Document history - AWS Systems Manager

Document history

The following table describes the important changes to the documentation since the last release of AWS Systems Manager. For notification about updates to this documentation, you can subscribe to an RSS feed.

Important

An updated version of SSM Agent is released whenever new capabilities are added to Systems Manager or updates are made to existing capabilities. If an older version of the agent is running on an instance, some SSM Agent processes can fail. For that reason, we recommend that you automate the process of keeping SSM Agent up-to-date on your instances. For information, see Automate updates to SSM Agent. To be notified about SSM Agent updates, subscribe to the SSM Agent Release Notes page on GitHub.

  • API version: 2014-11-06

Change Description Date

AppConfig content moved into a separate user guide

Information about AWS AppConfig has been moved into a separate user guide. For more information, see What Is AWS AppConfig? AppConfig also has a separate documentation landing page with links to the user guide, the AppConfig API reference, and a new AppConfig workshop.

August 3, 2020

Quick Setup now supports AWS Organizations

Quick Setup now supports AWS Organizations, enabling you to quickly configure required security roles and commonly used Systems Manager capabilities across multiple accounts and Regions. For more information, see AWS Systems Manager Quick Setup.

July 23, 2020

New data source in Explorer: association compliance

Explorer now displays association compliance data from State Manager. For more information, see Editing Systems Manager Explorer data sources.

July 23, 2020

New Systems Manager Command document to Enable and Disable Kernel Live Patching

The document AWS-ConfigureKernelLivePatching is now available to use with Run Command when you want to enable or disable Kernel Live Patching on Amazon Linux 2 instances. This document replaces the need for creating your own custom Command documents for these tasks. For more information, see Use Kernel Live Patching on Amazon Linux 2 instances.

July 22, 2020

Updated Automation quotas

Service quotas for Automation have been updated, including a separate queue for rate control automations. For more information, see AWS Systems Manager Automation.

July 20, 2020

Specify the number of schedule offset days for a maintenance window using the console

Using the Systems Manager console, you can now specify a number of days to wait after the date and time specified by a CRON expression before running a maintenance window. (Previously, this option was available only when using an AWS SDK or a command line tool.) For example, if your CRON expression schedules a maintenance window to run on the third Tuesday of every month at 11:30 PM – cron(0 30 23 ? * TUE#3 *) – and you specify a schedule offset of 2, the window won't run until two days later at 11:30 PM. For more information, see Cron and rate expressions for Systems Manager and Specify the number of schedule offset days for a maintenance window.

July 17, 2020

Update PowerShell using Run Command

To help you update PowerShell to version 5.1 on your Windows Server 2012 and 2012 R2 instances, we added a walkthrough to the AWS Systems Manager User Guide. For more information, see Update PowerShell using Run Command.

June 30, 2020

Patch Manager now supports CentOS 8.0 and 8.1

You can now use Patch Manager to patch CentOS 8.0 and 8.1 instances. For more information, see the following topics:

June 27, 2020

AppConfig integrates with AWS CodePipeline

AppConfig is an integrated deploy action for AWS CodePipeline (CodePipeline). CodePipeline is a fully managed continuous delivery service that helps you automate your release pipelines for fast and reliable application and infrastructure updates. CodePipeline automates the build, test, and deploy phases of your release process every time there is a code change, based on the release model you define. The integration of AppConfig with CodePipeline offers the following benefits. For more information, see AppConfig integration with CodePipeline.

  • Customers who use CodePipeline to manage orchestration now have a lightweight means of deploying configuration changes to their applications without having to deploy their entire codebase.

  • Customers who want to use AppConfig to manage configuration deployments but are limited because AppConfig does not support their current code or configuration store, now have additional options. CodePipeline supports AWS CodeCommit, GitHub, and BitBucket (to name a few).

June 25, 2020

New chapter: Product and service integrations

To help you understand how Systems Manager integrates with AWS services and other products and services, a new chapter has been added to the AWS Systems Manager User Guide. For more information, see Product and service integrations with Systems Manager.

June 23, 2020

Automation chapter reorganization

To help you find what you need, we reorganized topics in the Automation chapter of the AWS Systems Manager User Guide. For example, the Automation actions and Automation documents references are now top-level sections in the chapter. For more information, see AWS Systems Manager Automation.

June 23, 2020

Specify the number of schedule offset days for a maintenance window

Using a command line tool or AWS SDK, you can now specify a number of days to wait after the date and time specified by a CRON expression before running a maintenance window. For example, if your CRON expression schedules a maintenance window to run on the third Tuesday of every month at 11:30 PM – cron(0 30 23 ? * TUE#3 *) – and you specify a schedule offset of 2, the window won't run until two days later at 11:30 PM. For more information, see Cron and rate expressions for Systems Manager and Specify the number of schedule offset days for a maintenance window.

June 19, 2020

Patch Manager support for Kernel Live Patching on Amazon Linux 2 instances

Kernel Live Patching for Amazon Linux 2 enables you to apply security vulnerability and critical bug patches to a running Linux kernel, without reboots or disruptions to running applications. You can now enable the feature and apply kernel live patches using Patch Manager. For information, see Use Kernel Live Patching on Amazon Linux 2 instances.

June 16, 2020

Patch Manager increases Oracle Linux version support

Previously, Patch Manager supported only version 7.6 of Oracle Linux. As listed in Patch Manager prerequisites, support now covers versions 7.5-7.8.

June 16, 2020

Sample scenario for using the 'InstallOverrideList' parameter in AWS-RunPatchBaseline

The new topic Sample scenario for using the InstallOverrideList parameter describes a strategy for using the InstallOverrideList parameter in the AWS-RunPatchBaseline document to apply different types of patches to a target group, on different maintenance window schedules, while still using a single patch baseline.

June 11, 2020

Predefined deployment strategies for AppConfig

AppConfig now offers predefined deployment strategies. For more information, see Creating a deployment strategy.

June 10, 2020

Patch Manager now supports Red Hat Enterprise Linux (RHEL) 7.8-8.2

You can now use Patch Manager to patch RHEL 7.8 - 8.2 instances. For more information, see the following topics:

June 9, 2020

Explorer supports delegated administration

If you aggregate Explorer data from multiple AWS Regions and accounts by using resource data sync with AWS Organizations, then we suggest that you configure a delegated administrator for Explorer. A delegated administrator improves Explorer security by limiting the number of Explorer administrators who can create or delete multi-account and Region resource data syncs to only one individual. You also no longer need to be logged into the AWS Organizations master account to administer resource data syncs in Explorer. For more information, see Configuring a Delegated Administrator.

June 3, 2020

Apply State Manager association only at the next specified Cron interval

If you don't want a State Manager association to run immediately after you create it, you can choose the Apply association only at the next specified Cron interval option in the Systems Manager console. For more information, see Create an association.

June 3, 2020

New data source in Explorer: AWS Compute Optimizer

Explorer now displays data from AWS Compute Optimizer. This includes a count of Under provisioned and Over provisioned EC2 instances, optimization findings, on-demand pricing details, and recommendations for instance type and price. For more information, see the details for setting up AWS Compute Optimizer in Setting up related services.

May 26, 2020

New chapter: Tagging Systems Manager Resources

The new chapter Tagging Systems Manager resources provides an overview of how you can use tags with the six taggable resource types in Systems Manager. The chapter also provides comprehensive instructions for adding and removing tags from these resource types:

  • Documents

  • Maintenance windows

  • Managed instances

  • OpsItems

  • Parameters

  • Patch baselines

May 25, 2020

Install Windows Service Packs and Linux minor version upgrades using Patch Manager

The new topic Walkthrough: Create a patch baseline for installing Windows Service Packs (console) demonstrates how you can create a patch baseline devoted exclusively to installing Windows Service Packs. The topic Create a custom patch baseline (Linux) has been updated with information about including minor version upgrades for Linux operating systems in patch baselines.

May 21, 2020

Parameter Store chapter reorganization

All topics that deal with configuring or setting options for Parameter Store operations have been consolidated into the Getting started with Parameter Store section. This includes the topics Managing parameter tiers and Increasing Parameter Store throughput, which have been relocated from other parts of the chapter.

May 18, 2020

New topic for creating date and time strings for interacting with Systems Manager API actions

The new topic Creating formatted date and time strings for Systems Manager describes how to create formatted date and time strings for interacting with Systems Manager API actions.

May 13, 2020

About permissions for encrypting SecureString parameters

The new topic IAM permissions for using AWS default keys and customer managed keys explains the difference between encrypting your SecureString parameters using a customer master key (CMK) and using the default AWS KMS key provided by AWS.

