Getting started with OpsCenter - Amazon Systems Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Getting started with OpsCenter

Setup for Amazon Systems Manager OpsCenter is integrated with setup for Amazon Systems Manager Explorer. Explorer is a customizable operations dashboard that reports information about your Amazon resources. Explorer displays an aggregated view of operations data (OpsData) for your Amazon Web Services accounts and across Amazon Web Services Regions. In Explorer, OpsData includes metadata about your EC2 instances, patch compliance details, and operational work items (OpsItems). Explorer provides context about how OpsItems are distributed across your business units or applications, how they trend over time, and how they vary by category. You can group and filter information in Explorer to focus on items that are relevant to you and that require action. When you identify high-priority issues, you can use OpsCenter to run Automation runbooks and quickly resolve those issues.

If you already set up OpsCenter, you still need to complete Integrated Setup to verify settings and options. If you haven't set up OpsCenter, then you can use Integrated Setup to get started with both capabilities. For more information, see Getting started with Systems Manager Explorer and OpsCenter.

Note

Integrated Setup is only available in the Amazon Systems Manager console. You can't set up Explorer and OpsCenter programmatically.

(Optional) Receive OpsItem notifications

You can configure OpsCenter to send notifications to an Amazon Simple Notification Service (Amazon SNS) topic when the system creates a new OpsItem or updates an existing OpsItem. Complete the following tasks to receive notifications for OpsItems.

Task 1: Create and subscribe to an Amazon SNS topic

To receive notifications, you must create and subscribe to an Amazon SNS topic. For more information, see Create a Topic and Subscribing an Endpoint to an Amazon SNS Topic in the Amazon Simple Notification Service Developer Guide.

Note

To receive notifications, you must specify the Amazon Resource Name (ARN) of an Amazon SNS topic that is in the same Amazon Web Services Region and Amazon Web Services account as the OpsItem. If you're using OpsCenter in multiple Regions or accounts, then you must create and subscribe to an Amazon SNS topic in each Region or account where you want to receive OpsItem notifications.

Task 2: Update the Amazon SNS access policy

Use the following procedure to update the Amazon SNS access policy so that Systems Manager can publish OpsItem notifications to the Amazon SNS topic you created in task 1.

  1. Sign in to the Amazon Web Services Management Console and open the Amazon SNS console at https://console.amazonaws.cn/sns/v3/home.

  2. In the navigation pane, choose Topics.

  3. Choose the topic you created in task 1, and then choose Edit.

  4. Expand Access policy.

  5. Add the following Sid block to the existing policy. Replace each example resource placeholder with your own information.

    {
      "Sid": "Allow OpsCenter to publish to this topic",
      "Effect": "Allow",
      "Principal": {
        "Service": "ssm.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws-cn:sns:region:account ID:topic name"
    }

    Enter this block after the existing Sid block.

  6. Choose Save changes.

The system now sends notifications to the Amazon SNS topic when OpsItems are created or updated.

Important

If you configured the Amazon SNS topic with an Amazon Key Management Service (Amazon KMS) server-side encryption key, then you must complete task 3. If you want to configure OpsItems created by the default OpsItem rules to publish to the Amazon SNS topic, then you must also complete task 4.

Task 3: Update the Amazon KMS access policy (optional)

If you turned on Amazon KMS server-side encryption for your Amazon SNS topic, then you must also update the access policy of the Amazon KMS key you chose when you configured the topic. Use the following procedure to update the access policy so that Systems Manager can publish OpsItem notifications to the Amazon SNS topic you created in task 1.

Note

OpsCenter doesn't support publishing OpsItems to an Amazon SNS topic configured with an Amazon managed key.

  1. Open the Amazon KMS console at https://console.amazonaws.cn/kms.

  2. To change the Amazon Web Services Region, use the Region selector in the upper-right corner of the page.

  3. In the navigation pane, choose Customer managed keys.

  4. Choose the ID of the KMS key you chose when you created the topic.

  5. In the Key policy section, choose Switch to policy view.

  6. Choose Edit.

  7. Add the following Sid block to the existing policy. Replace each example resource placeholder with your own information.

    {
      "Sid": "Allow OpsItems to decrypt the key",
      "Effect": "Allow",
      "Principal": {
        "Service": "ssm.amazonaws.com"
      },
      "Action": ["kms:Decrypt", "kms:GenerateDataKey*"],
      "Resource": "arn:aws-cn:kms:region:account ID:key/key ID"
    }

    Enter this block after one of the existing Sid blocks. In the following example, the new block is entered at line 14.

    
    [Figure: Editing the Amazon KMS Access Policy of an Amazon SNS topic]

  8. Choose Save changes.

Task 4: Turn on default OpsItems rules to send notifications for new OpsItems

Default OpsItems rules in Amazon EventBridge aren't configured with an ARN for Amazon SNS notifications. Use the following procedure to edit a rule in EventBridge and enter a notifications block.

To add a notifications block to a default OpsItem rule

  1. Open the Amazon Systems Manager console at https://console.amazonaws.cn/systems-manager/.

  2. In the navigation pane, choose OpsCenter.

  3. Choose the OpsItems tab, and then choose Configure sources.

  4. Choose the name of the source rule that you want to configure with a notification block, as shown in the following example:

    
    [Figure: Choosing an Amazon EventBridge rule to add an Amazon SNS notifications block]

    The rule opens in Amazon EventBridge.

  5. On the rule details page, on the Targets tab, choose Edit.

  6. In the Additional settings section, choose Configure input transformer.

  7. In the Template box, add a notifications block in the following format:

    "notifications":[{"arn":"arn:aws-cn:sns:region:account ID:topic name"}],

    Here's an example.

    "notifications":[{"arn":"arn:aws-cn:sns:us-west-2:1234567890:MySNSTopic"}],

    Enter the notifications block before the resources block, as shown here.

    {
      "title": "EBS snapshot copy failed",
      "description": "CloudWatch Event Rule SSMOpsItems-EBS-snapshot-copy-failed was triggered. Your EBS snapshot copy has failed. See below for more details.",
      "category": "Availability",
      "severity": "2",
      "source": "EC2",
      "notifications": [{
        "arn": "arn:aws:sns:us-west-2:1234567890:MySNSTopic"
      }],
      "resources": <resources>,
      "operationalData": {
        "/aws/dedup": {
          "type": "SearchableString",
          "value": "{\"dedupString\":\"SSMOpsItems-EBS-snapshot-copy-failed\"}"
        },
        "/aws/automations": {
          "value": "[ { \"automationType\": \"AWS:SSM:Automation\", \"automationId\": \"AWS-CopySnapshot\" } ]"
        },
        "failure-cause": {
          "value": <failure-cause>
        },
        "source": {
          "value": <source>
        },
        "start-time": {
          "value": <start-time>
        },
        "end-time": {
          "value": <end-time>
        }
      }
    }

  8. Choose Confirm.

  9. Choose Next.

  10. Choose Next.

  11. Choose Update rule.

The next time the system creates an OpsItem for the default rule, it publishes a notification to the Amazon SNS topic.
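The statements added in tasks 2 and 3, and the topic ARN entered in the task 4 notifications block, can be checked offline before you save them. The following Python sketch is an added example, not code from the Amazon Web Services documentation; the function names, account ID, topic name, and key ID are constructed for illustration.

```python
import re
from fnmatch import fnmatchcase

SSM = "ssm.amazonaws.com"

def as_list(v):
    return v if isinstance(v, list) else [v]

def audit_grant(policy, required_actions, resource_arn, star_ok=False):
    """Compare a policy with the statement this page adds; [] means it matches."""
    # star_ok=True suits key policies, where Resource "*" means the key itself.
    required = {a.lower() for a in required_actions}  # IAM actions are case-insensitive
    granted, findings = set(), []
    for stmt in as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or SSM not in services:
            continue  # only statements that grant to Systems Manager matter here
        actions = {a.lower() for a in as_list(stmt.get("Action", []))}
        granted |= actions
        findings += [f"broader than needed: {a}" for a in sorted(actions - required)]
        findings += [f"unexpected resource: {r}" for r in as_list(stmt.get("Resource", []))
                     if r != resource_arn and not (star_ok and r == "*")]
    findings += [f"missing action: {a}" for a in sorted(required)
                 if not any(fnmatchcase(a, g) for g in granted)]
    return findings

def same_region_and_account(arn, region, account):
    """The SNS topic must be in the same Region and account as the OpsItem."""
    parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
    return len(parts) == 6 and parts[2] == "sns" and parts[3:5] == [region, account]

def template_topic_arns(template):
    """Pull ARNs from a template's notifications block (<placeholders> make it non-JSON)."""
    block = re.search(r'"notifications"\s*:\s*\[(.*?)\]', template, re.S)
    return re.findall(r'"arn"\s*:\s*"([^"]+)"', block.group(1)) if block else []

# Constructed sample data: the account ID, topic name and key ID are made up.
TOPIC = "arn:aws-cn:sns:cn-north-1:111122223333:ops-alerts"
KEY = "arn:aws-cn:kms:cn-north-1:111122223333:key/EXAMPLE-KEY-ID"
def ssm_stmt(action, resource):
    return {"Effect": "Allow", "Principal": {"Service": SSM},
            "Action": action, "Resource": resource}
OWNER = {"Effect": "Allow", "Principal": {"AWS": "arn:aws-cn:iam::111122223333:root"},
         "Action": "SNS:Subscribe", "Resource": TOPIC}
GOOD_TOPIC = {"Statement": [OWNER, ssm_stmt("SNS:Publish", TOPIC)]}
WIDE_TOPIC = {"Statement": [OWNER, ssm_stmt("SNS:*", "*")]}
KEY_NO_GRANT = {"Statement": [dict(OWNER, Action="kms:*", Resource="*")]}
TEMPLATE = '{"title": "t", "notifications": [{"arn": "%s"}], "resources": <resources>}' % TOPIC
if __name__ == "__main__":
    print(audit_grant(WIDE_TOPIC, ["SNS:Publish"], TOPIC))
```

An empty list from audit_grant means the policy carries exactly the grant shown in task 2 or task 3; any finding names the action or resource that differs.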

(Optional) Create OpsItem guidelines for your organization

We recommend that each organization create a simple set of guidelines that promote consistency when creating and editing OpsItems. Guidelines make it easier for users to locate and resolve OpsItems. The guidelines for your organization should define best practices when users enter information into the following OpsItem fields.

Note

Amazon EventBridge populates the Title, Source, and Description fields of automatically generated OpsItems. You can edit the Title and the Description fields, but you can't edit the Source field.

Field Description

Title

Guidelines should encourage a consistent OpsItem naming experience. For example, your guidelines might require that each title include information about the impacted resource, the status, the environment, and the name or the alias of the engineer actively working the issue, if applicable. All OpsItems created by EventBridge include a title that describes the event that caused the creation of the OpsItem, but you can edit these titles.

You can search OpsItems for Title:contains. If your naming guidelines encourage consistent use of keywords, you improve your search results.

Source

Guidelines can include specifying IDs, software version numbers (if applicable) or other relevant data to help users identify the origin of the issue. You can't edit the Source field after the OpsItem is created.

Priority

(Optional) Guidelines should include determining the highest and lowest priority for your organization, and any service-level agreements based on priority. You can specify priority from 1 to 5.

Severity

(Optional) Guidelines should include determining the highest and lowest severity for your organization, and any service-level agreements based on severity. You can specify severity from 1 to 4.

Category

(Optional) Guidelines should include a list of categories to specify when creating or editing OpsItems.

Deduplication strings

(Optional) Guidelines should specify the length and standards for creating effective deduplication strings.

Description

Guidelines should suggest how much detail about the issue to include and any steps (if applicable) for reproducing the issue.

Notifications

Guidelines should suggest which Amazon Simple Notification Service (Amazon SNS) topic Amazon Resource Name (ARN) to specify when creating or editing OpsItems. Be aware that Amazon SNS notifications are region-specific. This means you must specify an ARN that is in the same Amazon Web Services Region as the OpsItem.

Related Resources

Guidelines can include details about which Resources should or shouldn't have an ARN specified. For supported Amazon resource types, the ARN creates a deep link to details about the Resource.

Operational data

You can specify custom data for each OpsItem that provides context about the issue and other relevant data for future reference. You can specify searchable custom data. All users with access to the OpsItem Overview page can search for and view this data. You can also specify private custom data that is only viewable by users who have access to this OpsItem.

Guidelines could specify structure and standards for key-value pairs. These key-value pairs can describe operational data and resolution details, leading to improved search results.