ā²ļø Schedule AWS SSM Runbooks šŸ“š

Set it and forget it with AWS EventBridge Scheduler SSM Automation

Good day. This is Unlimited Leave, the AWS Governance and Automation newsletter that shares resources to deploy in your environment(s). Then you forget they are there and your settings keep getting overwritten.

This week's topics

  • Automated SSM Runbooks for Anything

  • Recent Announcements

  • Visualize, Inventory, and Map your Resources with Workload Discovery

Automated SSM Runbooks for Anything

Do you ever know you could do something if the need arises but never actually do it?

Well, this week was one of those times.

I finally had a need to create something I figured I could. I've created AWS EventBridge Rules. I've also created custom SSM Automation Docs. I've never paired them together to remediate an open issue with just a few clicks.

Automation is great. You can find dozens of ways to run pretty much anything in AWS.

Here is a CloudFormation solution that schedules the (re)enabling of EBS encryption by default every 24 hours. Right now there is no reason not to have it enabled. Note that EBS default encryption is a per-region setting, so the schedule and runbook have to exist in every region you care about (a StackSet does that nicely). In the future I see this evolving to check a Parameter Store value so that an exception for a given account/region pair is honored rather than overwritten. Currently a user can opt out simply by disabling or deleting the schedule, but for now it does what I need it to do.

This solution, deployed with my GitLab pipeline, closed the pesky AWS Foundational Security Best Practices and PCI DSS finding for EBS default encryption across 4 AWS Organizations and over 40 member accounts, all with a merge to my main branch.

Damn, I love automation. I have about 6 more solutions in the works.

Why use an SSM Automation runbook instead of a Lambda?

Previously I would have used a Lambda, but with an Automation document users can run the same remediation on demand from the Systems Manager console with a few clicks. A Lambda needs an event payload, and whoever invokes it has to be close enough to the code to know what to send. An Automation document carries its own parameter schema, runs under its own assume role, and leaves an execution history in Systems Manager. It is contained and packaged nicely.

This is just the tip of the iceberg.

Bonus: since EventBridge Scheduler is a relatively recent service feature, I had a hard time converting from EventBridge scheduled rules to the AWS::Scheduler::Schedule resource. Finding the target ARN for StartAutomationExecution was a bear. After about an hour of digging, I finally came across this (Universal Targets) gem and used it to piece together the target ARN for the schedule. I hope that helps.
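To make the two pieces above concrete (the daily EBS-default-encryption runbook and the universal-target ARN that took an hour to find), here is an added example that builds the whole CloudFormation template. It is not the newsletter author's template; the document name, role names, the rate expression, and the resource logical IDs are assumptions made for this illustration. The universal target ARN for Systems Manager is `arn:aws:scheduler:::aws-sdk:ssm:startAutomationExecution`, with the API action in camelCase, and the schedule's `Input` is the StartAutomationExecution request body as a JSON string.

```python
"""CloudFormation template for a scheduled EBS-default-encryption fix:
EventBridge Scheduler -> universal target ssm:startAutomationExecution ->
SSM Automation runbook -> ec2:EnableEbsEncryptionByDefault. Added example, not the
newsletter author's template; document/role names and the rate are assumed here."""
import json
import re

# Universal-target ARNs take the camelCase API action (startAutomationExecution),
# not the PascalCase name the SDK/CLI docs use (StartAutomationExecution).
_CAMEL_ACTION = re.compile(r"^[a-z][A-Za-z0-9]*$")


def universal_target_arn(service: str, api_action: str) -> str:
    """Return arn:aws:scheduler:::aws-sdk:<service>:<camelCaseAction>."""
    if not _CAMEL_ACTION.match(api_action):
        raise ValueError(f"universal targets need a camelCase action, got {api_action!r}")
    return f"arn:aws:scheduler:::aws-sdk:{service}:{api_action}"


def automation_document(doc_name: str) -> dict:
    """AWS::SSM::Document (Automation, schemaVersion 0.3) with one aws:executeAwsApi step."""
    content = {
        "schemaVersion": "0.3",
        "description": "Enable EBS encryption by default in the current region.",
        "assumeRole": "{{ AutomationAssumeRole }}",
        "parameters": {"AutomationAssumeRole": {"type": "String"}},
        "mainSteps": [{"name": "EnableDefaultEncryption", "action": "aws:executeAwsApi",
                       "inputs": {"Service": "ec2", "Api": "EnableEbsEncryptionByDefault"}}],
    }
    return {"Type": "AWS::SSM::Document",
            "Properties": {"Name": doc_name, "DocumentType": "Automation",
                           "DocumentFormat": "JSON", "Content": content}}


def iam_role(trusted_service: str, statements: list) -> dict:
    """AWS::IAM::Role trusted by one AWS service, with a single inline policy."""
    trust = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                            "Principal": {"Service": trusted_service}}]}
    policy = {"Version": "2012-10-17", "Statement": statements}
    return {"Type": "AWS::IAM::Role",
            "Properties": {"AssumeRolePolicyDocument": trust,
                           "Policies": [{"PolicyName": "inline", "PolicyDocument": policy}]}}


def build_template(doc_name: str = "EnableEbsDefaultEncryption") -> dict:
    """Whole template. EBS default encryption is a per-region setting: deploy this per region."""
    # Least privilege for the runbook itself: the one EC2 call it makes.
    automation_role = iam_role("ssm.amazonaws.com", [
        {"Effect": "Allow", "Action": "ec2:EnableEbsEncryptionByDefault", "Resource": "*"}])
    # Scheduler's role: start this runbook only, and pass the runbook's role to SSM
    # (SSM checks iam:PassRole on the caller for the AutomationAssumeRole parameter).
    scheduler_role = iam_role("scheduler.amazonaws.com", [
        {"Effect": "Allow", "Action": "ssm:StartAutomationExecution",
         "Resource": {"Fn::Sub": "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}"
                                 ":automation-definition/${EnableEncryptionDoc}:*"}},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": {"Fn::GetAtt": ["AutomationRole", "Arn"]}}])
    # StartAutomationExecution request body, handed to Scheduler as a JSON string.
    # Fn::Sub fills ${EnableEncryptionDoc} (Ref = document name) and ${AutomationRole.Arn},
    # which also makes CloudFormation create the document and role before the schedule.
    request = {"DocumentName": "${EnableEncryptionDoc}",
               "Parameters": {"AutomationAssumeRole": ["${AutomationRole.Arn}"]}}
    schedule = {
        "Type": "AWS::Scheduler::Schedule",
        "Properties": {
            "Name": f"{doc_name}-daily",
            "ScheduleExpression": "rate(24 hours)",
            "FlexibleTimeWindow": {"Mode": "OFF"},
            "State": "ENABLED",
            "Target": {"Arn": universal_target_arn("ssm", "startAutomationExecution"),
                       "RoleArn": {"Fn::GetAtt": ["SchedulerRole", "Arn"]},
                       "Input": {"Fn::Sub": json.dumps(request)}},
        },
    }
    return {"AWSTemplateFormatVersion": "2010-09-09",
            "Description": "Re-enable EBS default encryption every 24 hours.",
            "Resources": {"EnableEncryptionDoc": automation_document(doc_name),
                          "AutomationRole": automation_role,
                          "SchedulerRole": scheduler_role,
                          "DailySchedule": schedule}}


def target_request(template: dict) -> dict:
    """Parse the schedule's Input back into the request Scheduler will send to SSM."""
    target = template["Resources"]["DailySchedule"]["Properties"]["Target"]
    return json.loads(target["Input"]["Fn::Sub"])


if __name__ == "__main__":  # write the template out for `aws cloudformation deploy`
    print(json.dumps(build_template(), indent=2))
```

Run it and redirect the output to a file, then deploy that file with `aws cloudformation deploy` (or as a StackSet for every account/region pair). Two choices are worth keeping when you adapt it: the scheduler role is allowed to start only this one automation definition, and the runbook's own role holds only `ec2:EnableEbsEncryptionByDefault`, so a compromised schedule cannot be pointed at an arbitrary runbook or used for anything but the remediation it exists for.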

Announcements

No surprises here. Still quiet in Cloud Operations and Governance. Here are a couple of posts that bubbled to the top.

  • The CloudFormation team tweaks how !FindInMap supports intrinsic functions and default values. If you thought Mappings, !Splits, !Joins, !Subs, and !Refs were complicated before, just get a load of this.

  • AWS Billing and Cost Management is moving to more fine-grained permissions. I'm doubling down on my stance that more centralized management of multiple Organizations is on its way, even if it is only for consolidated billing and sharing of things like `reserved` resources, AMIs, snapshots, Backup vaults, etc. You'd have to assume certain account-level changes are required before going bigger and outside of the org. Still, if I'm wrong here, this is a great update so teams can finally get more granular spending details out of their accounts without seeing the really important numbers.

Visualize, Inventory, and Map your Resources with Workload Discovery

These `aws-solutions` are sometimes hit or miss. Ultimately some of these solutions become actual service features. Regardless, I appreciate teams putting in the effort to pump out great tools for governance. In this case, DISCOVERABILITY, and on top of that, sexy diagrams to boot.

Check out this GitHub repo for 'Workload Discovery on AWS'

Workload Discovery on AWS is a tool that quickly visualizes AWS Cloud workloads as architecture diagrams. You can use the solution to build, customize, and share detailed workload visualizations based on live data from AWS. This solution works by maintaining an inventory of the AWS resources across your accounts and Regions, mapping relationships between them, and displaying them in a web user interface (web UI).


SHARE THE LOVE

Alright. You are all back from your holiday time off, hopefully. It is time to get back to inbox zero. One great way to do that is to delegate the work to someone else.

Does something in this issue look useful? Forward it to someone to implement. Then delete. It's as simple as that.

We could use a bolus of new subscribers to motivate us to complete the central repository for all these resources I find and share. It's not going to be an OnlyFans I promise.

Send your family, friends, and colleagues here 👇

If your mom is in her 80s, send her here 👇

Review past issues HERE | Share with others HERE
Disclaimer: The resources and topics shared within this newsletter are for informational use only. Any resources deployed or tools implemented are done so at your own risk. Do your own research and testing prior to the implementation of any resource or service deployed for any workload.