Amazon EC2 Systems Manager
User Guide

Systems Manager Documentation Update History

The following table describes important changes to the documentation since the preceding release of Systems Manager.

  • API version: 2014-11-06

  • Last update: October 3, 2017

Change Description Release Date

Support for Tagging Systems Manager Documents

You can now use the AddTagsToResource API, the AWS CLI, or the AWS Tools for Windows to tag Systems Manager documents with key-value pairs. Tagging helps you quickly identify specific resources based on the tags you've assigned to them. This is in addition to existing tagging support for managed instances, Maintenance Windows, Parameter Store parameters, and patch baselines. New topics include Tagging Systems Manager Documents and Controlling Access to Documents Using Tags.

October 3, 2017

Various Documentation Updates to Fix Errors or Update Content Based on Feedback

October 2, 2017

Troubleshoot Unreachable Windows Instances by Using the EC2Rescue Automation Workflow

EC2Rescue can help you diagnose and troubleshoot problems on Amazon EC2 Windows Server instances. You can run the tool as a Systems Manager Automation workflow by using the AWSSupport-ExecuteEC2Rescue document. The AWSSupport-ExecuteEC2Rescue document is designed to perform a combination of Systems Manager actions, AWS CloudFormation actions, and Lambda functions that automate the steps normally required to use EC2Rescue. For more information, see Run the EC2Rescue Tool on Unreachable Instances.

September 29, 2017

SSM Agent Installed By Default on Amazon Linux

SSM Agent is installed, by default, on Amazon Linux AMIs dated 2017.09 and later. You must manually install SSM Agent on other versions of Linux, as described in Installing and Configuring SSM Agent on Linux Instances.

September 27, 2017

Run Command Enhancements

Run Command includes the following enhancements.

  • You can restrict command execution to specific instances by creating an IAM user policy that includes a condition that the user can only execute commands on instances that are tagged with specific Amazon EC2 tags. For more information, see Restricting Run Command Access Based on Instance Tags.

  • You have more options for targeting instances by using Amazon EC2 tags. You can now specify multiple tag keys and multiple tag values when sending commands. For more information, see Sending Commands to a Fleet.

September 12, 2017

Systems Manager Supported on Raspbian

Systems Manager can now run on Raspbian Jessie and Raspbian Stretch devices, including Raspberry Pi (32-Bit). For more information, see Raspbian.

September 7, 2017

Automatically Send SSM Agent Logs to Amazon CloudWatch Logs

You can now make a simple configuration change on your instances to have SSM Agent send log files to CloudWatch. For more information, see Sending SSM Agent Log Files to Amazon CloudWatch Logs.

September 7, 2017

Encrypt Resource Data Sync

Systems Manager Resource Data Sync lets you aggregate Inventory data collected on dozens or hundreds of managed instances in a central Amazon S3 bucket. You can now encrypt Resource Data Sync by using an AWS Key Management Service key. For more information, see Using Resource Data Sync to Aggregate Inventory Data.

September 1, 2017

New State Manager Walkthroughs

Added two new walkthroughs to the State Manager documentation:

Walkthrough: Automatically Update the SSM Agent

Walkthrough: Automatically Update PV Drivers on EC2 Windows Instances

August 31, 2017

Systems Manager Configuration Compliance

Use Configuration Compliance to scan your fleet of managed instances for patch compliance and configuration inconsistencies. You can collect and aggregate data from multiple AWS accounts and Regions, and then drill down into specific resources that aren’t compliant. By default, Configuration Compliance displays compliance data about Patch Manager patching and State Manager associations. You can also customize the service and create your own compliance types based on your IT or business requirements. For more information, see Systems Manager Configuration Compliance.

August 28, 2017

New Automation Action: aws:executeAutomation

Executes a secondary Automation workflow by calling a secondary Automation document. With this action, you can create Automation documents for your most common workflows, and reference those documents during an Automation execution. This action can simplify your Automation documents by removing the need to duplicate steps across similar documents. For more information, see aws:executeAutomation.

August 22, 2017

Automation as the Target of a CloudWatch Event

You can start an Automation workflow by specifying an Automation document as the target of an Amazon CloudWatch event. You can start workflows according to a schedule, or when a specific AWS system event occurs. For more information, see Optional: Configure Automation as a CloudWatch Events Target.

August 21, 2017

State Manager Association Versioning and General Updates

You can now create different State Manager association versions. There is a limit of 1,000 versions for each association. You can also specify names for your associations. Also, the State Manager documentation has been updated to address outdated information and inconsistencies. For more information, see Systems Manager State Management.