May 13, 2020

Patch Manager now supports the Debian and Oracle Linux 7.6 operating systems

You can now use Patch Manager to patch Debian and Oracle Linux instances. Patch Manager supports patching Debian 8.x and 9.x and Oracle Linux 7.6 versions. For more information, see the following topics:

May 7, 2020

Create State Manager associations that target AWS Resource Groups

In addition to targeting tags, individual instances, and all instances in your AWS account, you can now create State Manager associations that target instances in AWS Resource Groups. For more information, see About targets and rate controls in State Manager associations.

May 7, 2020

New aws:ec2:image data type in Parameter Store to validate AMI IDs

When you create a String parameter, you can now specify a data type as aws:ec2:image to ensure that the parameter value you enter is a valid Amazon Machine Image (AMI) ID format. Support for AMI ID formats lets you avoid updating all your scripts and templates with a new ID each time the AMI that you want to use in your processes changes. You can create a parameter with the data type aws:ec2:image, and for its value, enter the ID of an AMI. This is the AMI from which you currently want new instances to be created. You then reference this parameter in your templates and commands. When you're ready to use a different AMI, update the parameter value. Parameter Store validates the new AMI ID, and you don't need to update your scripts and templates. For more information, see Native parameter support for Amazon Machine Image IDs.

May 5, 2020

Managing exit codes in Run Command commands

Run Command lets you define how exit codes are handled in your scripts. By default, the exit code of the last command run in a script is reported as the exit code for the entire script. However, you can include a shell conditional statement to exit the script if any command before the final one fails. For examples, see the new topic Managing exit codes in Run Command commands.

May 5, 2020

New public parameters released for availability zones and local zones

Public parameters have been released to make information about AWS availability zones and local zones available programmatically. These are in addition to existing global infrastructure public parameters for AWS services and Regions. For more information, see Calling AWS service, Region, endpoint, availability zone, and local zone public parameters.

May 4, 2020

New data source in Explorer: AWS Trusted Advisor

Explorer now displays data from AWS Trusted Advisor. This includes the status of best practice checks and recommendations in the following areas: cost optimization, security, fault tolerance, performance, and service limits. For more information, see the details for setting up Trusted Advisor in Setting up related services.

May 4, 2020

New topic for AppConfig configuration store quotas and limitations

We've added a new topic to help users quickly understand the service quotas and limitations of each AppConfig configuration store. For more information, see About configuration store quotas and limitations.

April 17, 2020

View Amazon CloudWatch alarms for AWS Resource Groups

In addition to the four operations data tabs added to the AWS Resource Groups page in Systems Manager earlier this month, the AWS Resource Groups page now includes a Monitoring tab. This tab shows CloudWatch alarms and dashboards for the resources in the selected group.

These operations data tabs are not available when viewing a group in the AWS Resource Groups service console. You can use the information on these tabs to help you understand which resources in a group are compliant and working correctly and which resources require action. If you need to take action on a resource, you can use Systems Manager Automation runbooks to perform common operations maintenance and troubleshooting tasks. For more information, see Viewing operations Data for AWS Resource Groups.

March 25, 2020

Create State Manager associations that run Chef recipes

You can create State Manager associations that run Chef cookbooks and recipes by using the AWS-ApplyChefRecipes document. This document offers the following benefits for running Chef recipes:

  • Supports multiple releases of Chef (Chef 11 through Chef 14).

  • Automatically installs the Chef client software on target instances.

  • Optionally runs Systems Manager compliance checks on target instances, and stores the results of compliance checks in an S3 bucket.

  • Runs multiple cookbooks and recipes in a single run of the document.

  • Optionally runs recipes in why-run mode, to show which recipes will change on target instances without making changes.

  • Optionally applies custom JSON attributes to chef-client runs.

For more information, see Creating associations that run Chef recipes.

March 19, 2020

Updated "Resource Groups" topic

The topic AWS Resource Groups has been updated to provide more comprehensive information about working with resource groups in Systems Manager, and about using resource groups in your Systems Manager operations.

March 17, 2020

View operations data for AWS Resource Groups

The AWS Resource Groups page in Systems Manager now displays operations data for a selected group on four tabs: Details, Config, CloudTrail, OpsItems. These tabs are not available when viewing a group in the AWS Resource Groups service console. You can use the information on these tabs to help you understand which resources in a group are compliant and working correctly and which resources require action. If you need to take action on a resource, you can use Systems Manager Automation runbooks to perform common operations maintenance and troubleshooting tasks. For more information, see Viewing operations data for AWS Resource Groups.

March 16, 2020

Synchronize inventory data from multiple AWS accounts to a central Amazon S3 bucket

You can synchronize Systems Manager Inventory data from multiple AWS accounts to a central S3 bucket. The accounts must be defined in AWS Organizations. For more information, see Creating an Inventory Resource Data Sync for multiple accounts defined in AWS Organizations.

March 16, 2020

Store AppConfig configurations in Amazon S3

Previously, AppConfig only supported application configurations that were stored in Systems Manager (SSM) documents or Parameter Store parameters. In addition to these options, AppConfig now supports storing configurations in Amazon S3. For more information, see About configurations stored in Amazon S3.

March 13, 2020

SSM Agent installed by default on Amazon ECS-optimized AMIs

SSM Agent is now installed by default on Amazon ECS-Optimized AMIs. For more information, see Working with SSM Agent.

February 25, 2020

Create AppConfig configurations in the console

AppConfig now enables you to create an application configuration in the console at the time you create a configuration profile. For more information, see Create a configuration and a configuration profile.

February 13, 2020

Auto-approve only patches released up to a specified date

In addition to the option for automatically approving patches for installation a specified number of days after they are released, Patch Manager now supports the ability to auto-approve only patches released on or before a date that you specify. For example, if you specify July 7, 2020, as the cutoff date in your patch baseline, no patches released on or after July 8, 2020, are installed automatically. For more information, see About custom baselines and Create a custom patch baseline.

February 12, 2020

Use the {{RESOURCE_ID}} pseudo parameter in maintenance window tasks

When you register a maintenance window task, you specify the parameters that are unique to the task type. You can reference certain values using pseudo parameter syntax, such as {{TARGET_ID}}, {{TARGET_TYPE}}, and {{WINDOW_TARGET_ID}}. When the maintenance window task runs, it passes the correct values instead of the pseudo parameter placeholders. To support resources that are part of a resource group as a target, you can use the {{RESOURCE_ID}} pseudo parameter to pass values for resources such as DynamoDB tables, S3 buckets, and other supported types. For more information, see the following topics in Tutorial: Create and configure a maintenance window (AWS CLI):

February 6, 2020

Quickly rerun commands

Systems Manager includes two options to help you rerun a command from the Run Command page in the AWS Systems Manager console. Rerun: This button enables you to run the same command without making changes to it. Copy to new: This button copies the settings of one command to a new command and gives you the option to edit those settings before you run it. For more information, see Rerunning commands.

February 5, 2020

Reverting from the advanced-instances tier to the standard-instances tier

If you previously configured all on-premises instances running in your hybrid environment to use the advanced-instances tier, you can now quickly configure those instances to use the standard-instances tier. Reverting to the standard-instances tier applies to all hybrid instances in an AWS account and a single AWS Region. Reverting to the standard-instances tier impacts the availability of some Systems Manager capabilities. For more information, see Reverting from the advanced-instances tier to the standard-instances tier.

January 16, 2020

New option to skip instance reboots after patch installation

Previously, managed instances were always rebooted after Patch Manager installed patches on them. A new RebootOption parameter in the SSM document AWS-RunPatchBaseline lets you specify whether or not you want your instances to reboot automatically after new patches are installed. For more information, see Parameter name: RebootOption in the topic About the SSM document AWS-RunPatchBaseline.

January 15, 2020

New topic: 'Running PowerShell scripts on Linux instances'

A new topic that describes how to use Run Command to run PowerShell scripts on Linux instances. For more information, see Running PowerShell scripts on Linux instances.

January 10, 2020

New topic: 'Automation document schema and syntax'

Examples and information about the elements in Schema 0.3, which is used by SSM Automation documents, can now be found in the topic Automation document schema and syntax.

January 10, 2020

Updates to 'configure SSM Agent to use a proxy'

The values to specify when configuring SSM Agent to use a proxy have been updated to reflect options for both HTTP proxy servers and HTTPS proxy servers. For more information, see Configure SSM Agent to use a proxy.

January 9, 2020

New "Security" chapter outlines practices for securing Systems Manager resources

A new Security chapter in the AWS Systems Manager User Guide helps you understand how to apply the shared responsibility model when using Systems Manager. Topics in the chapter show you how to configure Systems Manager to meet your security and compliance objectives. You also learn how to use other AWS services that help you to monitor and secure your Systems Manager resources.

