Fix SSM Agent Automatic Update
Opportunity Name:
Fix SSM Agent Automatic Update
AWS Resource Type:
AWS Account / Region
Opportunity Description:
Enabling automatic updates of (previously installed) SSM agents to unlock future savings (this FF does not save money).
Criteria for identifying the opportunity:
For each AWS Account / Region found in CUR:
- Check for missing “AWS-UpdateSSMAgent” State Manager Association (this is how automatic SSM agent updates are enabled).
- Check for more than one such association (only one should exist).
- Check if no existing association has a wildcard target (i.e., covers all nodes) and a scheduled interval <= 14 days.
Potential savings (range in % on annual basis):
This FF does not save money; it unlocks future savings.
What happens when the Fixer is executed?
The fixer does the following for each AWS Account / Region:
- Get all State Manager associations with the document name “AWS-UpdateSSMAgent”.
- Check the associations for one with a wildcard target and a schedule with an interval <= 14 days.
- If not found, create an association with the document name “AWS-UpdateSSMAgent”, wildcard target, and a scheduled interval of 14 days.
- Remove all the associations except the one found or created above.
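The selection logic in the steps above, as an added Python example (not CloudFix's own code): it plans the keep/create/delete actions from records shaped like the SSM ListAssociations response, without calling AWS. Assumptions: the wildcard target is expressed as `Key=InstanceIds, Values=*`, only `rate()` schedules are evaluated (a `cron()` schedule is treated as not meeting the 14-day check), and the sample records and their IDs are constructed.

```python
import re

DOC_NAME = "AWS-UpdateSSMAgent"
MAX_INTERVAL_DAYS = 14
_RATE = re.compile(r"^rate\(\s*(\d+)\s+(minute|hour|day)s?\s*\)$")
_UNIT_DAYS = {"minute": 1 / 1440, "hour": 1 / 24, "day": 1}


def interval_days(schedule):
    """Interval of a rate() schedule in days, or None if not a rate() expression."""
    m = _RATE.match((schedule or "").strip())
    if not m:
        return None  # cron() or empty: not evaluated in this simplified example
    return int(m.group(1)) * _UNIT_DAYS[m.group(2)]


def is_wildcard(targets):
    """True when the association targets every managed node (InstanceIds = *)."""
    return any(t.get("Key") == "InstanceIds" and "*" in t.get("Values", [])
               for t in targets or [])


def plan(associations):
    """Return the fixer's actions for one account/region without calling AWS."""
    ours = [a for a in associations if a.get("Name") == DOC_NAME]
    keep = None
    for a in ours:
        days = interval_days(a.get("ScheduleExpression"))
        if is_wildcard(a.get("Targets")) and days is not None and days <= MAX_INTERVAL_DAYS:
            keep = a["AssociationId"]
            break
    return {
        "keep": keep,
        "create": keep is None,  # no compliant association: one must be created
        "delete": [a["AssociationId"] for a in ours if a["AssociationId"] != keep],
    }


# Constructed sample data shaped like ListAssociations output (IDs are placeholders).
SAMPLE = [
    {"AssociationId": "assoc-1", "Name": DOC_NAME, "ScheduleExpression": "rate(30 days)",
     "Targets": [{"Key": "InstanceIds", "Values": ["*"]}]},
    {"AssociationId": "assoc-2", "Name": DOC_NAME, "ScheduleExpression": "rate(7 days)",
     "Targets": [{"Key": "tag:Env", "Values": ["prod"]}]},
    {"AssociationId": "assoc-3", "Name": DOC_NAME, "ScheduleExpression": "rate(14 days)",
     "Targets": [{"Key": "InstanceIds", "Values": ["*"]}]},
    {"AssociationId": "assoc-4", "Name": "AWS-GatherSoftwareInventory",
     "ScheduleExpression": "rate(1 day)", "Targets": [{"Key": "InstanceIds", "Values": ["*"]}]},
]
```

Running `plan(SAMPLE)` before accepting the recommendation shows which existing associations would be removed, including narrowly targeted ones such as `assoc-2`.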
Is it possible to roll back once CloudFix implements the fixer?
Yes, it can be manually rolled back by removing the “AWS-UpdateSSMAgent” association using either the DeleteAssociation API or the delete-association CLI command.
Can CloudFix implement the fix automatically once I accept the recommendation?
Yes
Does this fix require downtime?
No. An SSM Agent update involves minimal disruption to the affected AWS node. In the rare case where this is a concern, you can limit the workload disruption by creating a Systems Manager maintenance window, which performs the agent installation/update during designated periods.