Resource Groups in AWS Systems Manager

You can use resource groups to organize your AWS resources. Resource groups make it easier to manage, monitor, and automate tasks on large numbers of resources at one time.

AWS Resource Groups provides two general methods for defining a resource group. Both methods involve using a query to identify the members for a group.

The first method relies on tags applied to AWS resources to add resources to a group. Using this method, you apply the same key/value pair tags to resources of various types in your account and then use the AWS Resource Groups service to create a group based on that tag pair.

The second method is based on resources available in an individual AWS CloudFormation stack. Using this method, you choose an AWS CloudFormation stack, and then choose resource types in the stack that you want to be in the group.

For more information about these methods, see Build Queries and Groups in AWS Resource Groups in the AWS Resource Groups User Guide.

In order to be added to a resource group, the resources must all be in the same AWS Region. The resources must also be one of the resource types supported for use in resource groups. For example, in the AWS Identity and Access Management (IAM) service, you can apply tags to both users and roles, but only roles are supported by resource groups. In the Amazon Simple Notification Service (Amazon SNS), you can add tags to topics to add them to a resource group, but you can't add tags to subscriptions. In AWS Systems Manager, you can apply tags to several resource types, including maintenance windows, managed instances, and patch baselines, but not to change calendars or Distributor packages.

You can add tags to your AWS resources in different ways:

  • When you create the resource

  • When you update the resource

  • Using the Tag Editor in the Resource Groups service

Supported AWS resource types

For a list of all services with resource types that can be added to resource groups through the use of tags, and the resources they support, see Supported Resources in the AWS Resource Groups User Guide.

Supported Systems Manager resource types

The Systems Manager resource types that you can tag in order to add them to resource groups include the following:

  • SSM documents

  • Managed instances

  • Maintenance windows

  • SSM parameters

  • Patch baselines

Permissions to work with resource groups and Tag Editor

Before users in your AWS account can work with resource groups and tags in the Resource Groups service and Tag Editor, a user with administrator access must provide the users with the necessary permissions. For information about granting the Systems Manager users in your account access to Resource Groups and Tag Editor in the AWS Management Console and the Resource Groups capability in Systems Manager, see Create user groups.

Using the Tag Editor

Using the Tag Editor is the most efficient way to add many resource types to a resource group. You can view all supported resource types in your account from the same page. For resources of certain types, choose just the resources you want to add to the resource group, and add the tags to them in bulk. For information about using the Tag Editor, see Find Resources to Tag and Manage Tags in the AWS Resource Groups User Guide.

What else can I use tagged resources for?

Adding resources to a resource group is just one major use of resource tags. You can also specify resources that have certain tags applied as the targets of AWS operations. You can search for resources with the same tags applied to them. You can craft IAM policies to grant or deny users access to resources that are tagged with those tags.

What can I do with resource groups?

Several AWS services, including Systems Manager, let you act on, monitor, or share AWS resources as a group. For example, in Amazon CloudWatch, you can focus your view to display metrics and alarms from a single resource group. In AWS Resource Access Manager, you can share the AWS resources you have added to a resource group, as a group, with other accounts that you choose.

For information about all AWS services that can use resource groups, see Service Integrations with AWS Resource Groups in the AWS Resource Groups User Guide.

In Systems Manager, you can work with resource groups in a number of ways.

First, you can create and manage resource groups. Systems Manager includes a console that provides the same functionality as the Resource Groups service console. To access this console, do the following:

  1. Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.

  2. In the navigation pane, choose Resource Groups.

For information about working with the Resource Groups console, see Getting Started with AWS Resource Groups in the AWS Resource Groups User Guide.

Second, in the Inventory capability, you can select the managed instances for which you want to view compliance data by specifying a resource group to which they belong.

Third, you can specify a resource group as the target for the following:

  • A command you run in Run Command.

  • An Automation workflow you run in Automation.

  • An association you create in State Manager.

  • A maintenance window you create in Maintenance Windows.

  • A package installation or update operation in Distributor.
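The two group-definition methods described earlier (tag query and AWS CloudFormation stack query) and the group-as-target option in the list above, written out as request payloads. This is an added example, not code from the AWS documentation. The tag Stage=Test, the group name test-fleet, the account ID and the stack ARN are constructed sample values.

```python
import json

ALL_TYPES = ("AWS::AllSupported",)

def tag_query(key, values, resource_types=ALL_TYPES):
    """First method: members are resources carrying the tag key/value pair."""
    if not key or not values:
        raise ValueError("tag-based query needs a key and at least one value")
    inner = {"ResourceTypeFilters": list(resource_types),
             "TagFilters": [{"Key": key, "Values": list(values)}]}
    # Query is sent as a JSON *string* inside the ResourceQuery object.
    return {"Type": "TAG_FILTERS_1_0", "Query": json.dumps(inner)}

def stack_query(stack_arn, resource_types=ALL_TYPES):
    """Second method: chosen resource types from one CloudFormation stack."""
    parts = stack_arn.split(":")
    if len(parts) < 6 or parts[0] != "arn" or parts[2] != "cloudformation":
        raise ValueError("StackIdentifier must be a CloudFormation stack ARN")
    inner = {"ResourceTypeFilters": list(resource_types),
             "StackIdentifier": stack_arn}
    return {"Type": "CLOUDFORMATION_STACK_1_0", "Query": json.dumps(inner)}

def group_targets(group_name, resource_types=None):
    """Targets value that points a Systems Manager operation at a group."""
    targets = [{"Key": "resource-groups:Name", "Values": [group_name]}]
    if resource_types:  # optionally narrow which member types are acted on
        targets.append({"Key": "resource-groups:ResourceTypeFilters",
                        "Values": list(resource_types)})
    return targets

if __name__ == "__main__":
    # Constructed sample values: tag Stage=Test, group "test-fleet",
    # placeholder account 111122223333 and stack name.
    print(json.dumps(tag_query("Stage", ["Test"], ["AWS::EC2::Instance"]), indent=2))
    print(json.dumps(stack_query(
        "arn:aws:cloudformation:us-east-1:111122223333:stack/sample-stack/EXAMPLE-ID"),
        indent=2))
    print(json.dumps(group_targets("test-fleet", ["AWS::EC2::Instance"]), indent=2))
```

The query dictionaries are the ResourceQuery argument of the Resource Groups CreateGroup operation, and the targets list is the Targets argument of Systems Manager operations such as SendCommand.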
