AWS Systems Manager
User Guide

Systems Manager Documentation Update History

The following table describes important changes to the documentation since the preceding release of AWS Systems Manager.

  • API version: 2014-11-06

  • Last update: March 15, 2018

Change Description Release Date
New section

To provide a single source for reference information in the AWS Systems Manager User Guide, a new section has been introduced, AWS Systems Manager Reference. Additional content will be added to this section as it becomes available.

March 15, 2018
New topic

The new topic Package Name Formats for Approved and Rejected Patch Lists details the package name formats you can enter in the lists of approved patches and rejected patches for a custom patch baseline. Sample formats are provided for each operating system type supported by Patch Manager.

March 9, 2018
New topic

Systems Manager now integrates with Chef InSpec. InSpec is an open-source, runtime framework that enables you to create human-readable profiles on GitHub or Amazon S3. Then you can use Systems Manager to run compliance scans and view compliant and noncompliant instances. For more information, see Using Chef InSpec Profiles with Systems Manager Compliance.

March 7, 2018
New topic

The new topic Using Service-Linked Roles for Systems Manager describes how to use an AWS Identity and Access Management (IAM) service-linked role with Systems Manager. Currently, service-linked roles are only required when using Systems Manager Inventory to collect metadata about tags and Resource Groups.

February 27, 2018
New and updated topics

You can now use Patch Manager to install patches that are in a different source repository than the default one configured on the instance. This is useful for patching instances with updates not related to security; with the content of Personal Package Archives (PPA) for Ubuntu Server; with updates for internal corporate applications; and so on. You specify alternative patch source repositories when you create a custom patch baseline. For more information, see the following topics:

In addition, you can now use Patch Manager to patch SUSE Linux Enterprise Server instances. Patch Manager supports patching SLES 12.* versions (64-bit only). For more information, see the SLES-specific information in the following topics:

February 6, 2018
New topic

The new topic Upgrade the Python Requests Module on Amazon Linux Instances That Use a Proxy Server provides instructions for ensuring that instances created using an Amazon Linux AMI have been updated with a current version of the Python requests module. This requirement is to ensure compatibility with Patch Manager.

January 12, 2018
New topic

The new topic Overview of SSM Documents for Patching Instances describes the seven SSM documents currently available to help you keep your managed instances patched with the latest security-related updates.

January 10, 2018
Important updates regarding Linux support

Updated various topics with the following information:

  • SSM Agent is installed, by default, on Amazon Linux base AMIs dated 2017.09 and later.

  • You must manually install SSM Agent on other versions of Linux, including non-base images like Amazon ECS-Optimized AMIs.

January 9, 2018
New topic

A new topic, About the SSM Document AWS-RunPatchBaseline, provides details of how this SSM document operates on both Windows and Linux systems. It also provides information about the two available parameters in the AWS-RunPatchBaseline document, Operation and Snapshot ID.

January 5, 2018
New topics

A new section, How Patch Manager Operations Work, provides technical details that explain how Patch Manager determines which security patches to install and how it installs them on each supported operating system. It also provides information about how patch baseline rules work on different distributions of the Linux operating system.

January 2, 2018
Retitled and moved the Systems Manager Automation Actions Reference

Based on customer feedback, the Automation Actions Reference is now called the Systems Manager Automation Document Reference. Furthermore, we moved the reference into the Shared Resources > Documents node so it is closer to the SSM Document Plugin Reference. For more information, see Systems Manager Automation Document Reference.

December 20, 2017

New Monitoring chapter and content

A new chapter, Monitoring Instances with AWS Systems Manager, provides instructions for sending metrics and log data to Amazon CloudWatch Logs. A new topic, Send Logs to CloudWatch Logs (CloudWatch Agent), provides instructions for migrating on-instance monitoring tasks, on 64-bit Windows Server instances only, from SSM Agent to the CloudWatch Agent.

December 14, 2017

New chapter

A new chapter, Authentication and Access Control for AWS Systems Manager, provides comprehensive information about using AWS Identity and Access Management (IAM) and AWS Systems Manager to help secure access to your resources through the use of credentials. These credentials provide the permissions required to access AWS resources, such as accessing data stored in Amazon S3 buckets and sending commands to and reading the tags on Amazon EC2 instances.

December 11, 2017

Changes to the left navigation

We changed the headings in the left navigation of this user guide to match the headings in the new AWS Systems Manager console.

