• The AWS Systems Manager CloudWatch Dashboard will no longer be available after April 30, 2026. Customers can continue to use Amazon CloudWatch console to view, create, and manage their Amazon CloudWatch dashboards, just as they do today. For more information, see [Amazon CloudWatch Dashboard documentation](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Dashboards.html).
# AWS Systems Manager Quick Setup
Use Quick Setup, a tool in AWS Systems Manager, to quickly configure frequently used Amazon Web Services services and features with recommended best practices. Quick Setup simplifies setting up services, including Systems Manager, by automating common or recommended tasks. These tasks include, for example, creating required AWS Identity and Access Management (IAM) instance profile roles and setting up operational best practices, such as periodic patch scans and inventory collection. There is no cost to use Quick Setup. However, costs can be incurred based on the type of services you set up and the usage limits with no fees for the services used to set up your service. To get started with Quick Setup, open the [Systems Manager console](https://console.aws.amazon.com/systems-manager/quick-setup). In the navigation pane, choose **Quick Setup**.
**Note**
If you were directed to Quick Setup to help you configure your instances to be managed by Systems Manager, complete the procedure in [Set up Amazon EC2 host management using Quick Setup](quick-setup-host-management.md).
## What are the benefits of Quick Setup?
Benefits of Quick Setup include the following:
+ **Simplify service and feature configuration**
Quick Setup walks you through configuring operational best practices and automatically deploys those configurations. The Quick Setup dashboard displays a real-time view of your configuration deployment status.
+ **Deploy configurations automatically across multiple accounts**
You can use Quick Setup in an individual AWS account or across multiple AWS accounts and AWS Regions by integrating with AWS Organizations. Using Quick Setup across multiple accounts helps to ensure that your organization maintains consistent configurations.
+ **Eliminate configuration drift**
Configuration drift occurs whenever a user makes any change to a service or feature that conflicts with the selections made through Quick Setup. Quick Setup periodically checks for configuration drift and attempts to remediate it.
## Who should use Quick Setup?
Quick Setup is most beneficial for customers who already have some experience with the services and features they're setting up, and want to simplify their setup process. If you're unfamiliar with the AWS service you're configuring with Quick Setup, we recommend that you learn more about the service. Review the content in the relevant User Guide before you create a configuration with Quick Setup.
## Availability of Quick Setup in AWS Regions
In the following AWS Regions, you can use all Quick Setup configuration types for an entire organization, as configured in AWS Organizations, or for only the organizational accounts and Regions you choose. You can also use Quick Setup with just a single account in these Regions.
+ US East (Ohio)
+ US East (N. Virginia)
+ US West (N. California)
+ US West (Oregon)
+ Asia Pacific (Mumbai)
+ Asia Pacific (Seoul)
+ Asia Pacific (Singapore)
+ Asia Pacific (Sydney)
+ Asia Pacific (Tokyo)
+ Canada (Central)
+ Europe (Frankfurt)
+ Europe (Stockholm)
+ Europe (Ireland)
+ Europe (London)
+ Europe (Paris)
+ South America (São Paulo)
In the following Regions, only the [Host Management](quick-setup-host-management.md) configuration type is available for individual accounts:
+ Europe (Milan)
+ Asia Pacific (Hong Kong)
+ Middle East (Bahrain)
+ China (Beijing)
+ China (Ningxia)
+ AWS GovCloud (US-East)
+ AWS GovCloud (US-West)
For a list of all supported Regions for Systems Manager, see the **Region** column in [Systems Manager service endpoints](https://docs.aws.amazon.com/general/latest/gr/ssm.html#ssm_region) in the *Amazon Web Services General Reference*.
# Getting started with Quick Setup
Use the information in this topic to help you prepare to use Quick Setup.
**Topics**
+ [IAM roles and permissions for Quick Setup onboarding](#quick-setup-getting-started-iam)
+ [Manual onboarding for working with Quick Setup API programmatically](#quick-setup-api-manual-onboarding)
## IAM roles and permissions for Quick Setup onboarding
Quick Setup launched a new console experience and a new API. Now you can interact with this API using the console, AWS CLI, CloudFormation, and SDKs. If you opt in to the new experience, your existing configurations are recreated using the new API. Depending on the number of existing configurations in your account, this process can take several minutes.
To use the new Quick Setup console, you must have permissions for the following actions:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm-quicksetup:*",
"cloudformation:DescribeStackSetOperation",
"cloudformation:ListStacks",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackResources",
"cloudformation:ListStackSetOperations",
"cloudformation:ListStackInstances",
"cloudformation:DescribeStackSet",
"cloudformation:ListStackSets",
"cloudformation:DescribeStackInstance",
"cloudformation:DescribeOrganizationsAccess",
"cloudformation:ActivateOrganizationsAccess",
"cloudformation:GetTemplate",
"cloudformation:ListStackSetOperationResults",
"cloudformation:DescribeStackEvents",
"cloudformation:UntagResource",
"ec2:DescribeInstances",
"ssm:DescribeAutomationExecutions",
"ssm:GetAutomationExecution",
"ssm:ListAssociations",
"ssm:DescribeAssociation",
"ssm:GetDocument",
"ssm:ListDocuments",
"ssm:DescribeDocument",
"ssm:ListResourceDataSync",
"ssm:DescribePatchBaselines",
"ssm:GetPatchBaseline",
"ssm:DescribeMaintenanceWindows",
"ssm:DescribeMaintenanceWindowTasks",
"ssm:GetOpsSummary",
"organizations:DeregisterDelegatedAdministrator",
"organizations:DescribeAccount",
"organizations:DescribeOrganization",
"organizations:ListDelegatedAdministrators",
"organizations:ListRoots",
"organizations:ListParents",
"organizations:ListOrganizationalUnitsForParent",
"organizations:DescribeOrganizationalUnit",
"organizations:ListAWSServiceAccessForOrganization",
"s3:GetBucketLocation",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"resource-groups:ListGroups",
"iam:ListRoles",
"iam:ListRolePolicies",
"iam:GetRole",
"iam:CreatePolicy",
"organizations:RegisterDelegatedAdministrator",
"organizations:EnableAWSServiceAccess",
"cloudformation:TagResource"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cloudformation:RollbackStack",
"cloudformation:CreateStack",
"cloudformation:UpdateStack",
"cloudformation:DeleteStack"
],
"Resource": [
"arn:aws:cloudformation:*:*:stack/StackSet-AWS-QuickSetup-*",
"arn:aws:cloudformation:*:*:stack/AWS-QuickSetup-*",
"arn:aws:cloudformation:*:*:type/resource/*",
"arn:aws:cloudformation:*:*:stack/StackSet-SSMQuickSetup"
]
},
{
"Effect": "Allow",
"Action": [
"cloudformation:CreateStackSet",
"cloudformation:UpdateStackSet",
"cloudformation:DeleteStackSet",
"cloudformation:DeleteStackInstances",
"cloudformation:CreateStackInstances",
"cloudformation:StopStackSetOperation"
],
"Resource": [
"arn:aws:cloudformation:*:*:stackset/AWS-QuickSetup-*",
"arn:aws:cloudformation:*:*:stackset/SSMQuickSetup",
"arn:aws:cloudformation:*:*:type/resource/*",
"arn:aws:cloudformation:*:*:stackset-target/AWS-QuickSetup-*:*"
]
},
{
"Effect": "Allow",
"Action": [
"iam:CreateRole",
"iam:DeleteRole",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",
"iam:GetRolePolicy",
"iam:PutRolePolicy"
],
"Resource": [
"arn:aws:iam::*:role/AWS-QuickSetup-*",
"arn:aws:iam::*:role/service-role/AWS-QuickSetup-*"
]
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::111122223333:role/AWS-QuickSetup-*",
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"ssm-quicksetup.amazonaws.com",
"cloudformation.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"ssm:DeleteAssociation",
"ssm:CreateAssociation",
"ssm:StartAssociationsOnce"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ssm:StartAutomationExecution",
"Resource": [
"arn:aws:ssm:*:*:document/AWS-EnableExplorer",
"arn:aws:ssm:*:*:automation-execution/*"
]
},
{
"Effect": "Allow",
"Action": [
"ssm:GetOpsSummary",
"ssm:CreateResourceDataSync",
"ssm:UpdateResourceDataSync"
],
"Resource": "arn:aws:ssm:*:*:resource-data-sync/AWS-QuickSetup-*"
},
{
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole"
],
"Condition": {
"StringEquals": {
"iam:AWSServiceName": [
"accountdiscovery.ssm.amazonaws.com",
"ssm.amazonaws.com",
"ssm-quicksetup.amazonaws.com",
"stacksets.cloudformation.amazonaws.com"
]
}
},
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole"
],
"Resource": "arn:aws:iam::*:role/aws-service-role/stacksets.cloudformation.amazonaws.com/AWSServiceRoleForCloudFormationStackSetsOrgAdmin"
}
]
}
```
------
To restrict users to read-only permissions, only allow `ssm-quicksetup:List*` and `ssm-quicksetup:Get*` operations for the Quick Setup API.
During onboarding, Quick Setup creates the following AWS Identity and Access Management (IAM) roles on your behalf:
+ `AWS-QuickSetup-LocalExecutionRole` – Grants CloudFormation permissions to use any template, excluding the patch policy template, and create the necessary resources.
+ `AWS-QuickSetup-LocalAdministrationRole` – Grants permissions to AWS CloudFormation to assume `AWS-QuickSetup-LocalExecutionRole`.
+ `AWS-QuickSetup-PatchPolicy-LocalExecutionRole` – Grants permissions to AWS CloudFormation to use the patch policy template, and create the necessary resources.
