AWS Systems Manager
User Guide

Working With Configuration Compliance

Configuration Compliance collects and reports data about the status of Patch Manager patching, State Manager associations, and custom compliance types. This section includes details about each of these compliance types and how to view Systems Manager compliance data. This section also includes information about how to view compliance history and change tracking.

Note

Systems Manager now integrates with Chef InSpec. InSpec is an open-source, runtime framework that enables you to create human-readable profiles on GitHub or Amazon S3. Then you can use Systems Manager to run compliance scans and view compliant and noncompliant instances. For more information, see Using Chef InSpec Profiles with Systems Manager Compliance.

About Patch Compliance

After you use Systems Manager Patch Manager to install patches on your instances, compliance status information is immediately available to you in the console or in response to AWS CLI commands or corresponding Systems Manager API actions.

For each patch, the system reports one of the following compliance status values:

  • Installed: Either the patch was already installed, or Patch Manager installed it when the AWS-RunPatchBaseline document was run on the instance.

  • Installed_Other: The patch is not in the baseline, but it is installed on the instance. An individual might have installed it manually.

  • Missing: The patch is approved in the baseline, but it's not installed on the instance. If you configure the AWS-RunPatchBaseline document task to scan (instead of install), the system reports this status for patches that were located during the scan but have not been installed.

  • Not_Applicable: The patch is approved in the baseline, but the service or feature that uses the patch is not installed on the instance. For example, a patch for a web server service would show Not_Applicable if it was approved in the baseline, but the web service is not installed on the instance.

  • Failed: The patch is approved in the baseline, but it could not be installed. To troubleshoot this situation, review the command output for information that might help you understand the problem.

Note

If you want to assign a specific patch compliance status to an instance, you can use the put-compliance-items CLI command or the PutComplianceItems API action. Assigning compliance status is not supported in the console.

About State Manager Association Compliance

After you create one or more State Manager associations, compliance status information is immediately available to you in the console or in response to AWS CLI commands or corresponding Systems Manager API actions. For associations, Configuration Compliance shows statuses of Compliant or Non-compliant and severity of Unspecified.

About Custom Compliance

You can assign compliance metadata to a managed instance. This metadata can then be aggregated with other compliance data for compliance reporting purposes. For example, say that your business runs versions 2.0, 3.0, and 4.0 of software X on your managed instances. The company wants to standardize on version 4.0, meaning that instances running versions 2.0 and 3.0 are non-compliant. You can use the PutComplianceItems API action to explicitly note which managed instances are running older versions of software X. Currently you can only assign compliance metadata by using the AWS CLI, AWS Tools for Windows PowerShell, or the SDKs. The following CLI sample command assigns compliance metadata to a managed instance and specifies the compliance type in the required format Custom:name, where name is a type name you choose (here, SoftwareXCheck).

aws ssm put-compliance-items \
    --resource-id i-1234567890 \
    --resource-type ManagedInstance \
    --compliance-type Custom:SoftwareXCheck \
    --execution-summary ExecutionTime=2019-09-30T12:00:00Z \
    --items Id=Version2.0,Title=SoftwareXVersion,Severity=CRITICAL,Status=NON_COMPLIANT

Replace i-1234567890 with the ID of your managed instance. ExecutionTime is a required timestamp (ISO 8601 format, as in the example value shown), not free text; it records when the check that produced the item ran.

Compliance managers can then view summaries or create reports about which instances are or aren't compliant. You can assign a maximum of 10 different custom compliance types to an instance.

For an example of how to create a custom compliance type and view compliance data, see Configuration Compliance Walkthrough (AWS CLI).
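The following Python/boto3 script is an added example that is not part of this guide. It builds the PutComplianceItems requests for the software X scenario above for a whole fleet at once, using the same Custom:SoftwareXCheck compliance type as the CLI command. The INVENTORY mapping and its instance IDs are constructed placeholders; in practice the installed versions would come from SSM Inventory or a CMDB.

```python
"""Build the PutComplianceItems requests for the software X example.

Added example, not from the Systems Manager guide. The inventory mapping and
the instance IDs in it are constructed placeholders; Custom:SoftwareXCheck is
the compliance type used by the CLI command in the guide."""
from datetime import datetime, timezone

# Custom compliance types must carry the "Custom:" prefix.
COMPLIANCE_TYPE = "Custom:SoftwareXCheck"
APPROVED_VERSION = "4.0"

# Constructed inventory: managed instance ID -> installed version of software X.
INVENTORY = {
    "i-0123456789abcdef0": "4.0",
    "i-0123456789abcdef1": "3.0",
    "i-0123456789abcdef2": "2.0",
}

def build_items(version):
    """One compliance item for the instance. Status is COMPLIANT or
    NON_COMPLIANT; Severity is one of CRITICAL, HIGH, MEDIUM, LOW,
    INFORMATIONAL, UNSPECIFIED and describes the check, not the result."""
    compliant = version == APPROVED_VERSION
    return [{
        "Id": f"Version{version}",
        "Title": "SoftwareXVersion",
        "Severity": "CRITICAL",
        "Status": "COMPLIANT" if compliant else "NON_COMPLIANT",
        # Details is a free-form string map that is shown with the item in reports.
        "Details": {"InstalledVersion": version, "ApprovedVersion": APPROVED_VERSION},
    }]

def build_request(instance_id, version, now=None):
    """Keyword arguments for boto3 SSM.Client.put_compliance_items.
    ExecutionTime is a timestamp (datetime or ISO 8601 string), not free text."""
    if not COMPLIANCE_TYPE.startswith("Custom:"):
        raise ValueError("custom compliance types must start with 'Custom:'")
    return {
        "ResourceId": instance_id,
        "ResourceType": "ManagedInstance",
        "ComplianceType": COMPLIANCE_TYPE,
        "ExecutionSummary": {"ExecutionTime": now or datetime.now(timezone.utc)},
        "Items": build_items(version),
    }

def build_all(inventory=INVENTORY, now=None):
    """One request per instance, in instance ID order."""
    return [build_request(i, v, now) for i, v in sorted(inventory.items())]

def noncompliant_instances(inventory=INVENTORY):
    """Instances that would be reported NON_COMPLIANT under this check."""
    return sorted(i for i, v in inventory.items() if v != APPROVED_VERSION)

def send(requests):
    """Upload the items. boto3 is imported here so the rest of the module runs
    offline. The default UploadType (COMPLETE) replaces everything previously
    reported under this compliance type for the resource, so send the full
    item list on every run rather than only the changed instances."""
    import boto3
    ssm = boto3.client("ssm")
    for req in requests:
        ssm.put_compliance_items(**req)

if __name__ == "__main__":
    for req in build_all():
        print(req["ResourceId"], req["Items"][0]["Status"])
```

Run build_all() to inspect the requests offline, then send(build_all()) with credentials that allow ssm:PutComplianceItems. Because each upload replaces the previous items for that compliance type on the resource, a scheduled run that reports every instance each time keeps the compliance view current without leaving stale items behind.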

Viewing Current Compliance Data

This section describes how to view compliance data in the AWS Systems Manager console and by using the AWS CLI. For information about how to view patch and association compliance history and change tracking, see Viewing Compliance Configuration History and Change Tracking.

Viewing Current Compliance Data (Console)

Use the following procedure to view compliance data in the Systems Manager console.

To view current compliance reports in the Systems Manager console

  1. Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.

  2. In the navigation pane, choose Compliance.

    -or-

    If the AWS Systems Manager home page opens first, choose the menu icon to open the navigation pane, and then choose Compliance in the navigation pane.

  3. In the Corresponding managed instances area, choose an instance ID to view its detailed configuration compliance report.

Note

For information about fixing compliance issues, see Remediating Compliance Issues.

Viewing Current Compliance Data (CLI)

You can view summaries of compliance data for patching, associations, and custom compliance types in the AWS CLI by using the following AWS CLI commands.

list-compliance-summaries

Returns a summary count of compliant and non-compliant resources for each compliance type (Patch, Association, or a Custom: type), according to the filter you specify. (API: ListComplianceSummaries)

list-resource-compliance-summaries

Returns a resource-level summary count. The summary includes information about compliant and non-compliant statuses and detailed compliance-item severity counts, according to the filter criteria you specify. (API: ListResourceComplianceSummaries)
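As an added example that is not part of this guide, the following Python script shows the filter shape these commands accept and turns a ListResourceComplianceSummaries response into a report that lists non-compliant instances worst first. SAMPLE_RESPONSE is constructed to match the API's response shape so the script runs offline; its instance IDs, counts and timestamps are placeholders. The fetch() function is the live boto3 equivalent.

```python
"""Turn a ListResourceComplianceSummaries response into a prioritized report.

Added example, not from the Systems Manager guide. SAMPLE_RESPONSE is
constructed to match the API's response shape; its instance IDs, counts and
timestamps are placeholders."""

SEVERITIES = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNSPECIFIED"]
RANK = {s: i for i, s in enumerate(SEVERITIES)}

def compliance_filter(compliance_type):
    """Filters argument for list-resource-compliance-summaries and
    list-compliance-summaries. Type is EQUAL, NOT_EQUAL, BEGIN_WITH,
    LESS_THAN or GREATER_THAN; ComplianceType is the key filtered on here."""
    return [{"Key": "ComplianceType", "Values": [compliance_type], "Type": "EQUAL"}]

def _severity_summary(**counts):
    """Build a SeveritySummary block (CriticalCount, HighCount, ...) for the sample."""
    return {f"{s.capitalize()}Count": counts.get(s, 0) for s in SEVERITIES}

def _sample_item(resource_id, status, overall, compliant, noncompliant):
    """One ResourceComplianceSummaryItem in the constructed sample."""
    return {
        "ComplianceType": "Patch", "ResourceType": "ManagedInstance",
        "ResourceId": resource_id, "Status": status, "OverallSeverity": overall,
        "ExecutionSummary": {"ExecutionTime": "2019-09-30T12:00:00Z", "ExecutionType": "Command"},
        "CompliantSummary": {"CompliantCount": sum(compliant.values()),
                             "SeveritySummary": _severity_summary(**compliant)},
        "NonCompliantSummary": {"NonCompliantCount": sum(noncompliant.values()),
                                "SeveritySummary": _severity_summary(**noncompliant)},
    }

SAMPLE_RESPONSE = {"ResourceComplianceSummaryItems": [
    _sample_item("i-0123456789abcdef0", "NON_COMPLIANT", "HIGH",
                 {"HIGH": 30, "MEDIUM": 10}, {"HIGH": 3, "MEDIUM": 2}),
    _sample_item("i-0123456789abcdef1", "COMPLIANT", "UNSPECIFIED",
                 {"CRITICAL": 5, "HIGH": 30, "MEDIUM": 10}, {}),
    _sample_item("i-0123456789abcdef2", "NON_COMPLIANT", "CRITICAL",
                 {"CRITICAL": 3, "HIGH": 30, "MEDIUM": 10}, {"CRITICAL": 2}),
]}

def severity_counts(summary):
    """Map a CompliantSummary or NonCompliantSummary block to {SEVERITY: count}."""
    sev = summary.get("SeveritySummary", {})
    return {s: sev.get(f"{s.capitalize()}Count", 0) for s in SEVERITIES}

def noncompliant_report(response):
    """NON_COMPLIANT resources, worst first: by OverallSeverity (the highest
    severity item found on the resource), then by number of missing items."""
    rows = []
    for item in response.get("ResourceComplianceSummaryItems", []):
        if item.get("Status") != "NON_COMPLIANT":
            continue
        nc = item.get("NonCompliantSummary", {})
        rows.append({
            "ResourceId": item["ResourceId"],
            "OverallSeverity": item.get("OverallSeverity", "UNSPECIFIED"),
            "MissingTotal": nc.get("NonCompliantCount", 0),
            "Missing": severity_counts(nc),
        })
    rows.sort(key=lambda r: (RANK.get(r["OverallSeverity"], len(SEVERITIES)), -r["MissingTotal"]))
    return rows

def compliance_ratio(response):
    """Fraction of resources in the response whose Status is COMPLIANT."""
    items = response.get("ResourceComplianceSummaryItems", [])
    if not items:
        return 0.0
    return sum(1 for i in items if i.get("Status") == "COMPLIANT") / len(items)

def fetch(compliance_type="Patch"):
    """Live equivalent of SAMPLE_RESPONSE via boto3 (imported here so the rest
    of the module runs offline), following NextToken pagination."""
    import boto3
    paginator = boto3.client("ssm").get_paginator("list_resource_compliance_summaries")
    items = []
    for page in paginator.paginate(Filters=compliance_filter(compliance_type)):
        items.extend(page.get("ResourceComplianceSummaryItems", []))
    return {"ResourceComplianceSummaryItems": items}

if __name__ == "__main__":
    for row in noncompliant_report(SAMPLE_RESPONSE):
        print(row["ResourceId"], row["OverallSeverity"], row["MissingTotal"], row["Missing"])
    print(f"compliant: {compliance_ratio(SAMPLE_RESPONSE):.0%}")
```

Swap SAMPLE_RESPONSE for fetch() to run against a live account; change the compliance type in compliance_filter to "Association" or a "Custom:" type to report on the other compliance types with the same code. Sorting on OverallSeverity first matters because an instance missing one critical patch usually deserves attention before one missing several medium ones.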

You can view additional compliance data for patching by using the following AWS CLI commands.

describe-patch-group-state

Returns high-level aggregated patch compliance state for a patch group. (API: DescribePatchGroupState)

describe-instance-patch-states-for-patch-group

Returns the high-level patch state for the instances in the specified patch group. (API: DescribeInstancePatchStatesForPatchGroup)

Note

For an illustration of how to configure patching and view patch compliance details by using the AWS CLI, see Systems Manager Patch Manager Walkthroughs.

Viewing Compliance Configuration History and Change Tracking

Systems Manager Configuration Compliance displays current patching and association compliance data for your managed instances. You can view patching and association compliance history and change tracking by using AWS Config. AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time. To view patching and association compliance history and change tracking, you must enable recording of the following resource types in AWS Config:

  • SSM:PatchCompliance (AWS Config resource type AWS::SSM::PatchCompliance)

  • SSM:AssociationCompliance (AWS Config resource type AWS::SSM::AssociationCompliance)

For information about how to choose and configure these specific resources in AWS Config, see Selecting Which Resources AWS Config Records in the AWS Config Developer Guide.
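The following Python script is an added example, not part of this guide or of AWS Config. It checks whether the configuration recorders in an account record the two compliance resource types named above (taking into account a recorder that records all supported types) and builds an updated recorder definition that does. SAMPLE_RECORDERS is constructed in the shape returned by describe-configuration-recorders; the role ARN and account ID in it are placeholders.

```python
"""Verify that AWS Config records the Systems Manager compliance resource types.

Added example, not from the Systems Manager guide. SAMPLE_RECORDERS is
constructed in the shape of a describe-configuration-recorders response; the
role ARN and account ID are placeholders."""

REQUIRED_TYPES = ["AWS::SSM::PatchCompliance", "AWS::SSM::AssociationCompliance"]

# Constructed sample: one recorder that records a fixed list of types and is
# missing AssociationCompliance.
SAMPLE_RECORDERS = {
    "ConfigurationRecorders": [{
        "name": "default",
        "roleARN": "arn:aws:iam::123456789012:role/aws-service-role/"
                   "config.amazonaws.com/AWSServiceRoleForConfig",
        "recordingGroup": {
            "allSupported": False,
            "includeGlobalResourceTypes": False,
            "resourceTypes": ["AWS::EC2::Instance", "AWS::SSM::PatchCompliance"],
        },
    }]
}

def missing_types(recording_group):
    """Required types that this recordingGroup does not record. A group with
    allSupported=True records every supported type, including these two."""
    if recording_group.get("allSupported"):
        return []
    recorded = set(recording_group.get("resourceTypes", []))
    return [t for t in REQUIRED_TYPES if t not in recorded]

def audit(describe_response):
    """{recorder name: [missing types]} for every recorder in the response."""
    return {r["name"]: missing_types(r.get("recordingGroup", {}))
            for r in describe_response.get("ConfigurationRecorders", [])}

def with_compliance_types(recorder):
    """Copy of a recorder definition whose recordingGroup also records the two
    compliance types; suitable as input to put-configuration-recorder."""
    group = dict(recorder.get("recordingGroup", {}))
    if group.get("allSupported"):
        return dict(recorder)  # already covered
    types = list(group.get("resourceTypes", []))
    types += [t for t in REQUIRED_TYPES if t not in types]
    group["resourceTypes"] = types
    return {**recorder, "recordingGroup": group}

def apply(recorder):
    """Push the updated recorder with boto3 (imported here so the rest of the
    module runs offline). Requires config:PutConfigurationRecorder."""
    import boto3
    boto3.client("config").put_configuration_recorder(ConfigurationRecorder=recorder)

if __name__ == "__main__":
    for name, missing in audit(SAMPLE_RECORDERS).items():
        print(name, "missing:", missing or "nothing")
```

Run audit() against the output of describe-configuration-recorders in each Region where you have managed instances; compliance history is only recorded from the point the resource types are enabled, so gaps in the recorder configuration show up as gaps in the history.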

Note

For information about AWS Config pricing, see Pricing.