Document history - AWS Systems Manager

Document history

The following table describes the important changes to the documentation since the last release of AWS Systems Manager. For notification about updates to this documentation, you can subscribe to an RSS feed.

Change | Description | Date

SSM Agent and Patch Manager support for additional versions: CentOS Stream, Ubuntu Server, and Windows Server

Patch Manager now supports CentOS Stream 9, Ubuntu Server 24.10, and Windows Server 2025. SSM Agent now supports Ubuntu Server 24.10 and Windows Server 2025. (Agent support for CentOS Stream 9 was previously released.) For complete lists of supported OSs and versions, see the following topics:

November 22, 2024

New topic: AWS KMS encryption for Parameter Store SecureString parameters

Learn how AWS Systems Manager Parameter Store uses AWS Key Management Service to encrypt the values of SecureString parameters in Parameter Store in the following topic:

November 22, 2024

New and updated managed policies for Systems Manager

To support new features for Systems Manager, we are releasing multiple new managed policies to support new Systems Manager configurations and operations, and updating other managed policies. For more information, see Systems Manager updates to AWS managed policies.

November 21, 2024

A new, simplified node management experience for Systems Manager

AWS Systems Manager has released a new unified console experience for managing nodes at scale across accounts and Regions. You can now see all managed and unmanaged nodes across your organizations’ AWS accounts and Regions from a single place. You can also identify, diagnose, and remediate unmanaged nodes. Systems Manager is also now integrated with Amazon Q Developer (Amazon Q), which extends your ability to see and control your nodes from anywhere in the AWS Management Console by entering natural language prompts. With this release, you can also now use AWS Organizations to allow a delegated administrator account to manage nodes across the organization from a central viewpoint. For more information, see the following topics:

November 21, 2024

Session Manager plugin bug fix

The Session Manager plugin was recently updated with the following bug fix: Rolled back change that added credentials to OpenDataChannel requests.

November 20, 2024

Session Manager plugin enhancements

This version was deprecated on 11/20/2024.

The Session Manager plugin was recently updated with the following enhancements.

  • Added credentials to OpenDataChannel requests.

  • Upgraded the testify and objx dependent packages.

November 6, 2024

Additional OS version support for macOS

Systems Manager now supports version 15.x (Sequoia) of the macOS operating system (EC2 instances only). For a list of all supported OSs and versions, see Supported operating systems for Systems Manager.

November 6, 2024

Patch Manager: Updates to supported package name formats for Approved and Rejected lists

For several operating systems, we have updated and expanded the lists of formats for package names that you can specify in Approved patches and Rejected patches lists in your patch baselines. For information, see Package name formats for Amazon Linux 1, Amazon Linux 2, Amazon Linux 2022, Amazon Linux 2023, CentOS, Oracle Linux, and Red Hat Enterprise Linux (RHEL).

November 1, 2024

Additional operating version support for Patch Manager

Patch Manager now supports additional versions of Oracle Linux (8.10 and 9.4) and Ubuntu Server (23.10 and 24.04). For lists of all supported operating systems and versions, see the following topics:

November 1, 2024

SSM Agent support for additional versions: CentOS Stream, Oracle Linux, and Ubuntu Server

SSM Agent now supports CentOS Stream 9, Oracle Linux 8.10 and 9.4, and Ubuntu Server 24.04 LTS, in addition to earlier supported versions. For complete lists of supported OSs and versions for Systems Manager, see Supported operating systems for Systems Manager.

October 25, 2024

Session Manager plugin enhancement

Added support for passing the plugin version with OpenDataChannel requests.

October 10, 2024

New: View details about RDP connections made using Fleet Manager

You can now view information about Remote Desktop Protocol connections that have been made by users in your AWS account. For information, see Viewing information about current and completed connections.

October 10, 2024

Patch Manager now supports SLES version 15.6

Patching support for SUSE Linux Enterprise Server (SLES) 15.6 has been released. You can now patch SLES 15.6 machines using Patch Manager. For a full list of operating systems and versions supported by Patch Manager, see Supported operating systems for Patch Manager.

September 29, 2024

New versions of the AWS Parameters and Secrets Lambda Extension

New versions of the AWS Parameters and Secrets Lambda Extension are now available. Support for all architectures has been introduced for the Asia Pacific (Malaysia) Region (ap-southeast-5). In addition, ARM64 and Mac with Apple silicon architecture extension support has been added for the following Regions:

  • Asia Pacific (Hyderabad) (ap-south-2)

  • Asia Pacific (Melbourne) (ap-southeast-4)

  • Canada West (Calgary) (ca-west-1)

  • Europe (Zurich) (eu-central-2)

  • Europe (Spain) (eu-south-2)

  • Middle East (UAE) (me-central-)

  • China (Beijing) (cn-north-1)

  • China (Ningxia) (cn-northwest-1)

  • Israel (Tel Aviv) (il-central-1)

  • AWS GovCloud (US-East) (us-gov-east-1)

  • AWS GovCloud (US-West) (us-gov-west-1)

September 19, 2024

New topic: Configuring permissions for maintenance windows using the AWS CLI

The topic Configuring permissions for maintenance windows using the AWS CLI provides instructions for creating a custom service role (and its policies) for running maintenance window tasks on a user's behalf.

August 19, 2024

SSM Agent and Patch Manager support for additional versions: AlmaLinux, Oracle Linux, and Rocky Linux

SSM Agent and Patch Manager now support versions 8.10, 9.3, and 9.4 of AlmaLinux and Rocky Linux, and version 9.3 of Oracle Linux, in addition to earlier supported versions. For complete lists of supported OSs and versions, see the following topics:

August 14, 2024

New IAM policy condition for Parameter Store support: ssm:Policies

Using ssm:Policies, a newly supported condition for IAM policies, you can prevent entities from creating or updating parameters that include a parameter policy. For more information, see the following topics:

August 14, 2024

Updated managed policy for Quick Setup: SSMQuickSetupRolePolicy

Systems Manager has updated the managed policy SSMQuickSetupRolePolicy to provide access to additional AWS CloudFormation stack sets. For information, see Systems Manager updates to AWS managed policies.

August 13, 2024

Support for provisioning and managing Systems Manager resources using Terraform

We have added HashiCorp Terraform to the list of supported third-party integrations with Systems Manager. Terraform is an open-source infrastructure as code (IaC) software tool that provides a command line interface (CLI) workflow to manage various cloud services. You can use Terraform to provision and manage a number of commonly used Systems Manager resources and data sources. For information about this and other third-party integrations with Systems Manager, see Integration with other products and services.

August 1, 2024

New Quick Setup console experience and API

Systems Manager Quick Setup has released a new console experience and API. Now you can interact with this API using the console, AWS CLI, AWS CloudFormation, and SDKs. You can opt in to the new console using the Quick Setup console. For more information about onboarding to the new Quick Setup experience, see Getting started with Quick Setup. For more details about the API operations available through the Quick Setup API, see the Quick Setup API Reference.

August 1, 2024

New topic: Rejected patch list options in custom patch baselines

For patching operations that use a custom patch baseline in Patch Manager, we have clarified the behavior when a patch added to the Rejected patch list is assigned the action Allow as dependency. Because Windows Server doesn't support the concept of patch dependencies, patches not already installed on a managed node are skipped. Patches that are already installed on the node are assigned the status INSTALLED_REJECTED. For more information, see Rejected patch list options in custom patch baselines and Patch compliance values for other operating systems.

July 23, 2024

New topic: Configuring SSM Agent for use with the Federal Information Processing Standard (FIPS)

We have provided instructions for configuring SSM Agent for use with the Federal Information Processing Standard (FIPS). For information, see Configuring SSM Agent for use with the Federal Information Processing Standard (FIPS).

July 22, 2024

Update: Clarified support for @ symbol in Fleet Manager user names

If an IAM Identity Center user name contains one or more @ symbols, Fleet Manager RDP disregards the first @ symbol and all characters that follow it, whether or not the @ introduces the domain portion of an email address. For more information about supported characters for user names in Fleet Manager RDP connections, see Authenticating Remote Desktop connections.

July 21, 2024

Updated managed policy: AmazonSSMManagedEC2InstanceDefaultPolicy

Systems Manager has updated the managed policy AmazonSSMManagedEC2InstanceDefaultPolicy by providing inline statement IDs (Sids) to clarify the purpose of each policy statement. For information, see Systems Manager updates to AWS managed policies.

July 18, 2024

Name changes to AWS managed buckets for Patch Manager patching operations

AWS owns and maintains a number of Amazon S3 buckets that SSM Agent accesses in the course of performing various Patch Manager patching operations. These S3 buckets are publicly accessible, and by default, SSM Agent connects to them using HTTP calls. However, if you're using a virtual private cloud (VPC) endpoint in your Systems Manager operations, you must provide explicit permission in an Amazon EC2 instance profile for Systems Manager, or in a service role for non-EC2 machines in a hybrid and multicloud environment. Otherwise, your resources can't access these public buckets. In most cases, we are changing the names of these buckets. For example, for patching operations, the bucket aws-patchmanager-macos-us-east-2 is replaced by aws-patchmanager-macos-us-east-2-552881074, and the bucket aws-ssm-us-east-2 is replaced by aws-patch-manager-us-east-2-552881074. For more information, see the following topics:

July 18, 2024

New service-linked role for Quick Setup

Systems Manager has released a new service-linked role, AWSServiceRoleForSSMQuickSetup. Systems Manager uses this role to check configuration health of resources set up using Quick Setup, to ensure consistent use of parameters and provisioned resources, and to remediate resources when drift is detected. The managed policy associated with this role is SSMQuickSetupRolePolicy. For more information, see AWSServiceRoleForSSMQuickSetup service-linked role permissions for Systems Manager.

July 3, 2024

New managed policies for Quick Setup configuration types

Systems Manager has released an additional 12 new managed policies to support various Quick Setup configuration types and processes. For information, see Systems Manager updates to AWS managed policies.

July 3, 2024

Support for RHEL 8.10 and 9.4

Systems Manager and Patch Manager now support Red Hat Enterprise Linux versions 8.10 and 9.4. For more information, see Supported operating systems and machine types and Supported operating systems for Patch Manager.

June 26, 2024

Patch Manager support for 8.8 and 8.9 versions: AlmaLinux, Oracle Linux, and Rocky Linux

Patch Manager now supports versions 8.8 and 8.9 of AlmaLinux, Oracle Linux, and Rocky Linux, in addition to earlier 8.x versions. For complete lists of supported OSs and versions for Patch Manager, see Supported operating systems for Patch Manager.

June 17, 2024

New public parameters for macOS Amazon EC2 AMIs

Public parameters have been released to support Amazon Machine Images for macOS Amazon Elastic Compute Cloud instances. For more information, see the following topics.

June 17, 2024

Update: Regional availability of the /aws/service/global-infrastructure parameter path

We have clarified which commercial Regions the /aws/service/global-infrastructure public parameter path can be queried from, and how to run a query for the path if you are working in a different commercial AWS Region. For information, see Calling public parameters for AWS services, Regions, endpoints, Availability Zones, local zones, and Wavelength Zones.

June 12, 2024

New: Code examples chapter

A new chapter, Code examples for Systems Manager using AWS SDKs, provides examples in different SDK languages for how to work with the Systems Manager service.

May 8, 2024

Changes to ec2messages:* endpoint support

For AWS Regions launching in 2024 or later, the ec2messages:* endpoints are not supported by SSM Agent for sending status and execution information back to the Systems Manager service. Accounts in these Regions must use ssmmessages:*. In Regions launched before 2024, both ssmmessages:* and ec2messages:* are still supported, but we recommend using only the ssmmessages:* endpoint (Amazon Message Gateway Service) now. You can safely remove ec2messages:* permissions from your policies at this time. For more information, see Working with SSM Agent and Agent-related API operations (ssmmessages and ec2messages endpoints).

May 3, 2024

Additional runtimes available for running scripts in Automation runbooks

The aws:executeScript action now supports the Python 3.9, 3.10, and 3.11 runtimes. For more information about how to use this action, see aws:executeScript.

April 23, 2024

Support for 8.8 and 8.9 versions: AlmaLinux, Oracle Linux, and Rocky Linux

Systems Manager now supports versions 8.8 and 8.9 of AlmaLinux, Oracle Linux, and Rocky Linux, in addition to earlier 8.x versions. For complete lists of supported OSs and versions, see Supported operating systems for Systems Manager.

April 22, 2024

Patch Manager: Change to patching status 'INSTALLED_PENDING_REBOOT'

Previously, only patches installed by Patch Manager could be marked as INSTALLED_PENDING_REBOOT. Patches installed outside of Patch Manager were never given this status. Now, INSTALLED_PENDING_REBOOT can apply to any patch that has been applied to a managed node since it was last rebooted. This includes patches installed by Patch Manager with the NoReboot option selected, and patches installed outside of Patch Manager after the node's most recent reboot. For descriptions of all Patch Manager patching status values, see Understanding patch compliance state values.

April 16, 2024

Support for RHEL 8.9 and 9.3

Systems Manager, including Patch Manager, now supports Red Hat Enterprise Linux (RHEL) versions 8.9 and 9.3, in addition to earlier 8.x and 9.x versions.

March 26, 2024

Topic update: AWS managed policies for AWS Systems Manager

The topic AWS managed policies for AWS Systems Manager has provided information about the four managed policies for Systems Manager that have been introduced or updated since March 12, 2021. We have added a section to this topic with information about the 12 other managed policies for use with Systems Manager that were created or last updated before that date. For details, see Additional managed policies for Systems Manager.

March 1, 2024

Parameter Store now supports cross-account sharing

You can now share advanced parameters securely and efficiently across AWS accounts or within your AWS Organization by setting up resource sharing. Resource sharing allows you to centralize application configuration management and reduce the operational overhead of sharing the parameters with every single account you own. Parameters can be shared across accounts using the Parameter Store console, the AWS RAM console, or the AWS CLI. For more information, see Working with shared parameters.

February 21, 2024

Automation action enhancement

You can now use the onFailure and isCritical properties with the aws:approve action. For more information about the aws:approve action, see aws:approve – Pause an automation for manual approval.

February 12, 2024

Additional operating version support for Patch Manager

We have added to the list of supported operating system versions for Patch Manager. Support has been added for the following:

  • Debian Server 11.x and 12.x

  • macOS 14.x (Sonoma)

  • SUSE Linux Enterprise Server (SLES) 15.5

  • Ubuntu Server 23.04

January 4, 2024

Configure automated SSM Agent updates using the Application Manager console

You can now use the Application Manager console to automate SSM Agent updates for your application instances. For more information, see Working with your application instances.

December 21, 2023

Updated process for registering non-Amazon EC2 machines in hybrid and multicloud environments

Systems Manager now provides the ssm-setup-cli to help you register non-Amazon Elastic Compute Cloud (Amazon EC2) machines in hybrid and multicloud environments. For more information, see How to install the SSM Agent on hybrid Linux nodes and How to install the SSM Agent on hybrid Windows nodes.

December 20, 2023

Manage Amazon EBS volumes using Fleet Manager

You can now use Fleet Manager, a capability of AWS Systems Manager, to manage Amazon Elastic Block Store volumes on your managed instances. For example, you can initialize an EBS volume, format a partition, and mount the volume to make it available for use. For more information, see EBS volume management.

December 14, 2023

Session Manager plugin enhancement

Added support for passing a StartSession API response as an environment variable to session-manager-plugin.

December 4, 2023

New visual design experience for Automation runbooks

You can now create and edit runbooks using a new visual design experience developed by Systems Manager Automation. The visual design experience provides a low-code, drag-and-drop interface so you can create and edit runbooks more easily. For more information, see Visual design experience for Automation runbooks.

