Governance

Customers have used AWS Systems Manager Automation documents for years to define a sequence of actions against their AWS infrastructure, such as invoking an AWS Lambda function or copying an Amazon Machine Image (AMI). These documents, now called runbooks, are simple to write yet powerful. The aws:executeScript action lets you embed Python or PowerShell directly in a runbook step, so the step's logic ships with the runbook itself.

The aws:executeScript action can:

  • Eliminate the need to provision resources like an Amazon Elastic Compute Cloud (Amazon EC2) instance solely to run your logic, which would also necessitate network, AWS Identity and Access Management (IAM), and security configurations.
  • Provide full programming functionality, including looping, string manipulation, JSON handling, and error management.
  • Enable SDK and PowerShell cmdlet calls using familiar syntax for developers.

In this article, I show how to use this action as the target of an AWS Config automatic remediation. First, an aws:executeScript step gathers information about the noncompliant resource; a second aws:executeScript step reads the Slack webhook from AWS Secrets Manager and posts that information to a Slack channel.

Solution Overview

Our example centers around the encrypted-volumes rule in AWS Config, which monitors Amazon Elastic Block Store (Amazon EBS) volumes to identify those that are unencrypted. When such a volume is detected, the rule triggers an automatic remediation that invokes an Automation runbook I created. This runbook collects information about the volume and sends it to a Slack channel. In this scenario, the Slack channel will be overseen by an Operations administrator or a development team, who can then act on the identified resource.

Note: I have structured the code into separate steps for reusability. However, you can combine both steps into a single step if you prefer.

Process Flow

Here’s how it works:

  1. AWS Config executes the encrypted-volumes rule to locate EBS volumes without the encryption flag set.
  2. For each unencrypted EBS volume, AWS Config triggers an automatic remediation that runs a Systems Manager Automation runbook.
  3. The runbook leverages aws:executeScript to collect information about the EBS volume.
  4. The runbook employs aws:executeScript to:
    • Fetch an AWS Secrets Manager secret containing the Slack URL and channel information.
    • Post the gathered information to the Slack channel.

Prerequisites

To complete the tutorial, you will need:

1. Slack Integration

To integrate with Slack, follow Slack's instructions to set up an Incoming Webhook. Choose the Slack channel the runbook should post to and copy the webhook URL, which starts with https://hooks.slack.com/services/…. Treat this URL as a credential: anyone who holds it can post arbitrary messages to the channel. Keep the URL and the channel name for later steps.

2. AWS Config Configuration

Enable AWS Config in your AWS account. Under Resource types to record, either record all supported resource types or, at a minimum, add AWS::EC2::Instance and AWS::EC2::Volume under Specific types. The encrypted-volumes rule evaluates AWS::EC2::Volume resources, and it cannot flag volumes that AWS Config is not recording. For detailed guidance, refer to Getting Started with AWS Config.

3. Create a Secret in AWS Secrets Manager

The webhook URL is a bearer credential, so store it in AWS Secrets Manager rather than hard-coding it in the runbook or the CloudFormation template, where it would be readable by anyone who can view those documents.

  • Sign in to the AWS Secrets Manager console and select “Store a new secret.”
  • Choose “Other type of secret” as the secret type.
  • On the Plaintext tab, paste the following:
{
  "URL": "TheSlackUrl",
  "channel": "TheSlackChannel"
}

Replace TheSlackUrl and TheSlackChannel with your configured values, then proceed to the next step.

  • Name the secret SlackInfo and accept the defaults on the following pages. Copy the Secret ARN for later use.

4. Use the CloudFormation Template to Create a Stack

Download the CloudFormation template from EncryptedVolsToSlack.yaml and save it locally.

  • In the AWS CloudFormation console, navigate to Stacks, choose “Create stack,” and select “With new resources (standard).”
  • On the Create stack page, upload the YAML file you saved and click “Next.”
  • In the Specify stack details page, set the Stack name to UnencryptedVolToSlackStack and enter the SlackInfo secret ARN under SlackSecretARN. If you have an existing IAM role, provide its name in ExistingRoleName, otherwise leave it blank.
  • Click “Next,” review your settings, acknowledge, and then click “Create stack.”

After a few moments, refresh the page and the stack status should read CREATE_COMPLETE. AWS Config then evaluates the newly created encrypted-volumes rule against your volumes, which can take several minutes.

Note: The IAM role in the CloudFormation template allows the ec2:DescribeVolumes and ec2:DescribeInstances actions on all resources (Resource: '*') in your account. This is only an example; tighten the role according to your organization's security policies. Keep in mind that EC2 Describe* actions do not support resource-level permissions, so they genuinely require Resource: '*'; the permission worth scoping is secretsmanager:GetSecretValue, which should be limited to the SlackInfo secret's ARN rather than granted on all secrets.
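As an added example (not the policy from the blog's CloudFormation template), here is the shape of a least-privilege identity policy for the Automation role: the Describe calls keep the wildcard they require, while reading the secret is scoped to one ARN. The account ID, region and the random suffix Secrets Manager appends to the secret name are placeholders; substitute the Secret ARN you copied earlier. The role's trust policy must still allow ssm.amazonaws.com to assume it.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeCallsDoNotSupportResourceScoping",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVolumes",
        "ec2:DescribeInstances"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ReadOnlyTheSlackWebhookSecret",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:SlackInfo-AbCdEf"
    }
  ]
}
```

If SlackInfo is encrypted with a customer managed KMS key instead of the default aws/secretsmanager key, the role also needs kms:Decrypt on that key; scope it to the key ARN in the same way.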

Review Your New AWS Config Rule

In the AWS Config console, go to Rules and select the rule whose name starts with UnencryptedVolToSlackStack. On the rule's page, under Resources in scope, choose Noncompliant to list the unencrypted EBS volumes.

If any volumes are listed, the automatic remediation runs for each of them; once it finishes, "Action executed successfully" appears under Status. If the status has not updated yet, keep refreshing the page.

Check Out Your New AWS Systems Manager Automation Runbook

Now, let’s explore the created resources in Systems Manager.

In the AWS Systems Manager console, navigate to Documents. Select the "Owned by me" tab and find the Automation runbook whose name starts with UnencryptedVolToSlackStack. On the Content tab, review the Automation document, which contains two steps that invoke the aws:executeScript action. Let's look at them in detail:

Extracting Information about the EBS Volume:

- name: extractInfo
  action: 'aws:executeScript'
  outputs:
    - Name: ebsInfoMsg
      Selector: $.Payload.message
      Type: String
  inputs:
    # python3.6 reached end of life in December 2021; pick a currently supported Python runtime for new runbooks.
    Runtime: python3.6
    Handler: script_handler
    # InputPayload is what populates the 'events' dict the handler receives; the
    # runbook parameter name 'ebsVolumeId' is assumed here, since this part of the
    # document is not shown on the page.
    InputPayload:
      ebsVolumeId: '{{ ebsVolumeId }}'
    Script: |-
      import json
      import boto3

      def script_handler(events, context):
        ec2 = boto3.client('ec2')
        response = ec2.describe_volumes(
            Filters=[
                {
                    'Name': 'volume-id',
                    'Values': [
                      events['ebsVolumeId']
                    ],
                }
            ]
        )
        # A volume-id filter returns at most one volume; fail the step loudly if it is gone.
        volumes = response['Volumes']
        if not volumes:
            raise Exception('Volume %s not found' % events['ebsVolumeId'])
        vol = volumes[0]
        attached = ', '.join(a['InstanceId'] for a in vol.get('Attachments', [])) or 'none'
        message = ('Unencrypted volume %s (%d GiB, %s) in %s, attached to: %s'
                   % (vol['VolumeId'], vol['Size'], vol['VolumeType'],
                      vol['AvailabilityZone'], attached))
        # The 'message' key is what the step output selector $.Payload.message reads.
        return {'message': message}
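The page shows only the start of the first step, and the second step (read the SlackInfo secret, post to Slack) is not shown at all. The following is an added example, not the blog's runbook code, of both handlers written as plain Python so the parts that do not need AWS can be run and checked offline: the message formatter, the secret validation, and the webhook POST. It assumes the SlackInfo secret has the {"URL": ..., "channel": ...} shape shown above, that the second step receives a hypothetical secretArn input plus the first step's ebsInfoMsg output as message, and that the Slack webhook is an Incoming Webhook (URL under https://hooks.slack.com/services/). The HTTP call uses only the standard library; boto3 is imported inside the handlers, where it would run in the Automation runtime. The sample volume and the fake HTTP opener are constructed test data.

```python
import json
import urllib.request

# Real Incoming Webhook URLs start with this prefix. Refusing anything else means a
# tampered secret cannot redirect the post (and the volume details) to another host.
SLACK_WEBHOOK_PREFIX = "https://hooks.slack.com/services/"

# Constructed sample shaped like one entry of ec2.describe_volumes()["Volumes"].
SAMPLE_VOLUME = {
    "VolumeId": "vol-0123456789abcdef0",
    "Size": 8,
    "VolumeType": "gp3",
    "AvailabilityZone": "us-east-1a",
    "State": "in-use",
    "Encrypted": False,
    "Attachments": [{"InstanceId": "i-0123456789abcdef0", "Device": "/dev/xvda"}],
}


def format_volume_message(volume):
    """Turn one describe_volumes entry into the line that gets posted to Slack."""
    attachments = volume.get("Attachments") or []
    attached = ", ".join(f"{a['InstanceId']} ({a['Device']})" for a in attachments) or "no instance"
    return (f"Unencrypted EBS volume {volume['VolumeId']}: {volume['Size']} GiB {volume['VolumeType']} "
            f"in {volume['AvailabilityZone']}, state {volume['State']}, attached to {attached}")


def extract_info_handler(events, context):
    """Step 1 handler. Expects events['ebsVolumeId'] (from the step's InputPayload) and
    returns {'message': ...} so the output selector $.Payload.message resolves."""
    import boto3  # available in the Automation runtime; imported here so the helpers run offline
    resp = boto3.client("ec2").describe_volumes(VolumeIds=[events["ebsVolumeId"]])
    volumes = resp.get("Volumes", [])
    if not volumes:
        raise ValueError(f"volume {events['ebsVolumeId']} not found")
    vol = volumes[0]
    if vol.get("Encrypted"):
        # Config's evaluation can lag a fix that was already applied; don't page the channel for it.
        return {"message": f"Volume {vol['VolumeId']} is already encrypted; nothing to report"}
    return {"message": format_volume_message(vol)}


def parse_slack_secret(secret_string):
    """Validate the SlackInfo SecretString ({"URL": ..., "channel": ...}) before using it."""
    data = json.loads(secret_string)
    url, channel = data["URL"], data["channel"]
    if not url.startswith(SLACK_WEBHOOK_PREFIX):
        raise ValueError("SlackInfo URL is not a Slack Incoming Webhook URL")
    if not channel.startswith("#"):
        channel = "#" + channel
    return url, channel


def post_to_slack(url, channel, text, opener=urllib.request.urlopen):
    """POST the message to the webhook. Slack answers 200 with body 'ok' on success; for
    non-2xx replies the real urlopen raises HTTPError, which propagates and fails the step."""
    payload = {"channel": channel, "text": text}
    req = urllib.request.Request(url, data=json.dumps(payload).encode("utf-8"),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with opener(req, timeout=10) as resp:
        status, body = resp.status, resp.read().decode("utf-8", "replace")
    if status != 200 or body != "ok":
        raise RuntimeError(f"Slack webhook returned {status}: {body[:200]}")
    return status


def notify_slack_handler(events, context):
    """Step 2 handler. Assumes inputs events['secretArn'] (hypothetical name) and
    events['message'] (the previous step's ebsInfoMsg output)."""
    import boto3
    secret = boto3.client("secretsmanager").get_secret_value(SecretId=events["secretArn"])["SecretString"]
    url, channel = parse_slack_secret(secret)
    return {"status": post_to_slack(url, channel, events["message"])}


def fake_opener(status=200, body=b"ok"):
    """Test double for urlopen so post_to_slack can be exercised without network access.
    Returns (opener, captured); captured['body'] holds the decoded JSON that was sent."""
    captured = {}

    class _Resp:
        def __enter__(self):
            return self

        def __exit__(self, *exc):
            return False

        def read(self):
            return body

    def _open(req, timeout=None):
        resp = _Resp()
        resp.status = status
        captured["url"] = req.full_url
        captured["body"] = json.loads(req.data.decode("utf-8"))
        return resp

    return _open, captured


if __name__ == "__main__":
    # Offline dry run: format the constructed volume and "post" it through the fake opener.
    msg = format_volume_message(SAMPLE_VOLUME)
    opener, sent = fake_opener()
    post_to_slack("https://hooks.slack.com/services/T000/B000/XXXX", "#ops-alerts", msg, opener=opener)
    print(sent["body"]["text"])
```

Two details worth knowing before wiring this into a runbook: the channel field is honoured by legacy Incoming Webhooks, but webhooks created for a Slack app are bound to the channel chosen at setup and may ignore it, so keep the channel in the secret for the message text rather than relying on it for routing; and an exception raised anywhere in a handler fails the step, which is what you want when the secret is malformed or Slack rejects the post, since a silently dropped notification defeats the purpose of the remediation.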

In summary, the aws:executeScript action lets you keep remediation logic inside the Systems Manager Automation runbook that runs it, with no instance to provision, network to configure, or extra IAM surface to maintain, so an operations or development team can respond to findings such as unencrypted EBS volumes as soon as AWS Config reports them.

