What is Amazon Systems Manager? - Amazon Systems Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

What is Amazon Systems Manager?

Amazon Systems Manager is the operations hub for your Amazon applications and resources and a secure end-to-end management solution for hybrid and multicloud environments that enables secure operations at scale.

How Systems Manager works

The following diagram describes how some Systems Manager capabilities perform actions on your resources. The diagram doesn't cover all capabilities. Each enumerated interaction is described before the diagram.

  1. Access Systems Manager – Use one of the available options for accessing Systems Manager.

  2. Choose a Systems Manager capability – Determine which capability can help you perform the action you want to perform on your resources. The diagram shows only a few of the capabilities that IT administrators and DevOps personnel use to manage their applications and resources.

  3. Verification and processing – Systems Manager verifies that your user, group, or role has the required Amazon Identity and Access Management (IAM) permissions to perform the action you specified. If the target of your action is a managed node, the Systems Manager Agent (SSM Agent) running on the node performs the action. For other types of resources, Systems Manager performs the specified action or communicates with other Amazon Web Services to perform the action on behalf of Systems Manager.

  4. Reporting – Systems Manager, SSM Agent, and other Amazon Web Services that performed an action on behalf of Systems Manager report status. Systems Manager can send status details to other Amazon Web Services, if configured.

  5. Systems Manager operations management capabilities – If enabled, Systems Manager operations management capabilities such as Explorer, OpsCenter, and Incident Manager aggregate operations data or create artifacts in response to events or errors with your resources. These artifacts include operational work items (OpsItems) and incidents. Systems Manager operations management capabilities provide operational insight into your applications and resources and automated remediation solutions to help troubleshoot problems.

Systems Manager capabilities perform actions on your resources.

Systems Manager capabilities

Systems Manager groups capabilities into the following categories. Choose the tabs under each category to learn more about each capability.

Application management

Application Manager

Application Manager helps DevOps engineers investigate and remediate issues with their Amazon resources in the context of their applications and clusters. In Application Manager, an application is a logical group of Amazon resources that you want to operate as a unit. This logical group can represent different versions of an application, ownership boundaries for operators, or developer environments, to name a few. Application Manager support for container clusters includes both Amazon Elastic Kubernetes Service (Amazon EKS) and Amazon Elastic Container Service (Amazon ECS) clusters. Application Manager aggregates operations information from multiple Amazon Web Services and Systems Manager capabilities to a single Amazon Web Services Management Console.


AppConfig helps you create, manage, and deploy application configurations and feature flags. AppConfig supports controlled deployments to applications of any size. You can use AppConfig with applications hosted on Amazon EC2 instances, Amazon Lambda containers, mobile applications, or edge devices. To prevent errors when deploying application configurations, AppConfig includes validators. A validator provides a syntactic or semantic check to verify that the configuration you want to deploy works as intended. During a configuration deployment, AppConfig monitors the application to verify that the deployment is successful. If the system encounters an error or if the deployment invokes an alarm, AppConfig rolls back the change to minimize impact for your application users.

Parameter Store

Parameter Store provides secure, hierarchical storage for configuration data and secrets management. You can store data such as passwords, database strings, Amazon Elastic Compute Cloud (Amazon EC2) instance IDs and Amazon Machine Image (AMI) IDs, and license codes as parameter values. You can store values as plain text or encrypted data. You can then reference values by using the unique name you specified when you created the parameter.

Change management

Change Manager

Change Manager is an enterprise change management framework for requesting, approving, implementing, and reporting on operational changes to your application configuration and infrastructure. From a single delegated administrator account, if you use Amazon Organizations, you can manage changes across multiple Amazon Web Services accounts in multiple Amazon Web Services Regions. Alternatively, using a local account, you can manage changes for a single Amazon Web Services account. Use Change Manager for managing changes to both Amazon resources and on-premises resources.


Use Automation to automate common maintenance and deployment tasks. You can use Automation to create and update Amazon Machine Images (AMIs), apply driver and agent updates, reset passwords on Windows Server instance, reset SSH keys on Linux instances, and apply OS patches or application updates.

Change Calendar

Change Calendar helps you set up date and time ranges when actions you specify (for example, in Systems Manager Automation runbooks) can or can't be performed in your Amazon Web Services account. In Change Calendar, these ranges are called events. When you create a Change Calendar entry, you're creating a Systems Manager document of the type ChangeCalendar. In Change Calendar, the document stores iCalendar 2.0 data in plaintext format. Events that you add to the Change Calendar entry become part of the document. You can add events manually in the Change Calendar interface or import events from a supported third-party calendar using an .ics file.

Maintenance Windows

Use Maintenance Windows to set up recurring schedules for managed instances to run administrative tasks such as installing patches and updates without interrupting business-critical operations.