November 26, 2023

New Systems Manager Automation actions, data element, and functional enhancements for runbooks

You can now loop over multiple actions in a runbook using the aws:loop action. This new action supports do while and for each style loops. Additionally, using the new variables data element, you can define, reference and update values dynamically within the context of a runbook. To update the value of a variable in your runbook, use the new aws:updateVariable action. Automation has also added support for dynamic data type conversions for outputs. This means that if the value of an output doesn't match the data type you've specified, Automation tries to convert the data type. For example, if the value returned is an Integer, but the Type specified is String, the final output value is a String value. Lastly, Automation now supports JSONPath filter expressions for selectors. For more information, see the following topics:

November 17, 2023

Updated Region support for Remote Desktop Protocol (RDP) connections

Fleet Manager Remote Desktop, which is powered by Amazon DCV, provides you with secure connectivity to your Windows Server instances directly from the Systems Manager console. The following three additional Regions have been enabled for Fleet Manager Remote Desktop connections:

  • Africa (Cape Town) (af-south-1)

  • Asia Pacific (Jakarta) (ap-southeast-3)

  • Israel (Tel Aviv) (il-central-1)

November 15, 2023

Patch Manager: Expanded OS version support for RHEL and macOS

Patch Manager now supports the following additional operating system versions:

  • Red Hat Enterprise Linux: version 8.8

  • macOS: 11.5–11.7 (Big Sur)

  • macOS: 12.0–12.6 (Monterey)

  • macOS: 13.0–13.5 (Ventura)

October 23, 2023

New OpsCenter API - DeleteOpsItem

OpsCenter now offers the DeleteOpsItem API for deleting individual OpsItems. For more information, see DeleteOpsItem in the AWS Systems Manager API Reference.

October 20, 2023

New Quick Setup configuration type: SSM Agent updates for entire organization

The new configuration type Default Host Management Configuration makes it possible for an organization administrator, as defined in AWS Organizations, to prompt automatic checks and updates of SSM Agent on all EC2 instances in the organization's accounts and Regions. For more information, see Default Host Management for an organization.

October 16, 2023

New title and description format for OpsItems created by CloudWatch Application Insights

The title and description for OpsItems created by CloudWatch Application Insights are changing to an improved format on October 16, 2023. To view the new format, see Amazon CloudWatch Application Insights.

September 29, 2023

Support for multiple display resolutions in Fleet Manager RDP connections

When you connect to Windows Server managed nodes using the Remote Desktop protocol (RDP) option in Fleet Manager, you can now choose the display resolution. Previously, all connections used a fixed 720P (1366 x 768) resolution. You can now choose from the following for each connection:

  • Adapt Automatically (determines optimum resolution based on your detected screen size)

  • 1920 x 1080

  • 1400 x 900

  • 1366 x 768

  • 800 x 600

For information, see Connect to a managed node using Remote Desktop.

September 22, 2023

New topic: Random patch baseline IDs in patch policy operations

We have added content to describe how Quick Setup patch policies use the BaselineOverride parameter in the AWS-RunPatchBaseline SSM Command document to generate random IDs for patch baselines each time a patch policy operation is run. For information, see Random patch baseline IDs in patch policy operations.

September 22, 2023

A new operational insight for managing OpsItems

OpsCenter now includes an operational insight called Resources generating the most OpsItems. An insight of this type is generated when an AWS resource has more than 10 open OpsItems. Use this insight to locate problematic resources. Use the AWS-BulkResolveOpsItems runbook from within an insight to quickly resolve OpsItems associated with a resource. For more information, see Analyzing operational insights to reduce OpsItems.

September 22, 2023

GPG public key updated

A new public key has been created to verify the signature of SSM Agent. For more information, see Verifying the signature of SSM Agent.

September 5, 2023

Support added for additional versions of AlmaLinux, Oracle Linux, RHEL, and Rocky Linux

The lists of supported operating systems for AWS Systems Manager and Patch Manager have been updated to reflect support for the following additional OS versions:

  • AlmaLinux: 9.2

  • Oracle Linux: 8.7 and 9.2

  • Red Hat Enterprise Linux (RHEL): 8.7, 9.1, and 9.2

  • Rocky Linux: 8.6 and 8.7, 9.0–9.2

August 30, 2023

OpsCenter added support for Markdown formatting in the OpsItem description field.

OpsCenter now supports Markdown formatting in the OpsItem description field. The following types of Markdown formatting are supported:

  • Paragraphs

  • Line spacing

  • Horizontal Lines

  • Headings

  • Text Formatting

  • Links

  • Lists

For more information, see Using Markdown in the Console in the Getting Started with the AWS Management Console Getting Started Guide.

August 18, 2023

New versions of the AWS Parameters and Secrets Lambda Extension

New versions of the AWS Parameters and Secrets Lambda Extension are now available. In addition, extension support has been added for the Asia Pacific (Melbourne) (ap-southeast-4) and Israel (Tel Aviv) (il-central-1) Regions (x86_64 and x86 architectures only). For more information, see Using Parameter Store parameters in AWS Lambda functions.

August 16, 2023

Update: Added information about required permissions for Quick Setup patch policy buckets

When you create a patch policy, Quick Setup creates an Amazon S3 bucket that contains a file named baseline_overrides.json. This file stores information about the patch baselines that you specified for your patch policy. When configuring the patch policy, you have the option of selecting an Add required IAM policies to existing instance profiles attached to your instances check box. If you choose not to select this option, then you must manually provide certain resources with permissions to access this bucket or your policy operations might fail. For more information, see the following topics:

July 6, 2023

Use Quick Setup to configure OpsCenter for multi-account OpsItem management

Quick Setup for OpsCenter helps you complete the following tasks for managing OpsItems across accounts:

  • Specifying the delegated administrator account

  • Creating required AWS Identity and Access Management (IAM) policies and roles

  • Specifying an AWS Organizations organization, or a subset of member accounts, where a delegated administrator can manage OpsItems across accounts

For more information, see (Optional) Configure OpsCenter to manage OpsItems across accounts by using Quick Setup.

June 19, 2023

Update Amazon EC2 launch agents using Quick Setup

You can now allow Systems Manager to check every 30 days for a new version of the launch agent installed on your instance. If a new version is available, Systems Manager updates the agent on your instance. For more information, see Quick Setup Host Management.

June 19, 2023

Patch Manager now supports Ubuntu Server 22.04 LTS

You can now use Patch Manager to patch Ubuntu Server 22.04 LTS nodes. Like other supported versions of Ubuntu Server, version 22.04 LTS uses the AWS managed AWS-UbuntuDefaultPatchBaseline patch baseline.

May 15, 2023

Systems Manager now supports AlmaLinux, including Patch Manager

You can now use Systems Manager to manage AlmaLinux 8.3-8.7; 9.0-9.1 nodes. Many of the rules that apply to RHEL 8 for patching also apply to AlmaLinux. AlmaLinux uses the new AWS-DefaultAlmaLinuxPatchBaseline. For more information, see the following topics:

May 8, 2023

Deploy the EC2Launch v2 agent using Quick Setup

You can now deploy the EC2Launch v2 agent using Quick Setup. For more information, see Deploy Distributor packages with Quick Setup.

April 13, 2023

Systems Manager now supports Amazon Linux 2023

Systems Manager now supports the new Amazon Linux 2023 (AL2023) EC2 instance type, including support for Patch Manager operations. Many of the rules for patching that apply to Amazon Linux 2 also apply to Amazon Linux 2023. (Patch Manager also continues to support the preview release Amazon Linux 2022.) For more information, see the following topics:

March 23, 2023

Revised setting up content for Amazon EC2 instances

We have revised the setting up content for Amazon EC2 instances. It is now recommended to use the newly released Default Host Management Configuration for instance permissions. For more information, see Configure instance permissions required for Systems Manager.

February 15, 2023

Automatic instance management with the Default Host Management Configuration

You can now automatically manage Amazon EC2 instances in an entire AWS Region using Systems Manager. For more information, see Default Host Management Configuration.

February 15, 2023

Add SSM documents to your favorites

To help you find frequently used SSM documents, you can now add documents to your favorites. You can favorite up to 20 documents per document type, per AWS account and AWS Region. You can choose, modify, and view your favorites from the Systems Manager Documents console. For more information, see Adding documents to your favorites.

February 7, 2023

Implement change controls for Automation using Change Calendar

By integrating Automation with Change Calendar, you can now implement change controls to all automations in your AWS account. For more information, see Implement change controls for Automation.

January 24, 2023

New Change Manager approval workflow

The Change Manager approval workflow now supports per-level approvals instead of per-line approvals. Previously, every approver you added to an approval level had to approve a change request. Otherwise, the level was not approved. Now, you specify how many approvals are required for the level and can add that many or more approvers. For example, you can require three approvals for a level but specify up to five approvers. Approvals from any three of those approvers are sufficient to approve the level. For more information, see About approvals in your change templates.

January 23, 2023

New: Configure patching for an entire organization using a patch policy in Quick Setup

With Quick Setup, a capability of Systems Manager, you can now create patch policies powered by Patch Manager. A patch policy defines the schedule and patch baseline to use when automatically patching your managed nodes. Using a single patch policy configuration, you can define patching for all accounts in all Regions in your organization, for only the accounts and Regions you choose, or for a single account-Region pair. For more information, see the following topics.

December 22, 2022

Application Manager integrates with Amazon EC2 to display information about your instances in the context of an application.

Application Manager displays instance state, status, and Amazon EC2 Auto Scaling health for a selected application in a graphical format. The Instances tab also includes a table with the following information for each instance in your application.

  • Instance state (Pending, Stopping, Running, Stopped)

  • Ping status for SSM Agent

  • Status and name of the last Systems Manager Automation runbook processed on the instance

  • A count of Amazon CloudWatch Logs alarms per state.

    • ALARM – The metric or expression is outside of the defined threshold.

    • OK – The metric or expression is within the defined threshold.

    • INSUFFICIENT_DATA – The alarm has just started, the metric is not available, or not enough data is available for the metric to determine the alarm state.

  • Auto Scaling group health for the parent and individual Auto Scaling groups

December 22, 2022

Schedule the starting and stopping of your Amazon EC2 instances using Quick Setup

You can now deploy the Resource Scheduler solution to automate the starting and stopping of your Amazon EC2 instances using Quick Setup. For more information, see Resource Scheduler.

December 19, 2022

OpsCenter now supports working with OpsItems across accounts

OpsCenter supports working with OpsItems from a management account (either an AWS Organizations management account or a Systems Manager delegated administrator account) and a member account during a session. Once configured, users can perform the following types of actions:

  • Create, view, and update OpsItems in a member account

  • View detailed information about AWS resources specified in OpsItems in a member account

  • Start Systems Manager Automation runbooks to remediate issues with AWS resources in a member account

For more information, see Setting up OpsCenter to work with OpsItems across accounts.

November 16, 2022

Track details of Change Manager change requests using AWS CloudTrail Lake

You can now use an event data store in AWS CloudTrail Lake to capture and review details about the change requests that are run in Change Manager for your organization or account. This information includes auditable details about the user identity that created the change request, the IP address from which the request was made, the AWS Regions in which the changes were made, the targeted resources, and more. For information, see Monitoring your change request events and Reviewing change request details, tasks, and timelines.

November 11, 2022

Additional Systems Manager Automation task controls using CloudWatch alarms

You can now implement additional control when running automations across multiple accounts and Regions by using CloudWatch alarms. By applying a metric or composite CloudWatch alarm to an automation, you can control when an automation stops based on the metrics you define. For more information about applying a CloudWatch alarm to an automation running across multiple accounts and Regions, see Run an automation in multiple Regions and accounts (console).

November 9, 2022

Updated: 'Using Parameter Store parameters in AWS Lambda functions'

We have provided additional information to help you use the AWS Parameters and Secrets Lambda Extension to retrieve parameter values and cache them for future use in Lambda functions. Using the Lambda extension can reduce your costs by reducing the number of API calls to Parameter Store. For information, see Using Parameter Store parameters in AWS Lambda functions.

October 25, 2022

Additional Systems Manager task controls using CloudWatch alarms

You can now implement additional control when running automations and commands by using CloudWatch alarms. A CloudWatch alarm can also be added to an automation or command when it is registered with a State Manager association or maintenance window task. By applying a composite CloudWatch alarm to an automation or command, you can control when an automation or command stops based on the metric you define. For more information about applying a CloudWatch alarm to an automation or command, see the following procedures:

September 26, 2022

Clarifying advanced-instances tier requirements

Based on customer feedback, we have clarified the scenarios that require you to activate the advanced-instances tier in Configuring instance tiers.

September 21, 2022

Deploy the Amazon CloudWatch Agent using Quick Setup

You can now deploy the Amazon CloudWatch agent using Quick Setup. For more information, see Deploy Distributor packages with Quick Setup.

September 20, 2022

'PatchGroup' key now supported for patch groups when EC2 instance metadata is allowed

When you allow tags in EC2 instance metadata, the tag keys you create must not contain any spaces. Previously, this prevented customers from adding some of their EC2 instances to patch groups in Patch Manager because the tag key Patch Group had to be applied to the instances. Patch Manager now supports both Patch Group (with a space) and PatchGroup (without a space) as the tag key for identifying instances for a patch group. EC2 instances where tags are allowed in instance metadata can now be added to patch groups in Patch Manager. For information, see About patch groups.

August 31, 2022

New topic: "How package release dates and update dates are calculated"

In patch baselines managed by AWS, new patches are auto-approved 7 days after they are released or updated. In custom patch baselines you create, you can optionally specify how many days to wait after they are released or updated to auto-approve their installation. For Amazon Linux 1 and Amazon Linux 2, various factors influence how the latest release dates and update dates are calculated. To help you avoid unexpected results when choosing auto-approval delays, these factors are explained in the topic How package release dates and update dates are calculated.

August 24, 2022

Updated content: Patch an AMI and update an Auto Scaling group

We have updated the Updating AMIs for Auto Scaling groups walkthrough to use launch templates instead of launch configurations. Additionally, we've implemented the latest Automation actions and runtimes in the runbook content.

June 22, 2022

Change Manager: Prevent users from creating auto-approvable requests

You can configure change templates in Change Manager to support automatic approvals, meaning that users with the necessary IAM permissions can choose to start the change request without requiring additional approval. Now, you can also restrict individual users, groups, or IAM roles from submitting auto-approval requests, even if a change template supports them. This is achieved through the use of a new IAM condition key, ssm:AutoApprove. For more information, see Controlling access to auto-approval runbook workflows.

June 15, 2022

Updated guidance for maintenance window task roles

Previously, the Systems Manager console provided you with the ability to choose the AWS managed IAM service-linked role AWSServiceRoleForAmazonSSM to use as the maintenance role for your tasks. Using this role and its associated policy, AmazonSSMServiceRolePolicy, for maintenance window tasks is no longer recommended. You should create a custom policy and role for maintenance window tasks instead. For more information, see Setting up Maintenance Windows.

June 9, 2022

Port forwarding to remote hosts support for Session Manager

Session Manager now supports port forwarding sessions to remote hosts. The remote host isn't required to be managed by Systems Manager. For more information, see Starting a session (port forwarding to remote host).

May 25, 2022

Updated content: Instructions for manually installing SSM Agent on Amazon EC2 Linux instances

In response to customer feedback, we have overhauled the topics that provide instructions for manually installing SSM Agent on Amazon EC2 instances. These topics now provide commands using globally available files that you can copy and paste for quick installation on EC2 instances in any AWS Region. These topics also provide information to help you create installation commands that use files available in your own working Region. The latter approach is recommended when you are installing the agent on multiple instances using a script or template. For more information, see the instructions for your Linux operating system in the section Manually installing SSM Agent on EC2 instances for Linux.

May 9, 2022

New topic: Amazon Machine Images (AMIs) with SSM Agent preinstalled

In response to customer feedback, we have centralized information about which AWS managed AMIs include SSM Agent preinstalled. This topic also provides instructions for how to verify that an Amazon EC2 instance created from these AMIs was successfully installed and is running. For rare cases where the agent might not install successfully, or install but not start, we also provide information about starting or manually installing the agent on these instances. For details, see Amazon Machine Images (AMIs) with SSM Agent preinstalled.

May 8, 2022

New State Manager section

Added a new section that describes the details of when State Manager runs associations. For more information, see About association scheduling.