December 8, 2017

Multiple changes for re:Invent 2017

  • Official launch of AWS Systems Manager: AWS Systems Manager (formerly Amazon EC2 Systems Manager) is a unified interface that allows you to easily centralize operational data and automate tasks across your AWS resources. You can access the new AWS Systems Manager console here. For more information, see What Is AWS Systems Manager?

  • YAML Support: You can create SSM documents in YAML. For more information, see AWS Systems Manager Documents.

November 29, 2017

Using Run Command to Take VSS-Enabled Snapshots of EBS Volumes

Using Run Command, you can take application-consistent snapshots of all Amazon Elastic Block Store (Amazon EBS) volumes attached to your Amazon EC2 Windows instances. The snapshot process uses the Windows Volume Shadow Copy Service (VSS) to take image-level backups of VSS-aware applications, including data from pending transactions between these applications and the disk. Furthermore, you don't need to shut down your instances or disconnect them when you need to back up all attached volumes. For more information, see Using Run Command to Take VSS-Enabled Snapshots of EBS Volumes.

November 20, 2017

Enhanced Systems Manager Security Available By Using VPC Endpoints

You can improve the security posture of your managed instances (including managed instances in your hybrid environment) by configuring Systems Manager to use an interface VPC endpoint. Interface endpoints are powered by PrivateLink, a technology that enables you to privately access Amazon EC2 and Systems Manager APIs by using private IP addresses. PrivateLink restricts all network traffic between your managed instances, Systems Manager, and EC2 to the Amazon network (managed instances don't have access to the Internet). Also, you don't need an Internet gateway, a NAT device, or a virtual private gateway. For more information, see Setting Up VPC Endpoints for Systems Manager.

November 7, 2017

Inventory Support for Files, Services, Windows Roles, and the Windows Registry

SSM Inventory now supports gathering the following information from your managed instances.

  • Files: Name, size, version, installed date, modification and last accessed times, etc.

  • Services: Name, display name, status, dependent services, service type, start type, etc.

  • Windows Registry: Registry key path, value name, value type, and value.

  • Windows roles: Name, display name, path, feature type, installed state, etc.

Before you attempt to collect information for these inventory types, update SSM Agent on the instances you want to inventory. By running the latest version of SSM Agent, you ensure that you can collect metadata for all supported inventory types. For information about how to update SSM Agent by using State Manager, see Walkthrough: Automatically Update the SSM Agent (CLI).

For more information about Inventory, see About Systems Manager Inventory.

November 6, 2017

Updates to Automation documentation

Fixed several issues in the information about setting up and configuring access for Systems Manager Automation. For more information, see Setting Up Automation.

October 31, 2017

GitHub and Amazon S3 Integration

Run remote scripts: Systems Manager now supports downloading and running scripts from a private or public GitHub repository, and from Amazon S3. Using either the AWS-RunRemoteScript pre-defined SSM document or the aws:downloadContent plugin in a custom SSM document, you can run Ansible Playbooks and scripts in Python, Ruby, or PowerShell, to name a few. These changes further enhance infrastructure as code when you use Systems Manager to automate configuration and deployment of Amazon EC2 instances and on-premises managed instances in your hybrid environment. For more information, see Partner and Product Integration.

Create composite SSM documents: Systems Manager now supports running one or more secondary SSM documents from a primary SSM document. These primary documents that run other documents are called composite documents. Composite documents enable you to create and share a standard set of secondary SSM documents across AWS accounts for common tasks such as boot-strapping anti-virus software or domain-joining instances. You can run composite and secondary documents stored in Systems Manager, GitHub, or Amazon S3. After you create a composite document, you can run it by using the AWS-RunDocument pre-defined SSM document. For more information, see Creating Composite Documents and Running Documents from Remote Locations.

SSM document plugin reference: For easier access, we moved the SSM Plugin Reference for SSM documents out of the Systems Manager API Reference and into the User Guide. For more information, see SSM Document Plugin Reference.

October 26, 2017

Support for Parameter Versions in Parameter Store

When you edit a parameter, Parameter Store now automatically increments the version number by 1. You can specify a parameter name and a specific version number in API calls and SSM documents. If you don't specify a version number, the system automatically uses the latest version.

Parameter versions provide a layer of protection in the event that a parameter is accidentally changed. You can view the values of all versions, and reference older versions if necessary. You can also use parameter versions to see how many times a parameter changed over a period of time. For more information, see Working with Parameter Versions.

