Working with Compliance - Amazon Systems Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Working with Compliance

Compliance, a capability of Amazon Systems Manager, collects and reports data about the status of patching in Patch Manager and of associations in State Manager. (Patch Manager and State Manager are also both capabilities of Amazon Systems Manager.) Compliance also reports on custom compliance types that you have specified for your managed nodes. This section describes each of these compliance types, how to view Systems Manager compliance data, and how to view compliance history and change tracking.

Note

Systems Manager integrates with Chef InSpec. InSpec is an open-source runtime framework that lets you write human-readable compliance profiles, which you store in GitHub or in Amazon Simple Storage Service (Amazon S3). Systems Manager then runs those profiles as compliance scans against your managed nodes and reports which nodes are compliant and which are noncompliant. For more information, see Using Chef InSpec profiles with Systems Manager Compliance.

About patch compliance

After you use Patch Manager to scan for or install patches on your managed nodes, compliance status information is immediately available to you in the console or in response to Amazon Command Line Interface (Amazon CLI) commands or corresponding Systems Manager API operations. A Scan operation reports compliance without changing the node, so you can measure patch drift before you schedule an Install.

For information about patch compliance status values, see Understanding patch compliance state values.

About State Manager association compliance

After you create one or more State Manager associations, compliance status information is immediately available to you in the console or in response to Amazon CLI commands or corresponding Systems Manager API operations. For associations, Compliance shows statuses of Compliant or Non-compliant and the severity level assigned to the association, such as Critical or Medium.

About custom compliance

You can assign compliance metadata to a managed node. This metadata can then be aggregated with other compliance data for compliance reporting purposes. For example, say that your business runs versions 2.0, 3.0, and 4.0 of software X on your managed nodes. The company wants to standardize on version 4.0, meaning that nodes running versions 2.0 and 3.0 are non-compliant. You can use the PutComplianceItems API operation to explicitly record which managed nodes are running older versions of software X. You can assign compliance metadata only by using the Amazon CLI, Amazon Tools for Windows PowerShell, or the SDKs. The following CLI sample command assigns compliance metadata to one managed node and specifies the compliance type in the required format Custom:<name>. The ExecutionTime value is a timestamp, so supply it in ISO 8601 form (yyyy-MM-dd'T'HH:mm:ss'Z'). Replace each example resource placeholder with your own information.

Linux & macOS

    aws ssm put-compliance-items \
        --resource-id i-1234567890abcdef0 \
        --resource-type ManagedInstance \
        --compliance-type Custom:SoftwareXCheck \
        --execution-summary ExecutionTime=2024-01-15T09:00:00Z \
        --items Id=Version2.0,Title=SoftwareXVersion,Severity=CRITICAL,Status=NON_COMPLIANT

Windows

    aws ssm put-compliance-items ^
        --resource-id i-1234567890abcdef0 ^
        --resource-type ManagedInstance ^
        --compliance-type Custom:SoftwareXCheck ^
        --execution-summary ExecutionTime=2024-01-15T09:00:00Z ^
        --items Id=Version2.0,Title=SoftwareXVersion,Severity=CRITICAL,Status=NON_COMPLIANT
Note

The ResourceType parameter only supports ManagedInstance. If you add custom compliance to a managed Amazon IoT Greengrass core device, you must specify a ResourceType of ManagedInstance.

Compliance managers can then view summaries or create reports about which managed nodes are or aren't compliant. You can assign a maximum of 10 different custom compliance types to a managed node.

For an example of how to create a custom compliance type and view compliance data, see Compliance walkthrough (Amazon CLI).
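The software X scenario above, worked through in Python as an added example (this is not code from the Systems Manager documentation): it derives one PutComplianceItems request per managed node from an inventory of installed versions, validates the Custom: prefix, and submits the requests through a boto3 SSM client or a dry-run client. The node IDs, the installed versions, the compliance-type name SoftwareXCheck and the execution timestamp are constructed sample data, and the DryRunClient exists only to show the calls that would be made.

```python
"""Added example, not part of the Systems Manager documentation.

Builds PutComplianceItems requests for a custom compliance type and
optionally submits them. Node IDs, versions and the timestamp are
constructed sample data (assumptions, not real resources)."""
from datetime import datetime, timezone

# Constructed sample inventory: managed node ID -> installed version of "software X".
SAMPLE_INVENTORY = {
    "i-0aaa111122223333a": "4.0",
    "i-0bbb111122223333b": "3.0",
    "i-0ccc111122223333c": "2.0",
}
REQUIRED_VERSION = "4.0"
COMPLIANCE_TYPE = "Custom:SoftwareXCheck"  # custom types must carry the Custom: prefix
# Constructed timestamp; ExecutionTime is a timestamp field, not free text.
SAMPLE_EXECUTION_TIME = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)


def _version_tuple(version):
    """'3.10.2' -> (3, 10, 2) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))


def validate_compliance_type(compliance_type):
    """Reject anything that is not in the Custom:<name> form the API requires."""
    prefix = "Custom:"
    if not compliance_type.startswith(prefix) or len(compliance_type) <= len(prefix):
        raise ValueError(f"custom compliance type must look like Custom:<name>, got {compliance_type!r}")
    return compliance_type


def build_items(installed_version, required_version):
    """One ComplianceItemEntry for the node. Severity and Status are the required
    fields; Id, Title and Details make the report readable. Compliant nodes get an
    explicit COMPLIANT item: with the default UploadType (COMPLETE) a call replaces
    every item of this compliance type on the node, and a node you never report
    simply does not appear in the summary as compliant."""
    outdated = _version_tuple(installed_version) < _version_tuple(required_version)
    return [{
        "Id": f"Version{installed_version}",
        "Title": "SoftwareXVersion",
        "Severity": "CRITICAL",
        "Status": "NON_COMPLIANT" if outdated else "COMPLIANT",
        "Details": {"InstalledVersion": installed_version, "RequiredVersion": required_version},
    }]


def build_requests(inventory, compliance_type, required_version, execution_time):
    """One request per managed node, because ResourceId takes a single node."""
    validate_compliance_type(compliance_type)
    if not isinstance(execution_time, datetime):
        raise TypeError("execution_time must be a datetime")
    return [
        {
            "ResourceId": node_id,
            "ResourceType": "ManagedInstance",  # the only ResourceType the API accepts
            "ComplianceType": compliance_type,
            "ExecutionSummary": {"ExecutionTime": execution_time, "ExecutionType": "Command"},
            "Items": build_items(installed, required_version),
        }
        for node_id, installed in inventory.items()
    ]


class DryRunClient:
    """Stand-in for boto3's SSM client that records the calls instead of sending them."""
    def __init__(self):
        self.calls = []

    def put_compliance_items(self, **request):
        self.calls.append(request)


def submit(requests, ssm_client):
    """Send each request via ssm_client.put_compliance_items; returns nodes updated."""
    for request in requests:
        ssm_client.put_compliance_items(**request)
    return len(requests)


def demo_requests():
    """Requests for the constructed inventory, used by the stand-alone run below."""
    return build_requests(SAMPLE_INVENTORY, COMPLIANCE_TYPE, REQUIRED_VERSION, SAMPLE_EXECUTION_TIME)


if __name__ == "__main__":
    client = DryRunClient()  # swap in boto3.client("ssm") for a live run
    print("nodes updated:", submit(demo_requests(), client))
    for call in client.calls:
        print(call["ResourceId"], call["Items"][0]["Status"])
```

For a live run, replace DryRunClient with `boto3.client("ssm")`; boto3 accepts the datetime directly for ExecutionTime. Keep the per-node call pattern: the operation is scoped to one ResourceId, and each call overwrites the previous items of that compliance type on that node.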

Viewing current compliance data

This section describes how to view compliance data in the Systems Manager console and by using the Amazon CLI. For information about how to view patch and association compliance history and change tracking, see Viewing compliance configuration history and change tracking.

Viewing current compliance data (console)

Use the following procedure to view compliance data in the Systems Manager console.

To view current compliance reports in the Systems Manager console
  1. Open the Amazon Systems Manager console at https://console.amazonaws.cn/systems-manager/.

  2. In the navigation pane, choose Compliance.

    -or-

    If the Amazon Systems Manager home page opens first, choose the menu icon to open the navigation pane, and then choose Compliance in the navigation pane.

  3. In the Compliance dashboard filtering section, choose an option to filter compliance data. The Compliance resources summary section displays counts of compliance data based on the filter you chose.

  4. To drill down into a resource for more information, scroll down to the Details overview for resources area and choose the ID of a managed node.

  5. On the Instance ID or Name details page, choose the Configuration compliance tab to view a detailed configuration compliance report for the managed node.

Note

For information about fixing compliance issues, see Remediating compliance issues using EventBridge.

Viewing current compliance data (Amazon CLI)

You can view summaries of compliance data for patching, associations, and custom compliance types in the Amazon CLI by using the following Amazon CLI commands.

list-compliance-summaries

Returns a summary count of compliant and non-compliant statuses for each compliance type (Patch, Association, and your Custom: types) according to the filter you specify. (API: ListComplianceSummaries)

list-resource-compliance-summaries

Returns a resource-level summary count. The summary includes information about compliant and non-compliant statuses and detailed compliance-item severity counts, according to the filter criteria you specify. (API: ListResourceComplianceSummaries)

You can view additional compliance data for patching by using the following Amazon CLI commands.

describe-patch-group-state

Returns high-level aggregated patch compliance state for a patch group. (API: DescribePatchGroupState)

describe-instance-patch-states-for-patch-group

Returns the high-level patch state for the instances in the specified patch group. (API: DescribeInstancePatchStatesForPatchGroup)

Note

For an illustration of how to configure patching and view patch compliance details by using the Amazon CLI, see Tutorial: Patch a server environment (Amazon CLI).
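As an added example that is not part of the Systems Manager documentation, the following Python reads a paginated ListResourceComplianceSummaries response (the output behind list-resource-compliance-summaries), builds the Filters list that operation accepts, and triages the non-compliant nodes by the severity counts in each NonCompliantSummary. The two response pages, node IDs and counts are constructed sample data; the field names follow the API response shape, and the boto3 paginator mentioned in the comments is the way to obtain real pages.

```python
"""Added example, not part of the Systems Manager documentation.

Paginates a ListResourceComplianceSummaries response and ranks non-compliant
nodes by severity. SAMPLE_PAGES is constructed data with placeholder node IDs."""

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNSPECIFIED"]
_COUNT_KEY = {
    "CRITICAL": "CriticalCount", "HIGH": "HighCount", "MEDIUM": "MediumCount",
    "LOW": "LowCount", "INFORMATIONAL": "InformationalCount", "UNSPECIFIED": "UnspecifiedCount",
}


def _sample_item(resource_id, ctype, status, severity, noncompliant, counts):
    """Build one ResourceComplianceSummaryItem of constructed sample data."""
    zero = {key: 0 for key in _COUNT_KEY.values()}
    return {
        "ComplianceType": ctype, "ResourceType": "ManagedInstance", "ResourceId": resource_id,
        "Status": status, "OverallSeverity": severity,
        "ExecutionSummary": {"ExecutionTime": "2024-01-15T09:00:00Z", "ExecutionType": "Command"},
        "CompliantSummary": {"CompliantCount": 40 - noncompliant, "SeveritySummary": dict(zero)},
        "NonCompliantSummary": {"NonCompliantCount": noncompliant, "SeveritySummary": {**zero, **counts}},
    }


# Constructed two-page response: the first page carries a NextToken, the last does not.
SAMPLE_PAGES = [
    {"ResourceComplianceSummaryItems": [
        _sample_item("i-0aaa111122223333a", "Patch", "COMPLIANT", "UNSPECIFIED", 0, {}),
        _sample_item("i-0bbb111122223333b", "Patch", "NON_COMPLIANT", "CRITICAL", 3,
                     {"CriticalCount": 2, "HighCount": 1}),
    ], "NextToken": "page-2"},
    {"ResourceComplianceSummaryItems": [
        _sample_item("i-0ccc111122223333c", "Association", "NON_COMPLIANT", "MEDIUM", 1, {"MediumCount": 1}),
        _sample_item("i-0ccc111122223333c", "Custom:SoftwareXCheck", "NON_COMPLIANT", "CRITICAL", 1,
                     {"CriticalCount": 1}),
    ]},
]


def compliance_filters(compliance_type=None, status=None):
    """ComplianceStringFilter list for --filters / Filters, e.g. ComplianceType=Patch, Status=NON_COMPLIANT."""
    filters = []
    if compliance_type:
        filters.append({"Key": "ComplianceType", "Values": [compliance_type], "Type": "EQUAL"})
    if status:
        filters.append({"Key": "Status", "Values": [status], "Type": "EQUAL"})
    return filters


def iter_summary_items(pages):
    """Flatten the pages. Live pages come from
    boto3.client('ssm').get_paginator('list_resource_compliance_summaries').paginate(Filters=...)."""
    for page in pages:
        yield from page.get("ResourceComplianceSummaryItems", [])


def triage(pages, min_severity="HIGH"):
    """Non-compliant nodes with at least one non-compliant item at or above min_severity,
    worst OverallSeverity first, then by the number of actionable items."""
    cutoff = SEVERITY_ORDER.index(min_severity)
    findings = []
    for item in iter_summary_items(pages):
        if item.get("Status") != "NON_COMPLIANT":
            continue
        counts = item.get("NonCompliantSummary", {}).get("SeveritySummary", {})
        actionable = sum(counts.get(_COUNT_KEY[level], 0) for level in SEVERITY_ORDER[:cutoff + 1])
        if actionable == 0:
            continue  # non-compliant, but nothing at the severity we act on
        findings.append({
            "ResourceId": item["ResourceId"],
            "ComplianceType": item["ComplianceType"],
            "OverallSeverity": item.get("OverallSeverity", "UNSPECIFIED"),
            "ActionableCount": actionable,
            "NonCompliantCount": item["NonCompliantSummary"].get("NonCompliantCount", 0),
        })
    findings.sort(key=lambda f: (SEVERITY_ORDER.index(f["OverallSeverity"]), -f["ActionableCount"]))
    return findings


if __name__ == "__main__":
    print("filters:", compliance_filters("Patch", "NON_COMPLIANT"))
    for finding in triage(SAMPLE_PAGES):
        print(finding["ResourceId"], finding["ComplianceType"], finding["OverallSeverity"], finding["ActionableCount"])
```

Always read every page: a node that is non-compliant only on the second page is invisible if you stop at the first. The threshold matters too; with the default HIGH cutoff the association finding on the sample node is filtered out, while lowering it to MEDIUM surfaces it.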

Viewing compliance configuration history and change tracking

Systems Manager Compliance displays current patching and association compliance data for your managed nodes. You can view patching and association compliance history and change tracking by using Amazon Config. Amazon Config provides a detailed view of the configuration of Amazon resources in your Amazon Web Services account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time. To view patching and association compliance history and change tracking, you must turn on the following resources in Amazon Config:

  • SSM:PatchCompliance

  • SSM:AssociationCompliance

For information about how to choose and configure these specific resources in Amazon Config, see Selecting Which Resources Amazon Config Records in the Amazon Config Developer Guide.

Note

For information about Amazon Config pricing, see Pricing.