Note

As part of this update, the user guide chapter "Authentication and Access Control" has been replaced by a new, simpler section, Identity and access management for AWS Systems Manager.

December 24, 2019

New sample custom Automation documents

A set of sample custom Automation documents has been added to the user guide. These samples show how to use various Automation actions to simplify deployment, troubleshooting, and maintenance tasks, and are intended to help you write your own custom Automation documents. For more information, see Custom Automation document samples. You can also view Amazon Managed Automation Document content in the Systems Manager Console. For more information, see Systems Manager Automation document details reference.

December 23, 2019

Support for Oracle Linux

Systems Manager now supports Oracle Linux 7.5 and 7.7. For information about manually installing SSM Agent on EC2 instances running Oracle Linux, see Oracle Linux. For information about installing SSM Agent on Oracle Linux servers in a hybrid environment, see Step 6: Install SSM Agent for a hybrid environment (Linux).

December 19, 2019

Add a script from another Automation document to your workflow

When you create an Automation document using a command line tool, you can now add a script that is already used in another document to a step in your new document. (Scripts are used with the aws:executeScript action type.) You can add scripts from Automation documents that you own or that are shared with you from another AWS account. For details, see Creating an Automation document that runs scripts (command line).

December 19, 2019

Launch Session Manager sessions from the Amazon EC2 console

You can now start Session Manager sessions from the Amazon Elastic Compute Cloud (Amazon EC2) console. Working with session-related tasks from the Amazon EC2 console requires different IAM permissions for both users and administrators. You can provide permissions for using the Session Manager console and AWS CLI only, for using the Amazon EC2 console only, or for using all three tools. For more information, see the following topics.

December 18, 2019

CloudWatch support for Run Command metrics and alarms

AWS Systems Manager now publishes metrics about the status of Run Command commands to CloudWatch, enabling you to set alarms based on those metrics. The terminal status values for commands for which you can track metrics include Success, Failed, and Delivery Timed Out. For more information, see Monitoring Run Command metrics using Amazon CloudWatch.

December 17, 2019

New Systems Manager capability: Change Calendar

Use Systems Manager Change Calendar to specify periods of time (events) during which you want to limit or prevent code changes (such as from Systems Manager Automation documents or AWS Lambda functions) to resources. A Change Calendar is a new Systems Manager document type that stores iCalendar 2.0 data in plaintext format. For more information, see AWS Systems Manager Change Calendar.

December 11, 2019

New Systems Manager capability: AWS AppConfig

Use AppConfig to create, manage, and quickly deploy application configurations. AppConfig supports controlled deployments to applications of any size. You can use AppConfig with applications hosted on EC2 instances, AWS Lambda, containers, mobile applications, or IoT devices. To prevent errors when deploying application configurations, AppConfig includes validators. A validator provides a syntactic or semantic check to ensure that the configuration you want to deploy works as intended. During a configuration deployment, AppConfig monitors the application to ensure that the deployment is successful. If the system encounters an error or if the deployment triggers an alarm, AppConfig rolls back the change to minimize impact for your application users. For more information, see AWS AppConfig.

November 25, 2019

Changes to left navigation in Systems Manager console

You can now find AWS Resource Groups and Parameter Store under Application Management. To view the documentation for these capabilities, see AWS Systems Manager Application Management.

November 25, 2019

New Systems Manager capability: Systems Manager Explorer

AWS Systems Manager Explorer is a customizable operations dashboard that reports information about your AWS resources. Explorer displays an aggregated view of operations data (OpsData) for your AWS accounts and across Regions. In Explorer, OpsData includes metadata about your EC2 instances, patch compliance details, and operational work items (OpsItems). Explorer provides context about how OpsItems are distributed across your business units or applications, how they trend over time, and how they vary by category. You can group and filter information in Explorer to focus on items that are relevant to you and that require action. When you identify high priority issues, you can use Systems Manager OpsCenter to run Automation runbooks and quickly resolve those issues. For information, see AWS Systems Manager Explorer.

Note

Setup for Systems Manager OpsCenter is integrated with setup for Explorer. If you already set up OpsCenter, you still need to complete Integrated Setup to verify settings and options. If you have not set up OpsCenter, then you can use Integrated Setup to get started with both capabilities. For more information, see Getting started with Explorer and OpsCenter.

November 18, 2019

Improved parameter search capabilities

The tools for searching for parameters now make it easier to find parameters when you have a large number of them in your account or when you do not remember the exact name of a parameter. The search tool now lets you filter by contains. Previously, the search tools supported searching for parameter names only by equals and begins-with. For more information, see Searching for Systems Manager parameters.

November 15, 2019

New console-based Document Builder for Automation | Support for running scripts in Automation steps

You can now use Systems Manager Automation to build and share standardized operational playbooks to ensure consistency across users, accounts, and AWS Regions. With this ability to run scripts and add inline documentation to your Automation documents using Markdown, you can reduce errors and eliminate manual steps such as navigating written procedures in wikis and running terminal commands.

For more information, see the following topics.

November 14, 2019

Perform an in-place package update using Distributor

Previously, when you wanted to install an update to a package using Distributor, your only choice was to uninstall the entire package and reinstall the new version. Now you can choose to perform an in-place update instead. During an in-place update, Distributor installs only files that are new or changed since the last installation, according to the update script you include in your package. With this option, your package application can remain available and not be taken offline during the update. For more information, see the following topics.

November 11, 2019

New SSM Agent auto update feature

With one click, you can configure all instances in your AWS account to automatically check for and download new versions of SSM Agent. To do this, choose Agent auto update on the Managed instances page in the AWS Systems Manager console. For information, see Automate updates to SSM Agent.

November 5, 2019

Restrict Session Manager access using AWS-supplied tags

A second method for controlling user access to session actions is now available. This new method lets you create IAM access policies using AWS-supplied session tags instead of using the {aws:username} variable. Using these AWS-supplied session tags makes it possible for organizations that use federated IDs to control user access to sessions. For information, see Allow a user to terminate only sessions they started.

October 2, 2019

New Ansible SSM document: AWS-ApplyAnsiblePlaybooks

You can create State Manager associations that run Ansible Playbooks by using the AWS-ApplyAnsiblePlaybooks document. This document offers the following benefits for running Playbooks:

  • Support for running complex Playbooks

  • Support for downloading Playbooks from GitHub and Amazon Simple Storage Service (Amazon S3)

  • Support for compressed Playbook structure

  • Enhanced logging

  • Ability to specify which Playbook to run when Playbooks are bundled

For more information, see Creating associations that run Ansible playbooks.

September 24, 2019

Port forwarding support for Session Manager

Session Manager now supports port forwarding sessions. Port forwarding allows you to securely create tunnels between your instances deployed in private subnets, without the need to start the SSH service on the server, to open the SSH port in the security group, or to use a bastion host. Similar to SSH tunnels, port forwarding allows you to forward traffic between your laptop and open ports on your instance. Once port forwarding is configured, you can connect to the local port and access the server application running inside the instance. For more information, see the following topics:

August 29, 2019

Specify a default parameter tier or automate tier selection

You can now specify a default parameter tier to use for requests to create or update a parameter that do not specify a tier. You can set the default tier to standard parameters, advanced parameters, or a new option, Intelligent-Tiering. Intelligent-Tiering evaluates each PutParameter request and creates an advanced parameter only when required. (Advanced parameters are required if the size of the parameter value is more than 4 KB, a parameter policy is associated with the parameter, or the maximum 10,000 parameters supported for the standard tier are already created.) For more information about specifying a default tier and using Intelligent-Tiering, see Specifying a default parameter tier.

August 27, 2019

Working with associations section updated with CLI and PowerShell procedures

The Working with Associations section has been updated to include procedural documentation for managing associations using the AWS CLI or AWS Tools for PowerShell. For information, see Working with associations in Systems Manager.

August 26, 2019

Working with Automation executions section updated with CLI and PowerShell procedures

The Working with Automation Executions section has been updated to include procedural documentation for running Automation workflows using the AWS CLI or AWS Tools for PowerShell. For information, see Working with Automation executions.

August 20, 2019

OpsCenter integrates with application insights

OpsCenter integrates with Amazon CloudWatch Application Insights for .NET and SQL Server. This means you can automatically create OpsItems for problems detected in your applications. For information about how to configure Application Insights to create OpsItems, see Setting up your application in the Amazon CloudWatch User Guide.

August 7, 2019

New console feature: AWS Systems Manager Quick Setup

Quick Setup is a new feature in the Systems Manager console that helps you quickly configure several Systems Manager components on your EC2 instances. Specifically, Quick Setup helps you configure the following components on the instances you choose or target by using tags:

  • An AWS Identity and Access Management (IAM) instance profile role for Systems Manager.

