This is the new *CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html). # AWS Systems Manager **Resource types** + [AWS::SSM::Association](aws-resource-ssm-association.md) + [AWS::SSM::Document](aws-resource-ssm-document.md) + [AWS::SSM::MaintenanceWindow](aws-resource-ssm-maintenancewindow.md) + [AWS::SSM::MaintenanceWindowTarget](aws-resource-ssm-maintenancewindowtarget.md) + [AWS::SSM::MaintenanceWindowTask](aws-resource-ssm-maintenancewindowtask.md) + [AWS::SSM::Parameter](aws-resource-ssm-parameter.md) + [AWS::SSM::PatchBaseline](aws-resource-ssm-patchbaseline.md) + [AWS::SSM::ResourceDataSync](aws-resource-ssm-resourcedatasync.md) + [AWS::SSM::ResourcePolicy](aws-resource-ssm-resourcepolicy.md) # AWS::SSM::Association The `AWS::SSM::Association` resource creates a State Manager association for your managed instances. A State Manager association defines the state that you want to maintain on your instances. For example, an association can specify that anti-virus software must be installed and running on your instances, or that certain ports must be closed. For static targets, the association specifies a schedule for when the configuration is reapplied. For dynamic targets, such as an AWS Resource Groups or an AWS Auto Scaling Group, State Manager applies the configuration when new instances are added to the group. The association also specifies actions to take when applying the configuration. For example, an association for anti-virus software might run once a day. If the software is not installed, then State Manager installs it. If the software is installed, but the service is not running, then the association might instruct State Manager to start the service. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "Type" : "AWS::SSM::Association", "Properties" : { "[ApplyOnlyAtCronInterval](#cfn-ssm-association-applyonlyatcroninterval)" : Boolean, "[AssociationName](#cfn-ssm-association-associationname)" : String, "[AutomationTargetParameterName](#cfn-ssm-association-automationtargetparametername)" : String, "[CalendarNames](#cfn-ssm-association-calendarnames)" : [ String, ... ], "[ComplianceSeverity](#cfn-ssm-association-complianceseverity)" : String, "[DocumentVersion](#cfn-ssm-association-documentversion)" : String, "[InstanceId](#cfn-ssm-association-instanceid)" : String, "[MaxConcurrency](#cfn-ssm-association-maxconcurrency)" : String, "[MaxErrors](#cfn-ssm-association-maxerrors)" : String, "[Name](#cfn-ssm-association-name)" : String, "[OutputLocation](#cfn-ssm-association-outputlocation)" : InstanceAssociationOutputLocation, "[Parameters](#cfn-ssm-association-parameters)" : [ String, ... ], "[ScheduleExpression](#cfn-ssm-association-scheduleexpression)" : String, "[ScheduleOffset](#cfn-ssm-association-scheduleoffset)" : Integer, "[SyncCompliance](#cfn-ssm-association-synccompliance)" : String, "[Targets](#cfn-ssm-association-targets)" : [ Target, ... ], "[WaitForSuccessTimeoutSeconds](#cfn-ssm-association-waitforsuccesstimeoutseconds)" : Integer } } ``` ### YAML ``` Type: AWS::SSM::Association Properties: [ApplyOnlyAtCronInterval](#cfn-ssm-association-applyonlyatcroninterval): Boolean [AssociationName](#cfn-ssm-association-associationname): String [AutomationTargetParameterName](#cfn-ssm-association-automationtargetparametername): String [CalendarNames](#cfn-ssm-association-calendarnames): - String [ComplianceSeverity](#cfn-ssm-association-complianceseverity): String [DocumentVersion](#cfn-ssm-association-documentversion): String [InstanceId](#cfn-ssm-association-instanceid): String [MaxConcurrency](#cfn-ssm-association-maxconcurrency): String [MaxErrors](#cfn-ssm-association-maxerrors): String [Name](#cfn-ssm-association-name): String [OutputLocation](#cfn-ssm-association-outputlocation): InstanceAssociationOutputLocation [Parameters](#cfn-ssm-association-parameters): - String [ScheduleExpression](#cfn-ssm-association-scheduleexpression): String [ScheduleOffset](#cfn-ssm-association-scheduleoffset): Integer [SyncCompliance](#cfn-ssm-association-synccompliance): String [Targets](#cfn-ssm-association-targets): - Target [WaitForSuccessTimeoutSeconds](#cfn-ssm-association-waitforsuccesstimeoutseconds): Integer ``` ## Properties `ApplyOnlyAtCronInterval` By default, when you create a new association, the system runs it immediately after it is created and then according to the schedule you specified. Specify this option if you don't want an association to run immediately after you create it. This parameter is not supported for rate expressions. *Required*: No *Type*: Boolean *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `AssociationName` Specify a descriptive name for the association. *Required*: No *Type*: String *Pattern*: `^[a-zA-Z0-9_\-.]{3,128}$` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `AutomationTargetParameterName` Choose the parameter that will define how your automation will branch out. This target is required for associations that use an Automation runbook and target resources by using rate controls. Automation is a tool in AWS Systems Manager. *Required*: No *Type*: String *Minimum*: `1` *Maximum*: `50` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `CalendarNames` The names or Amazon Resource Names (ARNs) of the Change Calendar type documents your associations are gated under. The associations only run when that Change Calendar is open. For more information, see [AWS Systems Manager Change Calendar](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-change-calendar) in the *AWS Systems Manager User Guide*. *Required*: No *Type*: Array of String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ComplianceSeverity` The severity level that is assigned to the association. *Required*: No *Type*: String *Allowed values*: `CRITICAL | HIGH | MEDIUM | LOW | UNSPECIFIED` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `DocumentVersion` The version of the SSM document to associate with the target. Note the following important information. + State Manager doesn't support running associations that use a new version of a document if that document is shared from another account. State Manager always runs the `default` version of a document if shared from another account, even though the Systems Manager console shows that a new version was processed. If you want to run an association using a new version of a document shared form another account, you must set the document version to `default`. + `DocumentVersion` is not valid for documents owned by AWS, such as `AWS-RunPatchBaseline` or `AWS-UpdateSSMAgent`. If you specify `DocumentVersion` for an AWS document, the system returns the following error: "Error occurred during operation 'CreateAssociation'." (RequestToken: , HandlerErrorCode: GeneralServiceException). *Required*: No *Type*: String *Pattern*: `([$]LATEST|[$]DEFAULT|^[1-9][0-9]*$)` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `InstanceId` `InstanceId` has been deprecated. To specify an instance ID for an association, use the `Targets` parameter. If you use the parameter `InstanceId`, you cannot use the parameters `AssociationName`, `DocumentVersion`, `MaxErrors`, `MaxConcurrency`, `OutputLocation`, or `ScheduleExpression`. To use these parameters, you must use the `Targets` parameter. Note that in some examples later in this page, `InstanceIds` is used as the tag-key name in a `Targets` filter. `InstanceId` is not used as a parameter. The ID of the instance that the SSM document is associated with. You must specify the `InstanceId` or `Targets` property. *Required*: Conditional *Type*: String *Pattern*: `(^i-(\w{8}|\w{17})$)|(^mi-\w{17}$)` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `MaxConcurrency` The maximum number of targets allowed to run the association at the same time. You can specify a number, for example 10, or a percentage of the target set, for example 10%. The default value is 100%, which means all targets run the association at the same time. If a new managed node starts and attempts to run an association while Systems Manager is running `MaxConcurrency` associations, the association is allowed to run. During the next association interval, the new managed node will process its association within the limit specified for `MaxConcurrency`. *Required*: No *Type*: String *Pattern*: `^([1-9][0-9]{0,6}|[1-9][0-9]%|[1-9]%|100%)$` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `MaxErrors` The number of errors that are allowed before the system stops sending requests to run the association on additional targets. You can specify either an absolute number of errors, for example 10, or a percentage of the target set, for example 10%. If you specify 3, for example, the system stops sending requests when the fourth error is received. If you specify 0, then the system stops sending requests after the first error is returned. If you run an association on 50 managed nodes and set `MaxError` to 10%, then the system stops sending the request when the sixth error is received. Executions that are already running an association when `MaxErrors` is reached are allowed to complete, but some of these executions may fail as well. If you need to ensure that there won't be more than max-errors failed executions, set `MaxConcurrency` to 1 so that executions proceed one at a time. *Required*: No *Type*: String *Pattern*: `^([1-9][0-9]{0,6}|[0]|[1-9][0-9]%|[0-9]%|100%)$` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Name` The name of the SSM document that contains the configuration information for the instance. You can specify `Command` or `Automation` documents. The documents can be AWS-predefined documents, documents you created, or a document that is shared with you from another account. For SSM documents that are shared with you from other AWS accounts, you must specify the complete SSM document ARN, in the following format: `arn:partition:ssm:region:account-id:document/document-name` For example: `arn:aws:ssm:us-east-2:12345678912:document/My-Shared-Document` For AWS-predefined documents and SSM documents you created in your account, you only need to specify the document name. For example, `AWS-ApplyPatchBaseline` or `My-Document`. *Required*: Yes *Type*: String *Pattern*: `^[a-zA-Z0-9_\-.:/]{3,200}$` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `OutputLocation` An Amazon Simple Storage Service (Amazon S3) bucket where you want to store the output details of the request. *Required*: No *Type*: [InstanceAssociationOutputLocation](aws-properties-ssm-association-instanceassociationoutputlocation.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Parameters` The parameters for the runtime configuration of the document. *Required*: No *Type*: Array of String *Pattern*: `.{1,255}` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ScheduleExpression` A cron expression that specifies a schedule when the association runs. The schedule runs in Coordinated Universal Time (UTC). *Required*: No *Type*: String *Minimum*: `1` *Maximum*: `256` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ScheduleOffset` Number of days to wait after the scheduled day to run an association. *Required*: No *Type*: Integer *Minimum*: `1` *Maximum*: `6` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `SyncCompliance` The mode for generating association compliance. You can specify `AUTO` or `MANUAL`. In `AUTO` mode, the system uses the status of the association execution to determine the compliance status. If the association execution runs successfully, then the association is `COMPLIANT`. If the association execution doesn't run successfully, the association is `NON-COMPLIANT`. In `MANUAL` mode, you must specify the `AssociationId` as a parameter for the `PutComplianceItems` API action. In this case, compliance data is not managed by State Manager. It is managed by your direct call to the `PutComplianceItems` API action. By default, all associations use `AUTO` mode. *Required*: No *Type*: String *Allowed values*: `AUTO | MANUAL` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Targets` The targets for the association. You must specify the `InstanceId` or `Targets` property. You can target all instances in an AWS account by specifying t he `InstanceIds` key with a value of `*`. Supported formats include the following. + `Key=InstanceIds,Values=,,` + `Key=tag-key,Values=,` To view a JSON and a YAML example that targets all instances, see "Create an association for all managed instances in an AWS account" on the Examples page. *Required*: Conditional *Type*: Array of [Target](aws-properties-ssm-association-target.md) *Minimum*: `0` *Maximum*: `5` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `WaitForSuccessTimeoutSeconds` The number of seconds the service should wait for the association status to show "Success" before proceeding with the stack execution. If the association status doesn't show "Success" after the specified number of seconds, then stack creation fails. When you specify a value for the `WaitForSuccessTimeoutSeconds`, [drift detection](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift.html) for your CloudFormation stack’s configuration might yield inaccurate results. If drift detection is important in your scenario, we recommend that you don’t include `WaitForSuccessTimeoutSeconds` in your template. *Required*: No *Type*: Integer *Minimum*: `15` *Maximum*: `172800` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Return values ### Fn::GetAtt The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values. For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html). #### `AssociationId` The association ID. ## Examples **Topics** + [Create an association for a specific instance](#aws-resource-ssm-association--examples--Create_an_association_for_a_specific_instance) + [Create an association for all managed instances in an AWS account](#aws-resource-ssm-association--examples--Create_an_association_for_all_managed_instances_in_an) + [Create an association for a specific tag](#aws-resource-ssm-association--examples--Create_an_association_for_a_specific_tag) + [Create an association that associates an automation document with an instance](#aws-resource-ssm-association--examples--Create_an_association_that_associates_an_automation_document_with_an_instance) + [Create an association that uses rate controls and sends log output to Amazon S3](#aws-resource-ssm-association--examples--Create_an_association_that_uses_rate_controls_and_sends_log_output_to) + [Create an association that works with Ansible](#aws-resource-ssm-association--examples--Create_an_association_that_works_with_Ansible) + [Create an association that runs a bash script](#aws-resource-ssm-association--examples--Create_an_association_that_runs_a_bash_script) + [Create an association that runs a bash script with Systems Manager Automation](#aws-resource-ssm-association--examples--Create_an_association_that_runs_a_bash_script_with_Automation) ### Create an association for a specific instance The following example creates an association that uses the AWS-RunShellScript SSM document. The association runs a simple command on a specific instance. #### JSON ``` { "Resources": { "SpecificInstanceIdAssociation": { "Type": "AWS::SSM::Association", "Properties": { "Name": "AWS-RunShellScript", "Targets": [ { "Key": "InstanceIds", "Values": [ "i-1234567890abcdef0" ] } ], "Parameters": { "commands": [ "ls" ], "workingDirectory": [ "/" ] } } } } } ``` #### YAML ``` --- Resources: SpecificInstanceIdAssociation: Type: AWS::SSM::Association Properties: Name: AWS-RunShellScript Targets: - Key: InstanceIds Values: - i-1234567890abcdef0 Parameters: commands: - ls workingDirectory: - "/" ``` ### Create an association for all managed instances in an AWS account The following example creates an association that uses the AWS-UpdateSSMAgent SSM document. The association updates SSM Agent on all managed instances (instances configured for Systems Manager) in the user's AWS account according to the specified CRON schedule. #### JSON ``` { "Resources": { "AllInstanceIdsAssociation": { "Type": "AWS::SSM::Association", "Properties": { "AssociationName": "UpdateSSMAgent", "Name": "AWS-UpdateSSMAgent", "ScheduleExpression": "cron(0 2 ? * SUN *)", "Targets": [ { "Key": "InstanceIds", "Values": [ "*" ] } ] } } } } ``` #### YAML ``` --- Resources: AllInstanceIdsAssociation: Type: AWS::SSM::Association Properties: AssociationName: UpdateSSMAgent Name: AWS-UpdateSSMAgent ScheduleExpression: cron(0 2 ? * SUN *) Targets: - Key: InstanceIds Values: - "*" ``` ### Create an association for a specific tag The following example creates an association that uses the AWS-UpdateSSMAgent SSM document. The association updates SSM Agent on all managed instances that are assigned a tag key of `Environment` and value of `Production`. The association runs every seven days according to the specified rate expression. #### JSON ``` { "Resources": { "TaggedInstancesAssociation": { "Type": "AWS::SSM::Association", "Properties": { "AssociationName": "UpdateSSMAgent", "Name": "AWS-UpdateSSMAgent", "ScheduleExpression": "rate(7 days)", "Targets": [ { "Key": "tag:Environment", "Values": [ "Production" ] } ] } } } } ``` #### YAML ``` --- Resources: TaggedInstancesAssociation: Type: AWS::SSM::Association Properties: AssociationName: UpdateSSMAgent Name: AWS-UpdateSSMAgent ScheduleExpression: rate(7 days) Targets: - Key: tag:Environment Values: - Production ``` ### Create an association that associates an automation document with an instance The following example creates an association that assigns the AWS-StopEC2Instance automation document to a specific instance. **Note** This example specifies the following Amazon Resource Name (ARN): `arn:${AWS::Partition}:iam::aws:policy/AmazonEC2FullAccess`. This policy provides more than the required permissions to stop the instance. We recommend that you use a policy with more restrictive permissions. #### YAML ``` --- Resources: AutomationExecutionRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: ssm.amazonaws.com Action: - sts:AssumeRole Path: / ManagedPolicyArns: - !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonEC2FullAccess AutomationAssociation: Type: AWS::SSM::Association Properties: Name: AWS-StopEC2Instance Parameters: AutomationAssumeRole: - !GetAtt AutomationExecutionRole.Arn Targets: - Key: MyInstanceId Values: - i-1234567890abcdef0 AutomationTargetParameterName: InstanceId ``` ### Create an association that uses rate controls and sends log output to Amazon S3 The following example creates an association that uses rate controls. The association attempts to update SSM Agent on only 20% of instances at one time. Systems Manager stops the association from running on any additional instances if the execution fails on 5% of the total number of instances. Systems Manager also logs the association output to Amazon S3. #### JSON ``` { "Resources": { "RateControlAssociation": { "Type": "AWS::SSM::Association", "Properties": { "Name": "AWS-UpdateSSMAgent", "Targets": [ { "Key": "InstanceIds", "Values": [ "*" ] } ], "MaxConcurrency": "20%", "MaxErrors": "5%" }, "OutputLocation": { "S3Location": { "OutputS3BucketName": "amzn-s3-demo-bucket", "OutputS3KeyPrefix": "my-agent-update-output" } } } } } ``` #### YAML ``` --- Resources: RateControlAssociation: Type: 'AWS::SSM::Association' Properties: Name: AWS-UpdateSSMAgent Targets: - Key: InstanceIds Values: - '*' MaxConcurrency: 20% MaxErrors: 5% OutputLocation: S3Location: OutputS3BucketName: amzn-s3-demo-bucket OutputS3KeyPrefix: my-agent-update-output ``` ### Create an association that works with Ansible The following example creates an association that uses Ansible and Systems Manager to deploy Nginx. This template copies the Ansible Playbook from a Github repo. The target is based on instance ID. #### YAML ``` --- Description: "Deploy single Amazon Linux 2 EC2 instance" Parameters: # Using SSM Parameter Store to fetch the Latest AMI for Amazon Linux 2. Eliminates the need for AMI Mappings. LatestAmiId: Type: 'AWS::SSM::Parameter::Value' Default: "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2" GitHubOwner: Type: 'String' GitHubRepo: Type: 'String' GitHubBranch: Type: 'String' Resources: amzn-s3-demo-bucket: Type: AWS::S3::Bucket SSMInstanceRole: Type : AWS::IAM::Role Properties: Policies: - PolicyDocument: Version: '2012-10-17 ' Statement: - Action: - s3:GetObject Resource: - !Sub 'arn:aws:s3:::aws-ssm-${AWS::Region}/*' - !Sub 'arn:aws:s3:::aws-windows-downloads-${AWS::Region}/*' - !Sub 'arn:aws:s3:::amazon-ssm-${AWS::Region}/*' - !Sub 'arn:aws:s3:::amazon-ssm-packages-${AWS::Region}/*' - !Sub 'arn:aws:s3:::${AWS::Region}-birdwatcher-prod/*' - !Sub 'arn:aws:s3:::patch-baseline-snapshot-${AWS::Region}/*' Effect: Allow PolicyName: ssm-custom-s3-policy - PolicyDocument: Version: '2012-10-17 ' Statement: - Action: - s3:GetObject - s3:PutObject - s3:PutObjectAcl - s3:ListBucket Resource: - !Sub 'arn:${AWS::Partition}:s3:::amzn-s3-demo-bucket/*' - !Sub 'arn:${AWS::Partition}:s3:::amzn-s3-demo-bucket' Effect: Allow PolicyName: s3-instance-bucket-policy Path: / ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore' AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "ec2.amazonaws.com" - "ssm.amazonaws.com" Action: "sts:AssumeRole" SSMInstanceProfile: Type: "AWS::IAM::InstanceProfile" Properties: Roles: - !Ref SSMInstanceRole EC2Instance: Type: "AWS::EC2::Instance" Properties: ImageId: !Ref LatestAmiId InstanceType: "t3.small" IamInstanceProfile: !Ref