AWS Systems Manager
User Guide

What Is AWS Systems Manager?

AWS Systems Manager is a collection of capabilities for configuring and managing your Amazon EC2 instances, on-premises servers and virtual machines, and other AWS resources at scale. Systems Manager includes a unified interface that allows you to easily centralize operational data and automate tasks across your AWS resources. Systems Manager shortens the time to detect and resolve operational problems in your infrastructure. Systems Manager gives you a complete view of your infrastructure performance and configuration, simplifies resource and application management, and makes it easy to operate and manage your infrastructure at scale.

Service Name and Console Access

AWS Systems Manager (Systems Manager) was formerly known as "Amazon Simple Systems Manager (SSM)" and "Amazon EC2 Systems Manager (SSM)". The original abbreviated name of the service, "SSM", is still reflected in various AWS resources, including a few other service consoles. Some examples:

  • AWS CLI commands: aws ssm describe-patch-baselines

  • AWS Systems Manager Agent: SSM Agent

  • AWS Systems Manager documents: SSM documents

  • AWS Systems Manager parameters: SSM parameters

  • AWS Systems Manager resource ARNs: arn:aws:ssm:us-east-2:111222333444:patchbaseline/pb-07d8884178EXAMPLE

  • AWS CloudFormation resource types: AWS::SSM::Document

  • AWS Config rule identifier: EC2_INSTANCE_MANAGED_BY_SSM

  • AWS Identity and Access Management (IAM) managed policy names: AmazonSSMReadOnlyAccess

  • Service endpoints:

  • Amazon CloudWatch Events event rule wizard: EC2 Simple Systems Manager (SSM)

Systems Manager functionality was previously available only in the Amazon EC2 console. There you’ll still find Systems Manager features and services in the left navigation pane under the headings SYSTEMS MANAGER SERVICES and SYSTEMS MANAGER SHARED RESOURCES. However, the Amazon EC2 console offers access to only those Systems Manager features and services released before November 2017. Systems Manager access through the Amazon EC2 console will be deprecated in the future. We therefore encourage you to use the AWS Systems Manager console. The AWS Systems Manager console offers access to all Systems Manager services, data, and shared resources. This console also includes dashboards and access to related services that work with Systems Manager to help you manage your AWS resources.

How It Works

Diagram 1 shows a general example of the different processes that Systems Manager performs when executing an action like sending a command to your fleet of servers or performing an inventory of the applications running on your on-premises servers. Each Systems Manager capability, for example Run Command or Maintenance Windows, uses a similar process of set up, execution, processing, and reporting.

  1. Configure Systems Manager: Use the Systems Manager console, SDK, AWS CLI, or AWS Tools for Windows PowerShell to configure, schedule, automate, and execute actions that you want to perform on your AWS resources.

  2. Verification and processing: Systems Manager verifies the configurations, including permissions, and sends requests to the SSM Agent running on your instances or servers in your hybrid environment. SSM Agent performs the specified configuration changes.

  3. Reporting: SSM Agent reports the status of the configuration changes and actions to Systems Manager in the AWS cloud. Systems Manager then sends the status to the user and various AWS services, if configured.

Diagram 1: General Example of Systems Manager Process Flow

                Diagram showing how Systems Manager capabilities, for example Run Command or Maintenance Windows,
                    use a similar process of set up, execution, processing, and reporting.


Systems Manager includes the following capabilities:

Resource Groups

AWS Resource Groups: An AWS resource is an entity you can work with in AWS, such as an Amazon Elastic Compute Cloud (Amazon EC2) instance, an Amazon Elastic Block Store (Amazon EBS) volume, a security group, or an Amazon Virtual Private Cloud (VPC). A resource group is a collection of AWS resources that are all in the same AWS Region, and that match criteria provided in a query. You build queries in the Resource Groups console, or pass them as arguments to Resource Groups commands in the AWS CLI. With Resource Groups, you can create a custom console that organizes and consolidates information based on criteria that you specify in tags. You can also use groups as the basis for viewing monitoring and configuration insights in AWS Systems Manager.


Systems Manager provides the following capabilities for centrally viewing data about your AWS resources. Choose the tabs to learn more.

Built-in InsightsCloudWatch DashboardsInventory ManagementConfiguration Compliance
Built-in Insights

Insights show detailed information about the resources in your AWS Resource Groups, such as AWS CloudTrail logs, results of evaluations against AWS Config rules, and AWS Trusted Advisor reports. Insights show information about a single, selected resource group at a time.

CloudWatch Dashboards

Amazon CloudWatch Dashboards are customizable home pages in the CloudWatch console that you can use to monitor your resources in a single view, even those resources that are spread across different regions. You can use CloudWatch dashboards to create customized views of the metrics and alarms for your AWS resources.

Inventory Management

Inventory Manager automates the process of collecting software inventory from managed instances. You can use Inventory Manager to gather metadata about applications, files, components, patches, and more on your managed instances.

Configuration Compliance

Use Systems Manager Configuration Compliance to scan your fleet of managed instances for patch compliance and configuration inconsistencies. You can collect and aggregate data from multiple AWS accounts and Regions, and then drill down into specific resources that aren’t compliant. By default, Configuration Compliance displays compliance data about Patch Manager patching and State Manager associations. You can also customize the service and create your own compliance types based on your IT or business requirements.


