Server Fleet Management at Scale

Appendix A: Sample Server Fleet

The Server Fleet Management at Scale solution includes a sample server fleet for testing purposes. Deploying this solution with the sample fleet builds the following environment on the AWS Cloud.

Figure 2: Server Fleet Management at Scale with sample fleet

If you choose to deploy the sample servers, the template launches an Amazon Virtual Private Cloud (Amazon VPC) network topology with one public and one private subnet. Four Amazon Elastic Compute Cloud (Amazon EC2) t2.large instances are deployed by an Auto Scaling group in the private subnet, and access the internet through a NAT gateway in the public subnet.

A security group restricts the instances' outbound network access to port 443 and port 80, and an AWS Identity and Access Management (IAM) role allows the instances to interact with AWS Systems Manager to receive commands.

Managing Your Fleet

Once the AWS CloudFormation template is deployed, you can test the solution with this sample scenario for managing your fleet of instances.

View Managed Instances

1. Sign in to the AWS Management Console, navigate to the AWS Systems Manager service, and select Managed Instances.

2. Select any Instance ID, and verify in the Associations tab that the AWS Systems Manager documents ManageInspectorAgent and GatherSoftwareInventory have been applied to your instances.

Run Amazon Inspector

This solution creates a daily Amazon Inspector schedule that runs an assessment against a target of specially tagged instances using all available rules packages. Use this procedure to run the assessment manually.

1. In the console, navigate to the Amazon Inspector Console.

2. Select Assessment templates, and select the Sample Fleet.

3. Click Run.

4. Select the Assessment runs link on the left to view the progress of the assessment.

The assessment is configured to run for 15 minutes. When it completes, an Amazon Simple Notification Service (Amazon SNS) notification is sent to subscribed users containing the Systems Manager inventory of findings for each affected instance.

5. After the assessment run completes, navigate to the AWS Systems Manager service, and select Managed Instances.

6. Select any Instance ID, and select the Inventory tab.

7. To view Amazon Inspector agent high severity findings, in the Inventory type drop-down, select Custom:InspectorFindings.

Note that you can extend the inventory of managed instances and create a custom inventory for the Amazon Inspector findings.
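The following is an added example, not code from the solution, showing how Amazon Inspector findings can be turned into the Custom:InspectorFindings inventory type that the steps above read from the Inventory tab. It groups findings by the instance the Inspector agent reported them from, converts every attribute to a string as SSM inventory requires, and builds one PutInventory argument set per instance. The findings are a constructed, abridged sample in the shape returned by the Inspector Classic DescribeFindings API; instance IDs, finding IDs and the rules-package ARN are placeholders, and the function names are mine.

```python
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of what Inspector (Classic) describe_findings returns,
# abridged to the fields used below. IDs and the rules-package ARN are placeholders.
SAMPLE_FINDINGS = [
    {"id": "finding-1", "severity": "High", "numericSeverity": 9.0,
     "title": "Kernel package has known vulnerabilities",
     "assetAttributes": {"agentId": "i-0aaaaaaaaaaaaaaa1"},
     "serviceAttributes": {"rulesPackageArn": "arn:aws:inspector:REGION:ACCOUNT:rulespackage/EXAMPLE"}},
    {"id": "finding-2", "severity": "Medium", "numericSeverity": 6.0,
     "title": "Network reachability: port 80 open to the NAT gateway",
     "assetAttributes": {"agentId": "i-0aaaaaaaaaaaaaaa1"},
     "serviceAttributes": {"rulesPackageArn": "arn:aws:inspector:REGION:ACCOUNT:rulespackage/EXAMPLE"}},
    {"id": "finding-3", "severity": "High", "numericSeverity": 8.5,
     "title": "OpenSSL package has known vulnerabilities",
     "assetAttributes": {"agentId": "i-0bbbbbbbbbbbbbbb2"},
     "serviceAttributes": {"rulesPackageArn": "arn:aws:inspector:REGION:ACCOUNT:rulespackage/EXAMPLE"}},
    # A finding with no agent id cannot be tied to a managed instance and is skipped.
    {"id": "finding-4", "severity": "Low", "numericSeverity": 3.0,
     "title": "Informational finding without an agent", "assetAttributes": {}},
]

INVENTORY_TYPE = "Custom:InspectorFindings"  # custom inventory types must start with "Custom:"
SCHEMA_VERSION = "1.0"


def findings_by_instance(findings):
    """Group findings by the EC2 instance the Inspector agent reported them from."""
    grouped = defaultdict(list)
    for finding in findings:
        instance_id = finding.get("assetAttributes", {}).get("agentId")
        if not instance_id:
            continue
        grouped[instance_id].append({
            # SSM inventory content values must all be strings.
            "FindingId": finding["id"],
            "Severity": finding["severity"],
            "NumericSeverity": str(finding.get("numericSeverity", "")),
            "Title": finding["title"],
            "RulesPackageArn": finding.get("serviceAttributes", {}).get("rulesPackageArn", ""),
        })
    return dict(grouped)


def content_hash(content):
    """Deterministic MD5 over the content; SSM uses ContentHash to skip unchanged items."""
    return hashlib.md5(json.dumps(content, sort_keys=True).encode()).hexdigest()


def put_inventory_requests(findings, capture_time=None):
    """Return one ssm.put_inventory(**kwargs) argument dict per instance."""
    capture_time = capture_time or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    requests = []
    for instance_id, content in sorted(findings_by_instance(findings).items()):
        requests.append({
            "InstanceId": instance_id,
            "Items": [{
                "TypeName": INVENTORY_TYPE,
                "SchemaVersion": SCHEMA_VERSION,
                "CaptureTime": capture_time,
                "ContentHash": content_hash(content),
                "Content": content,
            }],
        })
    return requests


def high_severity_counts(findings):
    """Per-instance count of High findings, the number the console view is used to compare."""
    return {instance_id: sum(1 for entry in content if entry["Severity"] == "High")
            for instance_id, content in findings_by_instance(findings).items()}


if __name__ == "__main__":
    # Uploading would be: boto3.client("ssm").put_inventory(**req) for each request.
    for req in put_inventory_requests(SAMPLE_FINDINGS):
        print(json.dumps(req, indent=2))
    print(high_severity_counts(SAMPLE_FINDINGS))
```

Before and after a patch run, comparing the output of high_severity_counts for the same instance set gives the same "fewer high severity findings" check that the console procedure performs by hand.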

Remediate the Amazon Inspector Findings

If Amazon Inspector reports any findings, they are remediated in the next maintenance window. You can also manually update the maintenance window schedule to remediate the findings sooner.

1. In the AWS Systems Manager console, under Actions, select Maintenance Windows.

2. Select the fleet-wide-weekly-patching maintenance window.

3. Select Edit, and navigate to the Schedule pane.

4. Select Cron schedule builder.

5. In the Window starts section, select the Every Day radio button, enter a time in the near future, and select Save Changes.

This runs the maintenance window at the time you specify. Note that the time must be entered in coordinated universal time (UTC) in 24-hour format, so adjust it for your time zone. For example, to run the maintenance window at 12:30 p.m. Eastern Standard Time (UTC-5), enter 17:30; during daylight saving time (UTC-4) the same local time is 16:30 UTC.

6. Select the linked Window ID, and select the History tab to verify that the task was triggered. The task should show as In Progress.

The time it takes to complete the task will depend on the number of instances that are being patched and the size of the patches applied. For the sample fleet, the task can take up to 30 minutes to complete.

7. Navigate to the Amazon Inspector console to verify that the patches were applied to the targeted instances by running the assessment again.

8. Select Assessment templates, and select the Sample Fleet.

9. Click Run.

10. Select the Assessment runs link on the left to view the progress of the assessment.

11. After the assessment run completes, navigate to the AWS Systems Manager console, and select Managed Instances.

12. Select any Instance ID, and select the Inventory tab.

13. In the Inventory type drop-down, select Custom:InspectorFindings.

The number of high severity findings should be fewer than in the initial assessment run.
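The UTC conversion in the schedule step of this procedure is easy to get wrong by an hour across daylight saving time, and a weekly window such as fleet-wide-weekly-patching can land on a different weekday once the conversion crosses midnight. This added example, which is not code from the solution, computes the Systems Manager cron() expression for a daily or weekly window from a local time and a caller-supplied UTC offset, validates the six-field format, and builds the arguments for the UpdateMaintenanceWindow API. The function names are mine, and the offset is passed in rather than looked up from a time-zone database. Maintenance windows also accept a ScheduleTimezone in IANA format, which lets the service do this conversion instead; the kwargs builder below sets it to UTC to match the console procedure.

```python
import re
from datetime import datetime, timedelta

DAYS = ["SUN", "MON", "TUE", "WED", "THU", "FRI", "SAT"]
# Systems Manager cron(): minutes hours day-of-month month day-of-week year
SSM_CRON = re.compile(r"^cron\((\S+) (\S+) (\S+) (\S+) (\S+) (\S+)\)$")


def _to_utc(local_hhmm, utc_offset_hours, weekday=None):
    """Convert a local HH:MM (and optional weekday) to UTC hour, minute, weekday index."""
    hour, minute = (int(part) for part in local_hhmm.split(":"))
    if not (0 <= hour < 24 and 0 <= minute < 60):
        raise ValueError(f"bad time {local_hhmm!r}")
    # 2000-01-02 was a Sunday; the date only matters for the weekday roll-over.
    day_index = DAYS.index(weekday.upper()) if weekday else 0
    local = datetime(2000, 1, 2 + day_index, hour, minute)
    utc = local - timedelta(hours=utc_offset_hours)   # local = UTC + offset
    day_shift = (utc.date() - local.date()).days
    return utc.hour, utc.minute, (day_index + day_shift) % 7


def daily_window_cron(local_hhmm, utc_offset_hours):
    """Cron expression for a window that starts every day at the given local time."""
    hour, minute, _ = _to_utc(local_hhmm, utc_offset_hours)
    return f"cron({minute} {hour} ? * * *)"


def weekly_window_cron(local_hhmm, weekday, utc_offset_hours):
    """Cron expression for a weekly window; the weekday is shifted if UTC crosses midnight."""
    hour, minute, day_index = _to_utc(local_hhmm, utc_offset_hours, weekday)
    return f"cron({minute} {hour} ? * {DAYS[day_index]} *)"


def validate_ssm_cron(expr):
    """Check the six-field form and the rule that day-of-month or day-of-week is '?'."""
    match = SSM_CRON.match(expr)
    if not match:
        raise ValueError(f"not a six-field cron() expression: {expr!r}")
    minute, hour, dom, month, dow, year = match.groups()
    if "?" not in (dom, dow):
        raise ValueError("one of day-of-month and day-of-week must be '?'")
    return match.groups()


def update_window_kwargs(window_id, schedule):
    """Arguments for boto3 ssm.update_maintenance_window(**kwargs); window_id is a placeholder."""
    validate_ssm_cron(schedule)
    return {"WindowId": window_id, "Schedule": schedule, "ScheduleTimezone": "UTC"}


if __name__ == "__main__":
    # 12:30 p.m. Eastern is 17:30 UTC in winter (UTC-5) and 16:30 UTC in summer (UTC-4).
    print(daily_window_cron("12:30", -5), daily_window_cron("12:30", -4))
    # A Sunday 21:00 window at UTC-4 is already Monday in UTC.
    print(weekly_window_cron("21:00", "SUN", -4))
    print(update_window_kwargs("mw-EXAMPLE", daily_window_cron("12:30", -5)))
```

To apply the schedule, pass the returned dict to boto3's update_maintenance_window; the validation step rejects the common mistake of putting * in both day fields, which the service refuses.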
