AWS Systems Manager
User Guide


Document History

The following table describes the important changes to the documentation since the last release of AWS Systems Manager. For notification about updates to this documentation, you can subscribe to an RSS feed.

Important

An updated version of SSM Agent is released whenever new capabilities are added to Systems Manager or updates are made to existing capabilities. If an older version of the agent is running on an instance, some SSM Agent processes can fail. For that reason, we recommend that you automate the process of keeping SSM Agent up-to-date on your instances. For information, see Automate Updates to SSM Agent. To be notified about SSM Agent updates, subscribe to the SSM Agent Release Notes page on GitHub.

  • API version: 2014-11-06

Change Description Date

Restrict Session Manager access using AWS-supplied tags

A second method for controlling user access to session actions is now available. This new method lets you create IAM access policies using AWS-supplied session tags instead of using the {aws:username} variable. Using these AWS-supplied session tags makes it possible for organizations that use federated IDs to control user access to sessions. For information, see Allow a User to Terminate Only Sessions They Started.

October 2, 2019

New Ansible SSM Document: AWS-ApplyAnsiblePlaybooks

You can create State Manager associations that run Ansible Playbooks by using the AWS-ApplyAnsiblePlaybooks document. This document offers the following benefits for running Playbooks:

  • Support for running complex Playbooks

  • Support for downloading Playbooks from GitHub and Amazon Simple Storage Service (Amazon S3)

  • Support for compressed Playbook structure

  • Enhanced logging

  • Ability to specify which Playbook to run when Playbooks are bundled

For more information, see Creating Associations that Run Ansible Playbooks.

September 24, 2019

Port forwarding support for Session Manager

Session Manager now supports port forwarding sessions. Port forwarding allows you to securely create tunnels between your instances deployed in private subnets, without the need to start the SSH service on the server, to open the SSH port in the security group, or to use a bastion host. Similar to SSH tunnels, port forwarding allows you to forward traffic between your laptop and open ports on your instance. Once port forwarding is configured, you can connect to the local port and access the server application running inside the instance. For more information, see the following topics:

August 29, 2019

Specify a default parameter tier or automate tier selection

You can now specify a default parameter tier to use for requests to create or update a parameter that do not specify a tier. You can set the default tier to standard parameters, advanced parameters, or a new option, Intelligent-Tiering. Intelligent-Tiering evaluates each PutParameter request and creates an advanced parameter only when required. (Advanced parameters are required if the size of the parameter value is more than 4 KB, a parameter policy is associated with the parameter, or the maximum 10,000 parameters supported for the standard tier are already created.) For more information about specifying a default tier and using Intelligent-Tiering, see Specifying a Default Parameter Tier.

August 27, 2019

Working with Associations section updated with CLI and PowerShell procedures

The Working with Associations section has been updated to include procedural documentation for managing associations using the AWS CLI or AWS Tools for PowerShell. For information, see Working with Associations in Systems Manager.

August 26, 2019

Working with Automation Executions section updated with CLI and PowerShell procedures

The Working with Automation Executions section has been updated to include procedural documentation for running Automation workflows using the AWS CLI or AWS Tools for PowerShell. For information, see Working with Automation Executions.

August 20, 2019

OpsCenter integrates with Application Insights

OpsCenter integrates with Amazon CloudWatch Application Insights for .NET and SQL Server. This means you can automatically create OpsItems for problems detected in your applications. For information about how to configure Application Insights to create OpsItems, see Setting Up Your Application in the Amazon CloudWatch User Guide.

August 7, 2019

New console feature: AWS Systems Manager Quick Setup

Quick Setup is a new feature in the Systems Manager console that helps you quickly configure several Systems Manager components on your Amazon EC2 instances. Specifically, Quick Setup helps you configure the following components on the instances you choose or target by using tags:

  • An AWS Identity and Access Management (IAM) instance profile role for Systems Manager.

  • A scheduled, bi-monthly update of SSM Agent.

  • A scheduled collection of Inventory metadata every 30 minutes.

  • A daily scan of your instances to identify missing patches.

  • A one-time installation and configuration of the Amazon CloudWatch agent.

  • A scheduled, monthly update of the CloudWatch agent.

For more information, see AWS Systems Manager Quick Setup.

August 7, 2019

Register a resource group as a maintenance window target

In addition to registering managed instances as the target of a maintenance window, you can now register a resource group as a maintenance window target. Maintenance Windows supports all the AWS resource types that are supported by AWS Resource Groups including AWS::EC2::Instance, AWS::DynamoDB::Table, AWS::OpsWorks::Instance, AWS::Redshift::Cluster, and more. With this release you can also send commands to a resource group, for example by using the Run Command console or the AWS CLI send-command command. For more information, see the following topics:

July 23, 2019

Simplified package creation and versioning with AWS Systems Manager Distributor

Distributor has a new, simplified package creation workflow that can generate a package manifest, scripts, and file hashes for you. You can also use the simplified workflow when you add a version to an existing package.

July 22, 2019

New Document categories pane for Systems Manager Automation

Systems Manager includes a new Document categories pane when you run an Automation in the console. Use this pane to filter Automation documents based on their purpose.

July 18, 2019

Verify user permissions to access the default Session Manager configuration document

When a user in your account uses the AWS CLI to start a Session Manager session and doesn't specify a configuration document in the command, Systems Manager uses the default configuration document SSM-SessionManagerRunShell. You can now verify that the user has been granted permission to access this document by adding a condition element for ssm:SessionDocumentAccessCheck to the IAM user's policy. For information, see Enforce Document Permission Check for Default CLI Scenario.

July 9, 2019

Support for starting Session Manager sessions using operating system user credentials

By default, Session Manager sessions are launched using the credentials of a system-generated ssm-user account that is created on a managed instance. On Linux machines, you can now instead launch sessions using the credentials of an operating system account. For information, see Enable Run As Support for Linux Instances.

July 9, 2019

Support for starting Session Manager sessions using SSH

You can now use the AWS CLI to start an SSH session on a managed instance using Session Manager. For information about enabling SSH sessions with Session Manager, see (Optional) Enable SSH Session Manager Sessions. For information about starting an SSH session using Session Manager, see Starting a Session (SSH).

