AWS Systems Manager
User Guide

Viewing Inventory History and Change Tracking

You can view Inventory history and change tracking for all of your managed instances by using AWS Config. AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time. To view Inventory history and change tracking, you must enable the following resources in AWS Config.

  • SSM:ManagedInstanceInventory

  • SSM:PatchCompliance

  • SSM:AssociationCompliance

Note

By enabling SSM:PatchCompliance and SSM:AssociationCompliance, you can view Patch Manager patching and State Manager association compliance history and change tracking. For more information about compliance management for these resources, see Working With Configuration Compliance.

The following procedure describes how to enable Inventory history and change-track recording in AWS Config by using the AWS CLI. For more information about how to choose and configure these resources in AWS Config, see Selecting Which Resources AWS Config Records in the AWS Config Developer Guide. For information about AWS Config pricing, see Pricing.

Before You Begin

AWS Config requires AWS Identity and Access Management (IAM) permissions to get configuration details about Systems Manager resources. In the following procedure, you must specify an Amazon Resource Name (ARN) for an IAM role that gives AWS Config permission to Systems Manager resources. You can attach the AWSConfigRole managed policy to the IAM role that you assign to AWS Config. For information about how to create an IAM role and assign the AWSConfigRole managed policy to that role, see Creating a Role to Delegate Permissions to an AWS Service in the IAM User Guide.

To enable Inventory history and change-track recording in AWS Config

  1. Download the latest version of the AWS CLI to your local machine.

  2. Open the AWS CLI and run the following command to specify your credentials and a Region. You must either have administrator privileges, or you must have been granted the appropriate permission in AWS Identity and Access Management (IAM).

    aws configure

    The system prompts you to specify the following.

    AWS Access Key ID [None]: key_name
    AWS Secret Access Key [None]: key_name
    Default region name [None]: region
    Default output format [None]: ENTER

  3. Copy and paste the following JSON sample into a simple text file and save it as recordingGroup.json.

    {
      "allSupported": false,
      "includeGlobalResourceTypes": false,
      "resourceTypes": [
        "AWS::SSM::AssociationCompliance",
        "AWS::SSM::PatchCompliance",
        "AWS::SSM::ManagedInstanceInventory"
      ]
    }

  4. Execute the following command to load the recordingGroup.json file into AWS Config.

    aws configservice put-configuration-recorder --configuration-recorder name=myRecorder,roleARN=arn:aws:iam::123456789012:role/myConfigRole --recording-group file://recordingGroup.json

  5. Execute the following command to start recording Inventory history and change tracking.

    aws configservice start-configuration-recorder --configuration-recorder-name myRecorder
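
A check that the procedure took effect, as an added example that is not part of the AWS guide: it reads the JSON printed by `aws configservice describe-configuration-recorders` and `aws configservice describe-configuration-recorder-status` and reports any of the three Systems Manager resource types that are not recorded, or a recorder that was never started. The function name `check_recorder` and the sample output are constructed for illustration.

```python
import json

# Resource types from recordingGroup.json in step 3 of the procedure.
REQUIRED = {
    "AWS::SSM::AssociationCompliance",
    "AWS::SSM::PatchCompliance",
    "AWS::SSM::ManagedInstanceInventory",
}

def check_recorder(recorders_json, status_json, name):
    """Return a list of problems; an empty list means tracking is active."""
    recorders = json.loads(recorders_json).get("ConfigurationRecorders", [])
    statuses = json.loads(status_json).get("ConfigurationRecordersStatus", [])
    rec = next((r for r in recorders if r.get("name") == name), None)
    if rec is None:
        return [f"recorder {name!r} not found"]
    problems = []
    if not rec.get("roleARN"):
        problems.append("no roleARN set on recorder")
    group = rec.get("recordingGroup", {})
    # allSupported=true records every supported type, so the list is not needed.
    if not group.get("allSupported"):
        missing = REQUIRED - set(group.get("resourceTypes", []))
        problems += [f"not recorded: {t}" for t in sorted(missing)]
    st = next((s for s in statuses if s.get("name") == name), None)
    if st is None or not st.get("recording"):
        problems.append("recorder is not started (step 5)")
    elif str(st.get("lastStatus", "")).upper() == "FAILURE":
        problems.append("last recording status is FAILURE")
    return problems

# Constructed sample output: PatchCompliance was left out and step 5 was skipped.
SAMPLE_RECORDERS = json.dumps({"ConfigurationRecorders": [{
    "name": "myRecorder",
    "roleARN": "arn:aws:iam::123456789012:role/myConfigRole",
    "recordingGroup": {
        "allSupported": False,
        "includeGlobalResourceTypes": False,
        "resourceTypes": ["AWS::SSM::AssociationCompliance",
                          "AWS::SSM::ManagedInstanceInventory"]},
}]})
SAMPLE_STATUS = json.dumps({"ConfigurationRecordersStatus": [
    {"name": "myRecorder", "recording": False}]})

if __name__ == "__main__":
    for line in check_recorder(SAMPLE_RECORDERS, SAMPLE_STATUS, "myRecorder") or ["OK"]:
        print(line)
```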

After you configure history and change tracking, you can drill down into the history for a specific managed instance by choosing the AWS Config button in the Systems Manager console.

[Figure: A button in Systems Manager that opens the AWS Config console.]

You can access the AWS Config button from either the Managed Instances page or the Inventory page. Depending on your monitor size, you might need to scroll to the right side of the page to see the button.