AWS Systems Manager
User Guide

Getting Started with Configuration Compliance

To get started with Configuration Compliance, complete the following tasks.

Task 1: Configuration Compliance works with Patch Manager patch data, State Manager associations, and custom compliance types on Systems Manager managed instances. Verify that your Amazon EC2 instances and hybrid machines are configured as managed instances by verifying Systems Manager prerequisites.
    For more information: Systems Manager Prerequisites

Task 2: Update the SSM Agent on your managed instances to the latest version.
    For more information: Installing and Configuring SSM Agent

Task 3: If you plan to monitor patch compliance, verify that you've configured Systems Manager Patch Manager. You must perform patching operations by using Patch Manager before Configuration Compliance can display patch compliance data.
    For more information: AWS Systems Manager Patch Manager

Task 4: If you plan to monitor association compliance, verify that you've created State Manager associations. You must create associations before Configuration Compliance can display association compliance data.
    For more information: AWS Systems Manager State Manager

Task 5: (Optional) Create custom compliance types.
    For more information: Systems Manager Configuration Compliance Manager Walkthrough

Task 6: (Optional) Create a Resource Data Sync to aggregate all compliance data in a target Amazon S3 bucket.
    For more information: Creating a Resource Data Sync for Configuration Compliance

Creating a Resource Data Sync for Configuration Compliance

You can use Systems Manager Resource Data Sync to send compliance data from all of your managed instances to a target Amazon S3 bucket. When you create the sync, you can specify managed instances from multiple AWS accounts, AWS Regions, and your on-premises hybrid environment. Resource Data Sync then automatically updates the centralized data when new compliance data is collected. With all compliance data stored in a target Amazon S3 bucket, you can use services like Amazon Athena and Amazon QuickSight to query and analyze the aggregated data. Configuring Resource Data Sync for configuration compliance is a one-time operation.

The following graphic shows how Resource Data Sync aggregates all data from different accounts, Regions, and your hybrid environment to a central repository.

    [Figure: Resource Data Sync for SSM Configuration Compliance]

Use the following procedure to create a Resource Data Sync for Configuration Compliance by using the Amazon EC2 console.

To create a Resource Data Sync for Configuration Compliance

  1. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  2. Create a bucket to store your aggregated compliance data. For more information, see Create a Bucket in the Amazon Simple Storage Service Getting Started Guide. Make a note of the bucket name and the AWS Region where you created it.

  3. Choose the Permissions tab, and then choose Bucket Policy.

  4. Copy and paste the following bucket policy into the policy editor. Replace Bucket-Name and Account-ID with the name of the Amazon S3 bucket you created and a valid AWS account ID. Optionally, replace Bucket-Prefix with the name of an Amazon S3 prefix (subdirectory). If you didn't create a prefix, remove Bucket-Prefix/ from the ARN in the policy.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "SSMBucketPermissionsCheck",
          "Effect": "Allow",
          "Principal": {
            "Service": "ssm.amazonaws.com"
          },
          "Action": "s3:GetBucketAcl",
          "Resource": "arn:aws:s3:::Bucket-Name"
        },
        {
          "Sid": "SSMBucketDelivery",
          "Effect": "Allow",
          "Principal": {
            "Service": "ssm.amazonaws.com"
          },
          "Action": "s3:PutObject",
          "Resource": [
            "arn:aws:s3:::Bucket-Name/Bucket-Prefix/*/accountid=Account-ID/*"
          ],
          "Condition": {
            "StringEquals": {
              "s3:x-amz-acl": "bucket-owner-full-control"
            }
          }
        }
      ]
    }

  5. Open the Amazon EC2 console, expand Systems Manager Shared Resources in the navigation pane, and choose Managed Instances.

  6. Choose Resource Data Syncs, and then choose Create a Resource Data Sync.

  7. In the Sync Name field, type a name for the sync configuration.

  8. In the Bucket Name field, type the name of the Amazon S3 bucket you created at the start of this procedure.

  9. (Optional) In the Bucket Prefix field, type the name of an Amazon S3 bucket prefix (subdirectory).

  10. In the Bucket Region field, choose This region if the Amazon S3 bucket you created is located in the current AWS Region. If the bucket is located in a different AWS Region, choose Another region, and type the name of the Region.

    Note

    If the sync and the target Amazon S3 bucket are located in different AWS Regions, you may be subject to data transfer pricing. For more information, see Amazon S3 Pricing.

  11. Choose Create.
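The following Python example is added here and is not part of the AWS documentation or an AWS-provided tool. It generates the bucket policy from step 4 programmatically, handles the no-prefix case (dropping the Bucket-Prefix/ segment), and generalizes the policy to several source accounts, since one sync can aggregate compliance data from multiple AWS accounts. It also includes a small check that flags the mistakes most often made when hand-editing this policy (a public principal, a wildcard action, PutObject not confined to an accountid= path, or a missing bucket-owner-full-control condition), and a function that performs steps 5 through 11 through boto3's create_resource_data_sync call instead of the console. The bucket name, prefix and account IDs are constructed sample values; boto3 is assumed to be installed and configured with credentials only for the create_sync function, which the offline part of the example does not call.

```python
"""Build and sanity-check the S3 bucket policy and sync definition for a
Configuration Compliance Resource Data Sync.

Added example, not AWS's code. The policy shape follows the one shown in the
procedure above, extended to several source accounts. All names and IDs used
at the bottom are constructed placeholders.
"""
import json
import re

SSM_SERVICE_PRINCIPAL = "ssm.amazonaws.com"


def build_sync_bucket_policy(bucket, account_ids, prefix=None):
    """Return the bucket policy (as a dict) that lets the SSM service principal
    read the bucket ACL and write compliance objects, one path per account."""
    for acct in account_ids:
        if not re.fullmatch(r"\d{12}", acct):
            raise ValueError(f"not a 12-digit AWS account ID: {acct!r}")
    # With no prefix, the Bucket-Prefix/ path segment is dropped from the ARN.
    base = f"arn:aws:s3:::{bucket}/{prefix}/" if prefix else f"arn:aws:s3:::{bucket}/"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "SSMBucketPermissionsCheck",
                "Effect": "Allow",
                "Principal": {"Service": SSM_SERVICE_PRINCIPAL},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "SSMBucketDelivery",
                "Effect": "Allow",
                "Principal": {"Service": SSM_SERVICE_PRINCIPAL},
                "Action": "s3:PutObject",
                # Writes are confined to accountid=<id>/ paths of the listed accounts.
                "Resource": [f"{base}*/accountid={acct}/*" for acct in account_ids],
                # Objects must be written with bucket-owner-full-control so the
                # bucket owner, not the writing service, controls them.
                "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
            },
        ],
    }


def policy_findings(policy):
    """Return a list of least-privilege problems in a bucket policy meant for
    Resource Data Sync; an empty list means nothing was flagged."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid")
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: public principal")
        actions = stmt.get("Action")
        actions = [actions] if isinstance(actions, str) else list(actions or [])
        resources = stmt.get("Resource")
        resources = [resources] if isinstance(resources, str) else list(resources or [])
        for action in actions:
            if action in ("s3:*", "*"):
                findings.append(f"{sid}: wildcard action {action}")
        if "s3:PutObject" in actions:
            if any("accountid=" not in r for r in resources):
                findings.append(f"{sid}: PutObject not scoped to an accountid= path")
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if cond.get("s3:x-amz-acl") != "bucket-owner-full-control":
                findings.append(f"{sid}: missing bucket-owner-full-control ACL condition")
    return findings


def create_sync(sync_name, bucket, bucket_region, prefix=None):
    """Console steps 5 through 11 done with boto3 (assumed installed and
    configured with credentials; not called by the offline part below)."""
    import boto3  # imported here so the rest of the module runs without it
    ssm = boto3.client("ssm")
    # JsonSerDe is the sync format Resource Data Sync writes; Region is the
    # Region of the target bucket, matching the Bucket Region field in step 10.
    dest = {"BucketName": bucket, "SyncFormat": "JsonSerDe", "Region": bucket_region}
    if prefix:
        dest["Prefix"] = prefix
    return ssm.create_resource_data_sync(SyncName=sync_name, S3Destination=dest)


if __name__ == "__main__":
    # Constructed sample values; substitute your own bucket, prefix and accounts.
    policy = build_sync_bucket_policy(
        "example-compliance-bucket", ["111111111111", "222222222222"], "compliance"
    )
    print(json.dumps(policy, indent=2))
    print("findings:", policy_findings(policy))
```

Run the module to print a ready-to-paste policy for the sample values; running policy_findings over a policy you already have in the bucket is a quick way to confirm that a hand edit did not widen the grant beyond the SSM service principal and the per-account delivery paths.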