Node management

A managed node is any machine configured for use with Systems Manager in hybrid and multicloud environments.


Use Compliance to scan your fleet of managed nodes for patch compliance and configuration inconsistencies. You can collect and aggregate data from multiple Amazon Web Services accounts and Amazon Web Services Regions, and then drill down into specific resources that aren’t compliant. By default, Compliance displays compliance data about Patch Manager patching and State Manager associations. You can also customize the service and create your own compliance types based on your IT or business requirements.

Fleet Manager

Fleet Manager is a unified user interface (UI) experience that helps you remotely manage your nodes. With Fleet Manager, you can view the health and performance status of your entire fleet from one console. You can also gather data from individual devices and instances to perform common troubleshooting and management tasks from the console. This includes viewing directory and file contents, Windows registry management, operating system user management, and more.


Inventory automates the process of collecting software inventory from your managed nodes. You can use Inventory to gather metadata about applications, files, components, patches, and more.

Session Manager

Use Session Manager to manage your edge devices and Amazon Elastic Compute Cloud (Amazon EC2) instances through an interactive one-click browser-based shell or through the Amazon CLI. Session Manager provides secure and auditable edge device and instance management without needing to open inbound ports, maintain bastion hosts, or manage SSH keys. Session Manager also allows you to comply with corporate policies that require controlled access to edge devices and instances, strict security practices, and fully auditable logs with edge device and instance access details, while still providing end users with simple one-click cross-platform access to your edge devices and EC2 instances. To use Session Manager, you must enable the advanced-instances tier. For more information, see Turning on the advanced-instances tier.

Run Command

Use Run Command to remotely and securely manage the configuration of your managed nodes at scale. Use Run Command to perform on-demand changes such as updating applications or running Linux shell scripts and Windows PowerShell commands on a target set of dozens or hundreds of managed nodes.

State Manager

Use State Manager to automate the process of keeping your managed nodes in a defined state. You can use State Manager to guarantee that your managed nodes are bootstrapped with specific software at startup, joined to a Windows domain (Windows Server nodes only), or patched with specific software updates.

Patch Manager

Use Patch Manager to automate the process of patching your managed nodes with both security related and other types of updates. You can use Patch Manager to apply patches for both operating systems and applications. (On Windows Server, application support is limited to updates for applications released by Microsoft.)

This capability allows you to scan managed nodes for missing patches and apply missing patches individually or to large groups of managed nodes by using tags. Patch Manager uses patch baselines, which can include rules for auto-approving patches within days of their release, and a list of approved and rejected patches. You can install security patches on a regular basis by scheduling patching to run as a Systems Manager maintenance window task, or you can patch your managed nodes on demand at any time.

For Linux operating systems, you can define the repositories that should be used for patching operations as part of your patch baseline. This allows you to ensure that updates are installed only from trusted repositories regardless of what repositories are configured on the managed node. For Linux, you also have the ability to update any package on the managed node, not just those that are classified as operating system security updates. You can also generate patch reports that are sent to an S3 bucket of your choice. For a single managed node, reports include details of all patches for the machine. For a report on all managed nodes, only a summary of how many patches are missing is provided.


Use Distributor to create and deploy packages to managed nodes. With Distributor, you can package your own software—or find Amazon-provided agent software packages, such as AmazonCloudWatchAgent—to install on Systems Manager managed nodes. After you install a package for the first time, you can use Distributor to uninstall and reinstall a new package version, or perform an in-place update that adds new or changed files. Distributor publishes resources, such as software packages, to Systems Manager managed nodes.

Hybrid Activations

To set up non-EC2 machines in your hybrid and multicloud environment as managed nodes, create a hybrid activation. After you complete the activation, you receive an activation code and ID. This code and ID combination functions like an Amazon Elastic Compute Cloud (Amazon EC2) access ID and secret key to provide secure access to the Systems Manager service from your managed instances.

You can also create an activation for edge devices if you want to manage them by using Systems Manager.

Operations management

Incident Manager

Incident Manager is an incident management console that helps users mitigate and recover from incidents affecting their Amazon hosted applications.

Incident Manager increases incident resolution by notifying responders of impact, highlighting relevant troubleshooting data, and providing collaboration tools to get services back up and running. Incident Manager also automates response plans and allows responder team escalation.


Explorer is a customizable operations dashboard that reports information about your Amazon resources. Explorer displays an aggregated view of operations data (OpsData) for your Amazon Web Services accounts and across Amazon Web Services Regions. In Explorer, OpsData includes metadata about your Amazon EC2 instances, patch compliance details, and operational work items (OpsItems). Explorer provides context about how OpsItems are distributed across your business units or applications, how they trend over time, and how they vary by category. You can group and filter information in Explorer to focus on items that are relevant to you and that require action. When you identify high priority issues, you can use OpsCenter, a capability of Systems Manager, to run Automation runbooks and resolve those issues.


