System Manager Automation


How can I implement automation workflows in my organization using the new AWS Systems Manager just-in-time node access with Amazon Q developer integration?

AWS (EXPERT)
asked 10 days ago, 30 views
1 Answer

AWS Systems Manager's new just-in-time node access feature, combined with Amazon Q Developer integration, offers a powerful way to implement automation workflows in your organization while maintaining security and control. Here's how you can leverage these capabilities:

  1. Enable just-in-time node access: As an administrator, you'll need to enable this feature in AWS Systems Manager. This allows you to define precise access controls through approval policies across your AWS Organization.

  2. Create approval policies: Set up manual approval or condition-based auto-approval policies using the Cedar policy language. These policies determine how access requests are handled.

  3. Define access controls: Specify which Organization Units and AWS Regions are targeted by your policies, ensuring granular control over node access.

  4. Integrate with communication tools: Just-in-time node access integrates with Slack and Microsoft Teams through Amazon Q Developer. This allows for easy notification of approvers when there are pending access requests.

  5. Set up EventBridge integration: Configure Amazon EventBridge to receive status updates about just-in-time node session access requests. This can be used to route notifications to Amazon SNS or integrate with your internal systems.

  6. Implement roles: Establish three key roles in your organization - Administrator (to enable and configure the feature), Operator (to initiate access requests), and Approver (to review and authorize requests).

  7. Use Amazon Q Developer: Leverage the natural language capabilities of Amazon Q Developer to quickly gather information about managed nodes, investigate issues, or initiate automation tasks.

  8. Monitor and audit: Take advantage of the logging capabilities, which can record commands run during sessions and actions taken during RDP sessions, providing additional visibility into operator activities.

  9. Automate remediation: Create custom automation documents using Amazon Q Developer to resolve non-compliant resource statuses, further enhancing your automation capabilities.

By implementing these steps, you can create a robust automation workflow that ensures least-privilege access, improves operational efficiency, and maintains strong security controls across your organization. The integration with Amazon Q Developer simplifies the process of creating and managing these automation tasks, allowing you to use natural language queries to gather information and initiate actions within your AWS environment.

Sources
Introducing Just-in-Time Node access using AWS Systems Manager | AWS Cloud Operations Blog
Introducing a new experience for AWS Systems Manager | AWS News Blog
Simplifying remediation using AWS Systems Manager with Amazon Q Developer | AWS Cloud Operations Blog

answered 10 days ago
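Step 5 of the answer above describes routing EventBridge status updates for just-in-time node access requests to Amazon SNS. The following is an added example, not code from the answer or from AWS: a Lambda-style handler that normalises such an event and picks an SNS topic (approvers for pending requests, an audit topic for settled ones). The EventBridge detail-type, the field names inside `detail`, the request-id format and the topic ARNs are all assumptions or placeholders; confirm the real event schema in the Systems Manager user guide before deploying, and adjust only `parse_event()`.

```python
import os
from dataclasses import dataclass, field

# Placeholder topic ARNs (not real); supply real ones through the environment.
APPROVER_TOPIC_ARN = os.environ.get("APPROVER_TOPIC_ARN", "arn:aws:sns:REGION:ACCOUNT_ID:jit-approvers")
AUDIT_TOPIC_ARN = os.environ.get("AUDIT_TOPIC_ARN", "arn:aws:sns:REGION:ACCOUNT_ID:jit-audit")

# Event pattern for the EventBridge rule that invokes this handler.
# The detail-type value is an assumption; check the Systems Manager docs.
EVENT_PATTERN = {
    "source": ["aws.ssm"],
    "detail-type": ["Access Request Status Change"],
}

# Pending requests need an approver; settled ones only need an audit trail.
PENDING_STATUSES = {"PENDING"}
SETTLED_STATUSES = {"APPROVED", "DENIED", "EXPIRED", "REVOKED"}


@dataclass
class AccessRequestUpdate:
    request_id: str
    status: str
    requester: str
    targets: list[str] = field(default_factory=list)
    reason: str = ""


def parse_event(event: dict) -> AccessRequestUpdate:
    """Normalise the raw EventBridge event. Field names in `detail` are assumptions."""
    detail = event.get("detail") or {}
    missing = [k for k in ("requestId", "status") if not detail.get(k)]
    if missing:
        raise ValueError(f"event missing required detail fields: {missing}")
    return AccessRequestUpdate(
        request_id=str(detail["requestId"]),
        status=str(detail["status"]).upper(),
        requester=str(detail.get("requester", "unknown")),
        targets=[str(t) for t in detail.get("targets", [])],
        reason=str(detail.get("reason", "")),
    )


def route(update: AccessRequestUpdate) -> tuple[str, str]:
    """Return (topic_arn, message) for an update; unknown statuses are rejected loudly."""
    nodes = ", ".join(update.targets) or "(no targets listed)"
    if update.status in PENDING_STATUSES:
        msg = (f"Pending JIT node access request {update.request_id} from {update.requester} "
               f"for {nodes}. Reason: {update.reason or 'none given'}. Review it in Systems Manager.")
        return APPROVER_TOPIC_ARN, msg
    if update.status in SETTLED_STATUSES:
        msg = (f"JIT node access request {update.request_id} for {nodes} is now {update.status} "
               f"(requester: {update.requester}).")
        return AUDIT_TOPIC_ARN, msg
    # Refusing to guess keeps a schema change from silently dropping notifications.
    raise ValueError(f"unrecognised access request status: {update.status!r}")


def handler(event: dict, context=None, publish=None) -> dict:
    """Lambda entry point. `publish` is injectable so routing can be tested offline;
    in production leave it None and boto3's SNS publish is used."""
    update = parse_event(event)
    topic, message = route(update)
    if publish is None:
        import boto3  # imported lazily so the routing logic runs without AWS credentials
        publish = boto3.client("sns").publish
    publish(TopicArn=topic, Subject=f"JIT access {update.status}", Message=message)
    return {"requestId": update.request_id, "status": update.status, "topic": topic}


# Constructed sample event for a local dry run (its shape is an assumption).
SAMPLE_PENDING_EVENT = {
    "source": "aws.ssm",
    "detail-type": "Access Request Status Change",
    "detail": {
        "requestId": "req-EXAMPLE0001",
        "status": "Pending",
        "requester": "operator@example.com",
        "targets": ["i-0EXAMPLE123456789"],
        "reason": "Patch verification on web tier",
    },
}

if __name__ == "__main__":
    sent = []
    print(handler(SAMPLE_PENDING_EVENT, publish=lambda **kw: sent.append(kw)))
    print(sent[0]["Message"])
```

The handler raises on an unrecognised status rather than defaulting to one topic, so a schema change shows up as a Lambda error in CloudWatch instead of approvals silently going unnotified.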
