General
Open all
Amazon Systems Manager is a flexible and easy to use management service that enables enterprises to securely manage and administer their workloads, running on-premises or in Amazon Web Services, using a single unified Amazon Web Services experience. Systems Manager is designed to be highly automation-focused to enable configuration and management of instances at a large scale, while making it really simple to write and maintain automation artifacts.
The best way to get started is to ensure your instance has met the necessary requirements in our Getting Started Guide. Once you've confirmed the requirements have been met, you can access the various Systems Manager capabilities from the left navigation bar in the EC2 Management Console or use the Amazon SDKs and Amazon Command Line Interface.
Systems Manager is optimized to manage both Windows and Linux platforms from a single unified experience. Refer to Supported Operating Systems for more details on managing on-premises systems.
Yes, Systems Manager supports managing instances that are running on-premises data center. Refer to Systems Manager Prerequisites for more details.
There is no charge for Systems Manager.
OpsCenter
Open allOpsCenter is a Systems Manager capability that provides a central location where operations engineers, IT professionals, and others can view, investigate, and resolve operational issues related to their environment. OpsCenter is designed to reduce mean time to resolution for impacted Amazon Web Services and hybrid cloud resources. OpsCenter aggregates and standardizes operational issues, referred to as OpsItems, while providing contextually relevant data that helps with diagnosis and remediation. Information includes Config changes, Amazon CloudTrail logs, resource description, Amazon CloudWatch alarms, related OpsItems, and related resources. You can use our public APIs to create OpsItems from any source or use OpsItems integrated with Amazon CloudWatch Events. This means you can configure CloudWatch to automatically create OpsItems for any Amazon Web Services service that publishes events to CloudWatch Events.
You can create the following types of OpsItems leveraging manual or automated configurations:
- Resource failures, such as an Amazon EC2 Auto Scaling group failure to launch an instance or a Systems Manager Automation execution failure
- Resource performance issues, such as a throttling event for Amazon DynamoDB or degraded Amazon EBS volume performance
- Health alerts from various Amazon Web Services services, such as scheduled maintenance for an RDS DB instance or EC2 instance
- Resource state changes, such as an Amazon EC2 instance state change from running to stopped
- Or any other work item that needs someone’s attention
An Opsitem is an Amazon Web Services resource-related operational event which needs a user’s attention, and potentially, an investigation and resolution. It could be a resource-related failure, a maintenance notification, security alert, or a performance issue. An Opsitem includes relevant information that aids with investigation and resolution of the underlying event, such as impacted resources, similar past events, and recommended runbooks. High EC2 instance CPU utilization, CodeDeploy Deployment Failed, or EC2 Automation Execution failed are some examples of common OpsItems.
OpsCenter enables users to reduce their mean time to resolution (MTTR) for operational issues, in some cases by over 50%. OpsCenter enables standardization and aggregation of operational issues (aka OpsItems) across various resources in a single place. Additionally, it brings together contextual information and operational tooling required to investigate and remediate issues. This reduces the time it takes engineers to navigate different tools to get relevant information. Working from a single location also minimizes the chances of manual errors, and reduces training time for newly hired engineers.
Medium to large enterprises, who use multiple Amazon Web Services services for their infrastructure needs, can leverage OpsCenter to manage their day-to-day operations. Additionally, Managed Service Provider (MSP) partners can also leverage OpsCenter as they manage infrastructure on behalf of other Amazon Web Services customers. MSP customers can have a read-only role for better transparency into the MSP’s day-to-day operations.
Primary users of the service will be operations engineers, such as DevOps engineers and IT service desk professionals.
OpsCenter is designed to complement your existing case management systems. You can integrate OpsCenter into your existing case management system by using public API actions. You can also maintain manual lifecycle workflows in your current systems and use OpsCenter as an investigation and remediation hub.
OpsCenter pricing can be found on the Amazon Systems Manager pricing page.
You can use the Amazon Systems Manager console to turn on OpsCenter in just a few clicks.
Getting started with OpsCenter doesn’t require the use of the Systems Manager Agent.
