CoursesAWS DevOps Engineer ProfessionalConfiguration & automation

Systems Manager

Session Manager, Parameter Store, Patch Manager.

Intermediate30 min · lesson 7 of 15

AWS Systems Manager (SSM) is the operational Swiss army knife for managing fleets — access, configuration, patching, and secrets — without SSH keys, bastions, or manual toil. A DevOps engineer leans on it constantly.

Access and configuration without keys

Session Manager gives auditable shell access to instances through the SSM agent and IAM, with no SSH keys and no inbound ports open to the internet — removing a whole class of exposure and producing a logged session record. Run Command executes commands across many instances at once (targeting by tag), and State Manager continuously enforces a desired configuration so instances converge and stay converged, reducing drift. Parameter Store holds configuration and secrets (as encrypted SecureString values) that applications and pipelines fetch at runtime via IAM — so nothing sensitive is hardcoded. Together these replace bastions, key sprawl, and hand-configured servers with managed, auditable operations.

keyless access and fleet commands
# Shell into an instance with NO SSH key and NO open port — logged via IAM.
aws ssm start-session --target i-0abc123
# Run a command across every instance tagged Role=web, at once.
aws ssm send-command --document-name "AWS-RunShellScript" \
--targets Key=tag:Role,Values=web --parameters commands=["systemctl restart nginx"]
# Read config/secret at runtime (SecureString decrypted by KMS via the role):
aws ssm get-parameter --name /prod/db/password --with-decryption

Patching and operational scale

Patch Manager automates OS patching across the fleet on a schedule using patch baselines, so keeping hundreds of instances current is a policy, not a person’s weekend. Combined with maintenance windows, tag-based targeting, and compliance reporting, it makes patch compliance measurable and continuous. The unifying theme of SSM is removing manual, error-prone operations: keyless auditable access, tag-targeted fleet commands, enforced desired state, centralized config/secrets, and automated patching. This is what lets a small DevOps team operate a large estate consistently — every action is repeatable, IAM-scoped, and logged, which is exactly the operational excellence the professional level expects.

Systems Manager capabilities
access + config
Session Manager
keyless, auditable shell
Run/State Manager
fleet commands, desired state
Parameter Store
config + secrets via IAM
maintain
Patch Manager
scheduled patching + compliance
Automation runbooks
codified ops procedures
SSM replaces bastions, key sprawl, and manual config with managed, tag-targeted, IAM-scoped, logged operations.
Session Manager removes the need for SSH bastions and open ports
Maintaining SSH bastions, key pairs, and inbound 22 rules is both operational overhead and attack surface. Use Session Manager for shell access — it needs no keys and no open ports, authorizes via IAM, and logs every session — closing a common intrusion path while simplifying operations.