How to Automate and Secure Your Environment with AWS Server Fleet Management
AWS recently announced a combination of AWS Systems Manager and Amazon Inspector into a new offering called AWS Server Fleet Management. The goal of this service is to provide a way to secure, automate, and configure a large array of servers through multiple AWS services all working together. Some enterprises already have a config management tool in place, but might be looking for a more AWS-centric way to manage their numerous EC2 servers. Let’s look at how Server Fleet Management works, how it stacks up against other config management tools, and some of the pros and cons of using this solution.
How It Works
AWS Server Fleet Management utilizes quite a few AWS services under the hood. The good news is that you don’t have to deploy these services manually, as there’s a Cloudformation template available that will build the entire stack for you. The services include:
- Amazon Cloudwatch — for kicking off events to trigger other services
- Amazon Inspector — manages the assessment rules for configuration and security
- Amazon SNS — message queue for tracking instance IDs and email addresses
- Amazon Lambda — various tasks, including querying Inspector and updating Systems Manager
- AWS Systems Manager — tracks inventory and configuration for EC2 instances and manages OS patches
- Amazon S3 — secure storage of artifacts
Before deploying the Cloudformation stack, you’ll need to enter a few configuration details. The main configuration detail is the “Managed Instances Tag Value”, which is the tag on your EC2 servers that you’ll place if you want them managed via Server Fleet Management. This can work in conjunction with the “Patch Group” tag in AWS Systems Manager if you want the instance to be automatically patched. Once you specify the tag, an email address, and whether you want a sample fleet to be deployed, you’re ready to create the stack!
Comparison to other tools
In the config management world, there are a few major players, including Chef, Puppet, Ansible, and SaltStack. From a purely configuration perspective, Server Fleet Management doesn’t offer anything new. However, if you’re fully bought-in to running everything within AWS, the flexibility of using Lambda functions in addition to other AWS services can be a huge advantage. On the flip side of that, enterprises that are multi-cloud may want to keep using a cloud-agnostic tool.
Pros and Cons
Along with the possible benefit of being purely within the AWS ecosystem, another major pro of AWS Server Fleet Management is the combination of security enforcement and patch management. Solving both of those problems often requires multiple tools, so this can trim down your list of applications. This solution also has lots of opportunities to tie into other existing AWS solutions or to be customized to fit your use cases.
The expandability can also be considered a con, as the built-in uses are fairly specific and require more customization for larger fleets. Some things that aren’t included are topics like cost management (we’ve got you covered), non-EC2 services that need security audits, application grouping, and cross-account access. There also aren’t any built-in hooks to existing config management tools that are likely already in use.
Automated Security and Patching
All in all, AWS Server Fleet Management is worth looking into if you’ve got a large EC2 deployment. Even if you don’t use the pre-made stack, it might give you some ideas on how to use the underlying AWS services to help secure and manage your fleet. With the included sample fleet, it’s easy to get it set up and try it out!
Originally published at www.parkmycloud.com on November 6, 2018.