Run Command
Open all
Run Command is a feature of Systems Manager that provides a simple and secure way to remotely execute commands or run scripts against EC2 instances or on-premises servers, all from the EC2 API, CLI, or console. With Run Command, you can perform commands which make it easy to accomplish common administrative tasks like installing software, executing scripts, making configuration changes, and more.
Run Command is designed for developers, system administrators, and other IT professionals who need to remotely manage their EC2 instances in a secure, reliable, and scalable way.
Yes. There are predefined commands available which are designed to help with commonly used administrative tasks. For Windows you can run a PowerShell command or script, configure Windows Update settings, deploy an MSI application and more. For Linux you run any Shell command or script, and remotely update the installed agent.
Yes. Run Command allows you to easily create custom commands to perform common tasks required for your environment.
You can run any command or script that you can type into a command window on your EC2 instances.
Yes. You can easily issue a command to a fleet of instances by providing a list of instances when issuing a command.
Yes. Run Command keeps the output for each command for 30 days. In addition, you can have Run Command store a copy of all log files in Amazon S3 or capture the output of your commands using Amazon CloudTrail.
Yes. Using the published Amazon Identity and Access Management (IAM) permissions and policies, you can control who has access to execute commands or documents on specific instances. For example, you can specify an IAM user who can run PowerShell commands, but not join an instance to a domain. Another IAM user can only be given access to run a very specific command like restarting services, giving you the flexibility to specify how much access any given user can have.
Run Command provides the status of a command for each instance it is running on. All of this can be retrieved from the Amazon CLI, SDK, or the EC2 Management Console.
State Manager
Open all
State Manager automates the process of defining and maintaining a consistent configuration of OS and applications across your entire fleet of systems. For example – configuring and enforcing firewall policies, keeping anti-malware definitions current. Through reapplication of your configuration policies, State Manager ensures that your systems are always compliant with your enterprise policies.
Businesses are moving towards automated IT with applications across environments and locations, including on Amazon Web Services and on-premises data centers. However, ensuring that the infrastructure powering your applications is consistent is a challenge. State Manager allows you create policies, reapply these policies to prevent configuration drift, and monitor the status of your intended state.
Policies can be easily created through Systems Manager Documents. In addition, you also have predefined configurations that you can use for installing applications, joining instances to domain and so on.
You have the flexibility to target instances or tags. This means you have the flexibility to have specific configurations for groups of instances such as webservers.
Patch Manager
Open all
Patch Manager is an automation-focused patching service which makes it easy for customers to keep their Windows instances up to date. Patch Manager helps you streamline your patching process through the implementation of built in best practices, such as maintenance windows and dynamic patch approval policies.
You use Maintenance Windows to define when patching occurs. Maintenance Windows are a new feature of EC2 which provide you the ability to define one or more recurring windows of time during which it is acceptable for your own maintenance to occur. By defining these windows and associating your instances with them, it is easier for you to ensure that any maintenance activities you perform on your instances which may impact the availability of a workload is done so during a well-defined window of time. Maintenance windows make it easy to schedule when you would like your own Run Command tasks to occur.
Patch Manager leverages Run Command to provide a fully automated patching process. While Patch Manager provides a pre-built Run Command document, you can easily customize the patching process by writing your own Run Command Document. For example, you can stop an NT service before rolling out the patches.
Patch Manager supports the patching of Windows based instances, and provides the ability to select and deploy patches for Windows Server 2008 through Windows Server 2016 and Windows 7 – Windows 10.
Patch Manager provides you with the ability to create Patch Baselines, which define the set of patches you have approved or blocked for deployment to your instances. In a Patch Baseline, you can select patches by the products (e.g. Windows Server 2008, Windows Server 2012, etc.), categories (e.g. Critical Updates, Security Updates, etc.) and severities for which you would like to review patches for deployment. For each category selected, you can then define a schedule on which the contained patches will be automatically approved for distribution. In addition to the rules, you can also specify a whitelist and blacklist of patches which indicate patches which are to be installed or blocked respectively. At the time of patching, Patch Manager will assess targeted instances for only the patches that have been approved prior to that point in time.
With Patch Manager you can view patch compliance information which tells you the detailed results of the patching process. From the EC2 Management Console or API you can easily get aggregate compliance details per instance. In addition, you drill in further and for each instance you can determine which patches are installed, missing, not applicable, and which failed to install.