+ `AWS-QuickSetup-PatchPolicy-LocalAdministrationRole` – Grants permissions to AWS CloudFormation to assume `AWS-QuickSetup-PatchPolicy-LocalExecutionRole`.
If you're onboarding a management account—the account that you use to create an organization in AWS Organizations—Quick Setup also creates the following roles on your behalf:
+ `AWS-QuickSetup-SSM-RoleForEnablingExplorer` – Grants permissions to the `AWS-EnableExplorer` automation runbook. The `AWS-EnableExplorer` runbook configures Explorer, a tool in Systems Manager, to display information for multiple AWS accounts and AWS Regions.
+ `AWSServiceRoleForAmazonSSM` – A service-linked role that grants access to AWS resources managed and used by Systems Manager.
+ `AWSServiceRoleForAmazonSSM_AccountDiscovery` – A service-linked role that grants permissions to Systems Manager to call AWS services to discover AWS account information when synchronizing data. For more information, see [Using roles to collect AWS account information for OpsCenter and Explorer](using-service-linked-roles-service-action-2.md).
When onboarding a management account, Quick Setup enables trusted access between AWS Organizations and CloudFormation to deploy Quick Setup configurations across your organization. To enable trusted access, your management account must have administrator permissions. After onboarding, you no longer need administrator permissions. For more information, see [Enable trusted access with Organizations](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-enable-trusted-access.html).
For information about AWS Organizations account types, see [AWS Organizations terminology and concepts](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html) in the *AWS Organizations User Guide*.
**Note**
Quick Setup uses CloudFormation StackSets to deploy your configurations across AWS accounts and Regions. If the number of target accounts multiplied by the number of Regions exceeds 10,000, the configuration fails to deploy. We recommend reviewing your use case and creating configurations that use fewer targets to accommodate the growth of your organization. Stack instances aren't deployed to your organization's management account. For more information, see [Considerations when creating a stack set with service-managed permissions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-getting-started-create.html?icmpid=docs_cfn_console#stacksets-orgs-considerations).
## Manual onboarding for working with Quick Setup API programmatically
If you use the console to work with Quick Setup, the service handles onboarding steps for you. If you plan to use SDKs or the AWS CLI to work with the Quick Setup API, you can still use the console to complete onboarding steps for you so you don't have to perform them manually. However, some customers need to complete onboarding steps for Quick Setup programmatically without interacting with the console. If this method fits your use case, you must complete the following steps. All of these steps must be completed from your AWS Organizations management account.
**To complete manual onboarding for Quick Setup**
1. Activate trusted access for CloudFormation with Organizations. This provides the management account with the permissions needed to create and manage StackSets for your organization. You can use CloudFormation's `ActivateOrganizationsAccess` API action to complete this step. For more information, see [ActivateOrganizationsAccess](https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_ActivateOrganizationsAccess.html) in the *AWS CloudFormation API Reference*.
1. Enable the integration of Systems Manager with Organizations. This allows Systems Manager to create a service-linked role in all the accounts in your organization. This also allows Systems Manager to perform operations on your behalf in your organization and its accounts. You can use AWS Organizations's `EnableAWSServiceAccess` API action to complete this step. The service principal for Systems Manager is `ssm.amazonaws.com`.For more information, see [EnableAWSServiceAccess](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html) in the *AWS Organizations API Reference*.
1. Create the required IAM role for Explorer. This allows Quick Setup to create dashboards for your configurations so you can view deployment and association statuses. Create an IAM role and attach the `AWSSystemsManagerEnableExplorerExecutionPolicy` managed policy. Modify the trust policy for the role to match the following. Replace each *account ID* with your information.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "111122223333"
},
"ArnLike": {
"aws:SourceArn": "arn:*:ssm:*:111122223333:automation-execution/*"
}
}
}
]
}
```
------
1. Update the Quick Setup service setting for Explorer. You can use Quick Setup's `UpdateServiceSettings` API action to complete this step. Specify the ARN for the IAM role you created in the previous step for the `ExplorerEnablingRoleArn` request parameter. For more information, see [UpdateServiceSettings](https://docs.aws.amazon.com/quick-setup/latest/APIReference/API_UpdateServiceSettings.html) in the *Quick Setup API Reference*.
1. Create the required IAM roles for CloudFormation StackSets to use. You must create an *execution* role and an *administration* role.
1. Create the execution role. The execution role should have at least one of the `AWSQuickSetupDeploymentRolePolicy` or `AWSQuickSetupPatchPolicyDeploymentRolePolicy` managed policies attached. If you're only creating patch policy configurations, you can use `AWSQuickSetupPatchPolicyDeploymentRolePolicy` managed policy. All other configurations use the `AWSQuickSetupDeploymentRolePolicy` policy. Modify the trust policy for the role to match the following. Replace each *account ID* and *administration role name* with your information.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:role/administration role name"
},
"Action": "sts:AssumeRole"
}
]
}
```
------
1. Create the administration role. The permissions policy must match the following. Replace each *account ID* and *execution role name* with your information.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"sts:AssumeRole"
],
"Resource": "arn:*:iam::111122223333:role/execution role name",
"Effect": "Allow"
}
]
}
```
------
Modify the trust policy for the role to match the following. Replace each *account ID* with your information.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "cloudformation.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "111122223333"
},
"ArnLike": {
"aws:SourceArn": "arn:aws:cloudformation:*:111122223333:stackset/AWS-QuickSetup-*"
}
}
}
]
}
```
------
# Configuration for Assume Role for Systems Manager
## To create an assume role for Systems Manager Quick Setup:
Systems Manager Quick Setup requires a role that allows Systems Manager to securely perform actions in your account. This role grants Systems Manager the permissions needed to run commands on your instances and configure EC2 instances, IAM roles, and other Systems Manager resources on your behalf.
1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane, choose **Policies**, and then **Create Policy**
1. Add the `SsmOnboardingInlinePolicy` policy using the JSON below. (This policy enables actions required in order to attach instance profile permissions to instances you specify. For example allowing creation of instance profiles and associating them with EC2 instances).
1. Once complete, in the navigation pane, choose **Roles**, and then choose **Create role**.
1. For **Trusted entity type**, keep it as default (service).
1. Under **Use case**, choose **Systems Manager**, then choose **Next**.
1. On the **Add permissions** page:
1. Add the `SsmOnboardingInlinePolicy` policy
1. Choose **Next**
1. For **Role name**, enter a descriptive name (for example, `AmazonSSMRoleForAutomationAssumeQuickSetup`).
1. (Optional) Add tags to help identify and organize the role.
1. Choose **Create role**.
**Important**
The role must include a trust relationship with `ssm.amazonaws.com`. This is automatically configured when you select Systems Manager as the service in step 4.
After creating the role, you can select it when configuring Quick Setup. The role enables Systems Manager to manage EC2 instances, IAM roles, and other Systems Manager resources and run commands on your behalf while maintaining security through specific, limited permissions.
## Permissions Policies
**`SsmOnboardingInlinePolicy`**
The following policy defines the permissions for Systems Manager Quick Setup:
```
{
"Version": "2012-10-17" ,
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:CreateInstanceProfile",
"iam:ListInstanceProfilesForRole",
"ec2:DescribeIamInstanceProfileAssociations",
"iam:GetInstanceProfile",
"iam:AddRoleToInstanceProfile"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:AssociateIamInstanceProfile"
],
"Resource": "arn:aws:ec2:*:*:instance/*",
"Condition": {
"Null": {
"ec2:InstanceProfile": "true"
},
"ArnLike": {
"ec2:NewInstanceProfile": "arn:aws:iam::*:instance-profile/[INSTANCE_PROFILE_ROLE_NAME]"
}
}
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::*:role/[INSTANCE_PROFILE_ROLE_NAME]",
"Condition": {
"StringEquals": {
"iam:PassedToService": "ec2.amazonaws.com"
}
}
}
]
}
```
**Trust Relationship**
*This is added automatically via the above steps*
```
{
"Version": "2012-10-17" ,
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
```
# Using a delegated administrator for Quick Setup
After you register a delegated administrator account for Quick Setup, users with the appropriate permissions in that account can create, update, view, and delete configuration managers that target organizational units within your AWS Organizations structure. This delegated administrator account can also manage configuration managers previously created by your organization's management account.
The management account in Organizations can designate one account within your organization as a delegated administrator. When you register an account as a delegated administrator for Quick Setup, this account automatically becomes a delegated administrator for AWS CloudFormation StackSets and Systems Manager Explorer as well, since these services are required to deploy and monitor Quick Setup configurations.
**Note**
At this time, the patch policy configuration type isn't supported by the delegated administrator for Quick Setup. Patch policy configurations for an organization must be created and maintained in the management account for an organization. For more information, see [Creating a patch policy](quick-setup-patch-manager.md#create-patch-policy).
The following topics describe how to register and deregister a delegated administrator for Quick Setup.
**Topics**
+ [Register a delegated administrator for Quick Setup](quick-setup-register-delegated-administrator.md)
+ [Deregister a delegated administrator for Quick Setup](quick-setup-deregister-delegated-administrator.md)
# Register a delegated administrator for Quick Setup
Use the following procedure to register a delegated administrator for Quick Setup.
**To register a Quick Setup delegated administrator**
1. Log into your AWS Organizations management account.
1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).
1. In the navigation pane, choose **Quick Setup**.
1. Choose **Settings**.
1. In the **Delegated administrator for Quick Setup** section, verify that you have configured the required service-linked role and service access options. If necessary, choose the **Create role** and **Enable access** buttons to configure these options.
1. For **Account ID**, enter the AWS account ID. This account must be a member account in AWS Organizations.
1. Choose **Register delegated administrator**.
# Deregister a delegated administrator for Quick Setup
Use the following procedure to deregister a delegated administrator for Quick Setup.
