View Source aws_ssm (aws v1.0.4)
Amazon Web Services Systems Manager is the operations hub for your Amazon Web Services applications and resources and a secure end-to-end management solution for hybrid cloud environments that enables safe and secure operations at scale.
This reference is intended to be used with the Amazon Web Services Systems Manager User Guide: https://docs.aws.amazon.com/systems-manager/latest/userguide/. To get started, see Setting up Amazon Web Services Systems Manager: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up.html.
Related resources
For information about each of the capabilities that comprise Systems Manager, see Systems Manager capabilities: https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html#systems-manager-capabilities in the Amazon Web Services Systems Manager User Guide.
For details about predefined runbooks for Automation, a capability of Amazon Web Services Systems Manager, see the Systems Manager Automation runbook reference: https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-runbook-reference.html .
For information about AppConfig, a capability of Systems Manager, see the AppConfig User Guide: https://docs.aws.amazon.com/appconfig/latest/userguide/ and the AppConfig API Reference: https://docs.aws.amazon.com/appconfig/2019-10-09/APIReference/ .
For information about Incident Manager, a capability of Systems Manager, see the Systems Manager Incident Manager User Guide: https://docs.aws.amazon.com/incident-manager/latest/userguide/ and the Systems Manager Incident Manager API Reference: https://docs.aws.amazon.com/incident-manager/latest/APIReference/ .
Summary
Functions
Adds or overwrites one or more tags for the specified resource.
Associates a related item to a Systems Manager OpsCenter OpsItem.
Attempts to cancel the command specified by the Command ID.
Stops a maintenance window execution that is already in progress and cancels any tasks in the window that haven't already starting running.
Generates an activation code and activation ID you can use to register your on-premises servers, edge devices, or virtual machine (VM) with Amazon Web Services Systems Manager.
A State Manager association defines the state that you want to maintain on your managed nodes.
Associates the specified Amazon Web Services Systems Manager document (SSM document) with the specified managed nodes or targets.
Creates a Amazon Web Services Systems Manager (SSM document).
Creates a new maintenance window.
Creates a new OpsItem.
Creates a patch baseline.
A resource data sync helps you view data from multiple sources in a single location.
Deletes an activation.
Disassociates the specified Amazon Web Services Systems Manager document (SSM document) from the specified managed node.
Deletes the Amazon Web Services Systems Manager document (SSM document) and all managed node associations to the document.
Delete a custom inventory type or the data associated with a custom Inventory type.
Delete an OpsItem.
Delete a parameter from the system.
Delete a list of parameters.
Deletes a resource data sync configuration.
Deletes a Systems Manager resource policy.
Removes the server or virtual machine from the list of registered servers.
Describes the association for the specified target or managed node.
Lists all patches eligible to be included in a patch baseline.
Describes the permissions for a Amazon Web Services Systems Manager document (SSM document).
Retrieves the current effective patches (the patch and the approval state) for the specified patch baseline.
Provides information about one or more of your managed nodes, including the operating system platform, SSM Agent version, association status, and IP address.
Lists the executions of a maintenance window.
Lists the tasks in a maintenance window.
Query a set of OpsItems.
Lists the parameters in your Amazon Web Services account or the parameters shared with you when you enable the Shared: https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_DescribeParameters.html#systemsmanager-DescribeParameters-request-Shared option.
Lists the properties of available patches organized by product, product family, classification, severity, and other properties of available patches.
Deletes the association between an OpsItem and a related item.
Gets the state of a Amazon Web Services Systems Manager change calendar at the current time or a specified time.
Returns detailed information about command execution for an invocation or plugin.
Retrieves the default patch baseline.
Retrieves the current snapshot for the patch baseline the managed node uses.
Query inventory information.
Retrieves the details of a maintenance window task.
Get information about an OpsItem by using the ID.
View a summary of operations metadata (OpsData) based on specified filters and aggregators.
Get information about a single parameter by specifying the parameter name.
Retrieves the history of all changes to a parameter.
Get information about one or more parameters by specifying multiple parameter names.
Retrieve information about one or more parameters in a specific hierarchy.
Policy
object.ServiceSetting
is an account-level setting for an Amazon Web Services service.
A parameter label is a user-defined alias to help you manage different versions of a parameter.
Returns all State Manager associations in the current Amazon Web Services account and Amazon Web Services Region.
An invocation is copy of a command sent to a specific managed node.
For a specified resource ID, this API operation returns a list of compliance statuses for different resource types.
Returns a summary count of compliant and non-compliant resources for a compliance type.
Returns all Systems Manager (SSM) documents in the current Amazon Web Services account and Amazon Web Services Region.
Returns a list of all OpsItem events in the current Amazon Web Services Region and Amazon Web Services account.
Lists all related-item resources associated with a Systems Manager OpsCenter OpsItem.
Returns a resource-level summary count.
Lists your resource data sync configurations.
Returns a list of the tags assigned to the specified resource.
Shares a Amazon Web Services Systems Manager document (SSM document)publicly or privately.
Registers a compliance type and other compliance details on a designated resource.
Bulk update custom inventory items on one or more managed nodes.
Creates or updates a Systems Manager resource policy.
Defines the default patch baseline for the relevant operating system.
ServiceSetting
is an account-level setting for an Amazon Web Services service.
Reconnects a session to a managed node after it has been disconnected.
Runs an association immediately and only one time.
Creates a change request for Change Manager.
Initiates a connection to a target (for example, a managed node) for a Session Manager session.
Permanently ends a session and closes the data connection between the Session Manager client and SSM Agent on the managed node.
Updates an association.
Updates the status of the Amazon Web Services Systems Manager document (SSM document) associated with the specified managed node.
Set the default version of a document.
Updates an existing maintenance window.
Modifies the target of an existing maintenance window.
Modifies a task assigned to a maintenance window.
Changes the Identity and Access Management (IAM) role that is assigned to the on-premises server, edge device, or virtual machines (VM).
Edit or change an OpsItem.
Modifies an existing patch baseline.
Update a resource data sync.
ServiceSetting
is an account-level setting for an Amazon Web Services service.
Functions
Adds or overwrites one or more tags for the specified resource.
Tags are metadata that you can assign to your automations, documents, managed nodes, maintenance windows, Parameter Store parameters, and patch baselines. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment. Each tag consists of a key and an optional value, both of which you define. For example, you could define a set of tags for your account's managed nodes that helps you track each node's owner and stack level. For example:
Key=Owner,Value=DbAdmin
Key=Owner,Value=SysAdmin
Key=Owner,Value=Dev
Key=Stack,Value=Production
Key=Stack,Value=Pre-Production
Key=Stack,Value=Test
Most resources can have a maximum of 50 tags. Automations can have a maximum of 5 tags.
We recommend that you devise a set of tag keys that meets your needs for each resource type. Using a consistent set of tag keys makes it easier for you to manage your resources. You can search and filter the resources based on the tags you add. Tags don't have any semantic meaning to and are interpreted strictly as a string of characters.
For more information about using tags with Amazon Elastic Compute Cloud (Amazon EC2) instances, see Tagging your Amazon EC2 resources: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html in the Amazon EC2 User Guide.Attempts to cancel the command specified by the Command ID.
There is no guarantee that the command will be terminated and the underlying process stopped.Stops a maintenance window execution that is already in progress and cancels any tasks in the window that haven't already starting running.
Tasks already in progress will continue to completion.Generates an activation code and activation ID you can use to register your on-premises servers, edge devices, or virtual machine (VM) with Amazon Web Services Systems Manager.
Registering these machines with Systems Manager makes it possible to manage them using Systems Manager capabilities. You use the activation code and ID when installing SSM Agent on machines in your hybrid environment. For more information about requirements for managing on-premises machines using Systems Manager, see Setting up Amazon Web Services Systems Manager for hybrid environments: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-managedinstances.html in the Amazon Web Services Systems Manager User Guide.
Amazon Elastic Compute Cloud (Amazon EC2) instances, edge devices, and on-premises servers and VMs that are configured for Systems Manager are all called managed nodes.A State Manager association defines the state that you want to maintain on your managed nodes.
For example, an association can specify that anti-virus software must be installed and running on your managed nodes, or that certain ports must be closed. For static targets, the association specifies a schedule for when the configuration is reapplied. For dynamic targets, such as an Amazon Web Services resource group or an Amazon Web Services autoscaling group, State Manager, a capability of Amazon Web Services Systems Manager applies the configuration when new managed nodes are added to the group. The association also specifies actions to take when applying the configuration. For example, an association for anti-virus software might run once a day. If the software isn't installed, then State Manager installs it. If the software is installed, but the service isn't running, then the association might instruct State Manager to start the service.Associates the specified Amazon Web Services Systems Manager document (SSM document) with the specified managed nodes or targets.
When you associate a document with one or more managed nodes using IDs or tags, Amazon Web Services Systems Manager Agent (SSM Agent) running on the managed node processes the document and configures the node as specified.
If you associate a document with a managed node that already has an associated document, the system returns the AssociationAlreadyExists exception.Creates a Amazon Web Services Systems Manager (SSM document).
An SSM document defines the actions that Systems Manager performs on your managed nodes. For more information about SSM documents, including information about supported schemas, features, and syntax, see Amazon Web Services Systems Manager Documents: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-ssm-docs.html in the Amazon Web Services Systems Manager User Guide.Creates a new maintenance window.
The value you specify forDuration
determines the specific end time for the maintenance window based on the time it begins. No maintenance window tasks are permitted to start after the resulting endtime minus the number of hours you specify for Cutoff
. For example, if the maintenance window starts at 3 PM, the duration is three hours, and the value you specify for Cutoff
is one hour, no maintenance window tasks can start after 5 PM.
Creates a new OpsItem.
You must have permission in Identity and Access Management (IAM) to create a new OpsItem. For more information, see Set up OpsCenter: https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter-setup.html in the Amazon Web Services Systems Manager User Guide.
Operations engineers and IT professionals use Amazon Web Services Systems Manager OpsCenter to view, investigate, and remediate operational issues impacting the performance and health of their Amazon Web Services resources. For more information, see Amazon Web Services Systems Manager OpsCenter: https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter.html in the Amazon Web Services Systems Manager User Guide.Creates a patch baseline.
For information about valid key-value pairs inPatchFilters
for each supported operating system type, see PatchFilter
.
A resource data sync helps you view data from multiple sources in a single location.
Amazon Web Services Systems Manager offers two types of resource data sync: SyncToDestination
and SyncFromSource
.
You can configure Systems Manager Inventory to use the SyncToDestination
type to synchronize Inventory data from multiple Amazon Web Services Regions to a single Amazon Simple Storage Service (Amazon S3) bucket. For more information, see Configuring resource data sync for Inventory: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-inventory-datasync.html in the Amazon Web Services Systems Manager User Guide.
You can configure Systems Manager Explorer to use the SyncFromSource
type to synchronize operational work items (OpsItems) and operational data (OpsData) from multiple Amazon Web Services Regions to a single Amazon S3 bucket. This type can synchronize OpsItems and OpsData from multiple Amazon Web Services accounts and Amazon Web Services Regions or EntireOrganization
by using Organizations. For more information, see Setting up Systems Manager Explorer to display data from multiple accounts and Regions: https://docs.aws.amazon.com/systems-manager/latest/userguide/Explorer-resource-data-sync.html in the Amazon Web Services Systems Manager User Guide.
A resource data sync is an asynchronous operation that returns immediately. After a successful initial sync is completed, the system continuously syncs data. To check the status of a sync, use the ListResourceDataSync
.
Deletes an activation.
You aren't required to delete an activation. If you delete an activation, you can no longer use it to register additional managed nodes. Deleting an activation doesn't de-register managed nodes. You must manually de-register managed nodes.Disassociates the specified Amazon Web Services Systems Manager document (SSM document) from the specified managed node.
If you created the association by using the Targets
parameter, then you must delete the association by using the association ID.
Deletes the Amazon Web Services Systems Manager document (SSM document) and all managed node associations to the document.
Before you delete the document, we recommend that you useDeleteAssociation
to disassociate all managed nodes that are associated with the document.
Delete a custom inventory type or the data associated with a custom Inventory type.
Deleting a custom inventory type is also referred to as deleting a custom inventory schema.Delete an OpsItem.
You must have permission in Identity and Access Management (IAM) to delete an OpsItem.
Note the following important information about this operation.
Deleting an OpsItem is irreversible. You can't restore a deleted OpsItem.
This operation uses an eventual consistency model, which means the system can take a few minutes to complete this operation. If you delete an OpsItem and immediately call, for example, GetOpsItem
, the deleted OpsItem might still appear in the response.
This operation is idempotent. The system doesn't throw an exception if you repeatedly call this operation for the same OpsItem. If the first call is successful, all additional calls return the same successful response as the first call.
This operation doesn't support cross-account calls. A delegated administrator or management account can't delete OpsItems in other accounts, even if OpsCenter has been set up for cross-account administration. For more information about cross-account administration, see Setting up OpsCenter to centrally manage OpsItems across accounts: https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter-setting-up-cross-account.html in the Systems Manager User Guide.Delete a parameter from the system.
After deleting a parameter, wait for at least 30 seconds to create a parameter with the same name.Delete a list of parameters.
After deleting a parameter, wait for at least 30 seconds to create a parameter with the same name.Deletes a resource data sync configuration.
After the configuration is deleted, changes to data on managed nodes are no longer synced to or from the target. Deleting a sync configuration doesn't delete data.Deletes a Systems Manager resource policy.
A resource policy helps you to define the IAM entity (for example, an Amazon Web Services account) that can manage your Systems Manager resources. The following resources support Systems Manager resource policies.
OpsItemGroup
- The resource policy forOpsItemGroup
enables Amazon Web Services accounts to view and interact with OpsCenter operational work items (OpsItems).Parameter
- The resource policy is used to share a parameter with other accounts using Resource Access Manager (RAM). For more information about cross-account sharing of parameters, see Working with shared parameters: systems-manager/latest/userguide/parameter-store-shared-parameters.html in the Amazon Web Services Systems Manager User Guide.
Removes the server or virtual machine from the list of registered servers.
You can reregister the node again at any time. If you don't plan to use Run Command on the server, we suggest uninstalling SSM Agent first.Describes the association for the specified target or managed node.
If you created the association by using theTargets
parameter, then you must retrieve the association by using the association ID.
Lists all patches eligible to be included in a patch baseline.
Currently,DescribeAvailablePatches
supports only the Amazon Linux 1, Amazon Linux 2, and Windows Server operating systems.
Describes the permissions for a Amazon Web Services Systems Manager document (SSM document).
If you created the document, you are the owner. If a document is shared, it can either be shared privately (by specifying a user's Amazon Web Services account ID) or publicly (All).Retrieves the current effective patches (the patch and the approval state) for the specified patch baseline.
Applies to patch baselines for Windows only.describe_effective_patches_for_patch_baseline(Client, Input, Options)
View SourceProvides information about one or more of your managed nodes, including the operating system platform, SSM Agent version, association status, and IP address.
This operation does not return information for nodes that are either Stopped or Terminated.
If you specify one or more node IDs, the operation returns information for those managed nodes. If you don't specify node IDs, it returns information for all your managed nodes. If you specify a node ID that isn't valid or a node that you don't own, you receive an error.
TheIamRole
field returned for this API operation is the Identity and Access Management (IAM) role assigned to on-premises managed nodes. This operation does not return the IAM role for EC2 instances.
describe_instance_patch_states_for_patch_group(Client, Input, Options)
View Sourcedescribe_maintenance_window_execution_task_invocations(Client, Input)
View Sourcedescribe_maintenance_window_execution_task_invocations(Client, Input, Options)
View Sourcedescribe_maintenance_window_execution_tasks(Client, Input, Options)
View SourceLists the executions of a maintenance window.
This includes information about when the maintenance window was scheduled to be active, and information about tasks registered and run with the maintenance window.Lists the tasks in a maintenance window.
For maintenance window tasks without a specified target, you can't supply values for--max-errors
and --max-concurrency
. Instead, the system inserts a placeholder value of 1
, which may be reported in the response to this command. These values don't affect the running of your task and can be ignored.
Query a set of OpsItems.
You must have permission in Identity and Access Management (IAM) to query a list of OpsItems. For more information, see Set up OpsCenter: https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter-setup.html in the Amazon Web Services Systems Manager User Guide.
Operations engineers and IT professionals use Amazon Web Services Systems Manager OpsCenter to view, investigate, and remediate operational issues impacting the performance and health of their Amazon Web Services resources. For more information, see OpsCenter: https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter.html in the Amazon Web Services Systems Manager User Guide.Lists the parameters in your Amazon Web Services account or the parameters shared with you when you enable the Shared: https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_DescribeParameters.html#systemsmanager-DescribeParameters-request-Shared option.
Request results are returned on a best-effort basis. If you specify MaxResults
in the request, the response includes information up to the limit specified. The number of items returned, however, can be between zero and the value of MaxResults
. If the service reaches an internal limit while processing the results, it stops the operation and returns the matching values up to that point and a NextToken
. You can specify the NextToken
in a subsequent call to get the next set of results.
DescribeParameters
retrieves whatever the original key alias was referencing.
Lists the properties of available patches organized by product, product family, classification, severity, and other properties of available patches.
You can use the reported properties in the filters you specify in requests for operations such as CreatePatchBaseline
, UpdatePatchBaseline
, DescribeAvailablePatches
, and DescribePatchBaselines
.
The following section lists the properties that can be used in filters for each major operating system type:
- AMAZON_LINUX
Valid properties:
PRODUCT
|CLASSIFICATION
|SEVERITY
- AMAZON_LINUX_2
Valid properties:
PRODUCT
|CLASSIFICATION
|SEVERITY
- CENTOS
Valid properties:
PRODUCT
|CLASSIFICATION
|SEVERITY
- DEBIAN
Valid properties:
PRODUCT
|PRIORITY
- MACOS
Valid properties:
PRODUCT
|CLASSIFICATION
- ORACLE_LINUX
Valid properties:
PRODUCT
|CLASSIFICATION
|SEVERITY
- REDHAT_ENTERPRISE_LINUX
Valid properties:
PRODUCT
|CLASSIFICATION
|SEVERITY
- SUSE
Valid properties:
PRODUCT
|CLASSIFICATION
|SEVERITY
- UBUNTU
Valid properties:
PRODUCT
|PRIORITY
- WINDOWS
Valid properties:
PRODUCT
|PRODUCT_FAMILY
|CLASSIFICATION
|MSRC_SEVERITY
Gets the state of a Amazon Web Services Systems Manager change calendar at the current time or a specified time.
If you specify a time, GetCalendarState
returns the state of the calendar at that specific time, and returns the next time that the change calendar state will transition. If you don't specify a time, GetCalendarState
uses the current time. Change Calendar entries have two possible states: OPEN
or CLOSED
.
If you specify more than one calendar in a request, the command returns the status of OPEN
only if all calendars in the request are open. If one or more calendars in the request are closed, the status returned is CLOSED
.
Returns detailed information about command execution for an invocation or plugin.
GetCommandInvocation
only gives the execution status of a plugin in a document. To get the command execution status on a specific managed node, use ListCommandInvocations
. To get the command execution status across managed nodes, use ListCommands
.
Retrieves the default patch baseline.
Amazon Web Services Systems Manager supports creating multiple default patch baselines. For example, you can create a default patch baseline for each operating system.
If you don't specify an operating system value, the default patch baseline for Windows is returned.Retrieves the current snapshot for the patch baseline the managed node uses.
This API is primarily used by the AWS-RunPatchBaseline
Systems Manager document (SSM document).
AWS-RunShellScript
document or the AWS-RunPowerShellScript
document.
get_deployable_patch_snapshot_for_instance(Client, Input, Options)
View SourceQuery inventory information.
This includes managed node status, such asStopped
or Terminated
.
get_maintenance_window_execution_task_invocation(Client, Input, Options)
View SourceRetrieves the details of a maintenance window task.
For maintenance window tasks without a specified target, you can't supply values for --max-errors
and --max-concurrency
. Instead, the system inserts a placeholder value of 1
, which may be reported in the response to this command. These values don't affect the running of your task and can be ignored.
DescribeMaintenanceWindowTasks
command.
Get information about an OpsItem by using the ID.
You must have permission in Identity and Access Management (IAM) to view information about an OpsItem. For more information, see Set up OpsCenter: https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter-setup.html in the Amazon Web Services Systems Manager User Guide.
Operations engineers and IT professionals use Amazon Web Services Systems Manager OpsCenter to view, investigate, and remediate operational issues impacting the performance and health of their Amazon Web Services resources. For more information, see OpsCenter: https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter.html in the Amazon Web Services Systems Manager User Guide.View a summary of operations metadata (OpsData) based on specified filters and aggregators.
OpsData can include information about Amazon Web Services Systems Manager OpsCenter operational workitems (OpsItems) as well as information about any Amazon Web Services resource or service configured to report OpsData to Amazon Web Services Systems Manager Explorer.Get information about a single parameter by specifying the parameter name.
To get information about more than one parameter at a time, use theGetParameters
operation.
Retrieves the history of all changes to a parameter.
If you change the KMS key alias for the KMS key used to encrypt a parameter, then you must also update the key alias the parameter uses to reference KMS. Otherwise,GetParameterHistory
retrieves whatever the original key alias was referencing.
Get information about one or more parameters by specifying multiple parameter names.
To get information about a single parameter, you can use theGetParameter
operation instead.
Retrieve information about one or more parameters in a specific hierarchy.
Request results are returned on a best-effort basis. If you specifyMaxResults
in the request, the response includes information up to the limit specified. The number of items returned, however, can be between zero and the value of MaxResults
. If the service reaches an internal limit while processing the results, it stops the operation and returns the matching values up to that point and a NextToken
. You can specify the NextToken
in a subsequent call to get the next set of results.
Policy
object.
ServiceSetting
is an account-level setting for an Amazon Web Services service.
This setting defines how a user interacts with or uses a service or a feature of a service. For example, if an Amazon Web Services service charges money to the account based on feature or service usage, then the Amazon Web Services service team might create a default setting of false
. This means the user can't use this feature unless they change the setting to true
and intentionally opt in for a paid feature.
Services map a SettingId
object to a setting value. Amazon Web Services services teams define the default value for a SettingId
. You can't create a new SettingId
, but you can overwrite the default value if you have the ssm:UpdateServiceSetting
permission for the setting. Use the UpdateServiceSetting
API operation to change the default setting. Or use the ResetServiceSetting
to change the value back to the original value defined by the Amazon Web Services service team.
A parameter label is a user-defined alias to help you manage different versions of a parameter.
When you modify a parameter, Amazon Web Services Systems Manager automatically saves a new version and increments the version number by one. A label can help you remember the purpose of a parameter when there are multiple versions.
Parameter labels have the following requirements and restrictions.
A version of a parameter can have a maximum of 10 labels.
You can't attach the same label to different versions of the same parameter. For example, if version 1 has the label Production, then you can't attach Production to version 2.
You can move a label from one version of a parameter to another.
You can't create a label when you create a new parameter. You must attach a label to a specific version of a parameter.
If you no longer want to use a parameter label, then you can either delete it or move it to a different version of a parameter.
A label can have a maximum of 100 characters.
Labels can contain letters (case sensitive), numbers, periods (.), hyphens (-), or underscores (_).
Labels can't begin with a number, "
aws
" or "ssm
" (not case sensitive). If a label fails to meet these requirements, then the label isn't associated with a parameter and the system displays it in the list of InvalidLabels.
Returns all State Manager associations in the current Amazon Web Services account and Amazon Web Services Region.
You can limit the results to a specific State Manager association document or managed node by specifying a filter. State Manager is a capability of Amazon Web Services Systems Manager.An invocation is copy of a command sent to a specific managed node.
A command can apply to one or more managed nodes. A command invocation applies to one managed node. For example, if a user runsSendCommand
against three managed nodes, then a command invocation is created for each requested managed node ID. ListCommandInvocations
provide status about command execution.
For a specified resource ID, this API operation returns a list of compliance statuses for different resource types.
Currently, you can only specify one resource ID per call. List results depend on the criteria specified in the filter.Returns a summary count of compliant and non-compliant resources for a compliance type.
For example, this call can return State Manager associations, patches, or custom compliance types according to the filter criteria that you specify.Returns all Systems Manager (SSM) documents in the current Amazon Web Services account and Amazon Web Services Region.
You can limit the results of this request by using a filter.Returns a list of all OpsItem events in the current Amazon Web Services Region and Amazon Web Services account.
You can limit the results to events associated with specific OpsItems by specifying a filter.Returns a resource-level summary count.
The summary includes information about compliant and non-compliant statuses and detailed compliance-item severity counts, according to the filter criteria you specify.Lists your resource data sync configurations.
Includes information about the last time a sync attempted to start, the last sync status, and the last time a sync successfully completed.
The number of sync configurations might be too large to return using a single call toListResourceDataSync
. You can limit the number of sync configurations returned by using the MaxResults
parameter. To determine whether there are more sync configurations to list, check the value of NextToken
in the output. If there are more sync configurations to list, you can request them by specifying the NextToken
returned in the call to the parameter of a subsequent call.
Returns a list of the tags assigned to the specified resource.
For information about the ID format for each supported resource type, seeAddTagsToResource
.
Shares a Amazon Web Services Systems Manager document (SSM document)publicly or privately.
If you share a document privately, you must specify the Amazon Web Services user IDs for those people who can use the document. If you share a document publicly, you must specify All as the account ID.Registers a compliance type and other compliance details on a designated resource.
This operation lets you register custom compliance details with a resource. This call overwrites existing compliance information on the resource, so you must provide a full list of compliance items each time that you send the request.
ComplianceType can be one of the following:
ExecutionId: The execution ID when the patch, association, or custom compliance item was applied.
ExecutionType: Specify patch, association, or Custom:
string
.ExecutionTime. The time the patch, association, or custom compliance item was applied to the managed node.
Id: The patch, association, or custom compliance ID.
Title: A title.
Status: The status of the compliance item. For example,
approved
for patches, orFailed
for associations.Severity: A patch severity. For example,
Critical
.DocumentName: An SSM document name. For example,
AWS-RunPatchBaseline
.DocumentVersion: An SSM document version number. For example, 4.
Classification: A patch classification. For example,
security updates
.PatchBaselineId: A patch baseline ID.
PatchSeverity: A patch severity. For example,
Critical
.PatchState: A patch state. For example,
InstancesWithFailedPatches
.PatchGroup: The name of a patch group.
InstalledTime: The time the association, patch, or custom compliance item was applied to the resource. Specify the time by using the following format: yyyy-MM-dd'T'HH:mm:ss'Z'
Bulk update custom inventory items on one or more managed nodes.
The request adds an inventory item, if it doesn't already exist, or updates an inventory item, if it does exist.Creates or updates a Systems Manager resource policy.
A resource policy helps you to define the IAM entity (for example, an Amazon Web Services account) that can manage your Systems Manager resources. The following resources support Systems Manager resource policies.
OpsItemGroup
- The resource policy forOpsItemGroup
enables Amazon Web Services accounts to view and interact with OpsCenter operational work items (OpsItems).Parameter
- The resource policy is used to share a parameter with other accounts using Resource Access Manager (RAM).To share a parameter, it must be in the advanced parameter tier. For information about parameter tiers, see Managing parameter tiers: https://docs.aws.amazon.com/parameter-store- advanced-parameters.html. For information about changing an existing standard parameter to an advanced parameter, see Changing a standard parameter to an advanced parameter: https://docs.aws.amazon.com/parameter-store-advanced-parameters.html#parameter- store-advanced-parameters-enabling.
To share a
SecureString
parameter, it must be encrypted with a customer managed key, and you must share the key separately through Key Management Service. Amazon Web Services managed keys cannot be shared. Parameters encrypted with the default Amazon Web Services managed key can be updated to use a customer managed key instead. For KMS key definitions, see KMS concepts: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt in the Key Management Service Developer Guide.While you can share a parameter using the Systems Manager
PutResourcePolicy
operation, we recommend using Resource Access Manager (RAM) instead. This is because usingPutResourcePolicy
requires the extra step of promoting the parameter to a standard RAM Resource Share using the RAM PromoteResourceShareCreatedFromPolicy: https://docs.aws.amazon.com/ram/latest/APIReference/API_PromoteResourceShareCreatedFromPolicy.html API operation. Otherwise, the parameter won't be returned by the Systems Manager DescribeParameters: https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_DescribeParameters.html API operation using the--shared
option.For more information, see Sharing a parameter: https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-shared-parameters.html#share in the Amazon Web Services Systems Manager User Guide
Defines the default patch baseline for the relevant operating system.
To reset the Amazon Web Services-predefined patch baseline as the default, specify the full patch baseline Amazon Resource Name (ARN) as the baseline ID value. For example, for CentOS, specifyarn:aws:ssm:us-east-2:733109147000:patchbaseline/pb-0574b43a65ea646ed
instead of pb-0574b43a65ea646ed
.
ServiceSetting
is an account-level setting for an Amazon Web Services service.
This setting defines how a user interacts with or uses a service or a feature of a service. For example, if an Amazon Web Services service charges money to the account based on feature or service usage, then the Amazon Web Services service team might create a default setting of "false". This means the user can't use this feature unless they change the setting to "true" and intentionally opt in for a paid feature.
Services map a SettingId
object to a setting value. Amazon Web Services services teams define the default value for a SettingId
. You can't create a new SettingId
, but you can overwrite the default value if you have the ssm:UpdateServiceSetting
permission for the setting. Use the GetServiceSetting
API operation to view the current value. Use the UpdateServiceSetting
API operation to change the default setting.
Reconnects a session to a managed node after it has been disconnected.
Connections can be resumed for disconnected sessions, but not terminated sessions.
This command is primarily for use by client machines to automatically reconnect during intermittent network issues. It isn't intended for any other use.Runs an association immediately and only one time.
This operation can be helpful when troubleshooting associations.Creates a change request for Change Manager.
The Automation runbooks specified in the change request run only after all required approvals for the change request have been received.Initiates a connection to a target (for example, a managed node) for a Session Manager session.
Returns a URL and token that can be used to open a WebSocket connection for sending input and receiving outputs.
Amazon Web Services CLI usage: start-session
is an interactive command that requires the Session Manager plugin to be installed on the client machine making the call. For information, see Install the Session Manager plugin for the Amazon Web Services CLI: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html in the Amazon Web Services Systems Manager User Guide.
Permanently ends a session and closes the data connection between the Session Manager client and SSM Agent on the managed node.
A terminated session can't be resumed.Updates an association.
You can update the association name and version, the document version, schedule, parameters, and Amazon Simple Storage Service (Amazon S3) output. When you call UpdateAssociation
, the system removes all optional parameters from the request and overwrites the association with null values for those parameters. This is by design. You must specify all optional parameters in the call, even if you are not changing the parameters. This includes the Name
parameter. Before calling this API action, we recommend that you call the DescribeAssociation
API operation and make a note of all optional parameters required for your UpdateAssociation
call.
In order to call this API operation, a user, group, or role must be granted permission to call the DescribeAssociation
API operation. If you don't have permission to call DescribeAssociation
, then you receive the following error: An error occurred (AccessDeniedException) when calling the UpdateAssociation operation: User: <user_arn> isn
t authorized to perform: ssm:DescribeAssociation on resource: <resource_arn>'
ApplyOnlyAtCronInterval
parameter to run the association during the next schedule run.
Updates the status of the Amazon Web Services Systems Manager document (SSM document) associated with the specified managed node.
UpdateAssociationStatus
is primarily used by the Amazon Web Services Systems Manager Agent (SSM Agent) to report status updates about your associations and is only used for associations created with the InstanceId
legacy parameter.
Set the default version of a document.
If you change a document version for a State Manager association, Systems Manager immediately runs the association unless you previously specifed theapply-only-at-cron-interval
parameter.
Updates an existing maintenance window.
Only specified parameters are modified.
The value you specify forDuration
determines the specific end time for the maintenance window based on the time it begins. No maintenance window tasks are permitted to start after the resulting endtime minus the number of hours you specify for Cutoff
. For example, if the maintenance window starts at 3 PM, the duration is three hours, and the value you specify for Cutoff
is one hour, no maintenance window tasks can start after 5 PM.
Modifies the target of an existing maintenance window.
You can change the following:
Name
Description
Owner
IDs for an ID target
Tags for a Tag target
From any supported tag type to another. The three supported tag types are ID target, Tag target, and resource group. For more information, see
Target
.
Modifies a task assigned to a maintenance window.
You can't change the task type, but you can change the following values:
TaskARN
. For example, you can change aRUN_COMMAND
task fromAWS-RunPowerShellScript
toAWS-RunShellScript
.ServiceRoleArn
TaskInvocationParameters
Priority
MaxConcurrency
MaxErrors
One or more targets must be specified for maintenance window Run Command-type tasks. Depending on the task, targets are optional for other maintenance window task types (Automation, Lambda, and Step Functions). For more information about running tasks that don't specify targets, see Registering maintenance window tasks without targets: https://docs.aws.amazon.com/systems-manager/latest/userguide/maintenance-windows-targetless-tasks.html in the Amazon Web Services Systems Manager User Guide.
If the value for a parameter in UpdateMaintenanceWindowTask
is null, then the corresponding field isn't modified. If you set Replace
to true, then all fields required by the RegisterTaskWithMaintenanceWindow
operation are required for this request. Optional fields that aren't specified are set to null.
TaskInvocationParameters
, you must provide again all the TaskInvocationParameters
values that you want to retain. The values you don't specify again are removed. For example, suppose that when you registered a Run Command task, you specified TaskInvocationParameters
values for Comment
, NotificationConfig
, and OutputS3BucketName
. If you update the maintenance window task and specify only a different OutputS3BucketName
value, the values for Comment
and NotificationConfig
are removed.
Changes the Identity and Access Management (IAM) role that is assigned to the on-premises server, edge device, or virtual machines (VM).
IAM roles are first assigned to these hybrid nodes during the activation process. For more information, seeCreateActivation
.
Edit or change an OpsItem.
You must have permission in Identity and Access Management (IAM) to update an OpsItem. For more information, see Set up OpsCenter: https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter-setup.html in the Amazon Web Services Systems Manager User Guide.
Operations engineers and IT professionals use Amazon Web Services Systems Manager OpsCenter to view, investigate, and remediate operational issues impacting the performance and health of their Amazon Web Services resources. For more information, see OpsCenter: https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter.html in the Amazon Web Services Systems Manager User Guide.Modifies an existing patch baseline.
Fields not specified in the request are left unchanged.
For information about valid key-value pairs inPatchFilters
for each supported operating system type, see PatchFilter
.
Update a resource data sync.
After you create a resource data sync for a Region, you can't change the account options for that sync. For example, if you create a sync in the us-east-2 (Ohio) Region and you choose the Include only the current account
option, you can't edit that sync later and choose the Include all accounts from my Organizations configuration
option. Instead, you must delete the first resource data sync, and create a new one.
SyncType
.
ServiceSetting
is an account-level setting for an Amazon Web Services service.
This setting defines how a user interacts with or uses a service or a feature of a service. For example, if an Amazon Web Services service charges money to the account based on feature or service usage, then the Amazon Web Services service team might create a default setting of "false". This means the user can't use this feature unless they change the setting to "true" and intentionally opt in for a paid feature.
Services map a SettingId
object to a setting value. Amazon Web Services services teams define the default value for a SettingId
. You can't create a new SettingId
, but you can overwrite the default value if you have the ssm:UpdateServiceSetting
permission for the setting. Use the GetServiceSetting
API operation to view the current value. Or, use the ResetServiceSetting
to change the value back to the original value defined by the Amazon Web Services service team.