Inventory
Open all
The Inventory capability in Systems Manager provides visibility into an instance's software catalog and configuration. You can set up Inventory to gather detail on a variety of instance attributes such as installed applications, Amazon Web Services components and agents, network configuration, OS details, and more. Then use the powerful query feature to assess compliance and identify instances in need of remediation across your fleet.
IT administrators and devops professionals will find this capability useful in understanding the configuration and composition of their fleets. Users can quickly determine which instances are missing a patch or are running an outdated application version. Similarly admins can run licensing audits to understand software usage. The net result is that systems administrators are better able to troubleshoot issues and assess security posture.
Yes, you can create your own custom Inventory types and effectively extend Inventory's schema. For example, you can configure your instance to gather additional OS and CIM details, or record items like rack location and in-service date for on-premise servers.
Using Amazon Config, you can monitor an instance's compliance with a desired configuration through Config Rules. This capability allows security experts and compliance auditors to have a complete audit trail of instance configuration changes, as well as receive proactive notifications in the event of non-compliance.
Automation
Open all
The Automation capability in Systems Manager simplifies the process of building and maintaining Amazon Machine Images (AMIs). This provides you a repeatable process to apply patches, application updates, and other changes to your AMIs.
AMI maintenance is greatly simplified by Automation feature of Systems Manager, allowing you to patch, update agents, or bake-in applications using a streamlined, repeatable, and auditable process.
Parameter Store
Open all
Amazon Systems Manager provides a centralized store to manage your configuration data, whether plain-text data such as database strings or secrets such as passwords. This allows you to separate your secrets and configuration data from your code. Parameters can be tagged and organized into hierarchies, helping you manage parameters more easily. For example, you can use the same parameter name, "db-string", with a different hierarchical path, "dev/db-string” or “prod/db-string", to store different values. Systems Manager is integrated with Amazon Key Management Service (KMS), allowing you to automatically encrypt the data you store. You can also control user and resource access to parameters using Amazon Identity and Access Management (IAM). Parameters can be referenced through other Amazon Web Services services, such as Amazon Elastic Container Service, Amazon Lambda, and Amazon CloudFormation.
It is a best practice to store configuration data and secrets separately from your code. You can use Amazon Systems Manager parameter store to quickly store and reference configuration and sensitive information. Rather than storing data in config files or referencing them in plain text, you can store and obtain this information in your applications or scripts. Additionally, you control who has access to parameters so that only the right set of users has access to the appropriate information.
A secure string is any sensitive data that needs to be stored and referenced in a secure manner. If you have data that you do not want users to reference in clear text or have access to data that can be tampered with or misused, you should use secure strings in Amazon Systems Manager parameter store. You can encrypt your sensitive data using your own Amazon Key Management Service (KMS) key or your user account default key provided by Amazon KMS.
You can easily reference your parameters across Amazon Web Services services such as Amazon Elastic Container Service, Amazon Lambda, and Amazon Systems Manager, or any service through which you can use the Amazon Systems Manager parameter store APIs.
Yes. You can provide granular access control through customized permissions to users and resources (such as instances) for parameters access using Amazon Identity and Access Management (IAM). This means you can control who can access which parameter on what resource. You can also set up Amazon CloudWatch Events rules based on parameter change events. Additionally, you can also track and audit parameter API calls using Amazon CloudTrail.
Yes, you can see history of parameter changes. You can also use versions that are automatically incremented upon change to look up specific parameter value bases on its version.
Yes, you can use a hierarchical structure to store parameters. You can also control and audit access at every level of the hierarchy.
Yes, you can set up Amazon CloudWatch and Amazon Simple Notification Service (SNS) notifications for individual parameter values, and receive notifications upon change.
Amazon Secrets Manager is a service to manage the lifecycle for the secrets used in your organization centrally including rotation, audit, and access control. Secrets Manager helps you meet your security and compliance requirements by enabling you to rotate secrets automatically. Secrets Manager offers built-in integration for MySQL, PostgreSQL, and Amazon Aurora on Amazon RDS that's extensible to other types of secrets by customizing Lambda functions.
