AWS Systems Manager: User Guide

Copyright © 2022 Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.

Table of Contents

What is AWS Systems Manager?
    How it works
    Capabilities
        Application management
        Change management
        Node management
        Operations management
        Quick Setup
        Shared resources
    Accessing Systems Manager
    Supported AWS Regions
    Systems Manager pricing
    Systems Manager service name history
    About SSM Agent
    About resource groups
    Supported operating systems
        Linux
        macOS
        Raspberry Pi OS (formerly Raspbian)
        Windows Server
    Prerequisites
    Related content and references
Setting up Systems Manager
    General setup
        Sign up for an AWS account
        Create an administrative user
    Setting up for EC2 instances
        Step 1: Complete general Systems Manager setup steps
        Step 2: Create non-Admin IAM users and groups for Systems Manager
        Step 3: Create an IAM instance profile for Systems Manager
        Step 4: Attach an IAM instance profile to an Amazon EC2 instance
        Step 5: Create VPC endpoints
    Setting up hybrid environments
        Step 1: Complete general Systems Manager setup steps
        Step 2: Create an IAM service role for a hybrid environment
        Step 3: Create a managed-node activation for a hybrid environment
        Step 4: Install SSM Agent for a hybrid environment (Linux)
        Step 5: Install SSM Agent for a hybrid environment (Windows)
    Setting up edge devices
        Step 1: Complete general Systems Manager setup steps
        Step 2: Create an IAM service role for edge devices
        Step 3: Set up AWS IoT Greengrass
        Step 4: Update the AWS IoT Greengrass token exchange role and install SSM Agent on your edge devices
Getting started
    Step 1: Install or upgrade AWS command line tools
        Installing or upgrading and then configuring the AWS CLI
        Installing or upgrading and then configuring the AWS Tools for PowerShell
    Step 2: Practice installing or updating SSM Agent on an instance
    Step 3: Try Systems Manager tutorials and walkthroughs
        Operations management
        Application management
        Change management
        Node management
        Shared resources
Working with SSM Agent
    SSM Agent technical reference
        SSM Agent credentials precedence
        About the local ssm-user account
        SSM Agent and the Instance Metadata Service (IMDS)
        Keeping SSM Agent up-to-date
        SSM Agent rolling updates by AWS Regions
        Installing SSM Agent on VMs and on-premises instances
        Validating on-premises servers, edge devices, and virtual machines using a hardware fingerprint
        SSM Agent on GitHub
    AMIs with SSM Agent preinstalled
        Verify the status of SSM Agent
    SSM Agent version 3.0
    Working with SSM Agent on EC2 instances for Linux
        Manually installing SSM Agent on EC2 instances for Linux
        Verifying the signature of the SSM Agent
        Configuring SSM Agent to use a proxy (Linux)
        Uninstalling SSM Agent from Linux instances
    Working with SSM Agent on EC2 instances for macOS
        Manually installing SSM Agent on EC2 instances for macOS
        Configure SSM Agent to use a proxy (macOS)
        Uninstall SSM Agent from macOS instances
    Working with SSM Agent on EC2 instances for Windows Server
        Manually installing SSM Agent on EC2 instances for Windows Server
        Configure SSM Agent to use a proxy for Windows Server instances
    Working with SSM Agent on edge devices
    Checking SSM Agent status and starting the agent
    Checking the SSM Agent version number
    Viewing SSM Agent logs
        Allowing SSM Agent debug logging
    Restricting access to root-level commands through SSM Agent
    Automating updates to SSM Agent
        Automatically updating SSM Agent
    Subscribing to SSM Agent notifications
    SSM Agent communications with AWS managed S3 buckets
        Required bucket permissions
        Example
    Troubleshooting SSM Agent
        SSM Agent is out of date
        View SSM Agent log files
        Agent log files don't rotate (Windows)
        Unable to connect to SSM endpoints
Quick Setup
    What are the benefits of Quick Setup?
    Who should use Quick Setup?
    Getting started with Quick Setup
        IAM roles and permissions
        Configure the home AWS Region
        Availability of Quick Setup in AWS Regions
    Using Quick Setup
        Configuration details
        Editing and deleting your configuration
        Configuration compliance
        Troubleshooting Quick Setup results
    Quick Setup Host Management
    AWS Config recording
    Deploy AWS Config conformance packs
    Configure DevOps Guru with Quick Setup
    Deploy Distributor packages with Quick Setup
    Automate organization-wide patching
        Supported Regions for patch policy configurations
        Creating a patch policy
    Resource Scheduler
Operations Management
    Incident Manager
    Explorer
        What are the features of Explorer?