April 27, 2022

Patch Manager now supports Rocky Linux

You can now use Patch Manager to patch Rocky Linux nodes. Many of the rules that apply to RHEL 8 for patching also apply to Rocky Linux. Rocky Linux 8 uses the new AWS-DefaultRockyLinuxPatchBaseline. For more information, see the following topics:

April 14, 2022

Patch Manager now supports CentOS Stream 8

You can now use Patch Manager to patch CentOS Stream 8 instances and Red Hat Enterprise Linux (RHEL) 4.4-4.5 instances. Many of the rules that apply to RHEL 8 for patching also apply to CentOS Stream 8. CentOS Stream 8 uses the AWS-DefaultCentOSPatchBaseline. For more information, see the following topics:

April 4, 2022

Create an assume role for Change Manager

A new section clarifies the requirements for creating and implementing an assume role for Change Manager. An assume role is an AWS Identity and Access Management (IAM) service role that enables Change Manager to securely run the runbook workflows specified in an approved change request on your behalf. The role grants AWS Systems Manager (AWS STS) AssumeRole trust to Change Manager. For information, see Configuring roles and permissions for Change Manager.

March 18, 2022

Approve or reject Change Manager change requests in bulk

In the Systems Manager console, you can now select multiple change requests to approve or reject in a single operation. For information, see Reviewing and approving or rejecting change requests (console).

March 8, 2022

Support for Rocky Linux and Windows Server 2022 managed nodes

Systems Manager supports Rocky Linux and Windows Server 2022 managed nodes, including edge devices and hybrid machines located on-premises or with other cloud providers. To use Systems Manager with these operating systems, you must complete all required Systems Manager setup procedures, including procedures for hybrid environments or edge devices, if applicable. For more information, see Setting up Systems Manager. For Rocky Linux machines, you must also manually install SSM Agent. For more information, see Manually install SSM Agent on Rocky Linux instances. For Windows Server 2022 Amazon Elastic Compute Cloud (Amazon EC2) instances, SSM Agent is installed by default.

March 1, 2022

Allow Automation to adapt to your concurrency needs and view Automation usage metrics

You can now allow Automation to automatically adjust your concurrent automation quota, and view Automation usage metrics that are published to CloudWatch. For more information about adaptive concurrency, see Allowing Automation to adapt to your concurrency needs. For more information about how to view Automation usage metrics, see Monitoring Automation metrics using Amazon CloudWatch.

January 27, 2022

Systems Manager documents organized by categories

Amazon owned Systems Manager documents are now organized by type and categories to help you find the documents you need.

January 13, 2022

Create and invoke integrations for Automation

You can now send messages using webhooks during an automation by creating an integration. Integrations can be invoked during an automation using the new aws:invokeWebhook action in your runbook. For more information about creating integrations, see Creating webhook integrations for Automation. To learn more about the aws:invokeWebhook action, see aws:invokeWebhook – Invoke an Automation webhook integration.

January 13, 2022

Capabilities not available in new AWS Region

The following Systems Manager capabilities currently aren't available in the new Asia Pacific (Jakarta) Region.

  • Application Manager

  • Change Calendar

  • Change Manager

  • Explorer

  • Fleet Manager

  • Incident Manager

  • Quick Setup

December 13, 2021

View resource cost details for an application

Application Manager is integrated with AWS Billing and Cost Management through the Cost Explorer widget. After you enable Cost Explorer in the Billing and Cost Management console, the Cost Explorer widget in Application Manager shows cost data for a specific non-container application or application component. You can use filters in the widget to view cost data according to different time periods, granularities, and cost types in either a bar or line chart. For more information, see Viewing overview information about an application.

December 7, 2021

Manage processes using Fleet Manager

You can now use Fleet Manager to manage processes on your nodes. For more information, see Working with processes.

December 6, 2021

Terminology change: managed instances are now managed nodes

With support for AWS IoT Greengrass core devices, the phrase managed instance has been changed to managed node in most of the Systems Manager documentation. The Systems Manager console, API calls, error messages, and SSM documents still use the term instance.

November 29, 2021

Support for edge devices

Systems Manager supports the following edge device configurations.

  • AWS IoT Greengrass: Systems Manager now supports any device that is configured for AWS IoT Greengrass and runs the AWS IoT Greengrass Core software. To onboard your AWS IoT Greengrass core devices, you must create an AWS Identity and Access Management (IAM) service role. You must also use the AWS IoT Greengrass console to deploy SSM Agent as an AWS IoT Greengrass component on your devices. For more information, see Setting up AWS Systems Manager for edge devices.

  • Edge devices in a hybrid environment: Systems Manager also supports AWS IoT Core devices and non-AWS IoT devices after you configure them as on-premises machines. To onboard your devices, you must create an IAM service role, create a managed-node activation for a hybrid environment, and manually install SSM Agent on your devices. For more information, see Setting up AWS Systems Manager for hybrid environments.

November 29, 2021

Connect to managed instances using Remote Desktop

You can now use Fleet Manager to connect to managed Windows instances using the Remote Desktop Protocol (RDP). These Remote Desktop sessions powered by Amazon DCV provide secure connections to your instances directly from your browser. For more information, see Connect using Remote Desktop.

November 23, 2021

Specify a maximum session duration and provide reasons for sessions

You can now specify a maximum session duration for all Session Manager sessions in an AWS Region in your AWS account. When a session reaches the duration you specify, it's terminated. You can now also optionally add a reason when starting a session. For more information, see Specify maximum session duration.

November 16, 2021

Patch Manager now supports the Raspberry Pi OS operating system

You can now use Patch Manager to patch Raspberry Pi OS instances. Patch Manager supports patching Raspberry Pi OS 9 (Stretch) and 10 (Buster). Because the Raspberry Pi OS is a Debian-based OS, many of the same patching rules apply to it as to Debian Server. For more information, see the following topics:

November 16, 2021

Access the Red Hat Knowledgebase portal

Use Fleet Manager to access the RHEL Knowledgebase portal to find solutions, articles, documentation, and videos about using Red Hat products. For more information, see Accessing the Red Hat Knowledge base portal.

November 3, 2021

Bulk edit OpsItems

OpsCenter now supports bulk editing OpsItems. You can select multiple OpsItems and edit one of the following fields: Status, Priority, Severity, Category. For more information, see Editing OpsItems.

October 15, 2021

Create input parameters that populate AWS resources

You can now create input parameters in Automation runbooks that populate AWS resources in the AWS Management Console. For information, see Creating input parameters that populate AWS resources.

October 14, 2021

New task invocation cutoff option for maintenance windows

You can now choose to block any new task invocations from starting after the cutoff time specified for a maintenance window is reached. For information, see Assign tasks to a maintenance window (console).

October 13, 2021

Patch Manager support for macOS 11.3.1 and 11.4 (Big Sur)

Amazon Elastic Compute Cloud (Amazon EC2) instances for macOS 11.3.1 and 11.4 (Big Sur) can now be patched using Patch Manager. This is in addition to existing support for macOS 10.14.x (Mojave) and 10.15.x (Catalina). For information about working with Patch Manager, see AWS Systems Manager Patch Manager.

October 1, 2021

Application insights in Application Manager

Application Manager integrates with Amazon CloudWatch Application Insights. Application Insights identifies and sets up key metrics, logs, and alarms across your application resources and technology stack. Application Insights continually monitors metrics and logs to detect and correlate anomalies and errors. When the system detects errors or anomalies, Application Insights generates CloudWatch Events that you can use to set up notifications or take actions. You can enable and view Application Insights on the Overview and Monitoring tabs in Application Manager. For more information about Application Insights, see What is Amazon CloudWatch Application Insights in the Amazon CloudWatch User Guide.

September 21, 2021

Import events from other calendars into Change Calendar

You can now import the events from a third-party calendar into a calendar in Change Calendar. Previously, each event had to be entered manually into a calendar. After you export a calendar from a supported third-party calendar provider to an iCalendar (.ics) file, import it into Change Calendar, and its events are included in the rules for your open or closed calendar in Systems Manager. Supported providers include iCloud Calendar, Google Calendar, and Microsoft Outlook. For more information, see Importing and managing events from third-party calendars.

September 8, 2021

New tagging and runbook features in Application Manager

Tagging enhancements include the ability to add tags to or delete tags from a specific resource or all resources in an Application Manager application. Runbook enhancements include the ability to view a filtered list of runbooks for a specific resource type or initiate a runbook on all resources of the same type. For more information, see Working with tags in Application Manager and Working with runbooks in Application Manager.

August 31, 2021

New example: Create a change request using the AWS CLI

An example of creating a change request with the AWS CLI has been added to the Change Manager chapter. The example uses the sample AWS-HelloWorldChangeTemplate change template and AWS-HelloWorld runbook:

August 20, 2021

New section: Use parameters in Amazon EKS

A new section has been added to the Parameter Store chapter. This topic is a walkthrough on how to use your parameters in Amazon EKS clusters. For more information, see Use Parameter Store parameters in Amazon Elastic Kubernetes Service.

August 19, 2021

Updated Patch Manager lifecycle hooks

Patch Manager now provides a lifecycle hook (the ability to run a Systems Manager Command document) for an additional point during a Patch now patching operation. If you schedule instance reboots after running Patch now, you can specify a lifecycle hook to run after the reboot is complete. For more information, see Using 'Patch now' lifecycle hooks and About the AWS-RunPatchBaselineWithHooks SSM document.

August 9, 2021

Auto-approvals now supported for Change Manager requests

You can now configure change templates in Change Manager to support automatic approvals, meaning that users with the necessary IAM permissions can choose to start the change request without requiring additional approval. Users who have access to auto-approval templates can still specify approvers if they choose. To help you control your Change Manager processes, approvals are still required for all requests during change freeze periods. For more information, see the following topics:

July 30, 2021

OpsCenter operational insights

OpsCenter automatically analyzes OpsItems in your account and generates insights. An insight includes information to help you understand how many duplicate OpsItems are in your account and which sources are creating them. Insights also provide recommended best practices and Automation runbooks to help you resolve duplicate OpsItems. For more information, see Working with operational insights.

July 13, 2021

View stopped instances in Fleet Manager

You can now view which instances are running and which instances are stopped from the Fleet Manager console. For more information, see AWS Systems Manager Fleet Manager.

July 12, 2021

New topic: Authoring Automation runbooks

A new topic, Authoring Automation runbooks, provides guidance and narrative examples of how to author content for custom Automation runbooks.

July 8, 2021

AWS CloudFormation stack and template creation in Application Manager

Application Manager helps you provision and manage resources for your applications by integrating with CloudFormation. You can create, edit, and delete AWS CloudFormation templates and stacks in Application Manager. Application Manager also includes a template library where you can clone, create, and store templates. Application Manager and CloudFormation display the same information about the current status of a stack. Templates and template updates are stored in Systems Manager until you provision the stack, at which time the changes are also displayed in CloudFormation. For more information, see Working with AWS CloudFormation Stacks in Application Manager.

July 8, 2021

New topic: Automatically rotate private keys for SSM Agent on hybrid instances

A new topic, Setting up private key auto rotation, provides instructions on how to strengthen your security posture by configuring SSM Agent to rotate the hybrid environment private key automatically.

June 15, 2021

Session Manager plugin for the AWS CLI version 1.2.205.0

A new version of the Session Manager plugin for the AWS CLI has been released. For more information, see Session Manager plugin latest version and release history.

June 10, 2021

New IAM service-linked role

When you enable OpsCenter operational insights, Systems Manager creates a new AWS Identity and Access Management (IAM) service-linked role called AWSSSMOpsInsightsServiceRolePolicy. For more information about this role, see Using roles to create operational insight OpsItems in Systems Manager OpsCenter: AWSSSMOpsInsightsServiceRolePolicy.

June 9, 2021

New Patch Manager troubleshooting content for Linux

A new topic, Errors when running AWS-RunPatchBaseline on Linux, provides descriptions and solutions for several issues that might be encountered when patching managed instances with Linux operating systems.

June 8, 2021

Improved support for maintenance window tasks that don't require specified targets (console)

You can now create maintenance window tasks in the console without having to specify a target in the task if one isn't required. Previously, this option was available only when using the AWS CLI or API. This option applies to Automation, AWS Lambda, and AWS Step Functions task types. For example, if you create an Automation task and the resources to update are specified in the Automation document parameters, you no longer need to specify a target in the task itself. For more information, see Registering maintenance window tasks without targets, Assign tasks to a maintenance window (console), and Schedule automations with maintenance windows.

May 28, 2021

Automation runbook reference relocated

The Automation runbook reference has been moved to a new location. For more information, see Systems Manager Automation runbook reference.

May 10, 2021

AWS Systems Manager Incident Manager launch

Incident Manager is an incident management console designed to help users mitigate and recover from incidents affecting their AWS hosted applications. For more information, see the AWS Systems Manager Incident Manager User Guide.

May 10, 2021

State Manager supports Change Calendar

You can now specify Change Calendar names or Amazon Resource Names (ARNs) when you create or update a State Manager association. State Manager applies associations only when the change calendar is open, not when it's closed. For more information, see Creating associations and Editing and creating a new version of an association.

May 6, 2021

Clone Systems Manager documents

Using the Systems Manager Documents console, you can now copy content from an existing document to a new document that you can modify. To learn more, see Cloning an SSM document.

May 4, 2021

Integrate Security Hub with Explorer and OpsCenter

You can now integrate Explorer and OpsCenter with AWS Security Hub. Security Hub provides a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices. When integrated with Explorer, you can view security findings in the Security Hub widget on the Explorer dashboard. When integrated with OpsCenter, you can create OpsItems for Security Hub findings. For more information, see Receiving findings from AWS Security Hub in Explorer and Receiving findings from AWS Security Hub in OpsCenter.

April 27, 2021

New topic: Document conventions

We've added a new topic to help users understand the common typographical conventions for the AWS Systems Manager User Guide. For more information, see Document conventions.

April 21, 2021

Updated topic: About patching applications released by Microsoft on Windows Server

The topic About patching applications released by Microsoft on Windows Server now clarifies that, in order for Patch Manager to be able to patch applications released by Microsoft on your Windows Server managed instances, the Windows update option Give me updates for other Microsoft products when I update Windows must be allowed on the instance.

April 12, 2021

Automation runbook reference reorganization

To help you find the runbooks you need and navigate the reference more efficiently, we reorganized the content in the Automation runbook reference by the relevant AWS service. To view these changes, see Systems Manager Automation runbook reference.

April 12, 2021

Patch Manager: Generate .csv patch compliance reports

Patch Manager now supports the ability to generate patch compliance reports for your instances and save the report in an S3 bucket of your choice, in .csv format. Then, using a tool like Amazon QuickSight, you can analyze the patch compliance report data. You can generate a patch compliance report for a single instance, or for all instances in your AWS account. You can generate a one-time report on demand, or set up a schedule for reports to be created automatically. You can also specify an Amazon Simple Notification Service topic to provide notifications when a report is generated. For more information, see Generating CSV patch compliance reports.

April 9, 2021

Delete Parameter Store parameter labels

You can now delete Parameter Store parameter labels by using either the Systems Manager console or the AWS CLI. For more information, see Working with parameter labels.

April 6, 2021

Schedule instance reboots when using Patch Now

Patch Manager now supports scheduling a time for your instances to reboot after patches are installed using the Patch Now feature. This is in addition to existing options to reboot instances only if needed to complete a patch installation or to skip all rebooting after the patching operation. For information, see Patching instances on demand.

April 1, 2021

New topic: Discover public parameters

Parameter Store public parameters can now be found using the AWS CLI or Systems Manager console. For more information, see Finding public parameters.

April 1, 2021

Patch now updates: Store logs in S3 and run lifecycle hooks

When you run the Patch Manager Patch now operation, you can choose an S3 bucket in which to automatically store patching logs. In addition, you can choose to run Systems Manager Command documents (SSM documents) as lifecycle hooks at three points during the operation: Before installation, After installation, and On exit. For more information, see Patching instances on demand.

March 31, 2021

Systems Manager now reports changes to its AWS managed policies

Beginning March 24, 2021, changes to managed policies are reported in the topic Systems Manager updates to AWS managed policies. The first change listed is the addition of support for the Explorer capability to report OpsData and OpsItems from multiple accounts and Regions.