July 9, 2019

Support for changing passwords on managed instances

You can now reset passwords on machines that you manage using Systems Manager (managed instances). You can reset the password using the Systems Manager console or the AWS CLI. For information, see Resetting Passwords on Managed Instances.

July 9, 2019

Revisions to "What is AWS Systems Manager?"

The introductory content in What is AWS Systems Manager? has been expanded to provide a broader introduction to the service and reflect Systems Manager capabilities that have been released recently. In addition, other content in the section has been moved into individual topics for better discoverability.

June 10, 2019

New Systems Manager capability: OpsCenter

OpsCenter provides a central location where operations engineers and IT professionals can view, investigate, and resolve operational work items (OpsItems) related to AWS resources. OpsCenter is designed to reduce mean time to resolution for issues impacting AWS resources. This Systems Manager capability aggregates and standardizes OpsItems across services while providing contextual investigation data about each OpsItem, related OpsItems, and related resources. OpsCenter also provides Systems Manager Automation documents (runbooks) that you can use to quickly resolve issues. You can specify searchable, custom data for each OpsItem. You can also view automatically-generated summary reports about OpsItems by status and source. For more information, see AWS Systems Manager OpsCenter.

June 6, 2019

Changes to Systems Manager left navigation pane in the AWS Management Console

The Systems Manager left navigation pane in the AWS Management Console includes new headings, including a new heading for Ops Center, that provide a more logical grouping of Systems Manager capabilities.

June 6, 2019

Revised tutorial for creating and configuring a maintenance window using the AWS CLI

Tutorial: Create and Configure a Maintenance Window (AWS CLI) has been overhauled to provide a simple path through the practice steps. You create a single maintenance window, identify a single target, and set up a simple task for the maintenance window to run. Along the way, we provide information and examples you can use to create your own task registration commands, including information for using pseudo parameters such as {{TARGET_ID}}. For additional information and examples, see the following topics:

May 31, 2019

Notifications about SSM Agent updates

To be notified about SSM Agent updates, subscribe to the SSM Agent Release Notes page on GitHub.

May 24, 2019

Receive notifications or trigger actions based on changes in Parameter Store

The topic Set Up Notifications or Trigger Actions Based on Parameter Store Events now helps you set up Amazon CloudWatch Events rules to respond to changes in Parameter Store. You can receive notifications or trigger other actions when any of the following occur:

  • A parameter is created, updated, or deleted.

  • A parameter label version is created, updated, or deleted.

  • A parameter expires, is going to expire, or hasn't changed in a specified period of time.

May 22, 2019

Major revisions to Setting Up and Getting Started content

We have expanded and reorganized the Setting Up and Getting Started content in the AWS Systems Manager User Guide. Setting Up content has been divided into two sections. One section focuses on tasks for setting up Systems Manager to configure and manage your Amazon EC2 instances. The other focuses on tasks for setting up Systems Manager to configure and manage your on-premises servers and virtual machines (VMs) in a hybrid environment. Both sections now present all setup topics as major numbered steps, in the recommended order of completion. A new Getting Started chapter focuses on helping end-users get started with Systems Manager after account and service configuration tasks have been completed.

May 15, 2019

Include patches for Microsoft applications in patch baselines (Windows)

Patch Manager now supports patch updates for Microsoft applications on Windows Server instances. Previously, only patches for the Windows Server operating system were supported. Patch Manager provides two predefined patch baselines for Windows Server instances. The patch baseline AWS-WindowsPredefinedPatchBaseline-OS applies to operating system patches only. AWS-WindowsPredefinedPatchBaseline-OS-Applications applies to both the Windows Server operating system and Microsoft applications on Windows. For information about creating a custom patch baseline that includes patches for Microsoft applications, see the first procedure in Create a Custom Patch Baseline. Also, as part of this update, the names of AWS-provided predefined patch baselines are being changed. For more information, see Predefined Baselines.

May 7, 2019

Examples for registering maintenance window targets using the AWS CLI

The new topic Examples: Register Targets with a Maintenance Window provides three sample commands to demonstrate different ways you can specify the targets for a maintenance window when you use the AWS CLI. The topic also explains the best use case for each of the sample commands.

May 3, 2019

Updates to Patch Group topics

The topic About Patch Groups has been updated to include a section on how managed instances determine the appropriate patch baseline to use during patching operations. Additionally, instructions have been added for using the AWS CLI or Systems Manager console to add Patch Group tags to your managed instances and how to add a Patch Group to a patch baseline. For more information, see Create a Patch Group and Add a Patch Group to a Patch Baseline.

May 1, 2019

New Parameter Store features

Parameter Store offers the following new features:

  • Advanced parameters: Parameter Store now enables you to individually configure parameters to use either a standard-parameter tier (the default tier) or an advanced-parameter tier. Advanced parameters offer a larger size limit for the parameter value, a higher limit for the number of parameters you can create per account and Region, and the ability to use parameter policies. For more information about advanced parameters, see About Systems Manager Advanced Parameters.

  • Parameter policies: Parameter policies help you manage a growing set of parameters by enabling you to assign specific criteria to a parameter, such as an expiration date or time to live. Parameter policies are especially helpful in forcing you to update or delete passwords and configuration data stored in Parameter Store. Parameter policies are only available for parameters that use the advanced-parameter tier. For more information, see Working with Parameter Policies.

  • Higher throughput: You can now increase the Parameter Store throughput limit to a maximum of 1,000 transactions per second. For more information, see Increasing Parameter Store Throughput.

April 25, 2019

Updates to the Automation section

The Automation section has been updated for improved discoverability. In addition, four new topics have been added to the Automation section:

April 17, 2019

Encrypt session data using an AWS KMS key

By default, Session Manager uses TLS 1.2 to encrypt session data transmitted between the local machines of users in your account and your Amazon EC2 instances. Now you can choose to further encrypt that data using a customer master key (CMK) that has been created in AWS Key Management Service. You can use a key that has been created in your AWS account or one that has been shared with you from another account. For information about specifying a CMK to encrypt session data, see Enable AWS KMS Key Encryption of Session Data (Console), Create Session Manager Preferences (AWS CLI), or Update Session Manager Preferences (AWS CLI).

