I am managing a set of instances in AWS Systems Manager (SSM), which are logically grouped into development, beta, and production environments. For each environment, I've created an SSM document that fetches a specific parameter value and writes it to a defined path on the respective instances' filesystems.
My objective is to ensure that the file created on these instances is always in sync with the current parameter value. Specifically, I want a system that automatically updates the file whenever the parameter value changes, or alternatively, checks periodically for changes and updates the file if necessary.
Currently, I'm considering adding this process to an after-install hook in AWS CodeDeploy. However, I'm also exploring the possibility of creating SSM State Manager associations for this purpose.
Additionally, I've been looking into AWS AppConfig as a potential solution, but I'm not sure if or how it could be used for this particular use case.
What would be the recommended approach to ensure that these files are always up-to-date with their corresponding parameter values? Does a specific AWS service, feature or combination that may be best suited for this task come to mind?
Parameter Store event-based triggers seems the way to go here indeed, and as OP mentions, they could also do the check on SSM to assure compliance and/or trigger the same action in case of a non-compliant resource.
Thank you for your suggestions. I can see how setting up notifications or trigger actions based on Parameter Store events, or using cron jobs to check the parameter store value periodically, could be useful for ensuring the parameter value is correctly propagated to the file on the instances.
However, my primary concern is not changes to the parameter value itself, but changes to the file on the instances' filesystems. Specifically, I want to be notified if the file is modified or deleted, and have a mechanism in place to automatically restore the file to its intended state.
I am aware that I could potentially use a Linux package, like audit, to monitor the file, but ideally, I would like to achieve this through an AWS service, if possible. This way, the monitoring and remediation process would be managed entirely through AWS, rather than having a separate mechanism on the instance itself.
Is there an AWS service or feature that could monitor a specific file on an EC2 instance and trigger a specified action if the file is modified or deleted?