August 21, 2017

Changes to Maintenance Windows

Maintenance Windows include the following changes or enhancements:

  • Previously, Maintenance Windows could only perform tasks by using Run Command. You can now perform tasks by using Systems Manager Automation, AWS Lambda, and AWS Step Functions.

  • You can edit the targets of a Maintenance Window and specify a target name, description, and owner.

  • You can edit tasks in a Maintenance Window, including specifying a new SSM document for Run Command and Automation tasks.

  • All Run Command parameters are now supported, including DocumentHash, DocumentHashType, TimeoutSeconds, Comment, and NotificationConfig.

  • You can now use a safe flag when you attempt to deregister a target. If enabled, the system returns an error if the target is referenced by any task.

For more information, see Systems Manager Maintenance Windows.

August 16, 2017

New Automation Action: aws:approve

This new action for Automation documents temporarily pauses an Automation execution until designated principals either approve or reject the action. After the required number of approvals is reached, the Automation execution resumes.

For more information, see Systems Manager Automation Actions.

August 10, 2017

Automation Assume Role No Longer Required

Automation previously required that you specify a service role (or assume role) so that the service had permission to perform actions on your behalf. Automation no longer requires this role because the service now operates by using the context of the user who invoked the execution.

However, the following situations still require that you specify a service role for Automation:

  • When you want to restrict a user's privileges on a resource, but you want the user to execute an Automation workflow that requires higher privileges. In this scenario, you can create a service role with higher privileges and allow the user to execute the workflow.

  • Operations that you expect to run longer than 12 hours require a service role.

For more information, see Setting Up Automation.

August 3, 2017

Configuration Compliance

Use Amazon EC2 Systems Manager Configuration Compliance to scan your fleet of managed instances for patch compliance and configuration inconsistencies. You can collect and aggregate data from multiple AWS accounts and Regions, and then drill down into specific resources that aren’t compliant. For more information, see Systems Manager Configuration Compliance.

August 8, 2017

SSM Document Enhancements

SSM Command and Policy documents now offer cross-platform support. This means that a single SSM document can process plugins for Windows and Linux operating systems. Cross-platform support enables you to consolidate the number of documents you manage. Cross-platform support is offered in SSM documents that use schema version 2.2 or later.

SSM Command documents that use schema version 2.0 or later can now include multiple plugins of the same type. For example, you can create a Command document that calls the aws:runShellScript plugin multiple times.

For more information about schema version 2.2 changes, see Systems Manager Documents. For more information about SSM plugins, see Systems Manager Plugins.

July 12, 2017

Linux Patching

Patch Manager can now patch the following Linux distributions:

64-Bit and 32-Bit Systems

  • Amazon Linux 2014.03, 2014.09, or later

  • Ubuntu Server 16.04 LTS, 14.04 LTS, or 12.04 LTS

  • Red Hat Enterprise Linux (RHEL) 6.5 or later

64-Bit Systems Only

  • Amazon Linux 2015.03, 2015.09, or later

  • Red Hat Enterprise Linux (RHEL) 7.x or later

For more information, see Systems Manager Patch Management.


  • To patch Linux instances, your instances must be running SSM Agent version 2.0.834.0 or later. For information about updating the agent, see the section titled Example: Update the SSM Agent in Executing Commands from the EC2 Console.

  • The AWS-ApplyPatchBaseline SSM document is being replaced by the AWS-RunPatchBaseline document.

July 6, 2017

Resource Data Sync

You can use Systems Manager Resource Data Sync to send Inventory data collected from all of your managed instances to a single Amazon S3 bucket. Resource Data Sync then automatically updates the centralized data when new Inventory data is collected. With all Inventory data stored in a target Amazon S3 bucket, you can use services like Amazon Athena and Amazon QuickSight to query and analyze the aggregated data. For more information, see Configuring Resource Data Sync for Inventory. For an example of how to work with Resource Data Sync, see Using Resource Data Sync to Aggregate Inventory Data.

June 29, 2017

Systems Manager Parameter Hierarchies

Managing dozens or hundreds of Systems Manager parameters as a flat list is time-consuming and prone to errors. You can use parameter hierarchies to help you organize and manage Systems Manager parameters. A hierarchy is a parameter name that includes a path that you define by using forward slashes. Here is an example that uses three hierarchy levels in the name to identify the following:

/Environment/Type of computer/Application/Data


For more information, see Organizing Parameters into Hierarchies. For an example of how to work with parameter hierarchies, see Manage Parameters Using Hierarchies.

June 22, 2017

SSM Agent Support for SUSE Linux Enterprise Server

You can install the SSM Agent on 64-bit SUSE Linux Enterprise Server (SLES). For more information, see Installing and Configuring SSM Agent on Linux Instances.

June 14, 2017