March 24, 2021

Explorer automatically allows all OpsData sources for resource data syncs based on accounts in AWS Organizations

When you create a resource data sync, if you choose one of the AWS Organizations options, Systems Manager automatically allows all OpsData sources in the selected AWS Regions for all AWS accounts in your organization (or in the selected organization units). This means, for example, that even if you haven't allowed Explorer in an AWS Region, if you select an AWS Organizations option for your resource data sync, then Systems Manager automatically collects OpsData from that Region. For more information, see About multiple account and Region resource data syncs.

March 24, 2021

Systems Manager Automation provides a new system variable for your runbooks

With the new global:AWS_PARTITION system variable, you can specify the AWS partition a resource is located in when authoring your runbooks. For more information, see Automation system variables.

March 18, 2021

Allow multiple levels of approval for Change Manager change requests

When you create a Change Manager change template, you can now require that more than one level of approvers grant permission for a change request to run. For example, you might require technical reviewers to approve a change request created from a change template first, and then require a second level of approvals from one or more managers. For more information, see Creating change templates.

March 4, 2021

Patch Manager now supports Oracle Linux 8.x

You can now use Patch Manager to patch Oracle Linux 8.x instances, through version 8.3. For more information, see the following topics:

March 1, 2021

OpsCenter displays other OpsItems for a selected resource

To help you investigate issues and provide context for a problem, you can view a list of OpsItems for a specific AWS resource. The list displays the status, severity, and title of each OpsItem. The list also includes deep links to each OpsItem. For more information, see Viewing other OpsItems for a specific resource.

March 1, 2021

Define patching preferences at runtime

You can now define patching preferences at runtime using the baseline override feature. For more information, see Using the BaselineOverride parameter.

February 25, 2021

New Systems Manager document type

AWS CloudFormation templates can now be stored as Systems Manager documents. Storing CloudFormation templates as Systems Manager documents allows you to benefit from Systems Manager document features like versioning, comparing version content, and sharing with accounts. For more information, see AWS Systems Manager documents.

February 9, 2021

Patch instances using optional hooks

The new SSM document AWS-RunPatchBaselineWithHooks provides hooks you can use to run SSM documents at three points during the instance patching cycle. For information about AWS-RunPatchBaselineWithHooks, see About the AWS-RunPatchBaselineWithHooks SSM document. For a sample walkthrough of a patching operation that uses all three hooks, see Walkthrough: Update application dependencies, patch an instance, and perform an application-specific health check.

February 2, 2021

New topic: Validating on-premises servers and virtual machines using a hardware fingerprint

SSM Agent verifies the identity of on-premises servers and virtual machines (VMs) that you register with the service by using a computed fingerprint. The fingerprint is an opaque string, stored in the Vault, that the agent passes to certain Systems Manager APIs. For information about the hardware fingerprint and instructions for configuring a similarity threshold to assist in machine verification, see Validating on-premises servers and virtual machines using a hardware fingerprint.

January 25, 2021

New topic: SSM Agent technical reference

The topic SSM Agent technical reference brings together information to help you implement AWS Systems Manager SSM Agent and understand how the agent works. This topic includes an all-new section, SSM Agent rolling updates by AWS Regions.

January 21, 2021

SSM Agent on Windows Server 2008

As of January 14, 2020, Windows Server 2008 is no longer supported for feature or security updates from Microsoft. Windows Server 2008 AMIs do include SSM Agent, but the agent is no longer updated for this operating system.

January 5, 2021

Improved support for maintenance window tasks that don't require specified targets (AWS CLI and API only)

You can now create maintenance window tasks without having to specify a target in the task if one isn't required (AWS CLI and API only). This applies to Automation, AWS Lambda, and AWS Step Functions task types. For example, if you create an Automation task and the resources to update are specified in the Automation runbook parameters, you no longer need to specify a target in the task itself. For more information, see Registering maintenance window tasks without targets and Schedule automations with maintenance windows.

December 23, 2020

New Automation features

A new shared property has been added to Systems Manager Automation runbooks. The onCancel property allows you to specify which step the automation should go to in the event that a user cancels the automation. For more information, see Properties shared by all actions.

December 21, 2020

New topic: Working with associations using IAM

A new topic has been added to the Systems Manager State Manager chapter that describes the best practices for creating associations using IAM. For more information, see Working with associations using IAM.

December 18, 2020

State Manager now supports multi-regions and multi-accounts

Associations can now be created or updated with multiple regions or accounts. For more information, see Creating associations.

December 15, 2020

New capability: Fleet Manager

Fleet Manager, a capability of AWS Systems Manager, is a unified user interface (UI) experience that helps you remotely manage your server fleet running on AWS, or on-premises. With Fleet Manager, you can view the health and performance status of your entire server fleet from one console. You can also gather data from individual instances to perform common troubleshooting and management tasks from the console. For information, see AWS Systems Manager Fleet Manager.

December 15, 2020

New capability: Change Manager

Amazon Web Services has released Change Manager, an enterprise change management framework for requesting, approving, implementing, and reporting on operational changes to your application configuration and infrastructure. From a single delegated administrator account, if you use AWS Organizations, you can manage changes across multiple AWS accounts in multiple AWS Regions. Alternatively, using a local account, you can manage changes for a single AWS account. Use Change Manager for managing changes to both AWS resources and on-premises resources. For information, see AWS Systems Manager Change Manager.

December 15, 2020

New capability: Application Manager

Application Manager helps you investigate and remediate issues with your AWS resources in the context of your applications. Application Manager aggregates operations information from multiple AWS services and Systems Manager capabilities to a single AWS Management Console. For information, see AWS Systems Manager Application Manager.

December 15, 2020

AWS Systems Manager supports Amazon EC2 instances for macOS

In tandem with the release of Amazon Elastic Compute Cloud (Amazon EC2) support for macOS instances, Systems Manager now supports many operations on EC2 instances for macOS. Supported versions include macOS 10.14.x (Mojave) and 10.15.x (Catalina). For more information, see the following topics.

November 30, 2020

Maintenance window pseudo parameters: New resource type supported for {{TARGET_ID}} and {{RESOURCE_ID}}

An additional resource type is now available for use with the pseudo parameters {{TARGET_ID}} and {{RESOURCE_ID}}. You can now use the resource type AWS::RDS::DBCluster with both these pseudo parameters. For information about maintenance window pseudo parameters, see Using pseudo parameters when registering maintenance window tasks.

November 27, 2020

Session Manager plugin for the AWS CLI version 1.2.30.0

A new version of the Session Manager plugin for the AWS CLI has been released. For more information, see Session Manager plugin latest version and release history.

November 24, 2020

New topic: Comparing SSM document versions

You can now compare the differences in content between versions of SSM documents in the Systems Manager Documents console. For more information, see Comparing SSM document versions.

November 24, 2020

Systems Manager now supports VPC endpoint policies

You can now create policies for VPC interface endpoints for Systems Manager. For more information, see Create an interface VPC endpoint policy.

November 18, 2020

New topic: Specify an idle session timeout value

You can now specify the amount of time to allow a user to be inactive before a session ends with Session Manager. For more information, see Specify an idle session timeout value.

November 18, 2020

New Session Manager logging feature

You can now send a continual stream of JSON-formatted session data logs to Amazon CloudWatch Logs. For more information, see Streaming session data using Amazon CloudWatch Logs.

November 18, 2020

New topic: Verify the signature of the SSM Agent

You can now verify the cryptographic signature of the installer package for the SSM Agent on Linux instances. For more information, see SSM document schemas and features.

November 17, 2020

New topic: Understanding automation statuses

A new topic has been added to the Systems Manager Automation chapter that describes the statuses for actions and automations. For more information, see Understanding automation statuses.

November 17, 2020

New source types for the aws:downloadContent plugin

Git and HTTP are now supported as source types for the aws:downloadContent plugin. For more information, see aws:downloadContent.

November 17, 2020

New Systems Manager document (SSM document) schema feature

In SSM documents with schema version 2.2 or later, the precondition parameter now supports referencing your document's input parameters. For more information, see SSM document schemas and features.

November 17, 2020

New data source in Explorer: AWS Config

Explorer now displays information about AWS Config compliance, including an overall summary of compliant and non-compliant AWS Config rules, the number of compliant and non-compliant resources, and specific details about each (when you drill down into a non-compliant rule or resource). For more information, see Editing Systems Manager Explorer data sources.

November 11, 2020

New topic: Running Auto Scaling groups with associations

A new section has been added to State Manager that describes the best practices for creating associations to run Auto Scaling groups. For more information, see Running Auto Scaling groups with associations.

November 10, 2020

Quick Setup now supports targeting a resource group

Quick Setup now supports choosing a resource group as a target for the local setup type. For more information, see Choosing Targets for Quick Setup.

November 5, 2020

Patch Manager adds support for Debian Server 10 LTS, Oracle Linux 7.9 LTS, and Ubuntu Server 20.10 STR

You can now use Patch Manager to patch Debian Server 10 LTS, Oracle Linux 7.9 LTS, and Ubuntu Server 20.10 STR instances. For more information, see the following topics:

November 4, 2020

New EventBridge support for AWS Systems Manager Change Calendar

Amazon EventBridge now provides support for Change Calendar events in event rules. When the state of a calendar changes, EventBridge can initiate the target action you defined in an EventBridge rule. For information about working with EventBridge and Systems Manager events, see the following topics.

November 4, 2020

Configure CloudWatch to create OpsItems from alarms

You can configure Amazon CloudWatch to automatically create an OpsItem in Systems Manager OpsCenter when an alarm enters the ALARM state. Doing so allows you to quickly diagnose and remediate issues with AWS resources from a single console. For more information, see Configuring CloudWatch to create OpsItems from alarms.

November 4, 2020

Support for Ubuntu Server 20.10

AWS Systems Manager now supports Ubuntu Server 20.10 short-term release (STR). For more information, see the following topics:

October 22, 2020

New topic: Allow configurable shell profiles

You can now allow configurable shell profiles with Session Manager. By allowing configurable shell profiles, you can customize preferences within sessions such as shell preferences, environment variables, working directories, and running multiple commands when a session is started. For more information, see Allow configurable shell profiles.

October 21, 2020

Patch compliance results now report which CVEs are resolved by which patches

For most supported Linux systems, when you view patch compliance results for your managed instances, the details you can view now report which Common Vulnerabilities and Exposures (CVE) bulletin issues are resolved by which available patches. This information can help you determine how urgently you need to install a missing or failed patch. For more information, see Viewing patch compliance results.

October 20, 2020

Expanded support for Linux patch metadata

You can now view many details about available Linux patches in Patch Manager. You can choose to view patch data such as architecture, epoch, version, CVE ID, Advisory ID, Bugzilla ID, repository, and more. In addition, the DescribeAvailablePatches API operation has been updated to support Linux operating systems and filtering according to these newly available patch metadata types. For more information, see the following topics:

October 16, 2020

Session Manager plugin for the AWS CLI version 1.2.7.0

A new version of the Session Manager plugin for the AWS CLI has been released. For more information, see Session Manager plugin latest version and release history.

October 15, 2020

New topic: Session document schema

The new topic Session document schema describes the schema elements for a Session document. This information can help you create custom Session documents where you specify preferences for the types of sessions you use with Session Manager.

October 15, 2020

New topic: Free text search for SSM documents

The search box on the Systems Manager Documents page now supports free text search. Free text search compares the search term or terms that you enter against the document name in each SSM document. For more information, see Using free text search.

October 15, 2020

New topic: Troubleshooting Amazon EC2 managed instance availability

The new topic Troubleshooting Amazon EC2 managed instance availability helps you investigate why an Amazon EC2 instance that you have confirmed is running isn't available in lists of available managed instances in Systems Manager.

October 6, 2020

Parameter Store chapter reorganization

To help you find the information you need more efficiently, we reorganized content in the Parameter Store chapter of the AWS Systems Manager User Guide. Most content is now organized in the sections Setting up Parameter Store and Working with Parameter Store. In addition, the topic AWS Systems Manager Parameter Store has been expanded to include the following sections:

  • How can Parameter Store benefit my organization?

  • Who should use Parameter Store?

  • What are the features of Parameter Store?

  • What is a parameter?

October 1, 2020

New patch compliance-related topics

The following topics have been added to help you identify managed instances that are out of patch compliance, understand the different types of patch compliance scans, and take the appropriate steps to bring your instances into compliance.

September 24, 2020

SSM Agent version 3.0

Systems Manager launched a new version of SSM Agent.

September 21, 2020

New and updated topics: Amazon EventBridge replaces CloudWatch Events for event management

CloudWatch Events and EventBridge are the same underlying service and API, but EventBridge provides more features and is now the preferred way to manage your events in AWS. (Changes you make in either CloudWatch or EventBridge are reflected in each console.) References to CloudWatch Events and existing procedures throughout the AWS Systems Manager User Guide have been updated to reflect EventBridge support. In addition, the following new topics have been added.

September 18, 2020

Integrating AWS Security Hub and Patch Manager

You can now integrate Patch Manager with AWS Security Hub. Security Hub provides a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices. When integrated with Patch Manager, Security Hub monitors the patching status of your fleets from a security point of view. For more information, see Integrating Patch Manager with AWS Security Hub.

September 17, 2020

Maintenance window pseudo parameters: New resource types supported for {{TARGET_ID}} and {{RESOURCE_ID}}

When you register a maintenance window task, you use the --task-invocation-parameters option to specify the parameters that are unique to each of the four task types. You can also reference certain values using pseudo parameter syntax, such as {{TARGET_ID}} and {{RESOURCE_ID}}. When the maintenance window task runs, it passes the correct values instead of the pseudo parameter placeholders. Two additional resource types are now available for use with the pseudo parameters {{TARGET_ID}} and {{RESOURCE_ID}}. You can now use the resources types AWS::RDS::DBInstance and AWS::SSM::ManagedInstance with both these pseudo parameters. For information about maintenance window pseudo parameters, see Using pseudo parameters when registering maintenance window tasks.

September 14, 2020

Patch instances on demand with new 'Patch now' option

You can now use the Systems Manager console to patch instances, or scan for missing patches, at any time. You can do this without having to create or modify a schedule, or specify full patching configuration options to accommodate an immediate patching need. You need only specify whether to scan or install patches and identify the target instances for the operation. Patch Manager automatically applies the current default patch baseline for your instance types and applies best practice options for how many instances are patched at once, and how many errors are permitted before the operation fails. For more information, see Patching instances on demand.

September 9, 2020

New topic: Checking SSM Agent status and starting the agent

The new topic Checking SSM Agent status and starting the agent provides commands to check whether SSM Agent is running on each supporting operating system. It also provides the commands to start the agent if it isn't running.

September 7, 2020

Patch Manager now supports Ubuntu Server 20.04 LTS

You can now use Patch Manager to patch Ubuntu Server 20.04 LTS instances. For more information, see the following topics:

August 31, 2020

New topic for Use cases and best practices

We've added a new topic to help users quickly understand the differences between Maintenance Windows and State Manager. For more information, see Choosing between State Manager and Maintenance Windows.

August 28, 2020

New OpsCenter features

OpsCenter includes new features to help you quickly locate and run Automation runbooks to remediate issues. For more information, see Automation runbook features in OpsCenter.

August 19, 2020

New data source in Explorer: AWS Support cases

Explorer now displays information about AWS Support cases. You must have either an Enterprise or Business account set up with AWS Support. For more information, see Editing Systems Manager Explorer data sources.

August 13, 2020

Distributor now provides a third-party package from Trend Micro.

Distributor now includes a third-party package from Trend Micro. You can use Distributor to install the Trend Micro Cloud One agent on your managed instances. Trend Micro Cloud One helps you secure your workloads in the cloud. For more information, see AWSDistributor.

August 12, 2020

The aws:configurePackage document plugin now includes the additionalArguments parameter.

The Systems Manager Command document plugin aws:configurePackage now supports providing additional parameters to your scripts (install, uninstall, and update) with the new additionalArguments parameter. For more information, see the topic aws:configurePackage.

