Configuration Management at Scale

Explore how AWS Systems Manager transforms configuration management at scale by replacing traditional access methods with centralized automation. Understand how Patch Manager, Run Command, Parameter Store, and Secrets Manager empower you to enforce security, compliance, and operational governance across AWS and on-premises fleets.

Enterprises managing hundreds or thousands of compute nodes across AWS accounts and on-premises environments face a fundamental governance challenge. Host-centric approaches such as SSH bastion hosts, RDP jump boxes, and custom scripts do not scale, expand the attack surface, and fragment operational visibility. Systems Manager addresses this challenge by providing a centralized control plane (the management layer that orchestrates operations across distributed resources without requiring direct network access to each managed node), where the SSM Agent on each managed instance initiates outbound HTTPS connections to the service. This eliminates the need for inbound access, bastions, or public exposure.
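The outbound-only model described above is easy to state and easy to drift from: a fleet that has moved to Systems Manager should no longer carry security groups that admit SSH or RDP. The following audit is an added example (not AWS or course code) that walks security-group rules in the shape returned by EC2 DescribeSecurityGroups and flags any inbound rule covering port 22 or 3389, rating an any-address source as high severity. The group IDs and rules are constructed so the script runs offline; replace SAMPLE_GROUPS with the live `SecurityGroups` list from boto3 to audit a real account.

```python
"""Audit EC2 security-group rules for inbound management ports.

Added example, not AWS or course code. Works on the response shape of
EC2 DescribeSecurityGroups (IpPermissions / IpRanges / Ipv6Ranges).
SAMPLE_GROUPS is constructed data; for a live check use
boto3.client("ec2").describe_security_groups()["SecurityGroups"].
"""

# Host-centric access paths the Systems Manager model is meant to replace.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed sample: a legacy bastion group still exposing SSH to the
# internet and RDP to the corporate range, and an SSM-managed app group
# that only accepts HTTPS from inside the network.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0a1b2c3d4e5f60001",  # constructed id
        "GroupName": "legacy-bastion",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0a1b2c3d4e5f60002",  # constructed id
        "GroupName": "ssm-managed-app",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ],
    },
]


def _port_in_rule(rule, port):
    """True if the rule's protocol and port range cover `port`.

    IpProtocol "-1" means all traffic and therefore covers every port;
    only TCP ("tcp" or protocol number "6") is relevant for SSH/RDP.
    """
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def _rule_sources(rule):
    """All IPv4 and IPv6 CIDR sources listed on a rule."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def find_inbound_management_exposure(groups):
    """Return a finding for every inbound rule that admits SSH or RDP.

    Each finding is (group_id, protocol_name, source_cidr, severity);
    severity is "high" for an any-address source, "medium" otherwise.
    """
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            for port, name in MANAGEMENT_PORTS.items():
                if not _port_in_rule(rule, port):
                    continue
                for src in _rule_sources(rule):
                    severity = "high" if src in ("0.0.0.0/0", "::/0") else "medium"
                    findings.append((sg["GroupId"], name, src, severity))
    return findings


if __name__ == "__main__":
    for gid, proto, src, sev in find_inbound_management_exposure(SAMPLE_GROUPS):
        print(f"{sev.upper():6} {gid} allows inbound {proto} from {src}")
```

Run against the constructed sample, the legacy bastion group produces two findings and the SSM-managed group none, which is the state a fleet should converge on once the agent's outbound HTTPS channel is the only management path.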

This lesson covers core Systems Manager capabilities used for fleet governance. Run Command enables secure, auditable remote execution at scale. Patch Manager enforces OS patching through baselines and maintenance windows, and State Manager continuously enforces desired configuration states. Parameter Store and Secrets Manager handle configuration and secrets management, while hybrid activations extend the same model to on-premises servers. Together, these capabilities establish consistent configuration management across environments and support operational readiness for adopting managed services, aligned with the Well-Architected Framework.

The following diagram illustrates how Systems Manager functions as the centralized control plane across a multi-account, hybrid environment.

AWS Systems Manager architecture with VPC endpoints enabling secure outbound-only management across AWS accounts and on-premises infrastructure

With this architectural foundation established, the next sections examine each Systems Manager capability in depth, starting with automated patching.

Automated patching with Systems Manager Patch Manager

Patch Manager addresses one of the most operationally demanding tasks at scale: ensuring that every node in a fleet runs approved security patches within a defined compliance window. The architecture relies on three core constructs.

  • Patch baselines are policy objects that define which patches are auto-approved, rejected, or deferred based on classification, severity, and age. AWS provides predefined baselines per operating system, but enterprise compliance typically requires custom baselines that enforce organization-specific approval rules, such as auto-approving critical CVE patches within 24 hours while deferring ...
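The approval logic a custom baseline encodes (classification, severity, and age since release) can be modelled locally to check that a rule set approves what you intend before it is attached to a fleet. The example below is added here and is not AWS or course code. Its `APPROVAL_RULES` structure mirrors the shape accepted by `aws ssm create-patch-baseline --approval-rules` (PatchRules, PatchFilterGroup/PatchFilters, ApproveAfterDays, ComplianceLevel); the patch records, release dates, and the fixed "today" are constructed, and the evaluation function is a simplified model of how such rules apply, not the service's own code.

```python
"""Model Patch Manager-style approval rules against a list of patches.

Added example, not AWS code. APPROVAL_RULES follows the structure of the
--approval-rules argument to `aws ssm create-patch-baseline`; the patch
records and dates are constructed, and evaluate_baseline() is a local
model of the rule semantics (first matching rule wins, approval after
ApproveAfterDays, explicit rejections override), not the service itself.
"""
from datetime import date, timedelta

# Organization policy: Critical security patches auto-approve one day after
# release; Important security patches after seven days. Anything no rule
# matches is left unapproved.
APPROVAL_RULES = {
    "PatchRules": [
        {
            "PatchFilterGroup": {"PatchFilters": [
                {"Key": "CLASSIFICATION", "Values": ["Security"]},
                {"Key": "SEVERITY", "Values": ["Critical"]},
            ]},
            "ApproveAfterDays": 1,
            "ComplianceLevel": "CRITICAL",
        },
        {
            "PatchFilterGroup": {"PatchFilters": [
                {"Key": "CLASSIFICATION", "Values": ["Security"]},
                {"Key": "SEVERITY", "Values": ["Important"]},
            ]},
            "ApproveAfterDays": 7,
            "ComplianceLevel": "HIGH",
        },
    ],
}

TODAY = date(2024, 6, 15)  # fixed evaluation date so the run is reproducible

# Constructed patch metadata: identifier, filter attributes, release date.
SAMPLE_PATCHES = [
    {"Id": "PATCH-A", "CLASSIFICATION": "Security", "SEVERITY": "Critical",
     "ReleaseDate": date(2024, 6, 14)},
    {"Id": "PATCH-B", "CLASSIFICATION": "Security", "SEVERITY": "Critical",
     "ReleaseDate": date(2024, 6, 15)},
    {"Id": "PATCH-C", "CLASSIFICATION": "Security", "SEVERITY": "Important",
     "ReleaseDate": date(2024, 6, 10)},
    {"Id": "PATCH-D", "CLASSIFICATION": "Security", "SEVERITY": "Important",
     "ReleaseDate": date(2024, 6, 1)},
    {"Id": "PATCH-E", "CLASSIFICATION": "Bugfix", "SEVERITY": "Low",
     "ReleaseDate": date(2024, 1, 1)},
]


def _matches(filter_group, patch):
    """A filter group matches when every filter's key is satisfied (AND semantics)."""
    return all(patch.get(f["Key"]) in f["Values"]
               for f in filter_group["PatchFilters"])


def evaluate_baseline(rules, patches, today, rejected=()):
    """Return {patch_id: status} for each patch.

    status is one of:
      "approved:<ComplianceLevel>"  matched a rule and ApproveAfterDays elapsed
      "pending"                      matched a rule but is still too new
      "unmatched"                    no rule applies
      "rejected"                     explicitly listed in `rejected`
    """
    result = {}
    for patch in patches:
        if patch["Id"] in rejected:
            result[patch["Id"]] = "rejected"
            continue
        status = "unmatched"
        for rule in rules["PatchRules"]:
            if _matches(rule["PatchFilterGroup"], patch):
                age = today - patch["ReleaseDate"]
                if age >= timedelta(days=rule["ApproveAfterDays"]):
                    status = f"approved:{rule['ComplianceLevel']}"
                else:
                    status = "pending"
                break  # first matching rule decides
        result[patch["Id"]] = status
    return result


if __name__ == "__main__":
    for pid, status in evaluate_baseline(APPROVAL_RULES, SAMPLE_PATCHES, TODAY).items():
        print(f"{pid}: {status}")
```

Against the constructed data, the one-day-old Critical patch and the two-week-old Important patch come out approved, the newer ones remain pending, and the Bugfix patch is left unmatched; adding an identifier to `rejected` overrides any rule, mirroring a baseline's rejected-patches list.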