Amazon Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management, which can include secrets. Data such as database connection strings, passwords, and license codes can be stored as parameter values and can be audited and access controlled. Values stored can be either plain text or encrypted data. You can then reference values by using the unique name of the parameter. You can reference Systems Manager parameters to build generic configuration and automation scripts for use across Amazon Web Services services such as Amazon ECS and Amazon CloudFormation.
*Amazon Secrets Manager is currently available only in global regions
If you want a single store for configuration and secrets, you can use Parameter Store. If you want a dedicated secrets store with lifecycle management, use Secrets Manager. Parameter Store is available at no additional charge with limit of 10,000 parameters. Refer to Amazon Secrets Manager pricing page for pricing details.
*Amazon Secrets Manager is currently available only in global regions
No. Both Secrets Manager and Parameter Store are equally secure. Both services support encryption at rest using customer-owned KMS keys. For more information on how Parameter Store uses KMS, please see the KMS Developer Guide on how Parameter Store uses Amazon KMS.
*Amazon Secrets Manager is currently available only in global regions
No. You cannot reference a Secrets Manager secret with Parameter Store at this time.
*Amazon Secrets Manager is currently available only in global regions
Advanced parameters provide enhanced capabilities such as the ability to store more than 10,000 parameters, larger parameter value size (up to 8 KB) and parameter policies such as expiration and no-change notifications. The expiration policy provides the ability to specify an expiration date and time. The no-change notification policy helps you track parameters that have not changed for a specified period of time. Advanced parameters are priced for storage per month and per API interaction. See the pricing page for details.
A standard parameter may be converted into an advanced parameter at any time. Advanced parameters cannot be converted into standard parameters. If an advanced parameter’s enhanced capabilities are no longer required or you no longer want to incur charges for that parameter, you must delete the advanced parameter and then create a new parameter as a standard parameter.
Yes, API throughput can be raised to a higher limit through the Parameter Store settings tab. API throughput limits applies per region per account. Increased throughput limit incurs charges. See the pricing page for details. If you no longer need increased throughput, you may reset the limit at any time from the Settings tab.
Maintenance Windows
Open all
Maintenance windows is a feature of Systems Manager which provide you the ability to define one or more recurring windows of time during which it is acceptable for any disruptive operation to occur. By defining these windows and associating your instances with them, it is easier for you to ensure that any maintenance activities you perform on your instances which may impact the availability of a workload is done so during a well-defined window of time.
Maintenance windows help improve availability and reliability of your workloads by automatically performing tasks in a well-defined window of time, significantly reducing the impact of any operational or infrastructure failures.
Currently, you can only schedule any Run Command based task in a maintenance window.
Maintenance windows can be scheduled for a recurring date (e.g. Weekly on Tuesdays at 22:00:00 or 1st Sunday of every month at 22:00:00). You can define your schedule using cron or rate expression.
Fleet Manager
Open all
With Amazon Systems Manager Fleet Manager, you can streamline your remote server management process. Fleet Manager helps you to easily manage and troubleshoot your fleet of servers running on Amazon Web Services and on premise. You can drill down to individual servers to perform a variety of system administration tasks, including disk and file exploration, log management, Windows Registry operations, and user management, without needing to remotely connect to your virtual machines.
Amazon Systems Manager Fleet Manager streamlines your remote server management process in the following ways:
- With Fleet Manager’s centralized graphical user interface (GUI), you can easily manage your fleet of servers running on Amazon Web Services and on premise.
- Fleet Manager is operating system (OS) agnostic. You can use Fleet Manager to perform common OS operations on Windows, Linux, and Mac-based servers.
- With Fleet Manager, you can run these OS operations seamlessly through the Systems Manager console, by choosing pre-built automation runbooks or bringing your own automation runbooks.
Amazon Systems Manager Fleet Manager provides the following capabilities to manage your servers remotely:
- File system and log exploration: Use the Systems Manager console to browse through disks, folders, and files, including file-based logs, on servers.
- Performance counter monitoring: Monitor common server performance metrics, such as CPU utilization, network traffic, disk usage, and memory utilization.
- Windows Event management: View and troubleshoot Windows Events logs without the need to install additional agents.
