AWS Systems Manager
User Guide

Document History

The following table describes the important changes to the documentation since the last release of AWS Systems Manager. For notification about updates to this documentation, you can subscribe to an RSS feed.

Note

SSM Agent is updated whenever changes are made to Systems Manager and when new capabilities are added. To ensure that your instances are always running the newest version of SSM Agent, we recommend that you create a State Manager association that automatically updates SSM Agent when a new version is available. You can also use Run Command to quickly update one or more instances with the latest version. For more information, see Automatically Update SSM Agent (CLI) (State Manager) and Update SSM Agent by using Run Command.

  • API version: 2014-11-06

Change Description Date

Query inventory data from multiple AWS Regions and accounts

Systems Manager Inventory integrates with Amazon Athena to help you query inventory data from multiple AWS Regions and accounts. Athena integration uses Resource Data Sync so that you can view inventory data from all of your managed instances on the Inventory Detail View page in the AWS Systems Manager console. For more information, see Querying Inventory Data from Multiple Regions and Accounts.

November 15, 2018

Create State Manager associations that execute MOF files

You can execute Managed Object Format (MOF) files to enforce a desired state on Windows Server managed instances with State Manager by using the AWS-ApplyDSCMofs SSM document. The AWS-ApplyDSCMofs document has two execution modes. With the first mode, you can configure the association to scan and report if the managed instances are currently in the desired state defined in the specified MOF files. In the second mode, you can execute the MOF files and change the configuration of your instances based on the resources and their values defined in the MOF files. The AWS-ApplyDSCMofs document enables you to download and execute MOF configuration files from Amazon Simple Storage Service (Amazon S3), a local share, or from a secure web site with an HTTPS domain. For more information, see Creating Associations that Execute MOF Files.

November 15, 2018

Restrict administrative access in Session Manager sessions

Session Manager sessions are launched using the credentials of a user account called ssm-user, which is created with default root or administrator privileges. Information about restricting administrative control for this account is now available in the topic Disable or Enable ssm-user Account Administrative Permissions.

November 13, 2018

YAML examples in Automation Actions Reference

The Automation Actions Reference now includes a YAML sample for each action that already includes a JSON sample.

October 31, 2018

Assign compliance severity levels to associations

You can now assign compliance severity levels to State Manager associations. These severity levels are reported in the Compliance Dashboard and can also be used to filter your compliance reports. The severity levels you can assign include Critical, High, Medium, Low, and Unspecified. For more information, see Create an Association (Console).

October 26, 2018

Use targets and rate controls with Automation and State Manager

Control the execution of Automations and State Manager associations across your fleet of resources by using targets, concurrency, and error thresholds. For more information, see Using Targets and Rate Controls to Execute Automation Workflows on a Fleet and Using Targets and Rate Controls with State Manager Associations.

October 23, 2018

Specify active time ranges and international time zones for Maintenance Windows

You can also specify dates that a Maintenance Window should not run before or after (start date and end date), and you can specify the international time zone on which to base the Maintenance Window schedule. For more information, see Create a Maintenance Window (Console) and Update a Maintenance Window (CLI).

October 9, 2018

Maintain a custom list of patches for your patch baseline in an S3 bucket

The new 'InstallOverrideList' parameter in the SSM document 'AWS-RunPatchBaseline' lets you specify an https URL or an Amazon Simple Storage Service (Amazon S3) path-style URL to a list of patches to be installed. This patch installation list, which you maintain in an S3 bucket in YAML format, overrides the patches specified by the default patch baseline. For more information, see Parameter name: InstallOverrideList.

October 5, 2018

Expanded control over whether patch dependencies are installed

Previously, if a patch in your Rejected patches list was identified as a dependency of another patch, it would still be installed. Now you can choose whether to install these dependencies or block them from being installed. For more information, see Create a Patch Baseline.

October 5, 2018

Create dynamic Automation workflows with conditional branching

The aws:branch Automation action enables you to create a dynamic Automation workflow that evaluates multiple choices in a single step and then jumps to a different step in the Automation document based on the results of that evaluation. For more information, see Creating Dynamic Automation Workflows with Conditional Branching.

September 26, 2018

Use the AWS CLI to Update Session Manager Preferences

Instructions for using the CLI to update Session Manager preferences, such as CloudWatch Logs and Amazon S3 bucket logging options, have been added to the AWS Systems Manager User Guide. For information, see Use the AWS CLI to Update Session Manager Preferences.