August 11, 2020

AppConfig content moved into a separate user guide

Information about AWS AppConfig has been moved into a separate user guide. For more information, see What Is AWSAppConfig? AppConfig also has a separate documentation landing page with links to the user guide, the AppConfig API reference, and a new AppConfig workshop.

August 3, 2020

Quick Setup now supports AWS Organizations

Quick Setup now supports AWS Organizations, allowing you to quickly configure required security roles and commonly used Systems Manager capabilities across multiple accounts and Regions. For more information, see AWS Systems Manager Quick Setup.

July 23, 2020

New data source in Explorer: association compliance

Explorer now displays association compliance data from State Manager. For more information, see Editing Systems Manager Explorer data sources.

July 23, 2020

New Systems Manager Command document to turn on and turn off Kernel Live Patching

The document AWS-ConfigureKernelLivePatching is now available to use with Run Command when you want to turn on or turn off Kernel Live Patching on Amazon Linux 2 instances. This document replaces the need for creating your own custom Command documents for these tasks. For more information, see Use Kernel Live Patching on Amazon Linux 2 instances.

July 22, 2020

Updated Automation quotas

Service quotas for Automation have been updated, including a separate queue for rate control automations. For more information, see AWS Systems Manager Automation.

July 20, 2020

Specify the number of schedule offset days for a maintenance window using the console

Using the Systems Manager console, you can now specify a number of days to wait after the date and time specified by a CRON expression before running a maintenance window. (Previously, this option was available only when using an AWS SDK or a command line tool.) For example, if your CRON expression schedules a maintenance window to run on the third Tuesday of every month at 11:30 PM – cron(0 30 23 ? * TUE#3 *) – and you specify a schedule offset of 2, the window won't run until two days later at 11:30 PM. For more information, see Cron and rate expressions for Systems Manager and Specify the number of schedule offset days for a maintenance window.

July 17, 2020

Update PowerShell using Run Command

To help you update PowerShell to version 5.1 on your Windows Server 2012 and 2012 R2 instances, we added a walkthrough to the AWS Systems Manager User Guide. For more information, see Update PowerShell using Run Command.

June 30, 2020

Patch Manager now supports CentOS 8.0 and 8.1

You can now use Patch Manager to patch CentOS 8.0 and 8.1 instances. For more information, see the following topics:

June 27, 2020

AppConfig integrates with AWS CodePipeline

AppConfig is an integrated deploy action for AWS CodePipeline (CodePipeline). CodePipeline is a fully managed continual delivery service that helps you automate your release pipelines for fast and reliable application and infrastructure updates. CodePipeline automates the build, test, and deploy phases of your release process every time there is a code change, based on the release model you define. The integration of AppConfig with CodePipeline offers the following benefits. For more information, see AppConfig integration with CodePipeline.

  • Customers who use CodePipeline to manage orchestration now have a lightweight means of deploying configuration changes to their applications without having to deploy their entire codebase.

  • Customers who want to use AppConfig to manage configuration deployments but are limited because AppConfig doesn't support their current code or configuration store, now have additional options. CodePipeline supports AWS CodeCommit, GitHub, and BitBucket (to name a few).

June 25, 2020

New chapter: Product and service integrations

To help you understand how Systems Manager integrates with AWS services and other products and services, a new chapter has been added to the AWS Systems Manager User Guide. For more information, see Product and service integrations with Systems Manager.

June 23, 2020

Automation chapter reorganization

To help you find what you need, we reorganized topics in the Automation chapter of the AWS Systems Manager User Guide. For example, the Automation actions and Automation runbooks references are now top-level sections in the chapter. For more information, see AWS Systems Manager Automation.

June 23, 2020

Specify the number of schedule offset days for a maintenance window

Using a command line tool or AWS SDK, you can now specify a number of days to wait after the date and time specified by a CRON expression before running a maintenance window. For example, if your CRON expression schedules a maintenance window to run on the third Tuesday of every month at 11:30 PM – cron(0 30 23 ? * TUE#3 *) – and you specify a schedule offset of 2, the window won't run until two days later at 11:30 PM. For more information, see Cron and rate expressions for Systems Manager and Specify the number of schedule offset days for a maintenance window.

June 19, 2020

Patch Manager support for Kernel Live Patching on Amazon Linux 2 instances

Kernel Live Patching for Amazon Linux 2 allows you to apply security vulnerability and critical bug patches to a running Linux kernel, without reboots or disruptions to running applications. You can now allow the feature and apply kernel live patches using Patch Manager. For information, see Use Kernel Live Patching on Amazon Linux 2 instances.

June 16, 2020

Patch Manager increases Oracle Linux version support

Previously, Patch Manager supported only version 7.6 of Oracle Linux. As listed in Patch Manager prerequisites, support now covers versions 7.5-7.8.

June 16, 2020

Sample scenario for using the InstallOverrideList parameter in patching operations

The new topic Sample scenario for using the InstallOverrideList parameter describes a strategy for using the InstallOverrideList parameter in the AWS-RunPatchBaseline document to apply different types of patches to a target group, on different maintenance window schedules, while still using a single patch baseline.

June 11, 2020

Predefined deployment strategies for AppConfig

AppConfig now offers predefined deployment strategies. For more information, see Creating a deployment strategy.

June 10, 2020

Patch Manager now supports Red Hat Enterprise Linux (RHEL) 7.8-8.2

You can now use Patch Manager to patch RHEL 7.8–8.2 instances. For more information, see the following topics:

June 9, 2020

Explorer supports delegated administration

If you aggregate Explorer data from multiple AWS Regions and AWS accounts by using resource data sync with AWS Organizations, then we suggest that you configure a delegated administrator for Explorer. A delegated administrator improves Explorer security by limiting the number of Explorer administrators who can create or delete multi-account and Region resource data syncs to only one individual. You also no longer need to be logged into the AWS Organizations management account to administer resource data syncs in Explorer. For more information, see Configuring a Delegated Administrator.

June 3, 2020

Apply State Manager association only at the next specified Cron interval

If you don't want a State Manager association to run immediately after you create it, you can choose the Apply association only at the next specified Cron interval option in the Systems Manager console. For more information, see Creating associations.

June 3, 2020

New data source in Explorer: AWS Compute Optimizer

Explorer now displays data from AWS Compute Optimizer. This includes a count of Under provisioned and Over provisioned EC2 instances, optimization findings, on-demand pricing details, and recommendations for instance type and price. For more information, see the details for setting up AWS Compute Optimizer in Setting up related services.

May 26, 2020

Install Windows Service Packs and Linux minor version upgrades using Patch Manager

The new topic Tutorial: Create a patch baseline for installing Windows Service Packs (console) demonstrates how you can create a patch baseline devoted exclusively to installing Windows Service Packs. The topic Create a custom patch baseline (Linux) has been updated with information about including minor version upgrades for Linux operating systems in patch baselines.

May 21, 2020

Parameter Store chapter reorganization

All topics that deal with configuring or setting options for Parameter Store operations have been consolidated into the Setting up Parameter Store section. This includes the topics Managing parameter tiers and Increasing Parameter Store throughput, which have been relocated from other parts of the chapter.

May 18, 2020

New topic for creating date and time strings for interacting with Systems Manager API operations.

The new topic Creating formatted date and time strings for Systems Manager describes how to create formatted date and time strings for interacting with Systems Manager API operations.

May 13, 2020

About permissions for encrypting SecureString parameters

The new topic Restricting access to Systems Manager parameters using IAM policies explains the difference between encrypting your SecureString parameters using an AWS KMS key and using the AWS managed key provided by AWS.

May 13, 2020

Patch Manager now supports the Debian Server and Oracle Linux 7.6 operating systems

You can now use Patch Manager to patch Debian Server and Oracle Linux instances. Patch Manager supports patching Debian Server 8.x and 9.x and Oracle Linux 7.6 versions. For more information, see the following topics:

May 7, 2020

Create State Manager associations that target AWS Resource Groups

In addition to targeting tags, individual instances, and all instances in your AWS account, you can now create State Manager associations that target instances in AWS Resource Groups. For more information, see About targets and rate controls in State Manager associations.

May 7, 2020

New aws:ec2:image data type in Parameter Store to validate AMI IDs

When you create a String parameter, you can now specify a data type as aws:ec2:image to ensure that the parameter value you enter is a valid Amazon Machine Image (AMI) ID format. Support for AMI ID formats means you don't have to update all your scripts and templates with a new ID each time the AMI that you want to use in your processes changes. You can create a parameter with the data type aws:ec2:image, and for its value, enter the ID of an AMI. This is the AMI from which you want new instances to be created. You then reference this parameter in your templates and commands. When you're ready to use a different AMI, update the parameter value. Parameter Store validates the new AMI ID, and you don't need to update your scripts and templates. For more information, see Native parameter support for Amazon Machine Image IDs.

May 5, 2020

Managing exit codes in Run Command commands

Run Command enables you to define how exit codes are handled in your scripts. By default, the exit code of the last command run in a script is reported as the exit code for the entire script. However, you can include a shell conditional statement to exit the script if any command before the final one fails. For examples, see the new topic Managing exit codes in Run Command commands.

May 5, 2020

New public parameters released for availability zones and local zones

Public parameters have been released to make information about AWS availability zones and local zones available programmatically. These are in addition to existing global infrastructure public parameters for AWS services and AWS Regions. For more information, see Calling public parameters for AWS services, Regions, endpoints, Availability Zones, local zones, and Wavelength Zones.

May 4, 2020

New data source in Explorer: AWS Trusted Advisor

Explorer now displays data from AWS Trusted Advisor. This includes the status of best practice checks and recommendations in the following areas: cost optimization, security, fault tolerance, performance, and service quotas. For more information, see the details for setting up Trusted Advisor in Setting up related services.

May 4, 2020

Create State Manager associations that run Chef recipes

You can create State Manager associations that run Chef cookbooks and recipes by using the AWS-ApplyChefRecipes document. This document offers the following benefits for running Chef recipes:

  • Supports multiple releases of Chef (Chef 11 through Chef 14).

  • Automatically installs the Chef client software on target instances.

  • Optionally runs Systems Manager compliance checks on target instances, and stores the results of compliance checks in an S3 bucket.

  • Runs multiple cookbooks and recipes in a single run of the document.

  • Optionally runs recipes in why-run mode, to show which recipes will change on target instances without making changes.

  • Optionally applies custom JSON attributes to chef-client runs.

For more information, see Creating associations that run Chef recipes.

March 19, 2020

Synchronize inventory data from multiple AWS accounts to a central Amazon S3 bucket

You can synchronize Systems Manager Inventory data from multiple AWS accounts to a central S3 bucket. The accounts must be defined in AWS Organizations. For more information, see Creating an Inventory resource data sync for multiple accounts defined in AWS Organizations.

March 16, 2020

Store AppConfig configurations in Amazon S3

Previously, AppConfig only supported application configurations that were stored in Systems Manager (SSM) documents or Parameter Store parameters. In addition to these options, AppConfig now supports storing configurations in Amazon S3. For more information, see About configurations stored in Amazon S3.

March 13, 2020

SSM Agent installed by default on Amazon ECS-optimized AMIs

SSM Agent is now installed by default on Amazon ECS-Optimized AMIs. For more information, see Working with SSM Agent.

February 25, 2020

Create AppConfig configurations in the console

AppConfig now allows you to create an application configuration in the console at the time you create a configuration profile. For more information, see Creating a configuration and a configuration profile.

February 13, 2020

Auto-approve only patches released up to a specified date

In addition to the option for automatically approving patches for installation a specified number of days after they're released, Patch Manager now supports the ability to auto-approve only patches released on or before a date that you specify. For example, if you specify July 7, 2020, as the cutoff date in your patch baseline, no patches released on or after July 8, 2020, are installed automatically. For more information, see About custom baselines and Working with custom patch baselines (console).

February 12, 2020

Use the {{RESOURCE_ID}} pseudo parameter in maintenance window tasks

When you register a maintenance window task, you specify the parameters that are unique to the task type. You can reference certain values using pseudo parameter syntax, such as {{TARGET_ID}}, {{TARGET_TYPE}}, and {{WINDOW_TARGET_ID}}. When the maintenance window task runs, it passes the correct values instead of the pseudo parameter placeholders. To support resources that are part of a resource group as a target, you can use the {{RESOURCE_ID}} pseudo parameter to pass values for resources such as DynamoDB tables, S3 buckets, and other supported types. For more information, see the following topics in Tutorial: Create and configure a maintenance window (AWS CLI):

February 6, 2020

Quickly rerun commands

Systems Manager includes two options to help you rerun a command from the Run Command page in the AWS Systems Manager console. Rerun: This button allows you to run the same command without making changes to it. Copy to new: This button copies the settings of one command to a new command and gives you the option to edit those settings before you run it. For more information, see Rerunning commands.

February 5, 2020

Reverting from the advanced-instances tier to the standard-instances tier

If you previously configured all on-premises instances running in your hybrid environment to use the advanced-instances tier, you can now quickly configure those instances to use the standard-instances tier. Reverting to the standard-instances tier applies to all hybrid instances in an AWS account and a single AWS Region. Reverting to the standard-instances tier impacts the availability of some Systems Manager capabilities. For more information, see Reverting from the advanced-instances tier to the standard-instances tier.

January 16, 2020

New option to skip instance reboots after patch installation

Previously, managed instances were always rebooted after Patch Manager installed patches on them. A new RebootOption parameter in the SSM document AWS-RunPatchBaseline allows you to specify whether or not you want your instances to reboot automatically after new patches are installed. For more information, see Parameter name: RebootOption in the topic About the SSM document AWS-RunPatchBaseline.

January 15, 2020

New topic: 'Running PowerShell scripts on Linux instances'

A new topic that describes how to use Run Command to run PowerShell scripts on Linux instances. For more information, see Running PowerShell scripts on Linux instances.

January 10, 2020

Updates to 'configure SSM Agent to use a proxy'

The values to specify when configuring SSM Agent to use a proxy have been updated to reflect options for both HTTP proxy servers and HTTPS proxy servers. For more information, see Configure SSM Agent to use a proxy.

January 9, 2020

New "Security" chapter outlines practices for securing Systems Manager resources

A new Security chapter in the AWS Systems Manager User Guide helps you understand how to apply the shared responsibility model when using Systems Manager. Topics in the chapter show you how to configure Systems Manager to meet your security and compliance objectives. You also learn how to use other AWS services that help you to monitor and secure your Systems Manager resources.

Note

As part of this update, the user guide chapter "Authentication and Access Control" has been replaced by a new, simpler section, Identity and access management for AWS Systems Manager.

December 24, 2019

New sample custom Automation runbooks

A set of sample custom Automation runbooks has been added to the user guide. These samples show how to use various Automation actions to simplify deployment, troubleshooting, and maintenance tasks, and are intended to help you write your own custom Automation runbooks. For more information, see Custom Automation runbook samples. You can also view Amazon managed Automation runbook content in the Systems Manager console. For more information, see Systems Manager Automation runbook reference.

December 23, 2019

Support for Oracle Linux

Systems Manager now supports Oracle Linux 7.5 and 7.7. For information about manually installing SSM Agent on EC2 instances running Oracle Linux, see Oracle Linux. For information about installing SSM Agent on Oracle Linux servers in a hybrid environment, see How to install the SSM Agent on hybrid Linux nodes.

December 19, 2019

Launch Session Manager sessions from the Amazon EC2 console

You can now start Session Manager sessions from the Amazon Elastic Compute Cloud (Amazon EC2) console. Working with session-related tasks from the Amazon EC2 console requires different IAM permissions for both users and administrators. You can provide permissions for using the Session Manager console and AWS CLI only, for using the Amazon EC2 console only, or for using all three tools. For more information, see the following topics.

December 18, 2019

CloudWatch support for Run Command metrics and alarms

AWS Systems Manager now publishes metrics about the status of Run Command commands to CloudWatch, allowing you to set alarms based on those metrics. The terminal status values for commands for which you can track metrics include Success, Failed, and Delivery Timed Out. For more information, see Monitoring Run Command metrics using Amazon CloudWatch.