- User and group administration: View a list of users and/or groups with access to a server and change their permissions.
- Registry operations: View and modify registry values on your Windows servers.
Use Amazon Systems Manager Fleet Manager across your Amazon Web Services and on-premise environments to manage Windows, Linux, and Mac-based virtual machines.
The quickest way to get started with Amazon Systems Manager Fleet Manager is to use the Amazon Web Services Management Console. You can turn on Fleet Manager in a few clicks. For additional details, see the Getting Started documentation.
Amazon Systems Manager Fleet Manager is available at no additional charge for servers running on Amazon Web Services. For on-premise instance management using an Amazon Systems Manager agent, you are charged based on the public pricing.
Distributor
Open all
Distributor is an Amazon Systems Manager feature that enables you to securely store and distribute software packages in your organization. You can use Distributor with existing Systems Manager features like Run Command and State Manager to control the lifecycle of the packages running on your instances.
Distributor helps you scale software package rollouts by enabling standardization of package distribution. By using Distributor with Amazon Systems Manager Run Command and State Manager, you eliminate the need to build and maintain your own package distribution and installation tooling. Distributor also simplifies software package management by using a centralized repository for all of your packages. Distributor supports the use of IAM policies, providing full control over who can create and update packages. Distributor also helps enable secure software package distribution, because your packages are encrypted in storage and all communication between Distributor and your instance is signed and encrypted.
Any Amazon customer who regularly distributes software packages and wants a secure way to scale package management, a centralized repository for packages, or to eliminate the need for self-maintained distribution tooling should use Distributor. IT professionals who want to control who can create or update software packages and which versions are distributed to each Amazon Web Services account will benefit from Distributor.
Distributor pricing can be found on the Systems Manager Pricing page.
You can use the Amazon Web Services Management Console to turn on Distributor in just a few clicks. For more information, see the Getting Started documentation.
Yes. Getting started with Distributor requires the use of the latest version of the SSM Agent. The SSM Agent is open-sourced and available on GitHub. The SSM Agent is also installed by default on Amazon Linux, Amazon Linux 2, Windows, and Ubuntu AMIs.
Change Manager
Open all
Amazon Systems Manager Change Manager is a change management capability. With Change Manager, you can request, approve, implement, and report on operational changes to your application configuration and infrastructure. Change Manager streamlines change processes with pre-approved change workflows and automated approvals. It integrates with Amazon Systems Manager Automation to make changes, tying the implementation directly to the change request. Change Manager integrates with both Amazon Systems Manager Change Calendar to block changes during specified periods and Amazon CloudWatch to automatically roll back changes based on alarms. From Change Manager, you can review changes made across your organization, helping you to identify which changes are pending approval and to audit the results of completed changes.
With Amazon Systems Manager Change Manager, you can improve the safety and governance of changes to application configuration and infrastructure, reducing the risk of service disruption. Change Manager helps to make operational changes safer by tracking required approvals and implementing only approved changes. Finally, Change Manager provides a consistent way to record and audit changes made across your organization, the intent of the changes, and who approved and implemented those changes, helping you to increase accountability.
You can create a change request for each operational change to be made using Amazon Systems Manager Change Manager. A change request can include information about the change such as the intent, the runbook to be used, and any specified rollback procedures. A change request also maintains a timeline of its lifecycle events such as submission, approval, implementation, and completion.
Each change request is created from a specified change template that defines the approval workflow that the change request is required to go through. You can create change templates through the console or with an API. You can also require that any change template be reviewed and approved before it can be used to create change requests. You can use templates to model general change types such as standard, major, minor, and emergency, or more specific change types such as patching or rotating certificates.
Amazon Systems Manager Change Manager pricing can be found on the Amazon Systems Manager pricing page.
You can use the Amazon Systems Manager console to turn on Amazon Systems Manager Change Manager in just a few clicks.
With Amazon Systems Manager Change Manager, you can manage operational changes across Amazon Web Services accounts and Regions using Amazon Organizations. You can designate an account in your organization as a delegated administrator. From that delegated account, you can request, approve, implement, and review changes across your Amazon Web Services accounts and Regions. See the user guide to learn more.