**To deregister a Quick Setup delegated administrator**
1. Log into your AWS Organizations management account.
1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).
1. In the navigation pane, choose **Quick Setup**.
1. Choose **Settings**.
1. In the **Delegated administrator for Quick Setup** section, choose **Deregister** from the **Actions** dropdown.
1. Select **Confirm**.
# Learn Quick Setup terminology and details
Quick Setup, a tool in AWS Systems Manager, displays the results of all configuration managers you've created across all AWS Regions in the **Configuration managers** table on the Quick Setup home page. From this page, you can **View details** of each configuration, delete configurations from the **Actions** drop down, or **Create** configurations. The **Configuration managers** table contains the following information:
+ **Name** – The name of the configuration manager if provided when created.
+ **Configuration type** – The configuration type chosen when creating the configuration.
+ **Version** – The version of the configuration type currently deployed.
+ **Organizational units** – Displays the organizational units (OUs) that the configuration is deployed to if you chose a **Custom** set of targets. Organizational units and custom targets are only available to the management account of your organization. The management account is the account that you use to create an organization in AWS Organizations.
+ **Deployment type** – Indicates whether the deployment applies to the entire organization (`Organizational`) or only your account (`Local`).
+ **Regions** – The Regions that the configuration is deployed to if you chose a **Custom** set of targets or targets within your **Current account**.
+ **Deployment status** – The deployment status indicates if AWS CloudFormation successfully deployed the target or stack instance. The target and stack instances contain the configuration options that you chose during configuration creation.
+ **Association status** – The association status is the state of all associations created by the configuration that you created. The associations for all targets must run successfully; otherwise, the status is **Failed**.
Quick Setup creates and runs a State Manager association for each configuration target. State Manager is a tool in AWS Systems Manager.
To view configurations deployed to the Region you're currently browsing, select the **Configurations** tab.
## Configuration details
The **Configuration details** page displays information about the deployment of the configuration and its related associations. From this page, you can edit configuration options, update targets, or delete the configuration. You can also view the details of each configuration deployment to get more information about the associations.
Depending on the type of configuration, one or more of the following status graphs are displayed:
**Configuration deployment status**
Displays the number of deployments that have succeeded, failed, or are running or pending. Deployments occur in the specified target accounts and Regions that contain nodes affected by the configuration.
**Configuration association status**
Displays the number of State Manager associations that have succeeded, failed, or are pending. Quick Setup creates an association in each deployment for the configuration options selected.
**Setup status**
Displays the number of actions performed by the configuration type and their current statuses.
**Resource compliance**
Displays the number of resources that are compliant to the configurations specified policy.
The **Configuration details** table displays information about the deployment of your configuration. You can view more details about each deployment by selecting the deployment and then choosing **View details**. The details page of each deployment displays the associations deployed to the nodes in that deployment.
## Editing and deleting your configuration
You can edit configuration options of a configuration from the **Configuration details** page by choosing **Actions** and then **Edit configuration options**. When you add new options to the configuration, Quick Setup runs your deployments and creates new associations. When you remove options from a configuration, Quick Setup runs your deployments and removes any related associations.
**Note**
You can edit Quick Setup configurations for your account at anytime. To edit an **Organization** configuration, the **Configuration status** must be **Success** or **Failed**.
You can also update the targets included in your configurations by choosing **Actions** and **Add OUs**, **Add Regions**, **Remove OUs**, or **Remove Regions**. If your account isn't configured as the management account or you created the configuration for only the current account, you can't update the target organizational units (OUs). Removing a Region or OU removes the associations from those Regions or OUs.
Periodically, Quick Setup releases new versions of configurations. You can select the **Upgrade configuration** option to upgrade your configuration to the latest version.
You can delete a configuration from Quick Setup by choosing the configuration, then **Actions**, and then **Delete configuration**. Or, you can delete the configuration from the **Configuration details** page under the **Actions** dropdown and then **Delete configuration**. Quick Setup then prompts you to **Remove all OUs and Regions** which might take some time to complete. Deleting a configuration also deletes all related associations. This two-step deletion process removes all deployed resources from all accounts and Regions and then deletes the configuration.
## Configuration compliance
You can view whether your instances are compliant with the associations created by your configurations in either Explorer or Compliance, which are both tools in AWS Systems Manager. To learn more about compliance, see [Learn details about Compliance](compliance-about.md). To learn more about viewing compliance in Explorer, see [AWS Systems Manager Explorer](Explorer.md).
# Using the Quick Setup API to manage configurations and deployments
You can use the API provided by Quick Setup to create and manage configurations and deployments using the AWS CLI or your preferred SDK. You can also use CloudFormation to create a configuration manager resource that deploys configurations. Using the API, you create configuration managers that deploy configuration *definitions*. Configuration definitions contain all of the necessary information to deploy a particular configuration type. For more information about the Quick Setup API, see the [Quick Setup API Reference](https://docs.aws.amazon.com/quick-setup/latest/APIReference/).
The following examples demonstrate how to create configuration managers using the AWS CLI and CloudFormation.
------
#### [ AWS CLI ]
```
aws ssm-quicksetup create-configuration-manager \
--name configuration manager name \
--description Description of your configuration manager
--configuration-definitions JSON string containing configuration defintion
```
The following is an example JSON string containing a configuration definition for patch policy.
```
'{"Type":"AWSQuickSetupType-PatchPolicy","LocalDeploymentAdministrationRoleArn":"arn:aws:iam::123456789012:role/AWS-QuickSetup-StackSet-Local-AdministrationRole","LocalDeploymentExecutionRoleName":"AWS-QuickSetup-StackSet-Local-ExecutionRole","Parameters":{"ConfigurationOptionsInstallNextInterval":"true","ConfigurationOptionsInstallValue":"cron(0 2 ? * SAT#1 *)","ConfigurationOptionsPatchOperation":"ScanAndInstall","ConfigurationOptionsScanNextInterval":"false","ConfigurationOptionsScanValue":"cron(0 1 * * ? *)","HasDeletedBaseline":"false","IsPolicyAttachAllowed":"true","OutputBucketRegion":"","OutputLogEnableS3":"false","OutputS3BucketName":"","OutputS3KeyPrefix":"","PatchBaselineRegion":"us-east-1","PatchBaselineUseDefault":"custom","PatchPolicyName":"dev-patch-policy","RateControlConcurrency":"5","RateControlErrorThreshold":"0%","RebootOption":"RebootIfNeeded","ResourceGroupName":"","SelectedPatchBaselines":"{\"ALMA_LINUX\":{\"value\":\"arn:aws:ssm:us-east-1:123456789012:patchbaseline/pb-0cb0c4966f86b059b\",\"label\":\"AWS-AlmaLinuxDefaultPatchBaseline\",\"description\":\"Default Patch Baseline for Alma Linux Provided by AWS.\",\"disabled\":false},\"AMAZON_LINUX_2\":{\"value\":\"arn:aws:ssm:us-east-1:123456789012:patchbaseline/pb-0be8c61cde3be63f3\",\"label\":\"AWS-AmazonLinux2DefaultPatchBaseline\",\"description\":\"Baseline containing all Security and Bugfix updates approved for Amazon Linux 2 instances\",\"disabled\":false},\"AMAZON_LINUX_2023\":{\"value\":\"arn:aws:ssm:us-east-1:123456789012:patchbaseline/pb-05c9c9bf778d4c4d0\",\"label\":\"AWS-AmazonLinux2023DefaultPatchBaseline\",\"description\":\"Default Patch Baseline for Amazon Linux 2023 Provided by AWS.\",\"disabled\":false},\"DEBIAN\":{\"value\":\"arn:aws:ssm:us-east-1:123456789012:patchbaseline/pb-09a5f8eb62bde80b1\",\"label\":\"AWS-DebianDefaultPatchBaseline\",\"description\":\"Default Patch Baseline for Debian Provided by AWS.\",\"disabled\":false},\"MACOS\":{\"value\":\"arn:aws:ssm:us-east-1:123456789012:patchbaseline/pb-0ee4f94581368c0d4\",\"label\":\"AWS-MacOSDefaultPatchBaseline\",\"description\":\"Default Patch Baseline for MacOS Provided by AWS.\",\"disabled\":false},\"ORACLE_LINUX\":{\"value\":\"arn:aws:ssm:us-east-1:123456789012:patchbaseline/pb-06bff38e95fe85c02\",\"label\":\"AWS-OracleLinuxDefaultPatchBaseline\",\"description\":\"Default Patch Baseline for Oracle Linux Server Provided by AWS.\",\"disabled\":false},\"REDHAT_ENTERPRISE_LINUX\":{\"value\":\"arn:aws:ssm:us-east-1:123456789012:patchbaseline/pb-0cbb3a633de00f07c\",\"label\":\"AWS-RedHatDefaultPatchBaseline\",\"description\":\"Default Patch Baseline for Redhat Enterprise Linux Provided by AWS.\",\"disabled\":false},\"ROCKY_LINUX\":{\"value\":\"arn:aws:ssm:us-east-1:123456789012:patchbaseline/pb-03ec98bc512aa3ac0\",\"label\":\"AWS-RockyLinuxDefaultPatchBaseline\",\"description\":\"Default Patch Baseline for Rocky Linux Provided by AWS.\",\"disabled\":false},\"UBUNTU\":{\"value\":\"pb-06e3563bd35503f2b\",\"label\":\"custom-UbuntuServer-Blog-Baseline\",\"description\":\"Default Patch Baseline for Ubuntu Provided by AWS.\",\"disabled\":false},\"WINDOWS\":{\"value\":\"pb-016889927b2bb8542\",\"label\":\"custom-WindowsServer-Blog-Baseline\",\"disabled\":false}}","TargetInstances":"","TargetOrganizationalUnits":"ou-9utf-example","TargetRegions":"us-east-1,us-east-2","TargetTagKey":"Patch","TargetTagValue":"true","TargetType":"Tags"}}' \
```
------
#### [ CloudFormation ]
```
AWSTemplateFormatVersion: '2010-09-09'
Resources:
SSMQuickSetupTestConfigurationManager:
Type: "AWS::SSMQuickSetup::ConfigurationManager"
Properties:
Name: "MyQuickSetup"
Description: "Test configuration manager"
ConfigurationDefinitions:
- Type: "AWSQuickSetupType-CFGRecording"
Parameters:
TargetAccounts:
Ref: AWS::AccountId
TargetRegions:
Ref: AWS::Region
LocalDeploymentAdministrationRoleArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/AWS-QuickSetup-StackSet-ContractTest-AdministrationRole"
LocalDeploymentExecutionRoleName: "AWS-QuickSetup-StackSet-ContractTest-ExecutionRole"
Tags:
foo1: "bar1"
```
------
# Supported Quick Setup configuration types
**Supported configuration types**
Quick Setup walks you through configuring operational best practices for a number of Systems Manager and other AWS services, and automatically deploying those configurations. The Quick Setup dashboard displays a real-time view of your configuration deployment status.
