Server Fleet Management at Scale

Architecture Overview

Deploying this solution builds the following environment in the AWS Cloud.

Figure 1: Server Fleet Management at Scale architecture

The AWS CloudFormation template deploys AWS Systems Manager, Amazon Inspector, an Amazon Simple Storage Service (Amazon S3) bucket, an AWS Key Management Service (AWS KMS) key, an AWS Identity and Access Management (IAM) role, an Amazon CloudWatch event, an AWS Lambda function, and an Amazon Simple Notification Service (Amazon SNS) topic.

Systems Manager specifies patch compliance thresholds, defines the schedule on which patching tasks run, and defines the Systems Manager associations used to periodically ensure that servers remain in compliance with established configurations. Systems Manager artifacts, including patching and server execution histories and inventories, are stored in the Amazon S3 bucket and encrypted with an AWS KMS key.

A CloudWatch event triggers Amazon Inspector to run daily security assessments on your fleet of Amazon Elastic Compute Cloud (Amazon EC2) instances. Amazon Inspector defines the rules packages for assessments and identifies the target Amazon EC2 instances for assessment runs. When the assessment is complete, Amazon Inspector publishes a message to an Amazon SNS topic that has two subscribers: an AWS Lambda function and the provided email address. The function then queries Amazon Inspector for the agent IDs of the agents within the assessment run, and sends a message for each agent ID to a second Amazon SNS topic. A second Lambda function receives a notification for each agent ID, queries Amazon Inspector for that agent's findings, sorts them by vulnerability, and updates the Systems Manager Inventory data for the instance under management. Note that the maximum number of agents that can be included in the assessment target of an assessment run is 500.
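The second Lambda step above (one agent ID in, that agent's Inspector findings grouped by severity, written to Systems Manager Inventory) as an added Python example; this is not the solution's own function code. It assumes the first function publishes a JSON message carrying `assessmentRunArn` and `agentId`, uses a made-up custom inventory type `Custom:InspectorFindings`, and takes injectable clients so the logic runs offline.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Assumed custom inventory type name; any name with the "Custom:" prefix works with PutInventory.
INVENTORY_TYPE = "Custom:InspectorFindings"
SEVERITIES = ("High", "Medium", "Low", "Informational", "Undefined")

def parse_agent_message(event):
    """Pull (assessmentRunArn, agentId) out of the SNS envelope Lambda receives.
    The message body layout is an assumption about what the first function publishes."""
    body = json.loads(event["Records"][0]["Sns"]["Message"])
    return body["assessmentRunArn"], body["agentId"]

def count_findings_by_severity(inspector, run_arn, agent_id):
    """List every finding for one agent in one run (paginated), then describe them
    in batches of 10 (the DescribeFindings limit) and tally them by severity."""
    arns, kwargs = [], {"assessmentRunArns": [run_arn], "filter": {"agentIds": [agent_id]}}
    while True:
        page = inspector.list_findings(**kwargs)
        arns.extend(page.get("findingArns", []))
        if not page.get("nextToken"):
            break
        kwargs["nextToken"] = page["nextToken"]
    counts = Counter({s: 0 for s in SEVERITIES})  # keep zero rows so inventory columns are stable
    for i in range(0, len(arns), 10):
        for f in inspector.describe_findings(findingArns=arns[i:i + 10])["findings"]:
            counts[f.get("severity", "Undefined")] += 1
    return counts

def build_inventory_item(run_arn, counts, capture_time):
    """Shape one custom inventory item; SSM requires string values in Content."""
    content = {"AssessmentRunArn": run_arn, "TotalFindings": str(sum(counts.values()))}
    content.update({s: str(counts[s]) for s in SEVERITIES})
    return {"TypeName": INVENTORY_TYPE, "SchemaVersion": "1.0",
            "CaptureTime": capture_time, "Content": [content]}

def handler(event, context, inspector=None, ssm=None):
    """Lambda entry point; in Inspector Classic the agent ID is the EC2 instance ID, so it doubles as the inventory InstanceId."""
    if inspector is None or ssm is None:
        import boto3  # real clients only outside tests
        inspector, ssm = inspector or boto3.client("inspector"), ssm or boto3.client("ssm")
    run_arn, agent_id = parse_agent_message(event)
    counts = count_findings_by_severity(inspector, run_arn, agent_id)
    capture_time = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    item = build_inventory_item(run_arn, counts, capture_time)
    ssm.put_inventory(InstanceId=agent_id, Items=[item])
    return item
```

The custom type can then be queried with `aws ssm list-inventory-entries --instance-id <id> --type-name Custom:InspectorFindings`, which is how a fleet-wide roll-up of open findings per instance becomes visible in Systems Manager Inventory.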

This solution is designed to allow you to use your own server fleet, but it also includes a sample server fleet you can deploy for testing purposes. For more information, see Appendix A.