AWS Systems Manager
AWS Systems Manager (SSM) is a comprehensive management service that provides visibility and control over your AWS infrastructure. In the context of the AWS Certified Security – Specialty (SCS-C02) exam and Domain 3: Infrastructure Security, it plays a critical role in maintaining secure and compliant infrastructure.

**Key Security Features:**

1. **Session Manager**: Provides secure, auditable shell access to EC2 instances without opening inbound ports, eliminating the need for SSH keys or bastion hosts. Session start and end are recorded in CloudTrail; the session content itself is written to S3 and/or CloudWatch Logs once you enable that in the session preferences.
2. **Patch Manager**: Automates the process of patching managed instances with security-related updates. You can define patch baselines, maintenance windows, and compliance rules to ensure systems remain up-to-date.
3. **Parameter Store**: Securely stores configuration data and secrets. SecureString parameters are encrypted with AWS KMS, and the hierarchical naming lets IAM policies grant access per path.
4. **Inventory**: Collects metadata about instances, installed applications, network configurations, and more, enabling compliance auditing and drift detection.
5. **State Manager**: Ensures instances maintain a defined configuration state, automatically remediating configuration drift.
6. **Run Command**: Executes commands remotely across multiple instances without SSH access; every invocation is recorded in CloudTrail and output can be sent to S3 or CloudWatch Logs.
7. **Compliance**: Provides a dashboard showing patch compliance and configuration consistency across your fleet.

**Security Architecture Considerations:**

- SSM Agent communicates outbound over HTTPS to Systems Manager endpoints, so no inbound ports are required.
- Instances require an IAM instance profile with appropriate SSM permissions (AmazonSSMManagedInstanceCore).
- VPC Endpoints (PrivateLink) can be configured for SSM to keep traffic within the AWS network.
- All API calls are logged in CloudTrail for auditing.

**Integration Points:** Systems Manager integrates with AWS Config, CloudWatch, EventBridge, and AWS Organizations for centralized security management across multiple accounts.

For the SCS-C02 exam, understanding how Systems Manager eliminates direct instance access, enforces patching compliance, manages secrets securely, and maintains infrastructure configuration is essential for infrastructure security questions.
AWS Systems Manager: Complete Guide for AWS Security Specialty Exam
Why AWS Systems Manager is Important
AWS Systems Manager (SSM) is a critical service for infrastructure security because it provides a unified interface to view, manage, and secure your AWS resources at scale. In the context of the AWS Security Specialty exam, Systems Manager is a foundational service that intersects with multiple security domains including patch management, configuration compliance, secret management, remote access security, and operational hygiene. Understanding Systems Manager is essential because it removes the need for direct SSH or RDP access to instances, lets you scope operator access to documents and instances with least-privilege IAM policies, and enables automated security remediation across your fleet.
What is AWS Systems Manager?
AWS Systems Manager is a collection of capabilities that helps you manage your applications and infrastructure running in AWS. It provides operational data from multiple AWS services, allows you to automate operational tasks, and helps maintain security and compliance. Systems Manager works with both EC2 instances and on-premises servers through the installation of the SSM Agent.
Key components relevant to security include:
1. Session Manager
Provides secure, auditable shell access to EC2 instances without opening inbound ports, managing SSH keys, or using bastion hosts. Session start and end are always recorded in CloudTrail; the full session content can additionally be logged to Amazon S3 and CloudWatch Logs once logging is enabled in the Session Manager preferences, providing a complete audit trail. This is a major security improvement over traditional SSH/RDP access.
2. Parameter Store
A secure, hierarchical store for configuration data and secrets. Parameter types are String, StringList and SecureString; SecureString values are encrypted with AWS KMS keys, and a caller can only read them back in clear text if it is also allowed kms:Decrypt on that key. Parameter names form a path hierarchy (for example /app/prod/db/password) that IAM resource ARNs can match with wildcards for fine-grained access control. Parameter policies, which provide automatic expiration and expiration/no-change notifications, are available on the advanced tier.
3. Patch Manager
Automates the process of patching managed instances with security-related updates. You can define patch baselines that specify which patches should be auto-approved, set maintenance windows, and generate compliance reports. This is critical for maintaining a secure infrastructure posture.
4. State Manager
Ensures that your instances are configured in a defined state. You can create associations that define the desired state (e.g., ensuring antivirus is installed, specific ports are closed) and State Manager will automatically apply and maintain that configuration.
5. Inventory
Collects metadata about your managed instances including installed applications, network configurations, Windows updates, and more. This data is essential for security auditing and compliance verification.
6. Run Command
Allows you to remotely and securely execute commands on managed instances without SSH access. Every invocation is recorded in CloudTrail, command output can be sent to S3 and CloudWatch Logs, and IAM policies control which documents a principal may send to which instances. This eliminates the need for bastion hosts for command execution.
7. Automation
Enables you to create automated workflows (runbooks) for common maintenance and deployment tasks. Security use cases include automated remediation of non-compliant resources, automated incident response, and integration with AWS Config rules for auto-remediation.
8. Compliance
Scans your fleet of managed instances for patch compliance and configuration inconsistencies. Results are aggregated and can be viewed in the Systems Manager console or exported for further analysis.
9. OpsCenter
Aggregates and standardizes operational issues (OpsItems) across services, helping security teams investigate and remediate issues from a centralized location.
How AWS Systems Manager Works
SSM Agent: The SSM Agent is the software component installed on EC2 instances or on-premises servers that enables Systems Manager to manage them. The agent is pre-installed on many Amazon Machine Images (AMIs) including Amazon Linux 2, Amazon Linux 2023, Ubuntu Server, and Windows Server AMIs. For other operating systems, you must install it manually.
IAM Instance Profile: For EC2 instances, an IAM instance profile with the AmazonSSMManagedInstanceCore managed policy (or equivalent permissions) must be attached so the SSM Agent can call the Systems Manager service. The newer alternative is Default Host Management Configuration, which lets Systems Manager manage every instance in an account and region through a service role without per-instance profiles; it requires IMDSv2 on the instance. This is a very common exam topic: if an instance is not appearing in Systems Manager, the most likely causes are a missing or misconfigured IAM instance profile, or the SSM Agent not installed or not running.
Communication Flow: The SSM Agent opens outbound HTTPS (TCP 443) connections to the Systems Manager service endpoints and polls for work, so no inbound ports need to be opened. For instances in private subnets without internet access, you can use VPC interface endpoints (PrivateLink) for Systems Manager: specifically ssm, ssmmessages (used by Session Manager) and ec2messages (used by Run Command and agent messaging). The security group attached to the endpoints must allow TCP 443 from the instances, and private DNS should be enabled so the agent's default endpoint names resolve to the endpoint rather than the public address.
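The endpoint requirements above (and the "instance not appearing" troubleshooting in Tips 1 and 3 below) are easy to get half right: the endpoint exists but private DNS is off, or its security group only admits one subnet. The following preflight check is an added example, not an AWS tool; it runs over data shaped like the output of describe-vpc-endpoints and describe-security-groups (constructed inline here, not fetched) and lists what would stop the agent from reaching the service. The region, VPC CIDR and IDs are assumptions.

```python
"""Preflight check for Systems Manager connectivity from a private subnet.

Added example, not an AWS tool. Works on data shaped like the output of
`aws ec2 describe-vpc-endpoints` and `aws ec2 describe-security-groups`
(constructed below). The ssm, ssmmessages and ec2messages interface
endpoints (plus kms / logs / s3 when session encryption or logging is on)
must exist, be available, have private DNS enabled and be reachable on
TCP 443 from the VPC CIDR. Region, CIDR and IDs are assumptions.
"""
import ipaddress

REGION = "us-east-1"
VPC_CIDR = "10.0.0.0/16"


def required_services(kms_encryption=False, cloudwatch_logs=False, s3_logs=False):
    """Endpoint service short names the agent needs for the selected features."""
    services = {"ssm", "ssmmessages", "ec2messages"}
    if kms_encryption:
        services.add("kms")      # Session Manager KMS session encryption
    if cloudwatch_logs:
        services.add("logs")     # session/command logs to CloudWatch Logs
    if s3_logs:
        services.add("s3")       # session/command logs to S3
    return services


def _sg_allows_443_from_vpc(sg, vpc_cidr):
    """True if any ingress rule admits TCP 443 from the whole VPC CIDR."""
    vpc = ipaddress.ip_network(vpc_cidr)
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        if proto == "tcp" and not (perm.get("FromPort", -1) <= 443 <= perm.get("ToPort", -1)):
            continue
        for rng in perm.get("IpRanges", []):
            if vpc.subnet_of(ipaddress.ip_network(rng["CidrIp"])):
                return True
    return False


def check_endpoints(endpoints, security_groups, vpc_cidr=VPC_CIDR, **features):
    """Return a list of findings ordered by service; an empty list means the path looks clean."""
    sg_by_id = {sg["GroupId"]: sg for sg in security_groups}
    # com.amazonaws.us-east-1.ssmmessages -> ssmmessages
    by_service = {ep["ServiceName"].rsplit(".", 1)[-1]: ep for ep in endpoints}
    findings = []
    for svc in sorted(required_services(**features)):
        ep = by_service.get(svc)
        if ep is None:
            findings.append(f"{svc}: no VPC endpoint in this VPC")
            continue
        if ep.get("VpcEndpointType") == "Gateway":
            # S3 gateway endpoints are routed, not filtered by a security group
            if not ep.get("RouteTableIds"):
                findings.append(f"{svc}: gateway endpoint is not associated with any route table")
            continue
        if ep.get("State") != "available":
            findings.append(f"{svc}: endpoint state is {ep.get('State')!r}, not 'available'")
        if not ep.get("PrivateDnsEnabled"):
            findings.append(f"{svc}: private DNS is off, so the agent resolves the public endpoint instead")
        groups = [sg_by_id.get(g["GroupId"], {}) for g in ep.get("Groups", [])]
        if not any(_sg_allows_443_from_vpc(sg, vpc_cidr) for sg in groups):
            findings.append(f"{svc}: no endpoint security group allows TCP 443 from {vpc_cidr}")
    return findings


# Constructed sample: ssm is fine, ssmmessages has private DNS off, ec2messages is missing.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0endpoints", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": VPC_CIDR}]}
    ]},
]
SAMPLE_ENDPOINTS = [
    {"ServiceName": f"com.amazonaws.{REGION}.ssm", "VpcEndpointType": "Interface",
     "State": "available", "PrivateDnsEnabled": True, "Groups": [{"GroupId": "sg-0endpoints"}]},
    {"ServiceName": f"com.amazonaws.{REGION}.ssmmessages", "VpcEndpointType": "Interface",
     "State": "available", "PrivateDnsEnabled": False, "Groups": [{"GroupId": "sg-0endpoints"}]},
]

if __name__ == "__main__":
    for line in check_endpoints(SAMPLE_ENDPOINTS, SAMPLE_SECURITY_GROUPS) or ["no findings"]:
        print(line)
```

On the constructed data the check reports the missing ec2messages endpoint and the ssmmessages endpoint with private DNS disabled; pass kms_encryption=True or cloudwatch_logs=True to have it also demand the kms and logs endpoints.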
Hybrid Activations: On-premises servers can be managed by creating a hybrid activation in Systems Manager, which generates an activation code and ID. The on-premises server uses these credentials along with the installed SSM Agent to register with Systems Manager.
Integration with KMS: SecureString parameters in Parameter Store are encrypted using AWS KMS. You can use the AWS managed key (aws/ssm) or a customer managed key when you need control over the key policy and rotation. Session Manager can also be configured to encrypt session data with a KMS key; when that is enabled, both the user who starts the session and the instance profile of the target instance must be allowed kms:GenerateDataKey and kms:Decrypt on the key, otherwise sessions fail to start.
Integration with CloudWatch and S3: Session Manager logs can be sent to CloudWatch Logs and/or S3 for auditing. Run Command output can also be stored in S3. These integrations are essential for meeting compliance and audit requirements.
Integration with AWS Config: Systems Manager Automation documents can be used as remediation actions for AWS Config rules, enabling automatic correction of non-compliant resources.
Integration with EventBridge: Systems Manager events (such as parameter changes, automation execution status changes, and compliance state changes) are sent to Amazon EventBridge, enabling event-driven security workflows.
Security Best Practices with Systems Manager
• Use Session Manager instead of SSH/RDP to eliminate the need for open inbound ports and SSH key management
• Enable Session Manager logging to S3 and CloudWatch Logs for complete audit trails
• Use KMS encryption for Session Manager sessions and SecureString parameters
• Use Parameter Store with SecureString for secrets instead of hardcoding them in applications (though for rotation capabilities, consider AWS Secrets Manager)
• Implement parameter policies to enforce expiration of secrets
• Use Patch Manager with defined baselines and maintenance windows to maintain patch compliance
• Use VPC endpoints for Systems Manager in private subnets to avoid exposing traffic to the internet
• Apply least-privilege IAM policies to control who can execute which documents on which instances
• Use resource tags to scope Run Command and Session Manager access to specific instances
• Leverage Systems Manager Automation for automated security incident response
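The two IAM practices above (least-privilege document/instance permissions and tag-scoped access, which is also the answer to Tip 9 below) depend on details of IAM evaluation that are easy to get wrong: StartSession and SendCommand are authorised against both the instance and the document, the ssm:resourceTag/<key> condition is what ties access to an instance's tags, and an explicit Deny beats any Allow. The following simplified evaluator is an added example, not AWS code, modelling just enough of IAM to show how such a policy behaves. The account ID, region, instance IDs, tags and parameter paths are assumptions, and real IAM supports many more condition operators than the one modelled here.

```python
"""Simplified IAM evaluation for tag-scoped Systems Manager access.

Added example, not AWS code. Models: explicit Deny wins, wildcard actions and
resource ARNs, and StringEquals conditions on ssm:resourceTag/<key>, which
Session Manager and Run Command use to scope instance access by tag.
Account ID, region, instance IDs, tags and parameter paths are assumptions.
"""
import fnmatch

ACCOUNT = "123456789012"
REGION = "us-east-1"

# Policy for an operator who may work on "dev" instances only (assumed names).
DEV_OPERATOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # instance access gated on the instance's Environment tag
            "Effect": "Allow",
            "Action": ["ssm:StartSession", "ssm:SendCommand"],
            "Resource": f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/*",
            "Condition": {"StringEquals": {"ssm:resourceTag/Environment": "dev"}},
        },
        {   # StartSession also authorises the session document; only the default shell
            # document is allowed, so the user cannot choose one that turns logging off
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": f"arn:aws:ssm:{REGION}:{ACCOUNT}:document/SSM-SessionManagerRunShell",
        },
        {   # Run Command limited to one AWS-owned document (no arbitrary shell)
            "Effect": "Allow",
            "Action": "ssm:SendCommand",
            "Resource": f"arn:aws:ssm:{REGION}::document/AWS-RunPatchBaseline",
        },
        {   # parameter reads scoped to the dev hierarchy
            "Effect": "Allow",
            "Action": ["ssm:GetParameter", "ssm:GetParametersByPath"],
            "Resource": f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/app/dev/*",
        },
        {   # explicit Deny on prod secrets beats any Allow granted elsewhere
            "Effect": "Deny",
            "Action": "ssm:*",
            "Resource": f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/app/prod/*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _conditions_hold(condition, resource_tags):
    """Only StringEquals on ssm:resourceTag/<key> is modelled; anything else fails closed."""
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.startswith("ssm:resourceTag/"):
            return False
        if resource_tags.get(key.split("/", 1)[1]) not in _as_list(expected):
            return False
    return True


def is_allowed(policy, action, resource_arn, resource_tags=None):
    """IAM order of evaluation: explicit Deny wins, then any matching Allow, else implicit deny."""
    tags = resource_tags or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), tags):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def start_session_allowed(policy, instance_id, tags, document="SSM-SessionManagerRunShell"):
    """StartSession is authorised against two resources: the instance and the session document."""
    instance = f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/{instance_id}"
    doc = f"arn:aws:ssm:{REGION}:{ACCOUNT}:document/{document}"
    return is_allowed(policy, "ssm:StartSession", instance, tags) and is_allowed(policy, "ssm:StartSession", doc)


def send_command_allowed(policy, instance_id, tags, document, aws_owned=True):
    """SendCommand needs the instance and the document; AWS-owned documents carry no account in the ARN."""
    instance = f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/{instance_id}"
    doc = f"arn:aws:ssm:{REGION}:{'' if aws_owned else ACCOUNT}:document/{document}"
    return is_allowed(policy, "ssm:SendCommand", instance, tags) and is_allowed(policy, "ssm:SendCommand", doc)


def parameter_read_allowed(policy, name):
    """Parameter ARNs are arn:aws:ssm:region:account:parameter/<name without leading slash>."""
    return is_allowed(policy, "ssm:GetParameter", f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter{name}")


if __name__ == "__main__":
    dev, prod = {"Environment": "dev"}, {"Environment": "prod"}
    print("session on dev instance:  ", start_session_allowed(DEV_OPERATOR_POLICY, "i-0dev", dev))
    print("session on prod instance: ", start_session_allowed(DEV_OPERATOR_POLICY, "i-0prod", prod))
    print("shell via Run Command:    ", send_command_allowed(DEV_OPERATOR_POLICY, "i-0dev", dev, "AWS-RunShellScript"))
    print("read /app/prod/db/password:", parameter_read_allowed(DEV_OPERATOR_POLICY, "/app/prod/db/password"))
```

Two things the run makes visible: an instance with no Environment tag at all is denied, because StringEquals on a missing tag does not match, and a dev operator who tries a custom session document or AWS-RunShellScript is denied even on a dev instance, because the document resource is authorised separately from the instance.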
Parameter Store vs. Secrets Manager
This is a frequently tested comparison:
• Parameter Store: The standard tier is free (up to 10,000 parameters per account and region, values up to 4 KB); the advanced tier is charged, raises the limits (8 KB values) and is required for parameter policies. Supports SecureString with KMS encryption and parameter hierarchies, but has no built-in automatic rotation. Best for general configuration data and secrets that don't require automatic rotation.
• Secrets Manager: Costs per secret per month plus per API call, built-in automatic rotation with Lambda, native integration with RDS/Redshift/DocumentDB for database credential rotation. Best for database credentials and secrets requiring automatic rotation.
• Parameter Store can reference Secrets Manager secrets: calling GetParameter with a name of the form /aws/reference/secretsmanager/<secret-name> returns the secret value, giving applications a single API for both configuration and secrets. The caller still needs secretsmanager:GetSecretValue on the underlying secret.
Exam Tips: Answering Questions on AWS Systems Manager
Tip 1 — Instance Not Appearing in Systems Manager: If an exam question describes an instance that is not showing up as a managed instance, check for: (a) missing or incorrect IAM instance profile with SSM permissions, (b) SSM Agent not installed or not running, (c) no network connectivity to Systems Manager endpoints (need internet access, a NAT gateway, or VPC endpoints), (d) a security group or network ACL that blocks outbound HTTPS (TCP 443) from the instance.
Tip 2 — Eliminating SSH/Bastion Hosts: When a question asks about secure remote access without bastion hosts or SSH keys, the answer is almost always Session Manager. Remember that Session Manager requires no inbound security group rules and provides full audit logging.
Tip 3 — VPC Endpoints for Private Subnets: If instances are in a private subnet with no internet access and need to use Systems Manager, you need to create VPC interface endpoints for ssm, ssmmessages, and ec2messages. If using KMS encryption, you also need a kms endpoint. If logging to S3, you need an S3 gateway endpoint or interface endpoint, and if streaming session logs to CloudWatch Logs, a logs endpoint. The endpoint security group must allow inbound TCP 443 from the instances.
Tip 4 — Secrets and Encryption: When a question asks about storing secrets securely and the requirements include automatic rotation, choose Secrets Manager. When automatic rotation is not required, or when cost optimization is a concern, Parameter Store with SecureString is usually the answer. If a question mentions both configuration data and secrets, Parameter Store's hierarchical structure is often the right choice.
Tip 5 — Patch Compliance: For questions about ensuring instances are patched and compliant, the answer involves Patch Manager with patch baselines and maintenance windows. For reporting on patch compliance, use Systems Manager Compliance or integrate with AWS Config.
Tip 6 — Automated Remediation: When questions describe a scenario where non-compliant resources need to be automatically fixed, look for answers combining AWS Config rules with Systems Manager Automation runbooks as remediation actions.
Tip 7 — Audit and Logging: For audit-related questions, remember that Session Manager can log to CloudWatch Logs and S3, Run Command output can be stored in S3, and all API calls to Systems Manager are logged in CloudTrail. Parameter Store changes also generate CloudTrail events and EventBridge events.
Tip 8 — On-Premises Management: When a question involves managing on-premises servers with Systems Manager, remember that hybrid activations are required. The on-premises server will appear with a managed instance ID starting with mi- instead of i-.
Tip 9 — Least Privilege with Run Command and Session Manager: IAM policies can restrict which SSM documents a user can execute and on which instances (using tags or instance IDs). This is important for implementing least-privilege access. Questions about restricting who can run commands on which instances should be answered with tag-based IAM conditions.
Tip 10 — Maintenance Windows: When questions ask about scheduling patching or command execution during specific times, the answer is Systems Manager Maintenance Windows. These define schedules, targets, and tasks to execute.
Tip 11 — Think Holistically: Many exam questions combine multiple Systems Manager capabilities. For example, a complete patching solution might involve Patch Manager (for patching), Maintenance Windows (for scheduling), Compliance (for reporting), and EventBridge + SNS (for notifications on non-compliance). Be prepared to identify the correct combination of capabilities.