September 25, 2018

Set up patching options more easily with the new 'Configure patching' page

Patch Manager has been updated with a new system for setting up patching configurations. On the Configure patching page, you can specify multiple patching options in a single location, including associating a Maintenance Window with a patching configuration and changing the patch baseline associated with a patch group. For more information, see About Patching Configurations and Create a Patching Configuration.

September 22, 2018

Updated SSM Agent requirement for Session Manager

Session Manager now requires SSM Agent version 2.3.68.0 or later. For more information about Session Manager prerequisites, see Step 1: Verify Session Manager Prerequisites.

September 17, 2018

Manage instances without opening inbound ports or maintaining bastion hosts using Session Manager

Now available, Session Manager is a fully managed AWS Systems Manager capability that lets you manage your Amazon EC2 instances through an interactive one-click browser-based shell or through the AWS CLI. Session Manager provides secure and auditable instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys. Session Manager also makes it easy to comply with corporate policies that require controlled access to instances, strict security practices, and fully auditable logs with instance access details, while still providing end users with simple one-click cross-platform access to your Amazon EC2 instances. For more information, see Learn More About Session Manager.

September 11, 2018

Invoking other AWS Services from a Systems Manager Automation Workflow

You can invoke other AWS services and other Systems Manager capabilities in your Automation workflow by using three new Automation actions (or plugins) in your Automation documents. For more information, see Invoking other AWS Services from a Systems Manager Automation Workflow.

August 28, 2018

Use Systems Manager-specific condition keys in IAM policies

The topic Specifying Conditions in a Policy has been updated to list the IAM condition keys for Systems Manager that you can incorporate in policies. You can use these keys to specify the conditions under which a policy should take effect. The topic also includes links to example policies and other related topics.

August 18, 2018

Aggregate Inventory data with groups to see which instances are and aren't configured to collect an Inventory type

Groups enable you to quickly see a count of which managed instances are and aren’t configured to collect one or more Inventory types. With groups, you specify one or more Inventory types and a filter that uses the exists operator. For more information, see Aggregating Inventory Data.

August 16, 2018

View history and change tracking for Inventory and Configuration Compliance

You can now view history and change tracking for Inventory collected from your managed instances. You can also view history and change tracking for Patch Manager patching and State Manager associations reported by Configuration Compliance. For more information, see Viewing Inventory History and Change Tracking.

August 9, 2018

Systems Manager service-linked role extends support for Maintenance Window tasks

The Maintenance Window service requires a set of IAM permissions in order to run Maintenance Window tasks on your instances. Previously, the only option was to create a custom IAM role to supply these permissions. The service-linked role for Systems Manager has now been enhanced to provide these permissions, giving you two IAM role options. For more information, see Should I Use a Service-Linked Role or a Custom Service Role to Run Maintenance Window Tasks?

August 2, 2018

Parameter Store integrates with Secrets Manager

Parameter Store is now integrated with AWS Secrets Manager so that you can retrieve Secrets Manager secrets when using other AWS services that already support references to Parameter Store parameters. These services include Amazon EC2, Amazon Elastic Container Service, AWS Lambda, AWS CloudFormation, AWS CodeBuild, AWS CodeDeploy, and other Systems Manager capabilities. By using Parameter Store to reference Secrets Manager secrets, you create a consistent and secure process for calling and using secrets and reference data in your code and configuration scripts. For information, see Referencing AWS Secrets Manager Secrets from Parameter Store Parameters.

July 26, 2018

Attach labels to Parameter Store parameters

A parameter label is a user-defined alias to help you manage different versions of a parameter. When you modify a parameter, Systems Manager automatically saves a new version and increments the version number by one. A label can help you remember the purpose of a parameter version when there are multiple versions. For information, see Labeling Parameters.

July 26, 2018

Create dynamic Automation workflows

By default, the steps (or actions) that you define in the mainSteps section of an Automation document execute in sequential order. After one action completes, the next action specified in the mainSteps section begins. With this release, you can now create Automation workflows that perform conditional branching. This means that you can create Automation workflows that dynamically respond to condition changes and jump to a specified step. For information, see Creating Dynamic Automation Workflows.