OpsCenter provides a central location where operations engineers and IT professionals can view, investigate, and resolve operational work items (OpsItems) related to Amazon resources. OpsCenter is designed to reduce mean time to resolution for issues impacting Amazon resources. This Systems Manager capability aggregates and standardizes OpsItems across services while providing contextual investigation data about each OpsItem, related OpsItems, and related resources. OpsCenter also provides Systems Manager Automation runbooks that you can use to resolve issues. You can specify searchable, custom data for each OpsItem. You can also view automatically generated summary reports about OpsItems by status and source.

CloudWatch Dashboards

Amazon CloudWatch Dashboards are customizable pages in the CloudWatch console that you can use to monitor your resources in a single view, even those resources that are spread across different regions. You can use CloudWatch dashboards to create customized views of the metrics and alarms for your Amazon resources.

Quick Setup

Use Quick Setup to configure frequently used Amazon Web Services and features with recommended best practices. You can use Quick Setup in an individual Amazon Web Services account or across multiple Amazon Web Services accounts and Amazon Web Services Regions by integrating with Amazon Organizations. Quick Setup simplifies setting up services, including Systems Manager, by automating common or recommended tasks. These tasks include, for example, creating required Amazon Identity and Access Management (IAM) instance profile roles and setting up operational best practices, such as periodic patch scans and inventory collection.

Shared resources


A Systems Manager document (SSM document) defines the actions that Systems Manager performs. SSM document types include Command documents, which are used by State Manager and Run Command, and Automation runbooks, which are used by Systems Manager Automation. Systems Manager includes dozens of pre-configured documents that you can use by specifying parameters at runtime. Documents can be expressed in JSON or YAML, and include steps and parameters that you specify.

Accessing Systems Manager

You can work with Systems Manager in any of the following ways:

Systems Manager console

The Systems Manager console is a browser-based interface to access and use Systems Manager.

Amazon IoT Greengrass V2 console

You can view and manage edge devices that are configured for Amazon IoT Greengrass in the Greengrass console.

Amazon command line tools

By using the Amazon command line tools, you can issue commands at your system's command line to perform Systems Manager and other Amazon tasks. The tools are supported on Linux, macOS, and Windows. Using the Amazon Command Line Interface (Amazon CLI) can be faster and more convenient than using the console. The command line tools also are useful if you want to build scripts that perform Amazon tasks.

Amazon provides two sets of command line tools: the Amazon Command Line Interface and the Amazon Tools for Windows PowerShell. For information about installing and using the Amazon CLI, see the Amazon Command Line Interface User Guide. For information about installing and using the Tools for Windows PowerShell, see the Amazon Tools for Windows PowerShell User Guide.


On your Windows Server instances, Windows PowerShell 3.0 or later is required to run certain SSM documents (for example, the legacy AWS-ApplyPatchBaseline document). Verify that your Windows Server instances are running Windows Management Framework 3.0 or later. The framework includes Windows PowerShell.

Amazon SDKs

Amazon provides software development kits (SDKs) that consist of libraries and sample code for various programming languages and platforms (for example, Java, Python, Ruby, .NET, iOS and Android, and others). The SDKs provide a convenient way to grant programmatic access to Systems Manager. For information about the Amazon SDKs, including how to download and install them, see Tools for Amazon Web Services.

Systems Manager service name history

Amazon Systems Manager (Systems Manager) was formerly known as "Amazon Simple Systems Manager (SSM)" and "Amazon EC2 Systems Manager (SSM)". The original abbreviated name of the service, "SSM", is still reflected in various Amazon resources, including a few other service consoles. Some examples:

  • Systems Manager Agent: SSM Agent

  • Systems Manager parameters: SSM parameters

  • Systems Manager service endpoints: ssm.region.amazonaws.com.cn

  • Amazon CloudFormation resource types: AWS::SSM::Document

  • Amazon Config rule identifier: EC2_INSTANCE_MANAGED_BY_SSM

  • Amazon Command Line Interface (Amazon CLI) commands: aws ssm describe-patch-baselines

  • Amazon Identity and Access Management (IAM) managed policy names: AmazonSSMReadOnlyAccess

  • Systems Manager resource ARNs: arn:aws-cn:ssm:region:account-id:patchbaseline/pb-07d8884178EXAMPLE

Supported Amazon Web Services Regions

Systems Manager is available in the Amazon Web Services Regions listed in Systems Manager service endpoints in the Amazon Web Services General Reference. Before starting your Systems Manager configuration process, we recommend that you verify the service is available in each of the Amazon Web Services Regions you want to use it in.

For non-EC2 machines in your hybrid and multicloud environment, we recommend that you choose the Region closest to your data center or computing environment.