April 4, 2019

Configuring Amazon SNS Notifications for AWS Systems Manager

Added instructions for using the AWS CLI or Systems Manager console to configure Amazon SNS notifications for Run Command and Run Command tasks registered to a maintenance window. For more information, see Configuring Amazon SNS Notifications for AWS Systems Manager.

March 6, 2019

Advanced instances for servers and VMs in hybrid environments

AWS Systems Manager offers a standard-instances tier and an advanced-instances tier for servers and VMs in your hybrid environment. The standard-instances tier enables you to register a maximum of 1,000 servers or VMs per AWS account per AWS Region. If you need to register more than 1,000 servers or VMs in a single account and Region, then use the advanced-instances tier. You can create as many instances as you like in the advanced-instances tier, but all instances configured for Systems Manager are available on a pay-per-use basis. Advanced instances also enable you to connect to your hybrid machines by using AWS Systems Manager Session Manager. Session Manager provides interactive shell access to your instances. For more information about enabling advanced instances, see Using the Advanced-Instances Tier.

March 4, 2019

Create State Manager associations that use shared SSM documents

You can create State Manager associations that use SSM Command and Automation documents shared from other AWS accounts. Creating associations by using shared SSM documents helps to keep your Amazon EC2 and hybrid infrastructure in a consistent state even when instances are not in the same account. For information about sharing SSM documents, see AWS Systems Manager Documents. For information about creating a State Manager association, see Create an Association.

February 28, 2019

View lists of Systems Manager events supported for Amazon CloudWatch Events rules

The new topic Monitoring Systems Manager Events with Amazon CloudWatch Events provides a summary of the various events emitted by Systems Manager for which you can set up event monitoring rules in CloudWatch Events.

February 25, 2019

Add tags when you create Systems Manager resources

Systems Manager now supports the ability to add tags to certain resource types when you create them. The resources you can tag when you create them with the AWS CLI or an SDK include maintenance windows, patch baselines, Parameter Store parameters, and SSM documents. You can also assign tags to a managed instance when you create an activation for it. When you use the Systems Manager console, you can add tags to maintenance windows, patch baselines, and parameters.

February 24, 2019

Automatic IAM role creation for Systems Manager Inventory

Previously you had to create an AWS Identity and Access Management (IAM) role and attach separate policies to this role to view inventory data on the Inventory Detail View page in the console. You no longer need to create this role or attach policies to it. When you choose a Remote Data Sync on the Inventory Detail View page, Systems Manager automatically creates the Amazon-GlueServicePolicyForSSM role and assigns the Amazon-GlueServicePolicyForSSM-{Amazon S3 bucket name} policy and the AWSGlueServiceRole policy to it. For more information, see Querying Inventory Data from Multiple Regions and Accounts.

February 14, 2019

Maintenance Windows walkthroughs to update SSM Agent

Added two new walkthroughs to the Maintenance Windows documentation. The walkthroughs detail how to use the Systems Manager console or the AWS CLI to create a maintenance window that keeps SSM Agent up-to-date automatically. For more information, see Maintenance Windows Walkthroughs.

February 11, 2019

Using Parameter Store public parameters

Added a short section describing Parameter Store public parameters. For more information, see Using Systems Manager Public Parameters.

January 31, 2019

Use the AWS CLI to Create Session Manager Preferences

Added instructions for using the AWS CLI to create Session Manager preferences, such as CloudWatch Logs, Amazon S3 bucket logging options, and session encryption settings. For more information, see Use the AWS CLI to Create Session Manager Preferences.

January 22, 2019

Executing Systems Manager Automations by using State Manager

AWS Systems Manager State Manager now supports creating associations that use SSM Automation documents. State Manager previously supported only command and policy documents, which meant that you could only create associations that targeted managed instances. With support for SSM Automation documents, you can now create associations that target different types of AWS resources. For more information, see Executing Systems Manager Automations by using State Manager.

January 22, 2019

Reference updates for Cron and Rate expressions and maintenance window scheduling options

The reference topic Cron and Rate Expressions for Systems Manager has been revised. The new version provides more examples and improved explanations of how to use cron and rate expressions to schedule your maintenance windows and State Manager associations. In addition, the new topic Maintenance Windows Scheduling and Active Period Options explains how the various schedule-related options for maintenance windows (Start date, End date, Time zone, Schedule frequency) relate to one another.

December 6, 2018

Updates to the Systems Manager Prerequisites topic

The Systems Manager Prerequisites topic has been updated to provide information about supported operating system versions in a more detailed tabular format, along with other changes in the page for improved readability.

December 4, 2018

Enable SSM Agent debug logging

You can enable SSM Agent debug logging by editing the seelog.xml.template file on the managed instance. For more information, see Enable SSM Agent Debug Logging.

November 30, 2018

Support for ARM64 processor architectures

AWS Systems Manager now supports ARM64 versions of the Amazon Linux 2, Red Hat Enterprise Linux 7.6, and Ubuntu Server (18.04 LTS and 16.04 LTS) operating systems. For more information, see the instructions for installing Amazon Linux 2, RHEL, and Ubuntu Server 18.04 and 16.04 LTS with Snap packages. For more information about the A1 instance type, see General Purpose Instances in the Amazon EC2 User Guide for Linux Instances.

November 26, 2018

Create and deploy packages by using AWS Systems Manager Distributor

AWS Systems Manager Distributor lets you package your own software—or find AWS-provided agent software packages, such as AmazonCloudWatchAgent—to install on AWS Systems Manager managed instances. Distributor publishes resources, such as software packages, to AWS Systems Manager managed instances. Publishing a package advertises specific versions of the package's document—a Systems Manager document that you create when you add the package in Distributor—to managed instances that you identify by managed instance IDs, AWS account IDs, tags, or an AWS Region. For more information, see AWS Systems Manager Distributor.

