AWS Configuration Management: Systems Manager, Config, and OpsWorks

Learning Objectives

After studying this guide, you should be able to:

• Evaluate and recommend AWS Systems Manager (SSM) components for operational automation.
• Design strategies for AWS Config to track resource drift and implement automated remediation.
• Distinguish between the three flavors of AWS OpsWorks (Chef, Puppet, and Stacks).
• Implement Change Manager workflows for cross-account, multi-region operational changes.
• Optimize patching and secret management across large-scale EC2 fleets.

Key Terms & Glossary

• Configuration Drift: The phenomenon where the actual state of a resource deviates from its intended or "golden" state over time.
• Managed Instance: Any machine (EC2 or on-premises) that has the SSM Agent installed and is authorized to communicate with AWS Systems Manager.
• State Manager: An SSM tool that automates the process of keeping managed instances in a defined state (e.g., ensuring specific software is always installed).
• Patch Baseline: A set of rules that define which patches are approved for installation on managed instances (e.g., only 'Critical' security updates).
• Maintenance Window: A defined schedule for when disruptive operations (like patching or reboots) can occur.

The "Big Idea"

In a modern cloud environment, manual configuration is a liability. The "Big Idea" is Immutable Infrastructure and Automated Governance. By using AWS Systems Manager and AWS Config, an organization can treat infrastructure as a living system that automatically heals from drift, patches itself against vulnerabilities, and maintains a rigorous audit trail without human intervention. This shifts the role of the Architect from "system administrator" to "policy engineer."

Formula / Concept Box

Hierarchical Outline

• I. AWS Systems Manager (The Operational Hub)
  • Node Management: SSM Agent, Managed Instances, and Inventory.
  • Change Management:
    • Change Manager: Approval workflows for standard vs. emergency changes.
    • Automation: Low-code workflows for common tasks.
  • Application Management:
    • AppConfig: Feature flags and runtime configuration.
    • Parameter Store: Centralized, hierarchical storage for secrets and config data.
• II. AWS Config (The Governance Engine)
  • Resource Timeline: History of every configuration change for an AWS resource.
  • Managed Rules: Pre-built compliance checks (e.g., "Check for public SSH").
  • Remediation: SSM Automation documents triggered by non-compliant rules.
• III. AWS OpsWorks (Managed Configuration Tools)
  • Chef Automate / Puppet Enterprise: Fully managed configuration servers.
  • OpsWorks Stacks: Layer-based infrastructure management (Legacy).

Visual Anchors

Change Management Flow

Resource Drift Monitoring

\begin{tikzpicture} \draw[thick, ->] (0,0) -- (6,0) node[anchor=north] {Time}; \draw[thick] (0,1) -- (2,1) node[midway, above] {Golden State}; \draw[red, thick] (2,1) -- (3,0.5) -- (5,0.5) node[midway, below] {Drifted State}; \draw[dashed] (5,0.5) -- (5,2) node[anchor=south] {Config Rule Triggered}; \draw[green, thick, ->] (5,0.5) -- (5.2,1) -- (6,1) node[anchor=south] {Remediated}; \node at (1,1.5) {Initial Config}; \node at (3.5,0.2) {Unauthorized Change}; \end{tikzpicture}

Definition-Example Pairs

• SSM Parameter Store: A secure, hierarchical storage service for configuration data and secrets.
  • Example: Storing a database connection string as /prod/myapp/db_url so multiple Lambda functions can retrieve it without hardcoding.
• AWS Config Remediation: The ability to automatically fix a non-compliant resource.
  • Example: If an S3 bucket is made public, an AWS Config rule detects it and triggers an SSM Automation document to immediately set the bucket to private.
• AppConfig Configuration Profile: A document defining settings for an application that can be updated independently of the code.
  • Example: A retailer uses AppConfig to change a "Sale Discount" percentage from 10% to 20% across all web servers instantly during Black Friday.

Worked Examples

Scenario 1: Automated Patching of 500 EC2 Instances

1. Tagging: Tag all instances with Patch Group: WebServers.
2. Define Baseline: Create a Patch Baseline in SSM that approves all security patches for Amazon Linux 2 after a 7-day delay.
3. Maintenance Window: Create a window for Sunday at 2:00 AM. Register the instances using the Patch Group tag.
4. Task Registration: Register the AWS-RunPatchBaseline task to the maintenance window.
5. Outcome: Instances are scanned and patched automatically; reports are sent to the SSM Compliance dashboard.

Scenario 2: Tracking Secret Rotation with Config

1. Enable AWS Config: Ensure recording is on for AWS::SecretsManager::Secret.
2. Apply Rule: Use the managed rule secretsmanager-using-cmk to ensure secrets are encrypted with customer-managed keys.
3. Remediation: Link a rule to an SSM Automation document that notifies the security team via SNS if a secret has not been rotated in 90 days.

Checkpoint Questions

1. How does SSM Change Manager differ from simple SSM Automation?
2. What is the main difference between AWS Config and AWS CloudTrail?
3. When should you choose OpsWorks over AWS Systems Manager for configuration management?
4. True or False: SSM AppConfig requires a code deployment to update application settings.
5. Which service would you use to track the 2-year history of a specific Security Group's rules?

Muddy Points & Cross-Refs

• SSM Parameter Store vs. Secrets Manager: Parameter Store is often free (for standard parameters) and handles simple config. Secrets Manager costs money but offers automatic rotation for databases and built-in integration with RDS. For SAP-C02, choose Secrets Manager if "Rotation" is a requirement.
• Config vs. CloudTrail: CloudTrail tells you who did what (API logs). Config tells you what the resource looks like now and its history (Resource state). They are often used together for forensics.
• Managed Instances: Remember that on-premises servers can be Managed Instances! You just need to install the SSM Agent and create an IAM Service Role for the hybrid activation.

Comparison Tables

AWS OpsWorks Flavors

Systems Manager vs. AWS Config