December 17, 2019

New Systems Manager capability: Change Calendar

Use Systems Manager Change Calendar to specify periods of time (events) during which you want to limit or prevent code changes (such as from Systems Manager Automation runbooks or AWS Lambda functions) to resources. A change calendar is a new Systems Manager document type that stores iCalendar 2.0 data in plaintext format. For more information, see AWS Systems Manager Change Calendar.

December 11, 2019

New Systems Manager capability: AWS AppConfig

Use AppConfig to create, manage, and quickly deploy application configurations. AppConfig supports controlled deployments to applications of any size. You can use AppConfig with applications hosted on EC2 instances, AWS Lambda, containers, mobile applications, or IoT devices. To prevent errors when deploying application configurations, AppConfig includes validators. A validator provides a syntactic or semantic check to ensure that the configuration you want to deploy works as intended. During a configuration deployment, AppConfig monitors the application to ensure that the deployment is successful. If the system encounters an error or if the deployment starts an alarm, AppConfig rolls back the change to minimize impact for your application users. For more information, see AWS AppConfig.

November 25, 2019

New Systems Manager capability: Systems Manager Explorer

AWS Systems Manager Explorer is a customizable operations dashboard that reports information about your AWS resources. Explorer displays an aggregated view of operations data (OpsData) for your AWS accounts and across AWS Regions. In Explorer, OpsData includes metadata about your EC2 instances, patch compliance details, and operational work items (OpsItems). Explorer provides context about how OpsItems are distributed across your business units or applications, how they trend over time, and how they vary by category. You can group and filter information in Explorer to focus on items that are relevant to you and that require action. When you identify high priority issues, you can use Systems Manager OpsCenter to run Automation runbooks and quickly resolve those issues. For information, see AWS Systems Manager Explorer.

Note

Setup for Systems Manager OpsCenter is integrated with setup for Explorer. If you already set up OpsCenter, you still need to complete Integrated Setup to verify settings and options. If you haven't set up OpsCenter, then you can use Integrated Setup to get started with both capabilities. For more information, see Getting started with Explorer and OpsCenter.

November 18, 2019

Improved parameter search capabilities

The tools for searching for parameters now make it easier to find parameters when you have a large number of them in your account or when you don't remember the exact name of a parameter. With the search tool, you can filter by contains. Previously, the search tools supported searching for parameter names only by equals and begins-with. For more information, see Searching for Systems Manager parameters.

November 15, 2019

New console-based Document Builder for Automation | Support for running scripts in Automation steps

You can now use Systems Manager Automation to build and share standardized operational playbooks to ensure consistency across users, AWS accounts, and AWS Regions. With this ability to run scripts and add inline documentation to your Automation runbooks using Markdown, you can reduce errors and eliminate manual steps such as navigating written procedures in wikis and running terminal commands.

For more information, see the following topics.

November 14, 2019

Perform an in-place package update using Distributor

Previously, when you wanted to install an update to a package using Distributor, your only choice was to uninstall the entire package and reinstall the new version. Now you can choose to perform an in-place update instead. During an in-place update, Distributor installs only files that are new or changed since the last installation, according to the update script you include in your package. With this option, your package application can remain available and not be taken offline during the update. For more information, see the following topics.

November 11, 2019

New SSM Agent auto update feature

With one click, you can configure all instances in your AWS account to automatically check for and download new versions of SSM Agent. To do this, choose Agent auto update on the Managed instances page in the AWS Systems Manager console. For information, see Automate updates to SSM Agent.

November 5, 2019

Restrict Session Manager access using AWS-supplied tags

A second method for controlling user access to session actions is now available. With this new method, you create IAM access policies using AWS-supplied session tags instead of using the {aws:username} variable. Using these AWS-supplied session tags makes it possible for organizations that use federated IDs to control user access to sessions. For information, see Allow a user to terminate only sessions they started.

October 2, 2019

New SSM Command document to apply Ansible Playbooks

You can create State Manager associations that run Ansible Playbooks by using the AWS-ApplyAnsiblePlaybooks document. This document offers the following benefits for running Playbooks:

  • Support for running complex Playbooks

  • Support for downloading Playbooks from GitHub and Amazon Simple Storage Service (Amazon S3)

  • Support for compressed Playbook structure

  • Enhanced logging

  • Ability to specify which Playbook to run when Playbooks are bundled

For more information, see Creating associations that run Ansible playbooks.

September 24, 2019

Port forwarding support for Session Manager

Session Manager now supports port forwarding sessions. Port forwarding allows you to securely create tunnels between your instances deployed in private subnets, without the need to start the SSH service on the server, to open the SSH port in the security group, or to use a bastion host. Similar to SSH tunnels, port forwarding allows you to forward traffic between your laptop and open ports on your instance. Once port forwarding is configured, you can connect to the local port and access the server application running inside the instance. For more information, see the following topics:

August 29, 2019

Specify a default parameter tier or automate tier selection

You can now specify a default parameter tier to use for requests to create or update a parameter that don't specify a tier. You can set the default tier to standard parameters, advanced parameters, or a new option, Intelligent-Tiering. Intelligent-Tiering evaluates each PutParameter request and creates an advanced parameter only when required. (Advanced parameters are required if the size of the parameter value is more than 4 KB, a parameter policy is associated with the parameter, or the maximum 10,000 parameters supported for the standard tier are already created.) For more information about specifying a default tier and using Intelligent-Tiering, see Specifying a default parameter tier.

August 27, 2019

Working with associations section updated with CLI and PowerShell procedures

The Working with Associations section has been updated to include procedural documentation for managing associations using the AWS CLI or AWS Tools for PowerShell. For information, see Working with associations in Systems Manager.

August 26, 2019

Working with Automation executions section updated with CLI and PowerShell procedures

The Working with Automation Executions section has been updated to include procedural documentation for running Automation workflows using the AWS CLI or AWS Tools for PowerShell. For information, see Working with Automation executions.

August 20, 2019

OpsCenter integrates with application insights

OpsCenter integrates with Amazon CloudWatch Application Insights for .NET and SQL Server. This means you can automatically create OpsItems for problems detected in your applications. For information about how to configure Application Insights to create OpsItems, see Set up, configure, and manage your application for monitoring in the Amazon CloudWatch User Guide.

August 7, 2019

New console feature: AWS Systems Manager Quick Setup

Quick Setup is a new feature in the Systems Manager console that helps you quickly configure several Systems Manager components on your EC2 instances. Specifically, Quick Setup helps you configure the following components on the instances you choose or target by using tags:

  • An AWS Identity and Access Management (IAM) instance profile role for Systems Manager.

  • A scheduled, bi-monthly update of SSM Agent.

  • A scheduled collection of Inventory metadata every 30 minutes.

  • A daily scan of your instances to identify missing patches.

  • A one-time installation and configuration of the Amazon CloudWatch agent.

  • A scheduled, monthly update of the CloudWatch agent.

For more information, see AWS Systems Manager Quick Setup.

August 7, 2019

Register a resource group as a maintenance window target

In addition to registering managed instances as the target of a maintenance window, you can now register a resource group as a maintenance window target. Maintenance Windows supports all the AWS resource types that are supported by AWS Resource Groups including AWS::EC2::Instance, AWS::DynamoDB::Table, AWS::OpsWorks::Instance, AWS::Redshift::Cluster, and more. With this release you can also send commands to a resource group, for example by using the Run Command console or the AWS CLI send-command command. For more information, see the following topics:

July 23, 2019

Simplified package creation and versioning with AWS Systems Manager Distributor

Distributor has a new, simplified package creation workflow that can generate a package manifest, scripts, and file hashes for you. You can also use the simplified workflow when you add a version to an existing package.

July 22, 2019

New document categories pane for Systems Manager Automation

Systems Manager includes a new Document categories pane when you run an Automation in the console. Use this pane to filter Automation runbooks based on their purpose.

July 18, 2019

Support for starting Session Manager sessions using operating system user credentials

By default, Session Manager sessions are launched using the credentials of a system-generated ssm-user account that is created on a managed instance. On Linux machines, you can now instead launch sessions using the credentials of an operating system account. For information, see Turn on Run As support for Linux instances.

July 9, 2019

Support for starting Session Manager sessions using SSH

You can now use the AWS CLI to start an SSH session on a managed instance using Session Manager. For information about allowing SSH sessions with Session Manager, see (Optional) Turn on SSH Session Manager sessions. For information about starting an SSH session using Session Manager, see Starting a session (SSH).

July 9, 2019

Support for changing passwords on managed instances

You can now reset passwords on machines that you manage using Systems Manager (managed instances). You can reset the password using the Systems Manager console or the AWS CLI. For information, see Resetting passwords on managed instances.

July 9, 2019

Revisions to "What is AWS Systems Manager?"

The introductory content in What is AWS Systems Manager? has been expanded to provide a broader introduction to the service and reflect Systems Manager capabilities that have been released recently. In addition, other content in the section has been moved into individual topics for better discoverability.

June 10, 2019

New Systems Manager capability: OpsCenter

OpsCenter provides a central location where operations engineers and IT professionals can view, investigate, and resolve operational work items (OpsItems) related to AWS resources. OpsCenter is designed to reduce mean time to resolution for issues impacting AWS resources. This Systems Manager capability aggregates and standardizes OpsItems across services while providing contextual investigation data about each OpsItem, related OpsItems, and related resources. OpsCenter also provides Systems Manager Automation runbooks that you can use to quickly resolve issues. You can specify searchable, custom data for each OpsItem. You can also view automatically-generated summary reports about OpsItems by status and source. For more information, see AWS Systems Manager OpsCenter.

June 6, 2019

Changes to Systems Manager left navigation pane in the AWS Management Console

The Systems Manager left navigation pane in the AWS Management Console includes new headings, including a new heading for OpsCenter, that provide a more logical grouping of Systems Manager capabilities.

June 6, 2019

Revised tutorial for creating and configuring a maintenance window using the AWS CLI

Tutorial: Create and configure a maintenance window (AWS CLI) has been overhauled to provide a simple path through the practice steps. You create a single maintenance window, identify a single target, and set up a simple task for the maintenance window to run. Along the way, we provide information and examples you can use to create your own task registration commands, including information for using pseudo parameters such as {{TARGET_ID}}. For additional information and examples, see the following topics:

May 31, 2019

Notifications about SSM Agent updates

To be notified about SSM Agent updates, subscribe to the SSM Agent Release Notes page on GitHub.

May 24, 2019

Receive notifications or trigger actions based on changes in Parameter Store

The topic Set up notifications or trigger actions based on Parameter Store events now helps you set up Amazon EventBridge rules to respond to changes in Parameter Store. You can receive notifications or trigger other actions when any of the following occur:

  • A parameter is created, updated, or deleted.

  • A parameter label version is created, updated, or deleted.

  • A parameter expires, is going to expire, or hasn't changed in a specified period of time.

May 22, 2019

Major revisions to setting up and getting started content

We have expanded and reorganized the Setting Up and Getting Started content in the AWS Systems Manager User Guide. Setting Up content has been divided into two sections. One section focuses on tasks for setting up Systems Manager to configure and manage your EC2 instances. The other focuses on tasks for setting up Systems Manager to configure and manage your on-premises servers and virtual machines (VMs) in a hybrid environment. Both sections now present all setup topics as major numbered steps, in the recommended order of completion. A new Getting Started chapter focuses on helping end-users get started with Systems Manager after account and service configuration tasks have been completed.

May 15, 2019

Include patches for applications released by Microsoft in patch baselines (Windows)

Patch Manager now supports patch updates for applications released by Microsoft on Windows Server instances. Previously, only patches for the Windows Server operating system were supported. Patch Manager provides two predefined patch baselines for Windows Server instances. The patch baseline AWS-WindowsPredefinedPatchBaseline-OS applies to operating system patches only. AWS-WindowsPredefinedPatchBaseline-OS-Applications applies to both the Windows Server operating system and applications released by Microsoft on Windows. For information about creating a custom patch baseline that includes patches for applications released by Microsoft, see the first procedure in Create a custom patch baseline. Also, as part of this update, the names of AWS-provided predefined patch baselines are being changed. For more information, see Predefined baselines.

May 7, 2019

Examples for registering maintenance window targets using the AWS CLI

The new topic Examples: Register targets with a maintenance window provides three sample commands to demonstrate different ways you can specify the targets for a maintenance window when you use the AWS CLI. The topic also explains the best use case for each of the sample commands.

May 3, 2019

Updates to patch group topics

The topic About patch groups has been updated to include a section on how managed instances determine the appropriate patch baseline to use during patching operations. Additionally, instructions have been added for using the AWS CLI or Systems Manager console to add Patch Group or PatchGroup tags to your managed instances, and how to add a Patch Group or PatchGroup to a patch baseline. (You must use PatchGroup, without a space, if you have allowed tags in EC2 instance metadata.) For more information, see Create a patch group and Add a patch group to a patch baseline.

May 1, 2019

New Parameter Store features

Parameter Store offers the following new features:

  • Advanced parameters: Parameter Store now allows you to individually configure parameters to use either a standard-parameter tier (the default tier) or an advanced-parameter tier. Advanced parameters offer a larger size quota for the parameter value, a higher quota for the number of parameters you can create per AWS account and AWS Region, and the ability to use parameter policies. For more information about advanced parameters, see About Systems Manager advanced parameters.

  • Parameter policies: Parameter policies help you manage a growing set of parameters by allowing you to assign specific criteria to a parameter, such as an expiration date or time to live. Parameter policies are especially helpful in forcing you to update or delete passwords and configuration data stored in Parameter Store. Parameter policies are only available for parameters that use the advanced-parameter tier. For more information, see Working with parameter policies.

  • Higher throughput: You can now increase the Parameter Store throughput quota to a maximum of 1,000 transactions per second. For more information, see Increasing Parameter Store throughput.

April 25, 2019

Updates to the Automation section

The Automation section has been updated for improved discoverability. In addition, three new topics have been added to the Automation section:

April 17, 2019

Encrypt session data using an AWS KMS key

By default, Session Manager uses TLS 1.2 to encrypt session data transmitted between the local machines of users in your account and your EC2 instances. Now you can choose to further encrypt that data using an AWS KMS key that has been created in AWS Key Management Service. You can use a KMS key that has been created in your AWS account or one that has been shared with you from another account. For information about specifying a KMS key to encrypt session data, see Turn on AWS KMS key encryption of session data (console), Create Session Manager preferences (AWS CLI), or Update Session Manager preferences (AWS CLI).

April 4, 2019

Configuring Amazon SNS notifications for AWS Systems Manager

Added instructions for using the AWS CLI or Systems Manager console to configure Amazon SNS notifications for Run Command and Run Command tasks registered to a maintenance window. For more information, see Configuring Amazon SNS notifications for AWS Systems Manager.

March 6, 2019

Advanced instances for servers and VMs in hybrid environments

AWS Systems Manager offers a standard-instances tier and an advanced-instances tier for servers and VMs in your hybrid environment. The standard-instances tier allows you to register a maximum of 1,000 servers or VMs per AWS account per AWS Region. If you need to register more than 1,000 servers or VMs in a single account and Region, then use the advanced-instances tier. You can create as many instances as you like in the advanced-instances tier, but all instances configured for Systems Manager are available on a pay-per-use basis. Advanced instances also allow you to connect to your hybrid machines by using AWS Systems Manager Session Manager. Session Manager provides interactive shell access to your instances. For more information about allowing advanced instances, see Using the advanced-instances tier.

March 4, 2019

Create State Manager associations that use shared SSM documents

You can create State Manager associations that use SSM Command and Automation runbooks shared from other AWS accounts. Creating associations by using shared SSM documents helps to keep your Amazon EC2 and hybrid infrastructure in a consistent state even when instances aren't in the same account. For information about sharing SSM documents, see AWS Systems Manager Documents. For information about creating a State Manager association, see Create an association.

