AWS Cloud Operations Blog
Manage instances using AWS Systems Manager Quick Setup across AWS Organization
Are you an operations administrator trying to enable common configurations such as agent updates or patch scanning across your company? AWS Systems Manager Quick Setup now supports AWS Organizations. With this feature, Organization master accounts can now easily define configurations for Systems Manager to engage on your behalf across accounts in your Organization. You can enable Quick Setup across your entire Organization or choose specific AWS Organization Units (OU). This post demonstrates how to use Quick Setup to deploy best practice configuration options to multiple accounts in an Organization.
The results of Quick Setup operations can be checked from the Systems Manager Explorer dashboard of the Organization master account. Quick Setup also automatically aggregates the Explorer data from those accounts and Regions. From the Organization master account Quick Setup console, you can centrally view the status of your Quick Setup configuration options.
Prerequisites
In order to use Quick Setup configuration options like patching and agent updates, you need the Systems Manager agent to be installed on instances you want to configure. As long as you are in an Organization master account, Quick Setup creates any roles or permissions required to set up the configuration options as part of a service-linked role. A Resource Data Sync called “SSMQuickSetupResourceDataSync_{timestamp}” and AWS CloudFormation StackSet called ‘SSMQuickSetup’ are created during setup in the Organization master account.
Getting Started
Quick Setup enables customers to easily deploy any of the following best practice configuration options to accounts in your Organization:
- Scheduled, biweekly updates of Systems Manager agent
- Scheduled collection of inventory metadata every 30 minutes
- Daily scan of your instances for missing patches
- One-time installation and configuration of the Amazon CloudWatch agent
- Schedule monthly update of the Amazon CloudWatch agent
Quick Setup creates a new IAM instance profile with permissions required for Systems Manager. For more details, check the permissions roles section of Quick Setup documentation.
Let’s start with inventory collection across your Organization using Quick Setup. To enable the configuration options, first deploy the Quick Setup Organization Setup. From the Systems Manager console in Organization master account, select Quick Setup. Select setup type as Organization and choose the required configuration option. In this section, we select collect inventory from your instances every 30 minutes:
Next, select the target OUs, accounts, and Regions and select Enable. For this example, we are using us-west-2 as our primary workload Region and applying the configuration to both Sandbox and Developers OUs.
After setup is complete, you can view the deployment status and any configured associations for your Organization.
Additionally, you can verify that the AWS CloudFormation StackSets have been deployed to each account:
Collect inventory from your instances
You can use Systems Manager Inventory to collect metadata from managed instances in your environment. Additionally, you can view Systems Manager inventory details in each account for further quick analysis.
Next, let us discuss how to schedule Systems Manager agent updates from an Organization master account using quick setup. We edit the current Quick Setup configuration to include this new configuration option.
Update Systems Manager agent
The Systems Manager agent processes tasks on your instances, such as inventory collection or patching. AWS periodically releases updates to the Systems Manager agent when adding new capabilities or updating existing ones. For this reason, we recommend enabling this configuration option to keep your instances up to date with our latest software and capabilities.
Now that inventory is enabled, we can see the Systems Manager agent versions by inspecting the managed instances in each account. Upon inspection from the individual member account’s managed instances console, we can see that one of the member accounts, which is part of the Sandbox OU in AWS Organization, has outdated Systems Manager agents deployed:
Now let us check how Quick Setup can be used to update the Systems Manager agents from a centralized account.
First, modify the Quick Setup Organization Setup. From the Systems Manager console in the Organization master account, select Quick Setup followed by Edit configuration:
Now enable the configuration option Update the Systems Manager agent every two weeks and select Update:
After the setup has completed, you can inspect the agent versions in the member account to verify. These have been updated to the latest version (2.3.1319.0):
Now, let’s discuss how to schedule daily scanning of your instances for missing patches.
Scan instances for missing patches
Enabling this configuration option enables daily patch scanning on instances via Systems Manager Patch Manager. Patching details can be viewed from Systems Manager Explorer and Compliance features. From the Systems Manager console in the Organization master account, select Quick Setup followed by Edit configuration. Now enable the configuration option Scan instances for missing patches daily and select Update:
You can view your non-compliant status in your explorer view, in addition to getting a detailed view. Below is an example of the Non-compliant instances for patching widget from Explorer:
From the Organization master account, you can apply the required baseline patches to select accounts, OUs, or Regions using the Systems Manager automation feature. For more information, check the post on how to use Systems Manager automation for multi-account and multi-Region patching.
Lastly, let us discuss how to use Quick Setup to configure the Amazon CloudWatch agent and periodic updates.
Install and configure the CloudWatch agent
Amazon CloudWatch collects monitoring and operational data as logs, metrics, and events using CloudWatch agent. To automate the installation, configuration and update of CloudWatch agents, edit the Quick Setup configuration to enable install and configure the CloudWatch agent and Update the CloudWatch agent once every 30 days using Quick Setup, as shown:
You now have metrics available for your running instances in your CloudWatch metrics console in each account.
Update the CloudWatch agent
Enabling this option configures Systems Manager to automatically check every 30 days for the latest version of the CloudWatch agent. If a new version is found, Systems Manager automatically updates the agent on your running instances to the latest released version. We encourage you to choose this configuration option to ensure that your instances are running the most up-to-date version of the CloudWatch agent.
Quick Setup results
This blog post describes how the Systems Manager Quick Setup feature helps enterprises deploy best practice configurations across multiple accounts and Regions in your Organization. This section can be used to troubleshoot if any of the Quick Setup configuration options fail to deploy in any of the targeted accounts. Below is a screenshot of Quick Setup results from the Organization master account.
When you select each account under the Configuration details section, you can view the results from each account as follows:
Quick Setup compliance status from Explorer
Systems Manager Explorer dashboard provides a widget that gives you the compliance status of your Quick Setup associations. To view this, select the corresponding Resource Data Sync from the Explorer console and check the Desired state compliance status widget on the console:
Cleaning up
You can remove the Quick Setup using the Actions followed by the Delete Quick Setup option:
Note that you must remove all selected OUs and Regions before deleting the Quick Setup. After you have removed all OUs and Regions, you can choose Actions and then Delete Quick Setup and verify the delete action to complete cleanup. The Quick Setup resources like StackSets are then removed from the accounts in that OU:
There is no additional charge for Quick Setup usage. You pay for the AWS resources managed by Quick Setup based on their AWS pricing.
Conclusion
This blog post describes how the Quick Setup Organizations support feature helps enterprises with multiple account setup and automate configuration options. These configuration options include agent updates, software inventory collection, and patch scanning across accounts and Regions from a central account. We also discussed single view provided in Explorer to see the status of these configuration options across your accounts and Regions. To learn more, check the Systems Manager Quick Setup official documentation.
About the Authors
Harshitha Putta is a Cloud Infrastructure Architect with AWS Professional Services in Seattle, WA. She is passionate about building innovative solutions using AWS services to help customers achieve their business objectives. She enjoys spending time with family and friends, playing board games and hiking.
Caleb Collins is a Cloud Infrastructure Architect with AWS Professional Services in Denver, CO. Caleb helps customers execute their cloud vision with speed and scale. He is an avid Lego builder with his two daughters and wife.