Viewing inventory history and change tracking
You can view Amazon Systems Manager Inventory history and change tracking for all of your managed nodes by using Amazon Config. Amazon Config provides a detailed view of the configuration of Amazon resources in your Amazon Web Services account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time. To view inventory history and change tracking, you must turn on the following resources in Amazon Config:
- SSM:ManagedInstanceInventory
- SSM:PatchCompliance
- SSM:AssociationCompliance
- SSM:FileData
Note
Note the following important details about Inventory history and change tracking:
- If you use Amazon Config to track changes in your system, you must configure Systems Manager Inventory to collect AWS:File metadata so that you can view file changes in Amazon Config (SSM:FileData). If you don't, Amazon Config doesn't track file changes on your system.
- By turning on SSM:PatchCompliance and SSM:AssociationCompliance, you can view Systems Manager Patch Manager patching and Systems Manager State Manager association compliance history and change tracking. For more information about compliance management for these resources, see Working with Compliance.
The following procedure describes how to turn on inventory history and change-track recording in Amazon Config by using the Amazon Command Line Interface (Amazon CLI). For more information about how to choose and configure these resources in Amazon Config, see Selecting Which Resources Amazon Config Records in the Amazon Config Developer Guide. For information about Amazon Config pricing, see Pricing.
Before you begin
Amazon Config requires Amazon Identity and Access Management (IAM) permissions to get configuration details about Systems Manager resources. In the following procedure, you must specify an Amazon Resource Name (ARN) for an IAM role that gives Amazon Config permission to Systems Manager resources. You can attach the Amazon_ConfigRole managed policy to the IAM role that you assign to Amazon Config. For more information about this role, see Amazon managed policy: Amazon_ConfigRole in the Amazon Config Developer Guide. For information about how to create an IAM role and assign the Amazon_ConfigRole managed policy to that role, see Creating a role to delegate permissions to an Amazon Web Service in the IAM User Guide.
To turn on inventory history and change-track recording in Amazon Config
- Install and configure the Amazon Command Line Interface (Amazon CLI), if you haven't already. For information, see Installing or updating the latest version of the Amazon CLI.
- Copy and paste the following JSON sample into a simple text file and save it as recordingGroup.json.
    {
        "allSupported": false,
        "includeGlobalResourceTypes": false,
        "resourceTypes": [
            "AWS::SSM::AssociationCompliance",
            "AWS::SSM::PatchCompliance",
            "AWS::SSM::ManagedInstanceInventory",
            "AWS::SSM::FileData"
        ]
    }
- Run the following command to load the recordingGroup.json file into Amazon Config.
    aws configservice put-configuration-recorder --configuration-recorder name=myRecorder,roleARN=arn:aws-cn:iam::123456789012:role/myConfigRole --recording-group file://recordingGroup.json
- Run the following command to start recording inventory history and change tracking.
    aws configservice start-configuration-recorder --configuration-recorder-name myRecorder
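As an added example (not part of the Systems Manager documentation), the following Python checks an existing recorder's recording group for the four SSM resource types and builds a recordingGroup.json that also keeps any types the recorder already records, because put-configuration-recorder sets the recording group to exactly what the file contains. The describe-configuration-recorders output it parses is a constructed sample; the recorder name, role ARN and function names are assumptions.

```python
# Added example (not from the Systems Manager docs): check an Amazon Config
# recorder for the four SSM resource types, and build a recording group that
# adds them without dropping types the recorder already records.
import json

REQUIRED_SSM_TYPES = ("AWS::SSM::ManagedInstanceInventory", "AWS::SSM::PatchCompliance",
                      "AWS::SSM::AssociationCompliance", "AWS::SSM::FileData")

# Constructed sample of `aws configservice describe-configuration-recorders`
# output: this recorder tracks EC2 instances and patch compliance only.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"ConfigurationRecorders": [{
    "name": "myRecorder",
    "roleARN": "arn:aws-cn:iam::123456789012:role/myConfigRole",
    "recordingGroup": {"allSupported": False, "includeGlobalResourceTypes": False,
                       "resourceTypes": ["AWS::EC2::Instance", "AWS::SSM::PatchCompliance"]}}]})


def recording_group(describe_output, recorder_name):
    """Return the named recorder's recordingGroup, or None if it does not exist."""
    for rec in json.loads(describe_output).get("ConfigurationRecorders", []):
        if rec.get("name") == recorder_name:
            return rec.get("recordingGroup", {})
    return None


def missing_ssm_types(describe_output, recorder_name):
    """SSM types the recorder does not record; allSupported covers all of them."""
    group = recording_group(describe_output, recorder_name)
    if group is None:
        return list(REQUIRED_SSM_TYPES)
    if group.get("allSupported"):
        return []
    recorded = set(group.get("resourceTypes", []))
    return [t for t in REQUIRED_SSM_TYPES if t not in recorded]


def merged_recording_group(describe_output, recorder_name):
    """recordingGroup for put-configuration-recorder, which replaces the whole
    group: keep the existing types and add the four SSM types."""
    group = recording_group(describe_output, recorder_name) or {}
    if group.get("allSupported"):
        return group
    types = sorted(set(group.get("resourceTypes", [])) | set(REQUIRED_SSM_TYPES))
    return {"allSupported": False,
            "includeGlobalResourceTypes": bool(group.get("includeGlobalResourceTypes")),
            "resourceTypes": types}
```

Write the dict that merged_recording_group returns to recordingGroup.json before running put-configuration-recorder, and re-run missing_ssm_types on fresh describe output afterwards to confirm all four types are recorded.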
After you configure history and change tracking, you can drill down into the history for a specific managed node by choosing the Amazon Config button in the Systems Manager console. You can access the Amazon Config button from either the Managed Instances page or the Inventory page. Depending on your monitor size, you might need to scroll to the right side of the page to see the button.