Systems Manager
Session Manager, Parameter Store, Patch Manager.
AWS Systems Manager (SSM) is the operational Swiss army knife for managing fleets — access, configuration, patching, and secrets — without SSH keys, bastions, or manual toil. A DevOps engineer leans on it constantly.
Access and configuration without keys
Session Manager gives auditable shell access to instances through the SSM agent and IAM, with no SSH keys and no inbound ports open to the internet — removing a whole class of exposure and producing a logged session record. Run Command executes commands across many instances at once (targeting by tag), and State Manager continuously enforces a desired configuration so instances converge and stay converged, reducing drift. Parameter Store holds configuration and secrets (as encrypted SecureString values) that applications and pipelines fetch at runtime via IAM — so nothing sensitive is hardcoded. Together these replace bastions, key sprawl, and hand-configured servers with managed, auditable operations.
# Shell into an instance with NO SSH key and NO open port — logged via IAM.aws ssm start-session --target i-0abc123# Run a command across every instance tagged Role=web, at once.aws ssm send-command --document-name "AWS-RunShellScript" \--targets Key=tag:Role,Values=web --parameters commands=["systemctl restart nginx"]# Read config/secret at runtime (SecureString decrypted by KMS via the role):aws ssm get-parameter --name /prod/db/password --with-decryption
Patching and operational scale
Patch Manager automates OS patching across the fleet on a schedule using patch baselines, so keeping hundreds of instances current is a policy, not a person’s weekend. Combined with maintenance windows, tag-based targeting, and compliance reporting, it makes patch compliance measurable and continuous. The unifying theme of SSM is removing manual, error-prone operations: keyless auditable access, tag-targeted fleet commands, enforced desired state, centralized config/secrets, and automated patching. This is what lets a small DevOps team operate a large estate consistently — every action is repeatable, IAM-scoped, and logged, which is exactly the operational excellence the professional level expects.