  • A scheduled, bi-monthly update of SSM Agent.

  • A scheduled collection of Inventory metadata every 30 minutes.

  • A daily scan of your instances to identify missing patches.

  • A one-time installation and configuration of the Amazon CloudWatch agent.

  • A scheduled, monthly update of the CloudWatch agent.

For more information, see AWS Systems Manager Quick Setup.

August 7, 2019

Register a resource group as a maintenance window target

In addition to registering managed instances as the target of a maintenance window, you can now register a resource group as a maintenance window target. Maintenance Windows supports all the AWS resource types that are supported by AWS Resource Groups including AWS::EC2::Instance, AWS::DynamoDB::Table, AWS::OpsWorks::Instance, AWS::Redshift::Cluster, and more. With this release you can also send commands to a resource group, for example by using the Run Command console or the AWS CLI send-command command. For more information, see the following topics:

July 23, 2019

Simplified package creation and versioning with AWS Systems Manager Distributor

Distributor has a new, simplified package creation workflow that can generate a package manifest, scripts, and file hashes for you. You can also use the simplified workflow when you add a version to an existing package.

July 22, 2019

New document categories pane for Systems Manager Automation

Systems Manager includes a new Document categories pane when you run an Automation in the console. Use this pane to filter Automation documents based on their purpose.

July 18, 2019

Verify user permissions to access the default Session Manager configuration document

When a user in your account uses the AWS CLI to start a Session Manager session and doesn't specify a configuration document in the command, Systems Manager uses the default configuration document SSM-SessionManagerRunShell. You can now verify that the user has been granted permission to access this document by adding a condition element for ssm:SessionDocumentAccessCheck to the IAM user's policy. For information, see Enforce document permission check for default CLI scenario.

July 9, 2019

Support for starting Session Manager sessions using operating system user credentials

By default, Session Manager sessions are launched using the credentials of a system-generated ssm-user account that is created on a managed instance. On Linux machines, you can now instead launch sessions using the credentials of an operating system account. For information, see Enable Run As support for Linux instances.

July 9, 2019

Support for starting Session Manager sessions using SSH

You can now use the AWS CLI to start an SSH session on a managed instance using Session Manager. For information about enabling SSH sessions with Session Manager, see (Optional) Enable SSH Session Manager sessions. For information about starting an SSH session using Session Manager, see Starting a session (SSH).

July 9, 2019

Support for changing passwords on managed instances

You can now reset passwords on machines that you manage using Systems Manager (managed instances). You can reset the password using the Systems Manager console or the AWS CLI. For information, see Resetting passwords on managed instances.

July 9, 2019

Revisions to "What is AWS Systems Manager?"

The introductory content in What is AWS Systems Manager? has been expanded to provide a broader introduction to the service and reflect Systems Manager capabilities that have been released recently. In addition, other content in the section has been moved into individual topics for better discoverability.

June 10, 2019

New Systems Manager capability: OpsCenter

OpsCenter provides a central location where operations engineers and IT professionals can view, investigate, and resolve operational work items (OpsItems) related to AWS resources. OpsCenter is designed to reduce mean time to resolution for issues impacting AWS resources. This Systems Manager capability aggregates and standardizes OpsItems across services while providing contextual investigation data about each OpsItem, related OpsItems, and related resources. OpsCenter also provides Systems Manager Automation documents (runbooks) that you can use to quickly resolve issues. You can specify searchable, custom data for each OpsItem. You can also view automatically-generated summary reports about OpsItems by status and source. For more information, see AWS Systems Manager OpsCenter.

June 6, 2019

Changes to Systems Manager left navigation pane in the AWS Management Console

The Systems Manager left navigation pane in the AWS Management Console includes new headings, including a new heading for Ops Center, that provide a more logical grouping of Systems Manager capabilities.

June 6, 2019

Revised tutorial for creating and configuring a maintenance window using the AWS CLI

Tutorial: Create and configure a maintenance window (AWS CLI) has been overhauled to provide a simple path through the practice steps. You create a single maintenance window, identify a single target, and set up a simple task for the maintenance window to run. Along the way, we provide information and examples you can use to create your own task registration commands, including information for using pseudo parameters such as {{TARGET_ID}}. For additional information and examples, see the following topics:

May 31, 2019

Notifications about SSM Agent updates

To be notified about SSM Agent updates, subscribe to the SSM Agent Release Notes page on GitHub.

May 24, 2019

Receive notifications or trigger actions based on changes in Parameter Store

The topic Set up notifications or trigger actions based on Parameter Store events now helps you set up Amazon CloudWatch Events rules to respond to changes in Parameter Store. You can receive notifications or trigger other actions when any of the following occur:

  • A parameter is created, updated, or deleted.

  • A parameter label version is created, updated, or deleted.

  • A parameter expires, is going to expire, or hasn't changed in a specified period of time.

May 22, 2019

Major revisions to setting up and getting started content

We have expanded and reorganized the Setting Up and Getting Started content in the AWS Systems Manager User Guide. Setting Up content has been divided into two sections. One section focuses on tasks for setting up Systems Manager to configure and manage your EC2 instances. The other focuses on tasks for setting up Systems Manager to configure and manage your on-premises servers and virtual machines (VMs) in a hybrid environment. Both sections now present all setup topics as major numbered steps, in the recommended order of completion. A new Getting Started chapter focuses on helping end-users get started with Systems Manager after account and service configuration tasks have been completed.

May 15, 2019

Include patches for Microsoft applications in patch baselines (Windows)

Patch Manager now supports patch updates for Microsoft applications on Windows Server instances. Previously, only patches for the Windows Server operating system were supported. Patch Manager provides two predefined patch baselines for Windows Server instances. The patch baseline AWS-WindowsPredefinedPatchBaseline-OS applies to operating system patches only. AWS-WindowsPredefinedPatchBaseline-OS-Applications applies to both the Windows Server operating system and Microsoft applications on Windows. For information about creating a custom patch baseline that includes patches for Microsoft applications, see the first procedure in Create a custom patch baseline. Also, as part of this update, the names of AWS-provided predefined patch baselines are being changed. For more information, see Predefined baselines.

May 7, 2019

Examples for registering maintenance window targets using the AWS CLI

The new topic Examples: Register targets with a maintenance window provides three sample commands to demonstrate different ways you can specify the targets for a maintenance window when you use the AWS CLI. The topic also explains the best use case for each of the sample commands.

May 3, 2019

Updates to patch group topics

The topic About patch groups has been updated to include a section on how managed instances determine the appropriate patch baseline to use during patching operations. Additionally, instructions have been added for using the AWS CLI or Systems Manager console to add Patch Group tags to your managed instances and to add a Patch Group to a patch baseline. For more information, see Create a patch group and Add a patch group to a patch baseline.

May 1, 2019

New Parameter Store features

Parameter Store offers the following new features:

  • Advanced parameters: Parameter Store now enables you to individually configure parameters to use either a standard-parameter tier (the default tier) or an advanced-parameter tier. Advanced parameters offer a larger size limit for the parameter value, a higher limit for the number of parameters you can create per account and Region, and the ability to use parameter policies. For more information about advanced parameters, see About Systems Manager advanced parameters.

  • Parameter policies: Parameter policies help you manage a growing set of parameters by enabling you to assign specific criteria to a parameter, such as an expiration date or time to live. Parameter policies are especially helpful in forcing you to update or delete passwords and configuration data stored in Parameter Store. Parameter policies are only available for parameters that use the advanced-parameter tier. For more information, see Working with parameter policies.

  • Higher throughput: You can now increase the Parameter Store throughput limit to a maximum of 1,000 transactions per second. For more information, see Increasing Parameter Store throughput.

April 25, 2019

Updates to the Automation section

The Automation section has been updated for improved discoverability. In addition, three new topics have been added to the Automation section:

April 17, 2019

Encrypt session data using an AWS KMS key

By default, Session Manager uses TLS 1.2 to encrypt session data transmitted between the local machines of users in your account and your EC2 instances. Now you can choose to further encrypt that data using a customer master key (CMK) that has been created in AWS Key Management Service. You can use a key that has been created in your AWS account or one that has been shared with you from another account. For information about specifying a CMK to encrypt session data, see Enable AWS KMS key encryption of session data (console), Create Session Manager preferences (AWS CLI), or Update Session Manager preferences (AWS CLI).

April 4, 2019

Configuring Amazon SNS notifications for AWS Systems Manager

Added instructions for using the AWS CLI or Systems Manager console to configure Amazon SNS notifications for Run Command and Run Command tasks registered to a maintenance window. For more information, see Configuring Amazon SNS notifications for AWS Systems Manager.

