Organizations manage an increasingly diverse IT infrastructure, one that spans cloud and on-premises environments and uses different tools and services. Managing these diverse hybrid environments can be complicated and resource-intensive. Fleet Manager, a new feature in AWS Systems Manager, makes it easy and cost-effective to remotely manage Windows and Linux servers running across AWS, on-premises, or in other cloud providers. This feature reduces your operational overhead and streamlines server fleet management without the need to spend time navigating through multiple services and consoles. With Fleet Manager, customers can view the health and performance status of their entire server fleet and easily drill down to individual servers to perform common troubleshooting and management tasks. This simplified UI experience can potentially eliminate recurring licensing costs of the expensive management tools you have used before.
In this blog post, I explain some of the server management capabilities that Fleet Manager provides:
- Registry operations: You can view and modify registry values on your Windows servers.
- User administration and security: You can view a list of users with access to a server and change user permissions.
When you deploy a new Amazon EC2 instance with the AWS Systems Manager Agent (SSM Agent) and AWS Identity and Access Management (IAM) instance profile roles, your instance can be auto-discovered and managed through Fleet Manager. If an instance is not discovered by Fleet Manager, follow the steps in setting up AWS Systems Manager in the AWS Systems Manager user guide. You can also use Systems Manager Quick Setup to quickly configure the required permissions.
If you own on-premises servers and virtual machines (VM) in what is called a hybrid environment, follow the steps in setting up AWS Systems Manager for hybrid environments in the AWS Systems Manager user guide. To provide improved security posture of the managed instances, configure AWS Systems Manager to use an interface VPC endpoint. For more information, see use AWS PrivateLink to set up a VPC endpoint for Session Manager in the AWS Systems Manager user guide.
After you have configured the prerequisites, Fleet Manager provides an aggregate view of your server fleet and offers a set of tools that you can use on instances that need attention. Fleet Manager identifies the OS and environment of the selected server and provides a filtered list of applicable actions. You can perform multiple common OS operations on your server, including:
- Explore and tail files.
- Update user access permissions.
- View the CPU and disk utilization metrics.
- Collect and audit logs and change registry values.
It is a common practice for Windows administrators to change Windows registry keys to do things like improve application performance, update limits, or enable debug settings. If the application uses a large fleet of servers and you want to update a server that’s being added to the application workload, Fleet Manager provides a simple UI to make these registry changes. For example, consider a use case where you want to update the time zone persistently on your server to match the scheduled task timing of your critical workloads. You can do this by updating the RealTimeIsUniversal registry key in the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation\TimeZoneKeyName registry path of your server.
Follow these steps to perform this registry operation on your managed Windows instances.
- Sign in to the AWS Systems Manager console, and from the left navigation pane, choose Fleet Manager.
Figure 1: Fleet Manager feature in the AWS Systems Manager console
- On Managed instances, you can view the list of managed instances.
Figure 2: Managed instances
- Choose the Windows instance whose registry key needs to be updated. From Instance actions, choose Manage Windows registry.
Figure 3: Manage Windows registry selected in the console
- Under Windows registry, choose the registry that has the required registry key. To update the time zone registry key, use Fleet Manager to go to the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation\TimeZoneKeyNamepath of your server.
Figure 4: Registry path of managed instance
- On Update registry entry, for Value, enter PST or a timezone of your choice.
Figure 5: Fleet Manager update registry entry
- You can now find the updated registry values as shown in the following picture.
Figure 6: Updated Windows registry value
User administration and security
System administrators must often manage the users and groups and their permissions on instances to make sure that right access control mechanisms are in place. Fleet Manager provides efficient user administration of your managed instances to help your organization follow the principle of least privilege, a security best practice. Consider a use case where you want to provide a new teammate read-only permissions to your production instances.
Follow these steps to use Fleet Manager to create and manage a user.
- In the AWS Systems Manager console, choose the instance where you want to create a new user. In my example, I choose an instance named Fleet_Manager_Linux1.
- From Instance actions, choose Manage users and groups.
Figure 7: Manage users and groups selected from the Instance actions menu
- In Users and groups, choose Create new user.
Figure 8: Local users of managed instance
- On the Create new user page, enter a name and optional description. In my example, for Name, I enter new_user and then select Create a home directory for the new user and Set password.
Figure 9: Create new user page
- After you choose Create new user, enter a password for the new user in the terminal. The terminal session is encrypted. For more information about the encryption of Session Manager data, see enable AWS KMS key encryption of session data in the AWS Systems Manager user guide.
- In Set password for new user, enter and confirm the password, and then choose Done. This creates the new user.
Figure 10: Session for creating new user and password
- Choose the group with the required read-only permissions, and then add the user to the group. In my example, I add new_user to the readonly group.
- On the Groups tab, choose the group, and from Actions, choose Modify group.
Figure 11: Local groups list includes readonly
- On the Modify group: readonly page, from the Group members list, select new_user, and then choose Modify group.
Figure 12: Adding new_user to a group
- The readonly group now includes new_user.
Figure 13: readonly group with new user
With just a few clicks in Fleet Manager, you have simplified the user administration of your managed instances.
You can also run the Fleet Manager operations by using Systems Manager documents (both Command and Sessions documents). These are available with the prefix
Fleet Manager is free of charge on AWS. For servers running on external environments, Fleet Manager follows a tiered pricing model. For more information, see the Systems Manager pricing page.
In this post, I showed how Fleet Manager makes it easy to manage Windows and Linux servers across multiple environments. Fleet Manager provides an intuitive GUI that you can use to perform common operations. For more information about Fleet Manager, see the AWS Systems Manager user guide.
About the Author
Harshitha Putta is a Cloud Infrastructure Architect with AWS Professional Services in Seattle, WA. She is passionate about building innovative solutions using AWS services to help customers achieve their business objectives. She enjoys spending time with family and friends, playing board games and hiking.