October 24, 2017

Support for Tagging Systems Manager Documents

You can now use the AddTagsToResource API, the AWS CLI, or the AWS Tools for Windows to tag Systems Manager documents with key-value pairs. Tagging helps you quickly identify specific resources based on the tags you've assigned to them. This is in addition to existing tagging support for managed instances, Maintenance Windows, Parameter Store parameters, and patch baselines. New topics include Tagging Systems Manager Documents and Controlling Access to Documents Using Tags.

October 3, 2017

Various Documentation Updates to Fix Errors or Update Content Based on Feedback

October 2, 2017

Troubleshoot Unreachable Windows Instances by Using the EC2Rescue Automation Workflow

EC2Rescue can help you diagnose and troubleshoot problems on Amazon EC2 Windows Server instances. You can run the tool as a Systems Manager Automation workflow by using the AWSSupport-ExecuteEC2Rescue document. The AWSSupport-ExecuteEC2Rescue document is designed to perform a combination of Systems Manager actions, AWS CloudFormation actions, and Lambda functions that automate the steps normally required to use EC2Rescue. For more information, see Run the EC2Rescue Tool on Unreachable Instances.

September 29, 2017

SSM Agent Installed By Default on Amazon Linux

SSM Agent is installed, by default, on Amazon Linux AMIs dated 2017.09 and later. You must manually install SSM Agent on other versions of Linux, as described in Installing and Configuring SSM Agent on Linux Instances.

September 27, 2017

Run Command Enhancements

Run Command includes the following enhancements.

  • You can restrict command execution to specific instances by creating an IAM user policy that includes a condition that the user can only execute commands on instances that are tagged with specific Amazon EC2 tags. For more information, see Restricting Run Command Access Based on Instance Tags.

  • You have more options for targeting instances by using Amazon EC2 tags. You can now specify multiple tag keys and multiple tag values when sending commands. For more information, see Sending Commands to a Fleet.

September 12, 2017

Systems Manager Supported on Raspbian

Systems Manager can now run on Raspbian Jessie and Raspbian Stretch devices, including Raspberry Pi (32-Bit). For more information, see Raspbian.

September 7, 2017

Automatically Send SSM Agent Logs to Amazon CloudWatch Logs

You can now make a simple configuration change on your instances to have SSM Agent send log files to CloudWatch. For more information, see Send Logs to CloudWatch Logs (SSM Agent).

September 7, 2017

Encrypt Resource Data Sync

Systems Manager Resource Data Sync lets you aggregate Inventory data collected on dozens or hundreds of managed instances in a central Amazon S3 bucket. You can now encrypt Resource Data Sync by using an AWS Key Management Service key. For more information, see Walkthrough: Use Resource Data Sync to Aggregate Inventory Data.

September 1, 2017

New State Manager Walkthroughs

Added two new walkthroughs to the State Manager documentation:

Walkthrough: Automatically Update the SSM Agent (CLI)

Walkthrough: Automatically Update PV Drivers on EC2 Windows Instances (Console)

August 31, 2017

Systems Manager Configuration Compliance

Use Configuration Compliance to scan your fleet of managed instances for patch compliance and configuration inconsistencies. You can collect and aggregate data from multiple AWS accounts and Regions, and then drill down into specific resources that aren’t compliant. By default, Configuration Compliance displays compliance data about Patch Manager patching and State Manager associations. You can also customize the service and create your own compliance types based on your IT or business requirements. For more information, see AWS Systems Manager Configuration Compliance.

August 28, 2017

New Automation Action: aws:executeAutomation

Executes a secondary Automation workflow by calling a secondary Automation document. With this action, you can create Automation documents for your most common workflows, and reference those documents during an Automation execution. This action can simplify your Automation documents by removing the need to duplicate steps across similar documents. For more information, see aws:executeAutomation.

August 22, 2017

Automation as the Target of a CloudWatch Event

You can start an Automation workflow by specifying an Automation document as the target of an Amazon CloudWatch event. You can start workflows according to a schedule, or when a specific AWS system event occurs. For more information, see Configuring Automation as a CloudWatch Events Target (Optional).

August 21, 2017

State Manager Association Versioning and General Updates

You can now create different State Manager association versions. There is a limit of 1,000 versions for each association. You can also specify names for your associations. Also, the State Manager documentation has been updated to address outdated information and inconsistencies. For more information, see AWS Systems Manager State Manager.

August 21, 2017

Changes to Maintenance Windows

Maintenance Windows include the following changes or enhancements:

  • Previously, Maintenance Windows could only perform tasks by using Run Command. You can now perform tasks by using Systems Manager Automation, AWS Lambda, and AWS Step Functions.

  • You can edit the targets of a Maintenance Window and specify a target name, description, and owner.

