SSM combined with Simple AD are powerful tools that can help you and your organization get away from things like every user using the Administrator username and password to get into the instances. These slides are from the AWS Atlanta Meetup group's February 2016 meeting -http://www.meetup.com/AWS-Atlanta/

1. AWS SSM
Simple System Management
Managing Windows instances in the Cloud

2. Sponsors

3. Presented by Adam Book
from
Find me on LinkedIn
News Recap 2014

4. Automatically join the server back to a domain so that
users can long in with usernames and passwords?
Have you ever wanted to:
{Easily}
Enable monitoring of logs and metrics on Windows
instances so that logs can be saved to CloudWatch Logs
Install an Application automatically at instance startup
without writing a Chef recipe or Puppet Manifest

5. Simple Systems Manager (SSM) enables you to
remotely manage the configuration of your
Amazon EC2 instance. Using SSM, you can run
scripts or commands using either EC2 Run
Command or SSM Config.
(SSM Config is currently available only for Windows instances.)
SSM
Simple System Management

6. Is SSM really Simple?
Image by http://www.gratisography.com/
Yes
No
and

7. SSM – Commands
Command Description
AWS-JoinDirectoryServiceDomain Joins an AWS Directory
AWS-RunPowershellScript Runs PowerShell commands or scripts
AWS-UpdateEC2Config Updates the EC2Config service
AWS-InstallApplication Installs, repairs, or uninstalls software using
a MSI package
AWS-InstallPowershellModule Installs Powershell Modules
AWS-ConfigureCloudWatch Configures CloudWatch logs and can be
used to monitor applications and systems.

8. Where does SSM Work?
Region Name Region Endpoint
US East (N Virginia) us-east-1 ssm.us-east-1.amazonaws.com
US West (Oregon) us-west-2 ssm.us-west-2.amazonaws.com
US West (N California) us-west-1 ssm.us-west-1.amazonaws.com
EU (Ireland) eu-west-1 ssm.eu-west-1.amazonaws.com
EU(Frankfurt) eu-central-1 ssm.eu-central-1.amazonaws.com
Asia Pacific (Singapore) ap-southeast-1 ssm.ap-southeast-1.amazonaws.com
Asia Pacific (Tokyo) ap-northeast-1 ssm.ap-northeast-1.amazonaws.com
Asia Pacific (Sydney) ap-southeast-2 ssm.ap-southeast-2.amazonaws.com
South America (Sao Palo) sa-east-1 ssm.sa-east-1.amazonaws.com

9. IAM and SSM
For more info
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ssm-iam.html
In order for SSM to have the permissions that it needs you will
need to attach an IAM Role to your instances with either one of
the managed policies below or a policy that has the correct SSM
permissions.

10. IAM and SSM
For more info
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ssm-iam.html
In order for SSM to have the permissions that it needs you will
need to attach an IAM Role to your instances with either one of
the managed policies below or a policy that has the correct SSM
permissions.

11. IAM and SSM
Here is an example of the Role created that we will be using in our
examples for our instances

12. When joining a domain using
SSM we will need to find out
some information about our
Directory so that we can create
the JSON document.
Joining a Domain

13. Notice the highlighted line where we see the
distinguished name that shows the:
Joining a Domain
CN -> Common Name
DC -> Domain Controller
OU -> Organizational Unit

14. {
"schemaVersion": "1.0",
"description": "Sample configuration to join an instance to a
domain",
"runtimeConfig": {
"aws:domainJoin": {
"properties": {
"directoryId": "d-1234567890",
"directoryName": "test.example.com",
"directoryOU": "OU=test,DC=example,DC=com",
"dnsIpAddresses": [
"198.51.100.1",
"198.51.100.2"
]
}
}
}
}
Joining a Domain
Creating the Document

15. Using the AWS CLI you can create the document
once for reuse in your SSM endeavors
(we’ll save our json from before as test-domain.json )
SSM
Creating the Document

16. Using the AWS CLI you can create the document
once for reuse in your SSM endeavors
(we’ll save our json from before as test-domain.json )
SSM
Creating the Document
$ aws ssm create-document –content file://test_domain.json --name
“Test_Domain” --region eu-west-1

17. If we think we have already created the document to
join the domain previously then we can use the AWS
CLI to ask it what documents are currently available
with the List-Documents command.
SSM
Creating the Document
$ aws ssm list-documents --region eu-west-1

18. Now we’re ready to launch our instance
We’ll use a STOCK Windows 2012 server AMI
first run.
Joining a Domain
<powershell>
Import-Module AWSPowerShell
$web = New-Object Net.WebClient $InstanceId =
$web.DownloadString("http://169.254.169.254/latest/meta-data/instance-id")
$AvailabilityZone = $web.DownloadString("http://169.254.169.254/latest/meta-
data/placement/availability-zone")
$Region = $AvailabilityZone.Substring(0,$AvailabilityZone.Length-1)
New-SSMAssociation -InstanceId $InstanceId -Name ”Test_Domain" -Region $Region
</powershell>c

19. Joining a Domain
A closer look – User Data
<powershell>
Import-Module AWSPowerShell
$web = New-Object Net.WebClient $InstanceId =
$web.DownloadString("http://169.254.169.254/latest/meta-data/instance-id")
$AvailabilityZone = $web.DownloadString("http://169.254.169.254/latest/meta-
data/placement/availability-zone")
$Region = $AvailabilityZone.Substring(0,$AvailabilityZone.Length-1)
New-SSMAssociation -InstanceId $InstanceId -Name ”Test_Domain" -Region $Region
</powershell>

20. By using the
EC2 system log
we can see the
progress of the
SSM and the
Domain Join
Joining a Domain
How can we tell it joined?

21. Joining a Domain
How can we tell it joined?

22. SSM
Demo Time
Photo curtesy
of Stephen Radford via
http://snap.io

23. What happens when you don’t
have a domain
One of the easiest solutions is to use the Simple
AD service from AWS and create a *.local domain
to add your users
Joining a Domain

24. What happens when you don’t
have a domain
One of the easiest solutions is to use the Simple
AD service from AWS and create a *.local domain
to add your users
Joining a Domain
mycorp.local

25. From the Simple AD service:
Click on your directory id -> And you should see a
details screen like the one below
Finding your DNS on
AWS Simple AD

26. When using existing images
you need to make sure that
User Data is turned on before
creating the image to use with SSM
Using Existing Images
If you don’t do this then the scripting
done in the userdata box will not
work.

27. The Role of sysprep
For more info
http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ami-create-standard.html
1) Generalize
2) Specialize
3) Creates an Out-of-Box Experience

28. The Role of sysprep
Generalize
For more info
http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ami-create-standard.html
Generalize: The tool removes image-specific
information and configurations. For example,
Sysprep removes the security identifier (SID), the
computer name, the event logs, and specific drivers,
to name a few. After this phase is completed, the
operating system (OS) is ready to create an AMI.

29. The Role of sysprep
Specialize
For more info
http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ami-create-standard.html
Specialize: Plug and Play scans the computer and
installs drivers for any detected devices. The tool
generates OS requirements like the computer name
and SID. Optionally, you can execute commands in
this phase.

30. The Role of sysprep
Create an OOB Experience
For more info
http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ami-create-standard.html
Out-of-Box Experience (OOBE): The system runs an
abbreviated version of Windows Setup and asks the
user to enter information such as a system language,
the time zone, and a registered organization. When
you run Sysprep with EC2Config, the answer file
automates this phase.

31. Questions?
Image by http://www.gratisography.com/