You can use Quick Setup in an individual AWS account or across multiple AWS accounts and Regions by integrating with AWS Organizations. Using Quick Setup across multiple accounts helps to ensure that your organization maintains consistent configurations.
Quick Setup provides support for the following configuration types.
+ [Set up Amazon EC2 host management using Quick Setup](quick-setup-host-management.md)
+ [Set up the Default Host Management Configuration for an organization using Quick Setup](quick-setup-default-host-management-configuration.md)
+ [Create an AWS Config configuration recorder using Quick Setup](quick-setup-config.md)
+ [Deploy AWS Config conformance pack using Quick Setup](quick-setup-cpack.md)
+ [Configure patching for instances in an organization using a Quick Setup patch policy](quick-setup-patch-manager.md)
+ [Change Manager organization setup](change-manager-organization-setup.md)
+ [Set up DevOps Guru using Quick Setup](quick-setup-devops.md)
+ [Deploy Distributor packages using Quick Setup](quick-setup-distributor.md)
+ [Stop and start EC2 instances automatically on a schedule using Quick Setup](quick-setup-scheduler.md)
+ [OpsCenter organization setup](OpsCenter-quick-setup-cross-account.md)
+ [Configure AWS Resource Explorer using Quick Setup](Resource-explorer-quick-setup.md)
# Set up Amazon EC2 host management using Quick Setup
Use Quick Setup, a tool in AWS Systems Manager, to quickly configure required security roles and commonly used Systems Manager tools on your Amazon Elastic Compute Cloud (Amazon EC2) instances. You can use Quick Setup in an individual account or across multiple accounts and AWS Regions by integrating with AWS Organizations. These tools help you manage and monitor the health of your instances while providing the minimum required permissions to get started.
If you're unfamiliar with Systems Manager services and features, we recommend that you review the *AWS Systems Manager User Guide* before creating a configuration with Quick Setup. For more information about Systems Manager, see [What is AWS Systems Manager?](what-is-systems-manager.md).
**Important**
Quick Setup might not be the right tool to use for EC2 management if either of the following applies to you:
You’re trying to create an EC2 instance for the first time to try out AWS capabilities.
You’re still new to EC2 instance management.
Instead, we recommend that you explore the following content:
[Getting Started with Amazon EC2](https://aws.amazon.com/ec2/getting-started)
[Launch an instance using the new launch instance wizard](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-instance-wizard.html) in the *Amazon EC2 User Guide*
[Tutorial: Get started with Amazon EC2 Linux instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EC2_GetStarted.html) in the *Amazon EC2 User Guide*
If you’re already familiar with EC2 instance management and want to streamline configuration and management for multiple EC2 instances, use Quick Setup. Whether your organization has dozens, thousands, or millions of EC2 instances, use the following Quick Setup procedure to configure multiple options for them, all at once.
**Note**
This configuration type lets you set multiple options for an entire organization defined in AWS Organizations, only some organizational accounts and Regions, or a single account. One of these options is to check for and apply updates to SSM Agent every two weeks. If you are an organization administrator, you can also choose to update *all* EC2 instances in your organization with agent updates every two weeks using the Default Host Management Configuration type. For information, see [Set up the Default Host Management Configuration for an organization using Quick Setup](quick-setup-default-host-management-configuration.md).
## Configuring host management options for EC2 instances
To set up host management, perform the following tasks in the AWS Systems Manager Quick Setup console.
**To open the Host Management configuration page**
1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).
1. In the navigation pane, choose **Quick Setup**.
1. On the **Host Management** card, choose **Create**.
**Tip**
If you already have one or more configurations in your account, first choose the **Library** tab or the **Create** button in the **Configurations** section to view the cards.
**To configure Systems Manager host management options**
+ To configure Systems Manager functionality, in the **Configuration options** section, choose the options in the **Systems Manager** group that you want to enable for your configuration:
**Update Systems Manager (SSM) Agent every two weeks**
Enables Systems Manager to check every two weeks for a new version of the agent. If there is a new version, then Systems Manager automatically updates the agent on your managed node to the latest released version. Quick Setup doesn't install the agent on instances where it's not already present. For information about which AMIs have SSM Agent preinstalled, see [Find AMIs with the SSM Agent preinstalled](ami-preinstalled-agent.md).
We encourage you to choose this option to ensure that your nodes are always running the most up-to-date version of SSM Agent. For more information about SSM Agent, including information about how to manually install the agent, see [Working with SSM Agent](ssm-agent.md).
**Collect inventory from your instances every 30 minutes**
Enables Quick Setup to configure collection of the following types of metadata:
+ **AWS components** – EC2 driver, agents, versions, and more.
+ **Applications** – Application names, publishers, versions, and more.
+ **Node details** – System name, operating system (OS) name, OS version, last boot, DNS, domain, work group, OS architecture, and more.
+ **Network configuration** – IP address, MAC address, DNS, gateway, subnet mask, and more.
+ **Services** – Name, display name, status, dependent services, service type, start type, and more (Windows Server nodes only).
+ **Windows roles** – Name, display name, path, feature type, installed state, and more (Windows Server nodes only).
+ **Windows updates** – Hotfix ID, installed by, installed date, and more (Windows Server nodes only).
For more information about Inventory, a tool in AWS Systems Manager, see [AWS Systems Manager Inventory](systems-manager-inventory.md).
The **Inventory collection** option can take up to 10 minutes to complete, even if you only selected a few nodes.
**Scan instances for missing patches daily**
Enables Patch Manager, a tool in Systems Manager, to scan your nodes daily and generate a report in the **Compliance** page. The report shows how many nodes are patch-compliant according to the *default patch baseline*. The report includes a list of each node and its compliance status.
For information about patching operations and patch baselines, see [AWS Systems Manager Patch Manager](patch-manager.md).
For information about patch compliance, see the Systems Manager [Compliance](https://console.aws.amazon.com/systems-manager/compliance) page.
For information about patching managed nodes in multiple accounts and Regions in one configuration, see [Patch policy configurations in Quick Setup](patch-manager-policies.md) and [Configure patching for instances in an organization using a Quick Setup patch policy](quick-setup-patch-manager.md).
Systems Manager supports several methods for scanning managed nodes for patch compliance. If you implement more than one of these methods at a time, the patch compliance information you see is always the result of the most recent scan. Results from previous scans are overwritten. If the scanning methods use different patch baselines, with different approval rules, the patch compliance information can change unexpectedly. For more information, see [Identifying the execution that created patch compliance data](patch-manager-compliance-data-overwrites.md).
**To configure Amazon CloudWatch host management options**
+ To configure CloudWatch functionality, in the **Configuration options** section, choose the options in the **Amazon CloudWatch** group that you want to enable for your configuration:
**Install and configure the CloudWatch agent**
Installs the basic configuration of the unified CloudWatch agent on your Amazon EC2 instances. The agent collects metrics and log files from your instances for Amazon CloudWatch. This information is consolidated so you can quickly determine the health of your instances. For more information about the CloudWatch agent basic configuration, see [CloudWatch agent predefined metric sets](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/create-cloudwatch-agent-configuration-file-wizard.html#cloudwatch-agent-preset-metrics). There might be added cost. For more information, see [Amazon CloudWatch pricing](https://aws.amazon.com/cloudwatch/pricing/).
**Update the CloudWatch agent once every 30 days**
Enables Systems Manager to check every 30 days for a new version of the CloudWatch agent. If there is a new version, Systems Manager updates the agent on your instance. We encourage you to choose this option to ensure that your instances are always running the most up-to-date version of the CloudWatch agent.
**To configure Amazon EC2 Launch Agent host management options**
+ To configure Amazon EC2 Launch Agent functionality, in the **Configuration options** section, choose the options in the ** Amazon EC2 Launch Agent** group that you want to enable for your configuration:
**Update the EC2 launch agent once every 30 days**
Enables Systems Manager to check every 30 days for a new version of the launch agent installed on your instance. If a new version is available, Systems Manager updates the agent on your instance. We encourage you to choose this option to ensure that your instances are always running the most up-to-date version of the applicable launch agent. For Amazon EC2 Windows instances, this option supports EC2Launch, EC2Launch v2, and EC2Config. For Amazon EC2 Linux instances, this option supports `cloud-init`. For Amazon EC2 Mac instances, this option supports `ec2-macos-init`. Quick Setup doesn't support updating launch agents that are installed on operating systems not supported by the launch agent, or on AL2023.