        How does Explorer relate to OpsCenter?
        What is OpsData?
        Is there a charge to use Explorer?
        Getting started
        Using Explorer
        Exporting OpsData
        Troubleshooting
    OpsCenter
        OpsCenter integration
        How can OpsCenter benefit my organization?
        What are the features of OpsCenter?
        How does OpsCenter work with Amazon EventBridge? Which service should I use?
        Does OpsCenter integrate with my existing case management system?
        Is there a charge to use OpsCenter?
        Does OpsCenter work with my on-premises and hybrid managed nodes?
        What are the quotas for OpsCenter?
        Getting started with OpsCenter
        Creating OpsItems
        Working with OpsItems
        Working with OpsItems across accounts
        Reducing duplicate OpsItems
        Working with Incident Manager incidents
        Remediating OpsItem issues
        Viewing OpsCenter summary reports
        Supported resources reference
        Receiving Security Hub findings
        Auditing and logging OpsCenter activity
    CloudWatch Dashboard
Application Management
    Application Manager
        What are the benefits of using Application Manager?
        What are the features of Application Manager?
        Is there a charge to use Application Manager?
        What are the resource quotas for Application Manager?
        Getting started
        Working with Application Manager
    AWS AppConfig
    Parameter Store
        How can Parameter Store benefit my organization?
        Who should use Parameter Store?
        What are the features of Parameter Store?
        What is a parameter?
        Setting up Parameter Store
        Working with Parameter Store
        Parameter Store walkthroughs
        Auditing and logging Parameter Store activity
        Troubleshooting Parameter Store
Change Management
    Change Manager
        How Change Manager works
        How can Change Manager benefit my operations?
        Who should use Change Manager?
        What are the main features of Change Manager?
        Is there a charge to use Change Manager?
        What are the primary components of Change Manager?
        Setting up Change Manager
        Working with Change Manager
        Auditing and logging Change Manager activity
        Troubleshooting Change Manager
    Automation
        How can Automation benefit my organization?
        Who should use Automation?
        What is an automation?
        Setting up Automation
        Running automations
        Scheduling automations
        Automation actions reference
        Creating your own runbooks
        Automation runbook reference
        Tutorials
        Understanding automation statuses
        Troubleshooting Systems Manager Automation
    Change Calendar
        Who should use Change Calendar?
        Benefits of Change Calendar
        Setting up Change Calendar
        Working with Change Calendar
        Adding Change Calendar dependencies to Automation runbooks
        Troubleshooting Change Calendar
    Maintenance Windows
        Setting up Maintenance Windows
        Working with maintenance windows (console)
        Maintenance Windows tutorials (AWS CLI)
        Maintenance window walkthroughs
        Maintenance window scheduling and active period options
        Registering maintenance window tasks without targets
        Troubleshooting maintenance windows
Node Management
    Fleet Manager
        Who should use Fleet Manager?
        How can Fleet Manager benefit my organization?
        What are the features of Fleet Manager?
        Getting started with Fleet Manager
        Working with Fleet Manager
    Compliance
        Getting started with Compliance
        Creating a resource data sync for Compliance
        Working with Compliance
        Deleting a resource data sync for Compliance
        Remediating compliance issues using EventBridge
        Compliance walkthrough (AWS CLI)
    Inventory
        Learn more about Inventory
        Setting up Inventory
        Configuring inventory collection
        Working with inventory data
        Working with custom inventory
        Viewing inventory history and change tracking
        Stopping data collection and deleting inventory data
        Inventory walkthroughs
        Troubleshooting Inventory
    Hybrid Activations
    Session Manager
        How can Session Manager benefit my organization?
        Who should use Session Manager?
        What are the main features of Session Manager?
        What is a session?
        Setting up Session Manager
        Working with Session Manager
        Auditing session activity
        Logging session activity
        Session document schema
        Troubleshooting Session Manager
    Run Command
        Setting up Run Command
        Running commands on managed nodes
        Using exit codes in commands
        Understanding command statuses
        Run Command walkthroughs
        Troubleshooting Run Command
    State Manager
        How can State Manager benefit my organization?
        Who should use State Manager?
        What are the features of State Manager?
        Is there a charge to use State Manager?
        How do I get started with State Manager?