March 6, 2019

Advanced instances for servers and VMs in hybrid environments

AWS Systems Manager offers a standard-instances tier and an advanced-instances tier for servers and VMs in your hybrid environment. The standard-instances tier enables you to register a maximum of 1,000 servers or VMs per AWS account per AWS Region. If you need to register more than 1,000 servers or VMs in a single account and Region, then use the advanced-instances tier. You can create as many instances as you like in the advanced-instances tier, but all instances configured for Systems Manager are available on a pay-per-use basis. Advanced instances also enable you to connect to your hybrid machines by using AWS Systems Manager Session Manager. Session Manager provides interactive shell access to your instances. For more information about enabling advanced instances, see Using the advanced-instances tier.

March 4, 2019

Create State Manager associations that use shared SSM documents

You can create State Manager associations that use SSM Command and Automation documents shared from other AWS accounts. Creating associations by using shared SSM documents helps to keep your Amazon EC2 and hybrid infrastructure in a consistent state even when instances are not in the same account. For information about sharing SSM documents, see AWS Systems Manager Documents. For information about creating a State Manager association, see Create an association.

February 28, 2019

View lists of Systems Manager events supported for Amazon CloudWatch Events rules

The new topic Monitoring Systems Manager events with Amazon CloudWatch Events provides a summary of the various events emitted by Systems Manager for which you can set up event monitoring rules in CloudWatch Events.

February 25, 2019

Add tags when you create Systems Manager resources

Systems Manager now supports the ability to add tags to certain resource types when you create them. The resources you can tag when you create them with the AWS CLI or an SDK include maintenance windows, patch baselines, Parameter Store parameters, and SSM documents. You can also assign tags to a managed instance when you create an activation for it. When you use the Systems Manager console, you can add tags to maintenance windows, patch baselines, and parameters.

February 24, 2019

Automatic IAM role creation for Systems Manager Inventory

Previously you had to create an AWS Identity and Access Management (IAM) role and attach separate policies to this role to view inventory data on the Inventory Detail View page in the console. You no longer need to create this role or attach policies to it. When you choose a Remote Data Sync on the Inventory Detail View page, Systems Manager automatically creates the Amazon-GlueServicePolicyForSSM role and assigns the Amazon-GlueServicePolicyForSSM-{S3 bucket name} policy and the AWSGlueServiceRole policy to it. For more information, see Querying inventory data from multiple Regions and accounts.

February 14, 2019

Maintenance Windows walkthroughs to update SSM Agent

Added two new walkthroughs to the Maintenance Windows documentation. The walkthroughs detail how to use the Systems Manager console or the AWS CLI to create a maintenance window that keeps SSM Agent up-to-date automatically. For more information, see Maintenance Windows walkthroughs.

February 11, 2019

Using Parameter Store public parameters

Added short section describing Parameter Store public parameters. For more information, see Using Systems Manager public parameters.

January 31, 2019

Use the AWS CLI to create Session Manager preferences

Added instructions for using the AWS CLI to create Session Manager preferences, such as CloudWatch Logs, S3 bucket logging options, and session encryption settings. For more information, see Use the AWS CLI to create Session Manager preferences.

January 22, 2019

Executing Systems Manager automation workflows by using State Manager

AWS Systems Manager State Manager now supports creating associations that use SSM Automation documents. State Manager previously supported only command and policy documents, which meant that you could only create associations that targeted managed instances. With support for SSM Automation documents, you can now create associations that target different types of AWS resources. For more information, see Executing Systems Manager Automation workflows by using State Manager.

January 22, 2019

Reference updates for cron and rate expressions and maintenance window scheduling options

The reference topic Cron and rate expressions for Systems Manager has been revised. The new version provides more examples and improved explanations of how to use cron and rate expressions to schedule your maintenance windows and State Manager associations. In addition, the new topic Maintenance Windows scheduling and active period options explains how the various schedule-related options for maintenance windows (Start date, End date, Time zone, Schedule frequency) relate to one another.

December 6, 2018

Updates to the Systems Manager prerequisites topic

The Systems Manager prerequisites topic has been updated to provide information about supported operating system versions in a more detailed tabular format, along with other changes in the page for improved readability.

December 4, 2018

Enable SSM Agent debug logging

You can enable SSM Agent debug logging by editing the seelog.xml.template file on the managed instance. For more information, see Enable SSM Agent debug logging.

November 30, 2018

Support for ARM64 processor architectures

AWS Systems Manager now supports ARM64 versions of the Amazon Linux 2, Red Hat Enterprise Linux 7.6, and Ubuntu Server (18.04 LTS and 16.04 LTS) operating systems. For more information, see the instructions for installing Amazon Linux 2, RHEL, and Ubuntu Server 18.04 and 16.04 LTS with Snap packages. For more information about the A1 instance type, see General purpose instances in the Amazon EC2 User Guide for Linux Instances.

November 26, 2018

Create and deploy packages by using AWS Systems Manager Distributor

AWS Systems Manager Distributor lets you package your own software—or find AWS-provided agent software packages, such as AmazonCloudWatchAgent—to install on AWS Systems Manager managed instances. Distributor publishes resources, such as software packages, to AWS Systems Manager managed instances. Publishing a package advertises specific versions of the package's document—a Systems Manager document that you create when you add the package in Distributor—to managed instances that you identify by managed instance IDs, AWS account IDs, tags, or an AWS Region. For more information, see AWS Systems Manager Distributor.

November 20, 2018

Concurrently run AWS Systems Manager Automation workflows across multiple AWS Regions and AWS accounts from a central account

You can concurrently run AWS Systems Manager automation workflows across multiple AWS Regions and AWS accounts or AWS Organizational Units (OUs) from an Automation management account. Concurrently executing Automations in multiple Regions and accounts or OUs reduces the time required to administer your AWS resources while enhancing the security of your computing environment. For more information, see Executing Automation workflows in multiple AWS Regions and accounts.

November 19, 2018

Query inventory data from multiple AWS Regions and accounts

Systems Manager Inventory integrates with Amazon Athena to help you query inventory data from multiple AWS Regions and accounts. Athena integration uses Resource Data Sync so that you can view inventory data from all of your managed instances on the Inventory Detail View page in the AWS Systems Manager console. For more information, see Querying Inventory data from multiple Regions and accounts.

November 15, 2018

Create State Manager associations that run MOF files

You can run Managed Object Format (MOF) files to enforce a desired state on Windows Server managed instances with State Manager by using the AWS-ApplyDSCMofs SSM document. The AWS-ApplyDSCMofs document has two execution modes. With the first mode, you can configure the association to scan and report if the managed instances are currently in the desired state defined in the specified MOF files. In the second mode, you can run the MOF files and change the configuration of your instances based on the resources and their values defined in the MOF files. The AWS-ApplyDSCMofs document enables you to download and run MOF configuration files from Amazon Simple Storage Service (Amazon S3), a local share, or from a secure web site with an HTTPS domain. For more information, see Creating associations that run MOF files.

November 15, 2018

Restrict administrative access in Session Manager sessions

Session Manager sessions are launched using the credentials of a user account called ssm-user, which is created with default root or administrator privileges. Information about restricting administrative control for this account is now available in the topic Disable or enable ssm-user account administrative permissions.

November 13, 2018

YAML examples in Automation actions reference

The Automation actions reference now includes a YAML sample for each action that already includes a JSON sample.

October 31, 2018

Assign compliance severity levels to associations

You can now assign compliance severity levels to State Manager associations. These severity levels are reported in the Compliance Dashboard and can also be used to filter your compliance reports. The severity levels you can assign include Critical, High, Medium, Low, and Unspecified. For more information, see Create an association (console).

October 26, 2018

Use targets and rate controls with Automation and State Manager

Control the execution of Automations and State Manager associations across your fleet of resources by using targets, concurrency, and error thresholds. For more information, see Using targets and rate controls to run Automation workflows on a fleet and Using targets and rate controls with State Manager associations.

October 23, 2018

Specify active time ranges and international time zones for maintenance windows

You can also specify dates that a maintenance window should not run before or after (start date and end date), and you can specify the international time zone on which to base the maintenance window schedule. For more information, see Create a maintenance window (console) and Update a maintenance window (AWS CLI).

October 9, 2018

Maintain a custom list of patches for your patch baseline in an S3 bucket

The new 'InstallOverrideList' parameter in the SSM document 'AWS-RunPatchBaseline' lets you specify an https URL or an Amazon Simple Storage Service (Amazon S3) path-style URL to a list of patches to be installed. This patch installation list, which you maintain in an S3 bucket in YAML format, overrides the patches specified by the default patch baseline. For more information, see Parameter name: InstallOverrideList.