For more information about these initialization agents see the following topics:
+ [Configure a Windows instance using EC2Launch v2](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2launch-v2.html)
+ [Configure a Windows instance using EC2Launch](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2launch.html)
+ [Configure a Windows instance using the EC2Config service](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2config-service.html)
+ [cloud-init Documentation](https://cloudinit.readthedocs.io/en/22.2.2/index.html)
+ [ec2-macos-init](https://github.com/aws/ec2-macos-init)
**To select the EC2 instances to be updated by the host management configuration**
+ In the **Targets** section, choose the method to determine the accounts and Regions where the configuration is to be deployed:
**Note**
You can't create multiple Quick Setup Host Management configurations that target the same AWS Region.
------
#### [ Entire organization ]
Your configuration is deployed to all organizational units (OUs) and AWS Regions in your organization.
**Note**
The **Entire organization** option is only available if you're configuring host management from your organization's management account.
------
#### [ Custom ]
1. In the **Target OUs** section, select the OUs where you want to deploy this host management configuration.
1. In the **Target Regions** section, select the Regions where you want to deploy this host management configuration.
------
#### [ Current account ]
Choose one of the Region options and follow the steps for that option.
**Current Region**
Choose how to target instances in the current Region only:
+ **All instances** – The host management configuration automatically targets every EC2 in the current Region.
+ **Tag** – Choose **Add** and enter the key and optional value that is added to the instances to be targeted.
+ **Resource group** – For **Resource group**, select an existing resource group that contains the EC2 instances to be targeted.
+ **Manual** – In the **Instances** section, select the check box of each EC2 instance to be targeted.
**Choose Regions**
Choose how to target instances in the Region you specify by choosing one of the following:
+ **All instances** – All instances in the Regions you specify are targeted.
+ **Tag** – Choose **Add** and enter the key and optional value that has been added to the instances to be targeted.
In the **Target Regions** section, select the Regions where you want to deploy this host management configuration.
------
**To specify an instance profile option**
+ ***Entire organization** and **Custom** targets only.*
In the **Instance profile options** section, choose whether you want to add the required IAM policies to the existing instance profiles attached to your instances, or to allow Quick Setup to create the IAM policies and instance profiles with the permissions needed for the configuration you choose.
After specifying all your configuration choices, choose **Create**.
# Set up the Default Host Management Configuration for an organization using Quick Setup
With Quick Setup, a tool in AWS Systems Manager, you can activate Default Host Management Configuration for all accounts and Regions that have been added to your organization in AWS Organizations. This ensures that SSM Agent is kept up to date on all Amazon Elastic Compute Cloud (EC2) instances in the organization, and that they can connect to Systems Manager.
**Before you begin**
Ensure that the following requirements are met before enabling this setting.
+ The latest version of SSM Agent is already installed on all EC2 instances to be managed in your organization.
+ Your EC2 instances to be managed are using Instance Metadata Service Version 2 (IMDSv2).
+ You are signed in to the management account for your organization, as specified in AWS Organizations, using an AWS Identity and Access Management (IAM) identity (user, role, or group) with administrator permissions.
**Using the default EC2 instance management role**
Default Host Management Configuration makes use of the `default-ec2-instance-management-role` service setting for Systems Manager. This is a role with permissions that you want made available to all accounts in your organization to allow communication between SSM Agent on the instance and the Systems Manager service in the cloud.
If you have already set this role using the [https://docs.aws.amazon.com/cli/latest/reference/ssm/update-service-setting.html](https://docs.aws.amazon.com/cli/latest/reference/ssm/update-service-setting.html) CLI command, Default Host Management Configuration uses that role. If you have not set this role yet, Quick Setup will create and apply the role for you.
To check whether this role has already been specified for your organization, use the [https://docs.aws.amazon.com/cli/latest/reference/ssm/get-service-setting.html](https://docs.aws.amazon.com/cli/latest/reference/ssm/get-service-setting.html) command.
## Enable automatic updates of SSM Agent every two weeks
Use the following procedure to enable the Default Host Management Configuration option for your entire AWS Organizations organization.
**To enable automatic updates of SSM Agent every two weeks**
1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).
1. In the navigation pane, choose **Quick Setup**.
1. On the **Default Host Management Configuration** card, choose **Create**.
**Tip**
If you already have one or more configurations in your account, first choose the **Library** tab or the **Create** button in the **Configurations** section to view the cards.
1. In the **Configuration options** section, select **Enable automatic updates of SSM Agent every two weeks**.
1. Choose **Create**
# Create an AWS Config configuration recorder using Quick Setup
With Quick Setup, a tool in AWS Systems Manager, you can quickly create a configuration recorder powered by AWS Config. Use the configuration recorder to detect changes in your resource configurations and capture the changes as configuration items. If you're unfamiliar with AWS Config, we recommend learning more about the service by reviewing the content in the *AWS Config Developer Guide* before creating a configuration with Quick Setup. For more information about AWS Config, see [What is AWS Config?](https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html) in the *AWS Config Developer Guide*.
By default, the configuration recorder records all supported resources in the AWS Region where AWS Config is running. You can customize the configuration so that only the resource types you specify are recorded. For more information, see [Selecting which resources AWS Config records](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html) in the *AWS Config Developer Guide*.
You're charged service usage fees when AWS Config starts recording configurations. For pricing information, see [AWS Config pricing](https://aws.amazon.com/config/pricing/).
**Note**
If you've already created a configuration recorder, Quick Setup doesn't stop recording or make any changes to resource types that you're already recording. If you choose to record additional resource types using Quick Setup, the service appends them to your existing recorder groups. Deleting the Quick Setup **Config recording** configuration type doesn't stop the configuration recorder. Changes continue to be recorded, and service usage fees apply until you stop the configuration recorder. To learn more about managing the configuration recorder, see [Managing the Configuration Recorder](https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html) in the *AWS Config Developer Guide*.
To set up AWS Config recording, perform the following tasks in the AWS Systems Manager console.
**To set up AWS Config recording with Quick Setup**
1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).
1. In the navigation pane, choose **Quick Setup**.
1. On the **Config Recording** card, choose **Create**.
**Tip**
If you already have one or more configurations in your account, first choose the **Library** tab or the **Create** button in the **Configurations** section to view the cards.
1. In the **Configuration options** section, do the following:
1. For **Choose the AWS resource types to record**, specify whether to record all supported resources or only the resource types you choose.
1. For **Delivery settings, specify whether to create a new Amazon Simple Storage Service (Amazon S3) bucket, or choose an existing bucket to send configuration snapshots to. **
1. For **Notification options**, choose the notification option you prefer. AWS Config uses Amazon Simple Notification Service (Amazon SNS) to notify you about important AWS Config events related to your resources. If you choose the **Use existing SNS topics** option, you must provide the AWS account ID and name of the existing Amazon SNS topic in that account you want to use. If you target multiple AWS Regions, the topic names must be identical in each Region.
1. In the **Schedule** section, choose how frequently you want Quick Setup to remediate changes made to resources that differ from your configuration. The **Default** option runs once. If you don't want Quick Setup to remediate changes made to resources that differ from your configuration, choose **Disable remediation** under **Custom**.
1. In the **Targets** section, choose one of the following to identify the accounts and Regions for recording.
**Note**
If you are working in a single account, options for working with organizations and organizational units (OUs) are not available. You can choose whether to apply this configuration to all AWS Regions in your account or only the Regions you select.
+ **Entire organization** – All accounts and Regions in your organization.
+ **Custom** – Only the OUs and Regions that you specify.
+ In the **Target OUs** section, select the OUs where you want to allow recording.
+ In the **Target Regions** section, select the Regions where you want to allow recording.
+ **Current account** – Only the Regions you specify in the account you are currently signed into are targeted. Choose one of the following:
+ **Current Region** – Only managed nodes in the Region selected in the console are targeted.
+ **Choose Regions** – Choose the individual Regions to apply the recording configuration to.
1. Choose **Create**.
# Deploy AWS Config conformance pack using Quick Setup
A conformance pack is a collection of AWS Config rules and remediation actions. With Quick Setup, you can deploy a conformance pack as a single entity in an account and an AWS Region or across an organization in AWS Organizations. This helps you manage configuration compliance of your AWS resources at scale, from policy definition to auditing and aggregated reporting, by using a common framework and packaging model.
To deploy conformance packs, perform the following tasks in the AWS Systems Manager Quick Setup console.
**Note**
You must enable AWS Config recording before deploying this configuration. For more information, see [Conformance packs](https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html) in the *AWS Config Developer Guide*.
**To deploy conformance packs with Quick Setup**
1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).
1. In the navigation pane, choose **Quick Setup**.
1. On the **Conformance Packs** card, choose **Create**.
**Tip**
If you already have one or more configurations in your account, first choose the **Library** tab or the **Create** button in the **Configurations** section to view the cards.
1. In the **Choose conformance packs** section, choose the conformance packs you want to deploy.
1. In the **Schedule** section, choose how frequently you want Quick Setup to remediate changes made to resources that differ from your configuration. The **Default** option runs once. If you don't want Quick Setup to remediate changes made to resources that differ from your configuration, choose **Disabled** under **Custom**.
1. In the **Targets** section, choose whether to deploy conformance packs to your entire organization, some AWS Regions, or the account you're currently logged in to.
If you choose **Entire organization**, continue to step 8.
If you choose **Custom**, continue to step 7.
