Remediating compliance issues using EventBridge - Amazon Systems Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Remediating compliance issues using EventBridge

You can quickly remediate patch and association compliance issues by using Run Command, a capability of Amazon Systems Manager. You can target instance or Amazon IoT Greengrass core device IDs or tags and run the AWS-RunPatchBaseline document or the AWS-RefreshAssociation document. If refreshing the association or re-running the patch baseline fails to resolve the compliance issue, then you need to investigate your associations, patch baselines, or instance configurations to understand why the Run Command operations didn't resolve the problem.

For more information about patching, see Amazon Systems Manager Patch Manager and About the AWS-RunPatchBaseline SSM document.

For more information about associations, see Working with associations in Systems Manager.

For more information about running a command, see Amazon Systems Manager Run Command.

Specify Compliance as the target of an EventBridge event

You can also configure Amazon EventBridge to perform an action in response to Systems Manager Compliance events. For example, if one or more managed nodes fail to install Critical patch updates or run an association that installs anti-virus software, then you can configure EventBridge to run the AWS-RunPatchBaseline document or the AWS-RefreshAssocation document when the Compliance event occurs.

Use the following procedure to configure Compliance as the target of an EventBridge event.

To configure Compliance as the target of a EventBridge event (console)
  1. Open the Amazon EventBridge console at

  2. In the navigation pane, choose Rules.

  3. Choose Create rule.

  4. Enter a name and description for the rule.

    A rule can't have the same name as another rule in the same Amazon Web Services Region and on the same event bus.

  5. For Event bus, choose the event bus that you want to associate with this rule. If you want this rule to respond to matching events that come from your own Amazon Web Services account, select default. When an Amazon Web Service in your account emits an event, it always goes to your account’s default event bus.

  6. For Rule type, choose Rule with an event pattern.

  7. Choose Next.

  8. For Event source, choose Amazon events or EventBridge partner events.

  9. In the Event pattern section, choose Event pattern form.

  10. For Event source, choose Amazon services.

  11. For Amazon service, choose Systems Manager.

  12. For Event type, choose Configuration Compliance.

  13. For Specific detail type(s), choose Configuration Compliance State Change.

  14. Choose Next.

  15. For Target types, choose Amazon service.

  16. For Select a target, choose Systems Manager Run Command.

  17. In the Document list, choose a Systems Manager document (SSM document) to run when your target is invoked. For example, choose AWS-RunPatchBaseline for a non-compliant patch event, or choose AWS-RefreshAssociation for a non-compliant association event.

  18. Specify information for the remaining fields and parameters.


    Required fields and parameters have an asterisk (*) next to the name. To create a target, you must specify a value for each required parameter or field. If you don't, the system creates the rule, but the rule won't be run.

  19. Choose Next.

  20. (Optional) Enter one or more tags for the rule. For more information, see Tagging Your Amazon EventBridge Resources in the Amazon EventBridge User Guide.

  21. Choose Next.

  22. Review the details of the rule and choose Create rule.