October 5, 2018

Expanded control over whether patch dependencies are installed

Previously, if a patch in your Rejected patches list was identified as a dependency of another patch, it would still be installed. Now you can choose whether to install these dependencies or block them from being installed. For more information, see Create a patch baseline.

October 5, 2018

Create dynamic automation workflows with conditional branching

The aws:branch Automation action enables you to create a dynamic Automation workflow that evaluates multiple choices in a single step and then jumps to a different step in the Automation document based on the results of that evaluation. For more information, see Creating dynamic Automation workflows with conditional branching.

September 26, 2018

Use the AWS CLI to update Session Manager preferences

Instructions for using the CLI to update Session Manager preferences, such as CloudWatch Logs and S3 bucket logging options, have been added to the AWS Systems Manager User Guide. For information, see Use the AWS CLI to update Session Manager preferences.

September 25, 2018

Set up patching options more easily with the new 'Configure patching' page

Patch Manager has been updated with a new system for setting up patching configurations. On the Configure patching page, you can specify multiple patching options in a single location, including associating a maintenance window with a patching configuration and changing the patch baseline associated with a patch group. For more information, see About patching configurations and Create a patching configuration.

September 22, 2018

Updated SSM Agent requirement for Session Manager

Session Manager now requires SSM Agent version 2.3.68.0 or later. For more information about Session Manager prerequisites, see Complete Session Manager prerequisites.

September 17, 2018

Manage instances without opening inbound ports or maintaining bastion hosts using Session Manager

Now available, Session Manager is a fully managed AWS Systems Manager capability that lets you manage your EC2 instances through an interactive one-click browser-based shell or through the AWS CLI. Session Manager provides secure and auditable instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys. Session Manager also makes it easy to comply with corporate policies that require controlled access to instances, strict security practices, and fully auditable logs with instance access details, while still providing end users with simple one-click cross-platform access to your EC2 instances. For more information, see Learn more about Session Manager.

September 11, 2018

Invoking other AWS services from a Systems Manager Automation workflow

You can invoke other AWS services and other Systems Manager capabilities in your Automation workflow by using three new Automation actions (or plugins) in your Automation documents. For more information, see Invoking other AWS services from a Systems Manager Automation workflow.

August 28, 2018

Use Systems Manager-specific condition keys in IAM policies

The topic Specifying conditions in a policy has been updated to list the IAM condition keys for Systems Manager that you can incorporate in policies. You can use these keys to specify the conditions under which a policy should take effect. The topic also includes links to example policies and other related topics.

August 18, 2018

Aggregate inventory data with groups to see which instances are and aren't configured to collect an inventory type

Groups enable you to quickly see a count of which managed instances are and aren’t configured to collect one or more Inventory types. With groups, you specify one or more Inventory types and a filter that uses the exists operator. For more information, see Aggregating Inventory data.

August 16, 2018

View history and change tracking for Inventory and Configuration Compliance

You can now view history and change tracking for Inventory collected from your managed instances. You can also view history and change tracking for Patch Manager patching and State Manager associations reported by Configuration Compliance. For more information, see Viewing Inventory history and change tracking.

August 9, 2018

Systems Manager service-linked role extends support for maintenance window tasks

The Maintenance Windows service requires a set of IAM permissions in order to run maintenance window tasks on your instances. Previously, the only option was to create a custom IAM role to supply these permissions. The service-linked role for Systems Manager has now been enhanced to provide these permissions, giving you two IAM role options. For more information, see Should I use a service-linked role or a custom service role to run maintenance window tasks?

August 2, 2018

Parameter Store integrates with Secrets Manager

Parameter Store is now integrated with AWS Secrets Manager so that you can retrieve Secrets Manager secrets when using other AWS services that already support references to Parameter Store parameters. These services include Amazon EC2, Amazon Elastic Container Service, AWS Lambda, AWS CloudFormation, AWS CodeBuild, AWS CodeDeploy, and other Systems Manager capabilities. By using Parameter Store to reference Secrets Manager secrets, you create a consistent and secure process for calling and using secrets and reference data in your code and configuration scripts. For information, see Referencing AWS Secrets Manager secrets from Parameter Store parameters.

July 26, 2018

Attach labels to Parameter Store parameters

A parameter label is a user-defined alias to help you manage different versions of a parameter. When you modify a parameter, Systems Manager automatically saves a new version and increments the version number by one. A label can help you remember the purpose of a parameter version when there are multiple versions. For information, see Labeling parameters.

July 26, 2018

Create dynamic Automation workflows

By default, the steps (or actions) that you define in the mainSteps section of an Automation document run in sequential order. After one action completes, the next action specified in the mainSteps section begins. With this release, you can now create Automation workflows that perform conditional branching. This means that you can create Automation workflows that dynamically respond to condition changes and jump to a specified step. For information, see Creating dynamic Automation workflows.

July 18, 2018

SSM Agent now pre-installed on Ubuntu Server 16.04 AMIs using Snap

Beginning with instances created from Ubuntu Server 16.04 AMIs identified with 20180627, the SSM Agent is pre-installed using Snap packages. On instances created from earlier AMIs, you should continue using deb installer packages. For information, see About SSM Agent installations on 64-bit Ubuntu Server 16.04 instances.

July 7, 2018

Review minimum S3 permissions required by SSM Agent

The new topic Minimum S3 bucket permissions for SSM Agent provides information about the Amazon Simple Storage Service (Amazon S3) buckets that resources might need to access to perform Systems Manager operations. You can specify these buckets in a custom policy if you want to limit S3 bucket access for an instance profile or VPC endpoint to the minimum required to use Systems Manager.

July 5, 2018

View complete execution history for a specific State Manager association ID

The new topic Viewing association histories describes how to view all executions for a specific association ID and then view execution details for one or more resources.

July 2, 2018

Patch Manager introduces support for Amazon Linux 2

You can now use Patch Manager to apply patches to Amazon Linux 2 instances. For general information about Patch Manager operating system support, see Patch Manager prerequisites. For information about the supported key-value pairs for Amazon Linux 2 when defining a patch filter, see PatchFilter in the AWS Systems Manager API Reference.

June 26, 2018

Send command output to Amazon CloudWatch Logs

The new topic Configuring Amazon CloudWatch Logs for Run Command describes how to send Run Command output to CloudWatch Logs.

June 18, 2018

Quickly create or delete Resource Data Sync for Inventory by using AWS CloudFormation

You can use AWS CloudFormation to create or delete a Resource Data Sync for Systems Manager Inventory. To use AWS CloudFormation, add the AWS::SSM::ResourceDataSync resource to your AWS CloudFormation template. For more information, see Working with AWS CloudFormation Templates in the AWS CloudFormation User Guide. You can also manually create a Resource Data Sync for Inventory as described in Configuring Resource Data Sync for Inventory.

June 11, 2018

AWS Systems Manager User Guide update notifications now available through RSS

The HTML version of the Systems Manager User Guide now supports an RSS feed of updates that are documented in the Systems Manager Documentation update history page. The RSS feed includes updates made in June, 2018, and later. Previously announced updates are still available in the Systems Manager documentation update history page. Use the RSS button in the top menu panel to subscribe to the feed.

June 6, 2018

Specify an exit code in scripts to reboot managed instances

The new topic Rebooting managed instances from scripts describes how to instruct Systems Manager to reboot managed instances by specifying an exit code in scripts that you run with Run Command.

June 3, 2018

Create an event in Amazon CloudWatch Events whenever custom inventory is deleted

The new topic Viewing inventory delete actions in CloudWatch Events describes how to configure Amazon CloudWatch Events to create an event anytime a user deletes custom Inventory.

June 1, 2018

Earlier updates

The following table describes important changes in each release of the AWS Systems Manager User Guide before June 2018.

Change Description Release date
Inventory all managed instances in your AWS account

You can easily inventory all managed instances in your AWS account by creating a global inventory association. For more information, see Inventory all managed instances in your AWS account.

Note

Global inventory associations are available in SSM Agent version 2.0.790.0 or later. For information about how to update SSM Agent on your instances, see Update SSM Agent by using Run Command.

May 3, 2018
SSM Agent installed by default on Ubuntu Server 18

SSM Agent is installed, by default, on Ubuntu Server 18.04 LTS 64-bit and 32-bit AMIs.

May 2, 2018
New topic

The new topic Running commands using the document version parameter describes how to use the document-version parameter to specify which version of an SSM document to use when the command runs.

May 1, 2018
New topic

The new topic Deleting custom inventory describes how to delete custom Inventory data from Amazon S3 by using the AWS CLI. The topic also describes how to use the SchemaDeleteOption to manage custom inventory by disabling or deleting a custom inventory type. This new feature uses the DeleteInventory API action.