November 20, 2018

Concurrently run AWS Systems Manager Automations across multiple AWS Regions and AWS accounts from a central account

You can concurrently run AWS Systems Manager Automations across multiple AWS Regions and AWS accounts or AWS Organizational Units (OUs) from an Automation management account. Concurrently executing Automations in multiple Regions and accounts or OUs reduces the time required to administer your AWS resources while enhancing the security of your computing environment. For more information, see Executing Automations in Multiple AWS Regions and Accounts.

November 19, 2018

Query inventory data from multiple AWS Regions and accounts

Systems Manager Inventory integrates with Amazon Athena to help you query inventory data from multiple AWS Regions and accounts. Athena integration uses Resource Data Sync so that you can view inventory data from all of your managed instances on the Inventory Detail View page in the AWS Systems Manager console. For more information, see Querying Inventory Data from Multiple Regions and Accounts.

November 15, 2018

Create State Manager associations that run MOF files

You can run Managed Object Format (MOF) files to enforce a desired state on Windows Server managed instances with State Manager by using the AWS-ApplyDSCMofs SSM document. The AWS-ApplyDSCMofs document has two execution modes. With the first mode, you can configure the association to scan and report if the managed instances are currently in the desired state defined in the specified MOF files. In the second mode, you can run the MOF files and change the configuration of your instances based on the resources and their values defined in the MOF files. The AWS-ApplyDSCMofs document enables you to download and run MOF configuration files from Amazon Simple Storage Service (Amazon S3), a local share, or from a secure web site with an HTTPS domain. For more information, see Creating Associations that Run MOF Files.

November 15, 2018

Restrict administrative access in Session Manager sessions

Session Manager sessions are launched using the credentials of a user account called ssm-user, which is created with default root or administrator privileges. Information about restricting administrative control for this account is now available in the topic Disable or Enable ssm-user Account Administrative Permissions.

November 13, 2018

YAML examples in Automation Actions Reference

The Automations Actions Reference now includes a YAML sample for each action that already includes a JSON sample.

October 31, 2018

Assign compliance severity levels to associations

You can now assign compliance severity levels to State Manager associations. These severity levels are reported in the Compliance Dashboard and can also be used to filter your compliance reports. The severity levels you can assign include Critical, High, Medium, Low, and Unspecified. For more information, see Create an Association (Console).

October 26, 2018

Use targets and rate controls with Automation and State Manager

Control the execution of Automations and State Manager associations across your fleet of resources by using targets, concurrency, and error thresholds. For more information, see Using Targets and Rate Controls to Run Automation Workflows on a Fleet and Using Targets and Rate Controls with State Manager Associations.

October 23, 2018

Specify active time ranges and international time zones for maintenance windows

You can also specify dates that a maintenance window should not run before or after (start date and end date), and you can specify the international time zone on which to base the maintenance window schedule. For more information, see Create a Maintenance Window (Console) and Update a Maintenance Window (AWS CLI).

October 9, 2018

Maintain a custom list of patches for your patch baseline in an S3 bucket

The new 'InstallOverrideList' parameter in the SSM document 'AWS-RunPatchBaseline' lets you specify an https URL or an Amazon Simple Storage Service (Amazon S3) path-style URL to a list of patches to be installed. This patch installation list, which you maintain in an S3 bucket in YAML format, overrides the patches specified by the default patch baseline. For more information, see Parameter name: InstallOverrideList.

October 5, 2018

Expanded control over whether patch dependencies are installed

Previously, if a patch in your Rejected patches list was identified as a dependency of another patch, it would still be installed. Now you can choose whether to install these dependencies or block them from being installed. For more information, see Create a Patch Baseline.

October 5, 2018

Create dynamic Automation workflows with conditional branching

The aws:branch Automation action enables you to create a dynamic Automation workflow that evaluates multiple choices in a single step and then jumps to a different step in the Automation document based on the results of that evaluation. For more information, see Creating Dynamic Automation Workflows with Conditional Branching.

September 26, 2018

Use the AWS CLI to Update Session Manager Preferences

Instructions for using the CLI to update Session Manager preferences, such as CloudWatch Logs and Amazon S3 bucket logging options, have been added to the AWS Systems Manager User Guide. For information, see Use the AWS CLI to Update Session Manager Preferences.

September 25, 2018

Set up patching options more easily with the new 'Configure patching' page

Patch Manager has been updated with a new system for setting up patching configurations. On the Configure patching page, you can specify multiple patching options in a single location, including associating a maintenance window with a patching configuration and changing the patch baseline associated with a patch group. For more information, see About Patching Configurations and Create a Patching Configuration.

September 22, 2018

Updated SSM Agent requirement for Session Manager

Session Manager now requires SSM Agent version 2.3.68.0 or later. For more information about Session Manager prerequisites, see Complete Session Manager Prerequisites.

September 17, 2018

Manage instances without opening inbound ports or maintaining bastion hosts using Session Manager

Now available, Session Manager is a fully managed AWS Systems Manager capability that lets you manage your Amazon EC2 instances through an interactive one-click browser-based shell or through the AWS CLI. Session Manager provides secure and auditable instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys. Session Manager also makes it easy to comply with corporate policies that require controlled access to instances, strict security practices, and fully auditable logs with instance access details, while still providing end users with simple one-click cross-platform access to your Amazon EC2 instances. For more information, see Learn More About Session Manager.

September 11, 2018

Invoking other AWS Services from a Systems Manager Automation Workflow

You can invoke other AWS services and other Systems Manager capabilities in your Automation workflow by using three new Automation actions (or plugins) in your Automation documents. For more information, see Invoking other AWS Services from a Systems Manager Automation Workflow.

August 28, 2018

Use Systems Manager-specific condition keys in IAM policies

The topic Specifying Conditions in a Policy has been updated to list the IAM condition keys for Systems Manager that you can incorporate in policies. You can use these keys to specify the conditions under which a policy should take effect. The topic also includes links to example policies and other related topics.

