Use cases and best practices - Amazon Systems Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Use cases and best practices

This topic lists common use cases and best practices for Amazon Systems Manager capabilities. If available, this topic also includes links to relevant blog posts and technical documentation.


The title of each section here is an active link to the corresponding section in the technical documentation.

  • Create self-service Automation runbooks for infrastructure.

  • Use Automation, a capability of Amazon Systems Manager, to simplify creating Amazon Machine Images (AMIs) from the Amazon Web Services Marketplace or custom AMIs, using public Systems Manager documents (SSM documents) or by authoring your own workflows.

  • Build and maintain AMIs using the AWS-UpdateLinuxAmi and AWS-UpdateWindowsAmi Automation runbooks, or using custom Automation runbooks that you create.

  • Use Inventory, a capability of Amazon Systems Manager, with Amazon Config to audit your application configurations over time.

Maintenance Windows
  • Define a schedule to perform potentially disruptive actions on your nodes such as operating system (OS) patching, driver updates, or software installations.

  • For information about the differences between State Manager and Maintenance Windows, capabilities of Amazon Systems Manager, see Choosing between State Manager and Maintenance Windows.

Parameter Store
Patch Manager
  • Use Patch Manager, a capability of Amazon Systems Manager, to roll out patches at scale and increase fleet compliance visibility across your nodes.

  • Integrate Patch Manager with Amazon Security Hub to receive alerts when nodes in your fleet go out of compliance and monitor the patching status of your fleets from a security point of view. There is a charge to use Security Hub. For more information, see Pricing.

  • Use only one method at a time for scanning managed nodes for patch compliance to avoid unintentionally overwriting compliance data.

Run Command
State Manager
Managed nodes
  • Systems Manager requires accurate time references to perform its operations. If your node's date and time aren't set correctly, they might not match the signature date of your API requests. This might lead to errors or incomplete functionality. For example, nodes with incorrect time settings won't be included in your lists of managed nodes.

    For information about setting the time on your nodes, see the following topics:

  • On Linux managed nodes, verify the signature of SSM Agent.