April 19, 2018
Amazon SNS notifications for SSM Agent

You can subscribe to an Amazon SNS topic to receive notifications when a new version of SSM Agent is available. For more information, see Subscribe to SSM Agent notifications.

April 9, 2018
CentOS patching support

Systems Manager now supports patching CentOS instances. For information about supported CentOS versions, see Patch Manager prerequisites. For more information about how patching works, see How Patch Manager operations work.

March 29, 2018
New section

To provide a single source for reference information in the AWS Systems Manager User Guide, a new section has been introduced, AWS Systems Manager reference. Additional content will be added to this section as it becomes available.

March 15, 2018
New topic

The new topic About package name formats for approved and rejected patch lists details the package name formats you can enter in the lists of approved patches and rejected patches for a custom patch baseline. Sample formats are provided for each operating system type supported by Patch Manager.

March 9, 2018
New topic

Systems Manager now integrates with Chef InSpec. InSpec is an open-source, runtime framework that enables you to create human-readable profiles on GitHub or Amazon S3. Then you can use Systems Manager to run compliance scans and view compliant and noncompliant instances. For more information, see Using Chef InSpec profiles with Systems Manager Compliance.

March 7, 2018
New topic

The new topic Using service-linked roles for Systems Manager describes how to use an AWS Identity and Access Management (IAM) service-linked role with Systems Manager. Currently, service-linked roles are only required when using Systems Manager Inventory to collect metadata about tags and Resource Groups.

February 27, 2018
New and updated topics

You can now use Patch Manager to install patches that are in a different source repository than the default one configured on the instance. This is useful for patching instances with updates not related to security; with the content of Personal Package Archives (PPA) for Ubuntu Server; with updates for internal corporate applications; and so on. You specify alternative patch source repositories when you create a custom patch baseline. For more information, see the following topics:

In addition, you can now use Patch Manager to patch SUSE Linux Enterprise Server instances. Patch Manager supports patching SLES 12.* versions (64-bit only). For more information, see the SLES-specific information in the following topics:

February 6, 2018
New topic

The new topic Upgrade the Python requests module on Amazon Linux instances that use a proxy server provides instructions for ensuring that instances created using an Amazon Linux AMI have been updated with a current version of the Python requests module. This requirement is to ensure compatibility with Patch Manager.

January 12, 2018
New topic

The new topic About SSM documents for patching instances describes the seven SSM documents currently available to help you keep your managed instances patched with the latest security-related updates.

January 10, 2018
Important updates regarding Linux support

Updated various topics with the following information:

  • SSM Agent is installed, by default, on Amazon Linux base AMIs dated 2017.09 and later.

  • You must manually install SSM Agent on other versions of Linux, including non-base images like Amazon ECS-Optimized AMIs.

January 9, 2018
New topic

A new topic, About the SSM document AWS-RunPatchBaseline, provides details of how this SSM document operates on both Windows and Linux systems. It also provides information about the two available parameters in the AWS-RunPatchBaseline document, Operation and Snapshot ID.

January 5, 2018
New topics

A new section, How Patch Manager operations work, provides technical details that explain how Patch Manager determines which security patches to install and how it installs them on each supported operating system. It also provides information about how patch baseline rules work on different distributions of the Linux operating system.

January 2, 2018
Retitled and moved the Systems Manager Automation Actions Reference

Based on customer feedback, the Automation Actions Reference is now called the Systems Manager Automation Document Reference. Furthermore, we moved the reference into the Shared Resources > Documents node so it is closer to the Systems Manager Command document plugin reference. For more information, see Systems Manager Automation actions reference.

December 20, 2017

New Monitoring chapter and content

A new chapter, Monitoring AWS Systems Manager, provides instructions for sending metrics and log data to Amazon CloudWatch Logs. A new topic, Sending instance logs to CloudWatch Logs (CloudWatch agent), provides instructions for migrating on-instance monitoring tasks, on 64-bit Windows Server instances only, from SSM Agent to the CloudWatch agent.

December 14, 2017

New chapter

A new chapter, Identity and access management for AWS Systems Manager, provides comprehensive information about using AWS Identity and Access Management (IAM) and AWS Systems Manager to help secure access to your resources through the use of credentials. These credentials provide the permissions required to access AWS resources, such as accessing data stored in S3 buckets and sending commands to and reading the tags on EC2 instances.

December 11, 2017

Changes to the left navigation

We changed the headings in the left navigation of this user guide to match the headings in the new AWS Systems Manager console.

December 8, 2017

Multiple changes for re:Invent 2017

  • Official launch of AWS Systems Manager: AWS Systems Manager (formerly Amazon EC2 Systems Manager) is a unified interface that allows you to easily centralize operational data and automate tasks across your AWS resources. You can access the new AWS Systems Manager console here. For more information, see What is AWS Systems Manager?

  • YAML Support: You can create SSM documents in YAML. For more information, see AWS Systems Manager documents.

November 29, 2017

Using Run Command to Take VSS-Enabled Snapshots of EBS Volumes

Using Run Command, you can take application-consistent snapshots of all Amazon Elastic Block Store (Amazon EBS) volumes attached to your Amazon EC2 Windows instances. The snapshot process uses the Windows Volume Shadow Copy Service (VSS) to take image-level backups of VSS-aware applications, including data from pending transactions between these applications and the disk. Furthermore, you don't need to shut down your instances or disconnect them when you need to back up all attached volumes. For more information, see Using Run Command to Take VSS-Enabled Snapshots of EBS Volumes in the Amazon EC2 User Guide for Windows Instances.

November 20, 2017

Enhanced Systems Manager Security Available By Using VPC Endpoints

You can improve the security posture of your managed instances (including managed instances in your hybrid environment) by configuring Systems Manager to use an interface VPC endpoint. Interface endpoints are powered by PrivateLink, a technology that enables you to privately access Amazon EC2 and Systems Manager APIs by using private IP addresses. PrivateLink restricts all network traffic between your managed instances, Systems Manager, and EC2 to the Amazon network (managed instances don't have access to the Internet). Also, you don't need an Internet gateway, a NAT device, or a virtual private gateway. For more information, see (Optional) Create a Virtual Private Cloud endpoint.

November 7, 2017

Inventory Support for Files, Services, Windows Roles, and the Windows Registry

SSM Inventory now supports gathering the following information from your managed instances.

  • Files: Name, size, version, installed date, modification and last accessed times, etc.

  • Services: Name, display name, status, dependent services, service type, start type, etc.

  • Windows Registry: Registry key path, value name, value type, and value.

  • Windows roles: Name, display name, path, feature type, installed state, etc.

Before you attempt to collect information for these inventory types, update SSM Agent on the instances you want to inventory. By running the latest version of SSM Agent, you ensure that you can collect metadata for all supported inventory types. For information about how to update SSM Agent by using State Manager, see Automatically update SSM Agent (CLI).

For more information about Inventory, see Learn more about Systems Manager Inventory.

November 6, 2017

Updates to Automation documentation

Fixed several issues in the information about setting up and configuring access for Systems Manager Automation. For more information, see Getting started with Automation.

October 31, 2017

GitHub and Amazon S3 Integration

Run remote scripts: Systems Manager now supports downloading and running scripts from a private or public GitHub repository, and from Amazon S3. Using either the AWS-RunRemoteScript pre-defined SSM document or the aws:downloadContent plugin in a custom SSM document, you can run Ansible Playbooks and scripts in Python, Ruby, or PowerShell, to name a few. These changes further enhance infrastructure as code when you use Systems Manager to automate configuration and deployment of EC2 instances and on-premises managed instances in your hybrid environment. For more information, see Running scripts from GitHub and Running scripts from Amazon S3.

Create composite SSM documents: Systems Manager now supports running one or more secondary SSM documents from a primary SSM document. These primary documents that run other documents are called composite documents. Composite documents enable you to create and share a standard set of secondary SSM documents across AWS accounts for common tasks such as boot-strapping anti-virus software or domain-joining instances. You can run composite and secondary documents stored in Systems Manager, GitHub, or Amazon S3. After you create a composite document, you can run it by using the AWS-RunDocument pre-defined SSM document. For more information, see Creating composite documents and Running Systems Manager command documents from remote locations.

SSM document plugin reference: For easier access, we moved the SSM Plugin Reference for SSM documents out of the Systems Manager API Reference and into the User Guide. For more information, see Systems Manager Command document plugin reference.

October 26, 2017

Support for Parameter Versions in Parameter Store

When you edit a parameter, Parameter Store now automatically increments the version number by 1. You can specify a parameter name and a specific version number in API calls and SSM documents. If you don't specify a version number, the system automatically uses the latest version.

Parameter versions provide a layer of protection in the event that a parameter is accidentally changed. You can view the values of all versions, and reference older versions if necessary. You can also use parameter versions to see how many times a parameter changed over a period of time. For more information, see Working with parameter versions.