August 18, 2018

Aggregate Inventory data with groups to see which instances are and aren't configured to collect an Inventory type

Groups enable you to quickly see a count of which managed instances are and aren’t configured to collect one or more Inventory types. With groups, you specify one or more Inventory types and a filter that uses the exists operator. For more information, see Aggregating Inventory Data.

August 16, 2018

View history and change tracking for Inventory and Configuration Compliance

You can now view history and change tracking for Inventory collected from your managed instances. You can also view history and change tracking for Patch Manager patching and State Manager associations reported by Configuration Compliance. For more information, see Viewing Inventory History and Change Tracking.

August 9, 2018

Systems Manager service-linked role extends support for maintenance window tasks

The Maintenance Windows service requires a set of IAM permissions in order to run maintenance window tasks on your instances. Previously, the only option was to create a custom IAM role to supply these permissions. The service-linked role for Systems Manager has now been enhanced to provide these permissions, giving you two IAM role options. For more information, see Should I Use a Service-Linked Role or a Custom Service Role to Run Maintenance Windows Tasks?

August 2, 2018

Parameter Store integrates with Secrets Manager

Parameter Store is now integrated with AWS Secrets Manager so that you can retrieve Secrets Manager secrets when using other AWS services that already support references to Parameter Store parameters. These services include Amazon EC2, Amazon Elastic Container Service, AWS Lambda, AWS CloudFormation, AWS CodeBuild, AWS CodeDeploy, and other Systems Manager capabilities. By using Parameter Store to reference Secrets Manager secrets, you create a consistent and secure process for calling and using secrets and reference data in your code and configuration scripts. For information, see Referencing AWS Secrets Manager Secrets from Parameter Store Parameters.

July 26, 2018

Attach labels to Parameter Store parameters

A parameter label is a user-defined alias to help you manage different versions of a parameter. When you modify a parameter, Systems Manager automatically saves a new version and increments the version number by one. A label can help you remember the purpose of a parameter version when there are multiple versions. For information, see Labeling Parameters.

July 26, 2018

Create dynamic Automation workflows

By default, the steps (or actions) that you define in the mainSteps section of an Automation document run in sequential order. After one action completes, the next action specified in the mainSteps section begins. With this release, you can now create Automation workflows that perform conditional branching. This means that you can create Automation workflows that dynamically respond to condition changes and jump to a specified step. For information, see Creating Dynamic Automation Workflows.

July 18, 2018

SSM Agent now pre-installed on Ubuntu Server 16.04 AMIs using Snap

Beginning with instances created from Ubuntu Server 16.04 AMIs identified with 20180627, the SSM Agent is pre-installed using Snap packages. On instances created from earlier AMIs, you should continue using deb installer packages. For information, see About SSM Agent installations on 64-bit Ubuntu Server 16.04 instances.

July 7, 2018

Review minimum S3 permissions required by SSM Agent

The new topic Minimum S3 Bucket Permissions for SSM Agent provides information about the Amazon Simple Storage Service (Amazon S3) buckets that resources might need to access to perform Systems Manager operations. You can specify these buckets in a custom policy if you want to limit Amazon S3 bucket access for an instance profile or VPC endpoint to the minimum required to use Systems Manager.

July 5, 2018

View complete execution history for a specific State Manager association ID

The new topic Viewing Association Histories describes how to view all executions for a specific association ID and then view execution details for one or more resources.

July 2, 2018

Patch Manager introduces support for Amazon Linux 2

You can now use Patch Manager to apply patches to Amazon Linux 2 instances. For general information about Patch Manager operating system support, see Patch Manager Prerequisites. For information about the supported key-value pairs for Amazon Linux 2 when defining a patch filter, see PatchFilter in the AWS Systems Manager API Reference.

June 26, 2018

Send command output to Amazon CloudWatch Logs

The new topic Configuring Amazon CloudWatch Logs for Run Command describes how to send Run Command output to CloudWatch Logs.

June 18, 2018

Quickly create or delete Resource Data Sync for Inventory by using AWS CloudFormation

You can use AWS CloudFormation to create or delete a Resource Data Sync for Systems Manager Inventory. To use AWS CloudFormation, add the AWS::SSM::ResourceDataSync resource to your AWS CloudFormation template. For more information, see Working with AWS CloudFormation Templates in the AWS CloudFormation User Guide. You can also manually create a Resource Data Sync for Inventory as described in Configuring Resource Data Sync for Inventory.

June 11, 2018

AWS Systems Manager User Guide update notifications now available through RSS

The HTML version of the Systems Manager User Guide now supports an RSS feed of updates that are documented in the Systems Manager Documentation Update History page. The RSS feed includes updates made in June, 2018, and later. Previously announced updates are still available in the Systems Manager Documentation Update History page. Use the RSS button in the top menu panel to subscribe to the feed.

June 6, 2018

Specify an exit code in scripts to reboot managed instances

The new topic Rebooting Managed Instance from Scripts describes how to instruct Systems Manager to reboot managed instances by specifying an exit code in scripts that you run with Run Command.

June 3, 2018

Create an event in Amazon CloudWatch Events whenever custom Inventory is deleted

The new topic Viewing Inventory Delete Actions in CloudWatch Events describes how to configure Amazon CloudWatch Events to create an event anytime a user deletes custom Inventory.

June 1, 2018

Earlier Updates

The following table describes important changes in each release of the AWS Systems Manager User Guide before June 2018.

Change Description Release Date
Inventory all managed instances in your AWS account

You can easily inventory all managed instances in your AWS account by creating a global inventory association. For more information, see Inventory All Managed Instances in Your AWS Account.

Note

Global inventory associations are available in SSM Agent version 2.0.790.0 or later. For information about how to update SSM Agent on your instances, see Update SSM Agent by using Run Command.

May 3, 2018
SSM Agent installed by default on Ubuntu Server 18

SSM Agent is installed, by default, on Ubuntu Server 18.04 LTS 64-bit and 32-bit AMIs.

May 2, 2018
New topic

The new topic Sending Commands that Use the Document Version Parameter describes how to use the document-version parameter to specify which version of an SSM document to use when the command runs.