1. In the **Target Regions** section, select the check boxes of the Regions you want to deploy conformance packs to.
1. Choose **Create**.
# Configure patching for instances in an organization using a Quick Setup patch policy
With Quick Setup, a tool in AWS Systems Manager, you can create patch policies powered by Patch Manager. A patch policy defines the schedule and baseline to use when automatically patching your Amazon Elastic Compute Cloud (Amazon EC2) instances and other managed nodes. Using a single patch policy configuration, you can define patching for all accounts in multiple AWS Regions in your organization, for only the accounts and Regions you choose, or for a single account-Region pair. For more information about patch policies, see [Patch policy configurations in Quick Setup](patch-manager-policies.md).
**Prerequisite**
To define a patch policy for a node using Quick Setup, the node must be a *managed node*. For more information about managing your nodes, see [Setting up Systems Manager unified console for an organization](systems-manager-setting-up-organizations.md).
**Important**
**Patch compliance scanning methods** – Systems Manager supports several methods for scanning managed nodes for patch compliance. If you implement more than one of these methods at a time, the patch compliance information you see is always the result of the most recent scan. Results from previous scans are overwritten. If the scanning methods use different patch baselines, with different approval rules, the patch compliance information can change unexpectedly. For more information, see [Identifying the execution that created patch compliance data](patch-manager-compliance-data-overwrites.md).
**Association compliance status and patch policies** – The patching status for a managed node that's under a Quick Setup patch policy matches the status of the State Manager association execution for that node. If the association execution status is `Compliant`, the patching status for the managed node is also marked `Compliant`. If the association execution status is `Non-Compliant`, the patching status for the managed node is also marked `Non-Compliant`.
## Supported Regions for patch policy configurations
Patch policy configurations in Quick Setup are currently supported in the following Regions:
+ US East (Ohio) (us-east-2)
+ US East (N. Virginia) (us-east-1)
+ US West (N. California) (us-west-1)
+ US West (Oregon) (us-west-2)
+ Asia Pacific (Mumbai) (ap-south-1)
+ Asia Pacific (Seoul) (ap-northeast-2)
+ Asia Pacific (Singapore) (ap-southeast-1)
+ Asia Pacific (Sydney) (ap-southeast-2)
+ Asia Pacific (Tokyo) (ap-northeast-1)
+ Canada (Central) (ca-central-1)
+ Europe (Frankfurt) (eu-central-1)
+ Europe (Ireland) (eu-west-1)
+ Europe (London) (eu-west-2)
+ Europe (Paris) (eu-west-3)
+ Europe (Stockholm) (eu-north-1)
+ South America (São Paulo) (sa-east-1)
## Permissions for the patch policy S3 bucket
When you create a patch policy, Quick Setup creates an Amazon S3 bucket that contains a file named `baseline_overrides.json`. This file stores information about the patch baselines that you specified for your patch policy.
The S3 bucket is named in the format `aws-quicksetup-patchpolicy-account-id-quick-setup-configuration-id`.
For example: `aws-quicksetup-patchpolicy-123456789012-abcde`
If you're creating a patch policy for an organization, the bucket is created in your organization's management account.
There are two use cases when you must provide other AWS resources with permission to access this S3 bucket using AWS Identity and Access Management (IAM) policies:
+ [Case 1: Use your own instance profile or service role with your managed nodes instead of one provided by Quick Setup](#patch-policy-instance-profile-service-role)
+ [Case 2: Use VPC endpoints to connect to Systems Manager](#patch-policy-vpc)
The permissions policy you need in either case is located in the section below, [Policy permissions for Quick Setup S3 buckets](#patch-policy-bucket-permissions).
### Case 1: Use your own instance profile or service role with your managed nodes instead of one provided by Quick Setup
Patch policy configurations include an option to **Add required IAM policies to existing instance profiles attached to your instances**.
If you don't choose this option but want Quick Setup to patch your managed nodes using this patch policy, you must ensure that the following are implemented:
+ The IAM managed policy `AmazonSSMManagedInstanceCore` must be attached to the [IAM instance profile](setup-instance-permissions.md) or [IAM service role](hybrid-multicloud-service-role.md) that's used to provide Systems Manager permissions to your managed nodes.
+ You must add permissions to access your patch policy bucket as an inline policy to the IAM instance profile or IAM service role. You can provide wildcard access to all `aws-quicksetup-patchpolicy` buckets or only the specific bucket created for your organization or account, as shown in the earlier code samples.
+ You must tag your IAM instance profile or IAM service role with the following key-value pair.
`Key: QSConfigId-quick-setup-configuration-id, Value: quick-setup-configuration-id`
*quick-setup-configuration-id* represents the value of the parameter applied to the AWS CloudFormation stack that is used in creating your patch policy configuration. To retrieve this ID, do the following:
1. Open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).
1. Select the name of the stack that is used to create your patch policy. The name is in a format such as `StackSet-AWS-QuickSetup-PatchPolicy-LA-q4bkg-52cd2f06-d0f9-499e-9818-d887cEXAMPLE`.
1. Choose the **Parameters** tab.
1. In the **Parameters** list, in the **Key** column, locate the key **QSConfigurationId**. In the **Value** column for its row, locate the configuration ID, such as `abcde`.
In this example, for the tag to apply to your instance profile or service role, the key is `QSConfigId-abcde`, and the value is `abcde`.
For information about adding tags to an IAM role, see [Tagging IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags_roles.html#id_tags_roles_procs-console) and [Managing tags on instance profiles (AWS CLI or AWS API)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags_instance-profiles.html#id_tags_instance-profile_procs-cli-api) in the *IAM User Guide*.
### Case 2: Use VPC endpoints to connect to Systems Manager
If you use VPC endpoints to connect to Systems Manager, your VPC endpoint policy for S3 must allow access to your Quick Setup patch policy S3 bucket.
For information about adding permissions to a VPC endpoint policy for S3, see [Controlling access from VPC endpoints with bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies-vpc-endpoint.html) in the *Amazon S3 User Guide*.
### Policy permissions for Quick Setup S3 buckets
You can provide wildcard access to all `aws-quicksetup-patchpolicy` buckets or only the specific bucket created for your organization or account. To provide the necessary permissions for the two cases described below, use either format.
------
#### [ All patch policy buckets ]
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AccessToAllPatchPolicyRelatedBuckets",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::aws-quicksetup-patchpolicy-*"
}
]
}
```
------
------
#### [ Specific patch policy bucket ]
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AccessToMyPatchPolicyRelatedBucket",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::aws-quicksetup-patchpolicy-111122223333-quick-setup-configuration-id"
}
]
}
```
------
**Note**
After the patch policy configuration is created, you can locate the full name of your bucket in the S3 console. For example: `aws-quicksetup-patchpolicy-123456789012-abcde`
------
## Random patch baseline IDs in patch policy operations
Patching operations for patch policies utilize the `BaselineOverride` parameter in the `AWS-RunPatchBaseline` SSM Command document.
When you use `AWS-RunPatchBaseline` for patching *outside* of a patch policy, you can use `BaselineOverride` to specify a list of patch baselines to use during the operation that are different from the specified defaults. You create this list in a file named `baseline_overrides.json` and manually add it to an Amazon S3 bucket that you own, as explained in [Using the BaselineOverride parameter](patch-manager-baselineoverride-parameter.md).
For patching operations based on patch policies, however, Systems Manager automatically creates an S3 bucket and adds a `baseline_overrides.json` file to it. Then, every time Quick Setup runs a patching operation (using the Run Command tool, the system generates a random ID for each patch baseline. This ID is different for every patch policy patching operation, and the patch baseline it represents is not stored or accessible to you in your account.
As a result, you will not see the ID of the patch baseline selected in your configuration in patching logs. This applies to both AWS managed patch baselines and custom patch baselines you might have selected. The baseline ID reported in the log is instead that one that was generated for that specific patching operation.
In addition, if you attempt to view details in Patch Manager about a patch baseline that was generated with a random ID, the system reports that the patch baseline doesn't exist. This is expected behavior and can be ignored.
## Creating a patch policy
To create a patch policy, perform the following tasks in the Systems Manager console.
**To create a patch policy with Quick Setup**
1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).
If you are setting up patching for an organization, make sure you are signed in to the management account for the organization. You can't set up the policy using the delegated administrator account or a member account.
1. In the navigation pane, choose **Quick Setup**.
1. On the **Patch Manager** card, choose **Create**.
**Tip**
If you already have one or more configurations in your account, first choose the **Library** tab or the **Create** button in the **Configurations** section to view the cards.
1. For **Configuration name**, enter a name to help identify the patch policy.
1. In the **Scanning and installation** section, under **Patch operation**, choose whether the patch policy will **Scan** the specified targets or **Scan and install** patches on the specified targets.
1. Under **Scanning schedule**, choose **Use recommended defaults** or **Custom scan schedule**. The default scan schedule will scan your targets daily at 1:00 AM UTC.
+ If you choose **Custom scan schedule**, select the **Scanning frequency**.
+ If you choose **Daily**, enter the time, in UTC, that you want to scan your targets.
+ If you choose **Custom CRON Expression**, enter the schedule as a **CRON expression**. For more information about formatting CRON expressions for Systems Manager, see [Reference: Cron and rate expressions for Systems Manager](reference-cron-and-rate-expressions.md).
Also, select **Wait to scan targets until first CRON interval**. By default, Patch Manager immediately scans nodes as they become targets.
1. If you chose **Scan and install**, choose the **Installation schedule** to use when installing patches to the specified targets. If you choose **Use recommended defaults**, Patch Manager will install weekly patches at 2:00 AM UTC on Sunday.
+ If you choose **Custom install schedule**, select the **Installation Frequency**.
+ If you choose **Daily**, enter the time, in UTC, that you want to install updates on your targets.
+ If you choose **Custom CRON expression**, enter the schedule as a **CRON expression**. For more information about formatting CRON expressions for Systems Manager, see [Reference: Cron and rate expressions for Systems Manager](reference-cron-and-rate-expressions.md).
