Amazon EC2 Systems Manager
User Guide

What Is Amazon EC2 Systems Manager?

Amazon EC2 Systems Manager is a collection of capabilities that helps you automate management tasks such as collecting system inventory, applying operating system patches, automating the creation of Amazon Machine Images (AMIs), and configuring operating systems and applications at scale. Systems Manager lets you remotely and securely manage the configuration of your managed instances. A managed instance is any Amazon EC2 instance or on-premises machine in your hybrid environment that has been configured for Systems Manager.


Tasks Details

Run Command

Run Command helps you remotely and securely manage the configuration of your managed instances at scale. Use Run Command to perform ad hoc changes like updating applications or running Linux shell scripts and Windows PowerShell commands on a target set of dozens or hundreds of instances.


Inventory Manager automates the process of collecting software inventory from managed instances. You can use Inventory Manager to gather metadata about OS and system configurations and application deployments.

State Management

State Manager automates the process of keeping your managed instances in a defined state. You can use State Manager to ensure that your instances are bootstrapped with specific software at startup, joined to a Windows domain (Windows instances only), or patched with specific software updates.


Automation automates common maintenance and deployment tasks. You can use Automation to create and update Amazon Machine Images, apply driver and agent updates, and apply OS patches or application updates.

Patch Management

Patch Manager automates the process of patching your managed instances. This feature enables you to scan instances for missing patches and apply missing patches individually or to large groups of instances by using Amazon EC2 instance tags. Patch Manager uses patch baselines that include rules for auto-approving patches within days of their release, as well as a list of approved and rejected patches. You can install patches on a regular basis by scheduling patching to run as a Systems Manager Maintenance Window task.

Maintenance Windows

Maintenance Windows let you set up recurring schedules for managed instances to execute administrative tasks like installing patches and updates without interrupting business-critical operations.

Parameter Store

Parameter Store provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, and license codes as parameter values. You can store values as plain text or encrypted data. You can then reference values by using the unique name you specified when you created the parameter.

Configuration Compliance

Use Configuration Compliance to scan your fleet of managed instances for patch compliance and configuration inconsistencies. You can collect and aggregate data from multiple AWS accounts and Regions, and then drill down into specific resources that aren’t compliant. By default, Configuration Compliance displays compliance data about Patch Manager patching and State Manager associations. You can also customize the service and create your own compliance types based on your IT or business requirements.

Systems Manager Documents

A Systems Manager Document defines the actions that Systems Manager performs on your managed instances. Systems Manager includes more than a dozen pre-configured documents that you can use by specifying parameters at runtime. Documents use JavaScript Object Notation (JSON) and include steps and parameters that you specify. Steps execute in sequential order.

Getting Started

To get started with Systems Manager, verify prerequisites, configure roles and permissions, and install the SSM Agent on your instances. If you want to manage your on-premises servers and VMs with Systems Manager, then you must also create a managed instance activation. These tasks are described in Setting Up Systems Manager.

Accessing Systems Manager

You can access Systems Manager using any of the following interfaces:

  • AWS Management Console— Provides a web interface that you can use to access Systems Manager.

  • AWS Command Line Interface (AWS CLI) — Provides commands for a broad set of AWS services, including Systems Manager, and is supported on Windows, Mac, and Linux. For more information, see AWS Command Line Interface.

  • AWS SDKs — Provides language-specific APIs and takes care of many of the connection details, such as calculating signatures, handling request retries, and error handling. For more information, see AWS SDKs.

  • Query API— Provides low-level API actions that you call using HTTPS requests. Using the Query API is the most direct way to access Systems Manager, but it requires that your application handle low-level details such as generating the hash to sign the request, and error handling. For more information, see the Amazon EC2 Systems Manager API Reference.


Systems Manager features and shared components are offered at no additional cost. You pay only for the Amazon EC2 resources that you use.

Systems Manager is also documented in the following references.