        About State Manager
        Working with associations
        State Manager walkthroughs
    Patch Manager
        Introducing patch policies
        Patch Manager prerequisites
        How it works
        About SSM documents for patching managed nodes
        About patch baselines
        Using Kernel Live Patching on Amazon Linux 2 managed nodes
        Working with Patch Manager (console)
        Working with Patch Manager (AWS CLI)
        Patch Manager walkthroughs
        Troubleshooting Patch Manager
    Distributor
        How can Distributor benefit my organization?
        Who should use Distributor?
        What are the features of Distributor?
        What is a package?
        Setting up Distributor
        Working with Distributor
        Auditing and logging Distributor activity
        Troubleshooting Distributor
Shared Resources
    Documents
        How can the Documents capability benefit my organization?
        Who should use Documents?
        What are the types of SSM documents?
        SSM document schema features and examples
        SSM document data elements
        Systems Manager Command document plugin reference
        Viewing SSM Command document content
        Creating SSM documents
        Deleting custom SSM documents
1375 Comparing SSM document versions ................................................................................ 1376 Sharing SSM documents................................................................................................ 1376 Searching for SSM documents........................................................................................ 1386 Running Systems Manager Command documents from remote locations .............................. 1388 Security....................................................................................................................................... 1392 Data protection.................................................................................................................... 1392 Data encryption............................................................................................................ 1393 Internetwork traffic privacy............................................................................................ 1395 Identity and access management ............................................................................................ 1395 Audience...................................................................................................................... 1395 Authenticating with identities......................................................................................... 1396 Managing access using policies ....................................................................................... 1398 How AWS Systems Manager works with IAM .................................................................... 1399 Identity-based policy examples....................................................................................... 1406 AWS managed policies.................................................................................................. 
1414 Troubleshooting............................................................................................................ 1426 Using service-linked roles ...................................................................................................... 1427 Inventory and Explorer data role .................................................................................... 1428 OpsCenter and Explorer account discovery role ................................................................. 1430 OpsData and OpsItems creation role ............................................................................... 1433 Operational insights creation role ................................................................................... 1436 Logging and monitoring........................................................................................................ 1439 Compliance validation........................................................................................................... 1441 Resilience............................................................................................................................. 1441 Infrastructure security........................................................................................................... 1442 Configuration and vulnerability analysis .................................................................................. 1442 Security best practices ........................................................................................................... 1442 Systems Manager preventative security best practices....................................................... 1442 Systems Manager monitoring and auditing best practices .................................................. 1444 Monitoring................................................................................................................................... 
1447 Monitoring tools................................................................................................................... 1447 Sending node logs to unified CloudWatch Logs (CloudWatch agent) ............................................ 1448 Migrate Windows Server node log collection to the CloudWatch agent ................................. 1449 Store CloudWatch agent configuration settings in Parameter Store ..................................... 1455 Rolling back to log collection with SSM Agent .................................................................. 1455 Sending SSM Agent logs to CloudWatch Logs .......................................................................... 1457 Monitoring your change request events ................................................................................... 1459 Monitoring your automations ................................................................................................. 1461 Automation metrics...................................................................................................... 1461 Monitoring Run Command metrics using Amazon CloudWatch .................................................... 1462 Systems Manager Run Command metrics and dimensions .................................................. 1463 Logging AWS Systems Manager API calls with AWS CloudTrail .................................................... 1463 Systems Manager information in CloudTrail ..................................................................... 1463 Understanding Systems Manager log file entries ............................................................... 1464 Logging Automation action output with CloudWatch Logs ......................................................... 1466 Configuring Amazon CloudWatch Logs for Run Command .......................................................... 
1468 viii AWS Systems Manager User Guide Specifying CloudWatch Logs when you send commands .................................................... 1469 Viewing command output in CloudWatch Logs ................................................................. 1470 Monitoring with Amazon EventBridge ..................................................................................... 1470 Configuring EventBridge for Systems Manager events ....................................................... 1471 Amazon EventBridge event examples for Systems Manager ................................................ 1473 Sample scenarios: Systems Manager targets in Amazon EventBridge rules ............................ 1482 Monitoring Systems Manager status changes using Amazon SNS notifications ............................... 1483 Configure Amazon SNS notifications for AWS Systems Manager .......................................... 1483 Example Amazon SNS notifications for AWS Systems Manager ........................................... 1488 Use Run Command to send a command that returns status notifications .............................. 1489 Use a maintenance window to send a command that returns status notifications ................... 1492 Product and service integrations ..................................................................................................... 1496 Integration with AWS services ................................................................................................ 1496 Compute...................................................................................................................... 1496 Internet of Things (IoT) ................................................................................................. 1498 Storage....................................................................................................................... 
