
Systems Manager

Priority Tier 4

AWS Systems Manager (SSM) is a secure, end-to-end management solution for AWS Cloud and hybrid cloud environments. It provides a centralized and consistent way to gather operational insights and perform routine management tasks across multiple AWS services, simplifying configuration management, patching, and automation tasks.

Introduction to AWS Systems Manager

AWS Systems Manager (SSM) is a comprehensive management service designed to streamline operations across your cloud and hybrid infrastructure.

Its main purpose is to reduce operational overhead and improve efficiency by simplifying configuration management, patching, and automation tasks.
SSM offers several key benefits for managing EC2 instances, whether for personal learning or organizational use cases:
  • AWS Systems Manager is a free service.
  • AWS Systems Manager is usable via multiple interfaces.
  • SSM allows executing commands on multiple instances simultaneously.

Prerequisites for AWS Systems Manager Integration

Before an EC2 instance or hybrid resource can be managed by AWS Systems Manager, certain prerequisites must be met to ensure proper communication and security.

The Systems Manager Agent (SSM agent) must be installed and running on the EC2 instance or virtual machine. Many recent AWS AMIs (Amazon Machine Images) come with the SSM agent pre-installed. For older AMIs or specific OS versions (e.g., Windows Server 2008 to 2012 R2 before November 2016), manual installation is required. AWS documentation lists AMIs with pre-installed SSM agent.
An IAM role or EC2 instance profile with required privileges is necessary for the SSM agent to communicate with the Systems Manager service. This adheres to AWS’s zero-trust policy. The AmazonSSMManagedInstanceCore AWS managed policy provides the necessary permissions.
The EC2 Security Group must allow outbound connections to the SSM service. This acts as an instance-level firewall. Neglecting this step is a common reason for SSM-related issues.
If troubleshooting SSM-related issues, verify these three prerequisites (SSM Agent, IAM Role, Security Group) in order.
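The ordered check described above, written as an added example (not from the original page): it walks the three prerequisites in sequence over the response shapes of ssm:DescribeInstanceInformation, ec2:DescribeInstances, ec2:DescribeSecurityGroups and iam:ListAttachedRolePolicies. The sample data at the bottom is constructed; the instance id, profile ARN and security group id are placeholders.

```python
"""Ordered SSM prerequisite check (added example, not from the original page).
Inputs are the response shapes of ssm:DescribeInstanceInformation,
ec2:DescribeInstances, ec2:DescribeSecurityGroups and
iam:ListAttachedRolePolicies; the sample data at the bottom is constructed."""

REQUIRED_POLICY = "AmazonSSMManagedInstanceCore"
HTTPS = 443  # the ssm, ssmmessages and ec2messages endpoints are reached over TCP/443

def agent_online(instance_id, instance_information):
    """Prerequisite 1 as seen from the service: the agent has checked in."""
    return any(i["InstanceId"] == instance_id and i.get("PingStatus") == "Online"
               for i in instance_information)

def instance_profile_arn(instance_id, reservations):
    """Prerequisite 2, part one: an instance profile is attached at all."""
    for reservation in reservations:
        for inst in reservation["Instances"]:
            if inst["InstanceId"] == instance_id:
                return inst.get("IamInstanceProfile", {}).get("Arn")
    return None

def egress_allows_https(security_groups):
    """Prerequisite 3: some egress rule permits TCP/443 (or all traffic)."""
    for sg in security_groups:
        for rule in sg.get("IpPermissionsEgress", []):
            if rule.get("IpProtocol") == "-1":
                return True
            if (rule.get("IpProtocol") == "tcp"
                    and rule.get("FromPort", 0) <= HTTPS <= rule.get("ToPort", 0)):
                return True
    return False

def diagnose(instance_id, instance_information, reservations,
             security_groups, attached_policy_names):
    """Check the prerequisites in the order the notes recommend and name
    the first one that fails; 'ok' when the node is already managed."""
    if agent_online(instance_id, instance_information):
        return "ok"
    if instance_profile_arn(instance_id, reservations) is None:
        return "iam-role: no instance profile attached"
    if REQUIRED_POLICY not in attached_policy_names:
        return f"iam-role: {REQUIRED_POLICY} missing from the profile's role"
    if not egress_allows_https(security_groups):
        return "security-group: no outbound rule to TCP/443"
    return "ssm-agent: role and egress look right; check the agent is installed and running"

# Constructed sample: profile attached with the right policy, but the only
# egress rule allows TCP/80, so the agent cannot reach the SSM endpoints.
SAMPLE_ID = "i-0123456789abcdef0"
SAMPLE_INFO = []  # DescribeInstanceInformation returned nothing for this node
SAMPLE_RESERVATIONS = [{"Instances": [{"InstanceId": SAMPLE_ID,
    "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/ssm-core"}}]}]
SAMPLE_SGS = [{"GroupId": "sg-0abc", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]
SAMPLE_POLICIES = ["AmazonSSMManagedInstanceCore"]

if __name__ == "__main__":
    print(diagnose(SAMPLE_ID, SAMPLE_INFO, SAMPLE_RESERVATIONS, SAMPLE_SGS, SAMPLE_POLICIES))
```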

AWS Systems Manager Core Capabilities

AWS Systems Manager offers a suite of capabilities to manage, automate, and secure your compute infrastructure.

These are the main features provided by Systems Manager for managing applications and infrastructure across AWS and hybrid environments.

Automation

Performs automated steps across AWS Cloud and hybrid environments, automating common and repetitive IT tasks across AWS resources; it can also integrate with on-premise and other cloud VMs. Automation involves creating or using an automation document (runbook), running it, and monitoring the results. It can be triggered by Amazon EventBridge.
document_types_used: Automation runbooks
trigger_integration: Amazon EventBridge
example_tasks: Remediate unreachable instances, create golden Amazon Machine Images (AMIs), patch instances
Use Cases:
  • Automating routine operational tasks
  • Responding to events with predefined workflows

Maintenance Windows

Creates custom maintenance windows to automatically apply software or OS patches, update drivers, or install software. It allows scheduling potentially disruptive actions. Users can set limits for simultaneous task runs and error rates.
supported_task_types:
  • Systems Manager Run Command commands
  • Systems Manager Automation workflows
  • AWS Step Functions workflows
  • AWS Lambda functions
Use Cases:
  • Scheduling patches and updates during off-peak hours
  • Running administrative tasks with controlled impact

Patch Manager

Automatically applies OS-level patches, security patches, and software updates to SSM-managed EC2 instances, automating patch deployment across large groups of EC2 instances or on-premises machines.
process_steps_overview: Create a patch baseline, define a maintenance window, apply patches and reboot instances, audit patch compliance results
Use Cases:
  • Automating OS and application patching
  • Ensuring security and compliance across instances

State Manager

Maintains a consistent configuration of Amazon EC2 or on-premises instances, preventing configuration drift and monitoring instance state. It involves choosing an SSM document, associating instances, specifying a schedule, and optionally outputting data to an S3 bucket. Credentials, passwords, or other parameters the document needs can be kept in Parameter Store rather than hardcoded.
process_steps_overview: Choose/create an SSM document, associate instances, specify schedule, (optional) output to Amazon S3
Use Cases:
  • Enforcing desired configuration states
  • Preventing configuration drift

Parameter Store

Provides centralized storage for configuration data and secrets. It stores data as name-value pairs, which can be plain text or encrypted using AWS Key Management Service (AWS KMS). It allows referencing parameters in scripts, commands, SSM documents, and workflows.
data_types: Plain text or encrypted
encryption_service: AWS Key Management Service (AWS KMS)
Use Cases:
  • Securely storing database credentials
  • Managing application configuration parameters

Inventory

Collects information about instances and installed software. It gathers data such as application data, files, network configurations, Windows services, server roles, updates, and system properties. It provides comprehensive system configuration and application insights without individual instance logins.
data_collected_examples: Application data, files, network configurations, Windows services, server roles, updates, system properties
Use Cases:
  • Tracking software installations
  • Managing application assets and licenses
  • Monitoring file integrity

Documents (Runbooks)

These define the actions performed by Systems Manager on managed instances. They are sets of steps for common maintenance and deployment tasks. Documents can be AWS-managed (predefined), custom (authored by you), or shared from other accounts. They can be authored in JSON or YAML.
types: Command documents, Automation runbooks
authoring_formats: JSON, YAML
ownership_types: Owned by Amazon, Owned by you, Shared with you
Use Cases:
  • Standardizing operational procedures
  • Automating complex multi-step tasks

Run Command

Remotely executes commands to securely manage the configuration of managed nodes. It automates running predefined commands on EC2 instances and allows for the creation of custom commands. Instances can be selected manually or using tags.
example_predefined_commands:
  • AWS-InstallWindowsUpdates (installs Windows updates)
  • AWS-RunPowerShellScript (runs PowerShell scripts)
  • AWS-RunShellScript (runs shell scripts)
Use Cases:
  • Executing scripts on multiple instances
  • Patching or updating software
  • Reducing management overhead by eliminating the need for bastion hosts or managing SSH keys

Session Manager

Establishes RDP or SSH sessions without opening inbound TCP ports or using key pairs. It provides an interactive browser-based shell via the AWS Management Console, AWS CLI, or SSH. It offers secure and auditable instance management, logging sessions to Amazon S3 or Amazon CloudWatch Logs, and enforces compliance with corporate policies that require controlled access and auditable logs.
access_methods: AWS Management Console, AWS CLI, SSH
logging_destinations: Amazon Simple Storage Service (Amazon S3), Amazon CloudWatch Logs
security_benefits: No inbound ports, no bastion hosts, no SSH keys
Use Cases:
  • Secure remote access to instances
  • Auditable instance management
  • Compliance enforcement

System Compliance

Tracks infrastructure compliance and provides a dashboard of compliant vs. non-compliant instances and configurations.
Use Cases:
  • Monitoring security posture
  • Auditing configuration adherence

Detailed Capability: AWS Systems Manager Patch Manager

AWS Systems Manager Patch Manager automates the patching of operating systems, security updates, and applications across your hybrid environments.

Manual patching of servers is labor-intensive and error-prone, leading to vulnerabilities. Patch Manager provides a robust solution to automate this process across AWS, on-premises, and other cloud VMs. Its primary goal is a uniform, automated, and consistent patching process across all regions and environments.

Use Cases and Supported Environments

Patch Manager is ideal for scalable patching requirements and managing updates across diverse environments.
key_use_cases:
  • Scalability: efficiently patching 10 or more EC2 instances.
  • Hybrid Cloud Management: consolidating patching for AWS, on-premises, and other cloud platforms.
  • Edge Device Patching: managing updates for AWS IoT and non-AWS IoT devices.
  • Diverse Operating Systems: supporting Windows, Linux, and Unix.
  • Uniform Patching Strategy: enforcing consistent policies across hybrid environments.
supported_environments:
  • AWS EC2 Instances
  • On-Premise Servers
  • Edge Devices (AWS and non-AWS IoT devices)
  • VMs in Other Cloud Providers
unsupported_environments:
  • macOS in on-premise data centers

Prerequisites for Using Patch Manager

Similar to general SSM integration, Patch Manager requires specific components to be in place.
ssm_agent: Must be installed and running on all EC2 instances and virtual machines.
iam_permissions: Appropriate IAM role attached to EC2 instance profile, or non-administrator IAM user with permissions for on-premises/other cloud VMs.
network_connectivity: Managed nodes must have outbound network access to AWS Systems Manager endpoints (EC2 security groups must allow outbound connections).

Automated Patch Management Process

The automated patching process involves four key stages to define, target, schedule, and execute patching operations.
Step 1: Create a patch baseline
  Purpose: defines the rules for patch approval (which patches are safe and acceptable for installation).
  Configuration options:
  • Operating System and Product Versions (e.g., Windows Server 2019, Amazon Linux 2)
  • Patch Type (OS patches, security updates, application patches)
  • Severity Levels (e.g., Critical, Important, Moderate, Low)
  • Classifications (e.g., Security Updates, Critical Updates, Service Packs, Driver Related)
  • Auto-approval Rules (delay in days or a specific date)
  • Application Rules (e.g., Microsoft SQL Server, Microsoft Office)
  • Patch Exceptions (exclude specific problematic patches)
Step 2: Identify targets (Patch Groups)
  Purpose: logically group managed nodes for targeted patching (e.g., 'critical', 'webservers', 'database servers').
  Association and constraints: a managed node can belong to only one patch group at a time. Typically implemented using AWS tags on EC2 instances.
Step 3: Define a maintenance window
  Purpose: a scheduled period for executing patching tasks, minimizing disruption.
  Scheduling and duration:
  • Scheduling Options: cron-based schedules, rate-based schedules, or a combination.
  • Duration: maximum time allowed for tasks to complete.
  • Stop Initiating Task: cutoff time before the window closes, preventing new tasks from starting too late.
  • Timing: configure dates and times, taking time zones into account.
Step 4: Create the patching task (association)
  Purpose: defines the specific patching operation, linking the patch baseline, maintenance window, and target patch group.
  Actions and association:
  • Actions: 'scan only' (identify missing patches) or 'scan and install' (identify and apply patches).
  • Association: the task is associated with a chosen Maintenance Window, a specific Patch Baseline, and a target Patch Group.
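The four stages above expressed as API requests, as an added example that is not part of the original page. The baseline name, the "webservers" Patch Group value, the Sunday 02:00 UTC schedule and the rejected-patch pattern are assumptions; the parameter names are those of the SSM API calls named in each function, and the live calls run only under the main guard.

```python
"""Request payloads for the four patching stages (added example, not from the
original page). Baseline name, the "webservers" Patch Group value, the Sunday
02:00 UTC schedule and the rejected-patch pattern are assumptions."""

PATCH_GROUP = "webservers"  # value of the "Patch Group" tag on target nodes

def patch_baseline_request():
    """Stage 1 (ssm:CreatePatchBaseline): approve Amazon Linux 2 security
    patches rated Critical or Important 7 days after release; block one
    known-problematic package as a patch exception."""
    return {
        "Name": "al2-security-weekly",
        "OperatingSystem": "AMAZON_LINUX_2",
        "ApprovalRules": {"PatchRules": [{
            "PatchFilterGroup": {"PatchFilters": [
                {"Key": "CLASSIFICATION", "Values": ["Security"]},
                {"Key": "SEVERITY", "Values": ["Critical", "Important"]}]},
            "ComplianceLevel": "CRITICAL",
            "ApproveAfterDays": 7}]},
        "RejectedPatches": ["example-broken-pkg.*"],  # placeholder pattern
        "RejectedPatchesAction": "BLOCK",
    }

def maintenance_window_request():
    """Stage 3 (ssm:CreateMaintenanceWindow): Sundays 02:00 UTC, 4 hours
    long; no new task may start in the final hour (Cutoff)."""
    return {"Name": "patch-" + PATCH_GROUP, "Schedule": "cron(0 2 ? * SUN *)",
            "ScheduleTimezone": "UTC", "Duration": 4, "Cutoff": 1,
            "AllowUnassociatedTargets": False}

def window_target_request(window_id):
    """Stage 2 (ssm:RegisterTargetWithMaintenanceWindow): select nodes by
    their Patch Group tag; a node belongs to one Patch Group at a time."""
    return {"WindowId": window_id, "ResourceType": "INSTANCE",
            "Targets": [{"Key": "tag:Patch Group", "Values": [PATCH_GROUP]}]}

def patch_task_request(window_id, window_target_id, operation="Scan"):
    """Stage 4 (ssm:RegisterTaskWithMaintenanceWindow): AWS-RunPatchBaseline
    as Scan or Install, with concurrency and error limits."""
    if operation not in ("Scan", "Install"):
        raise ValueError("operation must be 'Scan' or 'Install'")
    return {"WindowId": window_id, "TaskType": "RUN_COMMAND",
            "TaskArn": "AWS-RunPatchBaseline", "Priority": 1,
            "Targets": [{"Key": "WindowTargetIds", "Values": [window_target_id]}],
            "TaskInvocationParameters": {"RunCommand": {"Parameters": {
                "Operation": [operation], "RebootOption": ["RebootIfNeeded"]}}},
            "MaxConcurrency": "10%", "MaxErrors": "1"}

def window_is_sane(window):
    """The cutoff must leave time inside the window for tasks to start."""
    return 0 < window["Cutoff"] < window["Duration"] <= 24

if __name__ == "__main__":
    import boto3  # needed only for the live calls
    ssm = boto3.client("ssm")
    baseline_id = ssm.create_patch_baseline(**patch_baseline_request())["BaselineId"]
    ssm.register_patch_baseline_for_patch_group(BaselineId=baseline_id, PatchGroup=PATCH_GROUP)
    window = maintenance_window_request()
    window_id = ssm.create_maintenance_window(**window)["WindowId"] if window_is_sane(window) else exit(1)
    target_id = ssm.register_target_with_maintenance_window(
        **window_target_request(window_id))["WindowTargetId"]
    ssm.register_task_with_maintenance_window(
        **patch_task_request(window_id, target_id, operation="Install"))
```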

Patch Application Methods

Patch Manager supports both automated, scheduled patching via Maintenance Windows and manual, on-demand patching.
Automated patching via Maintenance Windows:
  • Scheduling options: select an existing Maintenance Window, 'patch now' (can create a temporary window or use an existing one), or create a new Maintenance Window.
  • Patch operations: Scan only (identifies missing patches without installing) or Scan and Install (scans and applies patches).
  • Instance selection methods: by tag, by Patch Group, or manual selection.
Manual patching:
  • Triggering and patch operations: manually trigger 'patch now' and choose 'Scan only' or 'Scan and Install'.
  • Instance selection methods: by instance tag, manually chosen instances, or resource groups.
  • Log storage: optionally store detailed patching logs in an Amazon S3 bucket.
  • Reboot options: reboot if needed, do not reboot, or schedule a reboot time.
  • Lifecycle hooks: define actions at various stages (e.g., backups before patching, cleanup, revert on failure).

Execution, Monitoring, and Compliance

Patch Manager provides tools to monitor the status of patching tasks and compliance across your infrastructure.
patch_execution_status: Monitor progress via Systems Manager console; each execution has a unique Execution ID. Statuses: Pending, In-progress, Completed, Failed. Detailed logs available.
compliance_reporting: Dashboard view of patching compliance. Compliant instances have patches applied; non-compliant instances have not undergone scanning or patching.
tag_based_automation: Instances tagged with criteria used in patching tasks are automatically included in future executions. New instances with matching tags are automatically brought into the patching process.

Systems Manager for Hybrid Environments

AWS Systems Manager extends its management capabilities beyond AWS Cloud to encompass on-premise servers and virtual machines in other cloud providers, offering a centralized management console for diverse compute nodes.

Systems Manager supports management for a variety of compute resources outside of AWS.
A hybrid environment involves managing compute resources both within AWS (e.g., EC2 instances) and outside of AWS (e.g., on-premise data centers or other cloud providers). AWS Systems Manager provides a centralized management console for these diverse compute nodes.

Key Steps for Hybrid Environment Configuration


To configure AWS Systems Manager for managing resources in a hybrid environment, several crucial steps are involved, from IAM setup to agent installation and advanced settings.

The setup process for integrating on-premise or other cloud VMs with Systems Manager involves creating necessary IAM permissions, activating nodes, installing the SSM Agent, and configuring optional settings for enhanced security and functionality.

Prerequisites

  • Understanding of IAM roles and policies.
  • Network connectivity between the on-premises or other cloud environment and AWS (a VPC endpoint is optional).
  • Access to Systems Manager console for activation.

Step 1: Create a Non-Admin IAM User and Group for Systems Manager

💡 For on-premise or other cloud VMs, a non-administrator IAM user with programmatic access is required, unlike EC2 instances, which use IAM roles. Access keys and secret access keys are generated and must be securely stored.

Step 2: Create a Managed Node Activation for Hybrid Environment

💡 To register hybrid resources (on-premise VMs, other cloud VMs) with Systems Manager.

Step 3: Install the SSM Agent on the Hybrid Resource

💡 The SSM Agent must be installed on the on-premise VMs or VMs in other cloud providers.

powershell: & "C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe" -register -code "YOUR_ACTIVATION_CODE" -id "YOUR_ACTIVATION_ID" -region "us-east-1"
(Note: the command in the demo first downloaded the agent installer and then registered the agent with the activation code and ID produced in step 2; restart the AmazonSSMAgent service after registering. Key parameters: -region, -code, -id.)
Step 4 (optional): Configure VPC Endpoint

💡 To prevent traffic from going to the public internet when connecting to AWS services, routing traffic through the AWS backbone network.

Step 5 (optional): Set Up Private Key Auto-Rotation

💡 To automatically rotate the private keys used by the SSM agent.

Step 6: Enable Advanced Instance Tier (for Session Manager)

💡 Required to use Session Manager with on-premise instances.
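Steps 2 and 3 of the hybrid procedure as API and agent commands, as an added example that is not part of the original page. The service role name, registration limit, expiry and tag are assumptions; the parameter names are those of ssm:CreateActivation, and the registration command is the documented form for an already-installed agent.

```python
"""Managed-node activation plus the matching agent registration command
(added example, not from the original page). Role name, registration limit,
expiry window and the Environment tag are assumptions."""
from datetime import datetime, timedelta, timezone

MAX_ACTIVATION_DAYS = 30  # the service rejects expiry dates further out than this

def activation_request(role_name, expected_nodes, hours_valid=24, description="on-prem web tier"):
    """Step 2 (ssm:CreateActivation): one activation per onboarding batch,
    capped at the number of nodes expected and expiring once the batch is done."""
    if not 1 <= expected_nodes <= 1000:
        raise ValueError("RegistrationLimit must be between 1 and 1000")
    if not 0 < hours_valid <= MAX_ACTIVATION_DAYS * 24:
        raise ValueError("ExpirationDate must be within 30 days")
    return {
        "Description": description,
        "IamRole": role_name,  # service role trusted by ssm.amazonaws.com (assumed name)
        "RegistrationLimit": expected_nodes,
        "ExpirationDate": datetime.now(timezone.utc) + timedelta(hours=hours_valid),
        "Tags": [{"Key": "Environment", "Value": "hybrid"}],
    }

def register_command(platform, activation_id, activation_code, region):
    """Step 3: command to run on the node after the agent is installed.
    Stop the agent service first and start it again afterwards."""
    if platform == "windows":
        exe = r'& "C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"'
    elif platform == "linux":
        exe = "sudo amazon-ssm-agent"
    else:
        raise ValueError("platform must be 'windows' or 'linux'")
    return f'{exe} -register -code "{activation_code}" -id "{activation_id}" -region "{region}"'

if __name__ == "__main__":
    import boto3  # needed only for the live call
    resp = boto3.client("ssm").create_activation(
        **activation_request("SSMServiceRole", expected_nodes=5))
    # The code is shown once; store it with the same care as an access key.
    print(register_command("linux", resp["ActivationId"], resp["ActivationCode"], "us-east-1"))
```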

Demonstration: Setting up SSM for an EC2 Instance


This demonstration outlines the step-by-step process to integrate a Linux EC2 instance with AWS Systems Manager, ensuring it appears as a managed node.

The goal is to integrate a Linux EC2 instance with AWS Systems Manager, covering prerequisites and practical steps to ensure successful communication and management.

Prerequisites

  • A running Linux EC2 instance.
  • AWS Management Console access.
  • Basic understanding of IAM roles and security groups.

Step 1: Access EC2 Console and Verify SSM Agent (Linux Instance)

💡 To view running instances and confirm whether the SSM agent is pre-installed, and which version.

sudo systemctl status amazon-ssm-agent
(To see the installed agent version, query the package manager, e.g. rpm -q amazon-ssm-agent on Amazon Linux and other RPM-based distributions, or snap list amazon-ssm-agent on Ubuntu; see the AWS documentation for other distributions.)
Step 2: Create and Attach IAM Role for EC2

💡 The SSM Agent needs permissions to communicate with the Systems Manager service, adhering to AWS’s zero-trust policy.

Step 3: Verify Security Group Outbound Rules

💡 Security groups act as instance-level firewalls. Outbound connections to the SSM service must be explicitly allowed.

Step 4: Validate SSM Integration

💡 To confirm that the SSM Agent is successfully communicating with the Systems Manager service and the instance is recognized as a managed node.

Step 5: Installing SSM Agent (If Not Pre-installed)

💡 To enable SSM management for instances that do not come with the agent pre-installed.

Specific Use Case: CloudWatch Agent Installation using SSM Run Command


AWS Systems Manager Run Command provides a scalable solution for deploying and managing the Amazon CloudWatch Agent across multiple EC2 instances, streamlining the collection of custom metrics and logs.

This procedure demonstrates how AWS Systems Manager (SSM) Run Command can be used to install and configure the CloudWatch Agent on a Windows EC2 instance.

Prerequisites

  • An active AWS account.
  • At least one Windows EC2 instance in a running state with an attached IAM instance role (containing CloudWatchAgentAdminPolicy, CloudWatchAgentServerPolicy, AmazonSSMFullAccess, and AmazonSSMManagedInstanceCore policies).
  • EC2 instance appears as a managed instance in Systems Manager Fleet Manager.
  • Security group of the EC2 instance must allow outbound connections to AWS CloudWatch services.

Step 1: Install CloudWatch Agent using AWS Systems Manager Run Command

💡 To remotely install the CloudWatch Agent package on the target EC2 instance(s) in a scalable manner.

AWS Systems Manager -> Run Command -> Select Command Document: AWS-ConfigureAWSPackage -> Action: Install -> Installation Type: Uninstall and reinstall -> Package Name: AmazonCloudWatchAgent -> Version: latest -> Target Selection: Choose instances manually (select Windows EC2 instance).
Step 2: Configure the CloudWatch Agent via Configuration Wizard (on instance)

💡 To define which metrics and logs the CloudWatch Agent should collect and to store this configuration securely.

Step 3: Start CloudWatch Agent service using AWS Systems Manager Run Command

💡 To activate the CloudWatch Agent with the new configuration, sending metrics and logs to CloudWatch.

AWS Systems Manager -> Run Command -> Select Command Document: AmazonCloudWatch-ManageAgent -> Action: Configure -> Mode: EC2 -> Optional Configuration Location: Parameter store name (e.g., AmazonCloudWatchWindows) -> Optional Restart: Yes -> Target Selection: Choose instances manually (select Windows EC2 instance).
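The two Run Command steps of this procedure as ssm:SendCommand requests, plus the polling a script needs before acting on the result, as an added example that is not part of the original page. The instance id is a placeholder; the document parameter names are those of the AWS-managed documents AWS-ConfigureAWSPackage and AmazonCloudWatch-ManageAgent, and the Parameter Store name is the one the page uses.

```python
"""Run Command equivalents of the console steps above (added example, not
from the original page). The instance id is a placeholder; document parameter
names are those of AWS-ConfigureAWSPackage and AmazonCloudWatch-ManageAgent."""
import time

TERMINAL = {"Success", "Cancelled", "TimedOut", "Failed"}

def install_agent_request(instance_ids):
    """Step 1: install (or uninstall and reinstall) the AmazonCloudWatchAgent package."""
    return {"DocumentName": "AWS-ConfigureAWSPackage", "InstanceIds": list(instance_ids),
            "Parameters": {"action": ["Install"],
                           "installationType": ["Uninstall and reinstall"],
                           "name": ["AmazonCloudWatchAgent"], "version": ["latest"]}}

def configure_agent_request(instance_ids, parameter_name="AmazonCloudWatchWindows"):
    """Step 3: load the wizard's configuration from Parameter Store and restart the agent."""
    return {"DocumentName": "AmazonCloudWatch-ManageAgent", "InstanceIds": list(instance_ids),
            "Parameters": {"action": ["configure"], "mode": ["ec2"],
                           "optionalConfigurationSource": ["ssm"],
                           "optionalConfigurationLocation": [parameter_name],
                           "optionalRestart": ["yes"]}}

def wait_for_invocation(get_invocation, attempts=30, delay=0):
    """Poll a get_command_invocation-style callable until a terminal status
    and return it; Pending, InProgress and Delayed are retried."""
    status = "Pending"
    for _ in range(attempts):
        status = get_invocation()["Status"]
        if status in TERMINAL:
            return status
        time.sleep(delay)
    return status

def scripted(statuses):
    """Constructed stand-in for get_command_invocation, for offline checks."""
    queue = list(statuses)
    return lambda: {"Status": queue.pop(0)}

if __name__ == "__main__":
    import boto3  # needed only for the live calls
    ssm = boto3.client("ssm")
    targets = ["i-0123456789abcdef0"]  # placeholder instance id
    for request in (install_agent_request(targets), configure_agent_request(targets)):
        command_id = ssm.send_command(**request)["Command"]["CommandId"]
        time.sleep(2)  # the invocation record appears shortly after SendCommand
        status = wait_for_invocation(
            lambda: ssm.get_command_invocation(CommandId=command_id, InstanceId=targets[0]),
            delay=5)
        print(request["DocumentName"], status)
        if status != "Success":
            raise SystemExit(1)
```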

Glossary

SSM Agent
The Systems Manager Agent, a software installed on EC2 instances and hybrid resources that allows them to be managed by Systems Manager.
Managed Node Activation
A process in Systems Manager to register hybrid resources (on-premise VMs, other cloud VMs) with the service, generating an Activation Code and Activation ID.
Run Command
A Systems Manager capability to remotely and securely execute predefined or custom commands on managed instances.
Session Manager
A Systems Manager capability that allows secure, browser-based shell access to managed instances without requiring open inbound ports, bastion hosts, or SSH keys.
Patch Baseline
A defined set of rules for patch approval, specifying which patches are considered safe and acceptable for installation by Patch Manager.
Maintenance Window
A scheduled period of time during which administrative and maintenance tasks, such as patching, are performed on instances to minimize business disruption.
SSM Document
A document (runbook) that defines the actions performed by Systems Manager on managed instances, authored in JSON or YAML.
Parameter Store
A Systems Manager capability that provides centralized storage for configuration data and secrets, stored as name-value pairs.
Inventory
A Systems Manager capability that collects information about instances and installed software, providing comprehensive system configuration and application insights.