SSMInstanceProfile AnsibleAssociation: Type: AWS::SSM::Association Properties: # Here using the AWS-ApplyAnsiblePlaybooks Name: AWS-ApplyAnsiblePlaybooks # Targeting Instance by InstanceId passed from the Logical ID of Instance being created # in CloudFormation Targets: - Key: InstanceIds Values: [ !Ref EC2Instance ] OutputLocation: S3Location: OutputS3BucketName: !Ref amzn-s3-demo-bucket OutputS3KeyPrefix: 'logs/' Parameters: # Getting an Ansible Playbook from a GitHub Location SourceType: - 'GitHub' # At a minimum must include the following GitHub repo information, if using a private repo # would want to include the GitHub Token option SourceInfo: - !Sub | {"owner":"${GitHubOwner}", "repository":"${GitHubRepo}", "path":"", "getOptions":"branch:${GitHubBranch}"} # Installing Ansible and its dependencies InstallDependencies: - 'True' # Playbook file we want to run PlaybookFile: - 'playbook.yml' ExtraVariables: - 'SSM=True' Check: - 'False' Verbose: - '-v' Outputs: WebServerPublic: Value: !GetAtt 'EC2Instance.PublicDnsName' Description: Public DNS for WebServer ``` ### Create an association that runs a bash script The following example creates an association that runs a bash script. Target is based on tags. #### YAML ``` --- Description: "Deploy single Amazon Linux 2 EC2 instance and install Nginx by a State Manager association" Parameters: LatestAmiId: Type: 'AWS::SSM::Parameter::Value*' Default: "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2" Resources: amzn-s3-demo-bucket: Type: AWS::S3::Bucket # Role that allows SSM Agent to communicate with SSM and allows use of all features of SSM SSMInstanceRole: Type : AWS::IAM::Role Properties: Policies: - PolicyDocument: Version: '2012-10-17 ' Statement: - Action: - s3:GetObject Resource: - !Sub 'arn:aws:s3:::aws-ssm-${AWS::Region}/*' - !Sub 'arn:aws:s3:::aws-windows-downloads-${AWS::Region}/*' - !Sub 'arn:aws:s3:::amazon-ssm-${AWS::Region}/*' - !Sub 'arn:aws:s3:::amazon-ssm-packages-${AWS::Region}/*' - !Sub 'arn:aws:s3:::${AWS::Region}-birdwatcher-prod/*' - !Sub 'arn:aws:s3:::patch-baseline-snapshot-${AWS::Region}/*' Effect: Allow PolicyName: ssm-custom-s3-policy - PolicyDocument: Version: '2012-10-17 ' Statement: - Action: - s3:GetObject - s3:PutObject - s3:PutObjectAcl - s3:ListBucket Resource: - !Sub 'arn:${AWS::Partition}:s3:::amzn-s3-demo-bucket/*' - !Sub 'arn:${AWS::Partition}:s3:::amzn-s3-demo-bucket' Effect: Allow PolicyName: s3-instance-bucket-policy Path: / ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore' - !Sub 'arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy' AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "ec2.amazonaws.com" - "ssm.amazonaws.com" Action: "sts:AssumeRole" SSMInstanceProfile: Type: "AWS::IAM::InstanceProfile" Properties: Roles: - !Ref SSMInstanceRole EC2Instance: Type: "AWS::EC2::Instance" Properties: ImageId: !Ref LatestAmiId InstanceType: "t3.medium" IamInstanceProfile: !Ref SSMInstanceProfile Tags: - Key: 'nginx' Value: 'yes' NginxAssociation: DependsOn: EC2Instance # CloudFormation Resource Type that creates State Manager Associations Type: AWS::SSM::Association Properties: # Command Document that this Association will run Name: AWS-RunShellScript # Targeting Instance by Tags Targets: - Key: tag:nginx Values: - 'yes' # The passing in the S3 Bucket that is created in the template that logs will be sent to OutputLocation: S3Location: OutputS3BucketName: !Ref amzn-s3-demo-bucket OutputS3KeyPrefix: 'logs/' # Parameters for the AWS-RunShellScript, in this case commands to install nginx Parameters: commands: - | sudo amazon-linux-extras install nginx1 -y sudo service nginx start Outputs: WebServerPublic: Value: !GetAtt 'EC2Instance.PublicDnsName' Description: Public DNS for WebServer ``` ### Create an association that runs a bash script with Systems Manager Automation The following example creates an assocation that runs a bash script using State Manager and Automation with multiple steps. Target is based on tags. #### YAML ``` --- Description: "Deploy single Amazon Linux 2 EC2 instance" Parameters: LatestAmiId: Type: 'AWS::SSM::Parameter::Value' Default: "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2" Resources: amzn-s3-demo-bucket: Type: AWS::S3::Bucket nginxInstallAutomation: Type: AWS::SSM::Document Properties: DocumentType: Automation Content: schemaVersion: "0.3" description: "Updates AMI with Linux distribution packages and installs Nginx software" assumeRole: "{{AutomationAssumeRole}}" parameters: InstanceId: description: "ID of the Instance." type: "String" AutomationAssumeRole: default: "" description: "(Optional) The ARN of the role that allows Automation to perform the actions on your behalf." type: "String" mainSteps: - name: "updateOSSoftware" action: "aws:runCommand" maxAttempts: 3 timeoutSeconds: 3600 inputs: DocumentName: "AWS-RunShellScript" InstanceIds: - "{{InstanceId}}" CloudWatchOutputConfig: CloudWatchOutputEnabled: "true" Parameters: commands: - | #!/bin/bash sudo yum update -y needs-restarting -r if [ $? -eq 1 ] then exit 194 else exit 0 fi - name: "InstallNginx" action: "aws:runCommand" inputs: DocumentName: "AWS-RunShellScript" InstanceIds: - "{{InstanceId}}" CloudWatchOutputConfig: CloudWatchOutputEnabled: "true" Parameters: commands: - | sudo amazon-linux-extras install nginx1 -y sudo service nginx start - name: "TestInstall" action: "aws:runCommand" maxAttempts: 3 timeoutSeconds: 3600 onFailure: "Abort" inputs: DocumentName: "AWS-RunShellScript" InstanceIds: - "{{InstanceId}}" Parameters: commands: - | curl localhost SSMExecutionRole: Type : AWS::IAM::Role Properties: Policies: - PolicyDocument: Version: '2012-10-17 ' Statement: - Action: - ssm:StartAssociationsOnce - ssm:CreateAssociation - ssm:CreateAssociationBatch - ssm:UpdateAssociation Resource: '*' Effect: Allow PolicyName: ssm-association Path: / ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonSSMAutomationRole' AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "ec2.amazonaws.com" - "ssm.amazonaws.com" Action: "sts:AssumeRole" SSMInstanceRole: Type : AWS::IAM::Role Properties: Policies: - PolicyDocument: Version: '2012-10-17 ' Statement: - Action: - s3:GetObject Resource: - !Sub 'arn:aws:s3:::aws-ssm-${AWS::Region}/*' - !Sub 'arn:aws:s3:::aws-windows-downloads-${AWS::Region}/*' - !Sub 'arn:aws:s3:::amazon-ssm-${AWS::Region}/*' - !Sub 'arn:aws:s3:::amazon-ssm-packages-${AWS::Region}/*' - !Sub 'arn:aws:s3:::${AWS::Region}-birdwatcher-prod/*' - !Sub 'arn:aws:s3:::patch-baseline-snapshot-${AWS::Region}/*' Effect: Allow PolicyName: ssm-custom-s3-policy - PolicyDocument: Version: '2012-10-17 ' Statement: - Action: - s3:GetObject - s3:PutObject - s3:PutObjectAcl - s3:ListBucket Resource: - !Sub 'arn:${AWS::Partition}:s3:::amzn-s3-demo-bucket/*' - !Sub 'arn:${AWS::Partition}:s3:::amzn-s3-demo-bucket' Effect: Allow PolicyName: s3-instance-bucket-policy Path: / ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore' - !Sub 'arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy' AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "ec2.amazonaws.com" - "ssm.amazonaws.com" Action: "sts:AssumeRole" SSMInstanceProfile: Type: "AWS::IAM::InstanceProfile" Properties: Roles: - !Ref SSMInstanceRole EC2Instance: Type: "AWS::EC2::Instance" Properties: ImageId: !Ref LatestAmiId InstanceType: "t3.medium" IamInstanceProfile: !Ref SSMInstanceProfile Tags: - Key: nginx Value: Yes NginxAssociation: DependsOn: EC2Instance Type: AWS::SSM::Association Properties: Name: !Ref nginxInstallAutomation OutputLocation: S3Location: OutputS3BucketName: !Ref amzn-s3-demo-bucket OutputS3KeyPrefix: 'logs/' AutomationTargetParameterName: InstanceId Parameters: AutomationAssumeRole: - !GetAtt 'SSMExecutionRole.Arn' Targets: - Key: tag:nginx Values: - Yes Outputs: WebServerPublic: Value: !GetAtt 'EC2Instance.PublicDnsName' Description: Public DNS for WebServer ``` ## See also + [Reference: Cron and rate expressions for Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/reference-cron-and-rate-expressions.html) # AWS::SSM::Association InstanceAssociationOutputLocation `InstanceAssociationOutputLocation` is a property of the [AWS::SSM::Association](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-association.html) resource that specifies an Amazon S3 bucket where you want to store the results of this association request. For the minimal permissions required to enable Amazon S3 output for an association, see [Creating associations](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-state-assoc.html) in the *Systems Manager User Guide*. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[S3Location](#cfn-ssm-association-instanceassociationoutputlocation-s3location)" : S3OutputLocation } ``` ### YAML ``` [S3Location](#cfn-ssm-association-instanceassociationoutputlocation-s3location): S3OutputLocation ``` ## Properties `S3Location` `S3OutputLocation` is a property of the [InstanceAssociationOutputLocation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ssm-association-instanceassociationoutputlocation.html) property that specifies an Amazon S3 bucket where you want to store the results of this request. *Required*: No *Type*: [S3OutputLocation](aws-properties-ssm-association-s3outputlocation.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SSM::Association S3OutputLocation `S3OutputLocation` is a property of the [AWS::SSM::Association](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-association.html) resource that specifies an Amazon S3 bucket where you want to store the results of this association request. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[OutputS3BucketName](#cfn-ssm-association-s3outputlocation-outputs3bucketname)" : String, "[OutputS3KeyPrefix](#cfn-ssm-association-s3outputlocation-outputs3keyprefix)" : String, "[OutputS3Region](#cfn-ssm-association-s3outputlocation-outputs3region)" : String } ``` ### YAML ``` [OutputS3BucketName](#cfn-ssm-association-s3outputlocation-outputs3bucketname): String [OutputS3KeyPrefix](#cfn-ssm-association-s3outputlocation-outputs3keyprefix): String [OutputS3Region](#cfn-ssm-association-s3outputlocation-outputs3region): String ``` ## Properties `OutputS3BucketName` The name of the S3 bucket. *Required*: No *Type*: String *Minimum*: `3` *Maximum*: `63` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `OutputS3KeyPrefix` The S3 bucket subfolder. *Required*: No *Type*: String *Maximum*: `1024` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `OutputS3Region` The AWS Region of the S3 bucket. *Required*: No *Type*: String *Minimum*: `3` *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SSM::Association Target `Target` is a property of the [AWS::SSM::Association](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-association.html) resource that specifies the targets for an SSM document in Systems Manager. You can target all instances in an AWS account by specifying the `InstanceIds` key with a value of `*`. To view a JSON and a YAML example that targets all instances, see the example "Create an association for all managed instances in an AWS account" later in this page. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Key](#cfn-ssm-association-target-key)" : String, "[Values](#cfn-ssm-association-target-values)" : [ String, ... ] } ``` ### YAML ``` [Key](#cfn-ssm-association-target-key): String [Values](#cfn-ssm-association-target-values): - String ``` ## Properties `Key` User-defined criteria for sending commands that target managed nodes that meet the criteria. *Required*: Yes *Type*: String *Pattern*: `^[\p{L}\p{Z}\p{N}_.:/=+\-@]{1,128}$|resource-groups:Name` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Values` User-defined criteria that maps to `Key`. For example, if you specified `tag:ServerRole`, you could specify `value:WebServer` to run a command on instances that include EC2 tags of `ServerRole,WebServer`. Depending on the type of target, the maximum number of values for a key might be lower than the global maximum of 50. *Required*: Yes *Type*: Array of String *Minimum*: `0` *Maximum*: `50` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SSM::Document The `AWS::SSM::Document` resource creates a Systems Manager (SSM) document in AWS Systems Manager. This document defines the actions that Systems Manager performs on your AWS resources. **Note** This resource does not support CloudFormation drift detection. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "Type" : "AWS::SSM::Document", "Properties" : { "[Attachments](#cfn-ssm-document-attachments)" : [ AttachmentsSource, ... ], "[Content](#cfn-ssm-document-content)" : Json, "[DocumentFormat](#cfn-ssm-document-documentformat)" : String, "[DocumentType](#cfn-ssm-document-documenttype)" : String, "[Name](#cfn-ssm-document-name)" : String, "[Requires](#cfn-ssm-document-requires)" : [ DocumentRequires, ... ], "[Tags](#cfn-ssm-document-tags)" : [ Tag, ... ], "[TargetType](#cfn-ssm-document-targettype)" : String, "[UpdateMethod](#cfn-ssm-document-updatemethod)" : String, "[VersionName](#cfn-ssm-document-versionname)" : String } } ``` ### YAML ``` Type: AWS::SSM::Document Properties: [Attachments](#cfn-ssm-document-attachments): - AttachmentsSource [Content](#cfn-ssm-document-content): Json [DocumentFormat](#cfn-ssm-document-documentformat): String [DocumentType](#cfn-ssm-document-documenttype): String [Name](#cfn-ssm-document-name): String [Requires](#cfn-ssm-document-requires): - DocumentRequires [Tags](#cfn-ssm-document-tags): - Tag [TargetType](#cfn-ssm-document-targettype): String [UpdateMethod](#cfn-ssm-document-updatemethod): String [VersionName](#cfn-ssm-document-versionname): String ``` ## Properties `Attachments` A list of key-value pairs that describe attachments to a version of a document. *Required*: No *Type*: Array of [AttachmentsSource](aws-properties-ssm-document-attachmentssource.md) *Minimum*: `0` *Maximum*: `20` *Update requires*: [Some interruptions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-some-interrupt) `Content` The content for the new SSM document in JSON or YAML. For more information about the schemas for SSM document content, see [SSM document schema features and examples](https://docs.aws.amazon.com/systems-manager/latest/userguide/document-schemas-features.html) in the *AWS Systems Manager User Guide*. This parameter also supports `String` data types. *Required*: Yes *Type*: Json *Minimum*: `1` *Update requires*: [Some interruptions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-some-interrupt) `DocumentFormat` Specify the document format for the request. `JSON` is the default format. *Required*: No *Type*: String *Allowed values*: `YAML | JSON | TEXT` *Update requires*: [Some interruptions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-some-interrupt) `DocumentType` The type of document to create. *Required*: No *Type*: String *Allowed values*: `ApplicationConfiguration | ApplicationConfigurationSchema | Automation | Automation.ChangeTemplate | AutoApprovalPolicy | ChangeCalendar | CloudFormation | Command | DeploymentStrategy | ManualApprovalPolicy | Package | Policy | ProblemAnalysis | ProblemAnalysisTemplate | Session` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `Name` A name for the SSM document. You can't use the following strings as document name prefixes. These are reserved by AWS for use as document name prefixes: + `aws` + `amazon` + `amzn` + `AWSEC2` + `AWSConfigRemediation` + `AWSSupport` *Required*: No *Type*: String *Pattern*: `^[a-zA-Z0-9_\-.]{3,128}$` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `Requires` A list of SSM documents required by a document. This parameter is used exclusively by AWS AppConfig. When a user creates an AWS AppConfig configuration in an SSM document, the user must also specify a required document for validation purposes. In this case, an `ApplicationConfiguration` document requires an `ApplicationConfigurationSchema` document for validation purposes. For more information, see [What is AWS AppConfig?](https://docs.aws.amazon.com/appconfig/latest/userguide/what-is-appconfig.html) in the *AWS AppConfig User Guide*. *Required*: No *Type*: Array of [DocumentRequires](aws-properties-ssm-document-documentrequires.md) *Minimum*: `1` *Update requires*: [Some interruptions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-some-interrupt) `Tags` AWS CloudFormation resource tags to apply to the document. Use tags to help you identify and categorize resources. *Required*: No *Type*: Array of [Tag](aws-properties-ssm-document-tag.md) *Maximum*: `1000` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `TargetType` Specify a target type to define the kinds of resources the document can run on. For example, to run a document on EC2 instances, specify the following value: `/AWS::EC2::Instance`. If you specify a value of '/' the document can run on all types of resources. If you don't specify a value, the document can't run on any resources. For a list of valid resource types, see [AWS resource and property types reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html) in the *AWS CloudFormation User Guide*. *Required*: No *Type*: String *Pattern*: `^\/[\w\.\-\:\/]*$` *Update requires*: [Some interruptions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-some-interrupt) `UpdateMethod` If the document resource you specify in your template already exists, this parameter determines whether a new version of the existing document is created, or the existing document is replaced. `Replace` is the default method. If you specify `NewVersion` for the `UpdateMethod` parameter, and the `Name` of the document does not match an existing resource, a new document is created. When you specify `NewVersion`, the default version of the document is changed to the newly created version. *Required*: No *Type*: String *Allowed values*: `Replace | NewVersion` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `VersionName` An optional field specifying the version of the artifact you are creating with the document. For example, `Release12.1`. This value is unique across all versions of a document, and can't be changed. *Required*: No *Type*: String *Pattern*: `^[a-zA-Z0-9_\-.]{1,128}$` *Update requires*: [Some interruptions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-some-interrupt) ## Return values ### Ref When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the Systems Manager document name, such as `MyNewSSMDocument`. For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html). ## Examples **Topics** + [Create an Automation runbook that runs commands on an EC2 Linux instance](#aws-resource-ssm-document--examples--Create_an_Automation_runbook_that_runs_commands_on_an_EC2_Linux_instance) + [Create a document that runs commands on an EC2 Linux instance](#aws-resource-ssm-document--examples--Create_a_document_that_runs_commands_on_an_EC2_Linux_instance) + [Join a managed instance to a directory in AWS Directory Service](#aws-resource-ssm-document--examples--Join_a_managed_instance_to_a_directory_in) + [Associate an SSM document with an instance](#aws-resource-ssm-document--examples--Associate_an_SSM_document_with_an_instance) + [Create a Systems Manager document for Session Manager preferences](#aws-resource-ssm-document--examples--Create_a_document_for_Session_Manager_preferences) + [Create a Systems Manager document with JSON content](#aws-resource-ssm-document--examples--Create_a_document_with_JSON_content) + [Create a Systems Manager Distributor package](#aws-resource-ssm-document--examples--Create_a_Distributor_package) + [Create a Systems Manager Change Calendar document](#aws-resource-ssm-document--examples--Create_a_Change_Calendar_document) ### Create an Automation runbook that runs commands on an EC2 Linux instance The following runbook runs the commands you specify on your target Amazon EC2 Linux instance. You specify the commands parameter value when starting the runbook. #### YAML ``` document: Type: AWS::SSM::Document Properties: Content: schemaVersion: '0.3' description: 'Run a script on Linux instances.' parameters: AutomationAssumeRole: type: String description: (Optional) The ARN of the role that allows Automation to perform the actions on your behalf. default: '' commands: type: String description: "(Required) The commands to run or the path to an existing script on the instance." default: 'echo Hello World' InstanceId: type: String description: "(Required) The instance ID you want to run commands on." default: '' mainSteps: - name: sayHello action: 'aws:runCommand' inputs: DocumentName: AWS-RunShellScript InstanceIds: - '{{InstanceId}}' Parameters: commands: - "{{ commands }}" DocumentFormat: YAML DocumentType: Automation Name: 'CFN_runbook_example' ``` #### JSON ``` "document": { "Type": "AWS::SSM::Document", "Properties": { "Content": { "schemaVersion": "0.3", "description": "Run a script on Linux instances.", "parameters": { "AutomationAssumeRole": { "type": "String", "description": "(Optional) The ARN of the role that allows Automation to perform the actions on your behalf.", "default": "" }, "commands": { "type": "String", "description": "(Required) The commands to run or the path to an existing script on the instance.", "default": "echo Hello World" }, "InstanceId": { "type": "String", "description": "(Required) The instance ID you want to run commands on.", "default": "" } }, "mainSteps": [ { "name": "sayHello", "action": "aws:runCommand", "inputs": { "DocumentName": "AWS-RunShellScript", "Parameters": { "InstanceIds": [ "{{InstanceId}}" ], "commands": [ "{{ commands }}" ] } } } ] }, "DocumentType": "Automation", "Name": "CFN_runbook_example" } } ``` ### Create a document that runs commands on an EC2 Linux instance The following SSM document runs the commands you specify on your target Amazon EC2 Linux instance. You specify the commands parameter value when you run the document using Run Command. #### YAML ``` document: Type: AWS::SSM::Document Properties: Content: schemaVersion: '2.2' description: 'Run a script on Linux instances.' parameters: commands: type: String description: "(Required) The commands to run or the path to an existing script on the instance." default: 'echo Hello World' mainSteps: - action: aws:runShellScript name: runCommands inputs: timeoutSeconds: '60' runCommand: - "{{ commands }}" DocumentFormat: YAML DocumentType: Command Name: 'CFN_2.2_command_example' ``` #### JSON ``` "document": { "Type": "AWS::SSM::Document", "Properties": { "Content": { "schemaVersion": "2.2", "description": "Run a script on Linux instances.", "parameters": { "commands": { "type": "String", "description": "(Required) The commands to run or the path to an existing script on the instance.", "default": "echo Hello World" } }, "mainSteps": [ { "action": "aws:runShellScript", "name": "runCommands", "inputs": { "timeoutSeconds": "60", "runCommand": [ "{{ commands }}" ] } } ] }, "DocumentType": "Command", "Name": "CFN_2.2_command_ex" } } ``` ### Join a managed instance to a directory in AWS Directory Service The following SSM document joins instances to a directory in AWS Directory Service. The three runtime configuration parameters specify which directory the instance joins. You specify these parameter values when you associate the document with an instance. #### YAML ``` document: Type: AWS::SSM::Document Properties: Content: schemaVersion: '1.2' description: Join instances to an AWS Directory Service domain. parameters: directoryId: type: String description: "(Required) The ID of the AWS Directory Service directory." directoryName: type: String description: "(Required) The name of the directory. For example, test.example.com" dnsIpAddresses: type: StringList default: [] description: "(Optional) The IP addresses of the DNS servers in the directory. Required when DHCP is not configured. For more information, see https://docs.aws.amazon.com/directoryservice/latest/admin-guide/simple_ad_dns.html" allowedPattern: "((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" runtimeConfig: aws:domainJoin: properties: directoryId: "{{ directoryId}}" directoryName: "{{ directoryName }}" dnsIpAddresses: "{{ dnsIpAddresses }}" ``` #### JSON ``` "document" : { "Type": "AWS::SSM::Document", "Properties": { "Content": { "schemaVersion": "1.2", "description": "Join instances to an AWS Directory Service domain.", "parameters": { "directoryId": { "type": "String", "description": "(Required) The ID of the AWS Directory Service directory." }, "directoryName": { "type": "String", "description": "(Required) The name of the directory. For example, test.example.com" }, "dnsIpAddresses": { "type": "StringList", "default": [], "description": "(Optional) The IP addresses of the DNS servers in the directory. Required when DHCP is not configured. For more information, see https://docs.aws.amazon.com/directoryservice/latest/admin-guide/simple_ad_dns.html", "allowedPattern": "((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" } }, "runtimeConfig": { "aws:domainJoin": { "properties": { "directoryId": "{{ directoryId}}", "directoryName": "{{ directoryName }}", "dnsIpAddresses": "{{ dnsIpAddresses }}" } } } } } } ``` ### Associate an SSM document with an instance The following example shows how to associate an SSM document with an instance. The `DocumentName` property specifies the SSM document and the `AssociationParameters` property specifies values for the runtime configuration parameters. #### YAML ``` myEC2: Type: AWS::EC2::Instance Properties: ImageId: Ref: myImageId InstanceType: t2.micro SsmAssociations: - DocumentName: Ref: document AssociationParameters: - Key: directoryId Value: - Ref: myDirectory - Key: directoryName Value: - testDirectory.example.com - Key: dnsIpAddresses Value: Fn::GetAtt: - myDirectory - DnsIpAddresses IamInstanceProfile: Ref: myInstanceProfile NetworkInterfaces: - DeviceIndex: '0' AssociatePublicIpAddress: 'true' SubnetId: Ref: mySubnet KeyName: Ref: myKeyName ``` #### JSON ``` "myEC2" : { "Type": "AWS::EC2::Instance", "Properties": { "ImageId": { "Ref": "myImageId" }, "InstanceType": "t2.micro", "SsmAssociations": [ { "DocumentName": { "Ref": "document" }, "AssociationParameters": [ { "Key": "directoryId", "Value": [ { "Ref": "myDirectory" } ] }, { "Key": "directoryName", "Value": [ "testDirectory.example.com" ] }, { "Key": "dnsIpAddresses", "Value": { "Fn::GetAtt": [ "myDirectory", "DnsIpAddresses" ] } } ] } ], "IamInstanceProfile": { "Ref": "myInstanceProfile" }, "NetworkInterfaces": [ { "DeviceIndex": "0", "AssociatePublicIpAddress": "true", "SubnetId": { "Ref": "mySubnet" } } ], "KeyName": { "Ref": "myKeyName" } } } ``` ### Create a Systems Manager document for Session Manager preferences The following example creates a Systems Manager`Session` type document for Session Manager preferences. Before using this example template replace the placeholder values. #### JSON ``` { "Resources":{ "SessionPreferencesDocument":{ "Type":"AWS::SSM::Document", "Properties":{ "Name":"SSM-SessionManagerRunShell", "Content":{ "schemaVersion":"1.0", "description":"Document to hold regional settings for Session Manager", "sessionType":"Standard_Stream", "inputs":{ "s3BucketName":"amzn-s3-demo-bucket", "s3KeyPrefix":"amzn-s3-demo-bucket-prefix", "s3EncryptionEnabled":true, "cloudWatchLogGroupName":"MyLogGroupName", "cloudWatchEncryptionEnabled":true, "cloudWatchStreamingEnabled":false, "kmsKeyId":"331dba25-425c-446c-abf9-daf42EXAMPLE", "runAsEnabled":false, "runAsDefaultUser":"MyDefaultRunAsUser", "idleSessionTimeout":"20", "shellProfile":{ "windows":"my-windowscommands", "linux":"my-linux-commands" } } }, "DocumentType":"Session" } } }, "Outputs":{ "DocumentName":{ "Description":"Session Manager preferences document", "Value":"SSM-SessionManagerRunShell" } } } ``` #### YAML ``` Resources: SessionPreferencesDocument: Type: AWS::SSM::Document Properties: Name: SSM-SessionManagerRunShell Content: schemaVersion: '1.0' description: Document to hold regional settings for Session Manager sessionType: Standard_Stream inputs: s3BucketName: 'amzn-s3-demo-bucket' s3KeyPrefix: 'amzn-s3-demo-bucket-prefix' s3EncryptionEnabled: true cloudWatchLogGroupName: 'MyLogGroupName' cloudWatchEncryptionEnabled: true cloudWatchStreamingEnabled: false kmsKeyId: '"331dba25-425c-446c-abf9-daf42EXAMPLE"' runAsEnabled: false runAsDefaultUser: 'MyDefaultRunAsUser' idleSessionTimeout: '20' shellProfile: windows: my-windows-commands linux: my-linux-commands DocumentFormat: YAML DocumentType: Session Outputs: DocumentName: Description: "Session Manager preferences document" Value: SSM-SessionManagerRunShell ``` ### Create a Systems Manager document with JSON content The following example creates a new Systems Manager command document with JSON content. #### JSON ``` { "Type":"AWS::SSM::Document", "Properties":{ "Content":"{\"schemaVersion\": \"2.2\", \"description\": \"Command Document Example JSON\nTemplate\", \"parameters\": { \"Message\": { \"type\": \"String\", \"description\":\n\"Example\", \"default\": \"Hello World\" } }, \"mainSteps\": [ { \"action\":\n\"aws:runPowerShellScript\", \"name\": \"example\", \"inputs\": { \"runCommand\":\n[ \"Write-Output {{Message}}\" ] } } ]}", "DocumentType":"Command", "DocumentFormat":"JSON" } } ``` #### YAML ``` --- Type: "AWS::SSM::Document" Properties: Content: "{\"schemaVersion\": \"2.2\", \"description\": \"Command Document Example JSON Template\", \"parameters\": { \"Message\": { \"type\": \"String\", \"description\": \"Example\", \"default\": \"Hello World\" } }, \"mainSteps\": [ { \"action\": \"aws:runPowerShellScript\", \"name\": \"example\", \"inputs\": { \"runCommand\": [ \"Write-Output {{Message}}\" ] } } ]}" DocumentFormat: JSON DocumentType: Command ``` ### Create a Systems Manager Distributor package The following example creates a new Systems Manager Distributor package. #### JSON ``` { "Resources": { "ExamplePackageDocument": { "Type": "AWS::SSM::Document", "Properties": { "Content": "{\"files\": {\"NewPackage_WINDOWS.zip\": {\"checksums\": {\"sha256\": \"36aeb0ec2c706013cf8c68163459678f7f6daa9489cd3f91d52799331EXAMPLE\"}}}, \"publisher\": \"MyPublisherName\", \"schemaVersion\": \"2.0\", \"packages\": {\"_any\": {\"_any\": {\"x86_64\": {\"file\": \"MyNewPackage_WINDOWS.zip\"}}}}, \"version\": \"1.0\"}", "DocumentType": "Package", "Attachments": [ { "Key": "SourceUrl", "Values": [ "s3://example-package-path/valid-package" ] } ] } } } } ``` #### YAML ``` Resources: ExamplePackageDocument: Type: AWS::SSM::Document Properties: Content: '{\"files\": {\"MyNewPackage_WINDOWS.zip\": {\"checksums\": {\"sha256\": \"36aeb0ec2c706013cf8c68163459678f7f6daa9489cd3f91d52799331EXAMPLE\"}}}, \"publisher\": \"MyPublisherName\", \"schemaVersion\": \"2.0\", \"packages\": {\"_any\": {\"_any\": {\"x86_64\": {\"file\": \"MyNewPackage_WINDOWS.zip\"}}}}, \"version\": \"1.0\"}' DocumentType: Package Attachments: - Key: SourceUrl Values: - "s3://example-package-path/valid-package" ``` ### Create a Systems Manager Change Calendar document The following example creates a new Systems Manager Change Calendar document. #### JSON ``` { "Resources":{ "ExampleChangeCalendarDocument":{ "Type":"AWS::SSM::Document", "Properties":{ "Content":"BEGIN:VCALENDAR\r\nPRODID:-//AWS//Change Calendar 1.0//EN\r\nVERSION:2.0\r\nX-CALENDAR-TYPE:DEFAULT_OPEN\r\nX-WR-CALDESC:test\r\nBEGIN:VTODO\r\nDTSTAMP:20200320T004207Z\r\nUID:3b5af39a-d0b3-4049-a839-d7bb8af01f92\r\nSUMMARY:Add events to this calendar.\r\nEND:VTODO\r\nEND:VCALENDAR\r\n", "DocumentType":"ChangeCalendar", "DocumentFormat":"TEXT" } } } } ``` #### YAML ``` Resources: ExampleChangeCalendarDocument: Type: 'AWS::SSM::Document' Properties: Content: "BEGIN:VCALENDAR\r\nPRODID:-//AWS//Change Calendar 1.0//EN\r\nVERSION:2.0\r\nX-CALENDAR-TYPE:DEFAULT_OPEN\r\nX-WR-CALDESC:test\r\nBEGIN:VTODO\r\nDTSTAMP:20200320T004207Z\r\nUID:3b5af39a-d0b3-4049-a839-d7bb8af01f92\r\nSUMMARY:Add events to this calendar.\r\nEND:VTODO\r\nEND:VCALENDAR\r\n" DocumentType: ChangeCalendar DocumentFormat: TEXT ``` ## See also + [AWS Systems Manager Documents](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-ssm-docs.html) # AWS::SSM::Document AttachmentsSource Identifying information about a document attachment, including the file name and a key-value pair that identifies the location of an attachment to a document. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Key](#cfn-ssm-document-attachmentssource-key)" : String, "[Name](#cfn-ssm-document-attachmentssource-name)" : String, "[Values](#cfn-ssm-document-attachmentssource-values)" : [ String, ... ] } ``` ### YAML ``` [Key](#cfn-ssm-document-attachmentssource-key): String [Name](#cfn-ssm-document-attachmentssource-name): String [Values](#cfn-ssm-document-attachmentssource-values): - String ``` ## Properties `Key` The key of a key-value pair that identifies the location of an attachment to a document. *Required*: No *Type*: String *Allowed values*: `SourceUrl | S3FileUrl | AttachmentReference` *Update requires*: [Some interruptions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-some-interrupt) `Name` The name of the document attachment file. *Required*: No *Type*: String *Pattern*: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$` *Minimum*: `1` *Maximum*: `128` *Update requires*: [Some interruptions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-some-interrupt) `Values` The value of a key-value pair that identifies the location of an attachment to a document. The format for **Value** depends on the type of key you specify. + For the key *SourceUrl*, the value is an S3 bucket location. For example: `"Values": [ "s3://amzn-s3-demo-bucket/my-prefix" ]` + For the key *S3FileUrl*, the value is a file in an S3 bucket. For example: `"Values": [ "s3://amzn-s3-demo-bucket/my-prefix/my-file.py" ]` + For the key *AttachmentReference*, the value is constructed from the name of another SSM document in your account, a version number of that document, and a file attached to that document version that you want to reuse. For example: `"Values": [ "MyOtherDocument/3/my-other-file.py" ]` However, if the SSM document is shared with you from another account, the full SSM document ARN must be specified instead of the document name only. For example: `"Values": [ "arn:aws:ssm:us-east-2:111122223333:document/OtherAccountDocument/3/their-file.py" ]` *Required*: No *Type*: Array of String *Minimum*: `1 | 1` *Maximum*: `100000 | 1` *Update requires*: [Some interruptions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-some-interrupt) # AWS::SSM::Document DocumentRequires An SSM document required by the current document. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Name](#cfn-ssm-document-documentrequires-name)" : String, "[Version](#cfn-ssm-document-documentrequires-version)" : String } ``` ### YAML ``` [Name](#cfn-ssm-document-documentrequires-name): String [Version](#cfn-ssm-document-documentrequires-version): String ``` ## Properties `Name` The name of the required SSM document. The name can be an Amazon Resource Name (ARN). *Required*: No *Type*: String *Pattern*: `^[a-zA-Z0-9_\-.:/]{3,200}$` *Maximum*: `200` *Update requires*: [Some interruptions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-some-interrupt) `Version` The document version required by the current document. *Required*: No *Type*: String *Pattern*: `([$]LATEST|[$]DEFAULT|^[1-9][0-9]*$)` *Maximum*: `8` *Update requires*: [Some interruptions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-some-interrupt) # AWS::SSM::Document Tag Metadata that you assign to your AWS resources. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment. In AWS Systems Manager, you can apply tags to Systems Manager documents (SSM documents), managed nodes, maintenance windows, parameters, patch baselines, OpsItems, and OpsMetadata. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Key](#cfn-ssm-document-tag-key)" : String, "[Value](#cfn-ssm-document-tag-value)" : String } ``` ### YAML ``` [Key](#cfn-ssm-document-tag-key): String [Value](#cfn-ssm-document-tag-value): String ``` ## Properties `Key` The name of the tag. *Required*: No *Type*: String *Pattern*: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$` *Minimum*: `1` *Maximum*: `128` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Value` The value of the tag. *Required*: No *Type*: String *Pattern*: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$` *Minimum*: `1` *Maximum*: `256` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SSM::MaintenanceWindow The `AWS::SSM::MaintenanceWindow` resource represents general information about a maintenance window for AWS Systems Manager. Maintenance windows let you define a schedule for when to perform potentially disruptive actions on your instances, such as patching an operating system (OS), updating drivers, or installing software. Each maintenance window has a schedule, a duration, a set of registered targets, and a set of registered tasks. For more information, see [Systems Manager Maintenance Windows](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-maintenance.html) in the *AWS Systems Manager User Guide* and [ CreateMaintenanceWindow](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_CreateMaintenanceWindow.html) in the *AWS Systems Manager API Reference*. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "Type" : "AWS::SSM::MaintenanceWindow", "Properties" : { "[AllowUnassociatedTargets](#cfn-ssm-maintenancewindow-allowunassociatedtargets)" : Boolean, "[Cutoff](#cfn-ssm-maintenancewindow-cutoff)" : Integer, "[Description](#cfn-ssm-maintenancewindow-description)" : String, "[Duration](#cfn-ssm-maintenancewindow-duration)" : Integer, "[EndDate](#cfn-ssm-maintenancewindow-enddate)" : String, "[Name](#cfn-ssm-maintenancewindow-name)" : String, "[Schedule](#cfn-ssm-maintenancewindow-schedule)" : String, "[ScheduleOffset](#cfn-ssm-maintenancewindow-scheduleoffset)" : Integer, "[ScheduleTimezone](#cfn-ssm-maintenancewindow-scheduletimezone)" : String, "[StartDate](#cfn-ssm-maintenancewindow-startdate)" : String, "[Tags](#cfn-ssm-maintenancewindow-tags)" : [ Tag, ... ] } } ``` ### YAML ``` Type: AWS::SSM::MaintenanceWindow Properties: [AllowUnassociatedTargets](#cfn-ssm-maintenancewindow-allowunassociatedtargets): Boolean [Cutoff](#cfn-ssm-maintenancewindow-cutoff): Integer [Description](#cfn-ssm-maintenancewindow-description): String [Duration](#cfn-ssm-maintenancewindow-duration): Integer [EndDate](#cfn-ssm-maintenancewindow-enddate): String [Name](#cfn-ssm-maintenancewindow-name): String [Schedule](#cfn-ssm-maintenancewindow-schedule): String [ScheduleOffset](#cfn-ssm-maintenancewindow-scheduleoffset): Integer [ScheduleTimezone](#cfn-ssm-maintenancewindow-scheduletimezone): String [StartDate](#cfn-ssm-maintenancewindow-startdate): String [Tags](#cfn-ssm-maintenancewindow-tags): - Tag ``` ## Properties `AllowUnassociatedTargets` Enables a maintenance window task to run on managed instances, even if you have not registered those instances as targets. If enabled, then you must specify the unregistered instances (by instance ID) when you register a task with the maintenance window. *Required*: Yes *Type*: Boolean *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Cutoff` The number of hours before the end of the maintenance window that AWS Systems Manager stops scheduling new tasks for execution. *Required*: Yes *Type*: Integer *Minimum*: `0` *Maximum*: `23` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Description` A description of the maintenance window. *Required*: No *Type*: String *Minimum*: `1` *Maximum*: `128` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Duration` The duration of the maintenance window in hours. *Required*: Yes *Type*: Integer *Minimum*: `1` *Maximum*: `24` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `EndDate` The date and time, in ISO-8601 Extended format, for when the maintenance window is scheduled to become inactive. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Name` The name of the maintenance window. *Required*: Yes *Type*: String *Pattern*: `^[a-zA-Z0-9_\-.]{3,128}$` *Minimum*: `3` *Maximum*: `128` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Schedule` The schedule of the maintenance window in the form of a cron or rate expression. *Required*: Yes *Type*: String *Minimum*: `1` *Maximum*: `256` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ScheduleOffset` The number of days to wait to run a maintenance window after the scheduled cron expression date and time. *Required*: No *Type*: Integer *Minimum*: `1` *Maximum*: `6` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ScheduleTimezone` The time zone that the scheduled maintenance window executions are based on, in Internet Assigned Numbers Authority (IANA) format. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `StartDate` The date and time, in ISO-8601 Extended format, for when the maintenance window is scheduled to become active. `StartDate` allows you to delay activation of the maintenance window until the specified future date. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Tags` Optional metadata that you assign to a resource in the form of an arbitrary set of tags (key-value pairs). Tags enable you to categorize a resource in different ways, such as by purpose, owner, or environment. For example, you might want to tag a maintenance window to identify the type of tasks it will run, the types of targets, and the environment it will run in. *Required*: No *Type*: Array of [Tag](aws-properties-ssm-maintenancewindow-tag.md) *Maximum*: `1000` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Return values ### Ref When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the maintenance window ID, such as `mw-abcde1234567890yz`. For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html). ### Fn::GetAtt The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values. For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html). #### `WindowId` The ID of the maintenance window. ## Examples ### Create a maintenance window that does not allow unregistered targets The following example creates a Systems Manager maintenance window that runs for two hours with a one hour cutoff every Sunday at 04:00 AM US Eastern Time. The maintenance window doesn't allow unregistered targets. #### JSON ``` { "Resources": { "MaintenanceWindow": { "Type": "AWS::SSM::MaintenanceWindow", "Properties": { "AllowUnassociatedTargets": false, "Cutoff": 1, "Description": "Maintenance Window to update SSM Agent", "Duration": 2, "Name": "UpdateSSMAgentMaintenanceWindow", "Schedule": "cron(0 4 ? * SUN *)", "ScheduleTimezone": "US/Eastern" } } } } ``` #### YAML ``` --- Resources: MaintenanceWindow: Type: AWS::SSM::MaintenanceWindow Properties: AllowUnassociatedTargets: false Cutoff: 1 Description: Maintenance Window to update SSM Agent Duration: 2 Name: UpdateSSMAgentMaintenanceWindow Schedule: cron(0 4 ? * SUN *) ScheduleTimezone: US/Eastern ``` ## See also + [AWS::SSM::MaintenanceWindowTarget](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-maintenancewindowtarget.html) + [AWS::SSM::MaintenanceWindowTask](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-maintenancewindowtask.html) + [CreateMaintenanceWindow](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_CreateMaintenanceWindow.html) in the *AWS Systems Manager API Reference.