AWS Systems Manager Automation can be wired to AWS Config so that a rule evaluation automatically starts a runbook. This is especially useful for an AWS Certified SysOps Administrator who wants corrective action to begin as soon as a resource is evaluated as non-compliant with an AWS Config rule, without waiting for a human to notice.

What are AWS Config Rules and AWS Systems Manager Automation?

AWS Config is a fully managed service that provides you with AWS resource inventory, configuration history, and configuration change notifications. You can set desired configurations with AWS Config rules and AWS Config will then evaluate your AWS resources for compliance with these rules.

AWS Systems Manager Automation, on the other hand, simplifies common maintenance and deployment tasks. You create runbooks (Automation documents) that describe a sequence of steps, so operational tasks run the same way every time and the opportunity for human error is reduced.

Now, combining the power of these two services enables you to automatically respond to compliance changes in your AWS environment.

Using AWS Systems Manager Automation with AWS Config

When a resource becomes non-compliant with an AWS Config rule, the rule's remediation action can start an AWS Systems Manager Automation runbook. AWS Config calls the Systems Manager StartAutomationExecution API directly, passing the non-compliant resource's ID as a parameter; the runbook then takes corrective action to bring the resource back into compliance, or starts other operational tasks such as notifying an on-call team.

Here are the steps to set up AWS Systems Manager Automation as the remediation action for an AWS Config rule:

  1. Create an SSM Automation document: First, create a Systems Manager (SSM) document of type Automation (schemaVersion 0.3), written in JSON or YAML, that represents a single automation workflow. Command documents such as AWS-RunShellScript cannot be used directly as a remediation action; the runbook invokes them through an aws:runCommand step instead. Declare the parameters the runbook needs, including an AutomationAssumeRole parameter, because Config-triggered remediation runs under an IAM role rather than under a person's credentials.
  2. Configure an AWS Config Rule: Set up a Config rule for the resource type and desired configuration state. In the rule's remediation action, select the Automation document by name, map the rule's RESOURCE_ID to the runbook parameter that identifies the resource (for example InstanceId), and supply the remediation role ARN as a static value. Choose automatic remediation and set a retry limit. Because automatic remediation runs with no human in the loop, give the role only the permissions the runbook actually needs.
  3. Test the AWS Config rule and SSM runbook: Make a change to your resource that deviates from the rule you established. AWS Config will detect the change and evaluate the resource as non-compliant, which should start the runbook you set as the remediation action. Check the Systems Manager Automation execution history, and the remediation status shown on the rule in AWS Config, to verify that the runbook ran and corrected the resource.

Here is a sample JSON formatted SSM Automation document. The shell command is run through the AWS-RunShellScript Command document from an aws:runCommand step, which is how an Automation runbook executes commands on an instance:

  {
    "schemaVersion": "0.3",
    "description": "Sample Automation runbook: patch an EC2 instance flagged by AWS Config",
    "assumeRole": "{{ AutomationAssumeRole }}",
    "parameters": {
      "InstanceId": {
        "type": "String",
        "description": "(Required) The ID of the EC2 instance."
      },
      "AutomationAssumeRole": {
        "type": "String",
        "description": "(Required) The ARN of the IAM role that Automation assumes."
      }
    },
    "mainSteps": [
      {
        "name": "runShellScript",
        "action": "aws:runCommand",
        "inputs": {
          "DocumentName": "AWS-RunShellScript",
          "InstanceIds": [
            "{{ InstanceId }}"
          ],
          "Parameters": {
            "commands": [
              "sudo yum -y update"
            ]
          }
        }
      }
    ]
  }

This example Automation document applies all available package updates to an Amazon EC2 instance (an Amazon Linux or other yum-based instance that is a managed node) when AWS Config evaluates it as non-compliant. The InstanceId parameter is filled in by AWS Config from the rule's RESOURCE_ID, and the AutomationAssumeRole parameter is supplied as a static value in the remediation configuration. A blanket yum update is a coarse action; for patching against an approved baseline, an aws:runCommand step that calls AWS-RunPatchBaseline is the more controlled choice.
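The three setup steps and the sample document, worked through as an added Python example that is not part of the original page or of any AWS code: it builds an Automation runbook equivalent to the sample, checks it for the mistakes that only surface at execution time (a Command-only action, an undeclared {{ parameter }}, a missing assumeRole), and builds the PutRemediationConfigurations payload that maps the rule's RESOURCE_ID to the runbook. The rule name, runbook name and role ARN are assumed placeholders; everything runs offline, and boto3 is imported only when DEPLOY=1 is set.

```python
"""Build and validate an SSM Automation runbook, then the AWS Config remediation
configuration that attaches it to a rule. Added example, not AWS or page code."""
import json
import os
import re

# Assumed values for illustration; substitute your own account's names.
RULE_NAME = "ec2-instances-must-be-patched"
RUNBOOK_NAME = "Custom-PatchInstanceOnNonCompliance"
ROLE_ARN = "arn:aws:iam::123456789012:role/ConfigRemediationRole"

# These actions are Command-document plugins; an Automation runbook must wrap
# them in an aws:runCommand step instead.
COMMAND_ONLY_ACTIONS = {"aws:runShellScript", "aws:runPowerShellScript"}
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_]+)\s*\}\}")


def build_runbook():
    """Automation runbook (schemaVersion 0.3) that patches one EC2 instance."""
    return {
        "schemaVersion": "0.3",
        "description": "Patch an EC2 instance that AWS Config flagged as non-compliant",
        "assumeRole": "{{ AutomationAssumeRole }}",
        "parameters": {
            "InstanceId": {"type": "String", "description": "(Required) EC2 instance ID"},
            "AutomationAssumeRole": {"type": "String",
                                     "description": "(Required) Role Automation assumes"},
        },
        "mainSteps": [{
            "name": "patchInstance",
            "action": "aws:runCommand",
            "inputs": {
                "DocumentName": "AWS-RunShellScript",
                "InstanceIds": ["{{ InstanceId }}"],
                "Parameters": {"commands": ["sudo yum -y update"]},
            },
        }],
    }


def placeholders(obj):
    """Collect every {{ Name }} reference anywhere in the document."""
    found = set()
    if isinstance(obj, dict):
        for value in obj.values():
            found |= placeholders(value)
    elif isinstance(obj, list):
        for value in obj:
            found |= placeholders(value)
    elif isinstance(obj, str):
        found |= set(PLACEHOLDER.findall(obj))
    return found


def validate_runbook(doc):
    """Return a list of problems; an empty list means the runbook is usable
    as a Config remediation target. These are local checks, not AWS validation."""
    problems = []
    if doc.get("schemaVersion") != "0.3":
        problems.append("schemaVersion must be 0.3 for an Automation runbook")
    undeclared = placeholders(doc) - set(doc.get("parameters", {}))
    if undeclared:
        problems.append(f"undeclared parameters referenced: {sorted(undeclared)}")
    for step in doc.get("mainSteps", []):
        if step.get("action") in COMMAND_ONLY_ACTIONS:
            problems.append(f"step {step.get('name')}: {step['action']} is a Command "
                            "document plugin; use aws:runCommand in an Automation runbook")
    if "assumeRole" not in doc:
        problems.append("no assumeRole: steps would run with the caller's credentials")
    return problems


def build_remediation_configuration(rule_name, runbook_name, role_arn):
    """Payload for config:PutRemediationConfigurations. RESOURCE_ID makes Config
    pass the non-compliant resource's ID; the role is a static value. Attempt
    limits are required when Automatic is true."""
    return {
        "ConfigRuleName": rule_name,
        "TargetType": "SSM_DOCUMENT",
        "TargetId": runbook_name,
        "ResourceType": "AWS::EC2::Instance",
        "Automatic": True,
        "MaximumAutomaticAttempts": 3,
        "RetryAttemptSeconds": 60,
        "Parameters": {
            "InstanceId": {"ResourceValue": {"Value": "RESOURCE_ID"}},
            "AutomationAssumeRole": {"StaticValue": {"Values": [role_arn]}},
        },
    }


def deploy(runbook, remediation):
    """Create the runbook and attach the remediation; needs AWS credentials."""
    import boto3  # imported here so the rest of the file runs offline
    boto3.client("ssm").create_document(Content=json.dumps(runbook),
                                        Name=remediation["TargetId"],
                                        DocumentType="Automation", DocumentFormat="JSON")
    boto3.client("config").put_remediation_configurations(
        RemediationConfigurations=[remediation])


if __name__ == "__main__":
    runbook = build_runbook()
    issues = validate_runbook(runbook)
    if issues:
        raise SystemExit("\n".join(issues))
    remediation = build_remediation_configuration(RULE_NAME, RUNBOOK_NAME, ROLE_ARN)
    print(json.dumps(remediation, indent=2))
    if os.environ.get("DEPLOY") == "1":
        deploy(runbook, remediation)
```

Running the file without DEPLOY prints the remediation configuration so it can be reviewed (for example in a pull request) before anything is created; the validation step is deliberately run first because a runbook with a Command-only action is accepted by neither Systems Manager nor AWS Config, and an undeclared parameter fails only when the first automatic remediation attempt starts.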

Closing Note

By pairing AWS Config rules with AWS Systems Manager Automation runbooks, you can automate the response to configuration drift in your AWS environment. This removes the need for routine manual intervention, gives every non-compliant resource the same response, and shortens the window in which a misconfiguration is exposed. Review the remediation role and the runbook steps with the same care as any other privileged automation, since they run without a human approving each execution.

Practice Test

True or False: AWS Systems Manager Automation allows IT administrators to observe and respond to changes in AWS resources.

  • True
  • False

Answer: True

Explanation: AWS Systems Manager Automation allows you to automate operational activities, making it easier for admins to respond to changes in resources.

The ______ AWS Systems Manager document allows combining multiple AWS services tasks into a consolidated runbook.

  • A. AWS-RunShellScript
  • B. AWS-RunRemoteScript
  • C. AWS-RunPowerShellScript
  • D. AWS-ExecuteAutomation

Answer: D. AWS-ExecuteAutomation

Explanation: Options A, B and C are Command documents, which run a script on managed instances and nothing more. Option D names an Automation document, and it is the Automation document type (schemaVersion 0.3) that chains steps such as aws:runCommand and aws:executeAwsApi into one runbook, so a single execution can act across several AWS services.

True or False: AWS Systems Manager Automation runbooks cannot interact with AWS Config rules.

  • True
  • False

Answer: False

Explanation: AWS Systems Manager Automation runbooks can indeed interact with AWS Config, allowing you to automate tasks based on the changes identified by AWS Config.

Which of the following can be used to trigger automation runbooks?

  • A. Amazon CloudWatch Events (Amazon EventBridge)
  • B. AWS Config rules
  • C. Both A and B
  • D. Neither A nor B

Answer: C. Both A and B

Explanation: Both an Amazon CloudWatch Events (EventBridge) rule, which can name an Automation runbook as its target, and an AWS Config rule's remediation action can start runbooks when their conditions are met.

True or False: AWS Systems Manager Automation runbooks cannot audit across multiple AWS accounts and regions.

  • True
  • False

Answer: False

Explanation: AWS Systems Manager Automation runbooks can be used to audit compliance status and apply automation corrective steps across multiple AWS accounts and regions.

AWS Config rules can trigger AWS Systems Manager Automations based on ________.

  • A. Compliance status of your resources
  • B. Time of day
  • C. Both A and B
  • D. Neither A nor B

Answer: A. Compliance status of your resources

Explanation: AWS Config rules are designed to respond based on the compliance status of your resources, not the time of day.

What do AWS Systems Manager Automation runbooks allow you to execute?

  • A. a series of commands on an instance
  • B. a single command on an instance
  • C. Neither A nor B
  • D. Both A and B

Answer: D. Both A and B

Explanation: AWS Systems Manager Automation runbooks allow you to execute a series of commands or just a single command on an instance, depending on your needs.

True or False: Runbooks, once created, cannot be modified or deleted.

  • True
  • False

Answer: False

Explanation: Runbooks can be modified or deleted as per the requirements.

AWS Systems Manager Automation runbooks can be automatically triggered by ________.

  • A. AWS CloudTrail
  • B. AWS Config rules
  • C. Both A and B
  • D. Neither A nor B

Answer: B. AWS Config rules

Explanation: Automation runbooks are started directly by AWS Config rules when a monitored resource goes out of compliance. AWS CloudTrail records the API calls involved but does not start runbooks itself; a CloudTrail-recorded API call can only reach a runbook indirectly, through an EventBridge rule.

True or False: Using AWS Systems Manager Automation runbooks, admins can automate manual, long-running or error-prone tasks.

  • True
  • False

Answer: True

Explanation: AWS Systems Manager Automation allows IT teams to automate tasks which were previously manual, long-running, and prone to errors.

Interview Questions

What is AWS Systems Manager Automation?

AWS Systems Manager Automation simplifies common maintenance and deployment tasks on Amazon EC2 instances and other AWS resources by running them as defined runbooks.

What is the AWS Config rules’ role when using AWS Systems Manager Automation runbooks?

AWS Config rules evaluate the configuration settings of AWS resources, enabling users to assess configurations for compliance. They can trigger AWS Systems Manager Automation runbooks to take action based on these evaluations.

What services does AWS Systems Manager Automation integrate with?

AWS Systems Manager Automation integrates with several AWS services, including AWS CloudFormation, AWS Lambda, AWS Step Functions, and AWS Config.

How can you utilize AWS Systems Manager Automation with AWS Config to automate responses to configuration changes?

You can map AWS Config rules with AWS Systems Manager Automation documents (also known as runbooks). When AWS Config detects a non-compliant resource, it triggers the associated runbook to remediate the issue automatically.

Can you define AWS Systems Manager Automation runbooks?

AWS Systems Manager Automation runbooks are documents that define the actions that Systems Manager performs on your managed instances and AWS resources.

What is the functionality of AWS Config service?

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It allows you to check for compliance with defined rules and triggers actions based on those rules.

Can you manually invoke an AWS Systems Manager Automation runbook?

Yes, you can manually invoke an AWS Systems Manager Automation runbook from the AWS Management Console, CLI, or SDKs.

How do AWS Config rules trigger AWS Systems Manager Automation runbooks?

When an AWS resource falls out of compliance with a Config rule that has a remediation action, AWS Config calls the Systems Manager StartAutomationExecution API directly, passing the non-compliant resource's ID (RESOURCE_ID) and any static parameters you configured, such as the AutomationAssumeRole ARN. No SNS topic is involved in this path; the runbook's steps then run under the remediation role, whose trust policy must allow the Systems Manager service to assume it.

Are AWS Systems Manager Automation runbooks region-specific?

Yes, AWS Systems Manager Automation runbooks are regional, meaning that they exist entirely within the region where they were created.

How granular can the AWS Config rules be?

AWS Config rules can be as specific or as general as you need. They can evaluate resource-specific details, like security group rules, or broader policies, like required tags on all resources.

Can AWS Config monitor changes to AWS Systems Manager Automation runbooks?

Yes, AWS Config can monitor changes to AWS Systems Manager Automation runbooks. It can report these changes and check for compliance based on predetermined rules.

Do you need to write custom scripts to automate actions with AWS Systems Manager Automation runbooks?

No, AWS Systems Manager provides pre-configured runbooks that you can leverage. However, you can also choose to create custom runbooks using JSON or YAML.

What is the role of Amazon SNS in automation with AWS Config and AWS Systems Manager Automation runbooks?

Amazon Simple Notification Service (SNS) is not part of the remediation path: AWS Config starts the runbook directly through the Systems Manager API. SNS is used alongside the integration for notifications. AWS Config can publish configuration and compliance change notifications to an SNS topic that your team subscribes to, and a runbook can include a step that publishes to SNS (for example, to announce that an automatic remediation ran), so people are informed of what the automation did.

Can AWS Config rules and AWS Systems Manager Automation runbooks help to enforce compliance in an organization?

Yes, by pairing AWS Config rules with AWS Systems Manager Automation runbooks, you can automatically remedy non-compliant resources, helping enforce compliance with organization-wide policies.

What is an example of a use case for using AWS Systems Manager Automation runbooks with AWS Config rules?

An example use case is a security group that is accidentally opened to the internet. The managed AWS Config rule restricted-ssh evaluates security groups as non-compliant when they allow SSH (TCP port 22) from 0.0.0.0/0, and its remediation action can start the AWS-owned runbook AWS-DisablePublicAccessForSecurityGroup, which removes the offending ingress rule so the instances behind the security group are no longer reachable from the internet on that port.