October 24, 2017

Support for Tagging Systems Manager Documents

You can now use the AddTagsToResource API, the AWS CLI, or the AWS Tools for PowerShell to tag Systems Manager documents with key-value pairs. Tagging helps you quickly identify specific resources based on the tags you've assigned to them. This is in addition to existing tagging support for managed instances, maintenance windows, Parameter Store parameters, and patch baselines. For information, see Tagging Systems Manager documents.

October 3, 2017

Various Documentation Updates to Fix Errors or Update Content Based on Feedback

October 2, 2017

Troubleshoot Unreachable Windows Instances by Using the EC2Rescue Automation Workflow

EC2Rescue can help you diagnose and troubleshoot problems on Amazon EC2 Windows Server instances. You can run the tool as a Systems Manager Automation workflow by using the AWSSupport-ExecuteEC2Rescue document. The AWSSupport-ExecuteEC2Rescue document is designed to perform a combination of Systems Manager actions, AWS CloudFormation actions, and Lambda functions that automate the steps normally required to use EC2Rescue. For more information, see Walkthrough: Run the EC2Rescue tool on unreachable instances.

September 29, 2017

SSM Agent Installed By Default on Amazon Linux

SSM Agent is installed, by default, on Amazon Linux AMIs dated 2017.09 and later. You must manually install SSM Agent on other versions of Linux, as described in Installing and configuring SSM Agent on EC2 instances for Linux.

September 27, 2017

Run Command Enhancements

Run Command includes the following enhancements.

September 12, 2017

Systems Manager Supported on Raspbian

Systems Manager can now run on Raspbian Jessie and Raspbian Stretch devices, including Raspberry Pi (32-Bit).

September 7, 2017

Automatically Send SSM Agent Logs to Amazon CloudWatch Logs

You can now make a simple configuration change on your instances to have SSM Agent send log files to CloudWatch. For more information, see Sending SSM Agent logs to CloudWatch Logs.

September 7, 2017

Encrypt Resource Data Sync

Systems Manager Resource Data Sync lets you aggregate Inventory data collected on dozens or hundreds of managed instances in a central S3 bucket. You can now encrypt Resource Data Sync by using an AWS Key Management Service key. For more information, see Walkthrough: Use Resource Data Sync to aggregate inventory data.

September 1, 2017

New State Manager Walkthroughs

Added two new walkthroughs to the State Manager documentation:

Automatically update SSM Agent (CLI)

Walkthrough: Automatically update PV drivers on EC2 instances for Windows Server (console)

August 31, 2017

Systems Manager Configuration Compliance

Use Configuration Compliance to scan your fleet of managed instances for patch compliance and configuration inconsistencies. You can collect and aggregate data from multiple AWS accounts and Regions, and then drill down into specific resources that aren’t compliant. By default, Configuration Compliance displays compliance data about Patch Manager patching and State Manager associations. You can also customize the service and create your own compliance types based on your IT or business requirements. For more information, see AWS Systems Manager Configuration Compliance.

August 28, 2017

New Automation Action: aws:executeAutomation

Runs a secondary Automation workflow by calling a secondary Automation document. With this action, you can create Automation documents for your most common workflows, and reference those documents during an Automation execution. This action can simplify your Automation documents by removing the need to duplicate steps across similar documents. For more information, see aws:executeAutomation – Run another automation execution.

August 22, 2017

Automation as the Target of a CloudWatch Event

You can start an Automation workflow by specifying an Automation document as the target of an Amazon CloudWatch event. You can start workflows according to a schedule, or when a specific AWS system event occurs. For more information, see Running automations with triggers using CloudWatch Events.

August 21, 2017

State Manager Association Versioning and General Updates

You can now create different State Manager association versions. There is a limit of 1,000 versions for each association. You can also specify names for your associations. Also, the State Manager documentation has been updated to address outdated information and inconsistencies. For more information, see AWS Systems Manager State Manager.

August 21, 2017

Changes to Maintenance Windows

Maintenance Windows include the following changes or enhancements:

  • Previously, Maintenance Windows could only perform tasks by using Run Command. You can now perform tasks by using Systems Manager Automation, AWS Lambda, and AWS Step Functions.

  • You can edit the targets of a maintenance window and specify a target name, description, and owner.

  • You can edit tasks in a maintenance window, including specifying a new SSM document for Run Command and Automation tasks.

  • All Run Command parameters are now supported, including DocumentHash, DocumentHashType, TimeoutSeconds, Comment, and NotificationConfig.

  • You can now use a safe flag when you attempt to deregister a target. If enabled, the system returns an error if the target is referenced by any task.

For more information, see AWS Systems Manager Maintenance Windows.

August 16, 2017

New Automation Action: aws:approve

This new action for Automation documents temporarily pauses an Automation execution until designated principals either approve or reject the action. After the required number of approvals is reached, the Automation execution resumes.

For more information, see Systems Manager Automation actions reference.

August 10, 2017

Automation Assume Role No Longer Required

Automation previously required that you specify a service role (or assume role) so that the service had permission to perform actions on your behalf. Automation no longer requires this role because the service now operates by using the context of the user who invoked the execution.

However, the following situations still require that you specify a service role for Automation:

  • When you want to restrict a user's privileges on a resource, but you want the user to run an Automation workflow that requires elevated privileges. In this scenario, you can create a service role with elevated privileges and allow the user to run the workflow.

  • Operations that you expect to run longer than 12 hours require a service role.

For more information, see Getting started with Automation.

August 3, 2017

Configuration Compliance

Use Amazon EC2 Systems Manager Configuration Compliance to scan your fleet of managed instances for patch compliance and configuration inconsistencies. You can collect and aggregate data from multiple AWS accounts and Regions, and then drill down into specific resources that aren’t compliant. For more information, see AWS Systems Manager Configuration Compliance.

August 8, 2017

SSM Document Enhancements

SSM Command and Policy documents now offer cross-platform support. This means that a single SSM document can process plugins for Windows and Linux operating systems. Cross-platform support enables you to consolidate the number of documents you manage. Cross-platform support is offered in SSM documents that use schema version 2.2 or later.

SSM Command documents that use schema version 2.0 or later can now include multiple plugins of the same type. For example, you can create a Command document that calls the aws:runShellScript plugin multiple times.

For more information about schema version 2.2 changes, see AWS Systems Manager documents. For more information about SSM plugins, see Systems Manager Plugins.

July 12, 2017

Linux Patching

Patch Manager can now patch the following Linux distributions:

64-bit and 32-bit systems

  • Amazon Linux 2014.03, 2014.09, or later

  • Ubuntu Server 16.04 LTS, 14.04 LTS, or 12.04 LTS

  • Red Hat Enterprise Linux (RHEL) 6.5 or later

64-bit systems only

  • Amazon Linux 2015.03, 2015.09, or later

  • Red Hat Enterprise Linux (RHEL) 7.x or later

For more information, see AWS Systems Manager Patch Manager.

Note
  • To patch Linux instances, your instances must be running SSM Agent version 2.0.834.0 or later. For information about updating the agent, see the section titled Example: Update SSM Agent in Running commands from the console.

  • The AWS-ApplyPatchBaseline SSM document is being replaced by the AWS-RunPatchBaseline document.

July 6, 2017

Resource Data Sync

You can use Systems Manager Resource Data Sync to send Inventory data collected from all of your managed instances to a single Amazon S3 bucket. Resource Data Sync then automatically updates the centralized data when new Inventory data is collected. With all Inventory data stored in a target S3 bucket, you can use services like Amazon Athena and Amazon QuickSight to query and analyze the aggregated data. For more information, see Configuring Resource Data Sync for Inventory. For an example of how to work with Resource Data Sync, see Walkthrough: Use Resource Data Sync to aggregate inventory data.

June 29, 2017

Systems Manager Parameter Hierarchies

Managing dozens or hundreds of Systems Manager parameters as a flat list is time-consuming and prone to errors. You can use parameter hierarchies to help you organize and manage Systems Manager parameters. A hierarchy is a parameter name that includes a path that you define by using forward slashes. Here is an example that uses three hierarchy levels in the name to identify the following:

/Environment/Type of computer/Application/Data

/Dev/DBServer/MySQL/db-string13

For more information, see Organizing parameters into hierarchies. For an example of how to work with parameter hierarchies, see Walkthrough: Manage parameters using hierarchies (AWS CLI).

June 22, 2017

SSM Agent Support for SUSE Linux Enterprise Server

You can install SSM Agent on 64-bit SUSE Linux Enterprise Server (SLES). For more information, see Installing and configuring SSM Agent on EC2 instances for Linux.

June 14, 2017