May 1, 2018
New topic

The new topic Deleting Custom Inventory describes how to delete custom Inventory data from Amazon S3 by using the AWS CLI. The topic also describes how to use the SchemaDeleteOption to manage custom inventory by disabling or deleting a custom inventory type. This new feature uses the DeleteInventory API action.

April 19, 2018
Amazon SNS notifications for SSM Agent

You can subscribe to an Amazon SNS topic to receive notifications when a new version of SSM Agent is available. For more information, see Subscribe to SSM Agent Notifications.

April 9, 2018
CentOS patching support

Systems Manager now supports patching CentOS instances. For information about supported CentOS versions, see Patch Manager Prerequisites. For more information about how patching works, see How Patch Manager Operations Work.

March 29, 2018
New section

To provide a single source for reference information in the AWS Systems Manager User Guide, a new section has been introduced, AWS Systems Manager Reference. Additional content will be added to this section as it becomes available.

March 15, 2018
New topic

The new topic About Package Name Formats for Approved and Rejected Patch Lists details the package name formats you can enter in the lists of approved patches and rejected patches for a custom patch baseline. Sample formats are provided for each operating system type supported by Patch Manager.

March 9, 2018
New topic

Systems Manager now integrates with Chef InSpec. InSpec is an open-source, runtime framework that enables you to create human-readable profiles on GitHub or Amazon S3. Then you can use Systems Manager to run compliance scans and view compliant and noncompliant instances. For more information, see Using Chef InSpec Profiles with Systems Manager Compliance.

March 7, 2018
New topic

The new topic Using Service-Linked Roles for Systems Manager describes how to use an AWS Identity and Access Management (IAM) service-linked role with Systems Manager. Currently, service-linked roles are only required when using Systems Manager Inventory to collect metadata about tags and Resource Groups.

February 27, 2018
New and updated topics

You can now use Patch Manager to install patches that are in a different source repository than the default one configured on the instance. This is useful for patching instances with updates not related to security; with the content of Personal Package Archives (PPA) for Ubuntu Server; with updates for internal corporate applications; and so on. You specify alternative patch source repositories when you create a custom patch baseline. For more information, see the following topics:

In addition, you can now use Patch Manager to patch SUSE Linux Enterprise Server instances. Patch Manager supports patching SLES 12.* versions (64-bit only). For more information, see the SLES-specific information in the following topics:

February 6, 2018
New topic

The new topic Upgrade the Python Requests Module on Amazon Linux Instances That Use a Proxy Server provides instructions for ensuring that instances created using an Amazon Linux AMI have been updated with a current version of the Python requests module. This requirement is to ensure compatibility with Patch Manager.

January 12, 2018
New topic

The new topic About SSM Documents for Patching Instances describes the seven SSM documents currently available to help you keep your managed instances patched with the latest security-related updates.

January 10, 2018
Important updates regarding Linux support

Updated various topics with the following information:

  • SSM Agent is installed, by default, on Amazon Linux base AMIs dated 2017.09 and later.

  • You must manually install SSM Agent on other versions of Linux, including non-base images like Amazon ECS-Optimized AMIs.

January 9, 2018
New topic

A new topic, About the SSM Document AWS-RunPatchBaseline, provides details of how this SSM document operates on both Windows and Linux systems. It also provides information about the two available parameters in the AWS-RunPatchBaseline document, Operation and Snapshot ID.

January 5, 2018
New topics

A new section, How Patch Manager Operations Work, provides technical details that explain how Patch Manager determines which security patches to install and how it installs them on each supported operating system. It also provides information about how patch baseline rules work on different distributions of the Linux operating system.

January 2, 2018
Retitled and moved the Systems Manager Automation Actions Reference

Based on customer feedback, the Automation Actions Reference is now called the Systems Manager Automation Document Reference. Furthermore, we moved the reference into the Shared Resources > Documents node so it is closer to the SSM Document Plugin Reference. For more information, see Systems Manager Automation Actions Reference.

December 20, 2017

New Monitoring chapter and content

A new chapter, Monitoring AWS Systems Manager, provides instructions for sending metrics and log data to Amazon CloudWatch Logs. A new topic, Sending Logs to CloudWatch Logs (CloudWatch agent), provides instructions for migrating on-instance monitoring tasks, on 64-bit Windows Server instances only, from SSM Agent to the CloudWatch agent.

December 14, 2017

New chapter

A new chapter, Authentication and Access Control for AWS Systems Manager, provides comprehensive information about using AWS Identity and Access Management (IAM) and AWS Systems Manager to help secure access to your resources through the use of credentials. These credentials provide the permissions required to access AWS resources, such as accessing data stored in Amazon S3 buckets and sending commands to and reading the tags on Amazon EC2 instances.

December 11, 2017

Changes to the left navigation

We changed the headings in the left navigation of this user guide to match the headings in the new AWS Systems Manager console.

December 8, 2017

Multiple changes for re:Invent 2017

  • Official launch of AWS Systems Manager: AWS Systems Manager (formerly Amazon EC2 Systems Manager) is a unified interface that allows you to easily centralize operational data and automate tasks across your AWS resources. You can access the new AWS Systems Manager console here. For more information, see What Is AWS Systems Manager?

  • YAML Support: You can create SSM documents in YAML. For more information, see AWS Systems Manager Documents.

November 29, 2017

Using Run Command to Take VSS-Enabled Snapshots of EBS Volumes

Using Run Command, you can take application-consistent snapshots of all Amazon Elastic Block Store (Amazon EBS) volumes attached to your Amazon EC2 Windows instances. The snapshot process uses the Windows Volume Shadow Copy Service (VSS) to take image-level backups of VSS-aware applications, including data from pending transactions between these applications and the disk. Furthermore, you don't need to shut down your instances or disconnect them when you need to back up all attached volumes. For more information, see Using Run Command to Take VSS-Enabled Snapshots of EBS Volumes in the Amazon EC2 User Guide for Windows Instances.