1498 Developer Tools............................................................................................................ 1499 Security, Identity, and Compliance.................................................................................. 1499 Cryptography and PKI................................................................................................... 1500 Management and Governance........................................................................................ 1501 Networking and Content Delivery ................................................................................... 1504 Analytics...................................................................................................................... 1505 Application Integration.................................................................................................. 1506 AWS Management Console ............................................................................................ 1506 Running scripts from Amazon S3 .................................................................................... 1506 Referencing AWS Secrets Manager secrets from Parameter Store parameters ........................ 1509 Using Parameter Store parameters in AWS Lambda functions ............................................. 1513 Integration with other products and services ............................................................................ 1523 Running scripts from GitHub .......................................................................................... 1525 Using Chef InSpec profiles with Systems Manager Compliance ............................................ 1530 Integrating with ServiceNow.......................................................................................... 1534 Tagging Systems Manager resources ............................................................................................... 
1535 Systems Manager resources you can tag .................................................................................. 1535 Tagging Systems Manager associations .................................................................................... 1536 Creating associations with tags....................................................................................... 1536 Adding tags to an existing association ............................................................................. 1537 Removing tags from an association ................................................................................. 1538 Tagging automations............................................................................................................ 1539 Adding tags to automations (console) ............................................................................. 1539 Adding tags to automations (command line).................................................................... 1539 Removing tags from automations ................................................................................... 1541 Tagging Systems Manager documents ..................................................................................... 1542 Creating documents with tags ........................................................................................ 1542 Adding tags to existing documents ................................................................................. 1542 Removing tags from SSM documents.............................................................................. 1544 Tagging maintenance windows ............................................................................................... 1546 Creating maintenance windows with tags ........................................................................ 1546 Adding tags to existing maintenance windows .................................................................. 
1546 Removing tags from maintenance windows ...................................................................... 1548 Tagging managed nodes ........................................................................................................ 1550 Creating or activating managed nodes with tags ............................................................... 1550 Adding tags to existing managed nodes .......................................................................... 1550 Removing tags from managed nodes .............................................................................. 1552 Tagging OpsItems................................................................................................................. 1554 Creating OpsItems with tags .......................................................................................... 1554 Adding tags to existing OpsItems ................................................................................... 1554 Removing tags from Systems Manager OpsItems.............................................................. 1556 ix AWS Systems Manager User Guide Tagging Systems Manager parameters ..................................................................................... 1557 Creating parameters with tags ........................................................................................ 1558 Adding tags to existing parameters ................................................................................. 1558 Removing tags from SSM parameters .............................................................................. 1559 Tagging patch baselines ........................................................................................................ 1561 Creating patch baselines with tags.................................................................................. 1561 Adding tags to existing patch baselines........................................................................... 
1561 Removing tags from patch baselines ............................................................................... 1563 AWS Systems Manager reference .................................................................................................... 1566 EventBridge event patterns and types for Systems Manager ....................................................... 1566 Event type: Automation................................................................................................. 1567 Event type: Change Calendar ........................................................................................ 1568 Event type: Configuration Compliance ............................................................................. 1568 Event type: Inventory .................................................................................................... 1568 Event type: State Manager ............................................................................................. 1569 Event type: Maintenance Window ................................................................................... 1569 Event type: Parameter Store.......................................................................................... 1570 Event type: Run Command ............................................................................................ 1571 Cron and rate expressions ...................................................................................................... 1572 General information about cron and rate expressions ........................................................ 1572 Cron and rate expressions for associations....................................................................... 1575 Cron and rate expressions for maintenance windows ......................................................... 1577 ec2messages, ssmmessages, and other API operations............................................................... 
1578 Creating formatted date and time strings for Systems Manager .................................................. 1579 Formatting date and time strings for Systems Manager ..................................................... 1580 Creating custom date and time strings for Systems Manager .............................................. 1580 Use cases and best practices .......................................................................................................... 1583 Deleting Systems Manager resources and artifacts .................................................................... 1585 Choosing between State Manager and Maintenance Windows .................................................... 1587 State Manager and Maintenance Windows: Key use cases ................................................... 1587 Document history......................................................................................................................... 1592 Updates prior to June 2018................................................................................................... 1672 Document conventions.................................................................................................................. 1683 AWS glossary............................................................................................................................... 1684 x
Description: