Adds or overwrites one or more tags for the specified resource.

Tags are metadata that you can assign to your automations, documents, managed nodes, maintenance windows, Parameter Store parameters, and patch baselines. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment. Each tag consists of a key and an optional value, both of which you define. For example, you could define a set of tags for your account's managed nodes that helps you track each node's owner and stack level. For example:

• Key=Owner,Value=DbAdmin

• Key=Owner,Value=SysAdmin

• Key=Owner,Value=Dev

• Key=Stack,Value=Production

• Key=Stack,Value=Pre-Production

• Key=Stack,Value=Test

Most resources can have a maximum of 50 tags. Automations can have a maximum of 5 tags.

We recommend that you devise a set of tag keys that meets your needs for each resource type. Using a consistent set of tag keys makes it easier for you to manage your resources. You can search and filter the resources based on the tags you add. Tags don't have any semantic meaning to and are interpreted strictly as a string of characters.

Associates a related item to a Systems Manager OpsCenter OpsItem.

Attempts to cancel the command specified by the Command ID.

Stops a maintenance window execution that is already in progress and cancels any tasks in the window that haven't already starting running.

Generates an activation code and activation ID you can use to register your on-premises servers, edge devices, or virtual machine (VM) with Amazon Web Services Systems Manager.

Registering these machines with Systems Manager makes it possible to manage them using Systems Manager capabilities. You use the activation code and ID when installing SSM Agent on machines in your hybrid environment. For more information about requirements for managing on-premises machines using Systems Manager, see Setting up Amazon Web Services Systems Manager for hybrid environments: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-managedinstances.html in the Amazon Web Services Systems Manager User Guide.

A State Manager association defines the state that you want to maintain on your managed nodes.

Associates the specified Amazon Web Services Systems Manager document (SSM document) with the specified managed nodes or targets.

When you associate a document with one or more managed nodes using IDs or tags, Amazon Web Services Systems Manager Agent (SSM Agent) running on the managed node processes the document and configures the node as specified.

Creates a Amazon Web Services Systems Manager (SSM document).

Creates a new maintenance window.

Creates a new OpsItem.

You must have permission in Identity and Access Management (IAM) to create a new OpsItem. For more information, see Set up OpsCenter: https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter-setup.html in the Amazon Web Services Systems Manager User Guide.

Creates a patch baseline.

A resource data sync helps you view data from multiple sources in a single location.

Amazon Web Services Systems Manager offers two types of resource data sync: SyncToDestination and SyncFromSource.

You can configure Systems Manager Inventory to use the SyncToDestination type to synchronize Inventory data from multiple Amazon Web Services Regions to a single Amazon Simple Storage Service (Amazon S3) bucket. For more information, see Configuring resource data sync for Inventory: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-inventory-datasync.html in the Amazon Web Services Systems Manager User Guide.

You can configure Systems Manager Explorer to use the SyncFromSource type to synchronize operational work items (OpsItems) and operational data (OpsData) from multiple Amazon Web Services Regions to a single Amazon S3 bucket. This type can synchronize OpsItems and OpsData from multiple Amazon Web Services accounts and Amazon Web Services Regions or EntireOrganization by using Organizations. For more information, see Setting up Systems Manager Explorer to display data from multiple accounts and Regions: https://docs.aws.amazon.com/systems-manager/latest/userguide/Explorer-resource-data-sync.html in the Amazon Web Services Systems Manager User Guide.

A resource data sync is an asynchronous operation that returns immediately. After a successful initial sync is completed, the system continuously syncs data. To check the status of a sync, use the ListResourceDataSync.

Deletes an activation.

Disassociates the specified Amazon Web Services Systems Manager document (SSM document) from the specified managed node.

If you created the association by using the Targets parameter, then you must delete the association by using the association ID.

Deletes the Amazon Web Services Systems Manager document (SSM document) and all managed node associations to the document.

Delete a custom inventory type or the data associated with a custom Inventory type.

Delete an OpsItem.

You must have permission in Identity and Access Management (IAM) to delete an OpsItem.

Note the following important information about this operation.

Deleting an OpsItem is irreversible. You can't restore a deleted OpsItem.

This operation uses an eventual consistency model, which means the system can take a few minutes to complete this operation. If you delete an OpsItem and immediately call, for example, GetOpsItem, the deleted OpsItem might still appear in the response.

This operation is idempotent. The system doesn't throw an exception if you repeatedly call this operation for the same OpsItem. If the first call is successful, all additional calls return the same successful response as the first call.

Delete a parameter from the system.

Delete a list of parameters.

Deletes a resource data sync configuration.

Deletes a Systems Manager resource policy.

A resource policy helps you to define the IAM entity (for example, an Amazon Web Services account) that can manage your Systems Manager resources. The following resources support Systems Manager resource policies.

• OpsItemGroup - The resource policy for OpsItemGroup enables Amazon Web Services accounts to view and interact with OpsCenter operational work items (OpsItems).

• Parameter - The resource policy is used to share a parameter with other accounts using Resource Access Manager (RAM). For more information about cross-account sharing of parameters, see Working with shared parameters: systems-manager/latest/userguide/parameter-store-shared-parameters.html in the Amazon Web Services Systems Manager User Guide.

Removes the server or virtual machine from the list of registered servers.

Describes the association for the specified target or managed node.

Lists all patches eligible to be included in a patch baseline.

Describes the permissions for a Amazon Web Services Systems Manager document (SSM document).

Retrieves the current effective patches (the patch and the approval state) for the specified patch baseline.

Provides information about one or more of your managed nodes, including the operating system platform, SSM Agent version, association status, and IP address.

This operation does not return information for nodes that are either Stopped or Terminated.

If you specify one or more node IDs, the operation returns information for those managed nodes. If you don't specify node IDs, it returns information for all your managed nodes. If you specify a node ID that isn't valid or a node that you don't own, you receive an error.

Lists the executions of a maintenance window.

Lists the tasks in a maintenance window.

Query a set of OpsItems.

You must have permission in Identity and Access Management (IAM) to query a list of OpsItems. For more information, see Set up OpsCenter: https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter-setup.html in the Amazon Web Services Systems Manager User Guide.

Lists the parameters in your Amazon Web Services account or the parameters shared with you when you enable the Shared: https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_DescribeParameters.html#systemsmanager-DescribeParameters-request-Shared option.

Request results are returned on a best-effort basis. If you specify MaxResults in the request, the response includes information up to the limit specified. The number of items returned, however, can be between zero and the value of MaxResults. If the service reaches an internal limit while processing the results, it stops the operation and returns the matching values up to that point and a NextToken. You can specify the NextToken in a subsequent call to get the next set of results.

Lists the properties of available patches organized by product, product family, classification, severity, and other properties of available patches.

You can use the reported properties in the filters you specify in requests for operations such as CreatePatchBaseline, UpdatePatchBaseline, DescribeAvailablePatches, and DescribePatchBaselines.

The following section lists the properties that can be used in filters for each major operating system type:

AMAZON_LINUX

Valid properties: PRODUCT | CLASSIFICATION | SEVERITY

AMAZON_LINUX_2

Valid properties: PRODUCT | CLASSIFICATION | SEVERITY

CENTOS

Valid properties: PRODUCT | CLASSIFICATION | SEVERITY

DEBIAN

Valid properties: PRODUCT | PRIORITY

MACOS

Valid properties: PRODUCT | CLASSIFICATION

ORACLE_LINUX

Valid properties: PRODUCT | CLASSIFICATION | SEVERITY

REDHAT_ENTERPRISE_LINUX

Valid properties: PRODUCT | CLASSIFICATION | SEVERITY

SUSE

Valid properties: PRODUCT | CLASSIFICATION | SEVERITY

UBUNTU

Valid properties: PRODUCT | PRIORITY

WINDOWS

Valid properties: PRODUCT | PRODUCT_FAMILY | CLASSIFICATION | MSRC_SEVERITY

Deletes the association between an OpsItem and a related item.

Gets the state of a Amazon Web Services Systems Manager change calendar at the current time or a specified time.

If you specify a time, GetCalendarState returns the state of the calendar at that specific time, and returns the next time that the change calendar state will transition. If you don't specify a time, GetCalendarState uses the current time. Change Calendar entries have two possible states: OPEN or CLOSED.

If you specify more than one calendar in a request, the command returns the status of OPEN only if all calendars in the request are open. If one or more calendars in the request are closed, the status returned is CLOSED.

Returns detailed information about command execution for an invocation or plugin.

Retrieves the default patch baseline.

Amazon Web Services Systems Manager supports creating multiple default patch baselines. For example, you can create a default patch baseline for each operating system.

Retrieves the current snapshot for the patch baseline the managed node uses.

This API is primarily used by the AWS-RunPatchBaseline Systems Manager document (SSM document).

Query inventory information.

Retrieves the details of a maintenance window task.

For maintenance window tasks without a specified target, you can't supply values for --max-errors and --max-concurrency. Instead, the system inserts a placeholder value of 1, which may be reported in the response to this command. These values don't affect the running of your task and can be ignored.

Get information about an OpsItem by using the ID.

You must have permission in Identity and Access Management (IAM) to view information about an OpsItem. For more information, see Set up OpsCenter: https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter-setup.html in the Amazon Web Services Systems Manager User Guide.

View a summary of operations metadata (OpsData) based on specified filters and aggregators.

Get information about a single parameter by specifying the parameter name.

Retrieves the history of all changes to a parameter.

Get information about one or more parameters by specifying multiple parameter names.

Retrieve information about one or more parameters in a specific hierarchy.

ServiceSetting is an account-level setting for an Amazon Web Services service.

This setting defines how a user interacts with or uses a service or a feature of a service. For example, if an Amazon Web Services service charges money to the account based on feature or service usage, then the Amazon Web Services service team might create a default setting of false. This means the user can't use this feature unless they change the setting to true and intentionally opt in for a paid feature.

Services map a SettingId object to a setting value. Amazon Web Services services teams define the default value for a SettingId. You can't create a new SettingId, but you can overwrite the default value if you have the ssm:UpdateServiceSetting permission for the setting. Use the UpdateServiceSetting API operation to change the default setting. Or use the ResetServiceSetting to change the value back to the original value defined by the Amazon Web Services service team.

A parameter label is a user-defined alias to help you manage different versions of a parameter.

When you modify a parameter, Amazon Web Services Systems Manager automatically saves a new version and increments the version number by one. A label can help you remember the purpose of a parameter when there are multiple versions.

Parameter labels have the following requirements and restrictions.

• A version of a parameter can have a maximum of 10 labels.

• You can't attach the same label to different versions of the same parameter. For example, if version 1 has the label Production, then you can't attach Production to version 2.

• You can move a label from one version of a parameter to another.

• You can't create a label when you create a new parameter. You must attach a label to a specific version of a parameter.

• If you no longer want to use a parameter label, then you can either delete it or move it to a different version of a parameter.

• A label can have a maximum of 100 characters.

• Labels can contain letters (case sensitive), numbers, periods (.), hyphens (-), or underscores (_).

• Labels can't begin with a number, "aws" or "ssm" (not case sensitive). If a label fails to meet these requirements, then the label isn't associated with a parameter and the system displays it in the list of InvalidLabels.

Returns all State Manager associations in the current Amazon Web Services account and Amazon Web Services Region.

An invocation is copy of a command sent to a specific managed node.

For a specified resource ID, this API operation returns a list of compliance statuses for different resource types.

Returns a summary count of compliant and non-compliant resources for a compliance type.

Returns all Systems Manager (SSM) documents in the current Amazon Web Services account and Amazon Web Services Region.

Returns a list of all OpsItem events in the current Amazon Web Services Region and Amazon Web Services account.

Lists all related-item resources associated with a Systems Manager OpsCenter OpsItem.

Returns a resource-level summary count.

Lists your resource data sync configurations.

Includes information about the last time a sync attempted to start, the last sync status, and the last time a sync successfully completed.

Returns a list of the tags assigned to the specified resource.

Shares a Amazon Web Services Systems Manager document (SSM document)publicly or privately.

Registers a compliance type and other compliance details on a designated resource.

This operation lets you register custom compliance details with a resource. This call overwrites existing compliance information on the resource, so you must provide a full list of compliance items each time that you send the request.

ComplianceType can be one of the following:

• ExecutionId: The execution ID when the patch, association, or custom compliance item was applied.

• ExecutionType: Specify patch, association, or Custom:string.

• ExecutionTime. The time the patch, association, or custom compliance item was applied to the managed node.

• Id: The patch, association, or custom compliance ID.

• Title: A title.

• Status: The status of the compliance item. For example, approved for patches, or Failed for associations.

• Severity: A patch severity. For example, Critical.

• DocumentName: An SSM document name. For example, AWS-RunPatchBaseline.

• DocumentVersion: An SSM document version number. For example, 4.

• Classification: A patch classification. For example, security updates.

• PatchBaselineId: A patch baseline ID.

• PatchSeverity: A patch severity. For example, Critical.

• PatchState: A patch state. For example, InstancesWithFailedPatches.

• PatchGroup: The name of a patch group.

• InstalledTime: The time the association, patch, or custom compliance item was applied to the resource. Specify the time by using the following format: yyyy-MM-dd'T'HH:mm:ss'Z'

Bulk update custom inventory items on one or more managed nodes.

Creates or updates a Systems Manager resource policy.

A resource policy helps you to define the IAM entity (for example, an Amazon Web Services account) that can manage your Systems Manager resources. The following resources support Systems Manager resource policies.

• OpsItemGroup - The resource policy for OpsItemGroup enables Amazon Web Services accounts to view and interact with OpsCenter operational work items (OpsItems).

• Parameter - The resource policy is used to share a parameter with other accounts using Resource Access Manager (RAM).

  To share a parameter, it must be in the advanced parameter tier. For information about parameter tiers, see Managing parameter tiers: https://docs.aws.amazon.com/parameter-store- advanced-parameters.html. For information about changing an existing standard parameter to an advanced parameter, see Changing a standard parameter to an advanced parameter: https://docs.aws.amazon.com/parameter-store-advanced-parameters.html#parameter- store-advanced-parameters-enabling.

  To share a SecureString parameter, it must be encrypted with a customer managed key, and you must share the key separately through Key Management Service. Amazon Web Services managed keys cannot be shared. Parameters encrypted with the default Amazon Web Services managed key can be updated to use a customer managed key instead. For KMS key definitions, see KMS concepts: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt in the Key Management Service Developer Guide.

  While you can share a parameter using the Systems Manager PutResourcePolicy operation, we recommend using Resource Access Manager (RAM) instead. This is because using PutResourcePolicy requires the extra step of promoting the parameter to a standard RAM Resource Share using the RAM PromoteResourceShareCreatedFromPolicy: https://docs.aws.amazon.com/ram/latest/APIReference/API_PromoteResourceShareCreatedFromPolicy.html API operation. Otherwise, the parameter won't be returned by the Systems Manager DescribeParameters: https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_DescribeParameters.html API operation using the --shared option.

  For more information, see Sharing a parameter: https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-shared-parameters.html#share in the Amazon Web Services Systems Manager User Guide

Defines the default patch baseline for the relevant operating system.

ServiceSetting is an account-level setting for an Amazon Web Services service.

This setting defines how a user interacts with or uses a service or a feature of a service. For example, if an Amazon Web Services service charges money to the account based on feature or service usage, then the Amazon Web Services service team might create a default setting of "false". This means the user can't use this feature unless they change the setting to "true" and intentionally opt in for a paid feature.

Services map a SettingId object to a setting value. Amazon Web Services services teams define the default value for a SettingId. You can't create a new SettingId, but you can overwrite the default value if you have the ssm:UpdateServiceSetting permission for the setting. Use the GetServiceSetting API operation to view the current value. Use the UpdateServiceSetting API operation to change the default setting.

Reconnects a session to a managed node after it has been disconnected.

Connections can be resumed for disconnected sessions, but not terminated sessions.

Runs an association immediately and only one time.

Creates a change request for Change Manager.

Initiates a connection to a target (for example, a managed node) for a Session Manager session.

Returns a URL and token that can be used to open a WebSocket connection for sending input and receiving outputs.

Amazon Web Services CLI usage: start-session is an interactive command that requires the Session Manager plugin to be installed on the client machine making the call. For information, see Install the Session Manager plugin for the Amazon Web Services CLI: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html in the Amazon Web Services Systems Manager User Guide.

Permanently ends a session and closes the data connection between the Session Manager client and SSM Agent on the managed node.

Updates an association.

You can update the association name and version, the document version, schedule, parameters, and Amazon Simple Storage Service (Amazon S3) output. When you call UpdateAssociation, the system removes all optional parameters from the request and overwrites the association with null values for those parameters. This is by design. You must specify all optional parameters in the call, even if you are not changing the parameters. This includes the Name parameter. Before calling this API action, we recommend that you call the DescribeAssociation API operation and make a note of all optional parameters required for your UpdateAssociation call.

In order to call this API operation, a user, group, or role must be granted permission to call the DescribeAssociation API operation. If you don't have permission to call DescribeAssociation, then you receive the following error: An error occurred (AccessDeniedException) when calling the UpdateAssociation operation: User: <user_arn> isnt authorized to perform: ssm:DescribeAssociation on resource: <resource_arn>'

Updates the status of the Amazon Web Services Systems Manager document (SSM document) associated with the specified managed node.

Set the default version of a document.

Updates an existing maintenance window.

Only specified parameters are modified.

Modifies the target of an existing maintenance window.

You can change the following:

• Name

• Description

• Owner

• IDs for an ID target

• Tags for a Tag target

• From any supported tag type to another. The three supported tag types are ID target, Tag target, and resource group. For more information, see Target.

Modifies a task assigned to a maintenance window.

You can't change the task type, but you can change the following values:

• TaskARN. For example, you can change a RUN_COMMAND task from AWS-RunPowerShellScript to AWS-RunShellScript.

• ServiceRoleArn

• TaskInvocationParameters

• Priority

• MaxConcurrency

• MaxErrors

One or more targets must be specified for maintenance window Run Command-type tasks. Depending on the task, targets are optional for other maintenance window task types (Automation, Lambda, and Step Functions). For more information about running tasks that don't specify targets, see Registering maintenance window tasks without targets: https://docs.aws.amazon.com/systems-manager/latest/userguide/maintenance-windows-targetless-tasks.html in the Amazon Web Services Systems Manager User Guide.

If the value for a parameter in UpdateMaintenanceWindowTask is null, then the corresponding field isn't modified. If you set Replace to true, then all fields required by the RegisterTaskWithMaintenanceWindow operation are required for this request. Optional fields that aren't specified are set to null.

Changes the Identity and Access Management (IAM) role that is assigned to the on-premises server, edge device, or virtual machines (VM).

Edit or change an OpsItem.

You must have permission in Identity and Access Management (IAM) to update an OpsItem. For more information, see Set up OpsCenter: https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter-setup.html in the Amazon Web Services Systems Manager User Guide.

Modifies an existing patch baseline.

Fields not specified in the request are left unchanged.

Update a resource data sync.

After you create a resource data sync for a Region, you can't change the account options for that sync. For example, if you create a sync in the us-east-2 (Ohio) Region and you choose the Include only the current account option, you can't edit that sync later and choose the Include all accounts from my Organizations configuration option. Instead, you must delete the first resource data sync, and create a new one.

ServiceSetting is an account-level setting for an Amazon Web Services service.

This setting defines how a user interacts with or uses a service or a feature of a service. For example, if an Amazon Web Services service charges money to the account based on feature or service usage, then the Amazon Web Services service team might create a default setting of "false". This means the user can't use this feature unless they change the setting to "true" and intentionally opt in for a paid feature.

Services map a SettingId object to a setting value. Amazon Web Services services teams define the default value for a SettingId. You can't create a new SettingId, but you can overwrite the default value if you have the ssm:UpdateServiceSetting permission for the setting. Use the GetServiceSetting API operation to view the current value. Or, use the ResetServiceSetting to change the value back to the original value defined by the Amazon Web Services service team.