February 28, 2019

View lists of Systems Manager events supported for Amazon EventBridge rules

The new topic Monitoring Systems Manager events with Amazon EventBridge provides a summary of the various events emitted by Systems Manager for which you can set up event monitoring rules in EventBridge.

February 25, 2019

Add tags when you create Systems Manager resources

Systems Manager now supports the ability to add tags to certain resource types when you create them. The resources you can tag when you create them with the AWS CLI or an SDK include maintenance windows, patch baselines, Parameter Store parameters, and SSM documents. You can also assign tags to a managed instance when you create an activation for it. When you use the Systems Manager console, you can add tags to maintenance windows, patch baselines, and parameters.

February 24, 2019

Automatic IAM role creation for Systems Manager Inventory

Previously you had to create an AWS Identity and Access Management (IAM) role and attach separate policies to this role to view inventory data on the Inventory Detail View page in the console. You no longer need to create this role or attach policies to it. When you choose a Remote Data Sync on the Inventory Detail View page, Systems Manager automatically creates the Amazon-GlueServicePolicyForSSM role and assigns the Amazon-GlueServicePolicyForSSM-{S3 bucket name} policy and the AWSGlueServiceRole policy to it. For more information, see Querying inventory data from multiple Regions and accounts.

February 14, 2019

Maintenance Windows walkthroughs to update SSM Agent

Added two new walkthroughs to the Maintenance Windows documentation. The walkthroughs detail how to use the Systems Manager console or the AWS CLI to create a maintenance window that keeps SSM Agent up-to-date automatically. For more information, see Maintenance Windows walkthroughs.

February 11, 2019

Using Parameter Store public parameters

Added a short section describing Parameter Store public parameters. For more information, see Using Systems Manager public parameters.

January 31, 2019

Use the AWS CLI to create Session Manager preferences

Added instructions for using the AWS CLI to create Session Manager preferences, such as CloudWatch Logs, S3 bucket logging options, and session encryption settings. For more information, see Use the AWS CLI to create Session Manager preferences.

January 22, 2019

Executing Systems Manager automation workflows by using State Manager

AWS Systems Manager State Manager now supports creating associations that use SSM Automation runbooks. State Manager previously supported only command and policy documents, which meant that you could only create associations that targeted managed instances. With support for SSM Automation runbooks, you can now create associations that target different types of AWS resources. For more information, see Executing Systems Manager Automation workflows by using State Manager.

January 22, 2019

Reference updates for cron and rate expressions and maintenance window scheduling options

The reference topic Cron and rate expressions for Systems Manager has been revised. The new version provides more examples and improved explanations of how to use cron and rate expressions to schedule your maintenance windows and State Manager associations. In addition, the new topic Maintenance Windows scheduling and active period options explains how the various schedule-related options for maintenance windows (Start date, End date, Time zone, Schedule frequency) relate to one another.

December 6, 2018

Turn on SSM Agent debug logging

You can turn on SSM Agent debug logging by editing the seelog.xml.template file on the managed instance. For more information, see Turn on SSM Agent debug logging.

November 30, 2018

Support for ARM64 processor architectures

AWS Systems Manager now supports ARM64 versions of the Amazon Linux 2, Red Hat Enterprise Linux 7.6, and Ubuntu Server (18.04 LTS and 16.04 LTS) operating systems. For more information, see the instructions for installing Amazon Linux 2, RHEL, and Ubuntu Server 18.04 and 16.04 LTS with Snap packages. For more information about the A1 instance type, see General purpose instances in the Amazon EC2 User Guide.

November 26, 2018

Create and deploy packages by using AWS Systems Manager Distributor

Using AWS Systems Manager Distributor, you package your own software—or find AWS-provided agent software packages, such as AmazonCloudWatchAgent—to install on AWS Systems Manager managed instances. Distributor publishes resources, such as software packages, to AWS Systems Manager managed instances. Publishing a package advertises specific versions of the package's document—a Systems Manager document that you create when you add the package in Distributor—to managed instances that you identify by managed instance IDs, AWS account IDs, tags, or an AWS Region. For more information, see AWS Systems Manager Distributor.

November 20, 2018

Concurrently run AWS Systems Manager Automation workflows across multiple AWS Regions and AWS accounts from a central account

You can concurrently run AWS Systems Manager automation workflows across multiple AWS Regions and AWS accounts or AWS Organizational Units (OUs) from an Automation management account. Concurrently executing Automations in multiple Regions and accounts or OUs reduces the time required to administer your AWS resources while enhancing the security of your computing environment. For more information, see Executing Automation workflows in multiple AWS Regions and AWS accounts.

November 19, 2018

Query inventory data from multiple AWS Regions and AWS accounts

Systems Manager Inventory integrates with Amazon Athena to help you query inventory data from multiple AWS Regions and AWS accounts. Athena integration uses resource data sync so that you can view inventory data from all of your managed instances on the Inventory Detail View page in the AWS Systems Manager console. For more information, see Querying Inventory data from multiple Regions and accounts.

November 15, 2018

Create State Manager associations that run MOF files

You can run Managed Object Format (MOF) files to enforce a targeted state on Windows Server managed instances with State Manager by using the AWS-ApplyDSCMofs SSM document. The AWS-ApplyDSCMofs document has two execution modes. With the first mode, you can configure the association to scan and report if the managed instances are currently in the targeted state defined in the specified MOF files. In the second mode, you can run the MOF files and change the configuration of your instances based on the resources and their values defined in the MOF files. The AWS-ApplyDSCMofs document allows you to download and run MOF configuration files from Amazon Simple Storage Service (Amazon S3), a local share, or from a secure web site with an HTTPS domain. For more information, see Creating associations that run MOF files.

November 15, 2018

Restrict administrative access in Session Manager sessions

Session Manager sessions are launched using the credentials of a user account called ssm-user, which is created with default root or administrator permissions. Information about restricting administrative control for this account is now available in the topic Turn on or turn off ssm-user account administrative permissions.

November 13, 2018

YAML examples in Automation actions reference

The Automation actions reference now includes a YAML sample for each action that already includes a JSON sample.

October 31, 2018

Assign compliance severity levels to associations

You can now assign compliance severity levels to State Manager associations. These severity levels are reported in the Compliance Dashboard and can also be used to filter your compliance reports. The severity levels you can assign include Critical, High, Medium, Low, and Unspecified. For more information, see Create an association (console).

October 26, 2018

Use targets and rate controls with Automation and State Manager

Control the execution of Automations and State Manager associations across your fleet of resources by using targets, concurrency, and error thresholds. For more information see Using targets and rate controls to run Automation workflows on a fleet and Using targets and rate controls with State Manager associations.

October 23, 2018

Specify active time ranges and international time zones for maintenance windows

You can also specify dates that a maintenance window shouldn't run before or after (start date and end date), and you can specify the international time zone on which to base the maintenance window schedule. For more information see Create a maintenance window (console) and Update a maintenance window (AWS CLI).

October 9, 2018

Maintain a custom list of patches for your patch baseline in an S3 bucket

With the new 'InstallOverrideList' parameter in the SSM command document AWS-RunPatchBaseline, you can specify an https URL or an Amazon Simple Storage Service (Amazon S3) path-style URL to a list of patches to be installed. This patch installation list, which you maintain in an S3 bucket in YAML format, overrides the patches specified by the default patch baseline. For more information, see Parameter name: InstallOverrideList.

October 5, 2018

Expanded control over whether patch dependencies are installed

Previously, if a patch in your Rejected patches list was identified as a dependency of another patch, it would still be installed. Now you can choose whether to install these dependencies or block them from being installed. For more information, see Create a patch baseline.

October 5, 2018

Create dynamic automation workflows with conditional branching

The aws:branch Automation action allows you to create a dynamic Automation workflow that evaluates multiple choices in a single step and then jumps to a different step in the Automation runbook based on the results of that evaluation. For more information, see Using conditional statements in runbooks.

September 26, 2018

Use the AWS CLI to update Session Manager preferences

Instructions for using the CLI to update Session Manager preferences, such as CloudWatch Logs and S3 bucket logging options, have been added to the AWS Systems Manager User Guide. For information, see Use the AWS CLI to update Session Manager preferences.

September 25, 2018

Updated SSM Agent requirement for Session Manager

Session Manager now requires SSM Agent version 2.3.68.0 or later. For more information about Session Manager prerequisites, see Complete Session Manager prerequisites.

September 17, 2018

Manage instances without opening inbound ports or maintaining bastion hosts using Session Manager

Using Session Manager, a fully managed capability of AWS Systems Manager, you can manage your EC2 instances through an interactive one-click browser-based shell or through the AWS CLI. Session Manager provides secure and auditable instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys. Session Manager also allows you to comply with corporate policies that require controlled access to instances, strict security practices, and fully auditable logs with instance access details, while still providing end users with simple one-click cross-platform access to your EC2 instances. For more information, see Learn more about Session Manager.

September 11, 2018

Invoking other AWS services from a Systems Manager Automation workflow

You can invoke other AWS services and other Systems Manager capabilities in your Automation workflow by using three new Automation actions (or plugins) in your Automation runbooks. For more information, see Using action outputs as inputs.

August 28, 2018

Use Systems Manager-specific condition keys in IAM policies

The topic Specifying conditions in a policy has been updated to list the IAM condition keys for Systems Manager that you can incorporate in policies. You can use these keys to specify the conditions under which a policy should take effect. The topic also includes links to example policies and other related topics.

August 18, 2018

Aggregate inventory data with groups to see which instances are and aren't configured to collect an inventory type

Groups allow you to quickly see a count of which managed instances are and aren’t configured to collect one or more Inventory types. With groups, you specify one or more Inventory types and a filter that uses the exists operator. For more information, see Aggregating Inventory data.

August 16, 2018

View history and change tracking for Inventory and Configuration Compliance

You can now view history and change tracking for Inventory collected from your managed instances. You can also view history and change tracking for Patch Manager patching and State Manager associations reported by Configuration Compliance. For more information, see Viewing Inventory history and change tracking.

August 9, 2018

Parameter Store integrates with Secrets Manager

Parameter Store is now integrated with AWS Secrets Manager so that you can retrieve Secrets Manager secrets when using other AWS services that already support references to Parameter Store parameters. These services include Amazon EC2, Amazon Elastic Container Service, AWS Lambda, AWS CloudFormation, AWS CodeBuild, AWS CodeDeploy, and other Systems Manager capabilities. By using Parameter Store to reference Secrets Manager secrets, you create a consistent and secure process for calling and using secrets and reference data in your code and configuration scripts. For information, see Referencing AWS Secrets Manager secrets from Parameter Store parameters.

July 26, 2018

Attach labels to Parameter Store parameters

A parameter label is a user-defined alias to help you manage different versions of a parameter. When you modify a parameter, Systems Manager automatically saves a new version and increments the version number by one. A label can help you remember the purpose of a parameter version when there are multiple versions. For information, see Labeling parameters.

July 26, 2018

Create dynamic Automation workflows

By default, the steps (or actions) that you define in the mainSteps section of an Automation runbook run in sequential order. After one action is complete, the next action specified in the mainSteps section begins. With this release, you can now create Automation workflows that perform conditional branching. This means that you can create Automation workflows that dynamically respond to condition changes and jump to a specified step. For information, see Using conditional statements in runbooks.

July 18, 2018

SSM Agent now pre-installed on Ubuntu Server 16.04 AMIs using Snap

Beginning with instances created from Ubuntu Server 16.04 AMIs identified with 20180627, the SSM Agent is pre-installed using Snap packages. On instances created from earlier AMIs, you should continue using deb installer packages. For information, see About SSM Agent installations on 64-bit Ubuntu Server 16.04 instances.

July 7, 2018

Review minimum S3 permissions required by SSM Agent

The new topic Minimum S3 bucket permissions for SSM Agent provides information about the Amazon Simple Storage Service (Amazon S3) buckets that resources might need to access to perform Systems Manager operations. You can specify these buckets in a custom policy if you want to limit S3 bucket access for an instance profile or VPC endpoint to the minimum required to use Systems Manager.

July 5, 2018

View complete execution history for a specific State Manager association ID

The new topic Viewing association histories describes how to view all executions for a specific association ID and then view execution details for one or more resources.

July 2, 2018

Patch Manager introduces support for Amazon Linux 2

You can now use Patch Manager to apply patches to Amazon Linux 2 instances. For general information about Patch Manager operating system support, see Patch Manager prerequisites. For information about the supported key-value pairs for Amazon Linux 2 when defining a patch filter, see PatchFilter in the AWS Systems Manager API Reference.

June 26, 2018

Send command output to Amazon CloudWatch Logs

The new topic Configuring Amazon CloudWatch Logs for Run Command describes how to send Run Command output to CloudWatch Logs.

June 18, 2018

Quickly create or delete resource data sync for Inventory by using AWS CloudFormation

You can use AWS CloudFormation to create or delete a resource data sync for Systems Manager Inventory. To use AWS CloudFormation, add the AWS::SSM::ResourceDataSync resource to your AWS CloudFormation template. For more information, see Working with AWS CloudFormation Templates in the AWS CloudFormation User Guide. You can also manually create a resource data sync for Inventory as described in Creating a resource data sync for Inventory.

June 11, 2018

AWS Systems Manager User Guide update notifications now available through RSS

The HTML version of the Systems Manager User Guide now supports an RSS feed of updates that are documented in the Systems Manager Documentation update history page. The RSS feed includes updates made in June, 2018, and later. Previously announced updates are still available in the Systems Manager documentation update history page. Use the RSS button in the top menu panel to subscribe to the feed.

June 6, 2018

Specify an exit code in scripts to reboot managed instances

The new topic Rebooting managed instances from scripts describes how to instruct Systems Manager to reboot managed instances by specifying an exit code in scripts that you run with Run Command.

June 3, 2018

Create an event in Amazon EventBridge whenever custom inventory is deleted

The new topic Viewing inventory delete actions in EventBridge describes how to configure Amazon EventBridge to create an event anytime a user deletes custom Inventory.

June 1, 2018

Updates prior to June 2018

The following table describes important changes in each release of the AWS Systems Manager User Guide before June 2018.

Change Description Release date

Inventory all managed instances in your AWS account

You can inventory all managed instances in your AWS account by creating a global inventory association. For more information, see Inventory all managed nodes in your AWS account.

Note

Global inventory associations are available in SSM Agent version 2.0.790.0 or later. For information about how to update SSM Agent on your instances, see Updating the SSM Agent using Run Command.

May 3, 2018

SSM Agent installed by default on Ubuntu Server 18

SSM Agent is installed, by default, on Ubuntu Server 18.04 LTS 64-bit and 32-bit AMIs.

May 2, 2018

New topic

The new topic Running commands using a specific document version describes how to use the document-version parameter to specify which version of an SSM document to use when the command runs.

May 1, 2018

New topic

The new topic Deleting custom inventory describes how to delete custom Inventory data from Amazon S3 by using the AWS CLI. The topic also describes how to use the SchemaDeleteOption to manage custom inventory by turning off or deleting a custom inventory type. This new feature uses the DeleteInventory API operation.

April 19, 2018

Amazon SNS notifications for SSM Agent

You can subscribe to an Amazon SNS topic to receive notifications when a new version of SSM Agent is available. For more information, see Subscribing to SSM Agent notifications.

April 9, 2018

CentOS patching support

Systems Manager now supports patching CentOS instances. For information about supported CentOS versions, see Patch Manager prerequisites. For more information about how patching works, see How Patch Manager operations work.

March 29, 2018

New section

To provide a single source for reference information in the AWS Systems Manager User Guide, a new section has been introduced, AWS Systems Manager reference. Additional content will be added to this section as it becomes available.

March 15, 2018

New topic

The new topic Package name formats for approved and rejected patch lists details the package name formats you can enter in the lists of approved patches and rejected patches for a custom patch baseline. Sample formats are provided for each operating system type supported by Patch Manager.

March 9, 2018

New topic

Systems Manager now integrates with Chef InSpec. InSpec is an open-source, runtime framework that allows you to create human-readable profiles on GitHub or Amazon S3. Then you can use Systems Manager to run compliance scans and view compliant and noncompliant instances. For more information, see Using Chef InSpec profiles with Systems Manager Compliance.

