AWS Systems Manager Automation is a powerful capability within AWS Systems Manager that enables you to safely automate common and repetitive IT operations and management tasks across your AWS resources. It provides a framework for creating runbooks that define a series of steps to perform administrative tasks automatically.
Automation uses documents called runbooks (previously known as Automation documents) written in YAML or JSON format. These runbooks contain predefined steps that execute actions such as creating AMIs, patching instances, managing snapshots, and remediating compliance drift. AWS provides over 100 pre-built runbooks for common tasks, and you can create custom runbooks tailored to your specific requirements.
Key features of Systems Manager Automation include:
1. **Runbook Types**: Support for both AWS-managed runbooks and custom runbooks that you author and maintain.
2. **Integration with EventBridge**: Automation can be triggered by CloudWatch Events or EventBridge rules, enabling event-driven remediation when specific conditions are detected.
3. **Approval Workflows**: Built-in approval actions allow you to pause automation execution until manual approval is granted, ensuring human oversight for critical operations.
4. **Rate Controls**: You can specify concurrency limits and error thresholds to control how automation executes across multiple resources safely.
5. **Cross-Account and Cross-Region**: Automation supports executing tasks across multiple AWS accounts and regions from a central location.
For SysOps Administrators, Automation is essential for implementing self-healing infrastructure and maintaining operational efficiency. Common use cases include automatic instance recovery when health checks fail, scheduled AMI creation and lifecycle management, patching workflows, and responding to security findings from AWS Config or Security Hub.
Automation integrates seamlessly with other AWS services like CloudWatch Alarms, AWS Config rules, and Security Hub findings to create comprehensive automated remediation pipelines that reduce manual intervention and improve system reliability.
Systems Manager Automation - Complete Guide for AWS SysOps Administrator Associate
What is AWS Systems Manager Automation?
AWS Systems Manager Automation is a capability within AWS Systems Manager that simplifies common maintenance, deployment, and remediation tasks for AWS resources. It allows you to create and run automation workflows, called runbooks (formerly called Automation documents), that perform actions on your AWS resources at scale.
Why is Systems Manager Automation Important?
Systems Manager Automation is critical for several reasons:
• Operational Efficiency: Automates repetitive tasks such as patching AMIs, creating snapshots, and managing instances
• Consistency: Ensures standardized processes across your entire infrastructure
• Error Reduction: Eliminates human error in routine maintenance tasks
• Compliance: Helps maintain compliance by automating security patches and configurations
• Cost Optimization: Automates start/stop schedules for EC2 instances
• Incident Response: Enables automated remediation when issues are detected
How Systems Manager Automation Works
Core Components:
1. Runbooks (Automation Documents): YAML or JSON documents that define the actions to perform. AWS provides pre-built runbooks, or you can create custom ones.
2. Actions: Individual steps within a runbook that perform specific tasks such as:
   • aws:executeScript - Run Python or PowerShell scripts
   • aws:runCommand - Execute commands on managed instances
   • aws:createImage - Create an AMI
   • aws:approve - Pause for manual approval
   • aws:executeAwsApi - Call any AWS API
3. Parameters: Input values that customize runbook execution
4. Targets: Resources the automation will act upon (can use tags, resource groups, or specific resource IDs)
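The components above come together in a runbook document. The following custom runbook is an added example written for this guide (not an AWS-managed runbook and not code from the original page): it declares parameters, gates an AMI build behind an aws:approve step, and runs every step under an assumed service role. The parameter names, step names and tag keys are assumptions chosen for illustration; the SNS topic and approver ARNs are supplied at execution time.

```yaml
# Hypothetical custom runbook: create a golden AMI only after manual approval.
description: >-
  Create a golden AMI from a running instance after a named approver signs off.
  Added example for this guide; parameter and step names are illustrative.
schemaVersion: '0.3'
# Every step runs with this role, so its policy bounds what the runbook can do.
assumeRole: '{{ AutomationAssumeRole }}'
parameters:
  InstanceId:
    type: String
    description: (Required) Instance to image.
    allowedPattern: '^i-[a-f0-9]{8,17}$'
  AutomationAssumeRole:
    type: String
    description: (Required) ARN of the IAM service role that Automation assumes.
  ApproverArns:
    type: StringList
    description: (Required) IAM principals allowed to approve this execution.
  NotificationTopicArn:
    type: String
    description: (Required) SNS topic that receives the approval request.
outputs:
  - createImage.ImageId
mainSteps:
  # Fail fast if the instance is not running instead of imaging a stopped host.
  - name: checkInstanceIsRunning
    action: aws:assertAwsResourceProperty
    onFailure: Abort
    inputs:
      Service: ec2
      Api: DescribeInstances
      InstanceIds:
        - '{{ InstanceId }}'
      PropertySelector: $.Reservations[0].Instances[0].State.Name
      DesiredValues:
        - running
  # Manual approval gate: the execution pauses here until an approver responds
  # or the timeout expires, in which case onFailure aborts the run.
  - name: waitForApproval
    action: aws:approve
    timeoutSeconds: 3600
    onFailure: Abort
    inputs:
      NotificationArn: '{{ NotificationTopicArn }}'
      Message: 'Approve creation of a golden AMI from {{ InstanceId }}?'
      MinRequiredApprovals: 1
      Approvers: '{{ ApproverArns }}'
  - name: createImage
    action: aws:createImage
    maxAttempts: 2
    onFailure: Abort
    inputs:
      InstanceId: '{{ InstanceId }}'
      # Execution ID keeps the name unique across repeated runs on the same instance.
      ImageName: 'golden-{{ InstanceId }}-{{ automation:EXECUTION_ID }}'
      ImageDescription: 'Golden AMI created by approved Automation execution'
      NoReboot: false
  # Tag the image with its provenance so the execution history can be traced from the AMI.
  - name: tagImage
    action: aws:createTags
    inputs:
      ResourceType: EC2
      ResourceIds:
        - '{{ createImage.ImageId }}'
      Tags:
        - Key: SourceInstance
          Value: '{{ InstanceId }}'
        - Key: AutomationExecutionId
          Value: '{{ automation:EXECUTION_ID }}'
    isEnd: true
```

The approval step is the control an auditor looks for: the run cannot reach aws:createImage until a listed approver acts, and the execution history records who approved and when. Register the document with the SSM API (for example CreateDocument with DocumentType Automation) and start it with the InstanceId and role ARN as parameters.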
Execution Modes:
• Simple Execution: Run on a single resource
• Rate Control: Control the concurrency and error threshold when running on multiple resources
• Multi-Account and Multi-Region: Execute across multiple AWS accounts and regions
• Manual Execution: Includes approval steps for human intervention
Common Use Cases:
• Golden AMI Pipeline: Automate the creation and patching of AMIs
• Instance Remediation: Automatically restart unhealthy instances
• Snapshot Management: Create and manage EBS snapshots on schedule
• Security Remediation: Automatically remediate non-compliant resources detected by AWS Config
• Disaster Recovery: Automate failover procedures
Integration with Other AWS Services:
• Amazon EventBridge: Trigger automations based on events
• AWS Config: Auto-remediate non-compliant resources
• Amazon CloudWatch: Trigger automations based on alarms
• AWS Lambda: Invoke Lambda functions within runbooks
Exam Tips: Answering Questions on Systems Manager Automation
Key Concepts to Remember:
1. Runbooks vs Run Command: Automation uses runbooks for multi-step workflows, while Run Command uses command documents for single commands on instances
2. AWS-Managed Runbooks: Know that AWS provides pre-built runbooks starting with AWS- prefix (e.g., AWS-UpdateLinuxAmi, AWS-RestartEC2Instance)
3. Rate Control Parameters:
   • Concurrency - How many resources to target simultaneously
   • Error Threshold - How many failures before stopping the automation
4. Change Calendar Integration: Automation can check Change Calendar to prevent executions during restricted periods
5. IAM Requirements: Automation requires an IAM service role (Assume Role) with permissions to perform the actions in the runbook
Common Exam Scenarios:
• Scenario: Need to patch AMIs regularly and create new golden images
  Answer: Use Systems Manager Automation with AWS-UpdateLinuxAmi or AWS-UpdateWindowsAmi runbooks
• Scenario: Automatically remediate EC2 instances when CloudWatch alarm triggers
  Answer: Configure CloudWatch alarm to trigger EventBridge rule that invokes Systems Manager Automation
• Scenario: Need approval before critical automation steps
  Answer: Use the aws:approve action in your runbook for manual approval gates
• Scenario: Auto-remediate non-compliant resources from AWS Config rules
  Answer: Configure AWS Config remediation action using Systems Manager Automation runbook
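The last scenario, together with the IAM service role requirement above, is shown below as a CloudFormation template. This is an added example written for this guide, not AWS's own template: it creates the service role Automation assumes, an AWS Config managed rule that flags publicly readable S3 buckets, and a remediation configuration that runs the AWS-managed runbook AWS-DisableS3BucketPublicReadWrite against each non-compliant bucket. It assumes an AWS Config recorder is already enabled in the account; the role name, policy name and retry settings are illustrative choices, and the S3 actions listed in the policy are an assumption that should be narrowed to exactly the API calls the chosen runbook makes.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example: auto-remediate publicly readable S3 buckets with Systems
  Manager Automation driven by AWS Config. Assumes a Config recorder exists.
Resources:
  # Service role that the runbook's steps run under (the AutomationAssumeRole).
  RemediationRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ssm.amazonaws.com
            Action: sts:AssumeRole
            # Confused-deputy guard: only Automation in this account may assume it.
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
      Policies:
        - PolicyName: remediate-public-s3-buckets
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                # Assumed minimal set for this runbook; verify against its steps.
                Action:
                  - s3:GetBucketAcl
                  - s3:PutBucketAcl
                  - s3:PutBucketPublicAccessBlock
                Resource: 'arn:aws:s3:::*'
  # Managed Config rule that evaluates every bucket for public read access.
  PublicReadRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-public-read-prohibited
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
  # Remediation action: Config starts the Automation runbook for each NON_COMPLIANT bucket.
  PublicReadRemediation:
    Type: AWS::Config::RemediationConfiguration
    DependsOn: PublicReadRule
    Properties:
      ConfigRuleName: s3-bucket-public-read-prohibited
      TargetType: SSM_DOCUMENT
      TargetId: AWS-DisableS3BucketPublicReadWrite
      Automatic: true
      MaximumAutomaticAttempts: 3
      RetryAttemptSeconds: 60
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values:
              - !GetAtt RemediationRole.Arn
        # RESOURCE_ID is substituted with the non-compliant bucket's name.
        S3BucketName:
          ResourceValue:
            Value: RESOURCE_ID
```

Setting Automatic to true is what makes this self-healing; setting it to false keeps the same wiring but requires an operator to trigger remediation from the Config console, which is the safer starting point while the role's permissions are still being tuned. Each remediation run appears in the Automation execution history, so failures (for example, a permission the role lacks) surface there rather than silently.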
Watch Out For:
• Questions about cross-account automation - requires proper IAM roles and resource sharing
• Questions mentioning maintenance windows - Automation can be scheduled through maintenance windows
• Understand the difference between Automation (orchestration workflows) and State Manager (desired state configuration)
• Remember that Automation executions are logged in the Automation execution history and can be tracked