Also, clear **Wait to install updates until first CRON interval** to immediately install updates on nodes as they become targets. By default, Patch Manager waits until the first CRON interval to install updates.
+ Choose **Reboot if needed** to reboot the nodes after patch installation. Rebooting after installation is recommended but can cause availability issues.
1. In the **Patch baseline** section, choose the patch baselines to use when scanning and updating your targets.
By default, Patch Manager uses the predefined patch baselines. For more information, see [Predefined baselines](patch-manager-predefined-and-custom-patch-baselines.md#patch-manager-baselines-pre-defined).
If you choose **Custom patch baseline**, change the selected patch baseline for operating systems that you don't want to use a predefined AWS patch baseline.
**Note**
If you use VPC endpoints to connect to Systems Manager, make sure your VPC endpoint policy for S3 allows access to this S3 bucket. For more information, see [Permissions for the patch policy S3 bucket](#patch-policy-s3-bucket-permissions).
**Important**
If you are using a [patch policy configuration](patch-manager-policies.md) in Quick Setup, updates you make to custom patch baselines are synchronized with Quick Setup once an hour.
If a custom patch baseline that was referenced in a patch policy is deleted, a banner displays on the Quick Setup **Configuration details** page for your patch policy. The banner informs you that the patch policy references a patch baseline that no longer exists, and that subsequent patching operations will fail. In this case, return to the Quick Setup **Configurations** page, select the Patch Manager configuration , and choose **Actions**, **Edit configuration**. The deleted patch baseline name is highlighted, and you must select a new patch baseline for the affected operating system.
1. (Optional) In the **Patching log storage** section, select **Write output to S3 bucket** to store patching operation logs in an Amazon S3 bucket.
**Note**
If you are setting up a patch policy for an organization, the management account for your organization must have at least read-only permissions for this bucket. All organization units included in the policy must have write-access to the bucket. For information about granting bucket access to different accounts, see [Example 2: Bucket owner granting cross-account bucket permissions](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-walkthroughs-managing-access-example2.html) in the *Amazon Simple Storage Service User Guide*.
1. Choose **Browse S3** to select the bucket that you want to store patch log output in. The management account must have read access to this bucket. All non-management accounts and targets configured in the **Targets** section must have write access to the provided S3 bucket for logging.
1. In the **Targets** section, choose one of the following to identify the accounts and Regions for this patch policy operation.
**Note**
If you are working in a single account, options for working with organizations and organizational units (OUs) are not available. You can choose whether to apply this configuration to all AWS Regions in your account or only the Regions you select.
If you previously specified a Home Region for you account and haven't onboarded to the new Quick Setup console experience, you can't exclude that Region from the **Targets** configuration.
+ **Entire organization** – All accounts and Regions in your organization.
+ **Custom** – Only the OUs and Regions that you specify.
+ In the **Target OUs** section, select the OUs where you want to set up the patch policy.
+ In the **Target Regions** section, select the Regions where you want to apply the patch policy.
+ **Current account** – Only the Regions you specify in the account you are currently signed into are targeted. Choose one of the following:
+ **Current Region** – Only managed nodes in the Region selected in the console are targeted.
+ **Choose Regions** – Choose the individual Regions to apply the patch policy to.
1. For **Choose how you want to target instances**, choose one of the following to identify the nodes to patch:
+ **All managed nodes** – All managed nodes in the selected OUs and Regions.
+ **Specify the resource group** – Choose the name of a resource group from the list to target its associated resources.
**Note**
Currently, selecting resource groups is supported only for single account configurations. To patch resources in multiple accounts, choose a different targeting option.
+ **Specify a node tag** – Only nodes tagged with the key-value pair that you specify are patched in all accounts and Regions you have targeted.
+ **Manual** – Choose managed nodes from all specified accounts and Regions manually from a list.
**Note**
This option currently supports only Amazon EC2 instances. You can add a maximum of 25 instances manually in a patch policy configuration.
1. In the **Rate control** section, do the following:
+ For **Concurrency**, enter a number or percentage of nodes to run the patch policy on at the same time.
+ For **Error threshold**, enter the number or percentage of nodes that can experience an error before the patch policy fails.
1. (Optional) Select the **Add required IAM policies to existing instance profiles attached to your instances** check box.
This selection applies the IAM policies created by this Quick Setup configuration to nodes that already have an instance profile attached (EC2 instances) or a service role attached (hybrid-activated nodes). We recommend this selection when your managed nodes already have an instance profile or service role attached, but it doesn't contain all the permissions required for working with Systems Manager.
Your selection here is applied to managed nodes created later in the accounts and Regions that this patch policy configuration applies to.
**Important**
If you don't select this check box but want Quick Setup to patch your managed nodes using this patch policy, you must do the following:
Add permissions to your [IAM instance profile](setup-instance-permissions.md) or [IAM service role](hybrid-multicloud-service-role.md) to access the S3 bucket created for your patch policy
Tag your IAM instance profile or IAM service role with a specific key-value pair.
For information, see [Case 1: Use your own instance profile or service role with your managed nodes instead of one provided by Quick Setup](#patch-policy-instance-profile-service-role).
1. Choose **Create**.
To review patching status after the patch policy is created, you can access the configuration from the [https://console.aws.amazon.com/systems-manager/quick-setup](https://console.aws.amazon.com/systems-manager/quick-setup) page.
# Set up DevOps Guru using Quick Setup
You can quickly configure DevOps Guru options by using Quick Setup. Amazon DevOps Guru is a machine learning (ML) powered service that makes it easy to improve an application's operational performance and availability. DevOps Guru detects behaviors that are different from normal operating patterns so you can identify operational issues long before they impact your customers. DevOps Guru automatically ingests operational data from your AWS applications and provides a single dashboard to visualize issues in your operational data. You can get started with DevOps Guru to improve application availability and reliability with no manual setup or machine learning expertise.
Configuring DevOps Guru with Quick Setup is available in the following AWS Regions:
+ US East (N. Virginia)
+ US East (Ohio)
+ US West (Oregon)
+ Europe (Frankfurt)
+ Europe (Ireland)
+ Europe (Stockholm)
+ Asia Pacific (Singapore)
+ Asia Pacific (Sydney)
+ Asia Pacific (Tokyo)
For pricing information, see [Amazon DevOps Guru pricing](https://aws.amazon.com/devops-guru/pricing/).
To set up DevOps Guru, perform the following tasks in the AWS Systems Manager Quick Setup console.
**To set up DevOps Guru with Quick Setup**
1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).
1. In the navigation pane, choose **Quick Setup**.
1. On the **DevOps Guru** card, choose **Create**.
**Tip**
If you already have one or more configurations in your account, first choose the **Library** tab or the **Create** button in the **Configurations** section to view the cards.
1. In the **Configuration options** section, choose the AWS resource types you want to analyze and your notification preferences.
If you don't select the **Analyze all AWS resources in all the accounts in my organization** option, you can choose AWS resources to analyze later in the DevOps Guru console. DevOps Guru analyzes different AWS resource types (such as Amazon Simple Storage Service (Amazon S3) buckets and Amazon Elastic Compute Cloud (Amazon EC2) instances), which are categorized into two pricing groups. You pay for the AWS resource hours analyzed, for each active resource. A resource is only active if it produces metrics, events, or log entries within an hour. The rate you're charged for a specific AWS resource type depends on the price group.
If you select the **Enable SNS notifications** option, an Amazon Simple Notification Service (Amazon SNS) topic is created in each AWS account in the organizational units (OUs) you target with your configuration. DevOps Guru uses the topic to notify you about important DevOps Guru events, such as the creation of a new insight. If you don't enable this option, you can add a topic later in the DevOps Guru console.
If you select the **Enable AWS Systems Manager OpsItems** option, operational work items (OpsItems) will be created for related Amazon EventBridge events and Amazon CloudWatch alarms.
1. In the **Schedule** section, choose how frequently you want Quick Setup to remediate changes made to resources that differ from your configuration. The **Default** option runs once. If you don't want Quick Setup to remediate changes made to resources that differ from your configuration, choose **Disabled** under **Custom**.
1. In the **Targets** section, choose whether to allow DevOps Guru to analyze resources in some of your organizational units (OUs), or the account you're currently logged in to.
If you choose **Custom**, continue to step 8.
If you choose **Current account**, continue to step 9.
1. In the **Target OUs** and **Target Regions** sections, select the check boxes of the OUs and Regions where you want to use DevOps Guru.
1. Choose the Regions where you want to use DevOps Guru in the current account.
1. Choose **Create**.
# Deploy Distributor packages using Quick Setup
Distributor is a tool in AWS Systems Manager. A Distributor package is a collection of installable software or assets that can be deployed as a single entity. With Quick Setup, you can deploy a Distributor package in an AWS account and an AWS Region or across an organization in AWS Organizations. Currently, only the EC2Launch v2 agent, Amazon Elastic File System (Amazon EFS) utilities package and Amazon CloudWatch agent can be deployed with Quick Setup. For more information about Distributor, see [AWS Systems Manager Distributor](distributor.md).
To deploy Distributor packages, perform the following tasks in the AWS Systems Manager Quick Setup console.
**To deploy Distributor packages with Quick Setup**
1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).
1. In the navigation pane, choose **Quick Setup**.
1. On the **Distributor** card, choose **Create**.
**Tip**
If you already have one or more configurations in your account, first choose the **Library** tab or the **Create** button in the **Configurations** section to view the cards.
1. In the **Configuration options** section, choose the package you want to deploy.
1. In the **Targets** section, choose whether to deploy the package to your entire organization, some of your organizational units (OUs), or the account you're currently logged in to.
If you choose **Entire organization**, continue to step 8.
