
AWS Systems Manager

User Guide


AWS Systems Manager: User Guide

Copyright © Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.


Table of Contents

What is AWS Systems Manager? ... 1

Capabilities ... 4

Quick Setup ... 4

Operations Management ... 4

Application Management ... 5

Change Management ... 6

Node Management ... 6

Shared Resources ... 8

How it works ... 8

About SSM Agent ... 9

Supported operating systems ... 11

Linux ... 11

macOS ... 13

Raspberry Pi OS (formerly Raspbian) ... 14

Windows Server ... 14

Accessing Systems Manager ... 14

Prerequisites ... 15

Setting up Systems Manager ... 17

Setting up for EC2 instances ... 17

Step 1: Sign up for AWS ... 18

Step 2: Create an Admin IAM user for AWS ... 18

Step 3: Create non-Admin IAM users and groups for Systems Manager ... 19

Step 4: Create an IAM instance profile for Systems Manager ... 22

Step 5: Attach an IAM instance profile to an Amazon EC2 instance ... 27

Step 6: (Optional) Create a Virtual Private Cloud endpoint ... 29

Step 7: (Optional) Create Systems Manager service roles ... 33

Step 8: (Optional) Set up integrations with other AWS services ... 35

Setting up hybrid environments ... 36

Step 1: Complete general Systems Manager setup steps ... 37

Step 2: Create an IAM service role for a hybrid environment ... 37

Step 3: Create a managed-instance activation for a hybrid environment ... 42

Step 4: Install SSM Agent for a hybrid environment (Linux) ... 46

Step 5: Install SSM Agent for a hybrid environment (Windows) ... 51

Setting up edge devices ... 54

Step 1: Complete general Systems Manager setup steps ... 55

Step 2: Create an IAM service role for edge devices ... 56

Step 3: Set up AWS IoT Greengrass ... 60

Step 4: Update the AWS IoT Greengrass token exchange role and install SSM Agent on your edge devices ... 60

Getting started ... 61

Step 1: Install or upgrade AWS command line tools ... 61

Installing or upgrading and then configuring the AWS CLI ... 62

Installing or upgrading and then configuring the AWS Tools for PowerShell ... 62

Step 2: Practice installing or updating SSM Agent on an instance ... 63

Step 3: Try Systems Manager tutorials and walkthroughs ... 64

Operations management ... 65

Application management ... 65

Change management ... 65

Node management ... 66

Shared resources ... 68

Working with SSM Agent ... 69

SSM Agent technical reference ... 69

SSM Agent credentials precedence ... 70

About the local ssm-user account ... 71


SSM Agent and the Instance Metadata Service (IMDS) ... 71

Keeping SSM Agent up-to-date ... 71

SSM Agent rolling updates by AWS Regions ... 72

Installing SSM Agent on VMs and on-premises instances ... 72

Validating on-premises servers, edge devices, and virtual machines using a hardware fingerprint ... 72

AMIs with SSM Agent preinstalled ... 73

SSM Agent on GitHub ... 74

SSM Agent version 3.0 ... 74

Installing and configuring SSM Agent on EC2 instances for Linux ... 75

Manually install SSM Agent on EC2 instances for Linux ... 75

Verifying the signature of the SSM Agent ... 96

Configure SSM Agent to use a proxy (Linux) ... 100

Uninstall SSM Agent from Linux instances ... 103

Installing and configuring SSM Agent on EC2 instances for macOS ... 104

Manually install SSM Agent on EC2 instances for macOS ... 105

Configure SSM Agent to use a proxy (macOS) ... 105

Uninstall SSM Agent from macOS instances ... 106

Installing and configuring SSM Agent on EC2 instances for Windows Server ... 106

Manually install SSM Agent on EC2 instances for Windows Server ... 107

Configure SSM Agent to use a proxy for Windows Server instances ... 108

Installing and configuring SSM Agent on edge devices ... 111

Checking SSM Agent status and starting the agent ... 111

Checking the SSM Agent version number ... 112

Viewing SSM Agent logs ... 116

Allowing SSM Agent debug logging ... 116

Restricting access to root-level commands through SSM Agent ... 118

Automating updates to SSM Agent ... 118

Automatically updating SSM Agent ... 119

Subscribing to SSM Agent notifications ... 120

SSM Agent communications with AWS managed S3 buckets ... 121

Required bucket permissions ... 121

Example ... 125

Troubleshooting SSM Agent ... 125

SSM Agent is out of date ... 126

View SSM Agent log files ... 126

Agent log files don't rotate (Windows) ... 126

Unable to connect to SSM endpoints ... 127

Quick Setup ... 128

What are the benefits of Quick Setup? ... 128

Who should use Quick Setup? ... 128

How to access Quick Setup ... 128

Getting started with Quick Setup ... 128

IAM roles and permissions ... 129

Configure the home AWS Region ... 130

Availability of Quick Setup in AWS Regions ... 131

Using Quick Setup ... 131

Configuration details ... 132

Editing and deleting your configuration ... 132

Configuration compliance ... 132

Troubleshooting Quick Setup results ... 133

Quick Setup Host Management ... 134

AWS Config recording ... 136

Deploy AWS Config conformance packs ... 137

Configure DevOps Guru with Quick Setup ... 137

Deploy Distributor packages with Quick Setup ... 139

Operations Management ... 140


Incident Manager ... 140

Explorer ... 140

What are the features of Explorer? ... 141

How does Explorer relate to OpsCenter? ... 142

What is OpsData? ... 142

Is there a charge to use Explorer? ... 143

Getting started ... 143

Using Explorer ... 154

Exporting OpsData ... 160

Troubleshooting ... 162

OpsCenter ... 163

OpsCenter integration ... 164

How can OpsCenter benefit my organization? ... 168

What are the features of OpsCenter? ... 169

How does OpsCenter work with Amazon EventBridge? Which service should I use? ... 170

Does OpsCenter integrate with my existing case management system? ... 171

Is there a charge to use OpsCenter? ... 171

Does OpsCenter work with my on-premises and hybrid managed nodes? ... 171

What are the quotas for OpsCenter? ... 171

Getting started with OpsCenter ... 172

Creating OpsItems ... 178

Working with OpsItems ... 192

Reducing duplicate OpsItems ... 197

Working with Incident Manager incidents ... 202

Remediating OpsItem issues ... 203

Viewing OpsCenter summary reports ... 207

Supported resources reference ... 207

Receiving Security Hub findings ... 210

Auditing and logging OpsCenter activity ... 212

CloudWatch dashboards ... 212

Trusted Advisor and PHD ... 213

Application Management ... 5

Application Manager ... 215

What are the benefits of using Application Manager? ... 216

What are the features of Application Manager? ... 216

Is there a charge to use Application Manager? ... 218

What are the resource quotas for Application Manager? ... 218

Getting started ... 218

Working with Application Manager ... 225

AWS AppConfig ... 240

Parameter Store ... 240

How can Parameter Store benefit my organization? ... 240

Who should use Parameter Store? ... 240

What are the features of Parameter Store? ... 241

What is a parameter? ... 242

Setting up Parameter Store ... 244

Working with Parameter Store ... 263

Parameter Store walkthroughs ... 326

Auditing and logging Parameter Store activity ... 334

Troubleshooting Parameter Store ... 334

Change Management ... 336

Change Manager ... 336

How Change Manager works ... 337

How can Change Manager benefit my operations? ... 337

Who should use Change Manager? ... 338

What are the main features of Change Manager? ... 338

Is there a charge to use Change Manager? ... 339


What are the primary components of Change Manager? ... 340

Setting up Change Manager ... 341

Working with Change Manager ... 350

Auditing and logging Change Manager activity ... 375

Troubleshooting Change Manager ... 376

Automation ... 376

How can Automation benefit my organization? ... 377

Who should use Automation? ... 378

What is an automation? ... 378

Setting up Automation ... 380

Working with automations ... 386

Automation actions reference ... 455

Working with runbooks ... 517

Automation runbook reference ... 583

Automation walkthroughs ... 583

Understanding automation statuses ... 669

Troubleshooting Systems Manager Automation ... 670

Change Calendar ... 674

Who should use Change Calendar? ... 674

Benefits of Change Calendar ... 674

Setting up Change Calendar ... 675

Working with Change Calendar ... 676

Adding Change Calendar dependencies to Automation runbooks ... 684

Troubleshooting Change Calendar ... 684

Maintenance Windows ... 685

Setting up Maintenance Windows ... 686

Working with maintenance windows (console) ... 703

Maintenance Windows tutorials (AWS CLI) ... 711

Maintenance window walkthroughs ... 756

Maintenance window scheduling and active period options ... 770

Registering maintenance window tasks without targets ... 774

Troubleshooting maintenance windows ... 775

Node Management ... 778

Fleet Manager ... 778

Who should use Fleet Manager? ... 778

How can Fleet Manager benefit my organization? ... 778

What are the features of Fleet Manager? ... 779

Getting started with Fleet Manager ... 779

Working with Fleet Manager ... 783

Compliance ... 816

Getting started with Compliance ... 817

Creating a resource data sync for Compliance ... 818

Working with Compliance ... 819

Deleting a resource data sync for Compliance ... 822

Remediating compliance issues using EventBridge ... 823

Compliance walkthrough (AWS CLI) ... 824

Inventory ... 828

Learn more about Inventory ... 831

Setting up Inventory ... 838

Configuring inventory collection ... 846

Working with inventory data ... 850

Working with custom inventory ... 865

Viewing inventory history and change tracking ... 875

Stopping data collection and deleting inventory data ... 876

Inventory walkthroughs ... 877

Troubleshooting Inventory ... 889

Hybrid Activations ... 892


Session Manager ... 892

How can Session Manager benefit my organization? ... 892

Who should use Session Manager? ... 894

What are the main features of Session Manager? ... 894

What is a session? ... 895

Setting up Session Manager ... 896

Working with Session Manager ... 944

Auditing session activity ... 957

Logging session activity ... 958

Session document schema ... 961

Troubleshooting Session Manager ... 967

Run Command ... 971

Setting up Run Command ... 972

Sending commands ... 975

Handling exit codes with scripts ... 991

Understanding command statuses ... 993

Run Command walkthroughs ... 999

Troubleshooting Run Command ... 1014

State Manager ... 1015

How can State Manager benefit my organization? ... 1015

What are the features of State Manager? ... 1015

What is an association? ... 1016

Getting started with State Manager ... 1016

About State Manager ... 1016

Working with associations ... 1018

State Manager walkthroughs ... 1044

Patch Manager ... 1071

Patch Manager prerequisites ... 1072

How it works ... 1074

About SSM documents for patching managed nodes ... 1101

About patch baselines ... 1134

Using Kernel Live Patching on Amazon Linux 2 managed nodes ... 1145

Working with Patch Manager (console) ... 1151

Working with Patch Manager (AWS CLI) ... 1187

Patch Manager walkthroughs ... 1211

Troubleshooting Patch Manager ... 1222

Distributor ... 1229

How can Distributor benefit my organization? ... 1230

Who should use Distributor? ... 1230

What are the features of Distributor? ... 1230

What is a package? ... 1231

Setting up Distributor ... 1232

Working with Distributor ... 1234

Auditing and logging Distributor activity ... 1261

Troubleshooting Distributor ... 1262

Shared Resources ... 1264

SSM documents ... 1264

How can SSM documents benefit my organization? ... 1264

Who should use SSM documents? ... 1265

What are the types of SSM documents? ... 1265

SSM document schema features and examples ... 1270

SSM document syntax ... 1285

Systems Manager Command document plugin reference ... 1291

Viewing SSM Command document content ... 1328

Creating SSM documents ... 1329

Deleting custom SSM documents ... 1337

Comparing SSM document versions ... 1338


Sharing SSM documents ... 1339

Searching for SSM documents ... 1348

Running Systems Manager Command documents from remote locations ... 1350

Security ... 1354

Data protection ... 1354

Data encryption ... 1355

Internetwork traffic privacy ... 1357

Identity and access management ... 1357

Audience ... 1357

Authenticating with identities ... 1358

Managing access using policies ... 1359

How AWS Systems Manager works with IAM ... 1361

Identity-based policy examples ... 1368

AWS managed policies ... 1375

Troubleshooting ... 1385

Using service-linked roles ... 1387

Inventory, Maintenance Windows, and Explorer data role ... 1387

Explorer account discovery role ... 1389

OpsData and OpsItems creation role ... 1392

Operational insights creation role ... 1395

Logging and monitoring ... 1398

Compliance validation ... 1400

Resilience ... 1400

Infrastructure security ... 1400

Configuration and vulnerability analysis ... 1401

Security best practices ... 1401

Systems Manager preventative security best practices ... 1401

Systems Manager monitoring and auditing best practices ... 1403

Monitoring ... 1405

Monitoring tools ... 1405

Sending node logs to CloudWatch Logs (CloudWatch agent) ... 1406

Migrate Windows Server node log collection to the CloudWatch agent ... 1407

Store CloudWatch agent configuration settings in Parameter Store ... 1413

Rolling back to log collection with SSM Agent ... 1413

Sending SSM Agent logs to CloudWatch Logs ... 1415

Monitoring Automation metrics using Amazon CloudWatch ... 1417

Automation metrics ... 1418

Monitoring Run Command metrics using Amazon CloudWatch ... 1418

Systems Manager Run Command metrics and dimensions ... 1419

Logging AWS Systems Manager API calls with AWS CloudTrail ... 1419

Systems Manager information in CloudTrail ... 1419

Understanding Systems Manager log file entries ... 1420

Logging Automation action output with CloudWatch Logs ... 1422

Configuring Amazon CloudWatch Logs for Run Command ... 1424

Specifying CloudWatch Logs when you send commands ... 1425

Viewing command output in CloudWatch Logs ... 1426

Monitoring with Amazon EventBridge ... 1426

Configuring EventBridge for Systems Manager events ... 1427

Amazon EventBridge event examples for Systems Manager ... 1429

Amazon EventBridge target examples for Systems Manager ... 1437

Monitoring Systems Manager status changes using Amazon SNS notifications ... 1438

Configure Amazon SNS notifications for AWS Systems Manager ... 1439

Example Amazon SNS notifications for AWS Systems Manager ... 1444

Use Run Command to send a command that returns status notifications ... 1445

Use a maintenance window to send a command that returns status notifications ... 1447

Product and service integrations ... 1451

Integration with AWS services ... 1451


Compute ... 1451

Internet of Things (IoT) ... 1452

Storage ... 1453

Developer Tools ... 1454

Security, Identity, and Compliance ... 1454

Cryptography and PKI ... 1455

Management and Governance ... 1456

Networking and Content Delivery ... 1459

Analytics ... 1460

Application Integration ... 1461

AWS Management Console ... 1461

Running scripts from Amazon S3 ... 1461

Referencing AWS Secrets Manager secrets from Parameter Store parameters ... 1469

Integration with other products and services ... 1473

Running scripts from GitHub ... 1474

Using Chef InSpec profiles with Systems Manager Compliance ... 1479

How it works ... 1480

Running an InSpec compliance scan ... 1480

Integration examples from the community ... 1483

Blog posts ... 1483

Tagging Systems Manager resources ... 1486

Taggable Systems Manager resources ... 1486

Tagging Systems Manager documents ... 1487

Creating documents with tags ... 1487

Adding tags to existing documents ... 1487

Removing tags from SSM documents ... 1489

Tagging maintenance windows ... 1491

Creating maintenance windows with tags ... 1491

Adding tags to existing maintenance windows ... 1492

Removing tags from maintenance windows ... 1494

Tagging managed nodes ... 1495

Creating or activating managed nodes with tags ... 1496

Adding tags to existing managed nodes ... 1496

Removing tags from managed nodes ... 1498

Tagging OpsItems ... 1500

Creating OpsItems with tags ... 1500

Adding tags to existing OpsItems ... 1500

Removing tags from Systems Manager OpsItems ... 1502

Tagging Systems Manager parameters ... 1503

Creating parameters with tags ... 1503

Adding tags to existing parameters ... 1504

Removing tags from SSM parameters ... 1505

Tagging patch baselines ... 1507

Creating patch baselines with tags ... 1507

Adding tags to existing patch baselines ... 1507

Removing tags from patch baselines ... 1509

AWS Systems Manager reference ... 1512

EventBridge event patterns and types for Systems Manager ... 1512

Event type: Automation ... 1513

Event type: Change Calendar ... 1514

Event type: Configuration Compliance ... 1514

Event type: Inventory ... 1514

Event type: State Manager ... 1515

Event type: Maintenance Window ... 1515

Event type: Parameter Store ... 1516

Event type: Run Command ... 1517

Cron and rate expressions ... 1518


General information about cron and rate expressions ... 1519

Cron and rate expressions for associations ... 1522

Cron and rate expressions for maintenance windows ... 1523

ec2messages, ssmmessages, and other API operations ... 1524

Creating formatted date and time strings for Systems Manager ... 1525

Formatting date and time strings for Systems Manager ... 1525

Creating custom date and time strings for Systems Manager ... 1525

Use cases and best practices ... 1528

Deleting Systems Manager resources and artifacts ... 1530

Choosing between State Manager and Maintenance Windows ... 1532

State Manager and Maintenance Windows: Key use cases ... 1532

Document history ... 1536

Updates prior to June 2018 ... 1607

Document conventions ... 1619

AWS glossary ... 1620


What is AWS Systems Manager?

AWS Systems Manager (formerly known as SSM (p. 2)) is an AWS service that you can use to view and control your infrastructure on AWS. Using the Systems Manager console, you can view operational data from multiple AWS services and automate operational tasks across your AWS resources. Systems Manager helps you maintain security and compliance by scanning your managed nodes and reporting on (or taking corrective action on) any policy violations it detects.

A managed node is any machine configured for Systems Manager. Systems Manager supports Amazon Elastic Compute Cloud (Amazon EC2) instances, edge devices, and on-premises servers and virtual machines (VMs), including VMs in other cloud environments. For operating systems, Systems Manager supports Windows Server, macOS, Raspberry Pi OS (formerly Raspbian), and multiple distributions of Linux.

With Systems Manager, you can associate AWS resources by assigning resource tags. You can then view operational data for these resources as a resource group. Resource groups help you monitor and troubleshoot your resources.

For example, you can assign a resource tag of "Operation=Standard OS Patching" to the following resources:

• A group of AWS IoT Greengrass core devices

• A group of Amazon EC2 instances

• A group of on-premises servers in your own facility

• A Systems Manager patch baseline that specifies which patches to apply to your managed instances

• An Amazon Simple Storage Service (Amazon S3) bucket to store patching operation log output

• A Systems Manager maintenance window that specifies the schedule for the patching operation

After tagging your resources, you can view the patch status of those resources in a Systems Manager consolidated dashboard. If a problem arises with any of the resources, you can take corrective action immediately.
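As an added example (not code from the AWS guide), the tagging step above carried out with the AWS CLI: each kind of resource in the list has its own tagging API, and a tag-based Resource Group then collects them for the consolidated view. The resource IDs are placeholders read from environment variables, and the Greengrass core devices and on-premises servers are assumed to be registered as managed nodes (mi-... IDs).

```shell
#!/bin/sh
# Added example, not part of the AWS User Guide. Tags the resources listed above with
# Operation=Standard OS Patching and builds a Resource Group from that tag.
# Resource IDs are placeholders read from environment variables (assumed names).
set -eu

TAG_KEY="Operation"
TAG_VALUE="Standard OS Patching"

# Tag query for AWS Resource Groups (query type TAG_FILTERS_1_0), as plain JSON.
# Pure function: no AWS call, so it can be checked offline.
patching_group_query() {
  printf '{"ResourceTypeFilters":["AWS::AllSupported"],"TagFilters":[{"Key":"%s","Values":["%s"]}]}' \
    "$TAG_KEY" "$TAG_VALUE"
}

# create-group expects the query embedded as a JSON *string*, so the inner
# double quotes must be escaped. Also a pure function.
patching_resource_query() {
  escaped=$(patching_group_query | sed 's/"/\\"/g')
  printf '{"Type":"TAG_FILTERS_1_0","Query":"%s"}' "$escaped"
}

# Apply the tag to every resource that takes part in the patching operation.
tag_patching_resources() {
  tag="Key=${TAG_KEY},Value=${TAG_VALUE}"

  # Amazon EC2 instances (space-separated i-... IDs)
  aws ec2 create-tags --resources ${EC2_INSTANCE_IDS:?} --tags "$tag"

  # On-premises servers and Greengrass core devices appear as managed nodes
  # (mi-... IDs) and are tagged through Systems Manager itself.
  for node in ${MANAGED_NODE_IDS:?}; do
    aws ssm add-tags-to-resource --resource-type ManagedInstance \
      --resource-id "$node" --tags "$tag"
  done

  # The patch baseline and maintenance window are Systems Manager resources too.
  aws ssm add-tags-to-resource --resource-type PatchBaseline \
    --resource-id "${PATCH_BASELINE_ID:?}" --tags "$tag"
  aws ssm add-tags-to-resource --resource-type MaintenanceWindow \
    --resource-id "${MAINTENANCE_WINDOW_ID:?}" --tags "$tag"

  # S3 log bucket: put-bucket-tagging replaces the bucket's whole tag set,
  # so merge with any existing bucket tags before running this on a shared bucket.
  aws s3api put-bucket-tagging --bucket "${LOG_BUCKET:?}" \
    --tagging "TagSet=[{Key=${TAG_KEY},Value=${TAG_VALUE}}]"
}

# Create the group; the console and CLI then show these resources together.
create_patching_group() {
  aws resource-groups create-group --name standard-os-patching \
    --resource-query "$(patching_resource_query)"
}

# Only touch AWS when explicitly asked, so the file can be sourced or checked offline.
if [ "${1:-}" = "--apply" ]; then
  tag_patching_resources
  create_patching_group
fi
```

Export the ID variables and run the script with `--apply`; the two query functions need no AWS credentials and can be inspected first.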

Capabilities in Systems Manager

Systems Manager consists of individual capabilities (p. 4), which are grouped into five categories: Operations Management, Application Management, Change Management, Node Management, and Shared Resources.

This collection of capabilities is a powerful set of tools and features that you can use to perform many operational tasks. For example:

• Group AWS resources together by any purpose or activity you choose, such as application, environment, Region, project, campaign, business unit, or software lifecycle.

• Centrally define the configuration options and policies for your managed nodes.

• Centrally view, investigate, and resolve operational work items related to AWS resources.

• Automate or schedule a variety of maintenance and deployment tasks.

• Use and create runbook-style SSM documents that define the actions to perform on your managed instances.

• Run a command, with rate and error controls, that targets an entire fleet of managed nodes.


• Securely connect to a managed node without having to open an inbound port or manage SSH keys.

• Separate your secrets and configuration data from your code by using parameters, with or without encryption, and then reference those parameters from other AWS services.

• Perform automated inventory by collecting metadata about your managed nodes. Metadata can include information about applications, network configurations, and more.

• View consolidated inventory metadata from multiple AWS Regions and AWS accounts that you manage.

• See which resources in your account are out of compliance and take corrective action from a centralized dashboard.

• View active summaries of metrics and alarms for your AWS resources.

Systems Manager simplifies resource and application management, shortens the time to detect and resolve operational problems, and helps you operate and manage your AWS infrastructure securely at scale.

Note

AWS Systems Manager was formerly known as Amazon Simple Systems Manager (SSM) and Amazon EC2 Systems Manager (SSM). For more information, see Systems Manager service name history (p. 2).

What is AWS Systems Manager? (Video)

View more Amazon Web Services videos on the Amazon Web Services YouTube Channel.

Systems Manager supported AWS Regions

Systems Manager is available in the AWS Regions listed in Systems Manager service endpoints in the Amazon Web Services General Reference. Before starting your Systems Manager configuration process, we recommend that you verify the service is available in each of the AWS Regions you want to use it in.

For on-premises servers and VMs in your hybrid environment, we recommend that you choose the Region closest to your data center or computing environment.

Systems Manager pricing

Some Systems Manager capabilities charge a fee. For more information, see AWS Systems Manager Pricing.

Systems Manager service name history

Systems Manager was formerly known as "Amazon Simple Systems Manager (SSM)" and "Amazon EC2 Systems Manager (SSM)". The original abbreviated name of the service, "SSM", is still reflected in various AWS resources, including a few other service consoles. Some examples:

• Systems Manager Agent: SSM Agent

• Systems Manager parameters: SSM parameters

• Systems Manager service endpoints: ssm.region.amazonaws.com

• AWS CloudFormation resource types: AWS::SSM::Document

• AWS Config rule identifier: EC2_INSTANCE_MANAGED_BY_SSM

• AWS Command Line Interface (AWS CLI) commands: aws ssm describe-patch-baselines

• AWS Identity and Access Management (IAM) managed policy names: AmazonSSMReadOnlyAccess

• Systems Manager resource ARNs: arn:aws:ssm:region:account-id:patchbaseline/pb-07d8884178EXAMPLE


Related API references

AWS Systems Manager API Reference – Provides descriptions, syntax, and usage examples for each of the Systems Manager actions and data types.

AWS AppConfig API Reference – Provides descriptions, syntax, and usage examples for each of the AWS AppConfig actions and data types.

Related content

The following resources can help you work directly with Systems Manager.

• AWS Blog & Podcast – Read blog posts about Systems Manager in the AWS Management Tools Category, and other posts tagged with #Systems Manager.

• Systems Manager issues in AWS re:Post – Follow announcements, or post or answer a question in the re:Post Community.

• AWS Systems Manager section of the AWS CLI Command Reference – Manage Systems Manager from a command line tool. Available to use on Windows, Mac, and Linux/UNIX systems.

• AWS Systems Manager section of the AWS Tools for PowerShell Cmdlet Reference – Manage Systems Manager with the same PowerShell tools that you use to manage your Windows, Linux, or Mac environments.

• Systems Manager service quotas in the Amazon Web Services General Reference – Provides the default quotas for Systems Manager for an AWS account. Unless otherwise noted, each quota is Region-specific.

• AWS Systems Manager Service Level Agreement – The Systems Manager Service Level Agreement (SLA) is a policy governing the use of Systems Manager and applies separately to each AWS account using Systems Manager.

The following related resources can help you as you work with this service.

• Classes & Workshops – Links to role-based and specialty courses, in addition to self-paced labs to help sharpen your AWS skills and gain practical experience.

• AWS Developer Tools – Links to developer tools, SDKs, IDE toolkits, and command line tools for developing and managing AWS applications.

• AWS Whitepapers – Links to a comprehensive list of technical AWS whitepapers, covering topics such as architecture, security, and economics and authored by AWS Solutions Architects or other technical experts.

• AWS Support Center – The hub for creating and managing your AWS Support cases. Also includes links to other helpful resources, such as forums, technical FAQs, service health status, and AWS Trusted Advisor.

• AWS Support – The primary webpage for information about AWS Support, a one-on-one, fast-response support channel to help you build and run applications in the cloud.

• Contact Us – A central contact point for inquiries concerning AWS billing, account, events, abuse, and other issues.

• AWS Site Terms – Detailed information about our copyright and trademark; your account, license, and site access; and other topics.

Learn more about Systems Manager

• Systems Manager capabilities (p. 4)

• How Systems Manager works (p. 8)

• About SSM Agent (p. 9)

• Supported operating systems (p. 11)

• Accessing Systems Manager (p. 14)

• Systems Manager prerequisites (p. 15)


Capabilities

Systems Manager capabilities

Systems Manager groups capabilities into the following capability types:

Topics

• Quick Setup (p. 4)

• Operations Management (p. 4)

• Application Management (p. 5)

• Change Management (p. 6)

• Node Management (p. 6)

• Shared Resources (p. 8)

Quick Setup

Use Quick Setup (p. 128) to configure frequently used AWS services and features with recommended best practices. You can use Quick Setup in an individual AWS account or across multiple AWS accounts and AWS Regions by integrating with AWS Organizations. Quick Setup simplifies setting up services, including Systems Manager, by automating common or recommended tasks. These tasks include, for example, creating required AWS Identity and Access Management (IAM) instance profile roles and setting up operational best practices, such as periodic patch scans and inventory collection.

Operations Management

Operations Management is a suite of capabilities that help you manage your AWS resources.

Incident Manager

Incident Manager (p. 140) is an incident management console that helps users mitigate and recover from incidents affecting their AWS-hosted applications.

Incident Manager speeds up incident resolution by notifying responders of impact, highlighting relevant troubleshooting data, and providing collaboration tools to get services back up and running. Incident Manager also automates response plans and allows responder team escalation.

Explorer

Explorer (p. 140) is a customizable operations dashboard that reports information about your AWS resources. Explorer displays an aggregated view of operations data (OpsData) for your AWS accounts and across AWS Regions. In Explorer, OpsData includes metadata about your Amazon EC2 instances, patch compliance details, and operational work items (OpsItems). Explorer provides context about how OpsItems are distributed across your business units or applications, how they trend over time, and how they vary by category. You can group and filter information in Explorer to focus on items that are relevant to you and that require action. When you identify high priority issues, you can use OpsCenter, a capability of AWS Systems Manager, to run Automation runbooks and resolve those issues.

OpsCenter

OpsCenter (p. 163) provides a central location where operations engineers and IT professionals can view, investigate, and resolve operational work items (OpsItems) related to AWS resources.

OpsCenter is designed to reduce mean time to resolution for issues impacting AWS resources. This Systems Manager capability aggregates and standardizes OpsItems across services while providing contextual investigation data about each OpsItem, related OpsItems, and related resources.

OpsCenter also provides Systems Manager Automation runbooks that you can use to resolve issues. You can specify searchable, custom data for each OpsItem. You can also view automatically generated summary reports about OpsItems by status and source.

CloudWatch Dashboards

Amazon CloudWatch Dashboards are customizable pages in the CloudWatch console that you can use to monitor your resources in a single view, even those resources that are spread across different AWS Regions. You can use CloudWatch dashboards to create customized views of the metrics and alarms for your AWS resources.

Trusted Advisor & AWS Health Dashboard (PHD)

Systems Manager hosts two online tools to help you provision your resources and monitor your account for health events. Trusted Advisor is an online tool that provides you with real-time guidance to help you provision your resources following AWS best practices. For more information, see Trusted Advisor.

The AWS Health Dashboard provides information about AWS Health events that can affect your account. The information is presented in two ways: a dashboard that shows recent and upcoming events organized by category, and a full event log that shows all events from the past 90 days. For more information, see Getting Started with the AWS Health Dashboard.

Application Management

Application Management is a suite of capabilities that help you manage your applications running in AWS.

Application Manager

Application Manager (p. 215) helps you investigate and remediate issues with your AWS resources in the context of your applications. Application Manager aggregates operations information from multiple AWS services and Systems Manager capabilities to a single AWS Management Console.

Resource Groups

AWS Resource Groups: An AWS resource is an entity you can work with in AWS, such as SSM documents, patch baselines, maintenance windows, parameters, and managed instances; an Amazon Elastic Compute Cloud (Amazon EC2) instance; an Amazon Elastic Block Store (Amazon EBS) volume; a security group; or an Amazon Virtual Private Cloud (VPC). A resource group is a collection of AWS resources that are all in the same AWS Region, and that match criteria provided in a query. You build queries in the Resource Groups console, or pass them as arguments to AWS Resource Groups commands in the AWS CLI. With Resource Groups, you can create a custom console that organizes and consolidates information based on criteria that you specify in tags. You can also use groups as the basis for viewing monitoring and configuration insights in Systems Manager.

AppConfig

AppConfig (p. 240) helps you create, manage, and deploy application configurations. AppConfig supports controlled deployments to applications of any size. You can use AppConfig with applications hosted on Amazon EC2 instances, AWS Lambda containers, mobile applications, or edge devices. To prevent errors when deploying application configurations, AppConfig includes validators.

A validator provides a syntactic or semantic check to verify that the configuration you want to deploy works as intended. During a configuration deployment, AppConfig monitors the application to verify that the deployment is successful. If the system encounters an error or if the deployment invokes an alarm, AppConfig rolls back the change to minimize impact for your application users.

Parameter Store

Parameter Store (p. 240) provides secure, hierarchical storage for configuration data and secrets management. You can store data such as passwords, database strings, Amazon Elastic Compute Cloud (Amazon EC2) instance IDs and Amazon Machine Image (AMI) IDs, and license codes as parameter values. You can store values as plain text or encrypted data. You can then reference values by using the unique name you specified when you created the parameter.

Change Management

Systems Manager provides the following capabilities for taking action on or changing your AWS resources.

Change Manager

Change Manager (p. 336) is an enterprise change management framework for requesting, approving, implementing, and reporting on operational changes to your application configuration and infrastructure. From a single delegated administrator account, if you use AWS Organizations, you can manage changes across multiple AWS accounts in multiple AWS Regions. Alternatively, using a local account, you can manage changes for a single AWS account. Use Change Manager for managing changes to both AWS resources and on-premises resources.

Automation

Use Automation (p. 376) to automate common maintenance and deployment tasks. You can use Automation to create and update Amazon Machine Images (AMIs), apply driver and agent updates, reset passwords on Windows Server instances, reset SSH keys on Linux instances, and apply OS patches or application updates.

Change Calendar

Change Calendar (p. 674) helps you set up date and time ranges when actions you specify (for example, in Systems Manager Automation (p. 376) runbooks) can or can't be performed in your AWS account. In Change Calendar, these ranges are called events. When you create a Change Calendar entry, you're creating a Systems Manager document (p. 1264) of the type ChangeCalendar. In Change Calendar, the document stores iCalendar 2.0 data in plaintext format.

Events that you add to the Change Calendar entry become part of the document. You can add events manually in the Change Calendar interface or import events from a supported third-party calendar using an .ics file.
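The following is an added example, not code from this guide or from the Systems Manager service, that shows what the iCalendar data behind a calendar entry looks like and how a date/time range decides whether an action is allowed. It parses a constructed .ics body (UTC timestamps only, no folded lines) and reports an OPEN or CLOSED state for a given instant. The default-open-or-closed semantics and the function names are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Constructed sample: a minimal iCalendar 2.0 body with two events, the kind
# of content an imported .ics file would contribute to a calendar entry.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//example//constructed-sample//EN
BEGIN:VEVENT
UID:freeze-1@example.invalid
SUMMARY:Quarter-end change freeze
DTSTART:20220328T000000Z
DTEND:20220401T000000Z
END:VEVENT
BEGIN:VEVENT
UID:patch-1@example.invalid
SUMMARY:Monthly patch window
DTSTART:20220410T020000Z
DTEND:20220410T060000Z
END:VEVENT
END:VCALENDAR
"""


def parse_utc_stamp(stamp):
    """Parse the basic UTC form YYYYMMDDTHHMMSSZ. Other forms (TZID, date-only)
    are out of scope here and raise ValueError rather than being guessed."""
    return datetime.strptime(stamp, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_events(ics_text):
    """Return a list of (summary, start, end) for every VEVENT in the text.
    Folded continuation lines (RFC 5545 section 3.1) are not unfolded here."""
    events = []
    current = None
    for raw in ics_text.splitlines():
        line = raw.strip()
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT":
            if current is not None:
                events.append((current.get("SUMMARY", ""), current["DTSTART"], current["DTEND"]))
            current = None
        elif current is not None and ":" in line:
            prop, _, value = line.partition(":")
            prop = prop.split(";", 1)[0]  # discard property parameters such as ;TZID=...
            if prop in ("DTSTART", "DTEND"):
                current[prop] = parse_utc_stamp(value)
            elif prop == "SUMMARY":
                current[prop] = value
    return events


def calendar_state(events, at_stamp, default_open=True):
    """Return "OPEN" or "CLOSED" for the instant at_stamp (UTC basic form).

    Assumed semantics: the calendar sits in its default state, and an event
    flips it to the opposite state for the half-open range [DTSTART, DTEND)."""
    at = parse_utc_stamp(at_stamp)
    inside_event = any(start <= at < end for _, start, end in events)
    if inside_event:
        return "CLOSED" if default_open else "OPEN"
    return "OPEN" if default_open else "CLOSED"


def blocking_events(events, at_stamp):
    """Summaries of the events covering at_stamp, useful when explaining why
    an automated step was held back at that time."""
    at = parse_utc_stamp(at_stamp)
    return [summary for summary, start, end in events if start <= at < end]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_ICS)
    for stamp in ("20220330T120000Z", "20220405T120000Z"):
        print(stamp, calendar_state(evs, stamp), blocking_events(evs, stamp))
```

With a default-open calendar the freeze event closes the calendar for its whole range; with a default-closed calendar the same kind of event is the only time the calendar is open, which is how a patch window would be expressed.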

Maintenance Windows

Use Maintenance Windows (p. 685) to set up recurring schedules for managed instances to run administrative tasks such as installing patches and updates without interrupting business-critical operations.

Node Management

Compliance

Use Compliance (p. 816) to scan your fleet of managed nodes for patch compliance and configuration inconsistencies. You can collect and aggregate data from multiple AWS accounts and AWS Regions, and then drill down into specific resources that aren’t compliant. By default, Compliance displays compliance data about Patch Manager patching and State Manager associations. You can also customize the service and create your own compliance types based on your IT or business requirements.

Fleet Manager

Fleet Manager (p. 778) is a unified user interface (UI) experience that helps you remotely manage your nodes. With Fleet Manager, you can view the health and performance status of your entire fleet from one console. You can also gather data from individual devices and instances to perform common troubleshooting and management tasks from the console. This includes viewing directory and file contents, Windows registry management, operating system user management, and more.

Inventory

Inventory (p. 828) automates the process of collecting software inventory from your managed nodes. You can use Inventory to gather metadata about applications, files, components, patches, and more.

Session Manager

Use Session Manager (p. 892) to manage your edge devices and Amazon Elastic Compute Cloud (Amazon EC2) instances through an interactive one-click browser-based shell or through the AWS CLI. Session Manager provides secure and auditable edge device and instance management without needing to open inbound ports, maintain bastion hosts, or manage SSH keys. Session Manager also allows you to comply with corporate policies that require controlled access to edge devices and instances, strict security practices, and fully auditable logs with edge device and instance access details, while still providing end users with simple one-click cross-platform access to your edge devices and EC2 instances. To use Session Manager, you must enable the advanced-instances tier. For more information, see Turning on the advanced-instances tier (p. 785).

Run Command

Use Run Command (p. 971) to remotely and securely manage the configuration of your managed nodes at scale. Use Run Command to perform on-demand changes such as updating applications or running Linux shell scripts and Windows PowerShell commands on a target set of dozens or hundreds of managed nodes.

State Manager

Use State Manager (p. 1015) to automate the process of keeping your managed nodes in a defined state. You can use State Manager to guarantee that your managed nodes are bootstrapped with specific software at startup, joined to a Windows domain (Windows Server nodes only), or patched with specific software updates.

Patch Manager

Use Patch Manager (p. 1071) to automate the process of patching your managed nodes with both security related and other types of updates. You can use Patch Manager to apply patches for both operating systems and applications. (On Windows Server, application support is limited to updates for applications released by Microsoft.)

This capability allows you to scan managed nodes for missing patches and apply missing patches individually or to large groups of managed nodes by using tags. Patch Manager uses patch baselines, which can include rules for auto-approving patches within days of their release, and a list of approved and rejected patches. You can install security patches on a regular basis by scheduling patching to run as a Systems Manager maintenance window task, or you can patch your managed nodes on demand at any time.

For Linux operating systems, you can define the repositories that should be used for patching operations as part of your patch baseline. This allows you to ensure that updates are installed only from trusted repositories regardless of what repositories are configured on the managed node. For Linux, you also have the ability to update any package on the managed node, not just those that are classified as operating system security updates. You can also generate patch reports that are sent to an S3 bucket of your choice. For a single managed node, reports include details of all patches for the machine. For a report on all managed nodes, only a summary of how many patches are missing is provided. To use Patch Manager, you must enable the advanced-instances tier. For more information, see Turning on the advanced-instances tier (p. 785).
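The following is an added example, not code from this guide or from Patch Manager, that models the baseline logic described above: auto-approval rules keyed on classification and severity with an approve-after-days delay, an explicit approved list, an explicit rejected list, a per-node list of missing patches, and a fleet-level report that carries only counts. The baseline and patch metadata are constructed, the field names are illustrative rather than the Patch Manager API schema, and the precedence between the lists and the rules is an assumption.

```python
from datetime import date, timedelta

# Constructed sample baseline. Field names are illustrative, not the
# Patch Manager API schema.
SAMPLE_BASELINE = {
    "approval_rules": [
        # Critical and Important security patches are approved 7 days after release.
        {"classifications": {"Security"}, "severities": {"Critical", "Important"}, "approve_after_days": 7},
        # Bug fixes of any severity wait 30 days.
        {"classifications": {"Bugfix"}, "severities": None, "approve_after_days": 30},
    ],
    "approved_patches": {"PATCH-EXAMPLE-100"},  # always approved, regardless of rules
    "rejected_patches": {"PATCH-EXAMPLE-200"},  # never approved, regardless of rules
}

# Constructed patch metadata as a repository might publish it.
SAMPLE_PATCHES = [
    {"id": "PATCH-EXAMPLE-001", "classification": "Security", "severity": "Critical", "release_date": date(2022, 3, 1)},
    {"id": "PATCH-EXAMPLE-002", "classification": "Security", "severity": "Critical", "release_date": date(2022, 3, 10)},
    {"id": "PATCH-EXAMPLE-003", "classification": "Bugfix", "severity": "Low", "release_date": date(2022, 2, 1)},
    {"id": "PATCH-EXAMPLE-004", "classification": "Enhancement", "severity": "Low", "release_date": date(2022, 1, 1)},
    {"id": "PATCH-EXAMPLE-100", "classification": "Enhancement", "severity": "Low", "release_date": date(2022, 3, 11)},
    {"id": "PATCH-EXAMPLE-200", "classification": "Security", "severity": "Critical", "release_date": date(2022, 1, 1)},
]

# The evaluation date used by the examples below (constructed).
SAMPLE_TODAY = date(2022, 3, 12)


def rule_matches(rule, patch, today):
    """A rule matches when the classification (and severity, if the rule
    filters on it) match and the approval delay has elapsed since release."""
    if patch["classification"] not in rule["classifications"]:
        return False
    if rule["severities"] is not None and patch["severity"] not in rule["severities"]:
        return False
    return patch["release_date"] + timedelta(days=rule["approve_after_days"]) <= today


def is_approved(patch, baseline, today):
    """Assumed precedence: explicit rejection wins, then explicit approval,
    then the auto-approval rules."""
    if patch["id"] in baseline["rejected_patches"]:
        return False
    if patch["id"] in baseline["approved_patches"]:
        return True
    return any(rule_matches(rule, patch, today) for rule in baseline["approval_rules"])


def approved_patch_ids(patches, baseline, today):
    """Sorted IDs of every patch the baseline approves as of today."""
    return sorted(p["id"] for p in patches if is_approved(p, baseline, today))


def missing_patches(installed_ids, patches, baseline, today):
    """Per-node detail: approved patches that the node does not have installed."""
    return sorted(set(approved_patch_ids(patches, baseline, today)) - set(installed_ids))


def fleet_missing_summary(fleet_installed, patches, baseline, today):
    """Fleet-level view: node name -> number of missing patches. Like the
    multi-node report described above, this carries counts, not details."""
    return {node: len(missing_patches(ids, patches, baseline, today))
            for node, ids in fleet_installed.items()}


if __name__ == "__main__":
    fleet = {"node-a": ["PATCH-EXAMPLE-001"], "node-b": ["PATCH-EXAMPLE-001", "PATCH-EXAMPLE-003", "PATCH-EXAMPLE-100"]}
    print(approved_patch_ids(SAMPLE_PATCHES, SAMPLE_BASELINE, SAMPLE_TODAY))
    print(fleet_missing_summary(fleet, SAMPLE_PATCHES, SAMPLE_BASELINE, SAMPLE_TODAY))
```

The delay rule is what makes the release date matter: on the sample evaluation date the security patch released on 1 March is approved, while the one released on 10 March is still waiting out its seven days.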

Distributor

Use Distributor (p. 1229) to create and deploy packages to managed nodes. With Distributor, you can package your own software—or find AWS-provided agent software packages, such as AmazonCloudWatchAgent—to install on Systems Manager managed nodes. After you install a package for the first time, you can use Distributor to uninstall and reinstall a new package version, or perform an in-place update that adds new or changed files. Distributor publishes resources, such as software packages, to Systems Manager managed nodes.

Hybrid Activations

To set up servers and VMs in your hybrid environment as managed instances, create a managed instance activation (p. 36). After you complete the activation, you receive an activation code and ID. This code and ID combination functions like an Amazon Elastic Compute Cloud (Amazon EC2) access ID and secret key to provide secure access to the Systems Manager service from your managed instances.

You can also create an activation for edge devices if you want to manage them by using Systems Manager.

Shared Resources

Systems Manager uses the following shared resources for managing and configuring your AWS resources.

Documents

A Systems Manager document (p. 1264) (SSM document) defines the actions that Systems Manager performs. SSM document types include Command documents, which are used by State Manager and Run Command, and Automation runbooks, which are used by Systems Manager Automation.

Systems Manager includes dozens of pre-configured documents that you can use by specifying parameters at runtime. Documents can be expressed in JSON or YAML, and include steps and parameters that you specify.
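The following is an added example, not code from this guide or from Systems Manager, that shows the shape of a Command document expressed in JSON (schemaVersion 2.2, a parameters block, and mainSteps with an action and inputs) next to a small structural check of the kind a document author would run before creating it. The check confirms that every {{ name }} placeholder in a step's inputs is a declared parameter and that a parameter interpolated into a script step carries an allowedPattern or allowedValues constraint, so that the value cannot be shaped into something other than the intended argument. The document content, the weak variant without a constraint, and the lint rules are constructed for illustration; they are a small subset of what the service validates.

```python
import json
import re


def build_document(constrain_parameter=True):
    """Return a constructed Command document as JSON text. With
    constrain_parameter=False the parameter has no allowedPattern, which is
    the weak form the lint below flags."""
    service_param = {
        "type": "String",
        "description": "systemd unit to inspect.",
        "default": "amazon-ssm-agent",
    }
    if constrain_parameter:
        # Only plain unit names may be interpolated into the shell line below.
        service_param["allowedPattern"] = "^[A-Za-z0-9_.@-]+$"
    return json.dumps({
        "schemaVersion": "2.2",
        "description": "Constructed example: report the kernel version and a service state.",
        "parameters": {"serviceName": service_param},
        "mainSteps": [{
            "action": "aws:runShellScript",
            "name": "inspectHost",
            "inputs": {"runCommand": ["uname -r", "systemctl is-active {{ serviceName }}"]},
        }],
    }, indent=2)


SAMPLE_DOCUMENT = build_document(True)   # hardened: parameter is constrained
WEAK_DOCUMENT = build_document(False)    # weak: same script, unconstrained parameter

# {{ name }} placeholders are how a step refers to a declared parameter.
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_]+)\s*\}\}")
# Step actions whose inputs are executed as a script on the node.
SCRIPT_ACTIONS = {"aws:runShellScript", "aws:runPowerShellScript"}


def lint_command_document(text):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    doc = json.loads(text)

    if doc.get("schemaVersion") != "2.2":
        problems.append("schemaVersion must be '2.2' for a Command document")

    params = doc.get("parameters", {})
    for name, spec in params.items():
        if "type" not in spec:
            problems.append(f"parameter {name!r} has no type")

    steps = doc.get("mainSteps", [])
    if not steps:
        problems.append("mainSteps is empty")

    names_seen = set()
    referenced = set()
    for index, step in enumerate(steps):
        for key in ("action", "name", "inputs"):
            if key not in step:
                problems.append(f"step {index} is missing {key!r}")
        name = step.get("name")
        if name in names_seen:
            problems.append(f"duplicate step name {name!r}")
        names_seen.add(name)

        refs = set(PLACEHOLDER.findall(json.dumps(step.get("inputs", {}))))
        referenced |= refs
        if step.get("action") in SCRIPT_ACTIONS:
            # A value spliced into a script line should be constrained at declaration.
            for ref in sorted(refs & set(params)):
                if "allowedPattern" not in params[ref] and "allowedValues" not in params[ref]:
                    problems.append(f"parameter {ref!r} is interpolated into a script in step "
                                    f"{name!r} but has no allowedPattern or allowedValues")

    for ref in sorted(referenced - set(params)):
        problems.append(f"step input references undeclared parameter {ref!r}")
    for unused in sorted(set(params) - referenced):
        problems.append(f"parameter {unused!r} is declared but never referenced")
    return problems


if __name__ == "__main__":
    print("hardened:", lint_command_document(SAMPLE_DOCUMENT))
    print("weak:", lint_command_document(WEAK_DOCUMENT))
```

The same document can be written in YAML; the structural checks do not change, only the loader does.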

How Systems Manager works

AWS Systems Manager helps you manage, access, and troubleshoot AWS resources, including Amazon Elastic Compute Cloud (Amazon EC2) instances, edge devices, and on-premises servers and virtual machines (VMs) in a hybrid environment. The following diagram describes how Systems Manager capabilities, such as Session Manager and Patch Manager, perform actions on your resources. Each enumerated interaction is described after the diagram.

Diagram 1: General example of Systems Manager process flow

1. Access Systems Manager – You can access Systems Manager in the AWS Management Console. If you prefer to manage resources programmatically, you can use the AWS Command Line Interface, AWS Tools for Windows PowerShell, or the AWS SDK.

2. Choose a Systems Manager capability – Do you need to apply operating system patches to a fleet of Linux or Windows Server managed nodes? Do you want to connect to an Amazon EC2 instance using a secure, interactive, browser-based shell? Systems Manager consists of more than two dozen capabilities to help you perform actions on your resources. The diagram shows only a few of the capabilities that administrators use to configure and manage their resources.

3. Verification and processing – Systems Manager verifies that your AWS Identity and Access Management (IAM) user, group, or role has permission to perform the actions you specified on the designated resources. After successfully verifying your permissions, the system sends your request to the AWS Systems Manager agent (SSM Agent) running on your managed nodes. SSM Agent performs the specified configuration changes or actions.

4. Reporting – SSM Agent reports the status of the configuration changes and actions to Systems Manager in the AWS Cloud, Systems Manager operations management capabilities, and various AWS services, if configured.

5. Systems Manager operations management capabilities – If enabled, Systems Manager operations management capabilities such as Explorer, OpsCenter, and Incident Manager aggregate operations data or create artifacts such as operational work items (OpsItems) and incidents in response to events or errors with your resources. You can use these capabilities to help you investigate and troubleshoot problems.

About SSM Agent

AWS Systems Manager Agent (SSM Agent) is Amazon software that runs on Amazon Elastic Compute Cloud (Amazon EC2) instances, edge devices, and on-premises servers and virtual machines (VMs). SSM Agent makes it possible for Systems Manager to update, manage, and configure these resources. The agent processes requests from the Systems Manager service in the AWS Cloud, and then runs them as specified in the request. SSM Agent then sends status and execution information back to the Systems Manager service by using the Amazon Message Delivery Service (service prefix: ec2messages).

SSM Agent must be installed on each instance you want to use with AWS Systems Manager. By default, SSM Agent is preinstalled on instances created from the following Amazon Machine Images (AMIs):

• Amazon Linux

• Amazon Linux 2

• Amazon Linux 2 ECS-Optimized Base AMIs

• macOS 10.14.x (Mojave), 10.15.x (Catalina), and 11.x (Big Sur)

• SUSE Linux Enterprise Server (SLES) 12 and 15

• Ubuntu Server 16.04, 18.04, and 20.04

• Windows Server 2008-2012 R2 AMIs published in November 2016 or later

• Windows Server 2016, 2019, and 2022

On other AMIs; AWS IoT Greengrass core devices; and on-premises servers, edge devices, and virtual machines in your hybrid environment, you must install the agent manually, as described in the following list.

Important

An updated version of SSM Agent is released whenever new capabilities are added to Systems Manager or updates are made to existing capabilities. If an older version of the agent is running on a managed node, some SSM Agent processes can fail. For that reason, we recommend that you automate the process of keeping SSM Agent up-to-date on your machines. For information, see Automating updates to SSM Agent (p. 118). Subscribe to the SSM Agent Release Notes page on GitHub to get notifications about SSM Agent updates.

SSM Agent installation by operating system type

• Linux: SSM Agent is installed by default on Amazon Linux, Amazon Linux 2, SUSE Linux Enterprise Server (SLES) 12 and 15, Ubuntu Server 16.04, 18.04 LTS, and 20.04 base Amazon EC2 AMIs. You must manually install SSM Agent on other versions of Amazon EC2 for Linux, including non-base images. For more information, see Installing and configuring SSM Agent on EC2 instances for Linux (p. 75).

• macOS: SSM Agent is installed by default on macOS 10.14.6 (Mojave), 10.15.7 (Catalina), and 11.x (Big Sur) AMIs for Amazon EC2. For more information, see Installing and configuring SSM Agent on EC2 instances for macOS (p. 104).

• Windows: Windows AMIs published before November 2016 use the EC2Config service to process requests and configure instances. Unless you have a specific reason for using the EC2Config service or an earlier version of SSM Agent to process Systems Manager requests, we recommend that you download and install the latest version of SSM Agent to each of your EC2 instances and managed instances in your hybrid environment. For more information, see Installing and configuring SSM Agent on EC2 instances for Windows Server (p. 106).

• Edge devices: Systems Manager supports the following types of edge devices: AWS IoT Greengrass core devices, AWS IoT devices, and non-AWS IoT devices. Setup requirements differ based on the type of edge device. For more information, see Setting up AWS Systems Manager for edge devices (p. 54).

• On-premises servers and VMs: You must manually install SSM Agent on on-premises servers and virtual machines (VMs) in your hybrid environment. The SSM Agent download and installation process for these machines is different than the process used for Amazon EC2 instances. For more information, see Install SSM Agent for a hybrid environment (Windows) (p. 51) and Install SSM Agent for a hybrid environment (Linux) (p. 46).

Supported operating systems

To work with AWS Systems Manager, your Amazon Elastic Compute Cloud (Amazon EC2) instances and on-premises servers and virtual machines (VMs) must be running one of the following operating systems.

Note

If you plan to manage and configure AWS IoT Greengrass core devices by using Systems Manager, those devices must meet the requirements for AWS IoT Greengrass. For more information, see Setting up AWS IoT Greengrass core devices in the AWS IoT Greengrass Version 2 Developer Guide.

If you plan to manage and configure AWS IoT and non-AWS edge devices, those devices must meet the requirements listed here and be configured as on-premises managed nodes for Systems Manager. For more information, see Setting up AWS Systems Manager for edge devices (p. 54).

Operating system types

• Linux (p. 11)

• macOS (p. 13)

• Raspberry Pi OS (formerly Raspbian) (p. 14)

• Windows Server (p. 14)

Linux

Amazon Linux

Versions             Intel 32-bit (x86)   Intel 64-bit (x86_64)   ARM 64-bit (arm64)
2012.03 – 2018.03    ✓                    ✓                       -

Note

Beginning with version 2015.03, Amazon Linux is released in Intel 64-bit (x86_64) versions.

Amazon Linux 2

Versions                     Intel 32-bit (x86)   Intel 64-bit (x86_64)   ARM 64-bit (arm64)
2.0 and all later versions   -                    ✓                       ✓

CentOS

Versions                     Intel 32-bit (x86)   Intel 64-bit (x86_64)   ARM 64-bit (arm64)
6.x¹                         ✓                    ✓                       -
7.1 and later 7.x versions   -                    ✓                       ✓
8.0-8.5                      -                    ✓                       ✓

¹ SSM Agent no longer officially supports these versions and no longer updates the agent for these versions of CentOS. SSM Agent version 3.0.1390.0 and earlier is supported for CentOS 6.

Debian Server

Versions        Intel 32-bit (x86)   Intel 64-bit (x86_64)   ARM 64-bit (arm64)
Jessie (8)      -                    ✓                       -
Stretch (9)     -                    ✓                       ✓
Buster (10)     -                    ✓                       ✓
Bullseye (11)   -                    ✓                       ✓

Oracle Linux

Versions   Intel 32-bit (x86)   Intel 64-bit (x86_64)   ARM 64-bit (arm64)
7.5-7.8    -                    ✓                       -
8.1-8.3    -                    ✓                       -

Red Hat Enterprise Linux (RHEL)

Versions   Intel 32-bit (x86)   Intel 64-bit (x86_64)   ARM 64-bit (arm64)
6.x¹       ✓                    ✓                       -
7.0-7.5    -                    ✓                       -
7.6-8.5    -                    ✓                       ✓

¹ SSM Agent no longer officially supports these versions and no longer updates the agent for these versions of RHEL. SSM Agent version 3.0.1390.0 and earlier is supported for RHEL 6.

Rocky Linux

Versions   Intel 64-bit (x86_64)   ARM 64-bit (arm64)
8.4/8.5    ✓                       ✓

SUSE Linux Enterprise Server (SLES)

Versions                     Intel 32-bit (x86)   Intel 64-bit (x86_64)   ARM 64-bit (arm64)
12 and later 12.x versions   -                    ✓                       -
15 and later 15.x versions   -                    ✓                       -

Ubuntu Server

Versions                  Intel 32-bit (x86)   Intel 64-bit (x86_64)   ARM 64-bit (arm64)
12.04 LTS and 14.04 LTS   ✓                    ✓                       -
16.04 LTS and 18.04 LTS   -                    ✓                       ✓
20.04 LTS and 20.10 STR   -                    ✓                       ✓

macOS

Version              Intel 32-bit (x86)   Intel 64-bit (x86_64)   ARM 64-bit (arm64)
10.14.x (Mojave)     -                    ✓                       -
10.15.x (Catalina)   -                    ✓                       -
11.x (Big Sur)       -                    ✓                       -

Note

macOS support is limited to the following AWS Regions:

• US East (N. Virginia) (us-east-1)

• US East (Ohio) (us-east-2)

• US West (Oregon) (us-west-2)

• Europe (Ireland) (eu-west-1)

• Asia Pacific (Singapore) (ap-southeast-1)

For more information about Amazon EC2 support for macOS, see Amazon EC2 Mac instances in the Amazon EC2 User Guide for Linux Instances.

Raspberry Pi OS (formerly Raspbian)

Version       ARM 32-bit (arm)
8 (Jessie)    ✓
9 (Stretch)   ✓

Related content

Manage Raspberry Pi devices using AWS Systems Manager

Windows Server

SSM Agent requires Windows PowerShell 3.0 or later to run certain AWS Systems Manager documents (SSM documents) on Windows Server instances (for example, the legacy AWS-ApplyPatchBaseline document). Verify that your Windows Server instances are running Windows Management Framework 3.0 or later. This framework includes Windows PowerShell. For more information, see Windows Management Framework 3.0.

Version            Intel 32-bit (x86)   Intel 64-bit (x86_64)   ARM 64-bit (arm64)
2008¹              ✓                    ✓                       -
2008 R2¹           -                    ✓                       -
2012 and 2012 R2   -                    ✓                       -
2016               -                    ✓                       -
2019               -                    ✓                       -
2022               -                    ✓                       -

¹ As of January 14, 2020, Windows Server 2008 is no longer supported for feature or security updates from Microsoft. Legacy Amazon Machine Images (AMIs) for Windows Server 2008 and 2008 R2 still include version 2 of SSM Agent preinstalled, but Systems Manager no longer officially supports 2008 versions and no longer updates the agent for these versions of Windows Server. In addition, SSM Agent version 3.0 (p. 74) might not be compatible with all operations on Windows Server 2008 and 2008 R2.

The final officially supported version of SSM Agent for Windows Server 2008 versions is 2.3.1644.0.

Accessing Systems Manager

You can work with AWS Systems Manager in any of the following ways:

Systems Manager console

The AWS Systems Manager console is a browser-based interface to access and use Systems Manager.

AWS IoT Greengrass V2 console

You can view and manage edge devices that are configured for AWS IoT Greengrass in the Greengrass console.

AWS command line tools

By using the AWS command line tools, you can issue commands at your system's command line to perform Systems Manager and other AWS tasks. The tools are supported on Linux, macOS, and Windows. Using the AWS Command Line Interface (AWS CLI) can be faster and more convenient than using the console. The command line tools also are useful if you want to build scripts that perform AWS tasks.

AWS provides two sets of command line tools: the AWS Command Line Interface and the AWS Tools for Windows PowerShell. For information about installing and using the AWS CLI, see the AWS Command Line Interface User Guide. For information about installing and using the Tools for Windows PowerShell, see the AWS Tools for Windows PowerShell User Guide.

Note

On your Windows Server instances, Windows PowerShell 3.0 or later is required to run certain SSM documents (for example, the legacy AWS-ApplyPatchBaseline document).

Verify that your Windows Server instances are running Windows Management Framework 3.0 or later. The framework includes Windows PowerShell.

AWS SDKs

AWS provides software development kits (SDKs) that consist of libraries and sample code for various programming languages and platforms (for example, Java, Python, Ruby, .NET, iOS and Android, and others). The SDKs provide a convenient way to create programmatic access to Systems Manager.

For information about the AWS SDKs, including how to download and install them, see Tools for Amazon Web Services.

Systems Manager prerequisites

The prerequisites for using AWS Systems Manager to manage your Amazon Elastic Compute Cloud (Amazon EC2) instances, edge devices, and on-premises servers and virtual machines (VMs) are covered step by step in the Setting Up chapters of this user guide:

• Setting up AWS Systems Manager (p. 17)

• Setting up AWS Systems Manager for hybrid environments (p. 36)

• Setting up AWS Systems Manager for edge devices (p. 54)

This topic provides an overview of these prerequisites.

To complete prerequisites for using Systems Manager

1. Create an AWS account and configure the required AWS Identity and Access Management (IAM) roles.

2. Verify that Systems Manager is supported in the AWS Regions where you want to use the service.

3. Verify that your machines run a supported operating system.

4. For edge devices, verify that your devices are configured to run the AWS IoT Greengrass Core software. For edge devices that don't run AWS IoT Greengrass Core software, the machines must be configured as on-premises machines for Systems Manager.

5. For Amazon EC2 instances, create an IAM instance profile and attach it to your machines.

6. For on-premises servers, edge devices, and VMs, create an IAM service role.

7. (Recommended) Create a VPC endpoint in Amazon Virtual Private Cloud (Amazon VPC) to use with Systems Manager.

If you don't use a VPC endpoint, configure your managed instances to allow HTTPS (port 443) outbound traffic to the Systems Manager endpoints. For information, see (Optional) Create a Virtual Private Cloud endpoint.

8. For on-premises servers, edge devices, VMs, and Amazon EC2 instances created from Amazon Machine Images (AMIs) that aren't supplied by AWS, ensure that a Transport Layer Security (TLS) certificate is installed.

9. For on-premises servers and VMs, register the machines with Systems Manager through the managed instance activation process.

10. Install or verify installation of the SSM Agent on each of your managed nodes.

11. For Amazon EC2 instances, verify the instance can reach the Instance Metadata Service (IMDS). Systems Manager relies on EC2 instance metadata to function correctly.

Note

SSM Agent initiates all connections to the Systems Manager service in the cloud. For this reason, you don't need to configure your firewall to allow inbound traffic to your managed nodes for Systems Manager.

If your managed nodes don't display in Systems Manager after you've followed these steps, see Troubleshooting managed node availability (p. 796).

Integration with IAM and Amazon EC2

User access to Systems Manager, its capabilities, and its resources are controlled through policies that you use or create in AWS Identity and Access Management. If you plan to use computing resources provided by AWS and on-premises servers and virtual machines (VMs), you also need to understand Amazon Elastic Compute Cloud before you set up Systems Manager for your organization.

Understanding how these services work is essential to successfully set up Systems Manager.

For more information about Amazon EC2, see the following:

• Amazon Elastic Compute Cloud

• Getting Started with Amazon EC2 Linux Instances

• Getting Started with Amazon EC2 Windows Instances

• What is Amazon EC2? (Linux)

• What is Amazon EC2? (Windows)

• Amazon EC2 Mac instances in the Amazon EC2 User Guide for Linux Instances

For more information about IAM, see the following:

• AWS Identity and Access Management (IAM)

• Getting Started with IAM

• What is IAM?

Setting up AWS Systems Manager

Complete the tasks in this section to set up and configure roles, user accounts, permissions, and initial resources for AWS Systems Manager. The tasks described in this section are typically performed by AWS account and systems administrators. After these steps are complete, users in your organization can use Systems Manager to configure, manage, and access your managed nodes. A managed node is any machine configured for Systems Manager. Systems Manager supports the following types of managed nodes: Amazon Elastic Compute Cloud (Amazon EC2) instances, edge devices, and on-premises servers and virtual machines (VMs) in a hybrid environment.

Note

If you plan to use Amazon EC2 instances and your own computing resources in a hybrid environment, follow the steps in Setting up AWS Systems Manager for EC2 instances (p. 17).

That topic presents steps in the best order for completing Systems Manager setup for EC2 instances and hybrid machines.

If you already use other AWS services, you have completed some of these steps. However, other steps are specific to Systems Manager. Therefore, we recommend reviewing this entire section to ensure that you're ready to use all Systems Manager capabilities.

Topics

• Setting up AWS Systems Manager for EC2 instances (p. 17)

• Setting up AWS Systems Manager for hybrid environments (p. 36)

• Setting up AWS Systems Manager for edge devices (p. 54)

Setting up AWS Systems Manager for EC2 instances

Complete the tasks in this section to set up and configure roles, user accounts, permissions, and initial resources for AWS Systems Manager. The tasks described in this section are typically performed by AWS account and systems administrators. After these steps are complete, users in your organization can use Systems Manager to configure, manage, and access Amazon Elastic Compute Cloud (Amazon EC2) instances.

Note

If you plan to use Systems Manager to manage and configure on-premises machines, follow the setup steps in Setting up AWS Systems Manager for hybrid environments (p. 36). If you plan to use both Amazon EC2 instances and your own computing resources in a hybrid environment, follow the steps here first. This section presents steps in the best order for configuring the roles, users, permissions, and initial resources to use in your Systems Manager operations.

If you already use other AWS services, you have completed some of these steps. However, other steps are specific to Systems Manager. Therefore, we recommend reviewing this entire section to ensure that you're ready to use all Systems Manager capabilities.

Contents

• Step 1: Sign up for AWS (p. 18)

• Step 2: Create an Admin IAM user for AWS (p. 18)

• Step 3: Create non-Admin IAM users and groups for Systems Manager (p. 19)

• Step 4: Create an IAM instance profile for Systems Manager (p. 22)

• Step 5: Attach an IAM instance profile to an Amazon EC2 instance (p. 27)

• Step 6: (Optional) Create a Virtual Private Cloud endpoint (p. 29)

• Step 7: (Optional) Create Systems Manager service roles (p. 33)

• Step 8: (Optional) Set up integrations with other AWS services (p. 35)

Step 1: Sign up for AWS

If you do not have an AWS account, complete the following steps to create one.

To sign up for an AWS account

1. Open https://portal.aws.amazon.com/billing/signup.

2. Follow the online instructions.

Part of the sign-up procedure involves receiving a phone call and entering a verification code on the phone keypad.

Continue to Step 2: Create an Admin IAM user for AWS (p. 18).

Step 2: Create an Admin IAM user for AWS

When you first create an AWS account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account. We strongly recommend that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks.

In this procedure, you use the AWS account root user to create your first user in AWS Identity and Access Management (IAM). You add this IAM user to an Administrators group, to ensure that you have access to all services and their resources in your account. The next time that you access your AWS account, you should sign in with the credentials for this IAM user. As a best practice, create only the credentials that the user needs. For example, for a user who requires access only through the AWS Management Console, do not create access keys. Optionally, you can configure multi-factor authentication (MFA) for the user. MFA requires the user to provide a one-time-use code each time he or she signs into the AWS Management Console.

To create an IAM user with restricted permissions, see Step 3: Create non-Admin IAM users and groups for Systems Manager (p. 19).

To create an administrator user for yourself and add the user to an administrators group (console)

1. Sign in to the IAM console as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.

Note

We strongly recommend that you adhere to the best practice of using the Administrator IAM user that follows and securely lock away the root user credentials. Sign in as the root user only to perform a few account and service management tasks.

2. In the navigation pane, choose Users and then choose Add user.

3. For User name, enter Administrator.

4. Select the check box next to AWS Management Console access. Then select Custom password, and then enter your new password in the text box.

5. (Optional) By default, AWS requires the new user to create a new password when first signing in. You can clear the check box next to User must create a new password at next sign-in to allow the new user to reset their password after they sign in.

6. Choose Next: Permissions.

7. Under Set permissions, choose Add user to group.

8. Choose Create group.

9. In the Create group dialog box, for Group name enter Administrators.

10. Choose Filter policies, and then select AWS managed - job function to filter the table contents.

11. In the policy list, select the check box for AdministratorAccess. Then choose Create group.

Note

You must activate IAM user and role access to Billing before you can use the AdministratorAccess permissions to access the AWS Billing and Cost Management console. To do this, follow the instructions in step 1 of the tutorial about delegating access to the billing console.

12. Back in the list of groups, select the check box for your new group. Choose Refresh if necessary to see the group in the list.

13. Choose Next: Tags.

14. (Optional) Add metadata to the user by attaching tags as key-value pairs. For more information about using tags in IAM, see Tagging IAM entities in the IAM User Guide.

15. Choose Next: Review to see the list of group memberships to be added to the new user. When you are ready to proceed, choose Create user.

You can use this same process to create more groups and users and to give your users access to your AWS account resources. To learn about using policies that restrict user permissions to specific AWS resources, see Access management and Example policies.

Continue to Step 3: Create non-Admin IAM users and groups for Systems Manager (p. 19).

Step 3: Create non-Admin IAM users and groups for Systems Manager

Users in the administrators group for an account have access to all AWS services and resources in that account. This section describes how to create users with permissions that are limited to AWS Systems Manager.

Note

You can grant users or groups full Systems Manager access using the AWS Identity and Access Management (IAM) policy AmazonSSMFullAccess, as described later in this section. In practice, however, you might want to limit users or groups to only some Systems Manager features. In the chapters for many Systems Manager capabilities, such as Session Manager and Maintenance Windows, we provide instructions for limiting access to actions and resources for that capability only.

For information about using IAM policies to control user access to Systems Manager capabilities and resources, see AWS Systems Manager identity-based policy examples (p. 1368).

For information about how to change permissions for an IAM user account, group, or role, see Changing permissions for an IAM User in the IAM User Guide.

Topics

• Task 1: Create user groups (p. 20)