July 18, 2018

SSM Agent now pre-installed on Ubuntu Server 16.04 AMIs using Snap

Beginning with instances created from Ubuntu Server 16.04 AMIs identified with 20180627, the SSM Agent is pre-installed using Snap packages. On instances created from earlier AMIs, you should continue using deb installer packages. For information, see About SSM Agent installations on 64-bit Ubuntu Server 16.04 instances.

July 7, 2018

Review minimum S3 permissions required by SSM Agent

The new topic Minimum S3 Bucket Permissions for SSM Agent provides information about the Amazon Simple Storage Service (Amazon S3) buckets that resources might need to access to perform Systems Manager operations. You can specify these buckets in a custom policy if you want to limit Amazon S3 bucket access for an instance profile or VPC endpoint to the minimum required to use Systems Manager.

July 5, 2018

View complete execution history for a specific State Manager association ID

The new topic Viewing Association Histories describes how to view all executions for a specific association ID and then view execution details for one or more resources.

July 2, 2018

Patch Manager introduces support for Amazon Linux 2

You can now use Patch Manager to apply patches to Amazon Linux 2 instances. For general information about Patch Manager operating system support, see Patch Manager Prerequisites. For information about the supported key/value pairs for Amazon Linux 2 when defining a patch filter, see PatchFilter in the AWS Systems Manager API Reference.

June 26, 2018

Send command output to Amazon CloudWatch Logs

The new topic Configuring Amazon CloudWatch Logs for Run Command describes how to send Run Command output to CloudWatch Logs.

June 18, 2018

Quickly create or delete Resource Data Sync for Inventory by using AWS CloudFormation

You can use AWS CloudFormation to create or delete a Resource Data Sync for Systems Manager Inventory. To use AWS CloudFormation, add the AWS::SSM::ResourceDataSync resource to your AWS CloudFormation template. For more information, see Working with AWS CloudFormation Templates in the AWS CloudFormation User Guide. You can also manually create a Resource Data Sync for Inventory as described in Configuring Resource Data Sync for Inventory.

June 11, 2018

AWS Systems Manager User Guide update notifications now available through RSS

The HTML version of the Systems Manager User Guide now supports an RSS feed of updates that are documented in the Systems Manager Documentation Update History page. The RSS feed includes updates made in June, 2018, and later. Previously announced updates are still available in the Systems Manager Documentation Update History page. Use the RSS button in the top menu panel to subscribe to the feed.

June 6, 2018

Specify an exit code in scripts to reboot managed instances

The new topic Rebooting Managed Instance from Scripts describes how to instruct Systems Manager to reboot managed instances by specifying an exit code in scripts that you run with Run Command.

June 3, 2018

Create an event in Amazon CloudWatch Events whenever custom Inventory is deleted

The new topic Viewing Inventory Delete Actions in CloudWatch Events describes how to configure Amazon CloudWatch Events to create an event anytime a user deletes custom Inventory.

June 1, 2018

Earlier Updates

The following table describes important changes in each release of the AWS Systems Manager User Guide before June 2018.

Change Description Release Date
Inventory all managed instances in your AWS account

You can easily inventory all managed instances in your AWS account by creating a global inventory association. For more information, see Inventory All Managed Instances in Your AWS Account.

Note

Global inventory associations are available in SSM Agent version 2.0.790.0 or later. For information about how to update SSM Agent on your instances, see Update SSM Agent by using Run Command.

May 3, 2018
SSM Agent installed by default on Ubuntu Server 18

SSM Agent is installed, by default, on Ubuntu Server 18.04 LTS 64-bit and 32-bit AMIs.

May 2, 2018
New topic

The new topic Sending Commands that Use the Document Version Parameter describes how to use the document-version parameter to specify which version of an SSM document to use when the command runs.

May 1, 2018
New topic

The new topic Deleting Custom Inventory describes how to delete custom Inventory data from Amazon S3 by using the AWS CLI. The topic also describes how to use the SchemaDeleteOption to manage custom inventory by disabling or deleting a custom inventory type. This new feature uses the DeleteInventory API action.

April 19, 2018
Amazon SNS notifications for SSM Agent

You can subscribe to an Amazon SNS topic to receive notifications when a new version of SSM Agent is available. For more information, see Subscribing to SSM Agent Notifications.

April 9, 2018
CentOS patching support

Systems Manager now supports patching CentOS instances. For information about supported CentOS versions, see Patch Manager Prerequisites. For more information about how patching works, see How Patch Manager Operations Work.

March 29, 2018
New section

To provide a single source for reference information in the AWS Systems Manager User Guide, a new section has been introduced, AWS Systems Manager Reference. Additional content will be added to this section as it becomes available.

March 15, 2018
New topic

The new topic About Package Name Formats for Approved and Rejected Patch Lists details the package name formats you can enter in the lists of approved patches and rejected patches for a custom patch baseline. Sample formats are provided for each operating system type supported by Patch Manager.

March 9, 2018
New topic

Systems Manager now integrates with Chef InSpec. InSpec is an open-source, runtime framework that enables you to create human-readable profiles on GitHub or Amazon S3. Then you can use Systems Manager to run compliance scans and view compliant and noncompliant instances. For more information, see Using Chef InSpec Profiles with Systems Manager Compliance.

March 7, 2018
New topic

The new topic Using Service-Linked Roles for Systems Manager describes how to use an AWS Identity and Access Management (IAM) service-linked role with Systems Manager. Currently, service-linked roles are only required when using Systems Manager Inventory to collect metadata about tags and Resource Groups.

February 27, 2018
New and updated topics

You can now use Patch Manager to install patches that are in a different source repository than the default one configured on the instance. This is useful for patching instances with updates not related to security; with the content of Personal Package Archives (PPA) for Ubuntu Server; with updates for internal corporate applications; and so on. You specify alternative patch source repositories when you create a custom patch baseline. For more information, see the following topics:

In addition, you can now use Patch Manager to patch SUSE Linux Enterprise Server instances. Patch Manager supports patching SLES 12.* versions (64-bit only). For more information, see the SLES-specific information in the following topics:

February 6, 2018
New topic

The new topic Upgrade the Python Requests Module on Amazon Linux Instances That Use a Proxy Server provides instructions for ensuring that instances created using an Amazon Linux AMI have been updated with a current version of the Python requests module. This requirement is to ensure compatibility with Patch Manager.

January 12, 2018
New topic

The new topic About SSM Documents for Patching Instances describes the seven SSM documents currently available to help you keep your managed instances patched with the latest security-related updates.

January 10, 2018
Important updates regarding Linux support

Updated various topics with the following information:

  • SSM Agent is installed, by default, on Amazon Linux base AMIs dated 2017.09 and later.

  • You must manually install SSM Agent on other versions of Linux, including non-base images like Amazon ECS-Optimized AMIs.

January 9, 2018
New topic

A new topic, About the SSM Document AWS-RunPatchBaseline, provides details of how this SSM document operates on both Windows and Linux systems. It also provides information about the two available parameters in the AWS-RunPatchBaseline document, Operation and Snapshot ID.

January 5, 2018
New topics

A new section, How Patch Manager Operations Work, provides technical details that explain how Patch Manager determines which security patches to install and how it installs them on each supported operating system. It also provides information about how patch baseline rules work on different distributions of the Linux operating system.

January 2, 2018
Retitled and moved the Systems Manager Automation Actions Reference

Based on customer feedback, the Automation Actions Reference is now called the Systems Manager Automation Document Reference. Furthermore, we moved the reference into the Shared Resources > Documents node so it is closer to the SSM Document Plugin Reference. For more information, see Systems Manager Automation Actions Reference.

December 20, 2017

New Monitoring chapter and content

A new chapter, Monitoring Instances with AWS Systems Manager, provides instructions for sending metrics and log data to Amazon CloudWatch Logs. A new topic, Send Logs to CloudWatch Logs (CloudWatch Agent), provides instructions for migrating on-instance monitoring tasks, on 64-bit Windows Server instances only, from SSM Agent to the CloudWatch Agent.

December 14, 2017

New chapter

A new chapter, Authentication and Access Control for AWS Systems Manager, provides comprehensive information about using AWS Identity and Access Management (IAM) and AWS Systems Manager to help secure access to your resources through the use of credentials. These credentials provide the permissions required to access AWS resources, such as accessing data stored in Amazon S3 buckets and sending commands to and reading the tags on Amazon EC2 instances.

December 11, 2017

Changes to the left navigation

We changed the headings in the left navigation of this user guide to match the headings in the new AWS Systems Manager console.

December 8, 2017

Multiple changes for re:Invent 2017

  • Official launch of AWS Systems Manager: AWS Systems Manager (formerly Amazon EC2 Systems Manager) is a unified interface that allows you to easily centralize operational data and automate tasks across your AWS resources. You can access the new AWS Systems Manager console here. For more information, see What Is AWS Systems Manager?

  • YAML Support: You can create SSM documents in YAML. For more information, see AWS Systems Manager Documents.

November 29, 2017

Using Run Command to Take VSS-Enabled Snapshots of EBS Volumes

Using Run Command, you can take application-consistent snapshots of all Amazon Elastic Block Store (Amazon EBS) volumes attached to your Amazon EC2 Windows instances. The snapshot process uses the Windows Volume Shadow Copy Service (VSS) to take image-level backups of VSS-aware applications, including data from pending transactions between these applications and the disk. Furthermore, you don't need to shut down your instances or disconnect them when you need to back up all attached volumes. For more information, see Using Run Command to Take VSS-Enabled Snapshots of EBS Volumes.

November 20, 2017

Enhanced Systems Manager Security Available By Using VPC Endpoints

You can improve the security posture of your managed instances (including managed instances in your hybrid environment) by configuring Systems Manager to use an interface VPC endpoint. Interface endpoints are powered by PrivateLink, a technology that enables you to privately access Amazon EC2 and Systems Manager APIs by using private IP addresses. PrivateLink restricts all network traffic between your managed instances, Systems Manager, and EC2 to the Amazon network (managed instances don't have access to the Internet). Also, you don't need an Internet gateway, a NAT device, or a virtual private gateway. For more information, see Setting Up VPC Endpoints for Systems Manager.

November 7, 2017

Inventory Support for Files, Services, Windows Roles, and the Windows Registry

SSM Inventory now supports gathering the following information from your managed instances.

  • Files: Name, size, version, installed date, modification and last accessed times, etc.

  • Services: Name, display name, status, dependent services, service type, start type, etc.

  • Windows Registry: Registry key path, value name, value type, and value.

  • Windows roles: Name, display name, path, feature type, installed state, etc.

Before you attempt to collect information for these inventory types, update SSM Agent on the instances you want to inventory. By running the latest version of SSM Agent, you ensure that you can collect metadata for all supported inventory types. For information about how to update SSM Agent by using State Manager, see Automatically Update SSM Agent (CLI).

For more information about Inventory, see Learn More About Systems Manager Inventory.

November 6, 2017

Updates to Automation documentation

Fixed several issues in the information about setting up and configuring access for Systems Manager Automation. For more information, see Setting Up Automation.

October 31, 2017

GitHub and Amazon S3 Integration

Run remote scripts: Systems Manager now supports downloading and running scripts from a private or public GitHub repository, and from Amazon S3. Using either the AWS-RunRemoteScript pre-defined SSM document or the aws:downloadContent plugin in a custom SSM document, you can run Ansible Playbooks and scripts in Python, Ruby, or PowerShell, to name a few. These changes further enhance infrastructure as code when you use Systems Manager to automate configuration and deployment of Amazon EC2 instances and on-premises managed instances in your hybrid environment. For more information, see Partner and Product Integration.

Create composite SSM documents: Systems Manager now supports running one or more secondary SSM documents from a primary SSM document. These primary documents that run other documents are called composite documents. Composite documents enable you to create and share a standard set of secondary SSM documents across AWS accounts for common tasks such as boot-strapping anti-virus software or domain-joining instances. You can run composite and secondary documents stored in Systems Manager, GitHub, or Amazon S3. After you create a composite document, you can run it by using the AWS-RunDocument pre-defined SSM document. For more information, see Creating Composite Documents and Running Documents from Remote Locations.

SSM document plugin reference: For easier access, we moved the SSM Plugin Reference for SSM documents out of the Systems Manager API Reference and into the User Guide. For more information, see SSM Document Plugin Reference.

October 26, 2017

Support for Parameter Versions in Parameter Store

When you edit a parameter, Parameter Store now automatically increments the version number by 1. You can specify a parameter name and a specific version number in API calls and SSM documents. If you don't specify a version number, the system automatically uses the latest version.

Parameter versions provide a layer of protection in the event that a parameter is accidentally changed. You can view the values of all versions, and reference older versions if necessary. You can also use parameter versions to see how many times a parameter changed over a period of time. For more information, see Working with Parameter Versions.

October 24, 2017

Support for Tagging Systems Manager Documents

You can now use the AddTagsToResource API, the AWS CLI, or the AWS Tools for Windows to tag Systems Manager documents with key-value pairs. Tagging helps you quickly identify specific resources based on the tags you've assigned to them. This is in addition to existing tagging support for managed instances, Maintenance Windows, Parameter Store parameters, and patch baselines. New topics include Tagging Systems Manager Documents and Controlling Access to Documents Using Tags.

October 3, 2017

Various Documentation Updates to Fix Errors or Update Content Based on Feedback

October 2, 2017

Troubleshoot Unreachable Windows Instances by Using the EC2Rescue Automation Workflow

EC2Rescue can help you diagnose and troubleshoot problems on Amazon EC2 Windows Server instances. You can run the tool as a Systems Manager Automation workflow by using the AWSSupport-ExecuteEC2Rescue document. The AWSSupport-ExecuteEC2Rescue document is designed to perform a combination of Systems Manager actions, AWS CloudFormation actions, and Lambda functions that automate the steps normally required to use EC2Rescue. For more information, see Run the EC2Rescue Tool on Unreachable Instances.

September 29, 2017

SSM Agent Installed By Default on Amazon Linux

SSM Agent is installed, by default, on Amazon Linux AMIs dated 2017.09 and later. You must manually install SSM Agent on other versions of Linux, as described in Installing and Configuring SSM Agent on Linux Instances.

September 27, 2017

Run Command Enhancements

Run Command includes the following enhancements.

September 12, 2017

Systems Manager Supported on Raspbian

Systems Manager can now run on Raspbian Jessie and Raspbian Stretch devices, including Raspberry Pi (32-Bit). For more information, see Raspbian.

September 7, 2017

Automatically Send SSM Agent Logs to Amazon CloudWatch Logs

You can now make a simple configuration change on your instances to have SSM Agent send log files to CloudWatch. For more information, see Send Logs to CloudWatch Logs (SSM Agent).

September 7, 2017

Encrypt Resource Data Sync

Systems Manager Resource Data Sync lets you aggregate Inventory data collected on dozens or hundreds of managed instances in a central Amazon S3 bucket. You can now encrypt Resource Data Sync by using an AWS Key Management Service key. For more information, see Walkthrough: Use Resource Data Sync to Aggregate Inventory Data.

September 1, 2017

New State Manager Walkthroughs

Added two new walkthroughs to the State Manager documentation:

Automatically Update SSM Agent (CLI)

Walkthrough: Automatically Update PV Drivers on EC2 Windows Instances (Console)

August 31, 2017

Systems Manager Configuration Compliance

Use Configuration Compliance to scan your fleet of managed instances for patch compliance and configuration inconsistencies. You can collect and aggregate data from multiple AWS accounts and Regions, and then drill down into specific resources that aren’t compliant. By default, Configuration Compliance displays compliance data about Patch Manager patching and State Manager associations. You can also customize the service and create your own compliance types based on your IT or business requirements. For more information, see AWS Systems Manager Configuration Compliance.

August 28, 2017

New Automation Action: aws:executeAutomation

Executes a secondary Automation workflow by calling a secondary Automation document. With this action, you can create Automation documents for your most common workflows, and reference those documents during an Automation execution. This action can simplify your Automation documents by removing the need to duplicate steps across similar documents. For more information, see aws:executeAutomation.

August 22, 2017

Automation as the Target of a CloudWatch Event

You can start an Automation workflow by specifying an Automation document as the target of an Amazon CloudWatch event. You can start workflows according to a schedule, or when a specific AWS system event occurs. For more information, see Configuring Automation as a CloudWatch Events Target (Optional).

August 21, 2017

State Manager Association Versioning and General Updates

You can now create different State Manager association versions. There is a limit of 1,000 versions for each association. You can also specify names for your associations. Also, the State Manager documentation has been updated to address outdated information and inconsistencies. For more information, see AWS Systems Manager State Manager.

August 21, 2017

Changes to Maintenance Windows

Maintenance Windows include the following changes or enhancements:

  • Previously, Maintenance Windows could only perform tasks by using Run Command. You can now perform tasks by using Systems Manager Automation, AWS Lambda, and AWS Step Functions.

  • You can edit the targets of a Maintenance Window and specify a target name, description, and owner.

  • You can edit tasks in a Maintenance Window, including specifying a new SSM document for Run Command and Automation tasks.