* + [Reference: Cron and Rate Expressions for Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/reference-cron-and-rate-expressions.html) # AWS::SSM::MaintenanceWindow Tag Metadata that you assign to your AWS resources. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment. In AWS Systems Manager, you can apply tags to Systems Manager documents (SSM documents), managed nodes, maintenance windows, parameters, patch baselines, OpsItems, and OpsMetadata. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Key](#cfn-ssm-maintenancewindow-tag-key)" : String, "[Value](#cfn-ssm-maintenancewindow-tag-value)" : String } ``` ### YAML ``` [Key](#cfn-ssm-maintenancewindow-tag-key): String [Value](#cfn-ssm-maintenancewindow-tag-value): String ``` ## Properties `Key` The name of the tag. *Required*: Yes *Type*: String *Pattern*: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$` *Minimum*: `1` *Maximum*: `128` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Value` The value of the tag. *Required*: Yes *Type*: String *Pattern*: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$` *Minimum*: `0` *Maximum*: `256` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SSM::MaintenanceWindowTarget The `AWS::SSM::MaintenanceWindowTarget` resource registers a target with a maintenance window for AWS Systems Manager. For more information, see [ RegisterTargetWithMaintenanceWindow](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_RegisterTargetWithMaintenanceWindow.html) in the *AWS Systems Manager API Reference*. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "Type" : "AWS::SSM::MaintenanceWindowTarget", "Properties" : { "[Description](#cfn-ssm-maintenancewindowtarget-description)" : String, "[Name](#cfn-ssm-maintenancewindowtarget-name)" : String, "[OwnerInformation](#cfn-ssm-maintenancewindowtarget-ownerinformation)" : String, "[ResourceType](#cfn-ssm-maintenancewindowtarget-resourcetype)" : String, "[Targets](#cfn-ssm-maintenancewindowtarget-targets)" : [ Targets, ... ], "[WindowId](#cfn-ssm-maintenancewindowtarget-windowid)" : String } } ``` ### YAML ``` Type: AWS::SSM::MaintenanceWindowTarget Properties: [Description](#cfn-ssm-maintenancewindowtarget-description): String [Name](#cfn-ssm-maintenancewindowtarget-name): String [OwnerInformation](#cfn-ssm-maintenancewindowtarget-ownerinformation): String [ResourceType](#cfn-ssm-maintenancewindowtarget-resourcetype): String [Targets](#cfn-ssm-maintenancewindowtarget-targets): - Targets [WindowId](#cfn-ssm-maintenancewindowtarget-windowid): String ``` ## Properties `Description` A description for the target. *Required*: No *Type*: String *Minimum*: `1` *Maximum*: `128` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Name` The name for the maintenance window target. *Required*: No *Type*: String *Pattern*: `^[a-zA-Z0-9_\-.]{3,128}$` *Minimum*: `3` *Maximum*: `128` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `OwnerInformation` A user-provided value that will be included in any Amazon CloudWatch Events events that are raised while running tasks for these targets in this maintenance window. *Required*: No *Type*: String *Minimum*: `1` *Maximum*: `128` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ResourceType` The type of target that is being registered with the maintenance window. *Required*: Yes *Type*: String *Allowed values*: `INSTANCE | RESOURCE_GROUP` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Targets` The targets to register with the maintenance window. In other words, the instances to run commands on when the maintenance window runs. You must specify targets by using the `WindowTargetIds` parameter. *Required*: Yes *Type*: [Array](aws-properties-ssm-maintenancewindowtarget-targets.md) of [Targets](aws-properties-ssm-maintenancewindowtarget-targets.md) *Minimum*: `0` *Maximum*: `5` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `WindowId` The ID of the maintenance window to register the target with. *Required*: Yes *Type*: String *Pattern*: `^mw-[0-9a-f]{17}$` *Minimum*: `20` *Maximum*: `20` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) ## Return values ### Ref When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the maintenance window target ID, such as `12a345b6-bbb7-4bb6-90b0-8c9577a2d2b9`. For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html). ### Fn::GetAtt The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values. For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html). #### `WindowTargetId` The ID of the target. ## Examples ### Create a maintenance window that targets instances by using tags The following example creates a Systems Manager maintenance window target that targets managed instances with the tag key `ENV` and the tag value `DEV`. #### JSON ``` { "Resources": { "MaintenanceWindowTarget": { "Type": "AWS::SSM::MaintenanceWindowTarget", "Properties": { "WindowId": "MaintenanceWindow", "ResourceType": "INSTANCE", "Targets": [ { "Key": "tag:ENV", "Values": [ "DEV" ] } ], "OwnerInformation": "SSM Step Function Demo", "Name": "SSMStepFunctionDemo", "Description": "A target for demonstrating maintenance windows and step functions" }, "DependsOn": "MaintenanceWindow" } } } ``` #### YAML ``` --- Resources: MaintenanceWindowTarget: Type: AWS::SSM::MaintenanceWindowTarget Properties: WindowId: MaintenanceWindow ResourceType: INSTANCE Targets: - Key: tag:ENV Values: - DEV OwnerInformation: SSM Step Function Demo Name: SSMStepFunctionDemo Description: A target for demonstrating maintenance windows and step functions DependsOn: MaintenanceWindow ``` ## See also + [AWS::SSM::MaintenanceWindow](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-maintenancewindow.html) + [AWS::SSM::MaintenanceWindowTask](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-maintenancewindowtask.html) + [RegisterTaskWithMaintenanceWindow](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_RegisterTaskWithMaintenanceWindow.html) in the *AWS Systems Manager API Reference*. # AWS::SSM::MaintenanceWindowTarget Targets The `Targets` property type specifies adding a target to a maintenance window target in AWS Systems Manager. `Targets` is a property of the [AWS::SSM::MaintenanceWindowTarget](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-maintenancewindowtarget.html) resource. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Key](#cfn-ssm-maintenancewindowtarget-targets-key)" : String, "[Values](#cfn-ssm-maintenancewindowtarget-targets-values)" : [ String, ... ] } ``` ### YAML ``` [Key](#cfn-ssm-maintenancewindowtarget-targets-key): String [Values](#cfn-ssm-maintenancewindowtarget-targets-values): - String ``` ## Properties `Key` User-defined criteria for sending commands that target managed nodes that meet the criteria. *Required*: Yes *Type*: String *Pattern*: `^[\p{L}\p{Z}\p{N}_.:/=\-@]*$|resource-groups:ResourceTypeFilters|resource-groups:Name` *Minimum*: `1` *Maximum*: `163` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Values` User-defined criteria that maps to `Key`. For example, if you specified `tag:ServerRole`, you could specify `value:WebServer` to run a command on instances that include EC2 tags of `ServerRole,WebServer`. Depending on the type of target, the maximum number of values for a key might be lower than the global maximum of 50. *Required*: Yes *Type*: Array of String *Minimum*: `0` *Maximum*: `50` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SSM::MaintenanceWindowTask The `AWS::SSM::MaintenanceWindowTask` resource defines information about a task for an AWS Systems Manager maintenance window. For more information, see [RegisterTaskWithMaintenanceWindow](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_RegisterTaskWithMaintenanceWindow.html) in the *AWS Systems Manager API Reference*. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "Type" : "AWS::SSM::MaintenanceWindowTask", "Properties" : { "[CutoffBehavior](#cfn-ssm-maintenancewindowtask-cutoffbehavior)" : String, "[Description](#cfn-ssm-maintenancewindowtask-description)" : String, "[LoggingInfo](#cfn-ssm-maintenancewindowtask-logginginfo)" : LoggingInfo, "[MaxConcurrency](#cfn-ssm-maintenancewindowtask-maxconcurrency)" : String, "[MaxErrors](#cfn-ssm-maintenancewindowtask-maxerrors)" : String, "[Name](#cfn-ssm-maintenancewindowtask-name)" : String, "[Priority](#cfn-ssm-maintenancewindowtask-priority)" : Integer, "[ServiceRoleArn](#cfn-ssm-maintenancewindowtask-servicerolearn)" : String, "[Targets](#cfn-ssm-maintenancewindowtask-targets)" : [ Target, ... ], "[TaskArn](#cfn-ssm-maintenancewindowtask-taskarn)" : String, "[TaskInvocationParameters](#cfn-ssm-maintenancewindowtask-taskinvocationparameters)" : TaskInvocationParameters, "[TaskParameters](#cfn-ssm-maintenancewindowtask-taskparameters)" : Json, "[TaskType](#cfn-ssm-maintenancewindowtask-tasktype)" : String, "[WindowId](#cfn-ssm-maintenancewindowtask-windowid)" : String } } ``` ### YAML ``` Type: AWS::SSM::MaintenanceWindowTask Properties: [CutoffBehavior](#cfn-ssm-maintenancewindowtask-cutoffbehavior): String [Description](#cfn-ssm-maintenancewindowtask-description): String [LoggingInfo](#cfn-ssm-maintenancewindowtask-logginginfo): LoggingInfo [MaxConcurrency](#cfn-ssm-maintenancewindowtask-maxconcurrency): String [MaxErrors](#cfn-ssm-maintenancewindowtask-maxerrors): String [Name](#cfn-ssm-maintenancewindowtask-name): String [Priority](#cfn-ssm-maintenancewindowtask-priority): Integer [ServiceRoleArn](#cfn-ssm-maintenancewindowtask-servicerolearn): String [Targets](#cfn-ssm-maintenancewindowtask-targets): - Target [TaskArn](#cfn-ssm-maintenancewindowtask-taskarn): String [TaskInvocationParameters](#cfn-ssm-maintenancewindowtask-taskinvocationparameters): TaskInvocationParameters [TaskParameters](#cfn-ssm-maintenancewindowtask-taskparameters): Json [TaskType](#cfn-ssm-maintenancewindowtask-tasktype): String [WindowId](#cfn-ssm-maintenancewindowtask-windowid): String ``` ## Properties `CutoffBehavior` The specification for whether tasks should continue to run after the cutoff time specified in the maintenance windows is reached. *Required*: No *Type*: String *Allowed values*: `CONTINUE_TASK | CANCEL_TASK` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Description` A description of the task. *Required*: No *Type*: String *Minimum*: `1` *Maximum*: `128` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `LoggingInfo` `LoggingInfo` has been deprecated. To specify an Amazon S3 bucket to contain logs for Run Command tasks, instead use the `OutputS3BucketName` and `OutputS3KeyPrefix` options in the `TaskInvocationParameters` structure. For information about how Systems Manager handles these options for the supported maintenance window task types, see [AWS::SSM::MaintenanceWindowTask MaintenanceWindowRunCommandParameters](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ssm-maintenancewindowtask-maintenancewindowruncommandparameters.html). Information about an Amazon S3 bucket to write Run Command task-level logs to. *Required*: No *Type*: [LoggingInfo](aws-properties-ssm-maintenancewindowtask-logginginfo.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `MaxConcurrency` The maximum number of targets this task can be run for, in parallel. Although this element is listed as "Required: No", a value can be omitted only when you are registering or updating a [targetless task](https://docs.aws.amazon.com/systems-manager/latest/userguide/maintenance-windows-targetless-tasks.html) You must provide a value in all other cases. For maintenance window tasks without a target specified, you can't supply a value for this option. Instead, the system inserts a placeholder value of `1`. This value doesn't affect the running of your task. *Required*: No *Type*: String *Pattern*: `^([1-9][0-9]*|[1-9][0-9]%|[1-9]%|100%)$` *Minimum*: `1` *Maximum*: `7` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `MaxErrors` The maximum number of errors allowed before this task stops being scheduled. Although this element is listed as "Required: No", a value can be omitted only when you are registering or updating a [targetless task](https://docs.aws.amazon.com/systems-manager/latest/userguide/maintenance-windows-targetless-tasks.html) You must provide a value in all other cases. For maintenance window tasks without a target specified, you can't supply a value for this option. Instead, the system inserts a placeholder value of `1`. This value doesn't affect the running of your task. *Required*: No *Type*: String *Pattern*: `^([1-9][0-9]*|[0]|[1-9][0-9]%|[0-9]%|100%)$` *Minimum*: `1` *Maximum*: `7` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Name` The task name. *Required*: No *Type*: String *Pattern*: `^[a-zA-Z0-9_\-.]{3,128}$` *Minimum*: `3` *Maximum*: `128` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Priority` The priority of the task in the maintenance window. The lower the number, the higher the priority. Tasks that have the same priority are scheduled in parallel. *Required*: Yes *Type*: Integer *Minimum*: `0` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ServiceRoleArn` The Amazon Resource Name (ARN) of the IAM service role for AWS Systems Manager to assume when running a maintenance window task. If you do not specify a service role ARN, Systems Manager uses a service-linked role in your account. If no appropriate service-linked role for Systems Manager exists in your account, it is created when you run `RegisterTaskWithMaintenanceWindow`. However, for an improved security posture, we strongly recommend creating a custom policy and custom service role for running your maintenance window tasks. The policy can be crafted to provide only the permissions needed for your particular maintenance window tasks. For more information, see [Setting up Maintenance Windows](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-maintenance-permissions.html) in the in the *AWS Systems Manager User Guide*. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Targets` The targets, either instances or window target IDs. + Specify instances using `Key=InstanceIds,Values=instanceid1,instanceid2`. + Specify window target IDs using `Key=WindowTargetIds,Values=window-target-id-1,window-target-id-2`. *Required*: No *Type*: Array of [Target](aws-properties-ssm-maintenancewindowtask-target.md) *Minimum*: `0` *Maximum*: `5` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `TaskArn` The resource that the task uses during execution. For `RUN_COMMAND` and `AUTOMATION` task types, `TaskArn` is the SSM document name or Amazon Resource Name (ARN). For `LAMBDA` tasks, `TaskArn` is the function name or ARN. For `STEP_FUNCTIONS` tasks, `TaskArn` is the state machine ARN. *Required*: Yes *Type*: String *Minimum*: `1` *Maximum*: `1600` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `TaskInvocationParameters` The parameters to pass to the task when it runs. Populate only the fields that match the task type. All other fields should be empty. When you update a maintenance window task that has options specified in `TaskInvocationParameters`, you must provide again all the `TaskInvocationParameters` values that you want to retain. The values you do not specify again are removed. For example, suppose that when you registered a Run Command task, you specified `TaskInvocationParameters` values for `Comment`, `NotificationConfig`, and `OutputS3BucketName`. If you update the maintenance window task and specify only a different `OutputS3BucketName` value, the values for `Comment` and `NotificationConfig` are removed. *Required*: No *Type*: [TaskInvocationParameters](aws-properties-ssm-maintenancewindowtask-taskinvocationparameters.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `TaskParameters` `TaskParameters` has been deprecated. To specify parameters to pass to a task when it runs, instead use the `Parameters` option in the `TaskInvocationParameters` structure. For information about how Systems Manager handles these options for the supported maintenance window task types, see [MaintenanceWindowTaskInvocationParameters](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_MaintenanceWindowTaskInvocationParameters.html). The parameters to pass to the task when it runs. *Required*: No *Type*: Json *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `TaskType` The type of task. Valid values: `RUN_COMMAND`, `AUTOMATION`, `LAMBDA`, `STEP_FUNCTIONS`. *Required*: Yes *Type*: String *Allowed values*: `RUN_COMMAND | AUTOMATION | STEP_FUNCTIONS | LAMBDA` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `WindowId` The ID of the maintenance window where the task is registered. *Required*: Yes *Type*: String *Pattern*: `^mw-[0-9a-f]{17}$` *Minimum*: `20` *Maximum*: `20` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) ## Return values ### Ref When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the maintenance window task ID, such as `12a345b6-bbb7-4bb6-90b0-8c9577a2d2b9`. For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html). ### Fn::GetAtt The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values. For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html). #### `WindowTaskId` The task ID. ## Examples **Topics** + [Create a Run Command task that targets instances using a resource group name](#aws-resource-ssm-maintenancewindowtask--examples--Create_a_Run_Command_task_that_targets_instances_using_a_resource_group_name) + [Create a Run Command task that targets instances using a maintenance window target ID](#aws-resource-ssm-maintenancewindowtask--examples--Create_a_Run_Command_task_that_targets_instances_using_a_maintenance_window_target_ID) + [Create a Run Command task that runs a PowerShell script](#aws-resource-ssm-maintenancewindowtask--examples--Create_a_Run_Command_task_that_runs_a_PowerShell_script) + [Create a task that runs an Automation runbook](#aws-resource-ssm-maintenancewindowtask--examples--Create_a_task_that_runs_an_Automation_runbook) + [Create a Step Functions task that targets a maintenance window target ID](#aws-resource-ssm-maintenancewindowtask--examples--Create_a_Step_Functions_task_that_targets_a_maintenance_window_target_ID) + [Create a Step Functions task that targets an instance ID](#aws-resource-ssm-maintenancewindowtask--examples--Create_a_Step_Functions_task_that_targets_an_instance_ID) + [Create a task that runs an AWS Lambda function](#aws-resource-ssm-maintenancewindowtask--examples--Create_a_task_that_runs_an_function) ### Create a Run Command task that targets instances using a resource group name The following example creates a maintenance window Run Command task that installs patches on instances using a using a resource group name as the target. #### JSON ``` { "Resources": { "PatchTask": { "Type": "AWS::SSM::MaintenanceWindowTask", "Properties": { "Description": "Apply OS patches on instances in target", "MaxConcurrency": 1, "MaxErrors": 1, "Priority": 0, "TaskType": "RUN_COMMAND", "WindowId": { "Ref": "MaintenanceWindow" }, "TaskArn": "AWS-RunPatchBaseline", "TaskInvocationParameters": { "MaintenanceWindowRunCommandParameters": { "Parameters": { "Operation": [ "Install" ], "RebootOption": [ "NoReboot" ] } } }, "Targets": [ { "Key": "WindowTargetIds", "Values": [ { "Ref": "MaintenanceWindowTarget" } ] } ] } }, "MaintenanceWindow": { "Type": "AWS::SSM::MaintenanceWindow", "Properties": { "Name": "MaintenanceWindow", "AllowUnassociatedTargets": true, "Cutoff": 0, "Description": "Maintenance window for instances", "Duration": 1, "Schedule": "cron(20 17 ? * MON-FRI *)" } }, "MaintenanceWindowTarget": { "Type": "AWS::SSM::MaintenanceWindowTarget", "Properties": { "ResourceType": "RESOURCE_GROUP", "Targets": [ { "Key": "resource-groups:Name", "Values": [ "TestResourceGroup" ] } ], "WindowId": { "Ref": "MaintenanceWindow" } } } } } ``` #### YAML ``` --- Resources: PatchTask: Type: AWS::SSM::MaintenanceWindowTask Properties: Description: Apply OS patches on instances in target MaxConcurrency: 1 MaxErrors: 1 Priority: 0 TaskType: RUN_COMMAND WindowId: Ref: MaintenanceWindow TaskArn: AWS-RunPatchBaseline TaskInvocationParameters: MaintenanceWindowRunCommandParameters: Parameters: Operation: - Install RebootOption: - NoReboot Targets: - Key: WindowTargetIds Values: - Ref: MaintenanceWindowTarget MaintenanceWindow: Type: AWS::SSM::MaintenanceWindow Properties: Name: MaintenanceWindow AllowUnassociatedTargets: true Cutoff: 0 Description: Maintenance window for instances Duration: 1 Schedule: cron(20 17 ? * MON-FRI *) MaintenanceWindowTarget: Type: AWS::SSM::MaintenanceWindowTarget Properties: ResourceType: RESOURCE_GROUP Targets: - Key: resource-groups:Name Values: - TestResourceGroup WindowId: Ref: MaintenanceWindow ``` ### Create a Run Command task that targets instances using a maintenance window target ID The following example creates a maintenance window Run Command task that installs patches on instances but does not reboot them. The maintenance window task targets managed instances using a maintenance window target ID. #### JSON ``` { "Resources": { "MaintenanceWindowRunCommandTask": { "Type": "AWS::SSM::MaintenanceWindowTask", "Properties": { "WindowId": "MaintenanceWindow", "Targets": [ { "Key": "WindowTargetIds", "Values": [ "MaintenanceWindowTarget" ] } ], "TaskType": "RUN_COMMAND", "TaskArn": "AWS-RunPatchBaseline", "TaskInvocationParameters": { "MaintenanceWindowRunCommandParameters": { "Parameters": { "Operation": [ "Install" ], "RebootOption": [ "NoReboot" ] } }, "MaxConcurrency": 7, "MaxErrors": 7, "Priority": 5 }, "DependsOn": "MaintenanceWindowTarget" } } } } ``` #### YAML ``` --- Resources: MaintenanceWindowRunCommandTask: Type: AWS::SSM::MaintenanceWindowTask Properties: WindowId: MaintenanceWindow Targets: - Key: WindowTargetIds Values: - MaintenanceWindowTarget TaskType: RUN_COMMAND TaskArn: AWS-RunPatchBaseline TaskInvocationParameters: MaintenanceWindowRunCommandParameters: Parameters: Operation: - Install RebootOption: - NoReboot MaxConcurrency: 7 MaxErrors: 7 Priority: 5 DependsOn: MaintenanceWindowTarget ``` ### Create a Run Command task that runs a PowerShell script The following example demonstrates running a command with `AWS-RunPowerShellScript`. #### JSON ``` { "Resources": { "MaintenanceWindowRunCommandTask": { "Type": "AWS::SSM::MaintenanceWindowTask", "Properties": { "WindowId": { "Ref": "MaintenanceWindow" }, "Targets": [ { "Key": "WindowTargetIds", "Values": [ "MaintenanceWindowTarget" ] } ], "TaskType": "RUN_COMMAND", "TaskArn": "AWS-RunPowerShellScript", "TaskInvocationParameters": { "MaintenanceWindowRunCommandParameters": { "Comment": "This is a comment", "CloudWatchOutputConfig": { "CloudWatchLogGroupName": "MyLogGroupName", "CloudWatchOutputEnabled": true }, "Parameters": { "executionTimeout": [ "3600" ], "commands": [ "Get-Service myImportantService | Restart-Service\nGet-ExecutionPolicy -List\nSet-ExecutionPolicy -Scope Process AllSigned\n" ] } } }, "MaxConcurrency": 7, "MaxErrors": 7, "Priority": 5 }, "DependsOn": "MaintenanceWindowTarget" } } } ``` #### YAML ``` --- Resources: MaintenanceWindowRunCommandTask: Type: 'AWS::SSM::MaintenanceWindowTask' Properties: WindowId: !Ref MaintenanceWindow Targets: - Key: WindowTargetIds Values: - MaintenanceWindowTarget TaskType: RUN_COMMAND TaskArn: AWS-RunPowerShellScript TaskInvocationParameters: MaintenanceWindowRunCommandParameters: Comment: This is a comment CloudWatchOutputConfig: CloudWatchLogGroupName: MyLogGroupName CloudWatchOutputEnabled: true Parameters: executionTimeout: - '3600' commands: - Get-Service myImportantService | Restart-Service - Get-ExecutionPolicy -List - Set-ExecutionPolicy -Scope Process AllSigned MaxConcurrency: 7 MaxErrors: 7 Priority: 5 DependsOn: MaintenanceWindowTarget ``` ### Create a task that runs an Automation runbook The following example creates a Systems Manager maintenance window task that uses the runbook `AWS-PatchInstanceWithRollback` to patch instances. #### JSON ``` { "Resources": { "MaintenanceWindowStepFunctionsTask": { "Type": "AWS::SSM::MaintenanceWindowTask", "Properties": { "WindowId": "MaintenanceWindow", "Targets": [ { "Key": "WindowTargetIds", "Values": [ "MaintenanceWindowTarget" ] } ], "TaskArn": "AWS-PatchInstanceWithRollback", "ServiceRoleArn": "arn:aws:iam::111222333444:role/MyMaintenanceWindowServiceRole", "TaskType": "AUTOMATION", "TaskInvocationParameters": { "MaintenanceWindowAutomationParameters": { "DocumentVersion": "1", "Parameters": { "InstanceId": [ "{{RESOURCE_ID}}" ] } } }, "Priority": 1, "MaxConcurrency": 5, "MaxErrors": 5, "Name": "AutomationTask" }, "DependsOn": "MaintenanceWindowTarget" } } } ``` #### YAML ``` --- Resources: MaintenanceWindowStepFunctionsTask: Type: AWS::SSM::MaintenanceWindowTask Properties: WindowId: MaintenanceWindow Targets: - Key: WindowTargetIds Values: - MaintenanceWindowTarget TaskArn: AWS-PatchInstanceWithRollback ServiceRoleArn: arn:aws:iam::111222333444:role/MyMaintenanceWindowServiceRole TaskType: AUTOMATION TaskInvocationParameters: MaintenanceWindowAutomationParameters: DocumentVersion: 1 Parameters: InstanceId: - '{{RESOURCE_ID}}' Priority: 1 MaxConcurrency: 5 MaxErrors: 5 Name: AutomationTask DependsOn: MaintenanceWindowTarget ``` ### Create a Step Functions task that targets a maintenance window target ID The following example creates a Systems Manager maintenance window task that runs the specified Step Function. The maintenance window task targets managed instances using a maintenance window target ID. #### JSON ``` { "Resources": { "MaintenanceWindowStepFunctionsTask": { "Type": "AWS::SSM::MaintenanceWindowTask", "Properties": { "WindowId": "MaintenanceWindow", "Targets": [ { "Key": "WindowTargetIds", "Values": [ "MaintenanceWindowTarget" ] } ], "TaskArn": "SSMStepFunctionDemo", "ServiceRoleArn": "StepFunctionRole.Arn", "TaskType": "STEP_FUNCTIONS", "TaskInvocationParameters": { "MaintenanceWindowStepFunctionsParameters": { "Input": "{\"instanceId\":\"{{TARGET_ID}}\", \"wait_time\": 20}", "Name": "{{INVOCATION_ID}}" } }, "Priority": 1, "MaxConcurrency": 5, "MaxErrors": 5, "Name": "StepFunctionsTask" }, "DependsOn": "MaintenanceWindowTarget" } } } ``` #### YAML ``` --- Resources: MaintenanceWindowStepFunctionsTask: Type: AWS::SSM::MaintenanceWindowTask Properties: WindowId: MaintenanceWindow Targets: - Key: WindowTargetIds Values: - MaintenanceWindowTarget TaskArn: SSMStepFunctionDemo ServiceRoleArn: StepFunctionRole.Arn TaskType: STEP_FUNCTIONS TaskInvocationParameters: MaintenanceWindowStepFunctionsParameters: Input: '{"instanceId":"{{TARGET_ID}}", "wait_time": 20}' Name: "{{INVOCATION_ID}}" Priority: 1 MaxConcurrency: 5 MaxErrors: 5 Name: StepFunctionsTask DependsOn: MaintenanceWindowTarget ``` ### Create a Step Functions task that targets an instance ID The following example creates a Systems Manager maintenance window task that runs the specified Step Function. The maintenance window task targets the specified instance IDs. #### JSON ``` { "Resources": { "StepFunctionsTask": { "Type": "AWS::SSM::MaintenanceWindowTask", "Properties": { "WindowId": "MaintenanceWindow", "Targets": [ { "Key": "InstanceIds", "Values": [ "i-012345678912345678" ] } ], "TaskArn": "SSMStepFunctionDemo", "ServiceRoleArn": "StepFunctionRole.Arn", "TaskType": "STEP_FUNCTIONS", "TaskInvocationParameters": { "MaintenanceWindowStepFunctionsParameters": { "Input": "{\"instanceId\":\"{{TARGET_ID}}\", \"wait_time\": 20}", "Name": "{{INVOCATION_ID}}" } }, "Priority": 1, "MaxConcurrency": 5, "MaxErrors": 5, "Name": "StepFunctionsTask" }, "DependsOn": "MaintenanceWindowTarget" } } } ``` #### YAML ``` --- Resources: StepFunctionsTask: Type: 'AWS::SSM::MaintenanceWindowTask' Properties: WindowId: MaintenanceWindow Targets: - Key: InstanceIds Values: - i-012345678912345678 TaskArn: SSMStepFunctionDemo ServiceRoleArn: StepFunctionRole.Arn TaskType: STEP_FUNCTIONS TaskInvocationParameters: MaintenanceWindowStepFunctionsParameters: Input: '{"instanceId":"{{TARGET_ID}}", "wait_time": 20}' Name: "{{INVOCATION_ID}}" Priority: 1 MaxConcurrency: 5 MaxErrors: 5 Name: StepFunctionsTask DependsOn: MaintenanceWindowTarget ``` ### Create a task that runs an AWS Lambda function The following example runs an AWS Lambda function to restart instances. **Note** The value for `Payload` in `MaintenanceWindowLambdaParameters` must be formatted as a Base64-encoded binary data object. #### JSON ``` { "Resources": { "LambdaTask": { "Type": "AWS::SSM::MaintenanceWindowTask", "Properties": { "WindowId": "mw-04fd6f19dfEXAMPLE", "TaskArn": "arn:aws:lambda:us-east-2:111222333444:function:MyLambdaTaskArn", "ServiceRoleArn": "arn:aws:iam::111222333444:role/aws-service-role/ssm.amazonaws.com/AWSServiceRoleForAmazonSSM", "TaskType": "LAMBDA", "TaskInvocationParameters": { "MaintenanceWindowLambdaParameters": { "ClientContext": "eyJ0ZXN0Q29udGV4dCI6Ik5vdGhp==trucated==EXAMPLE", "Qualifier": "$LATEST", "Payload": "eyJJbnN0YW5jZUlkIjoie3tSRVNPVVJDRV9JRH19IiwidGFyZ2V0VHlwZSI6Int7VEFSR0VUX1RZUEV9fSJ9" } }, "Priority": 1, "Name": "UpdateLambdaTaskEXAMPLE" } } } } ``` #### YAML ``` --- Resources: LambdaTask: Type: 'AWS::SSM::MaintenanceWindowTask' Properties: WindowId: mw-04fd6f19dfEXAMPLE TaskArn: >- arn:aws:lambda:us-east-2:111222333444:function:MyLambdaTaskArn ServiceRoleArn: >- arn:aws:iam::111222333444:role/aws-service-role/ssm.amazonaws.com/AWSServiceRoleForAmazonSSM TaskType: LAMBDA TaskInvocationParameters: MaintenanceWindowLambdaParameters: ClientContext: eyJ0ZXN0Q29udGV4dCI6Ik5vdGhp==trucated==EXAMPLE Qualifier: $LATEST Payload: >- eyJJbnN0YW5jZUlkIjoie3tSRVNPVVJDRV9JRH19IiwidGFyZ2V0VHlwZSI6Int7VEFSR0VUX1RZUEV9fSJ9 Priority: 1 Name: UpdateLambdaTaskEXAMPLE ``` ## See also + [AWS::SSM::MaintenanceWindow](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-maintenancewindow.html) + [AWS::SSM::MaintenanceWindowTarget](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-maintenancewindowtarget.html) + [RegisterTaskWithMaintenanceWindow](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_RegisterTaskWithMaintenanceWindow.html) in the *AWS Systems Manager API Reference*. # AWS::SSM::MaintenanceWindowTask CloudWatchOutputConfig Configuration options for sending command output to Amazon CloudWatch Logs. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[CloudWatchLogGroupName](#cfn-ssm-maintenancewindowtask-cloudwatchoutputconfig-cloudwatchloggroupname)" : String, "[CloudWatchOutputEnabled](#cfn-ssm-maintenancewindowtask-cloudwatchoutputconfig-cloudwatchoutputenabled)" : Boolean } ``` ### YAML ``` [CloudWatchLogGroupName](#cfn-ssm-maintenancewindowtask-cloudwatchoutputconfig-cloudwatchloggroupname): String [CloudWatchOutputEnabled](#cfn-ssm-maintenancewindowtask-cloudwatchoutputconfig-cloudwatchoutputenabled): Boolean ``` ## Properties `CloudWatchLogGroupName` The name of the CloudWatch Logs log group where you want to send command output. If you don't specify a group name, AWS Systems Manager automatically creates a log group for you. The log group uses the following naming format: `aws/ssm/SystemsManagerDocumentName` *Required*: No *Type*: String *Minimum*: `1` *Maximum*: `512` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `CloudWatchOutputEnabled` Enables Systems Manager to send command output to CloudWatch Logs. *Required*: No *Type*: Boolean *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SSM::MaintenanceWindowTask LoggingInfo **Note** `LoggingInfo` has been deprecated. To specify an Amazon S3 bucket to contain logs, instead use the `OutputS3BucketName` and `OutputS3KeyPrefix` options in the `TaskInvocationParameters` structure. For information about how Systems Manager handles these options for the supported maintenance window task types, see [AWS::SSM::MaintenanceWindowTask MaintenanceWindowRunCommandParameters](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ssm-maintenancewindowtask-maintenancewindowruncommandparameters.html). The `LoggingInfo` property type specifies information about the Amazon S3 bucket to write instance-level logs to. `LoggingInfo` is a property of the [AWS::SSM::MaintenanceWindowTask](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-maintenancewindowtask.html) resource. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Region](#cfn-ssm-maintenancewindowtask-logginginfo-region)" : String, "[S3Bucket](#cfn-ssm-maintenancewindowtask-logginginfo-s3bucket)" : String, "[S3Prefix](#cfn-ssm-maintenancewindowtask-logginginfo-s3prefix)" : String } ``` ### YAML ``` [Region](#cfn-ssm-maintenancewindowtask-logginginfo-region): String [S3Bucket](#cfn-ssm-maintenancewindowtask-logginginfo-s3bucket): String [S3Prefix](#cfn-ssm-maintenancewindowtask-logginginfo-s3prefix): String ``` ## Properties `Region` The AWS Region where the S3 bucket is located. *Required*: Yes *Type*: String *Minimum*: `3` *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `S3Bucket` The name of an S3 bucket where execution logs are stored. *Required*: Yes *Type*: String *Minimum*: `3` *Maximum*: `63` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `S3Prefix` The Amazon S3 bucket subfolder. *Required*: No *Type*: String *Maximum*: `500` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SSM::MaintenanceWindowTask MaintenanceWindowAutomationParameters The `MaintenanceWindowAutomationParameters` property type specifies the parameters for an `AUTOMATION` task type for a maintenance window task in AWS Systems Manager. `MaintenanceWindowAutomationParameters` is a property of the [TaskInvocationParameters](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ssm-maintenancewindowtask-taskinvocationparameters.html) property type. For information about available parameters in Automation runbooks, you can view the content of the runbook itself in the Systems Manager console. For information, see [View runbook content](https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-documents-reference-details.html#view-automation-json) in the *AWS Systems Manager User Guide*. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[DocumentVersion](#cfn-ssm-maintenancewindowtask-maintenancewindowautomationparameters-documentversion)" : String, "[Parameters](#cfn-ssm-maintenancewindowtask-maintenancewindowautomationparameters-parameters)" : Json } ``` ### YAML ``` [DocumentVersion](#cfn-ssm-maintenancewindowtask-maintenancewindowautomationparameters-documentversion): String [Parameters](#cfn-ssm-maintenancewindowtask-maintenancewindowautomationparameters-parameters): Json ``` ## Properties `DocumentVersion` The version of an Automation runbook to use during task execution. *Required*: No *Type*: String *Pattern*: `([$]LATEST|[$]DEFAULT|^[1-9][0-9]*$)` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Parameters` The parameters for the `AUTOMATION` type task. *Required*: No *Type*: Json *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SSM::MaintenanceWindowTask MaintenanceWindowLambdaParameters The `MaintenanceWindowLambdaParameters` property type specifies the parameters for a `LAMBDA` task type for a maintenance window task in AWS Systems Manager. `MaintenanceWindowLambdaParameters` is a property of the [TaskInvocationParameters](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ssm-maintenancewindowtask-taskinvocationparameters.html) property type. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[ClientContext](#cfn-ssm-maintenancewindowtask-maintenancewindowlambdaparameters-clientcontext)" : String, "[Payload](#cfn-ssm-maintenancewindowtask-maintenancewindowlambdaparameters-payload)" : String, "[Qualifier](#cfn-ssm-maintenancewindowtask-maintenancewindowlambdaparameters-qualifier)" : String } ``` ### YAML ``` [ClientContext](#cfn-ssm-maintenancewindowtask-maintenancewindowlambdaparameters-clientcontext): String [Payload](#cfn-ssm-maintenancewindowtask-maintenancewindowlambdaparameters-payload): String [Qualifier](#cfn-ssm-maintenancewindowtask-maintenancewindowlambdaparameters-qualifier): String ``` ## Properties `ClientContext` Client-specific information to pass to the AWS Lambda function that you're invoking. You can then use the `context` variable to process the client information in your AWS Lambda function. *Required*: No *Type*: String *Minimum*: `1` *Maximum*: `8000` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Payload` JSON to provide to your AWS Lambda function as input. Although `Type` is listed as "String" for this property, the payload content must be formatted as a Base64-encoded binary data object. *Length Constraint:* 4096 *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Qualifier` An AWS Lambda function version or alias name. If you specify a function version, the action uses the qualified function Amazon Resource Name (ARN) to invoke a specific Lambda function. If you specify an alias name, the action uses the alias ARN to invoke the Lambda function version that the alias points to. *Required*: No *Type*: String *Minimum*: `1` *Maximum*: `128` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SSM::MaintenanceWindowTask MaintenanceWindowRunCommandParameters The `MaintenanceWindowRunCommandParameters` property type specifies the parameters for a `RUN_COMMAND` task type for a maintenance window task in AWS Systems Manager. This means that these parameters are the same as those for the `SendCommand` API call. For more information about `SendCommand` parameters, see [SendCommand](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_SendCommand.html) in the *AWS Systems Manager API Reference*. For information about available parameters in SSM Command documents, you can view the content of the document itself in the Systems Manager console. For information, see [Viewing SSM command document content](https://docs.aws.amazon.com/systems-manager/latest/userguide/viewing-ssm-document-content.html) in the *AWS Systems Manager User Guide*. `MaintenanceWindowRunCommandParameters` is a property of the [TaskInvocationParameters](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ssm-maintenancewindowtask-taskinvocationparameters.html) property type. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[CloudWatchOutputConfig](#cfn-ssm-maintenancewindowtask-maintenancewindowruncommandparameters-cloudwatchoutputconfig)" : CloudWatchOutputConfig, "[Comment](#cfn-ssm-maintenancewindowtask-maintenancewindowruncommandparameters-comment)" : String, "[DocumentHash](#cfn-ssm-maintenancewindowtask-maintenancewindowruncommandparameters-documenthash)" : String, "[DocumentHashType](#cfn-ssm-maintenancewindowtask-maintenancewindowruncommandparameters-documenthashtype)" : String, "[DocumentVersion](#cfn-ssm-maintenancewindowtask-maintenancewindowruncommandparameters-documentversion)" : String, "[NotificationConfig](#cfn-ssm-maintenancewindowtask-maintenancewindowruncommandparameters-notificationconfig)" : NotificationConfig, "[OutputS3BucketName](#cfn-ssm-maintenancewindowtask-maintenancewindowruncommandparameters-outputs3bucketname)" : String, "[OutputS3KeyPrefix](#cfn-ssm-maintenancewindowtask-maintenancewindowruncommandparameters-outputs3keyprefix)" : String, "[Parameters](#cfn-ssm-maintenancewindowtask-maintenancewindowruncommandparameters-parameters)" : Json, "[ServiceRoleArn](#cfn-ssm-maintenancewindowtask-maintenancewindowruncommandparameters-servicerolearn)" : String, "[TimeoutSeconds](#cfn-ssm-maintenancewindowtask-maintenancewindowruncommandparameters-timeoutseconds)" : Integer } ``` ### YAML ``` [CloudWatchOutputConfig](#cfn-ssm-maintenancewindowtask-maintenancewindowruncommandparameters-cloudwatchoutputconfig): CloudWatchOutputConfig [Comment](#cfn-ssm-maintenancewindowtask-maintenancewindowruncommandparameters-comment): String [DocumentHash](#cfn-ssm-maintenancewindowtask-maintenancewindowruncommandparameters-documenthash): String [DocumentHashType](#cfn-ssm-maintenancewindowtask-maintenancewindowruncommandparameters-documenthashtype): String [DocumentVersion](#cfn-ssm-maintenancewindowtask-maintenancewindowruncommandparameters-documentversion): String [NotificationConfig](#cfn-ssm-maintenancewindowtask-maintenancewindowruncommandparameters-notificationconfig): NotificationConfig [OutputS3BucketName](#cfn-ssm-maintenancewindowtask-maintenancewindowruncommandparameters-outputs3bucketname): String [OutputS3KeyPrefix](#cfn-ssm-maintenancewindowtask-maintenancewindowruncommandparameters-outputs3keyprefix): String [Parameters](#cfn-ssm-maintenancewindowtask-maintenancewindowruncommandparameters-parameters): Json [ServiceRoleArn](#cfn-ssm-maintenancewindowtask-maintenancewindowruncommandparameters-servicerolearn): String [TimeoutSeconds](#cfn-ssm-maintenancewindowtask-maintenancewindowruncommandparameters-timeoutseconds): Integer ``` ## Properties `CloudWatchOutputConfig` Configuration options for sending command output to Amazon CloudWatch Logs. *Required*: No *Type*: [CloudWatchOutputConfig](aws-properties-ssm-maintenancewindowtask-cloudwatchoutputconfig.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Comment` Information about the command or commands to run. *Required*: No *Type*: String *Maximum*: `100` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `DocumentHash` The SHA-256 or SHA-1 hash created by the system when the document was created. SHA-1 hashes have been deprecated. *Required*: No *Type*: String *Maximum*: `256` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `DocumentHashType` The SHA-256 or SHA-1 hash type. SHA-1 hashes are deprecated. *Required*: No *Type*: String *Allowed values*: `Sha256 | Sha1` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `DocumentVersion` The AWS Systems Manager document (SSM document) version to use in the request. You can specify `$DEFAULT`, `$LATEST`, or a specific version number. If you run commands by using the AWS CLI, then you must escape the first two options by using a backslash. If you specify a version number, then you don't need to use the backslash. For example: `--document-version "\$DEFAULT"` `--document-version "\$LATEST"` `--document-version "3"` *Required*: No *Type*: String *Pattern*: `([$]LATEST|[$]DEFAULT|^[1-9][0-9]*$)` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `NotificationConfig` Configurations for sending notifications about command status changes on a per-managed node basis. *Required*: No *Type*: [NotificationConfig](aws-properties-ssm-maintenancewindowtask-notificationconfig.