March 7, 2018

New topic

The new topic Using service-linked roles for Systems Manager describes how to use an AWS Identity and Access Management (IAM) service-linked role with Systems Manager. Currently, service-linked roles are only required when using Systems Manager Inventory to collect metadata about tags and Resource Groups.

February 27, 2018

New and updated topics

You can now use Patch Manager to install patches that are in a different source repository than the default one configured on the instance. This is useful for patching instances with updates not related to security; with the content of Personal Package Archives (PPA) for Ubuntu Server; with updates for internal corporate applications; and so on. You specify alternative patch source repositories when you create a custom patch baseline. For more information, see the following topics:

In addition, you can now use Patch Manager to patch SUSE Linux Enterprise Server instances. Patch Manager supports patching SLES 12.* versions (64-bit only). For more information, see the SLES-specific information in the following topics:

February 6, 2018

New topic

The new topic SSM Command documents for patching managed nodes describes the seven SSM documents available to help you keep your managed instances patched with the latest security-related updates.

January 10, 2018

Important updates regarding Linux support

Updated various topics with the following information:

  • SSM Agent is installed, by default, on Amazon Linux 1 base AMIs dated 2017.09 and later.

  • Manually install SSM Agent on other versions of Linux, including non-base images like Amazon ECS-Optimized AMIs.

January 9, 2018

New topic

A new topic, SSM Command document for patching: AWS-RunPatchBaseline, provides details of how this SSM document operates on both Windows and Linux systems. It also provides information about the two available parameters in the AWS-RunPatchBaseline document, Operation and Snapshot ID.

January 5, 2018

New topics

A new section, How Patch Manager operations work, provides technical details that explain how Patch Manager determines which security patches to install and how it installs them on each supported operating system. It also provides information about how patch baseline rules work on different distributions of the Linux operating system.

January 2, 2018

Retitled and moved the Systems Manager Automation Actions Reference

Based on customer feedback, the Automation actions reference is now called the Systems Manager Automation runbook reference. Furthermore, we moved the reference into the Shared Resources > Documents node so it is closer to the Command document plugin reference. For more information, see Systems Manager Automation actions reference.

December 20, 2017

New Monitoring chapter and content

A new chapter, Monitoring AWS Systems Manager, provides instructions for sending metrics and log data to Amazon CloudWatch Logs. A new topic, Sending node logs to unified CloudWatch Logs (CloudWatch agent), provides instructions for migrating on-instance monitoring tasks, on 64-bit Windows Server instances only, from SSM Agent to the CloudWatch agent.

December 14, 2017

New chapter

A new chapter, Identity and access management for AWS Systems Manager, provides comprehensive information about using AWS Identity and Access Management (IAM) and AWS Systems Manager to help secure access to your resources through the use of credentials. These credentials provide the permissions required to access AWS resources, such as accessing data stored in S3 buckets and sending commands to and reading the tags on EC2 instances.

December 11, 2017

Changes to the left navigation

We changed the headings in the left navigation of this user guide to match the headings in the new AWS Systems Manager console.

December 8, 2017

Multiple changes for re:Invent 2017

  • Official launch of AWS Systems Manager: AWS Systems Manager (formerly Amazon EC2 Systems Manager) is a unified interface that allows you to centralize operational data and automate tasks across your AWS resources. You can access the new AWS Systems Manager console here. For more information, see What is AWS Systems Manager?

  • YAML Support: You can create SSM documents in YAML. For more information, see AWS Systems Manager Documents.

November 29, 2017

Using Run Command to Take VSS-Enabled Snapshots of EBS Volumes

Using Run Command, you can take application-consistent snapshots of all Amazon Elastic Block Store (Amazon EBS) volumes attached to your Amazon EC2 Windows instances. The snapshot process uses the Windows Volume Shadow Copy Service (VSS) to take image-level backups of VSS-aware applications, including data from pending transactions between these applications and the disk. Furthermore, you don't need to shut down your instances or disconnect them when you need to back up all attached volumes. For more information, see Take Microsoft VSS-Enabled Snapshots Using AWS Systems Manager in the Amazon EC2 User Guide.

November 20, 2017

Enhanced Systems Manager Security Available By Using VPC Endpoints

You can improve the security posture of your managed instances (including managed instances in your hybrid environment) by configuring Systems Manager to use an interface VPC endpoint. Interface endpoints are powered by PrivateLink, a technology that allows you to privately access Amazon EC2 and Systems Manager APIs by using private IP addresses. PrivateLink restricts all network traffic between your managed instances, Systems Manager, and EC2 to the Amazon network (managed instances don't have access to the Internet). Also, you don't need an Internet gateway, a NAT device, or a virtual private gateway. For more information, see Improve the security of EC2 instances by using VPC endpoints for Systems Manager.

November 7, 2017

Inventory Support for Files, Services, Windows Roles, and the Windows Registry

SSM Inventory now supports gathering the following information from your managed instances.

  • Files: Name, size, version, installed date, modification and last accessed times, and so on.

  • Services: Name, display name, status, dependent services, service type, start type, and so on.

  • Windows Registry: Registry key path, value name, value type, and value.

  • Windows roles: Name, display name, path, feature type, installed state, and so on.

Before you attempt to collect information for these inventory types, update SSM Agent on the instances you want to inventory. By running the latest version of SSM Agent, you ensure that you can collect metadata for all supported inventory types. For information about how to update SSM Agent by using State Manager, see Walkthrough: Automatically update SSM Agent with the AWS CLI.

For more information about Inventory, see Learn more about Systems Manager Inventory.

November 6, 2017

Updates to Automation documentation

Fixed several issues in the information about setting up and configuring access for Systems Manager Automation. For more information, see Setting up Automation.

October 31, 2017

GitHub and Amazon S3 Integration

Run remote scripts: Systems Manager now supports downloading and running scripts from a private or public GitHub repository, and from Amazon S3. Using either the AWS-RunRemoteScript pre-defined SSM document or the aws:downloadContent plugin in a custom SSM document, you can run Ansible Playbooks and scripts in Python, Ruby, or PowerShell, to name a few. These changes further enhance infrastructure as code when you use Systems Manager to automate configuration and deployment of EC2 instances and on-premises managed instances in your hybrid environment. For more information, see Running scripts from GitHub and Running scripts from Amazon S3.

Create composite SSM documents: Systems Manager now supports running one or more secondary SSM documents from a primary SSM document. These primary documents that run other documents are called composite documents. Composite documents allow you to create and share a standard set of secondary SSM documents across AWS accounts for common tasks such as boot-strapping anti-virus software or domain-joining instances. You can run composite and secondary documents stored in Systems Manager, GitHub, or Amazon S3. After you create a composite document, you can run it by using the AWS-RunDocument pre-defined SSM document. For more information, see Creating composite documents and Running documents from remote locations.

SSM document plugin reference: For easier access, we moved the SSM Plugin Reference for SSM documents out of the Systems Manager API Reference and into the User Guide. For more information, see Command document plugin reference.

October 26, 2017

Support for Parameter Versions in Parameter Store

When you edit a parameter, Parameter Store now automatically increments the version number by 1. You can specify a parameter name and a specific version number in API calls and SSM documents. If you don't specify a version number, the system automatically uses the latest version.

Parameter versions provide a layer of protection in the event that a parameter is accidentally changed. You can view the values of all versions, and reference older versions if necessary. You can also use parameter versions to see how many times a parameter changed over a period of time. For more information, see Working with parameter versions in Parameter Store.

October 24, 2017

Support for Tagging Systems Manager Documents

You can now use the AddTagsToResource API, the AWS CLI, or the AWS Tools for PowerShell to tag Systems Manager documents with key-value pairs. Tagging helps you quickly identify specific resources based on the tags you've assigned to them. This is in addition to existing tagging support for managed instances, maintenance windows, Parameter Store parameters, and patch baselines.

October 3, 2017

Various Documentation Updates to Fix Errors or Update Content Based on Feedback

October 2, 2017

Troubleshoot Unreachable Windows Instances by Using the EC2Rescue Automation Workflow

EC2Rescue can help you diagnose and troubleshoot problems on Amazon EC2 Windows Server instances. You can run the tool as a Systems Manager Automation workflow by using the AWSSupport-ExecuteEC2Rescue document. The AWSSupport-ExecuteEC2Rescue document is designed to perform a combination of Systems Manager actions, AWS CloudFormation actions, and Lambda functions that automate the steps normally required to use EC2Rescue. For more information, see Run the EC2Rescue tool on unreachable instances.

September 29, 2017

SSM Agent Installed By Default on Amazon Linux

SSM Agent is installed, by default, on Amazon Linux AMIs dated 2017.09 and later. Manually install SSM Agent on other versions of Linux, as described in Working with SSM Agent on EC2 instances for Linux.

September 27, 2017

Run Command Enhancements

Run Command includes the following enhancements.

  • You can restrict command execution to specific instances by creating and assigning an IAM policy that includes a condition that the user can only run commands on instances that are tagged with specific Amazon EC2 tags. For more information, see Restricting Run Command access based on tags.

  • You have more options for targeting instances by using Amazon EC2 tags. You can now specify multiple tag keys and multiple tag values when sending commands. For more information, see Run commands at scale.

September 12, 2017

Systems Manager Supported on Raspbian

Systems Manager can now run on Raspbian Jessie and Raspbian Stretch devices, including Raspberry Pi (32-Bit).

September 7, 2017

Automatically Send SSM Agent Logs to Amazon CloudWatch Logs

You can now make a simple configuration change on your instances to have SSM Agent send log files to CloudWatch. For more information, see Sending SSM Agent logs to CloudWatch Logs.

September 7, 2017

Encrypt resource data sync

With Systems Manager resource data sync, you can aggregate Inventory data collected on dozens or hundreds of managed instances in a central S3 bucket. You can now encrypt resource data sync by using an AWS Key Management Service key. For more information, see Walkthrough: Using resource data sync to aggregate inventory data.

September 1, 2017

New State Manager Walkthroughs

Added two new walkthroughs to the State Manager documentation:

Walkthrough: Automatically update SSM Agent with the AWS CLI

Walkthrough: Automatically update PV drivers on EC2 instances for Windows Server

August 31, 2017

Systems Manager Configuration Compliance

Use Configuration Compliance to scan your fleet of managed instances for patch compliance and configuration inconsistencies. You can collect and aggregate data from multiple AWS accounts and AWS Regions, and then drill down into specific resources that aren’t compliant. By default, Configuration Compliance displays compliance data about Patch Manager patching and State Manager associations. You can also customize the service and create your own compliance types based on your IT or business requirements. For more information, see AWS Systems Manager Compliance.

August 28, 2017

New Automation Action: aws:executeAutomation

Runs a secondary Automation workflow by calling a secondary Automation runbook. With this action, you can create Automation runbooks for your most common workflows, and reference those documents during an Automation execution. This action can simplify your Automation runbooks by removing the need to duplicate steps across similar runbooks. For more information, see aws:executeAutomation – Run another automation.

August 22, 2017

Automation as the Target of a CloudWatch Event

You can start an Automation workflow by specifying an Automation runbook as the target of an Amazon CloudWatch event. You can start workflows according to a schedule, or when a specific AWS system event occurs. For more information, see Run automations based on EventBridge events.

August 21, 2017

State Manager Association Versioning and General Updates

You can now create different State Manager association versions. There is a quota of 1,000 versions for each association. You can also specify names for your associations. Also, the State Manager documentation has been updated to address outdated information and inconsistencies. For more information, see AWS Systems Manager State Manager.

August 21, 2017

Changes to Maintenance Windows

Maintenance Windows include the following changes or enhancements:

  • Previously, Maintenance Windows could only perform tasks by using Run Command. You can now perform tasks by using Systems Manager Automation, AWS Lambda, and AWS Step Functions.

  • You can edit the targets of a maintenance window and specify a target name, description, and owner.

  • You can edit tasks in a maintenance window, including specifying a new SSM document for Run Command and Automation tasks.

  • All Run Command parameters are now supported, including DocumentHash, DocumentHashType, TimeoutSeconds, Comment, and NotificationConfig.

  • You can now use a safe flag when you attempt to deregister a target. If turned on, the system returns an error if the target is referenced by any task.

For more information, see AWS Systems Manager Maintenance Windows.

August 16, 2017

New Automation Action: aws:approve

This new action for Automation runbooks temporarily pauses an Automation execution until designated principals either approve or reject the action. After the required number of approvals is reached, the Automation execution resumes.

For more information, see Systems Manager Automation actions reference.

August 10, 2017

Automation assume role no longer required

Automation previously required that you specify a service role (or assume role) so that the service had permission to perform actions on your behalf. Automation no longer requires this role because the service now operates by using the context of the user who invoked the execution.

However, the following situations still require that you specify a service role for Automation:

  • When you want to restrict a user's permissions on a resource, but you want the user to run an Automation workflow that requires elevated permissions. In this scenario, you can create a service role with elevated permissions and allow the user to run the workflow.

  • Operations that you expect to run longer than 12 hours require a service role.

For more information, see Setting up Automation.

August 3, 2017

Configuration Compliance

Use Amazon EC2 Systems Manager Configuration Compliance to scan your fleet of managed instances for patch compliance and configuration inconsistencies. You can collect and aggregate data from multiple AWS accounts and AWS Regions, and then drill down into specific resources that aren’t compliant. For more information, see AWS Systems Manager Compliance.

August 8, 2017

SSM Document Enhancements

SSM Command and Policy documents now offer cross-platform support. This means that a single SSM document can process plugins for Windows and Linux operating systems. Cross-platform support allows you to consolidate the number of documents you manage. Cross-platform support is offered in SSM documents that use schema version 2.2 or later.

SSM Command documents that use schema version 2.0 or later can now include multiple plugins of the same type. For example, you can create a Command document that calls the aws:runShellScript plugin multiple times.

For more information about schema version 2.2 changes, see AWS Systems Manager documents. For more information about SSM plugins, see Command document plugin reference.

July 12, 2017

Linux Patching

Patch Manager can now patch the following Linux distributions:

64-bit and 32-bit systems
  • Amazon Linux 2014.03, 2014.09, or later

  • Ubuntu Server 16.04 LTS, 14.04 LTS, or 12.04 LTS

  • Red Hat Enterprise Linux (RHEL) 6.5 or later

64-bit systems only
  • Amazon Linux 2015.03, 2015.09, or later

  • Red Hat Enterprise Linux (RHEL) 7.x or later

For more information, see AWS Systems Manager Patch Manager.

Note
  • To patch Linux instances, your instances must be running SSM Agent version 2.0.834.0 or later. For information about updating the agent, see the section titled Example: Update SSM Agent in Running commands from the console.

  • The AWS-ApplyPatchBaseline SSM document is being replaced by the AWS-RunPatchBaseline document.

July 6, 2017

Resource data sync

You can use Systems Manager resource data sync to send Inventory data collected from all of your managed instances to a single Amazon S3 bucket. Resource data sync then automatically updates the centralized data when new Inventory data is collected. With all Inventory data stored in a target S3 bucket, you can use services like Amazon Athena and Amazon QuickSight to query and analyze the aggregated data. For more information, see Creating a resource data sync for Inventory. For an example of how to work with resource data sync, see Walkthrough: Using resource data sync to aggregate inventory data.

June 29, 2017

Systems Manager Parameter Hierarchies

Managing dozens or hundreds of Systems Manager parameters as a flat list is time-consuming and prone to errors. You can use parameter hierarchies to help you organize and manage Systems Manager parameters. A hierarchy is a parameter name that includes a path that you define by using forward slashes. Here is an example that uses three hierarchy levels in the name to identify the following:

/Environment/Type of computer/Application/Data

/Dev/DBServer/MySQL/db-string13

For more information, see Working with parameter hierarchies in Parameter Store.

June 22, 2017

SSM Agent Support for SUSE Linux Enterprise Server

You can install SSM Agent on 64-bit SUSE Linux Enterprise Server (SLES). For more information, see Working with SSM Agent on EC2 instances for Linux.

June 14, 2017