Systems Manager provides the following capabilities for taking action against your AWS resources. Choose the tabs to learn more.

AutomationRun CommandSession ManagerDistributorPatch ManagementMaintenance WindowsState Management

Use Systems Manager Automation to automate common maintenance and deployment tasks. You can use Automation to create and update Amazon Machine Images, apply driver and agent updates, reset passwords on Windows instance, reset SSH keys on Linux instances, and apply OS patches or application updates.

Run Command

Use Systems Manager Run Command to remotely and securely manage the configuration of your managed instances at scale. Use Run Command to perform on-demand changes like updating applications or running Linux shell scripts and Windows PowerShell commands on a target set of dozens or hundreds of instances.

Session Manager

Use Session Manager to manage your Amazon EC2 instances through an interactive one-click browser-based shell or through the AWS CLI. Session Manager provides secure and auditable instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys. Session Manager also makes it easy to comply with corporate policies that require controlled access to instances, strict security practices, and fully auditable logs with instance access details, while still providing end users with simple one-click cross-platform access to your Amazon EC2 instances.


Use Distributor to create and deploy packages to managed instances. Distributor lets you package your own software—or find AWS-provided agent software packages, such as AmazonCloudWatchAgent—to install on AWS Systems Manager managed instances. Distributor publishes resources, such as software packages, to AWS Systems Manager managed instances.

Patch Management

Use Patch Manager to automate the process of patching your managed instances. This capability enables you to scan instances for missing patches and apply missing patches individually or to large groups of instances by using Amazon EC2 instance tags. For security patches, Patch Manager uses patch baselines that include rules for auto-approving patches within days of their release, as well as a list of approved and rejected patches. Security patches are installed from the default repository for patches configured for the instance. You can install security patches on a regular basis by scheduling patching to run as a Systems Manager Maintenance Window task. For Linux operating systems, you can define the repositories that should be used for patching operations as part of your patch baseline. This allows you to ensure that updates are installed only from trusted repositories regardless of what repositories are configured on the instance. For Linux, you also have the ability to update any package on the instance, not just those that are classified as operating system security updates.

Maintenance Windows

Use Maintenance Windows to set up recurring schedules for managed instances to execute administrative tasks like installing patches and updates without interrupting business-critical operations.

State Management

Use Systems Manager State Manager to automate the process of keeping your managed instances in a defined state. You can use State Manager to ensure that your instances are bootstrapped with specific software at startup, joined to a Windows domain (Windows instances only), or patched with specific software updates.

Shared Resources

Systems Manager uses the following shared resources for managing and configuring your AWS resources. Choose the tabs to learn more.

Managed InstancesActivationsSystems Manager DocumentsParameter Store
Managed Instances

A managed instance is any Amazon EC2 instance or on-premises machine–a server or a virtual machine (VM)–in your hybrid environment that is configured for Systems Manager. To set up managed instances, you need to install SSM Agent on your machines (if not installed by default) and configure AWS Identity and Access Management (IAM) permissions. On-premises machines also require an activation code.


To set up servers and VMs in your hybrid environment as managed instances, you need to create a managed-instance activation. After you complete the activation, you receive an activation code and ID. This code/ID combination functions like an Amazon EC2 access ID and secret key to provide secure access to the Systems Manager service from your managed instances.

Systems Manager Documents

A Systems Manager document (SSM document) defines the actions that Systems Manager performs. SSM document types include Command documents, which are used by State Manager and Run Command, and Automation documents, which are used by Systems Manager Automation. Systems Manager includes more dozens of pre-configured documents that you can use by specifying parameters at runtime. Documents can be expressed in JSON or YAML, and include steps and parameters that you specify.

Parameter Store

Parameter Store provides secure, hierarchical storage for configuration data and secrets management. You can store data such as passwords, database strings, and license codes as parameter values. You can store values as plain text or encrypted data. You can then reference values by using the unique name you specified when you created the parameter.

Getting Started

To get started with Systems Manager, do the following:

  • Ensure you have completed the Systems Manager prerequisites

  • Configure roles and permissions

  • Install SSM Agent on your instance (if necessary)

If you want to manage your on-premises servers and VMs with Systems Manager, then you must also create a managed instance activation.

These tasks are described in Setting Up AWS Systems Manager.

Accessing Systems Manager

You can access Systems Manager using any of the following interfaces:

  • The AWS Systems Manager console — Provides a web interface that you can use to access Systems Manager.

  • AWS Command Line Interface (AWS CLI) — Provides commands for a broad set of AWS services, including Systems Manager, and is supported on Windows, Mac, and Linux. For more information, see AWS Command Line Interface.

  • AWS Tools for Windows PowerShell — Provides commands for a broad set of AWS services, including Systems Manager. For more information, see AWS Tools for Windows PowerShell.

  • AWS SDKs — Provides language-specific APIs and takes care of many of the connection details, such as calculating signatures, handling request retries, and error handling. For more information, see AWS SDKs.


Some Systems Manager capabilities charge a fee. For more information, see AWS Systems Manager Pricing.

We Want to Hear from You

We welcome your feedback. To contact us, visit the AWS Systems Manager forum.

Systems Manager is also documented in the following references.