Remediating compliance issues - AWS Systems Manager

Remediating compliance issues

You can quickly remediate patch and association compliance issues by using Systems Manager Run Command. You can target either instance IDs or Amazon EC2 tags and run the AWS-RunPatchBaseline document or the AWS-RefreshAssociation document. If refreshing the association or re-running the patch baseline fails to resolve the compliance issue, then you need to investigate your associations, patch baselines, or instance configurations to understand why the Run Command executions did not resolve the problem.

For more information about patching, see AWS Systems Manager Patch Manager and About the SSM document AWS-RunPatchBaseline.

For more information about associations, see Working with associations in Systems Manager.

For more information about running a command, see Running commands using Systems Manager Run Command.

Specify Configuration Compliance as the target of a CloudWatch Events event

You can also configure CloudWatch Events to perform an action in response to Configuration Compliance events. For example, if one or more instances fail to install Critical patch updates or fail to run an association that installs anti-virus software, then you can configure CloudWatch to run the AWS-RunPatchBaseline document or the AWS-RefreshAssociation document when the Configuration Compliance event occurs.

Use the following procedure to configure Configuration Compliance as the target of a CloudWatch event.

To configure Configuration Compliance as the target of a CloudWatch event (console)

  1. Sign in to the AWS Management Console and open the CloudWatch console at

  2. In the left navigation pane, choose Events, and then choose Create rule.

  3. Choose Event Pattern. Event Pattern lets you build a rule that generates events for specific actions in AWS services.

  4. In the Service Name field, choose EC2 Simple Systems Manager (SSM).

  5. In the Event Type field, choose Configuration Compliance.

  6. Choose Add target.

  7. In the Select target type list, choose SSM Run Command.

  8. In the Document list, choose an SSM document to run when your target is invoked. For example, choose AWS-RunPatchBaseline for a non-compliant patch event, or choose AWS-RefreshAssociation for a non-compliant association event.

  9. Specify information for the remaining fields and parameters.

    Required fields and parameters have an asterisk (*) next to the name. To create a target, you must specify a value for each required parameter or field. If you don't, the system creates the rule, but the rule won't be run.

  10. Choose Configure details and complete the wizard.
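The two paths this page describes, on-demand remediation with Run Command (targeting instance IDs or EC2 tags) and a CloudWatch Events rule that runs the same documents when a Configuration Compliance event occurs, as an added AWS CLI example. This script is not AWS's own code and does not come from the page. Its assumptions: the region, account ID, IAM role name, rule name, association ID and tag values are constructed placeholders; the `source`, `detail-type` and `detail` field names follow the SSM Configuration Compliance event schema; passing document parameters through the target's `Input` field, the `associationIds` parameter of AWS-RefreshAssociation, and the `Status` filter key for `list-resource-compliance-summaries` are taken from the AWS documentation rather than from this page. By default it runs in dry-run mode and prints each aws call; set DRY_RUN=0 to apply.

```shell
#!/bin/sh
# Added example (not AWS's code): remediate SSM compliance findings with
# Run Command, and create a CloudWatch Events rule that runs the same
# documents when a "Configuration Compliance State Change" event fires.
# Constructed placeholders: region, account ID, role name, rule name, tags.
set -eu

REGION="${REGION:-us-east-1}"
ACCOUNT_ID="${ACCOUNT_ID:-111122223333}"          # constructed placeholder
RULE_NAME="${RULE_NAME:-ssm-patch-noncompliant-remediate}"
# Role that CloudWatch Events assumes to call ssm:SendCommand (assumed name).
EVENTS_ROLE_ARN="${EVENTS_ROLE_ARN:-arn:aws:iam::${ACCOUNT_ID}:role/CwEventsSsmRunCommandRole}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print each aws call instead of running it

# Document parameters for the rule target, passed as a JSON string in the
# target's Input field (assumed from the CloudWatch Events Run Command docs).
PATCH_INSTALL_INPUT='{\"Operation\":[\"Install\"],\"RebootOption\":[\"RebootIfNeeded\"]}'

# run: execute the aws call, or print it when DRY_RUN=1
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Investigation step: which managed instances are currently non-compliant,
# and for which compliance type (Patch or Association)?
list_noncompliant() {
  run aws ssm list-resource-compliance-summaries --region "$REGION" \
    --filters "Key=Status,Values=NON_COMPLIANT,Type=EQUAL"
}

# On-demand remediation of patch non-compliance, targeting an EC2 tag so
# that every instance in the group (including new ones) is covered.
remediate_patch_by_tag() {
  tag_key="$1"; tag_value="$2"
  run aws ssm send-command --region "$REGION" \
    --document-name AWS-RunPatchBaseline \
    --targets "Key=tag:${tag_key},Values=${tag_value}" \
    --parameters "Operation=Install,RebootOption=RebootIfNeeded" \
    --comment "remediate patch non-compliance"
}

# On-demand remediation of a non-compliant association on explicit instances.
# The associationIds parameter limits the refresh to one association.
remediate_association_by_instance() {
  assoc_id="$1"; shift
  [ "$#" -ge 1 ] || { echo "need at least one instance ID" >&2; return 1; }
  run aws ssm send-command --region "$REGION" \
    --document-name AWS-RefreshAssociation \
    --instance-ids "$@" \
    --parameters "associationIds=${assoc_id}"
}

# Event pattern: only NON-compliant findings of one type, so the transition
# back to compliant after remediation does not trigger another run.
compliance_event_pattern() {
  compliance_type="$1"   # Patch or Association
  printf '{"source":["aws.ssm"],"detail-type":["Configuration Compliance State Change"],"detail":{"compliance-status":["non_compliant"],"compliance-type":["%s"]}}' \
    "$compliance_type"
}

# Run Command target for put-targets: document ARN, role, document input,
# and a static tag-based RunCommandTargets list.
run_command_target() {
  document="$1"; tag_key="$2"; tag_value="$3"; input_json="$4"
  printf '[{"Id":"1","Arn":"arn:aws:ssm:%s:%s:document/%s","RoleArn":"%s","Input":"%s","RunCommandParameters":{"RunCommandTargets":[{"Key":"tag:%s","Values":["%s"]}]}}]' \
    "$REGION" "$ACCOUNT_ID" "$document" "$EVENTS_ROLE_ARN" "$input_json" "$tag_key" "$tag_value"
}

# Create the rule and attach the Run Command target (the console steps
# above, done from the CLI instead).
create_patch_remediation_rule() {
  tag_key="$1"; tag_value="$2"
  run aws events put-rule --region "$REGION" --name "$RULE_NAME" \
    --description "Run AWS-RunPatchBaseline when an instance reports patch non-compliance" \
    --event-pattern "$(compliance_event_pattern Patch)"
  run aws events put-targets --region "$REGION" --rule "$RULE_NAME" \
    --targets "$(run_command_target AWS-RunPatchBaseline "$tag_key" "$tag_value" "$PATCH_INSTALL_INPUT")"
}

main() {
  list_noncompliant
  remediate_patch_by_tag PatchGroup Production
  # association ID and instance ID below are constructed placeholders
  remediate_association_by_instance "00000000-0000-0000-0000-000000000000" i-0123456789abcdef0
  create_patch_remediation_rule PatchGroup Production
}
main "$@"
```

Two design points worth keeping when you adapt this. The pattern matches only `non_compliant` state changes, so the instance reporting compliant again after the patch run does not retrigger the rule; a pattern without that filter would fire on every transition. The rule target lists instances by tag because `RunCommandTargets` is static in the rule, while the event's `resource-id` field names the one instance that reported; that ID is where to start the investigation the page describes when a re-run does not clear the finding. The events role needs only `ssm:SendCommand` on the two document ARNs and on the tagged instances. Dry-run output prints arguments unquoted for readability; set `DRY_RUN=0` to execute them.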