  • All Run Command parameters are now supported, including DocumentHash, DocumentHashType, TimeoutSeconds, Comment, and NotificationConfig.

  • You can now use a safe flag when you attempt to deregister a target. If enabled, the system returns an error if the target is referenced by any task.

For more information, see AWS Systems Manager Maintenance Windows.

August 16, 2017

New Automation Action: aws:approve

This new action for Automation documents temporarily pauses an Automation execution until designated principals either approve or reject the action. After the required number of approvals is reached, the Automation execution resumes.

For more information, see Systems Manager Automation Actions Reference.

August 10, 2017

Automation Assume Role No Longer Required

Automation previously required that you specify a service role (or assume role) so that the service had permission to perform actions on your behalf. Automation no longer requires this role because the service now operates by using the context of the user who invoked the execution.

However, the following situations still require that you specify a service role for Automation:

  • When you want to restrict a user's privileges on a resource, but you want the user to run an Automation workflow that requires higher privileges. In this scenario, you can create a service role with higher privileges and allow the user to run the workflow.

  • Operations that you expect to run longer than 12 hours require a service role.

For more information, see Setting Up Automation.

August 3, 2017

Configuration Compliance

Use Amazon EC2 Systems Manager Configuration Compliance to scan your fleet of managed instances for patch compliance and configuration inconsistencies. You can collect and aggregate data from multiple AWS accounts and Regions, and then drill down into specific resources that aren’t compliant. For more information, see AWS Systems Manager Configuration Compliance.

August 8, 2017

SSM Document Enhancements

SSM Command and Policy documents now offer cross-platform support. This means that a single SSM document can process plugins for Windows and Linux operating systems. Cross-platform support enables you to consolidate the number of documents you manage. Cross-platform support is offered in SSM documents that use schema version 2.2 or later.

SSM Command documents that use schema version 2.0 or later can now include multiple plugins of the same type. For example, you can create a Command document that calls the aws:runShellScript plugin multiple times.

For more information about schema version 2.2 changes, see AWS Systems Manager Documents. For more information about SSM plugins, see Systems Manager Plugins.

July 12, 2017

Linux Patching

Patch Manager can now patch the following Linux distributions:

64-Bit and 32-Bit Systems

  • Amazon Linux 2014.03, 2014.09, or later

  • Ubuntu Server 16.04 LTS, 14.04 LTS, or 12.04 LTS

  • Red Hat Enterprise Linux (RHEL) 6.5 or later

64-Bit Systems Only

  • Amazon Linux 2015.03, 2015.09, or later

  • Red Hat Enterprise Linux (RHEL) 7.x or later

For more information, see AWS Systems Manager Patch Manager.

Note

  • To patch Linux instances, your instances must be running SSM Agent version 2.0.834.0 or later. For information about updating the agent, see the section titled Example: Update SSM Agent in Running Commands from the Console.

  • The AWS-ApplyPatchBaseline SSM document is being replaced by the AWS-RunPatchBaseline document.

July 6, 2017

Resource Data Sync

You can use Systems Manager Resource Data Sync to send Inventory data collected from all of your managed instances to a single Amazon S3 bucket. Resource Data Sync then automatically updates the centralized data when new Inventory data is collected. With all Inventory data stored in a target Amazon S3 bucket, you can use services like Amazon Athena and Amazon QuickSight to query and analyze the aggregated data. For more information, see Configuring Resource Data Sync for Inventory. For an example of how to work with Resource Data Sync, see Walkthrough: Use Resource Data Sync to Aggregate Inventory Data.

June 29, 2017

Systems Manager Parameter Hierarchies

Managing dozens or hundreds of Systems Manager parameters as a flat list is time-consuming and prone to errors. You can use parameter hierarchies to help you organize and manage Systems Manager parameters. A hierarchy is a parameter name that includes a path that you define by using forward slashes. Here is an example that uses three hierarchy levels in the name to identify the following:

/Environment/Type of computer/Application/Data

/Dev/DBServer/MySQL/db-string13

For more information, see Organizing Parameters into Hierarchies. For an example of how to work with parameter hierarchies, see Walkthrough: Manage Parameters Using Hierarchies (AWS CLI).

June 22, 2017

SSM Agent Support for SUSE Linux Enterprise Server

You can install SSM Agent on 64-bit SUSE Linux Enterprise Server (SLES). For more information, see Installing and Configuring SSM Agent on Linux Instances.

June 14, 2017