  • You can edit tasks in a Maintenance Window, including specifying a new SSM document for Run Command and Automation tasks.

  • All Run Command parameters are now supported, including DocumentHash, DocumentHashType, TimeoutSeconds, Comment, and NotificationConfig.

  • You can now use a safe flag when you attempt to deregister a target. If enabled, the system returns an error if the target is referenced by any task.

For more information, see AWS Systems Manager Maintenance Windows.

August 16, 2017

New Automation Action: aws:approve

This new action for Automation documents temporarily pauses an Automation execution until designated principals either approve or reject the action. After the required number of approvals is reached, the Automation execution resumes.

For more information, see Systems Manager Automation Document Reference.

August 10, 2017

Automation Assume Role No Longer Required

Automation previously required that you specify a service role (or assume role) so that the service had permission to perform actions on your behalf. Automation no longer requires this role because the service now operates by using the context of the user who invoked the execution.

However, the following situations still require that you specify a service role for Automation:

  • When you want to restrict a user's privileges on a resource, but you want the user to execute an Automation workflow that requires higher privileges. In this scenario, you can create a service role with higher privileges and allow the user to execute the workflow.

  • Operations that you expect to run longer than 12 hours require a service role.

For more information, see Setting Up Automation.

August 3, 2017

Configuration Compliance

Use Amazon EC2 Systems Manager Configuration Compliance to scan your fleet of managed instances for patch compliance and configuration inconsistencies. You can collect and aggregate data from multiple AWS accounts and Regions, and then drill down into specific resources that aren’t compliant. For more information, see AWS Systems Manager Configuration Compliance.

August 8, 2017

SSM Document Enhancements

SSM Command and Policy documents now offer cross-platform support. This means that a single SSM document can process plugins for Windows and Linux operating systems. Cross-platform support enables you to consolidate the number of documents you manage. Cross-platform support is offered in SSM documents that use schema version 2.2 or later.

SSM Command documents that use schema version 2.0 or later can now include multiple plugins of the same type. For example, you can create a Command document that calls the aws:runShellScript plugin multiple times.

For more information about schema version 2.2 changes, see AWS Systems Manager Documents. For more information about SSM plugins, see Systems Manager Plugins.

July 12, 2017

Linux Patching

Patch Manager can now patch the following Linux distributions:

64-Bit and 32-Bit Systems

  • Amazon Linux 2014.03, 2014.09, or later

  • Ubuntu Server 16.04 LTS, 14.04 LTS, or 12.04 LTS

  • Red Hat Enterprise Linux (RHEL) 6.5 or later

64-Bit Systems Only

  • Amazon Linux 2015.03, 2015.09, or later

  • Red Hat Enterprise Linux (RHEL) 7.x or later

For more information, see AWS Systems Manager Patch Manager.


  • To patch Linux instances, your instances must be running SSM Agent version 2.0.834.0 or later. For information about updating the agent, see the section titled Example: Update the SSM Agent in Running Commands from the Console.

  • The AWS-ApplyPatchBaseline SSM document is being replaced by the AWS-RunPatchBaseline document.

July 6, 2017

Resource Data Sync

You can use Systems Manager Resource Data Sync to send Inventory data collected from all of your managed instances to a single Amazon S3 bucket. Resource Data Sync then automatically updates the centralized data when new Inventory data is collected. With all Inventory data stored in a target Amazon S3 bucket, you can use services like Amazon Athena and Amazon QuickSight to query and analyze the aggregated data. For more information, see Configuring Resource Data Sync for Inventory. For an example of how to work with Resource Data Sync, see Walkthrough: Use Resource Data Sync to Aggregate Inventory Data.

June 29, 2017

Systems Manager Parameter Hierarchies

Managing dozens or hundreds of Systems Manager parameters as a flat list is time-consuming and prone to errors. You can use parameter hierarchies to help you organize and manage Systems Manager parameters. A hierarchy is a parameter name that includes a path that you define by using forward slashes. Here is an example that uses three hierarchy levels in the name to identify the following:

/Environment/Type of computer/Application/Data


For more information, see Organizing Parameters into Hierarchies. For an example of how to work with parameter hierarchies, see Walkthrough: Manage Parameters Using Hierarchies (AWS CLI).

June 22, 2017

SSM Agent Support for SUSE Linux Enterprise Server

You can install the SSM Agent on 64-bit SUSE Linux Enterprise Server (SLES). For more information, see Installing and Configuring SSM Agent on Linux Instances.

June 14, 2017