If you choose **Custom**, continue to step 7.
1. In the **Target OUs** section, select the check boxes of the OUs and Regions you want to deploy the package to.
1. Choose **Create**.
# Stop and start EC2 instances automatically on a schedule using Quick Setup
With Quick Setup, a tool in AWS Systems Manager, you can configure Resource Scheduler to automate the starting and stopping of Amazon Elastic Compute Cloud (Amazon EC2) instances.
This Quick Setup configuration helps you reduce operational costs by starting and stopping instances according to the schedule that you specify. This tool helps you avoid incurring unnecessary costs for running instances when they’re not needed.
For example, you currently might leave your instances running constantly, even though they’re only used 10 hours a day, 5 days a week. Instead, you can schedule your instances to stop every day after business hours. As a result, there would be 70 percent savings for those instances because the running time is reduced from 168 hours to 50 hours. There is no cost to use Quick Setup. However, costs can be incurred by the resources you set up and the usage limits with no fees for the services used to set up your configuration.
Using Resource Scheduler, you can choose to automatically stop and start instances across multiple AWS Regions and AWS accounts according to a schedule you define. The Quick Setup configuration targets Amazon EC2 instances using the tag key and value that you specify. Only the instances with a tag matching the value that you specify in your configuration are stopped or started by Resource Scheduler. Note that if the Amazon EBS volumes attached to the instance are encrypted, you must add the required permissions for the AWS KMS key to the IAM role for Resource Scheduler to start the instance.
**Maximum instances per configuration**
An individual configuration supports scheduling up to 5,000 instances per Region. If your case requires more than 5,000 instances to be scheduled in a given Region, you must create multiple configurations. Tag your instances accordingly so each configuration is managing up to 5,000 instances. When creating multiple Resource Scheduler Quick Setup configurations, you must specify different tag key values. For example, one configuration can use the tag key `Environment` with the value `Production`, while another uses `Environment` and `Development`.
**Scheduling behaviors**
The following points describe certain behaviors of schedule configurations:
+ Resource Scheduler starts the tagged instances only if they are in the `Stopped` state. Similarly, instances are only stopped if they are in the `running` state. Resource Scheduler operates on an event driven model and only starts or stops instances at the times that you specify. For example, you create a schedule that starts instances at 9 AM. Resource Scheduler starts all instances associated with the tag you specify that are in the `Stopped` state at 9 AM. If the instances are manually stopped at a later time, Resource Scheduler will not start them again to maintain the `Running` state. Similarly, if an instance is started manually after it was stopped according to your schedule, Resource Scheduler will not stop the instance again.
+ If you create a schedule with a start time that is later in a 24-hour day than the stop time, Resource Scheduler assumes your instances are to run overnight. For example, you create a schedule that starts instances at 9 PM, and stops instances at 7 AM. Resource Scheduler starts all instances associated with the tag you specify that are in the `Stopped` state at 9 PM, and stops them at 7 AM the following day. For overnight schedules, the start time applies to the days you select for your schedule. However, the stop time applies to the following day in your schedule.
+ When you create a schedule configuration, the current state of your instances might be changed to match the requirements of the schedule.
For example, say that today is a Wednesday, and you specify a schedule for your managed instances to start at 9 AM and stop at 5 PM on Tuesdays and Thursdays *only*. Because your current time is outside of the prescribed hours for the instances to be running, they will be stopped after the configuration is created. The instances won't run again until the next prescribed hour, 9 AM on Thursday.
If your instances are currently in a `Stopped` state, and you specify a schedule in which they would be running at the current time, Resource Scheduler starts them after the configuration is created.
If you delete your configuration, instances are no longer stopped and started according to the previously defined schedule. In rare cases, instances might not successfully stop or start due to API operation failures.
To set up scheduling for Amazon EC2 instances, perform the following tasks in the AWS Systems Manager Quick Setup console.
**To set up instance scheduling with Quick Setup**
1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).
1. In the navigation pane, choose **Quick Setup**.
1. On the **Resource Scheduler** card, choose **Create**.
**Tip**
If you already have one or more configurations in your account, first choose the **Library** tab or the **Create** button in the **Configurations** section to view the cards.
1. In the **Instance tag** section, specify the tag key and value applied to the instances you want to associate with your schedule.
1. In the **Schedule options** section, specify the time zone, days, and times you want to start and stop your instances.
1. In the **Targets** section, choose whether to set scheduling for a **Custom** group of organizational units (OUs), or the **Current account** you're signed in to:
+ **Custom** – In the **Target OUs** section, select the OUs where you want to set up scheduling. Next, in the **Target Regions** section, select the Regions where you want to set up scheduling.
+ **Current account** – Select **Current Region** or **Choose Regions**. If you selected **Choose Regions**, choose the **Target Regions** where you want to set up scheduling.
1. Verify the schedule information in the **Summary** section.
1. Choose **Create**.
# Configure AWS Resource Explorer using Quick Setup
With Quick Setup, a tool in AWS Systems Manager, you can quickly configure AWS Resource Explorer to search and discover resources in your AWS account or across an entire AWS organization. You can search for your resources using metadata like names, tags, and IDs. AWS Resource Explorer provides fast responses to your search queries by using *indexes*. Resource Explorer creates and maintains indexes using a variety of data sources to gather information about resources in your AWS account.
Quick Setup for Resource Explorer automates the index configuration process. For more information about AWS Resource Explorer, see [ What is AWS Resource Explorer?](https://docs.aws.amazon.com/resource-explorer/latest/userguide/welcome.html) in the AWS Resource Explorer User Guide.
During Quick Setup, Resource Explorer does the following:
+ Creates an index in every AWS Region in your AWS account.
+ Updates the index in the Region you specify to be the aggregator index for the account.
+ Creates a default view in the aggregator index Region. This view has no filters so it returns all resources found in the index.
**Minimum permissions**
To perform the steps in the following procedure, you must have the following permissions:
+ **Action**: `resource-explorer-2:*` – **Resource**: no specific resource (`*`)
+ **Action**: `iam:CreateServiceLinkedRole` – **Resource**: no specific resource (`*`)
**To configure Resource Explorer**
1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).
1. In the navigation pane, choose **Quick Setup**.
1. On the **Resource Explorer** card, choose **Create**.
1. In the **Aggregator Index Region** section, choose which Region you want to contain the **aggregator index**. You should select the Region that is appropriate for the geographic location for your users.
1. (Optional) Select the **Replace existing aggregator indexes in Regions other than the one selected above** check box.
1. In the **Targets** section, choose the target **organization** or specific **Organizational Units (OUs)** containing the resources you want to discover.
1. In the **Regions** section, choose which **Regions** to include in the configuration.
1. Review the configuration summary, and then choose **Create**.
On the **Resource Explorer** page, you can monitor the configuration status.
# Troubleshooting Quick Setup results
Use the following information to help you troubleshoot problems with Quick Setup, a tool in AWS Systems Manager. This topic includes specific tasks to resolve issues based on the type of Quick Setup issue.
**Issue: Failed deployment**
A deployment fails if the CloudFormation stack set failed during creation. Use the following steps to investigate a deployment failure.
1. Navigate to the [AWS CloudFormation console](https://console.aws.amazon.com/cloudformation).
1. Choose the stack created by your Quick Setup configuration. The **Stack name** includes `QuickSetup` followed by the type of configuration you chose, such as `SSMHostMgmt`.
**Note**
CloudFormation sometimes deletes failed stack deployments. If the stack isn't available in the **Stacks** table, choose **Deleted** from the filter list.
1. View the **Status** and **Status reason**. For more information about stack statuses, see [Stack status codes](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-view-stack-data-resources.html#cfn-console-view-stack-data-resources-status-codes) in the *AWS CloudFormation User Guide*.
1. To understand the exact step that failed, view the **Events** tab and review each event's **Status**.
1. Review [Troubleshooting](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/troubleshooting.html) in the *AWS CloudFormation User Guide*.
1. If you are unable to resolve the deployment failure using the CloudFormation troubleshooting steps, delete the configuration and reconfigure it.
**Issue: Failed association**
The **Configuration details** table on the **Configuration details** page of your configuration shows a **Configuration status** of **Failed** if any of the associations failed during set up. Use the following steps to troubleshoot a failed association.
1. In the **Configuration details** table, choose the failed configuration and then choose **View Details**.
1. Copy the **Association name**.
1. Navigate to **State Manager** and paste the association name into the search field.
1. Choose the association and choose the **Execution history** tab.
1. Under **Execution ID**, choose the association execution that failed.
1. The **Association execution targets** page lists all of the nodes where the association ran. Choose the **Output** button for an execution that failed to run.
1. In the **Output** page, choose **Step - Output** to view the error message for that step in the command execution. Each step can display a different error message. Review the error messages for all steps to help troubleshoot the issue.
If viewing the step output doesn't solve the problem, then you can try to recreate the association. To recreate the association, first delete the failing association in State Manager. After deleting the association, edit the configuration and choose the option you deleted and choose **Update**.
To investigate **Failed** associations for an **Organization** configuration, you must sign in to the account with the failed association and use the following failed association procedure, previously described. The **Association ID** isn't a hyperlink to the target account when viewing results from the management account.
**Issue: Drift status**
When viewing a configuration's details page, you can view the drift status of each deployment. Configuration drift occurs whenever a user makes any change to a service or feature that conflicts with the selections made through Quick Setup. If an association has changed after the initial configuration, the table displays a warning icon that indicates the number of items that have drifted. You can determine what caused the drift by hovering over the icon.
When an association is deleted in State Manager, the related deployments display a drift warning. To fix this, edit the configuration and choose the option that was removed when the association was deleted. Choose **Update** and wait for the deployment to complete.