Systems Manager and CloudWatch

Important: this lab builds on the components deployed in Config rule with remediation. You will need to deploy the stack from that lab to continue below.

Ensure the CloudWatch agent is installed on instances

Now we will create a State Manager job that will run on a schedule to make sure the latest version of the CloudWatch agent is installed on our instance. State Manager is a secure and scalable configuration management service that ensures your Amazon EC2 and hybrid infrastructure is in an intended or consistent state.

  1. Go to the Systems Manager Console, and on the left side under Actions click on State Manager.
  2. Click on Create Association
  3. Enter CloudWatchAgentInstall as the association name
  4. Under Document, click the radio button next to AWS-ConfigureAWSPackage command
  5. Under Parameters
    • Action: Install
    • Installation type: In-place update
    • Name: AmazonCloudWatchAgent
  6. Under Targets, select Choose instances manually, and then check to select the EC2 instance that you craeted earlier in the lab.
    • If this is not a shared or pre-existing AWS account then there is likely only a single instance in the list
  7. Under Specify schedule
    • Select Radio Button next to CRON schedule builder
    • Enter Every Day at 22:30
  8. Click on Create Association

AWS Config State Manager Association

This association will run every day at 10:30 PM and make sure the latest version of the CloudWatch Agent is installed. We can then run another association to pull down the configuration from the Parameter Store

What did we learn?

  • How to use State Manager to mensure that the CloudWatch agent is installed and up to date
  • We can use State Manager to ensure a certain state of our EC2 instances

Observe the configuration and compliance timelines

We can view the timeline of compliance and configuration changes for resources inside of your AWS environment from directly within the Config console. To do so, follow these steps:

  1. Go to AWS Config, and click on Resources
  2. Select EC2 instance, and then click Lookup
  3. Click into the instance we deployed earlier in this lab, and then click on Configuration timeline:

  1. Observe the timeline, and the changes that occurred - most especially the Changes and Relationships:

  1. Then click on Managed instance information in the right-hand corner to see the integration data between AWS Config and AWS Systems Manager.

Config maintains an internal database of relationships between resources in your environment. This lab only shows the basic interactions you can have with the Config resource database.

Observe the CloudTrail compliance timeline

  1. Go to Config, and then click on Resources, or if you are already within an instance view, click on Compliance timeline

  1. Select EC2 Instance, and then click Lookup

  2. Click into an EC2 instance we deployed in this lab, then click on Compliance timeline

  1. Observe the timeline, and the compliance changes that occurred. Note that every compliance state change as details that are navigable from directly in the console, informing you as to when exactly a resource became non-compliant.

CloudTrail and CloudWatch Logs Insights

Our final step is to use Cloudwatch Logs Insights to investigate the volume of activity created by our work in the lab today. CloudWatch Logs Insights is a powerful query engine that an analyze activity across CloudWatch log groups, and our labs have generated a great deal of activity that we can investigate.

  1. Navigate to the Amazon CloudWatch Logs console, and then from the left-side click on Insights.
  2. Choose the Log Group you want to work with from the drop down, and then select management-tools-week.
  3. Choose to define a relative time for the past three hours.
  4. On the right, click on Queries, then expand Sample queries, CloudTrail, Number of log entries by service, event, and region, and finally click Apply.

CW Insights ManagementToolsWeek/CloudTrail

  1. Click Run query

To limit your search to only activity related to Config, modify your query to reflect this:

fields @message
| filter eventSource = 'config.amazonaws.com'