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `OutputS3BucketName` The name of the Amazon Simple Storage Service (Amazon S3) bucket. *Required*: No *Type*: String *Minimum*: `3` *Maximum*: `63` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `OutputS3KeyPrefix` The S3 bucket subfolder. *Required*: No *Type*: String *Maximum*: `500` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Parameters` The parameters for the `RUN_COMMAND` task execution. The supported parameters are the same as those for the `SendCommand` API call. For more information, see [SendCommand](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_SendCommand.html) in the *AWS Systems Manager API Reference*. *Required*: No *Type*: Json *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ServiceRoleArn` The Amazon Resource Name (ARN) of the IAM service role for AWS Systems Manager to assume when running a maintenance window task. If you do not specify a service role ARN, Systems Manager uses a service-linked role in your account. If no appropriate service-linked role for Systems Manager exists in your account, it is created when you run `RegisterTaskWithMaintenanceWindow`. However, for an improved security posture, we strongly recommend creating a custom policy and custom service role for running your maintenance window tasks. The policy can be crafted to provide only the permissions needed for your particular maintenance window tasks. For more information, see [Setting up Maintenance Windows](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-maintenance-permissions.html) in the in the *AWS Systems Manager User Guide*. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `TimeoutSeconds` If this time is reached and the command hasn't already started running, it doesn't run. *Required*: No *Type*: Integer *Minimum*: `30` *Maximum*: `2592000` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SSM::MaintenanceWindowTask MaintenanceWindowStepFunctionsParameters The `MaintenanceWindowStepFunctionsParameters` property type specifies the parameters for the execution of a `STEP_FUNCTIONS` task in a Systems Manager maintenance window. `MaintenanceWindowStepFunctionsParameters` is a property of the [TaskInvocationParameters](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ssm-maintenancewindowtask-taskinvocationparameters.html) property type. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Input](#cfn-ssm-maintenancewindowtask-maintenancewindowstepfunctionsparameters-input)" : String, "[Name](#cfn-ssm-maintenancewindowtask-maintenancewindowstepfunctionsparameters-name)" : String } ``` ### YAML ``` [Input](#cfn-ssm-maintenancewindowtask-maintenancewindowstepfunctionsparameters-input): String [Name](#cfn-ssm-maintenancewindowtask-maintenancewindowstepfunctionsparameters-name): String ``` ## Properties `Input` The inputs for the `STEP_FUNCTIONS` task. *Required*: No *Type*: String *Maximum*: `4096` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Name` The name of the `STEP_FUNCTIONS` task. *Required*: No *Type*: String *Minimum*: `1` *Maximum*: `80` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SSM::MaintenanceWindowTask NotificationConfig The `NotificationConfig` property type specifies configurations for sending notifications for a maintenance window task in AWS Systems Manager. `NotificationConfig` is a property of the [MaintenanceWindowRunCommandParameters](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ssm-maintenancewindowtask-maintenancewindowruncommandparameters.html) property type. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[NotificationArn](#cfn-ssm-maintenancewindowtask-notificationconfig-notificationarn)" : String, "[NotificationEvents](#cfn-ssm-maintenancewindowtask-notificationconfig-notificationevents)" : [ String, ... ], "[NotificationType](#cfn-ssm-maintenancewindowtask-notificationconfig-notificationtype)" : String } ``` ### YAML ``` [NotificationArn](#cfn-ssm-maintenancewindowtask-notificationconfig-notificationarn): String [NotificationEvents](#cfn-ssm-maintenancewindowtask-notificationconfig-notificationevents): - String [NotificationType](#cfn-ssm-maintenancewindowtask-notificationconfig-notificationtype): String ``` ## Properties `NotificationArn` An Amazon Resource Name (ARN) for an Amazon Simple Notification Service (Amazon SNS) topic. Run Command pushes notifications about command status changes to this topic. *Required*: Yes *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `NotificationEvents` The different events that you can receive notifications for. These events include the following: `All` (events), `InProgress`, `Success`, `TimedOut`, `Cancelled`, `Failed`. To learn more about these events, see [Configuring Amazon SNS Notifications for AWS Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/monitoring-sns-notifications.html) in the *AWS Systems Manager User Guide*. *Required*: No *Type*: Array of String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `NotificationType` The notification type. + `Command`: Receive notification when the status of a command changes. + `Invocation`: For commands sent to multiple instances, receive notification on a per-instance basis when the status of a command changes. *Required*: No *Type*: String *Allowed values*: `Command | Invocation` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SSM::MaintenanceWindowTask Target The `Target` property type specifies targets (either instances or window target IDs). You specify instances by using `Key=InstanceIds,Values=,`. You specify window target IDs using `Key=WindowTargetIds,Values=,` for a maintenance window task in AWS Systems Manager. `Target` is a property of the [AWS::SSM::MaintenanceWindowTask](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-maintenancewindowtask.html) property type. **Note** To use `resource-groups:Name` as the key for a maintenance window target, specify the resource group as a `AWS::SSM::MaintenanceWindowTarget` type, and use the `Ref` function to specify the target for `AWS::SSM::MaintenanceWindowTask`. For an example, see **Create a Run Command task that targets instances using a resource group name** in [AWS::SSM::MaintenanceWindowTask Examples](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-maintenancewindowtask.html#aws-resource-ssm-maintenancewindowtask--examples). ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Key](#cfn-ssm-maintenancewindowtask-target-key)" : String, "[Values](#cfn-ssm-maintenancewindowtask-target-values)" : [ String, ... ] } ``` ### YAML ``` [Key](#cfn-ssm-maintenancewindowtask-target-key): String [Values](#cfn-ssm-maintenancewindowtask-target-values): - String ``` ## Properties `Key` User-defined criteria for sending commands that target instances that meet the criteria. `Key` can be `InstanceIds` or `WindowTargetIds`. For more information about how to target instances within a maintenance window task, see [About 'register-task-with-maintenance-window' Options and Values](https://docs.aws.amazon.com/systems-manager/latest/userguide/register-tasks-options.html) in the *AWS Systems Manager User Guide*. *Required*: Yes *Type*: String *Pattern*: `^[\p{L}\p{Z}\p{N}_.:/=\-@]*$|resource-groups:ResourceTypeFilters|resource-groups:Name` *Minimum*: `1` *Maximum*: `163` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Values` User-defined criteria that maps to `Key`. For example, if you specify `InstanceIds`, you can specify `i-1234567890abcdef0,i-9876543210abcdef0` to run a command on two EC2 instances. For more information about how to target instances within a maintenance window task, see [About 'register-task-with-maintenance-window' Options and Values](https://docs.aws.amazon.com/systems-manager/latest/userguide/register-tasks-options.html) in the *AWS Systems Manager User Guide*. *Required*: Yes *Type*: Array of String *Minimum*: `0` *Maximum*: `50` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## See also + [RegisterTargetWithMaintenanceWindow](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_RegisterTargetWithMaintenanceWindow.html) in the *AWS Systems Manager API Reference*. # AWS::SSM::MaintenanceWindowTask TaskInvocationParameters The `TaskInvocationParameters` property type specifies the task execution parameters for a maintenance window task in AWS Systems Manager. `TaskInvocationParameters` is a property of the [AWS::SSM::MaintenanceWindowTask](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-maintenancewindowtask.html) property type. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[MaintenanceWindowAutomationParameters](#cfn-ssm-maintenancewindowtask-taskinvocationparameters-maintenancewindowautomationparameters)" : MaintenanceWindowAutomationParameters, "[MaintenanceWindowLambdaParameters](#cfn-ssm-maintenancewindowtask-taskinvocationparameters-maintenancewindowlambdaparameters)" : MaintenanceWindowLambdaParameters, "[MaintenanceWindowRunCommandParameters](#cfn-ssm-maintenancewindowtask-taskinvocationparameters-maintenancewindowruncommandparameters)" : MaintenanceWindowRunCommandParameters, "[MaintenanceWindowStepFunctionsParameters](#cfn-ssm-maintenancewindowtask-taskinvocationparameters-maintenancewindowstepfunctionsparameters)" : MaintenanceWindowStepFunctionsParameters } ``` ### YAML ``` [MaintenanceWindowAutomationParameters](#cfn-ssm-maintenancewindowtask-taskinvocationparameters-maintenancewindowautomationparameters): MaintenanceWindowAutomationParameters [MaintenanceWindowLambdaParameters](#cfn-ssm-maintenancewindowtask-taskinvocationparameters-maintenancewindowlambdaparameters): MaintenanceWindowLambdaParameters [MaintenanceWindowRunCommandParameters](#cfn-ssm-maintenancewindowtask-taskinvocationparameters-maintenancewindowruncommandparameters): MaintenanceWindowRunCommandParameters [MaintenanceWindowStepFunctionsParameters](#cfn-ssm-maintenancewindowtask-taskinvocationparameters-maintenancewindowstepfunctionsparameters): MaintenanceWindowStepFunctionsParameters ``` ## Properties `MaintenanceWindowAutomationParameters` The parameters for an `AUTOMATION` task type. *Required*: No *Type*: [MaintenanceWindowAutomationParameters](aws-properties-ssm-maintenancewindowtask-maintenancewindowautomationparameters.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `MaintenanceWindowLambdaParameters` The parameters for a `LAMBDA` task type. *Required*: No *Type*: [MaintenanceWindowLambdaParameters](aws-properties-ssm-maintenancewindowtask-maintenancewindowlambdaparameters.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `MaintenanceWindowRunCommandParameters` The parameters for a `RUN_COMMAND` task type. *Required*: No *Type*: [MaintenanceWindowRunCommandParameters](aws-properties-ssm-maintenancewindowtask-maintenancewindowruncommandparameters.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `MaintenanceWindowStepFunctionsParameters` The parameters for a `STEP_FUNCTIONS` task type. *Required*: No *Type*: [MaintenanceWindowStepFunctionsParameters](aws-properties-ssm-maintenancewindowtask-maintenancewindowstepfunctionsparameters.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SSM::Parameter The `AWS::SSM::Parameter` resource creates an SSM parameter in AWS Systems Manager Parameter Store. **Note** To create an SSM parameter, you must have the AWS Identity and Access Management (IAM) permissions `ssm:PutParameter` and `ssm:AddTagsToResource`. On stack creation, AWS CloudFormation adds the following three tags to the parameter: `aws:cloudformation:stack-name`, `aws:cloudformation:logical-id`, and `aws:cloudformation:stack-id`, in addition to any custom tags you specify. To add, update, or remove tags during stack update, you must have IAM permissions for both `ssm:AddTagsToResource` and `ssm:RemoveTagsFromResource`. For more information, see [Managing access using policies](https://docs.aws.amazon.com/systems-manager/latest/userguide/security-iam.html#security_iam_access-manage) in the *AWS Systems Manager User Guide*. For information about valid values for parameters, see [About requirements and constraints for parameter names](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-su-create.html#sysman-parameter-name-constraints) in the *AWS Systems Manager User Guide* and [PutParameter](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_PutParameter.html) in the *AWS Systems Manager API Reference*. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "Type" : "AWS::SSM::Parameter", "Properties" : { "[AllowedPattern](#cfn-ssm-parameter-allowedpattern)" : String, "[DataType](#cfn-ssm-parameter-datatype)" : String, "[Description](#cfn-ssm-parameter-description)" : String, "[Name](#cfn-ssm-parameter-name)" : String, "[Policies](#cfn-ssm-parameter-policies)" : String, "[Tags](#cfn-ssm-parameter-tags)" : {Key: Value, ...}, "[Tier](#cfn-ssm-parameter-tier)" : String, "[Type](#cfn-ssm-parameter-type)" : String, "[Value](#cfn-ssm-parameter-value)" : String } } ``` ### YAML ``` Type: AWS::SSM::Parameter Properties: [AllowedPattern](#cfn-ssm-parameter-allowedpattern): String [DataType](#cfn-ssm-parameter-datatype): String [Description](#cfn-ssm-parameter-description): String [Name](#cfn-ssm-parameter-name): String [Policies](#cfn-ssm-parameter-policies): String [Tags](#cfn-ssm-parameter-tags): Key: Value [Tier](#cfn-ssm-parameter-tier): String [Type](#cfn-ssm-parameter-type): String [Value](#cfn-ssm-parameter-value): String ``` ## Properties `AllowedPattern` A regular expression used to validate the parameter value. For example, for `String` types with values restricted to numbers, you can specify the following: `AllowedPattern=^\d+$` *Required*: No *Type*: String *Minimum*: `0` *Maximum*: `1024` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `DataType` The data type of the parameter, such as `text` or `aws:ec2:image`. The default is `text`. *Required*: No *Type*: String *Allowed values*: `text | aws:ec2:image` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Description` Information about the parameter. *Required*: No *Type*: String *Minimum*: `0` *Maximum*: `1024` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Name` The name of the parameter. The reported maximum length of 2048 characters for a parameter name includes 1037 characters that are reserved for internal use by Systems Manager. The maximum length for a parameter name that you specify is 1011 characters. This count of 1011 characters includes the characters in the ARN that precede the name you specify. This ARN length will vary depending on your partition and Region. For example, the following 45 characters count toward the 1011 character maximum for a parameter created in the US East (Ohio) Region: `arn:aws:ssm:us-east-2:111122223333:parameter/`. *Required*: No *Type*: String *Minimum*: `1` *Maximum*: `2048` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `Policies` Information about the policies assigned to a parameter. [Assigning parameter policies](https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-policies.html) in the *AWS Systems Manager User Guide*. *Required*: No *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Tags` Optional metadata that you assign to a resource in the form of an arbitrary set of tags (key-value pairs). Tags enable you to categorize a resource in different ways, such as by purpose, owner, or environment. For example, you might want to tag a Systems Manager parameter to identify the type of resource to which it applies, the environment, or the type of configuration data referenced by the parameter. *Required*: No *Type*: Object of String *Pattern*: `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Tier` The parameter tier. *Required*: No *Type*: String *Allowed values*: `Standard | Advanced | Intelligent-Tiering` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Type` The type of parameter. Parameters of type `SecureString` are not supported by AWS CloudFormation. *Required*: Yes *Type*: String *Allowed values*: `String | StringList` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Value` The parameter value. If type is `StringList`, the system returns a comma-separated string with no spaces between commas in the `Value` field. *Required*: Yes *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Return values ### Ref When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the name of the SSM parameter. For example, `ssm-myparameter-ABCNPH3XCAO6`. For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html). ### Fn::GetAtt The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values. For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html). **Note** Due to eventual consistency of the underlying API, a `{ Fn::GetValue }` of an SSM Parameter that was just created may fail. Either avoid using `{ Fn::GetAtt }` on an SSM Parameter, or be aware that stack creation may sometimes fail and you will need to retry. #### `Type` Returns the type of the parameter. Valid values are `String` or `StringList`. `Value` Returns the value of the parameter. ## Examples **Topics** + [Create a String-type parameter](#aws-resource-ssm-parameter--examples--Create_a_String-type_parameter) + [Create a StringList-type parameter](#aws-resource-ssm-parameter--examples--Create_a_StringList-type_parameter) + [Create an advanced tier parameter and assign a policy](#aws-resource-ssm-parameter--examples--Create_an_advanced_tier_parameter_and_assign_a_policy) ### Create a String-type parameter The following example creates a Systems Manager parameter named command with a `String` type and adds the tag key-value pair `"Environment":"Dev"`. #### JSON ``` { "Resources": { "BasicParameter": { "Type": "AWS::SSM::Parameter", "Properties": { "Name": "command", "Type": "String", "Value": "date", "Description": "SSM Parameter for running date command.", "AllowedPattern": "^[a-zA-Z]{1,10}$", "Tags": { "Environment": "DEV" } } } } } ``` #### YAML ``` --- Resources: BasicParameter: Type: AWS::SSM::Parameter Properties: Name: command Type: String Value: date Description: SSM Parameter for running date command. AllowedPattern: "^[a-zA-Z]{1,10}$" Tags: Environment: DEV ``` ### Create a StringList-type parameter The following example creates a Systems Manager parameter named commands with a `StringList` type. #### JSON ``` { "Resources": { "BasicParameter": { "Type": "AWS::SSM::Parameter", "Properties": { "Name": "commands", "Type": "StringList", "Value": "date,ls", "Description": "SSM Parameter of type StringList.", "AllowedPattern": "^[a-zA-Z]{1,10}$" } } } } ``` #### YAML ``` --- Resources: BasicParameter: Type: AWS::SSM::Parameter Properties: Name: commands Type: StringList Value: date,ls Description: SSM parameter of type StringList. AllowedPattern: "^[a-zA-Z]{1,10}$" ``` ### Create an advanced tier parameter and assign a policy The following example creates a Systems Manager advanced tier parameter named 'command' with a `String` type and a parameter policy. #### JSON ``` { "Resources": { "BasicParameter": { "Type": "AWS::SSM::Parameter", "Properties": { "Name": "command", "Type": "String", "Value": "date", "Tier": "Advanced", "Policies": "[{\"Type\":\"Expiration\",\"Version\":\"1.0\",\"Attributes\":{\"Timestamp\":\"2020-05-13T00:00:00.000Z\"}},{\"Type\":\"ExpirationNotification\",\"Version\":\"1.0\",\"Attributes\":{\"Before\":\"5\",\"Unit\":\"Days\"}},{\"Type\":\"NoChangeNotification\",\"Version\":\"1.0\",\"Attributes\":{\"After\":\"60\",\"Unit\":\"Days\"}}]", "Description": "SSM Parameter for running date command.", "AllowedPattern": "^[a-zA-Z]{1,10}$", "Tags": { "Environment": "DEV" } } } } } ``` #### YAML ``` --- Resources: BasicParameter: Type: AWS::SSM::Parameter Properties: Name: command Type: String Value: date Tier: Advanced Policies: '[{"Type":"Expiration","Version":"1.0","Attributes":{"Timestamp":"2020-05-13T00:00:00.000Z"}},{"Type":"ExpirationNotification","Version":"1.0","Attributes":{"Before":"5","Unit":"Days"}},{"Type":"NoChangeNotification","Version":"1.0","Attributes":{"After":"60","Unit":"Days"}}]' Description: SSM parameter for running date command. AllowedPattern: "^[a-zA-Z]{1,10}$" Tags: Environment: DEV ``` ## See also + [AWS Systems Manager Parameter Store](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html) + [Managing parameters tiers](https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-advanced-parameters.html) + [Assigning parameter policies](https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-policies.html) # AWS::SSM::PatchBaseline The `AWS::SSM::PatchBaseline` resource defines the basic information for an AWS Systems Manager patch baseline. A patch baseline defines which patches are approved for installation on your instances. For more information, see [CreatePatchBaseline](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_CreatePatchBaseline.html) in the *AWS Systems Manager API Reference*. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "Type" : "AWS::SSM::PatchBaseline", "Properties" : { "[ApprovalRules](#cfn-ssm-patchbaseline-approvalrules)" : RuleGroup, "[ApprovedPatches](#cfn-ssm-patchbaseline-approvedpatches)" : [ String, ... ], "[ApprovedPatchesComplianceLevel](#cfn-ssm-patchbaseline-approvedpatchescompliancelevel)" : String, "[ApprovedPatchesEnableNonSecurity](#cfn-ssm-patchbaseline-approvedpatchesenablenonsecurity)" : Boolean, "[AvailableSecurityUpdatesComplianceStatus](#cfn-ssm-patchbaseline-availablesecurityupdatescompliancestatus)" : String, "[DefaultBaseline](#cfn-ssm-patchbaseline-defaultbaseline)" : Boolean, "[Description](#cfn-ssm-patchbaseline-description)" : String, "[GlobalFilters](#cfn-ssm-patchbaseline-globalfilters)" : PatchFilterGroup, "[Name](#cfn-ssm-patchbaseline-name)" : String, "[OperatingSystem](#cfn-ssm-patchbaseline-operatingsystem)" : String, "[PatchGroups](#cfn-ssm-patchbaseline-patchgroups)" : [ String, ... ], "[RejectedPatches](#cfn-ssm-patchbaseline-rejectedpatches)" : [ String, ... ], "[RejectedPatchesAction](#cfn-ssm-patchbaseline-rejectedpatchesaction)" : String, "[Sources](#cfn-ssm-patchbaseline-sources)" : [ PatchSource, ... ], "[Tags](#cfn-ssm-patchbaseline-tags)" : [ Tag, ... ] } } ``` ### YAML ``` Type: AWS::SSM::PatchBaseline Properties: [ApprovalRules](#cfn-ssm-patchbaseline-approvalrules): RuleGroup [ApprovedPatches](#cfn-ssm-patchbaseline-approvedpatches): - String [ApprovedPatchesComplianceLevel](#cfn-ssm-patchbaseline-approvedpatchescompliancelevel): String [ApprovedPatchesEnableNonSecurity](#cfn-ssm-patchbaseline-approvedpatchesenablenonsecurity): Boolean [AvailableSecurityUpdatesComplianceStatus](#cfn-ssm-patchbaseline-availablesecurityupdatescompliancestatus): String [DefaultBaseline](#cfn-ssm-patchbaseline-defaultbaseline): Boolean [Description](#cfn-ssm-patchbaseline-description): String [GlobalFilters](#cfn-ssm-patchbaseline-globalfilters): PatchFilterGroup [Name](#cfn-ssm-patchbaseline-name): String [OperatingSystem](#cfn-ssm-patchbaseline-operatingsystem): String [PatchGroups](#cfn-ssm-patchbaseline-patchgroups): - String [RejectedPatches](#cfn-ssm-patchbaseline-rejectedpatches): - String [RejectedPatchesAction](#cfn-ssm-patchbaseline-rejectedpatchesaction): String [Sources](#cfn-ssm-patchbaseline-sources): - PatchSource [Tags](#cfn-ssm-patchbaseline-tags): - Tag ``` ## Properties `ApprovalRules` A set of rules used to include patches in the baseline. *Required*: No *Type*: [RuleGroup](aws-properties-ssm-patchbaseline-rulegroup.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ApprovedPatches` A list of explicitly approved patches for the baseline. For information about accepted formats for lists of approved patches and rejected patches, see [Package name formats for approved and rejected patch lists](https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-approved-rejected-package-name-formats.html) in the *AWS Systems Manager User Guide*. *Required*: No *Type*: Array of String *Minimum*: `1 | 0` *Maximum*: `100 | 50` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ApprovedPatchesComplianceLevel` Defines the compliance level for approved patches. When an approved patch is reported as missing, this value describes the severity of the compliance violation. The default value is `UNSPECIFIED`. *Required*: No *Type*: String *Allowed values*: `CRITICAL | HIGH | MEDIUM | LOW | INFORMATIONAL | UNSPECIFIED` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ApprovedPatchesEnableNonSecurity` Indicates whether the list of approved patches includes non-security updates that should be applied to the managed nodes. The default value is `false`. Applies to Linux managed nodes only. *Required*: No *Type*: Boolean *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `AvailableSecurityUpdatesComplianceStatus` Indicates the status you want to assign to security patches that are available but not approved because they don't meet the installation criteria specified in the patch baseline. Example scenario: Security patches that you might want installed can be skipped if you have specified a long period to wait after a patch is released before installation. If an update to the patch is released during your specified waiting period, the waiting period for installing the patch starts over. If the waiting period is too long, multiple versions of the patch could be released but never installed. Supported for Windows Server managed nodes only. *Required*: No *Type*: String *Allowed values*: `NON_COMPLIANT | COMPLIANT` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `DefaultBaseline` Indicates whether this is the default baseline. AWS Systems Manager supports creating multiple default patch baselines. For example, you can create a default patch baseline for each operating system. *Required*: No *Type*: Boolean *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Description` A description of the patch baseline. *Required*: No *Type*: String *Minimum*: `1` *Maximum*: `1024` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `GlobalFilters` A set of global filters used to include patches in the baseline. The `GlobalFilters` parameter can be configured only by using the AWS CLI or an AWS SDK. It can't be configured from the Patch Manager console, and its value isn't displayed in the console. *Required*: No *Type*: [PatchFilterGroup](aws-properties-ssm-patchbaseline-patchfiltergroup.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Name` The name of the patch baseline. *Required*: Yes *Type*: String *Pattern*: `^[a-zA-Z0-9_\-.]{3,128}$` *Minimum*: `3` *Maximum*: `128` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `OperatingSystem` Defines the operating system the patch baseline applies to. The default value is `WINDOWS`. *Required*: No *Type*: String *Allowed values*: `WINDOWS | AMAZON_LINUX | AMAZON_LINUX_2 | AMAZON_LINUX_2022 | AMAZON_LINUX_2023 | UBUNTU | REDHAT_ENTERPRISE_LINUX | SUSE | CENTOS | ORACLE_LINUX | DEBIAN | MACOS | RASPBIAN | ROCKY_LINUX | ALMA_LINUX` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `PatchGroups` The name of the patch group to be registered with the patch baseline. *Required*: No *Type*: Array of String *Minimum*: `1` *Maximum*: `256` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `RejectedPatches` A list of explicitly rejected patches for the baseline. For information about accepted formats for lists of approved patches and rejected patches, see [Package name formats for approved and rejected patch lists](https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-approved-rejected-package-name-formats.html) in the *AWS Systems Manager User Guide*. *Required*: No *Type*: Array of String *Minimum*: `1 | 0` *Maximum*: `100 | 50` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `RejectedPatchesAction` The action for Patch Manager to take on patches included in the `RejectedPackages` list. ALLOW\$1AS\$1DEPENDENCY **Linux and macOS**: A package in the rejected patches list is installed only if it is a dependency of another package. It is considered compliant with the patch baseline, and its status is reported as `INSTALLED_OTHER`. This is the default action if no option is specified. **Windows Server**: Windows Server doesn't support the concept of package dependencies. If a package in the rejected patches list and already installed on the node, its status is reported as `INSTALLED_OTHER`. Any package not already installed on the node is skipped. This is the default action if no option is specified. BLOCK **All OSs**: Packages in the rejected patches list, and packages that include them as dependencies, aren't installed by Patch Manager under any circumstances. State value assignment for patch compliance: + If a package was installed before it was added to the rejected patches list, or is installed outside of Patch Manager afterward, it's considered noncompliant with the patch baseline and its status is reported as `INSTALLED_REJECTED`. + If an update attempts to install a dependency package that is now rejected by the baseline, when previous versions of the package were not rejected, the package being updated is reported as `MISSING` for `SCAN` operations and as `FAILED` for `INSTALL` operations. *Required*: No *Type*: String *Allowed values*: `ALLOW_AS_DEPENDENCY | BLOCK` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Sources` Information about the patches to use to update the managed nodes, including target operating systems and source repositories. Applies to Linux managed nodes only. *Required*: No *Type*: Array of [PatchSource](aws-properties-ssm-patchbaseline-patchsource.md) *Minimum*: `0` *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Tags` Optional metadata that you assign to a resource. Tags enable you to categorize a resource in different ways, such as by purpose, owner, or environment. For example, you might want to tag a patch baseline to identify the severity level of patches it specifies and the operating system family it applies to. *Required*: No *Type*: Array of [Tag](aws-properties-ssm-patchbaseline-tag.md) *Minimum*: `0` *Maximum*: `1000` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Return values ### Ref When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the patch baseline ID, such as `pb-abcde1234567890yz`. **Note** The ID of the default patch baseline provided by AWS is an Amazon Resource Name (ARN), for example `arn:aws:ssm:us-west-2:123456789012:patchbaseline/abcde1234567890yz`. For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html). ### Fn::GetAtt The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values. For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html). ## Examples ### Create a patch baseline The following example creates a Systems Manager patch baseline that approves patches for Windows Server 2019 instances seven days after they are released by Microsoft. The patch baseline also approves patches for Active Directory seven days after they are released by Microsoft. #### ``` { "Resources": { "myPatchBaseline": { "Type": "AWS::SSM::PatchBaseline", "Properties": { "Name": "myPatchBaseline", "Description": "Baseline containing all updates approved for Windows instances", "OperatingSystem": "WINDOWS", "PatchGroups": [ "myPatchGroup" ], "ApprovalRules": { "PatchRules": [ { "PatchFilterGroup": { "PatchFilters": [ { "Values": [ "Critical", "Important", "Moderate" ], "Key": "MSRC_SEVERITY" }, { "Values": [ "SecurityUpdates", "CriticalUpdates" ], "Key": "CLASSIFICATION" }, { "Values": [ "WindowsServer2019" ], "Key": "PRODUCT" } ] }, "ApproveAfterDays": 7, "ComplianceLevel": "CRITICAL" }, { "PatchFilterGroup": { "PatchFilters": [ { "Values": [ "Critical", "Important", "Moderate" ], "Key": "MSRC_SEVERITY" }, { "Values": [ "*" ], "Key": "CLASSIFICATION" }, { "Values": [ "APPLICATION" ], "Key": "PATCH_SET" }, { "Values": [ "Active Directory Rights Management Services Client 2.0" ], "Key": "PRODUCT" }, { "Values": [ "Active Directory" ], "Key": "PRODUCT_FAMILY" } ] }, "ApproveAfterDays": 7, "ComplianceLevel": "CRITICAL" } ] } } } } } ``` #### YAML ``` --- Resources: myPatchBaseline: Type: AWS::SSM::PatchBaseline Properties: Name: myPatchBaseline Description: Baseline containing all updates approved for Windows instances OperatingSystem: WINDOWS PatchGroups: - myPatchGroup ApprovalRules: PatchRules: - PatchFilterGroup: PatchFilters: - Values: - Critical - Important - Moderate Key: MSRC_SEVERITY - Values: - SecurityUpdates - CriticalUpdates Key: CLASSIFICATION - Values: - WindowsServer2019 Key: PRODUCT ApproveAfterDays: 7 ComplianceLevel: CRITICAL - PatchFilterGroup: PatchFilters: - Values: - Critical - Important - Moderate Key: MSRC_SEVERITY - Values: - "*" Key: CLASSIFICATION - Values: - APPLICATION Key: PATCH_SET - Values: - Active Directory Rights Management Services Client 2.0 Key: PRODUCT - Values: - Active Directory Key: PRODUCT_FAMILY ApproveAfterDays: 7 ComplianceLevel: CRITICAL ``` ## See also + [CreatePatchBaseline](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_CreatePatchBaseline.html) in the *AWS Systems Manager API Reference*. # AWS::SSM::PatchBaseline PatchFilter The `PatchFilter` property type defines a patch filter for an AWS Systems Manager patch baseline. The `PatchFilters` property of the [PatchFilterGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ssm-patchbaseline-patchfiltergroup.html) property type contains a list of `PatchFilter` property types. You can view lists of valid values for the patch properties by running the `DescribePatchProperties` command. For more information, see [DescribePatchProperties](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_DescribePatchProperties.html) in the *AWS Systems Manager API Reference*. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Key](#cfn-ssm-patchbaseline-patchfilter-key)" : String, "[Values](#cfn-ssm-patchbaseline-patchfilter-values)" : [ String, ... ] } ``` ### YAML ``` [Key](#cfn-ssm-patchbaseline-patchfilter-key): String [Values](#cfn-ssm-patchbaseline-patchfilter-values): - String ``` ## Properties `Key` The key for the filter. For information about valid keys, see [PatchFilter](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_PatchFilter.html) in the *AWS Systems Manager API Reference*. *Required*: No *Type*: String *Allowed values*: `ADVISORY_ID | ARCH | BUGZILLA_ID | CLASSIFICATION | CVE_ID | EPOCH | MSRC_SEVERITY | NAME | PATCH_ID | PATCH_SET | PRIORITY | PRODUCT | PRODUCT_FAMILY | RELEASE | REPOSITORY | SECTION | SECURITY | SEVERITY | VERSION` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Values` The value for the filter key. For information about valid values for each key based on operating system type, see [PatchFilter](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_PatchFilter.html) in the *AWS Systems Manager API Reference*. *Required*: No *Type*: Array of String *Minimum*: `1 | 0` *Maximum*: `64 | 20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SSM::PatchBaseline PatchFilterGroup The `PatchFilterGroup` property type specifies a set of patch filters for an AWS Systems Manager patch baseline, typically used for approval rules for a Systems Manager patch baseline. `PatchFilterGroup` is the property type for the `GlobalFilters` property of the [AWS::SSM::PatchBaseline](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-patchbaseline.html) resource and the `PatchFilterGroup` property of the [Rule](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ssm-patchbaseline-rule.html) property type. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[PatchFilters](#cfn-ssm-patchbaseline-patchfiltergroup-patchfilters)" : [ PatchFilter, ... ] } ``` ### YAML ``` [PatchFilters](#cfn-ssm-patchbaseline-patchfiltergroup-patchfilters): - PatchFilter ``` ## Properties `PatchFilters` The set of patch filters that make up the group. *Required*: No *Type*: Array of [PatchFilter](aws-properties-ssm-patchbaseline-patchfilter.md) *Minimum*: `0` *Maximum*: `5` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SSM::PatchBaseline PatchSource `PatchSource` is the property type for the `Sources` resource of the [AWS::SSM::PatchBaseline](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-patchbaseline.html) resource. The AWS CloudFormation`AWS::SSM::PatchSource` resource is used to provide information about the patches to use to update target instances, including target operating systems and source repository. Applies to Linux managed nodes only. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Configuration](#cfn-ssm-patchbaseline-patchsource-configuration)" : String, "[Name](#cfn-ssm-patchbaseline-patchsource-name)" : String, "[Products](#cfn-ssm-patchbaseline-patchsource-products)" : [ String, ... ] } ``` ### YAML ``` [Configuration](#cfn-ssm-patchbaseline-patchsource-configuration): String [Name](#cfn-ssm-patchbaseline-patchsource-name): String [Products](#cfn-ssm-patchbaseline-patchsource-products): - String ``` ## Properties `Configuration` The value of the repo configuration. **Example for yum repositories** `[main]` `name=MyCustomRepository` `baseurl=https://my-custom-repository` `enabled=1` For information about other options available for your yum repository configuration, see [dnf.conf(5)](https://man7.org/linux/man-pages/man5/dnf.conf.5.html) on the *man7.org* website. **Examples for Ubuntu Server and Debian Server** `deb http://security.ubuntu.com/ubuntu jammy main` `deb https://site.example.com/debian distribution component1 component2 component3` Repo information for Ubuntu Server repositories must be specifed in a single line. For more examples and information, see [jammy (5) sources.list.5.gz](https://manpages.ubuntu.com/manpages/jammy/man5/sources.list.5.html) on the *Ubuntu Server Manuals* website and [sources.list format](https://wiki.debian.org/SourcesList#sources.list_format) on the *Debian Wiki*. *Required*: No *Type*: String *Minimum*: `1` *Maximum*: `1024` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Name` The name specified to identify the patch source. *Required*: No *Type*: String *Pattern*: `^[a-zA-Z0-9_\-.]{3,50}$` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Products` The specific operating system versions a patch repository applies to, such as "Ubuntu16.04", "RedhatEnterpriseLinux7.2" or "Suse12.7". For lists of supported product values, see [PatchFilter](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_PatchFilter.html) in the *AWS Systems Manager API Reference*. *Required*: No *Type*: Array of String *Minimum*: `1 | 0` *Maximum*: `128 | 20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SSM::PatchBaseline Rule The `Rule` property type specifies an approval rule for a Systems Manager patch baseline. The `PatchRules` property of the [RuleGroup](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ssm-patchbaseline-rulegroup.html) property type contains a list of `Rule` property types. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[ApproveAfterDays](#cfn-ssm-patchbaseline-rule-approveafterdays)" : Integer, "[ApproveUntilDate](#cfn-ssm-patchbaseline-rule-approveuntildate)" : String, "[ComplianceLevel](#cfn-ssm-patchbaseline-rule-compliancelevel)" : String, "[EnableNonSecurity](#cfn-ssm-patchbaseline-rule-enablenonsecurity)" : Boolean, "[PatchFilterGroup](#cfn-ssm-patchbaseline-rule-patchfiltergroup)" : PatchFilterGroup } ``` ### YAML ``` [ApproveAfterDays](#cfn-ssm-patchbaseline-rule-approveafterdays): Integer [ApproveUntilDate](#cfn-ssm-patchbaseline-rule-approveuntildate): String [ComplianceLevel](#cfn-ssm-patchbaseline-rule-compliancelevel): String [EnableNonSecurity](#cfn-ssm-patchbaseline-rule-enablenonsecurity): Boolean [PatchFilterGroup](#cfn-ssm-patchbaseline-rule-patchfiltergroup): PatchFilterGroup ``` ## Properties `ApproveAfterDays` The number of days after the release date of each patch matched by the rule that the patch is marked as approved in the patch baseline. For example, a value of `7` means that patches are approved seven days after they are released. Patch Manager evaluates patch release dates using Coordinated Universal Time (UTC). If a patch is released at `2025-11-09T18:00:00Z` and `ApproveAfterDays` is set to `7`, the patch will be approved after `2025-11-16T18:00:00Z`. This parameter is marked as `Required: No`, but your request must include a value for either `ApproveAfterDays` or `ApproveUntilDate`. Not supported for Debian Server or Ubuntu Server. Use caution when setting this value for Windows Server patch baselines. Because patch updates that are replaced by later updates are removed, setting too broad a value for this parameter can result in crucial patches not being installed. For more information, see the **Windows Server** tab in the topic [How security patches are selected](https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-selecting-patches.html) in the *AWS Systems Manager User Guide*. *Required*: No *Type*: Integer *Minimum*: `0` *Maximum*: `360` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ApproveUntilDate` The cutoff date for auto approval of released patches. Any patches released on or before this date are installed automatically. Enter dates in the format `YYYY-MM-DD`. For example, `2025-11-16`. Patch Manager evaluates patch release dates using Coordinated Universal Time (UTC). If you enter the date `2025-11-16`, patches released between `2025-11-16T00:00:00Z` and `2025-11-16T23:59:59Z` will be included in the approval. This parameter is marked as `Required: No`, but your request must include a value for either `ApproveUntilDate` or `ApproveAfterDays`. Not supported for Debian Server or Ubuntu Server. Use caution when setting this value for Windows Server patch baselines. Because patch updates that are replaced by later updates are removed, setting too broad a value for this parameter can result in crucial patches not being installed. For more information, see the **Windows Server** tab in the topic [How security patches are selected](https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-selecting-patches.html) in the *AWS Systems Manager User Guide*. *Required*: No *Type*: String *Minimum*: `0` *Maximum*: `10` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ComplianceLevel` A compliance severity level for all approved patches in a patch baseline. Valid compliance severity levels include the following: `UNSPECIFIED`, `CRITICAL`, `HIGH`, `MEDIUM`, `LOW`, and `INFORMATIONAL`. *Required*: No *Type*: String *Allowed values*: `CRITICAL | HIGH | INFORMATIONAL | LOW | MEDIUM | UNSPECIFIED` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `EnableNonSecurity` For managed nodes identified by the approval rule filters, enables a patch baseline to apply non-security updates available in the specified repository. The default value is `false`. Applies to Linux managed nodes only. *Required*: No *Type*: Boolean *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `PatchFilterGroup` The patch filter group that defines the criteria for the rule. *Required*: No *Type*: [PatchFilterGroup](aws-properties-ssm-patchbaseline-patchfiltergroup.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## See also + [PatchRule](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_PatchRule.html) in the *AWS Systems Manager API Reference*. # AWS::SSM::PatchBaseline RuleGroup The `RuleGroup` property type specifies a set of rules that define the approval rules for an AWS Systems Manager patch baseline. `RuleGroup` is the property type for the `ApprovalRules` property of the [AWS::SSM::PatchBaseline](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-patchbaseline.html) resource. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[PatchRules](#cfn-ssm-patchbaseline-rulegroup-patchrules)" : [ Rule, ... ] } ``` ### YAML ``` [PatchRules](#cfn-ssm-patchbaseline-rulegroup-patchrules): - Rule ``` ## Properties `PatchRules` The rules that make up the rule group. *Required*: No *Type*: Array of [Rule](aws-properties-ssm-patchbaseline-rule.md) *Minimum*: `0` *Maximum*: `10` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SSM::PatchBaseline Tag Metadata that you assign to your AWS resources. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment. In AWS Systems Manager, you can apply tags to Systems Manager documents (SSM documents), managed nodes, maintenance windows, parameters, patch baselines, OpsItems, and OpsMetadata. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Key](#cfn-ssm-patchbaseline-tag-key)" : String, "[Value](#cfn-ssm-patchbaseline-tag-value)" : String } ``` ### YAML ``` [Key](#cfn-ssm-patchbaseline-tag-key): String [Value](#cfn-ssm-patchbaseline-tag-value): String ``` ## Properties `Key` The name of the tag. *Required*: Yes *Type*: String *Minimum*: `1` *Maximum*: `128` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Value` The value of the tag. *Required*: Yes *Type*: String *Minimum*: `1` *Maximum*: `256` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SSM::ResourceDataSync The `AWS::SSM::ResourceDataSync` resource creates, updates, or deletes a resource data sync for AWS Systems Manager. A resource data sync helps you view data from multiple sources in a single location. Systems Manager offers two types of resource data sync: `SyncToDestination` and `SyncFromSource`. You can configure Systems Manager Inventory to use the `SyncToDestination` type to synchronize Inventory data from multiple AWS Regions to a single Amazon S3 bucket. You can configure Systems Manager Explorer to use the `SyncFromSource` type to synchronize operational work items (OpsItems) and operational data (OpsData) from multiple AWS Regions. This type can synchronize OpsItems and OpsData from multiple AWS accounts and Regions or from an `EntireOrganization` by using AWS Organizations. A resource data sync is an asynchronous operation that returns immediately. After a successful initial sync is completed, the system continuously syncs data. By default, data is not encrypted in Amazon S3. We strongly recommend that you enable encryption in Amazon S3 to ensure secure data storage. We also recommend that you secure access to the Amazon S3 bucket by creating a restrictive bucket policy. For more information, see [Configuring Inventory Collection](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-inventory-configuring.html#sysman-inventory-datasync) and [Setting Up Systems Manager Explorer to Display Data from Multiple Accounts and Regions](https://docs.aws.amazon.com/systems-manager/latest/userguide/Explorer-resource-data-sync.html) in the *AWS Systems Manager User Guide*. **Important** The following *Syntax* section shows all fields that are supported for a resource data sync. The *Examples* section below shows the recommended way to specify configurations for each sync type. Refer to the *Examples* section when you create your resource data sync. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "Type" : "AWS::SSM::ResourceDataSync", "Properties" : { "[BucketName](#cfn-ssm-resourcedatasync-bucketname)" : String, "[BucketPrefix](#cfn-ssm-resourcedatasync-bucketprefix)" : String, "[BucketRegion](#cfn-ssm-resourcedatasync-bucketregion)" : String, "[KMSKeyArn](#cfn-ssm-resourcedatasync-kmskeyarn)" : String, "[S3Destination](#cfn-ssm-resourcedatasync-s3destination)" : S3Destination, "[SyncFormat](#cfn-ssm-resourcedatasync-syncformat)" : String, "[SyncName](#cfn-ssm-resourcedatasync-syncname)" : String, "[SyncSource](#cfn-ssm-resourcedatasync-syncsource)" : SyncSource, "[SyncType](#cfn-ssm-resourcedatasync-synctype)" : String } } ``` ### YAML ``` Type: AWS::SSM::ResourceDataSync Properties: [BucketName](#cfn-ssm-resourcedatasync-bucketname): String [BucketPrefix](#cfn-ssm-resourcedatasync-bucketprefix): String [BucketRegion](#cfn-ssm-resourcedatasync-bucketregion): String [KMSKeyArn](#cfn-ssm-resourcedatasync-kmskeyarn): String [S3Destination](#cfn-ssm-resourcedatasync-s3destination): S3Destination [SyncFormat](#cfn-ssm-resourcedatasync-syncformat): String [SyncName](#cfn-ssm-resourcedatasync-syncname): String [SyncSource](#cfn-ssm-resourcedatasync-syncsource): SyncSource [SyncType](#cfn-ssm-resourcedatasync-synctype): String ``` ## Properties `BucketName` The name of the S3 bucket where the aggregated data is stored. *Required*: No *Type*: String *Minimum*: `1` *Maximum*: `2048` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `BucketPrefix` An Amazon S3 prefix for the bucket. *Required*: No *Type*: String *Minimum*: `0` *Maximum*: `64` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `BucketRegion` The AWS Region with the S3 bucket targeted by the resource data sync. *Required*: No *Type*: String *Minimum*: `1` *Maximum*: `64` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `KMSKeyArn` The Amazon Resource Name (ARN) of an encryption key for a destination in Amazon S3. You can use a KMS key to encrypt inventory data in Amazon S3. You must specify a key that exist in the same AWS Region as the destination Amazon S3 bucket. *Required*: No *Type*: String *Minimum*: `0` *Maximum*: `512` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `S3Destination` Configuration information for the target S3 bucket. *Required*: No *Type*: [S3Destination](aws-properties-ssm-resourcedatasync-s3destination.md) *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `SyncFormat` A supported sync format. The following format is currently supported: JsonSerDe *Required*: No *Type*: String *Minimum*: `0` *Maximum*: `1024` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `SyncName` A name for the resource data sync. *Required*: Yes *Type*: String *Minimum*: `1` *Maximum*: `64` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `SyncSource` Information about the source where the data was synchronized. *Required*: No *Type*: [SyncSource](aws-properties-ssm-resourcedatasync-syncsource.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `SyncType` The type of resource data sync. If `SyncType` is `SyncToDestination`, then the resource data sync synchronizes data to an S3 bucket. If the `SyncType` is `SyncFromSource` then the resource data sync synchronizes data from AWS Organizations or from multiple AWS Regions. *Required*: No *Type*: String *Minimum*: `1` *Maximum*: `64` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) ## Return values ### Ref When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the name of the resource data sync, such as `TestResourceDataSync`. For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html). ## Examples **Topics** + [Create a SyncToDestination resource data sync](#aws-resource-ssm-resourcedatasync--examples--Create_a_SyncToDestination_resource_data_sync) + [Create a SyncFromSource resource data sync with type SingleAccountMultipleRegions](#aws-resource-ssm-resourcedatasync--examples--Create_a_SyncFromSource_resource_data_sync_with_type_SingleAccountMultipleRegions) + [Create a SyncFromSource resource data sync with type EntireOrganization](#aws-resource-ssm-resourcedatasync--examples--Create_a_SyncFromSource_resource_data_sync_with_type_EntireOrganization) + [Creating a SyncFromSource resource data sync with type OrganizationalUnits](#aws-resource-ssm-resourcedatasync--examples--Creating_a_SyncFromSource_resource_data_sync_with_type_OrganizationalUnits) ### Create a SyncToDestination resource data sync The following example synchronizes Systems Manager Inventory metadata in the US East (Ohio) Region (us-east-2) to a single Amazon S3 bucket. Resource data sync then automatically updates the centralized data when new data is collected. #### JSON ``` { "Description": "Create a resource data sync for Systems Manager", "Resources": { "BasicResourceDataSync": { "Type": "AWS::SSM::ResourceDataSync", "Properties": { "SyncName": "test-sync", "SyncType": "SyncToDestination", "S3Destination": { "BucketName": "amzn-s3-demo-bucket", "BucketRegion": "us-east-2", "SyncFormat": "JsonSerDe", "BucketPrefix": "cfn", "KMSKeyArn": "kmsKeyARN" } } } } } ``` #### YAML ``` --- Description: Create a resource data sync for Systems Manager Resources: BasicResourceDataSync: Type: AWS::SSM::ResourceDataSync Properties: SyncName: test-sync SyncType: SyncToDestination S3Destination: BucketName: amzn-s3-demo-bucket BucketRegion: us-east-2 SyncFormat: JsonSerDe BucketPrefix: cfn KMSKeyArn: kmsKeyARN ``` ### Create a SyncFromSource resource data sync with type SingleAccountMultipleRegions The following example synchronizes Systems Manager Explorer OpsData and OpsItems from multiple AWS Regions in a single AWS account. #### JSON ``` { "Description": "Create a resource data sync for Systems Manager Explorer", "Resources": { "BasicResourceDataSync": { "Type": "AWS::SSM::ResourceDataSync", "Properties": { "SyncName": "test-sync", "SyncType": "SyncFromSource", "SyncSource": { "SourceType": "SingleAccountMultiRegions", "SourceRegions": [ "us-east-1", "us-west-1", "us-west-2" ], "IncludeFutureRegions": false } } } } } ``` #### YAML ``` --- Description: Create a resource data sync for Systems Manager Explorer Resources: BasicResourceDataSync: Type: AWS::SSM::ResourceDataSync Properties: SyncName: test-sync SyncType: SyncFromSource SyncSource: SourceType: SingleAccountMultiRegions SourceRegions: - us-east-1 - us-west-1 - us-west-2 IncludeFutureRegions: false ``` ### Create a SyncFromSource resource data sync with type EntireOrganization The following example synchronizes Systems Manager Explorer OpsData and OpsItems from your entire organization in AWS Organizationsin the us-west-1 Region. #### JSON ``` { "Description": "Create a resource data sync for Systems Manager Explorer", "Resources": { "BasicResourceDataSync": { "Type": "AWS::SSM::ResourceDataSync", "Properties": { "SyncName": "test-sync", "SyncType": "SyncFromSource", "SyncSource": { "SourceType": "AwsOrganizations", "AwsOrganizationsSource": { "OrganizationSourceType": "EntireOrganization" }, "SourceRegions": [ "us-west-1" ], "IncludeFutureRegions": false } } } } } ``` #### YAML ``` --- Description: Create a resource data sync for Systems Manager Explorer Resources: BasicResourceDataSync: Type: AWS::SSM::ResourceDataSync Properties: SyncName: test-sync SyncType: SyncFromSource SyncSource: SourceType: AwsOrganizations AwsOrganizationsSource: OrganizationSourceType: EntireOrganization SourceRegions: - us-west-1 IncludeFutureRegions: false ``` ### Creating a SyncFromSource resource data sync with type OrganizationalUnits The following example synchronizes Systems Manager Explorer OpsData and OpsItems from organization unit 12345 in AWS Organizations in the us-west-1 Region. #### JSON ``` { "Description": "Create a resource data sync for Systems Manager Explorer", "Resources": { "BasicResourceDataSync": { "Type": "AWS::SSM::ResourceDataSync", "Properties": { "SyncName": "test-sync", "SyncType": "SyncFromSource", "SyncSource": { "SourceType": "AwsOrganizations", "AwsOrganizationsSource": { "OrganizationSourceType": "OrganizationalUnits", "OrganizationalUnits": [ "ou-12345" ] }, "SourceRegions": [ "us-west-1" ], "IncludeFutureRegions": false } } } } } ``` #### YAML ``` --- Description: Create a resource data sync for Systems Manager Explorer Resources: BasicResourceDataSync: Type: AWS::SSM::ResourceDataSync Properties: SyncName: test-sync SyncType: SyncFromSource SyncSource: SourceType: AwsOrganizations AwsOrganizationsSource: OrganizationSourceType: OrganizationalUnits OrganizationalUnits: - ou-12345 SourceRegions: - us-west-1 IncludeFutureRegions: false ``` ## See also + [What is AWS Systems Manager?](https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html) + [AWS Systems Manager Inventory](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-inventory.html) + [Configuring inventory collection](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-inventory-configuring.html) # AWS::SSM::ResourceDataSync AwsOrganizationsSource Information about the `AwsOrganizationsSource` resource data sync source. A sync source of this type can synchronize data from AWS Organizations or, if an AWS organization isn't present, from multiple AWS Regions. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[OrganizationalUnits](#cfn-ssm-resourcedatasync-awsorganizationssource-organizationalunits)" : [ String, ... ], "[OrganizationSourceType](#cfn-ssm-resourcedatasync-awsorganizationssource-organizationsourcetype)" : String } ``` ### YAML ``` [OrganizationalUnits](#cfn-ssm-resourcedatasync-awsorganizationssource-organizationalunits): - String [OrganizationSourceType](#cfn-ssm-resourcedatasync-awsorganizationssource-organizationsourcetype): String ``` ## Properties `OrganizationalUnits` The AWS Organizations organization units included in the sync. *Required*: No *Type*: Array of String *Minimum*: `1` *Maximum*: `1000` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `OrganizationSourceType` If an AWS organization is present, this is either `OrganizationalUnits` or `EntireOrganization`. For `OrganizationalUnits`, the data is aggregated from a set of organization units. For `EntireOrganization`, the data is aggregated from the entire AWS organization. *Required*: Yes *Type*: String *Minimum*: `1` *Maximum*: `64` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SSM::ResourceDataSync S3Destination Information about the target S3 bucket for the resource data sync. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[BucketName](#cfn-ssm-resourcedatasync-s3destination-bucketname)" : String, "[BucketPrefix](#cfn-ssm-resourcedatasync-s3destination-bucketprefix)" : String, "[BucketRegion](#cfn-ssm-resourcedatasync-s3destination-bucketregion)" : String, "[KMSKeyArn](#cfn-ssm-resourcedatasync-s3destination-kmskeyarn)" : String, "[SyncFormat](#cfn-ssm-resourcedatasync-s3destination-syncformat)" : String } ``` ### YAML ``` [BucketName](#cfn-ssm-resourcedatasync-s3destination-bucketname): String [BucketPrefix](#cfn-ssm-resourcedatasync-s3destination-bucketprefix): String [BucketRegion](#cfn-ssm-resourcedatasync-s3destination-bucketregion): String [KMSKeyArn](#cfn-ssm-resourcedatasync-s3destination-kmskeyarn): String [SyncFormat](#cfn-ssm-resourcedatasync-s3destination-syncformat): String ``` ## Properties `BucketName` The name of the S3 bucket where the aggregated data is stored. *Required*: Yes *Type*: String *Minimum*: `1` *Maximum*: `2048` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `BucketPrefix` An Amazon S3 prefix for the bucket. *Required*: No *Type*: String *Minimum*: `1` *Maximum*: `256` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `BucketRegion` The AWS Region with the S3 bucket targeted by the resource data sync. *Required*: Yes *Type*: String *Minimum*: `1` *Maximum*: `64` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `KMSKeyArn` The ARN of an encryption key for a destination in Amazon S3. Must belong to the same Region as the destination S3 bucket. *Required*: No *Type*: String *Minimum*: `1` *Maximum*: `512` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `SyncFormat` A supported sync format. The following format is currently supported: JsonSerDe *Required*: Yes *Type*: String *Minimum*: `1` *Maximum*: `1024` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) # AWS::SSM::ResourceDataSync SyncSource Information about the source of the data included in the resource data sync. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[AwsOrganizationsSource](#cfn-ssm-resourcedatasync-syncsource-awsorganizationssource)" : AwsOrganizationsSource, "[IncludeFutureRegions](#cfn-ssm-resourcedatasync-syncsource-includefutureregions)" : Boolean, "[SourceRegions](#cfn-ssm-resourcedatasync-syncsource-sourceregions)" : [ String, ... ], "[SourceType](#cfn-ssm-resourcedatasync-syncsource-sourcetype)" : String } ``` ### YAML ``` [AwsOrganizationsSource](#cfn-ssm-resourcedatasync-syncsource-awsorganizationssource): AwsOrganizationsSource [IncludeFutureRegions](#cfn-ssm-resourcedatasync-syncsource-includefutureregions): Boolean [SourceRegions](#cfn-ssm-resourcedatasync-syncsource-sourceregions): - String [SourceType](#cfn-ssm-resourcedatasync-syncsource-sourcetype): String ``` ## Properties `AwsOrganizationsSource` Information about the AwsOrganizationsSource resource data sync source. A sync source of this type can synchronize data from AWS Organizations. *Required*: No *Type*: [AwsOrganizationsSource](aws-properties-ssm-resourcedatasync-awsorganizationssource.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `IncludeFutureRegions` Whether to automatically synchronize and aggregate data from new AWS Regions when those Regions come online. *Required*: No *Type*: Boolean *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `SourceRegions` The `SyncSource`AWS Regions included in the resource data sync. *Required*: Yes *Type*: Array of String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `SourceType` The type of data source for the resource data sync. `SourceType` is either `AwsOrganizations` (if an organization is present in AWS Organizations) or `SingleAccountMultiRegions`. *Required*: Yes *Type*: String *Minimum*: `1` *Maximum*: `64` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SSM::ResourcePolicy Creates or updates a Systems Manager resource policy. A resource policy helps you to define the IAM entity (for example, an AWS account) that can manage your Systems Manager resources. Currently, `OpsItemGroup` is the only resource that supports Systems Manager resource policies. The resource policy for `OpsItemGroup` enables AWS accounts to view and interact with OpsCenter operational work items (OpsItems). OpsCenter is a tool in Systems Manager. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "Type" : "AWS::SSM::ResourcePolicy", "Properties" : { "[Policy](#cfn-ssm-resourcepolicy-policy)" : Json, "[ResourceArn](#cfn-ssm-resourcepolicy-resourcearn)" : String } } ``` ### YAML ``` Type: AWS::SSM::ResourcePolicy Properties: [Policy](#cfn-ssm-resourcepolicy-policy): Json [ResourceArn](#cfn-ssm-resourcepolicy-resourcearn): String ``` ## Properties `Policy` A policy you want to associate with a resource. *Required*: Yes *Type*: Json *Pattern*: `^(?!\s*$).+` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ResourceArn` The Amazon Resource Name (ARN) of the resource to which you want to attach a policy. *Required*: Yes *Type*: String *Minimum*: `20` *Maximum*: `2048` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) ## Return values ### Ref ### Fn::GetAtt The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values. For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html). #### `PolicyHash` ID of the current policy version. The hash helps to prevent a situation where multiple users attempt to overwrite a policy. You must provide this hash and the policy ID when updating or deleting a policy. `PolicyId` ID of the current policy version. ## Examples ### Create a resource policy for OpsCenter The following example specifies the management or delegated administrator account IDs for working with OpsItems across accounts. #### YAML ``` --- AWSTemplateFormatVersion: '2010-09-09' Description: Creates resources needed for a member account to work with OpsCenter OpsItems across multiple accounts. Parameters: AdminAccountIds: Description: Allows one or more accounts to access OpsItems. Specify AWS Organizations management account IDs and delegated administrator account IDs in a comma-separated list. Type: CommaDelimitedList ParentDeploymentRegion: Description: Primary AWS Region used for creating global resources such as IAM roles. Type: String Conditions: IsParentDeploymentRegion: Fn::Equals: - !Ref 'AWS::Region' - !Ref ParentDeploymentRegion Resources: OpsItemCrossAccountResourcePolicy: Type: AWS::SSM::ResourcePolicy Properties: Policy: !Sub - '{"Version":"2012-10-17", "Statement":[{"Sid":"AllowAdminAccountsToAccessOpsItems2","Effect":"Allow","Principal":{"AWS":["${AdminAccountIdsString}"]},"Action":["ssm:CreateOpsItem","ssm:AddTagsToResource","ssm:GetOpsItem","ssm:UpdateOpsItem"],"Resource":["arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:opsitem/*","arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:opsitemgroup/default"]}]}' - AdminAccountIdsString: Fn::Join: - '\",\"' - !Ref AdminAccountIds ResourceArn: Fn::Sub: arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:opsitemgroup/default OpsItemCrossAccountExecutionRole: Type: AWS::IAM::Role Condition: IsParentDeploymentRegion Properties: RoleName: OpsItem-CrossAccountExecutionRole Description: 'Role used by the management account or delegated administrator to remediate OpsItems' AssumeRolePolicyDocument: Version: '2012-10-17 ' Statement: - Effect: Allow Principal: AWS: !Ref AdminAccountIds Condition: StringLike: "aws:PrincipalArn": !Split - ',' - !Sub - 'arn:*:iam::${inner}:role/OpsItem-*Role*' - inner: !Join - ':role/OpsItem-*Role*,arn:*:iam::' - Ref: AdminAccountIds Action: - sts:AssumeRole Path: '/' ManagedPolicyArns: - !Sub 'arn:${AWS::Partition}:iam::aws:policy/ReadOnlyAccess' ``` ## See also + [Setting up OpsCenter to work with OpsItems across accounts](https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter-getting-started-multiple-accounts.html)