Introduction to AWS Systems Manager

In today’s cloud-first world, managing on-premise infrastructure alongside cloud resources can present unique challenges, particularly regarding security, maintenance, and automation. AWS Systems Manager (SSM) provides a robust solution by enabling centralized operational data visibility and control across your hybrid environments, including AWS and on-premise Windows servers. This tool helps administrators manage, automate, and orchestrate administrative tasks efficiently, providing a unified experience for cloud-native and on-premise systems.

Benefits of Using AWS Systems Manager for Hybrid Environments

  1. Unified Management: AWS Systems Manager allows you to manage both EC2 instances and on-premise servers from a single console, eliminating the need for multiple management tools.
  2. Automation: With Systems Manager, you can automate repetitive tasks like patch management, compliance enforcement, and system configuration, significantly reducing administrative overhead.
  3. Security and Compliance: Systems Manager includes capabilities such as Session Manager, which gives IAM-governed, logged shell access without opening inbound ports, distributing RDP/SSH credentials, or running bastion hosts, making it easier to enforce strict access policies and to demonstrate compliance with industry standards.
  4. Centralized Monitoring and Logging: Systems Manager aggregates data from your entire infrastructure, providing insights into system performance, patch status, and configuration changes, all in one place.

Configuring Non-EC2 Machines for AWS Systems Manager

For on-premise Windows servers to be managed using AWS Systems Manager, they must be registered with AWS. This process, known as Hybrid Activation, allows AWS to treat your on-premise machines similarly to EC2 instances, enabling seamless integration into Systems Manager.

Here’s a step-by-step guide to configure your on-premise Windows Server for AWS Systems Manager:

1. Creating an IAM Role for Hybrid Environments

Every server you register assumes this IAM role (through the Systems Manager service) to call AWS: the SSM Agent receives temporary credentials for it, so no long-lived access keys need to live on the Windows server. Two things follow: the role's trust policy must allow the ssm.amazonaws.com service principal to assume it, and its permissions should be kept to what the agent needs, because any machine registered with the activation gets them.

Steps:

  1. Go to the IAM Management Console, choose Roles, then Create role.
  2. For the trusted entity choose AWS service and, for the use case, Systems Manager. This gives the role a trust policy that allows only ssm.amazonaws.com to assume it (not ec2.amazonaws.com, which is what an EC2 instance profile uses). To prevent the role being used from another account (confused deputy), add a condition on aws:SourceAccount (your account ID) and aws:SourceArn (arn:aws:ssm:region:account-id:*) to that trust policy.
  3. Attach the following managed policy:
    • AmazonSSMManagedInstanceCore: the minimum permissions the SSM Agent needs to register, receive commands, and report inventory. Do not attach AmazonEC2RoleforSSM: it is deprecated and grants broader access (including to S3) than the agent requires. If you need more, for example writing Session Manager logs to an S3 bucket or CloudWatch Logs, add a separate policy scoped to those resources.
  4. Name the role (e.g., "SSMOnPremRole") and save it for later use. The identity that creates the activation in the next step needs iam:PassRole on this role.
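As an added example (not from the original post), here is the same role created from PowerShell with the AWS CLI, with the trust policy written out so the service principal and the confused-deputy condition are visible. The role name, the region, and the use of a temporary file for the policy document are assumptions of the example.

```powershell
# Added example (not from the original post): create the hybrid-activation
# role from PowerShell with the AWS CLI. Role name and region are placeholders.
$RoleName  = "SSMOnPremRole"
$Region    = "us-east-1"
$AccountId = (aws sts get-caller-identity --query Account --output text)

# Trust policy: only the Systems Manager service may assume this role, and only
# on behalf of activations in this account and region. Without the Condition,
# an activation created in a different account could pass this role's name.
$TrustPolicy = @"
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ssm.amazonaws.com" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": { "aws:SourceAccount": "$AccountId" },
        "ArnEquals":    { "aws:SourceArn": "arn:aws:ssm:${Region}:${AccountId}:*" }
      }
    }
  ]
}
"@

# Write the policy as UTF-8 without a BOM. Out-File in Windows PowerShell 5.1
# writes UTF-16, which the AWS CLI cannot parse from a file:// argument.
$PolicyFile = Join-Path $env:TEMP "ssm-trust-policy.json"
[System.IO.File]::WriteAllText($PolicyFile, $TrustPolicy)

aws iam create-role `
    --role-name $RoleName `
    --assume-role-policy-document "file://$PolicyFile" `
    --description "Assumed by Systems Manager on behalf of hybrid-activated on-premises servers"

# AmazonSSMManagedInstanceCore is all the agent needs for registration, Run
# Command, Session Manager and inventory. The deprecated AmazonEC2RoleforSSM
# is deliberately not attached.
aws iam attach-role-policy `
    --role-name $RoleName `
    --policy-arn "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"

# Check: the trust policy should name only ssm.amazonaws.com as a principal,
# and only one managed policy should be attached.
aws iam get-role --role-name $RoleName `
    --query "Role.AssumeRolePolicyDocument.Statement[].Principal.Service" --output text
aws iam list-attached-role-policies --role-name $RoleName `
    --query "AttachedPolicies[].PolicyName" --output text
```

The same trust policy is what the console generates when you pick the Systems Manager use case, minus the Condition block; adding the condition is the one change worth making by hand.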

2. Initiating Hybrid Activation via AWS CLI

To register your Windows Server with AWS Systems Manager, you must create a Hybrid Activation in the AWS environment. This can be quickly done using the AWS CLI.

Steps:

  1. Open a terminal with AWS CLI credentials that may call ssm:CreateActivation and pass the role (iam:PassRole on SSMOnPremRole).
  2. Run the following command to create a hybrid activation (activations are regional, so specify the region the servers will register in):
    aws ssm create-activation \
      --region us-east-1 \
      --default-instance-name "OnPremWindowsServer" \
      --iam-role "SSMOnPremRole" \
      --registration-limit 1 \
      --expiration-date 2024-12-31T23:59:59Z

This command returns an Activation Code and Activation ID required to register your Windows Server. Treat the Activation Code as a secret: until the activation expires or its registration limit is reached, anyone holding the code can register a machine that will then receive the role's credentials and any commands you target at your fleet. Set --registration-limit to the number of servers you are actually onboarding (the default is 1), and keep --expiration-date short; it may be at most 30 days after creation, and defaults to 24 hours if omitted. Adjust the date above accordingly.
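As an added example (not part of the original post), the same activation created from PowerShell with the AWS CLI, with the expiry computed inside the 30-day limit, the returned code kept out of the console output, and the activation checked from the API side afterwards. Role name, region, tag values, and the 7-day window are assumptions of the example.

```powershell
# Added example (not from the original post): create a hybrid activation from
# PowerShell and treat the returned code as a credential. Role name, region
# and tag values are placeholders.
$Region   = "us-east-1"
$RoleName = "SSMOnPremRole"

# Activations cannot expire more than 30 days after creation (default: 24h).
# Use the shortest window your rollout allows; 7 days is an assumption here.
$Expires = (Get-Date).ToUniversalTime().AddDays(7).ToString("yyyy-MM-dd'T'HH:mm:ss'Z'")

$Activation = aws ssm create-activation `
    --region $Region `
    --default-instance-name "OnPremWindowsServer" `
    --iam-role $RoleName `
    --registration-limit 1 `
    --expiration-date $Expires `
    --tags "Key=Environment,Value=onprem" `
    --output json | ConvertFrom-Json

if (-not $Activation) { throw "create-activation failed; check the CLI error above" }

# The ActivationCode is a bearer secret: whoever holds it can, until the
# limit or expiry is reached, register a machine that receives this role's
# credentials. Keep it out of logs, shell history and scripts.
$ActivationId   = $Activation.ActivationId
$ActivationCode = $Activation.ActivationCode

# Hand the pair to the server build through your secrets store. The
# SecretManagement call below is a placeholder; substitute your vault CLI.
# Set-Secret -Name "ssm-activation-$ActivationId" -Secret $ActivationCode
Write-Host "Created activation $ActivationId (code withheld from output)"

# Check the activation without exposing the code: not expired, 0 registrations
# used, limit as requested.
aws ssm describe-activations --region $Region `
    --filters "FilterKey=ActivationIds,FilterValues=$ActivationId" `
    --query "ActivationList[].{Id:ActivationId,Expired:Expired,Used:RegistrationsCount,Limit:RegistrationLimit,Expires:ExpirationDate}" `
    --output table
```

Once every server has registered, or if the code leaks, delete the activation with aws ssm delete-activation; already-registered nodes keep working, since their registration is independent of the activation.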

3. Installing the SSM Agent on Windows Servers

AWS Systems Manager requires the SSM Agent installed on all managed instances, including on-premise Windows Servers. The agent initiates all communication with Systems Manager itself, over outbound HTTPS (TCP 443) to the ssm, ssmmessages, and ec2messages endpoints for your region; no inbound ports need to be opened on the server or its firewall, but that outbound path (directly or through a proxy) must exist before registration will succeed.

Steps:

  1. Download the latest SSM Agent installer for Windows (AmazonSSMAgentSetup.exe) from the regional AWS bucket. The installer is Authenticode-signed by Amazon; check it with Get-AuthenticodeSignature before running it.
  2. Install the SSM Agent on your Windows Server from an elevated PowerShell session. The package is an executable installer, not an MSI, so it is run directly rather than through msiexec:
    Invoke-WebRequest -Uri "https://amazon-ssm-region.s3.region.amazonaws.com/latest/windows_amd64/AmazonSSMAgentSetup.exe" -OutFile "$env:TEMP\AmazonSSMAgentSetup.exe"
    Start-Process -FilePath "$env:TEMP\AmazonSSMAgentSetup.exe" -ArgumentList "/q" -Wait

Replace both occurrences of region with your AWS region (e.g., us-east-1). The installer also accepts CODE=, ID=, and REGION= arguments to register the server during installation; the next section registers it separately so the steps are visible.

4. Registering the Windows Server and Verifying the Installation

Once the SSM Agent is installed, you must register your Windows Server with AWS Systems Manager using the Activation Code and Activation ID obtained earlier.

Steps:

  1. Open PowerShell as an administrator on your Windows Server.
  2. Stop the agent service, then register the instance. The agent binary is not on the PATH, so call it by its full path:

    Stop-Service AmazonSSMAgent
    & "C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe" -register -code "ActivationCode" -id "ActivationID" -region "region"

Replace ActivationCode, ActivationID, and region with your specific values; the region must be the one the activation was created in.

  3. Start the SSM Agent service by running the following PowerShell command:
    Start-Service AmazonSSMAgent
  4. Navigate to the AWS Systems Manager console, open Fleet Manager (formerly Managed Instances), and confirm that your Windows Server appears with a managed-node ID beginning with mi- and a ping status of Online.

If the server is listed, the configuration is complete. You can now use AWS Systems Manager to monitor and manage your Windows Server, just like an EC2 instance.
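As an added example (not part of the original post), steps 3 and 4 combined into one unattended PowerShell script for the server, with the installer's signature checked before it runs and the registration verified both locally and from the AWS API. The region and activation values are placeholders, the activation code is assumed to come from your secrets store rather than being typed into the script, and the registration-file path is the agent's default location on Windows.

```powershell
# Added example (not from the original post): unattended install and
# registration of the SSM Agent on an on-premises Windows Server. Run as
# administrator. Region and activation values are placeholders; fetch the
# code from your secrets store instead of hard-coding it.
$Region         = "us-east-1"
$ActivationId   = "<activation-id>"
$ActivationCode = "<activation-code>"

$Url       = "https://amazon-ssm-${Region}.s3.${Region}.amazonaws.com/latest/windows_amd64/AmazonSSMAgentSetup.exe"
$Installer = Join-Path $env:TEMP "AmazonSSMAgentSetup.exe"
$AgentExe  = "C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"

# Older Windows builds default to TLS 1.0 for .NET web requests.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
$ProgressPreference = 'SilentlyContinue'
Invoke-WebRequest -Uri $Url -OutFile $Installer

# Refuse to run anything that is not validly Authenticode-signed by Amazon.
$Sig = Get-AuthenticodeSignature -FilePath $Installer
if ($Sig.Status -ne 'Valid' -or $Sig.SignerCertificate.Subject -notlike '*Amazon*') {
    throw "SSM Agent installer signature check failed: $($Sig.Status)"
}

# Silent install; the log is where to look if the install fails quietly.
Start-Process -FilePath $Installer -ArgumentList @('/q', '/log', "$env:TEMP\ssm-install.log") -Wait

# Register with the activation. The service must be stopped first; -clear
# discards any earlier registration so a re-imaged host does not reuse a
# stale managed-instance identity.
Stop-Service AmazonSSMAgent -ErrorAction SilentlyContinue
& $AgentExe -register -code $ActivationCode -id $ActivationId -region $Region -clear
Start-Service AmazonSSMAgent

# Local check: on success the agent writes its registration (managed-instance
# ID beginning with mi- and the region) to this file.
$RegFile = "C:\ProgramData\Amazon\SSM\InstanceData\registration"
if (-not (Test-Path $RegFile)) { throw "No registration file; the agent did not register" }
Get-Content $RegFile

# Fleet-side check, run from a workstation with ssm:DescribeInstanceInformation
# rights: the node should be Online with resource type ManagedInstance.
aws ssm describe-instance-information --region $Region `
    --filters "Key=ActivationIds,Values=$ActivationId" `
    --query "InstanceInformationList[].{Id:InstanceId,Ping:PingStatus,Type:ResourceType,Agent:AgentVersion}" `
    --output table
```

If the local registration file exists but the node never shows as Online, the usual cause is the outbound HTTPS path to the regional ssm, ssmmessages and ec2messages endpoints; the agent log under C:\ProgramData\Amazon\SSM\Logs records the connection errors.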

Conclusion

AWS Systems Manager simplifies the complexity of managing hybrid environments by providing a centralized platform for monitoring, automation, and maintenance. By registering your on-premise Windows servers with Systems Manager, you can gain better control over system configurations, automate routine tasks, and improve the overall security posture of your infrastructure.

Whether managing a few servers or a large fleet, integrating on-premise Windows machines with AWS Systems Manager ensures efficiency, scalability, and enhanced operational control.

References

Managing servers in hybrid and multi-cloud environments with the Systems Manager

Working with SSM Agent on EC2 instances for Windows Server