November 20, 2017

Enhanced Systems Manager Security Available By Using VPC Endpoints

You can improve the security posture of your managed instances (including managed instances in your hybrid environment) by configuring Systems Manager to use an interface VPC endpoint. Interface endpoints are powered by PrivateLink, a technology that enables you to privately access Amazon EC2 and Systems Manager APIs by using private IP addresses. PrivateLink restricts all network traffic between your managed instances, Systems Manager, and EC2 to the Amazon network (managed instances don't have access to the Internet). Also, you don't need an Internet gateway, a NAT device, or a virtual private gateway. For more information, see (Optional) Create a Virtual Private Cloud Endpoint.

November 7, 2017

Inventory Support for Files, Services, Windows Roles, and the Windows Registry

SSM Inventory now supports gathering the following information from your managed instances.

  • Files: Name, size, version, installed date, modification and last accessed times, etc.

  • Services: Name, display name, status, dependent services, service type, start type, etc.

  • Windows Registry: Registry key path, value name, value type, and value.

  • Windows roles: Name, display name, path, feature type, installed state, etc.

Before you attempt to collect information for these inventory types, update SSM Agent on the instances you want to inventory. By running the latest version of SSM Agent, you ensure that you can collect metadata for all supported inventory types. For information about how to update SSM Agent by using State Manager, see Automatically Update SSM Agent (CLI).

For more information about Inventory, see Learn More About Systems Manager Inventory.

November 6, 2017

Updates to Automation documentation

Fixed several issues in the information about setting up and configuring access for Systems Manager Automation. For more information, see Getting Started with Automation.

October 31, 2017

GitHub and Amazon S3 Integration

Run remote scripts: Systems Manager now supports downloading and running scripts from a private or public GitHub repository, and from Amazon S3. Using either the AWS-RunRemoteScript pre-defined SSM document or the aws:downloadContent plugin in a custom SSM document, you can run Ansible Playbooks and scripts in Python, Ruby, or PowerShell, to name a few. These changes further enhance infrastructure as code when you use Systems Manager to automate configuration and deployment of Amazon EC2 instances and on-premises managed instances in your hybrid environment. For more information, see Partner and Product Integration.

Create composite SSM documents: Systems Manager now supports running one or more secondary SSM documents from a primary SSM document. These primary documents that run other documents are called composite documents. Composite documents enable you to create and share a standard set of secondary SSM documents across AWS accounts for common tasks such as boot-strapping anti-virus software or domain-joining instances. You can run composite and secondary documents stored in Systems Manager, GitHub, or Amazon S3. After you create a composite document, you can run it by using the AWS-RunDocument pre-defined SSM document. For more information, see Creating Composite Documents and Running Documents from Remote Locations.

SSM document plugin reference: For easier access, we moved the SSM Plugin Reference for SSM documents out of the Systems Manager API Reference and into the User Guide. For more information, see SSM Document Plugin Reference.

October 26, 2017

Support for Parameter Versions in Parameter Store

When you edit a parameter, Parameter Store now automatically increments the version number by 1. You can specify a parameter name and a specific version number in API calls and SSM documents. If you don't specify a version number, the system automatically uses the latest version.

Parameter versions provide a layer of protection in the event that a parameter is accidentally changed. You can view the values of all versions, and reference older versions if necessary. You can also use parameter versions to see how many times a parameter changed over a period of time. For more information, see Working with Parameter Versions.

October 24, 2017

Support for Tagging Systems Manager Documents

You can now use the AddTagsToResource API, the AWS CLI, or the AWS Tools for Windows to tag Systems Manager documents with key-value pairs. Tagging helps you quickly identify specific resources based on the tags you've assigned to them. This is in addition to existing tagging support for managed instances, maintenance windows, Parameter Store parameters, and patch baselines. New topics include Tagging Systems Manager Documents and Controlling Access to Documents Using Tags.

October 3, 2017

Various Documentation Updates to Fix Errors or Update Content Based on Feedback

October 2, 2017

Troubleshoot Unreachable Windows Instances by Using the EC2Rescue Automation Workflow

EC2Rescue can help you diagnose and troubleshoot problems on Amazon EC2 Windows Server instances. You can run the tool as a Systems Manager Automation workflow by using the AWSSupport-ExecuteEC2Rescue document. The AWSSupport-ExecuteEC2Rescue document is designed to perform a combination of Systems Manager actions, AWS CloudFormation actions, and Lambda functions that automate the steps normally required to use EC2Rescue. For more information, see Run the EC2Rescue Tool on Unreachable Instances.

September 29, 2017

SSM Agent Installed By Default on Amazon Linux

SSM Agent is installed, by default, on Amazon Linux AMIs dated 2017.09 and later. You must manually install SSM Agent on other versions of Linux, as described in Installing and Configuring SSM Agent on Amazon EC2 Linux Instances.

September 27, 2017

Run Command Enhancements

Run Command includes the following enhancements.

September 12, 2017

Systems Manager Supported on Raspbian

Systems Manager can now run on Raspbian Jessie and Raspbian Stretch devices, including Raspberry Pi (32-Bit). For more information, see Raspbian.

September 7, 2017

Automatically Send SSM Agent Logs to Amazon CloudWatch Logs

You can now make a simple configuration change on your instances to have SSM Agent send log files to CloudWatch. For more information, see Sending Logs to CloudWatch Logs (SSM Agent).

September 7, 2017

Encrypt Resource Data Sync

Systems Manager Resource Data Sync lets you aggregate Inventory data collected on dozens or hundreds of managed instances in a central Amazon S3 bucket. You can now encrypt Resource Data Sync by using an AWS Key Management Service key. For more information, see Walkthrough: Use Resource Data Sync to Aggregate Inventory Data.

September 1, 2017

New State Manager Walkthroughs

Added two new walkthroughs to the State Manager documentation:

Automatically Update SSM Agent (CLI)

Walkthrough: Automatically Update PV Drivers on EC2 Windows Instances (Console)

August 31, 2017

Systems Manager Configuration Compliance

Use Configuration Compliance to scan your fleet of managed instances for patch compliance and configuration inconsistencies. You can collect and aggregate data from multiple AWS accounts and Regions, and then drill down into specific resources that aren’t compliant. By default, Configuration Compliance displays compliance data about Patch Manager patching and State Manager associations. You can also customize the service and create your own compliance types based on your IT or business requirements. For more information, see AWS Systems Manager Configuration Compliance.

