AWS Systems Manager Explorer is a customizable operations dashboard that reports information about your AWS resources. Explorer displays an aggregated view of operations data (OpsData) for your AWS accounts and across AWS Regions. Explorer provides context into how operational issues are distributed, trend over time, and vary by category.
In this blog post, we explain how AWS Systems Manager Explorer creates an aggregated view of the compliance status of AWS Config rules and operational work items (OpsItems) in your AWS accounts across AWS Regions.
AWS Systems Manager OpsCenter provides a central location where operations engineers and IT professionals can view, investigate, and resolve OpsItems related to AWS resources.
AWS Config is used to assess, audit, and evaluate the configuration of your AWS resources. You can use a set of AWS Config managed rules for common compliance scenarios or you can create your own rules for custom scenarios.
The following diagram shows the architecture of the solution.
Figure 1: Creating an aggregated view of operational Items with AWS Systems Manager Explorer
In this post, we’ll show you how to perform the following steps:
- Use Quick Setup in the AWS Systems Manager console to set up Explorer and OpsCenter and create an aggregated view of your operational data across the accounts and AWS Regions in your organization.
- Create OpsItems automatically with Amazon CloudWatch alarms.
- Create OpsItems manually through OpsCenter to track and remediate your operational tasks like routine backups, creating an Amazon Machine Image (AMI), and more.
- Create AWS Config rules. Explorer gathers the compliance status of AWS Config rules and resources in your AWS account.
- View aggregated operations data in a Systems Manager Explorer dashboard.
Set up Explorer and OpsCenter
You can view Explorer operational data across multiple accounts and Regions from a delegated administrator account in your organization, in addition to the master account in AWS Organizations. This helps you improve security and flexibility by making it possible to dedicate a separate operations account for viewing operations data and investigating issues across your organization. The master account from the organization can now designate one member account in the same organization as a delegated administrator.
The OpsCenter setup is now integrated with the Explorer setup. For more information, see Getting started with Systems Manager Explorer and OpsCenter.
Systems Manager Quick Setup simplifies setup by automating common or recommended tasks across multiple accounts and AWS Regions by integrating with AWS Organizations.
- From the left navigation pane in the Systems Manager console, choose Quick Setup, and then choose Create.
Figure 2: AWS Systems Manager Quick Setup
- For Configuration type, choose Host Management, and then choose Next.
Figure 3: AWS Systems Manager Quick Setup configuration type
- On Customize Host Management configuration options, leave the defaults, and then choose Create.
Figure 4: Customize Host Management configuration options
You can also follow the steps in the Manage instances using AWS Systems Manager Quick Setup across organizations in AWS Organizations blog post.
The next step is to aggregate OpsData and OpsItems across the Regions and AWS accounts in your organization. To do that, create a resource data sync.
Explorer supports a maximum of five resource data syncs. You can use one resource data sync for all accounts, one for a subset of organizational units (OUs), one for a subset of Regions, and so on.
- On Create resource data sync, for Resource data sync name, enter a name (for example,
- Under Add accounts, choose Include all accounts from my AWS Organizations configuration.
- Under Regions to include, select Include all current and future regions and All regions. You can also choose Regions as appropriate for your requirements.
- Choose Create resource data sync.
Figure 5: Create resource data sync
You can choose which OpsData sources and widgets to include in your Explorer dashboard. You can use the Category menu to filter OpsData sources by availability, security, cost savings, and governance.
Figure 6: Configure OpsData sources and widgets
You have now successfully completed the setup of Systems Manager Explorer and OpsCenter.
Create OpsItems with Amazon CloudWatch alarms
You can configure Amazon CloudWatch to create an OpsItem in Systems Manager OpsCenter when an alarm enters the ALARM state. Doing so enables you to quickly diagnose and remediate issues with AWS resources from a single console.
Now you’ll configure an alarm that creates an OpsItem when the CPUUtilization metric of an EC2 instance exceeds 70%. The OpsItem includes contextually relevant information, such as the instance name and ID of the monitored AWS resource, alarm details, alarm history, and an alarm timeline graph.
- From the left navigation pane of the Amazon CloudWatch console, choose Alarms, and then choose Create alarm.
- To create an alarm that will be triggered when the CPU utilization on an EC2 instance is greater than 70%, under Specify metric and conditions, choose Select metric.
- On Select metric, choose EC2, and then double-click Per-Instance Metrics to populate all EC2 metrics.
- Enter the EC2 instance ID in Per-Instance Metrics search box, choose the CPUUtilization metric, and then choose Select metric.
Figure 7: Selecting CloudWatch metric
- On Specify metric and conditions, leave the defaults.
- Under Conditions, for the threshold value, enter
Figure 8: Specify CloudWatch metric and conditions
- On Configure actions, for Alarm state trigger, choose In alarm.
- Under Select an SNS topic, choose Select an existing topic, and then under Send a notification to, enter your email address.
- In Systems Manager OpsCenter action, for Severity, choose 2 – High. For Category, choose Availability. Choose Next.
Figure 9: Systems Manager OpsCenter action
- In Add name and description, enter a name for your alarm (for example, High-CPU), and then choose Next.
Figure 10: Add alarm name
- Review the configuration, and then choose Create alarm to complete the setup.
Simulate a CPU load on your EC2 instance that will trigger the high CPU alarm. You can use the cat /dev/random > /dev/null command to simulate high CPU on Linux EC2 instances or consume.exe on Windows EC2 instances.
An OpsItem will be created and displayed in the Explorer dashboard, as shown in Figure 11.
Figure 11: OpsItem created by CloudWatch alarm
You have successfully created an OpsItem with an Amazon CloudWatch alarm.
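The alarm configured above, as an added boto3 example (not code from the original post): it builds the put_metric_alarm parameters, attaches the OpsCenter action as an SSM opsitem ARN carrying severity and category, and includes a small audit helper that reports which alarms are set to open OpsItems. The account ID, region, instance ID and SNS topic ARN are constructed placeholders.

```python
# Added example: CloudWatch alarm with an OpsCenter action, built with boto3
# parameter dicts so the request can be inspected before it is sent.
import re

def opscenter_action_arn(region, account_id, severity, category):
    """Alarm action that makes CloudWatch open an OpsItem in OpsCenter.
    Severity is 1 (critical) to 4 (low); category is an OpsItem category
    such as Availability, Security, Cost, Performance or Recovery."""
    if severity not in (1, 2, 3, 4):
        raise ValueError("severity must be 1-4")
    return f"arn:aws:ssm:{region}:{account_id}:opsitem:{severity}#CATEGORY={category}"

def high_cpu_alarm_params(instance_id, region, account_id, sns_topic_arn,
                          threshold=70.0):
    """Parameters for cloudwatch.put_metric_alarm(**params): CPUUtilization
    above `threshold` percent, averaged over one 5-minute period."""
    return {
        "AlarmName": "High-CPU",
        "Namespace": "AWS/EC2",
        "MetricName": "CPUUtilization",
        "Dimensions": [{"Name": "InstanceId", "Value": instance_id}],
        "Statistic": "Average",
        "Period": 300,
        "EvaluationPeriods": 1,
        "Threshold": threshold,
        "ComparisonOperator": "GreaterThanThreshold",
        "AlarmActions": [
            sns_topic_arn,  # e-mail notification via the SNS topic
            opscenter_action_arn(region, account_id, 2, "Availability"),
        ],
    }

# Matches the OpsCenter action ARN; group 1 is severity, group 2 the category.
OPSITEM_ACTION = re.compile(
    r"^arn:aws:ssm:[^:]+:\d{12}:opsitem:([1-4])(?:#CATEGORY=(\w+))?$")

def opscenter_actions(alarm):
    """Given one describe_alarms() entry, return (severity, category) for each
    OpsCenter action, so you can audit which alarms feed OpsCenter."""
    found = []
    for action in alarm.get("AlarmActions", []):
        m = OPSITEM_ACTION.match(action)
        if m:
            found.append((int(m.group(1)), m.group(2)))
    return found

def create_high_cpu_alarm(cloudwatch, **kwargs):
    """Send the alarm with a boto3 CloudWatch client (needs credentials)."""
    return cloudwatch.put_metric_alarm(**high_cpu_alarm_params(**kwargs))
```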
Create OpsItems manually through OpsCenter
You can create OpsItems manually for issues that Amazon EventBridge or CloudWatch alarms don’t create automatically. In this section, you’ll create two OpsItems: one for EC2 instance image creation and one for an RDS snapshot.
When you manually create an OpsItem for an impacted AWS resource, collect information about that resource so that you can specify its Amazon Resource Name (ARN). If you specify an ARN when you create an OpsItem, OpsCenter creates a deep link to detailed information about the resource.
- In the left navigation pane of the AWS Systems Manager console, choose OpsCenter.
- On the OpsItems tab, choose Create OpsItem.
- Under OpsItem details, enter the following:
- For Title, enter Create an image for web-1 EC2 instance.
- For Source, choose EC2.
- For Priority, choose 3.
- For Severity, choose 3-Medium.
- For Category, choose Recovery.
- For Description, enter Create an image for web-1 EC2 instance.
Figure 12: Create OpsItem
- Under Related resources, choose Add. For Resource type, choose AWS::EC2::Instance, and then under Resource ID, enter your instance ID. Choose Add to complete the resource association.
Figure 13: Configuring related resources in Create OpsItem
- Choose Create OpsItem to complete the OpsItem creation.
Figure 14: Confirming Create OpsItem
- Follow steps 1-5 to create an OpsItem for an RDS snapshot.
You now have three OpsItems. One was created through a CloudWatch alarm. Two were created manually.
Figure 15: Open OpsItems in OpsCenter dashboard
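The two manual OpsItems above, as an added boto3 example (not code from the original post): the related resource is attached by its ARN under the /aws/resources OperationalData key, which is what gives OpsCenter its deep link. The region, account ID, instance ID and DB instance identifier are constructed placeholders.

```python
# Added example: manual OpsItems with a related-resource ARN, built as
# create_ops_item parameter dicts so they can be checked before sending.
import json

# ARN patterns for the resource types used in this walkthrough.
ARN_FORMATS = {
    "AWS::EC2::Instance": "arn:aws:ec2:{region}:{account}:instance/{rid}",
    "AWS::RDS::DBInstance": "arn:aws:rds:{region}:{account}:db:{rid}",
    "AWS::RDS::DBSnapshot": "arn:aws:rds:{region}:{account}:snapshot:{rid}",
}

def resource_arn(resource_type, resource_id, region, account):
    try:
        fmt = ARN_FORMATS[resource_type]
    except KeyError:
        raise ValueError(f"unsupported resource type {resource_type}")
    return fmt.format(region=region, account=account, rid=resource_id)

def ops_item_params(title, source, category, severity, priority,
                    related_arns, description=None):
    """Parameters for ssm.create_ops_item(**params). Severity is the string
    '1'-'4' (1 = critical); priority is 1-5."""
    if severity not in ("1", "2", "3", "4") or priority not in range(1, 6):
        raise ValueError("severity is '1'-'4', priority is 1-5")
    return {
        "Title": title,
        "Description": description or title,
        "Source": source,
        "Category": category,
        "Severity": severity,
        "Priority": priority,
        # Related resources are a JSON list of {"arn": ...} under this key.
        "OperationalData": {"/aws/resources": {
            "Value": json.dumps([{"arn": a} for a in related_arns]),
            "Type": "SearchableString"}},
    }

def web1_image_ops_item(instance_id, region, account):
    arn = resource_arn("AWS::EC2::Instance", instance_id, region, account)
    return ops_item_params("Create an image for web-1 EC2 instance", "EC2",
                           "Recovery", "3", 3, [arn])

def rds_snapshot_ops_item(db_instance_id, region, account):
    arn = resource_arn("AWS::RDS::DBInstance", db_instance_id, region, account)
    return ops_item_params(f"Create a snapshot for {db_instance_id} RDS instance",
                           "RDS", "Recovery", "3", 3, [arn])

def create_ops_items(ssm, region, account, instance_id, db_instance_id):
    """Create both OpsItems with a boto3 SSM client; returns the OpsItem IDs."""
    return [ssm.create_ops_item(**p)["OpsItemId"] for p in (
        web1_image_ops_item(instance_id, region, account),
        rds_snapshot_ops_item(db_instance_id, region, account))]
```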
Create AWS Config rules
In this section, you’ll create five simple AWS Config managed rules: s3-bucket-server-side-encryption-enabled, s3-bucket-versioning-enabled, rds-instance-deletion-protection-enabled, dynamodb-pitr-enabled, and eip-attached (which flags unattached Elastic IPs that can be released).
- Sign in to the AWS Config console and choose Get started.
- Under Settings, leave the defaults. Under Amazon SNS topic, choose Create a topic, and then choose Next.
Figure 16: AWS Config settings
- Under Rules, search for s3-bucket-server-side-encryption-enabled, as shown in Figure 17, and then choose Next.
Figure 17: Searching for S3 bucket server-side encryption enabled AWS Config rule
- On the Review page, review the rules, and then choose Confirm.
Figure 18: Review AWS Config rule
- Repeat steps 1-4 for the s3-bucket-versioning-enabled, rds-instance-deletion-protection-enabled, dynamodb-pitr-enabled, and eip-attached rules.
You can now see the AWS Config rules compliance summary in the AWS Config console. The Explorer dashboard displays the AWS Config compliance summary and information about the associated resources.
Figure 19: AWS Config rules compliance summary
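The five managed rules above, as an added boto3 example (not code from the original post): it creates them with put_config_rule and then summarises compliance per rule and per noncompliant resource, which is the view the Explorer widget aggregates. The name-to-SourceIdentifier mapping holds for these managed rules; the compliance records are constructed sample data shaped like describe_compliance_by_config_rule() output.

```python
# Added example: create the managed rules from the post and summarise their
# compliance the way the Explorer AWS Config widget does.
RULE_NAMES = [
    "s3-bucket-server-side-encryption-enabled",
    "s3-bucket-versioning-enabled",
    "rds-instance-deletion-protection-enabled",
    "dynamodb-pitr-enabled",
    "eip-attached",
]

def managed_rule_params(rule_name):
    """ConfigRule argument for config.put_config_rule(ConfigRule=...).
    For these managed rules the SourceIdentifier is the upper-cased name."""
    return {"ConfigRuleName": rule_name,
            "Source": {"Owner": "AWS",
                       "SourceIdentifier": rule_name.upper().replace("-", "_")}}

def put_managed_rules(config):
    """Create all five rules with a boto3 Config client (needs credentials)."""
    for name in RULE_NAMES:
        config.put_config_rule(ConfigRule=managed_rule_params(name))

# Constructed sample, shaped like the ComplianceByConfigRules list returned by
# describe_compliance_by_config_rule(); counts of contributing resources are
# capped by the API, hence CappedCount / CapExceeded.
SAMPLE_COMPLIANCE = [
    {"ConfigRuleName": "s3-bucket-server-side-encryption-enabled",
     "Compliance": {"ComplianceType": "NON_COMPLIANT",
                    "ComplianceContributorCount": {"CappedCount": 3, "CapExceeded": False}}},
    {"ConfigRuleName": "s3-bucket-versioning-enabled",
     "Compliance": {"ComplianceType": "COMPLIANT"}},
    {"ConfigRuleName": "eip-attached",
     "Compliance": {"ComplianceType": "NON_COMPLIANT",
                    "ComplianceContributorCount": {"CappedCount": 1, "CapExceeded": False}}},
    {"ConfigRuleName": "dynamodb-pitr-enabled",
     "Compliance": {"ComplianceType": "INSUFFICIENT_DATA"}},
]

def compliance_summary(rule_compliances):
    """Rules per compliance type, noncompliant resource count, and the names
    of the noncompliant rules (sorted)."""
    rules, resources, failing = {}, 0, []
    for item in rule_compliances:
        comp = item["Compliance"]
        ctype = comp["ComplianceType"]
        rules[ctype] = rules.get(ctype, 0) + 1
        if ctype == "NON_COMPLIANT":
            failing.append(item["ConfigRuleName"])
            resources += comp.get("ComplianceContributorCount", {}).get("CappedCount", 0)
    return {"rules": rules, "noncompliant_resources": resources,
            "noncompliant_rules": sorted(failing)}
```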
For more information, see the AWS Config Rules – Dynamic Compliance Checking for Cloud Resources blog post.
View aggregated operations data in Systems Manager Explorer
After you complete the steps in this post, you can see an aggregated view of all of your operations data, such as OpsItems created through OpsCenter, OpsItems created through CloudWatch alarms, and the AWS Config rules compliance summary, in the Explorer dashboard, as shown here.
Figure 20: AWS Systems Manager Explorer dashboard
In this blog post, we showed you how to create OpsItems manually through OpsCenter and automatically through CloudWatch alarms. We showed you how to configure AWS Config rules and view a rules compliance summary in the Explorer dashboard.
Using the information in this post, you can now build your own aggregated view of all your AWS resources across AWS Regions by using AWS Systems Manager Explorer. For more information about AWS Systems Manager features, see the AWS Systems Manager User Guide.
The following blog posts show you how to use AWS Systems Manager Automation runbooks to resolve OpsItems and remediate noncompliant AWS Config rules:
- Use AWS Systems Manager Automation runbooks to resolve operational tasks
- Remediate noncompliant AWS Config rules with AWS Systems Manager Automation runbooks