In this blog post, we explore how organizations can efficiently manage third-party agent-based security and vulnerability management tools, such as CrowdStrike, Trend Micro, and Tenable, to enhance the security of their AWS environments. AWS provides AWS Systems Manager Distributor (Distributor) to package, distribute, and install both custom and AWS-provided software on managed nodes.
One of the significant hurdles that organizations face is centralizing the publishing and deployment of custom or third-party software across numerous nodes that span multiple Regions and AWS accounts. In this article, we present an automated solution for centralized package management within AWS, applicable both to custom packages and to the third-party packages Distributor already offers. Our approach enables installation and provisioning of packages on managed nodes in different accounts and Regions from a single, central account.
Solution Overview
This solution lets you designate any member account within your AWS Organization as the delegated administrator that runs the solution via AWS CloudFormation StackSets. This delegated administrator account acts as the centralized hub for managing package publication and installation.
When you run the stack set from this central account, the template creates your custom package in every member account, so it appears under the "Owned by me" tab of Systems Manager Distributor in each of them. The solution then creates an AWS Systems Manager State Manager association in each member account that installs the package on the managed nodes it targets. Which nodes are targeted, and when, is determined by the tag key/value and the schedule expression you define for the association.
You can download the CloudFormation template implementing this solution here; it’s an excellent resource for further understanding the architecture.
Prerequisites
Before diving into the setup, ensure you have completed the following steps:
- Designate a member account as the StackSets delegated administrator. An account with this role can create and manage stack sets with service-managed permissions for the whole organization.
- In your delegated administrator account, follow the Distributor instructions to create a package for your third-party software and upload it to Amazon S3. In this post, we use an Amazon S3 bucket named s3-examplepackage-[accountid]-[region]. The demonstration uses the Example Package, which includes a completed JSON manifest and three .zip files. Make sure the bucket policy lets the member accounts read the package contents, and restrict write access to it: the sha256 checksums in the manifest are what Distributor verifies at install time, so anyone who can overwrite both the zip files and the manifest can change what gets installed on every targeted node.
Setup
Go to the AWS CloudFormation console and follow the instructions to launch a stack set with service-managed permissions using the aws-centralizedssmdistributor-v1 CloudFormation template. The template registers your custom package in each member account of your AWS Organization as a Systems Manager document of type Package, which is why it appears under the "Owned by me" tab of the Distributor console in each account.
The template parameters include:
- PackageName: Your package's name.
- S3PackageBucket: The name of the S3 bucket where the package is stored (e.g., s3-examplepackage-[accountid]-[region]).
- S3PackageBucketFolder: The folder within the S3 bucket containing the manifest (e.g., examplepackage).
- S3PackageUrl: The HTTPS URL of the S3 bucket with the package contents.
- Version: The exact version string from the manifest file.
- AssociationName: The name for your State Manager association.
- Action: Whether to install or uninstall the package.
- InstallationType: The installation type.
- OutputS3Prefix: S3 key prefix for AWS Systems Manager Run Command output.
- ScheduleExpression: Schedule for the AWS Systems Manager association.
- TargetResourceTagKey: Tag key used to select target nodes.
- TargetResourceTagValue: Tag value used to select target nodes (optional).
If unsure about these parameters, you can accept the template defaults.
Validation
To confirm that everything is set up correctly, open the AWS Systems Manager console in a member account of your AWS Organization and choose Distributor from the left panel. Open the "Owned by me" tab and confirm that your example package appears there. Check that the attachments listed in the Additional Information section match the zip file names and sha256 hashes in your manifest file; a mismatch means the package in that account does not point at the artifacts you published.
Also check that the association created in State Manager has the expected schedule expression and target tags, and that its execution history shows the package running successfully on the specified schedule.
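The package layout behind the prerequisite step (a manifest plus zip files) and the hash check behind the validation step above, as an added example that is not code from the original post or from AWS: it builds three constructed platform zips, writes a manifest in the Distributor 2.0 schema, and verifies the files against the manifest the same way you would compare the console's attachment hashes, reporting a mismatch when a payload is replaced without updating the manifest. The file names, script contents, and platform set are assumptions for illustration; the manifest field names (schemaVersion, version, packages, files, checksums.sha256, the _any wildcard) are the documented Distributor format.

```python
"""Build and verify an AWS Systems Manager Distributor package manifest.

Added example, not the blog post's or AWS's code. Writes three constructed
platform zips and a manifest.json in the Distributor 2.0 schema, then checks
the zips against the manifest (names, sha256, install/uninstall scripts).
"""
import hashlib
import json
import os
import tempfile
import zipfile

SCHEMA_VERSION = "2.0"

# Constructed sample (assumption): three zips keyed by
# (platform, platform_version, architecture). "_any" is Distributor's wildcard.
SAMPLE_PLATFORMS = {
    ("amazon", "_any", "x86_64"): "examplepackage-amazon-x86_64.zip",
    ("ubuntu", "_any", "x86_64"): "examplepackage-ubuntu-x86_64.zip",
    ("windows", "_any", "x86_64"): "examplepackage-windows-x86_64.zip",
}


def _scripts_for(platform):
    """Minimal install/uninstall scripts; Distributor runs them from the zip root."""
    if platform == "windows":
        return {"install.ps1": 'Write-Host "install"\n', "uninstall.ps1": 'Write-Host "uninstall"\n'}
    return {"install.sh": "#!/bin/bash\necho install\n", "uninstall.sh": "#!/bin/bash\necho uninstall\n"}


def sha256_of_file(path):
    """Hex sha256 of a file, read in chunks so large zips do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_package(out_dir, version="1.0.0", platforms=SAMPLE_PLATFORMS):
    """Write the zips and manifest.json into out_dir and return the manifest dict."""
    manifest = {"schemaVersion": SCHEMA_VERSION, "version": version, "packages": {}, "files": {}}
    for (platform, pver, arch), zip_name in platforms.items():
        zip_path = os.path.join(out_dir, zip_name)
        with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, body in _scripts_for(platform).items():
                zf.writestr(name, body)
        manifest["packages"].setdefault(platform, {}).setdefault(pver, {})[arch] = {"file": zip_name}
        manifest["files"][zip_name] = {"checksums": {"sha256": sha256_of_file(zip_path)}}
    with open(os.path.join(out_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_package(pkg_dir):
    """Return a list of problems; an empty list means every file matches the manifest."""
    with open(os.path.join(pkg_dir, "manifest.json")) as f:
        manifest = json.load(f)
    problems = []
    # Every file referenced from the packages tree must have a checksum entry.
    for versions in manifest.get("packages", {}).values():
        for archs in versions.values():
            for entry in archs.values():
                if entry["file"] not in manifest.get("files", {}):
                    problems.append(f"{entry['file']}: referenced in packages but missing from files")
    # Every checksummed file must exist, hash correctly, and carry the scripts.
    for zip_name, entry in manifest.get("files", {}).items():
        path = os.path.join(pkg_dir, zip_name)
        if not os.path.isfile(path):
            problems.append(f"{zip_name}: listed in manifest but not present")
            continue
        expected = entry["checksums"]["sha256"]
        actual = sha256_of_file(path)
        if actual != expected:
            problems.append(f"{zip_name}: sha256 mismatch (manifest {expected[:12]}, actual {actual[:12]})")
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
        if not ({"install.sh", "uninstall.sh"} <= names or {"install.ps1", "uninstall.ps1"} <= names):
            problems.append(f"{zip_name}: missing install/uninstall scripts at zip root")
    return problems


def demo():
    """Build a package, verify it, swap one payload behind the manifest's back, verify again."""
    with tempfile.TemporaryDirectory() as d:
        manifest = build_package(d)
        clean = verify_package(d)
        # Replace the Ubuntu zip with a different install script without touching manifest.json.
        target = os.path.join(d, "examplepackage-ubuntu-x86_64.zip")
        with zipfile.ZipFile(target, "w") as zf:
            zf.writestr("install.sh", "#!/bin/bash\necho modified\n")
            zf.writestr("uninstall.sh", "#!/bin/bash\n")
        tampered = verify_package(d)
    return manifest, clean, tampered


if __name__ == "__main__":
    _, clean, tampered = demo()
    print("clean package problems:", clean)
    print("tampered package problems:", tampered)
```

Run verify_package against the folder you are about to upload to S3PackageBucket/S3PackageBucketFolder, and again against whatever the member accounts' Distributor console lists as attachments: the hashes must agree in both directions, because the manifest is the only integrity anchor Distributor has for the payload.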