AWS Services

AWS Systems Manager

Understand Systems Manager as an AWS operations hub, including Session Manager, Run Command, Parameter Store, Patch Manager, Automation, and managed instances.

Foundation | 6 min read | Updated 2026-06-02 | Cloud, Certification, Operations, Security

Key terms: Managed Instance, SSM Agent, Session Manager, Run Command, Parameter Store, Patch Manager, Automation

After this, you will understand

Systems Manager is the AWS operations layer that lets teams manage instances and configuration without turning SSH into the control plane.

Plain version

Systems Manager helps operate AWS resources through sessions, commands, automation, patching, inventory, and parameter storage.

Decision pressure

Learners open SSH to every instance and miss Session Manager, Run Command, IAM-based access, logging, and private endpoint patterns.

Exam-ready model

Use Systems Manager to manage instances through IAM and agents, then log sessions, patch fleets, store parameters, and automate repeatable operations.

Think before reading: Why is Session Manager often better than opening SSH to the internet?

It uses IAM-controlled sessions without inbound SSH exposure, and sessions can be logged and audited.

Concepts Covered

  • AWS Systems Manager
  • Managed instances
  • SSM Agent
  • Session Manager
  • Run Command
  • Parameter Store
  • Patch Manager
  • Automation documents
  • Inventory
  • SAA-C03 operations traps

1. Plain-English Mental Model

AWS Systems Manager is an operations hub for managing AWS resources, especially EC2 instances and hybrid servers.

It helps you connect to instances, run commands, automate operational tasks, patch operating systems, collect inventory, and store configuration parameters.

The simple model is:

managed instance + SSM Agent + IAM role -> Systems Manager operations

Systems Manager is not one feature. It is a family of operational capabilities. For SAA-C03, the most visible pieces are Session Manager, Run Command, Parameter Store, Patch Manager, and Automation.

The big architectural shift is this: you do not need inbound SSH or RDP open to the internet just to operate instances.

2. Why This Service Exists

Traditional server operations rely heavily on direct login.

Engineers open SSH, copy scripts, inspect files, restart services, patch packages, and make emergency changes. That becomes risky in AWS because every public admin port is a potential attack path. It also scales poorly across hundreds of instances.

Systems Manager exists to make operations more controlled, auditable, and automatable.

Session Manager allows shell access through the AWS control plane using IAM. Run Command executes commands across instances without logging in manually. Patch Manager helps patch fleets. Automation documents encode repeatable workflows. Parameter Store stores configuration values and secure strings.

For the exam, Systems Manager appears when a question says "connect to private EC2 without SSH", "run commands on many instances", "patch instances", "store configuration parameters", "avoid bastion hosts", or "manage instances at scale."

3. The Naive Approach And Where It Breaks

The naive pattern is a bastion host and open SSH:

admin laptop -> bastion host -> private EC2

This can be designed securely, but it adds host management, key management, network exposure, logging complexity, and operational overhead.

An even worse pattern opens SSH or RDP directly to every instance from the internet. Security groups may start narrow but drift wider. Keys are copied between people. Session logs may not exist.

Another naive pattern patches instances manually. It works until the fleet grows, maintenance windows are missed, and no one knows which instances are compliant.

Systems Manager reduces these problems by using agents, IAM, documents, and managed APIs.

4. Core Primitives

A managed instance is an EC2 instance, on-premises server, or VM configured for Systems Manager.

The SSM Agent runs on the managed instance and communicates with Systems Manager.

The instance profile grants the instance permission to communicate with Systems Manager services.

Session Manager starts interactive shell sessions without opening inbound ports.

Run Command executes commands or scripts across one or many managed instances.

Parameter Store stores configuration data and secrets as String, StringList, or SecureString parameters.

Patch Manager automates patching. Automation uses documents to run repeatable operational workflows.

VPC interface endpoints can let private instances use Systems Manager without internet or NAT.

5. Architecture Use Cases

Use Session Manager for administrative access to private EC2 instances:

operator -> IAM-authenticated SSM session -> private EC2 instance

Use Run Command to run scripts across a fleet, such as checking service status or rotating local configuration.

Use Patch Manager to apply operating system patches during maintenance windows.

Use Parameter Store for application configuration values, especially non-secret configuration or lower-cost secure strings.

Use Automation documents for repeatable tasks such as AMI creation, instance remediation, or operational runbooks.

Use Inventory to collect software and configuration details for fleet visibility.

7. Security Model

Systems Manager security depends on IAM, instance roles, agent trust, and logging.

Operators need IAM permission to start sessions or run commands. Instances need an IAM role that allows communication with Systems Manager.

Session Manager can log session activity to CloudWatch Logs or S3. This is a major improvement over unmanaged SSH.

Use VPC endpoints for private instances that should not use NAT or public internet paths for Systems Manager traffic.

Restrict documents and commands that operators can run. Permission to run arbitrary shell commands can be highly privileged.

Parameter Store SecureString values are encrypted with KMS, so a caller needs KMS permission to decrypt them in addition to permission to read the parameter.

8. Reliability And Resilience

Systems Manager improves operations by reducing dependency on bastion hosts and manual scripts.

However, it depends on SSM Agent health, IAM role configuration, network access to Systems Manager endpoints, and service availability in the Region.

If agents are stopped or outdated, instances may not be manageable.

If VPC endpoints are missing in a locked-down VPC, private instances may fail to connect to Systems Manager.

Use automation carefully. A bad Run Command can affect many instances quickly.

Keep break-glass access patterns for cases where Systems Manager itself is unavailable, but avoid making insecure paths normal.

9. Performance And Scaling

Systems Manager is designed for fleet operations, but commands and automation should be scoped.

Target instances by tags, resource groups, or explicit IDs. Avoid running broad commands accidentally.

Run Command concurrency and error thresholds help control blast radius.

Patch Manager can use maintenance windows to avoid patching everything at once.

Parameter Store has throughput considerations. High-frequency secret retrieval may need caching or Secrets Manager depending on use case.

Automation documents should be modular and tested before wide use.
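The session-logging point in section 7 and the scoping and blast-radius controls in section 9 can both be checked from the audit trail. The following is an added example, not code from this page or from AWS: it scans constructed CloudTrail records for Systems Manager API calls and flags SendCommand calls that target every managed instance, omit concurrency and error limits, or send no output to CloudWatch Logs or S3. The requestParameters key names are assumed to follow CloudTrail's camelCase form of the SSM API; verify them against your own records before relying on the checks.

```python
"""Added example (not the page's or AWS's code): audit Systems Manager API calls."""
# Constructed sample CloudTrail records, not real account data; request-parameter
# key names are assumed to follow CloudTrail's camelCase form of the SSM API.
SAMPLE_EVENTS = [
    {"eventName": "StartSession", "eventSource": "ssm.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"target": "i-0123456789abcdef0"}},
    {"eventName": "SendCommand", "eventSource": "ssm.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops-deploy"},
     "requestParameters": {"documentName": "AWS-RunShellScript",
                           "targets": [{"key": "tag:Role", "values": ["web"]}],
                           "maxConcurrency": "10%", "maxErrors": "1",
                           "cloudWatchOutputConfig": {"cloudWatchOutputEnabled": True}}},
    {"eventName": "SendCommand", "eventSource": "ssm.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"documentName": "AWS-RunShellScript",
                           "targets": [{"key": "InstanceIds", "values": ["*"]}]}},
]
SHELL_DOCS = {"AWS-RunShellScript", "AWS-RunPowerShellScript"}

def audit_send_command(event):
    """Findings for one SendCommand record; an empty list means it looks scoped."""
    req = event.get("requestParameters") or {}
    who = event.get("userIdentity", {}).get("arn", "<unknown>")
    findings = []
    # Key=InstanceIds,Values=* is the documented way to target every managed instance.
    if any(t.get("key") == "InstanceIds" and "*" in t.get("values", [])
           for t in req.get("targets") or []):
        findings.append(f"{who}: SendCommand targets every managed instance")
    if "maxConcurrency" not in req or "maxErrors" not in req:
        findings.append(f"{who}: no maxConcurrency/maxErrors, so no blast-radius limit")
    cw_on = (req.get("cloudWatchOutputConfig") or {}).get("cloudWatchOutputEnabled")
    if not cw_on and not req.get("outputS3BucketName"):
        findings.append(f"{who}: command output not sent to CloudWatch Logs or S3")
    if req.get("documentName") in SHELL_DOCS and findings:
        findings.append(f"{who}: arbitrary shell document run with weak controls")
    return findings

def audit_ssm_events(events):
    """Audit CloudTrail records; return (sessions started, findings)."""
    sessions, findings = [], []
    for ev in events:
        if ev.get("eventSource") != "ssm.amazonaws.com":
            continue
        if ev.get("eventName") == "StartSession":
            sessions.append((ev.get("userIdentity", {}).get("arn", "<unknown>"),
                             ev.get("requestParameters", {}).get("target")))
        elif ev.get("eventName") == "SendCommand":
            findings.extend(audit_send_command(ev))
    return sessions, findings
```

Running audit_ssm_events over the sample records lists alice's session and produces four findings for bob's wildcard command while the tag-scoped, rate-limited, logged command from ops-deploy produces none.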

10. Cost Model

Many Systems Manager capabilities have no additional charge for standard AWS resource use, but advanced features, higher parameter tiers, OpsCenter, Incident Manager, or related services can have costs depending on configuration.

Parameter Store standard parameters are a common low-cost configuration option. Advanced parameters and high-throughput use can cost more.

VPC endpoints add interface endpoint hourly and data processing charges.

Systems Manager can reduce cost by removing bastion hosts and manual operations.

Cost should include operational risk: unmanaged SSH and manual patching can be far more expensive during incidents.

12. SAA-C03 Exam Signals

"Connect to private EC2 without SSH or bastion" points to Session Manager.

"Run a command across many EC2 instances" points to Run Command.

"Patch a fleet of instances" points to Patch Manager.

"Store configuration values" can point to Parameter Store.

"SecureString parameter" points to Parameter Store with KMS.

"Private instances need Systems Manager without NAT" points to interface VPC endpoints.

"Automate operational runbooks" points to Systems Manager Automation.

13. Common Exam Traps

Do not open SSH to the world when Session Manager fits.

Do not forget the SSM Agent and instance profile.

Do not assume private instances can reach Systems Manager without internet, NAT, or VPC endpoints.

Do not confuse Parameter Store with Secrets Manager rotation features.

Do not give every operator permission to run arbitrary commands everywhere.

Do not forget session logging if audit matters.

Review Amazon EC2, VPC Endpoints And PrivateLink, Amazon CloudWatch, and AWS Secrets Manager.
