Organizations manage an increasingly diverse IT infrastructure, one that spans cloud and on-premises environments and uses different tools and services. Managing these diverse hybrid environments can be complicated and resource-intensive. Fleet Manager, a new feature in AWS Systems Manager, makes it easy and cost-effective to remotely manage Windows and Linux servers running across AWS, on-premises, or in other cloud providers. This feature reduces your operational overhead and streamlines server fleet management without the need to spend time navigating through multiple services and consoles. With Fleet Manager, customers can view the health and performance status of their entire server fleet and easily drill down to individual servers to perform common troubleshooting and management tasks. This simplified UI experience can potentially eliminate recurring licensing costs of the expensive management tools you have used before.

Solution overview

In this blog post, I explain some of the server management capabilities that Fleet Manager provides:

  • Registry operations: You can view and modify registry values on your Windows servers.
  • User administration and security: You can view a list of users with access to a server and change user permissions.

Prerequisites

When you deploy a new Amazon EC2 instance with the AWS Systems Manager Agent (SSM Agent) and AWS Identity and Access Management (IAM) instance profile roles, your instance can be auto-discovered and managed through Fleet Manager. If an instance is not discovered by Fleet Manager, follow the steps in setting up AWS Systems Manager in the AWS Systems Manager user guide. You can also use Systems Manager Quick Setup to quickly configure the required permissions.

If you own on-premises servers and virtual machines (VM) in what is called a hybrid environment, follow the steps in setting up AWS Systems Manager for hybrid environments in the AWS Systems Manager user guide. To provide improved security posture of the managed instances, configure AWS Systems Manager to use an interface VPC endpoint. For more information, see use AWS PrivateLink to set up a VPC endpoint for Session Manager in the AWS Systems Manager user guide.

After you have configured the prerequisites, Fleet Manager provides an aggregate view of your server fleet and offers a set of tools that you can use on instances that need attention. Fleet Manager identifies the OS and environment of the selected server and provides a filtered list of applicable actions. You can perform multiple common OS operations on your server, including:

  • Explore and tail files.
  • Update user access permissions.
  • View the CPU and disk utilization metrics.
  • Collect and audit logs and change registry values.

Registry operations

It is a common practice for Windows administrators to change Windows registry keys to do things like improve application performance, update limits, or enable debug settings. If the application uses a large fleet of servers and you want to update a server that’s being added to the application workload, Fleet Manager provides a simple UI to make these registry changes. For example, consider a use case where you want to update the time zone persistently on your server to match the scheduled task timing of your critical workloads. You can do this by updating the RealTimeIsUniversal registry key in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation\TimeZoneKeyName registry path of your server.

Follow these steps to perform this registry operation on your managed Windows instances.

  1. Sign in to the AWS Systems Manager console, and from the left navigation pane, choose Fleet Manager.
    Fleet Manager is displayed in the left navigation pane under Node Management.

    Figure 1: Fleet Manager feature in the AWS Systems Manager console

  2. On Managed instances, you can view the list of managed instances.

    Managed instances displays a list of instances and their details, including instance name, SSM Agent ping status, operating system, and SSM Agent version.Figure 2: Managed instances

  3. Choose the Windows instance whose registry key needs to be updated. From Instance actions, choose Manage Windows registry.

    The Fleet_Manager_Windows instance is selected. Manage Windows registry is selected from the Instance actions menu.Figure 3: Manage Windows registry selected in the console

  4. Under Windows registry, choose the registry that has the required registry key. To update the time zone registry key, use Fleet Manager to go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation\TimeZoneKeyName path of your server.

    Under Windows registry, TimeZoneKeyName is selected. It has a registry type of String and a registry value of UTC. Figure 4: Registry path of managed instance

  5. On Update registry entry, for Value, enter PST or a timezone of your choice.

    On Update registry entry, the value of TimeZoneInformation registry entry is set to PST.Figure 5: Fleet Manager update registry entry

  6. You can now find the updated registry values as shown in the following picture.

    The updated TimeZoneKeyName regsitry value is now PST.Figure 6: Updated Windows registry value

User administration and security

System administrators must often manage the users and groups and their permissions on instances to make sure that right access control mechanisms are in place. Fleet Manager provides efficient user administration of your managed instances to help your organization follow the principle of least privilege, a security best practice. Consider a use case where you want to provide a new teammate read-only permissions to your production instances.

Follow these steps to use Fleet Manager to create and manage a user.

  1. In the AWS Systems Manager console, choose the instance where you want to create a new user. In my example, I choose an instance named Fleet_Manager_Linux1.
  2. From Instance actions, choose Manage users and groups.

    Under Managed instances, the Fleet_Manager_Linux1 instance is selected.Figure 7: Manage users and groups selected from the Instance actions menu

  3. In Users and groups, choose Create new user.

    Local users displayed for the selected managed instance. The list includes columns for user, user ID, group ID, Gecos comments, home directory, and shell.Figure 8: Local users of managed instance

  4. On the Create new user page, enter a name and optional description. In my example, for Name, I enter new_user and then select Create a home directory for the new user and Set password.

    On the Create new user page, new_user is displayed in the Name field. In the Description field, the displayed text reads, "User with read only access to application files on the server."Figure 9: Create new user page

  5. After you choose Create new user, enter a password for the new user in the terminal. The terminal session is encrypted. For more information about the encryption of Session Manager data, see enable AWS KMS key encryption of session data in the AWS Systems Manager user guide.
  6. In Set password for new user, enter and confirm the password, and then choose Done. This creates the new user.

    In Set password for new user, the user has been created and indicates that all authentication tokens have been updated successfully.Figure 10: Session for creating new user and password

  7. Choose the group with the required read-only permissions, and then add the user to the group. In my example, I add new_user to the readonly group.
  8. On the Groups tab, choose the group, and from Actions, choose Modify group.

    Under Local groups, there is a ist of OS groups in the managed instance. The readonly group has 8 members.Figure 11: Local groups list includes readonly

  9. On the Modify group: readonly page, from the Group members list, select new_user, and then choose Modify group.

    new_user is selected from the Group members list. Figure 12: Adding new_user to a group

  10. The readonly group now includes new_user.

    Under Local groups, the readonly group now has 9 members. A success message indicates the group has been successfully modified.Figure 13: readonly group with new user

With just a few clicks in Fleet Manager, you have simplified the user administration of your managed instances.

You can also run the Fleet Manager operations by using Systems Manager documents (both Command and Sessions documents). These are available with the prefix AWSFleetManager-*.

Cleanup

Fleet Manager is free of charge on AWS. For servers running on external environments, Fleet Manager follows a tiered pricing model. For more information, see the Systems Manager pricing page.

Conclusion

In this post, I showed how Fleet Manager makes it easy to manage Windows and Linux servers across multiple environments. Fleet Manager provides an intuitive GUI that you can use to perform common operations. For more information about Fleet Manager, see the AWS Systems Manager user guide.

About the Author

Webp.net resizeimage

Harshitha Putta is a Cloud Infrastructure Architect with AWS Professional Services in Seattle, WA. She is passionate about building innovative solutions using AWS services to help customers achieve their business objectives. She enjoys spending time with family and friends, playing board games and hiking.