August 28, 2017

New Automation Action: aws:executeAutomation

Runs a secondary Automation workflow by calling a secondary Automation document. With this action, you can create Automation documents for your most common workflows, and reference those documents during an Automation execution. This action can simplify your Automation documents by removing the need to duplicate steps across similar documents. For more information, see aws:executeAutomation.

August 22, 2017

Automation as the Target of a CloudWatch Event

You can start an Automation workflow by specifying an Automation document as the target of an Amazon CloudWatch event. You can start workflows according to a schedule, or when a specific AWS system event occurs. For more information, see Running Automation Workflows with Triggers using CloudWatch Events.

August 21, 2017

State Manager Association Versioning and General Updates

You can now create different State Manager association versions. There is a limit of 1,000 versions for each association. You can also specify names for your associations. Also, the State Manager documentation has been updated to address outdated information and inconsistencies. For more information, see AWS Systems Manager State Manager.

August 21, 2017

Changes to Maintenance Windows

Maintenance Windows include the following changes or enhancements:

  • Previously, Maintenance Windows could only perform tasks by using Run Command. You can now perform tasks by using Systems Manager Automation, AWS Lambda, and AWS Step Functions.

  • You can edit the targets of a maintenance window and specify a target name, description, and owner.

  • You can edit tasks in a maintenance window, including specifying a new SSM document for Run Command and Automation tasks.

  • All Run Command parameters are now supported, including DocumentHash, DocumentHashType, TimeoutSeconds, Comment, and NotificationConfig.

  • You can now use a safe flag when you attempt to deregister a target. If enabled, the system returns an error if the target is referenced by any task.

For more information, see AWS Systems Manager Maintenance Windows.

August 16, 2017

New Automation Action: aws:approve

This new action for Automation documents temporarily pauses an Automation execution until designated principals either approve or reject the action. After the required number of approvals is reached, the Automation execution resumes.

For more information, see Systems Manager Automation Actions Reference.

August 10, 2017

Automation Assume Role No Longer Required

Automation previously required that you specify a service role (or assume role) so that the service had permission to perform actions on your behalf. Automation no longer requires this role because the service now operates by using the context of the user who invoked the execution.

However, the following situations still require that you specify a service role for Automation:

  • When you want to restrict a user's privileges on a resource, but you want the user to run an Automation workflow that requires elevated privileges. In this scenario, you can create a service role with elevated privileges and allow the user to run the workflow.

  • Operations that you expect to run longer than 12 hours require a service role.

For more information, see Getting Started with Automation.

August 3, 2017

Configuration Compliance

Use Amazon EC2 Systems Manager Configuration Compliance to scan your fleet of managed instances for patch compliance and configuration inconsistencies. You can collect and aggregate data from multiple AWS accounts and Regions, and then drill down into specific resources that aren’t compliant. For more information, see AWS Systems Manager Configuration Compliance.

August 8, 2017

SSM Document Enhancements

SSM Command and Policy documents now offer cross-platform support. This means that a single SSM document can process plugins for Windows and Linux operating systems. Cross-platform support enables you to consolidate the number of documents you manage. Cross-platform support is offered in SSM documents that use schema version 2.2 or later.

SSM Command documents that use schema version 2.0 or later can now include multiple plugins of the same type. For example, you can create a Command document that calls the aws:runShellScript plugin multiple times.

For more information about schema version 2.2 changes, see AWS Systems Manager Documents. For more information about SSM plugins, see Systems Manager Plugins.

July 12, 2017

Linux Patching

Patch Manager can now patch the following Linux distributions:

64-Bit and 32-Bit Systems

  • Amazon Linux 2014.03, 2014.09, or later

  • Ubuntu Server 16.04 LTS, 14.04 LTS, or 12.04 LTS

  • Red Hat Enterprise Linux (RHEL) 6.5 or later

64-Bit Systems Only

  • Amazon Linux 2015.03, 2015.09, or later

  • Red Hat Enterprise Linux (RHEL) 7.x or later

For more information, see AWS Systems Manager Patch Manager.

Note

  • To patch Linux instances, your instances must be running SSM Agent version 2.0.834.0 or later. For information about updating the agent, see the section titled Example: Update SSM Agent in Running Commands from the Console.

  • The AWS-ApplyPatchBaseline SSM document is being replaced by the AWS-RunPatchBaseline document.

July 6, 2017

Resource Data Sync

You can use Systems Manager Resource Data Sync to send Inventory data collected from all of your managed instances to a single Amazon S3 bucket. Resource Data Sync then automatically updates the centralized data when new Inventory data is collected. With all Inventory data stored in a target Amazon S3 bucket, you can use services like Amazon Athena and Amazon QuickSight to query and analyze the aggregated data. For more information, see Configuring Resource Data Sync for Inventory. For an example of how to work with Resource Data Sync, see Walkthrough: Use Resource Data Sync to Aggregate Inventory Data.

June 29, 2017

Systems Manager Parameter Hierarchies

Managing dozens or hundreds of Systems Manager parameters as a flat list is time-consuming and prone to errors. You can use parameter hierarchies to help you organize and manage Systems Manager parameters. A hierarchy is a parameter name that includes a path that you define by using forward slashes. Here is an example that uses three hierarchy levels in the name to identify the following:

/Environment/Type of computer/Application/Data

/Dev/DBServer/MySQL/db-string13

For more information, see Organizing Parameters into Hierarchies. For an example of how to work with parameter hierarchies, see Walkthrough: Manage Parameters Using Hierarchies (AWS CLI).

June 22, 2017

SSM Agent Support for SUSE Linux Enterprise Server

You can install SSM Agent on 64-bit SUSE Linux Enterprise Server (SLES). For more information, see Installing and Configuring SSM Agent on Amazon EC2 Linux Instances.

June 14, 2017
