AWS Systems Manager
LearningTree · AWS · Management

AWS Systems Manager — Operational Hub for Hybrid Cloud

Systems Manager (SSM) is the unified operations centre for AWS and on-premises infrastructure. It handles patching, configuration, secrets, automation, remote access, and inventory — all without needing SSH or RDP.

01
Chapter One · Management

What is AWS Systems Manager?

AWS Systems Manager (SSM) is a collection of operational tools for managing infrastructure at scale. It provides a single pane of glass for patching, configuration, parameter/secret management, remote access, inventory, and automation — across both AWS and on-premises servers.

Mental Model — The IT Control Room (Introductory)

IT Control Room

  • Central dashboard showing all servers
  • Remote into any machine without walking to it
  • Push patches to 1,000 servers at once
  • Store passwords in a locked cabinet, not sticky notes
  • Run maintenance scripts on a schedule

Systems Manager

  • Fleet Manager shows all managed instances
  • Session Manager — browser-based shell, no SSH keys
  • Patch Manager — OS and application patching at scale
  • Parameter Store — encrypted config and secrets
  • Automation — multi-step runbooks on schedule or event

SSM Agent — The Foundation (Core)

Everything in Systems Manager requires the SSM Agent running on managed instances:

SSM Agent — How Instances Become Managed (diagram): EC2 instances (agent pre-installed), on-premises servers and other VMs (agent installed), each with an IAM instance profile (a hybrid activation supplies the role for on-premises machines), call the Systems Manager API endpoints over outbound HTTPS. Over that single channel the service delivers Run Command, Patch Manager, Session Manager (shell access), Parameter Store, State Manager, Inventory and Automation. Because the agent calls SSM outbound over HTTPS, no inbound ports are needed (no SSH/RDP required).

Requirement | Details
--- | ---
SSM Agent | Pre-installed on Amazon Linux 2/2023, Ubuntu 16.04+, Windows Server 2016+. Must be installed manually on on-prem or other OSes.
IAM Role | EC2 instances need an instance profile with the AmazonSSMManagedInstanceCore policy
Network | Outbound HTTPS to SSM endpoints (port 443). No inbound ports required — the agent polls the service.
On-premises | Install the agent and create a hybrid activation (activation code + ID). Instances appear with the prefix mi-
SSM Capabilities Overview (Introductory)

Parameter Store

Hierarchical config & secret storage with encryption, versioning, and IAM access control

Patch Manager

Automated OS and application patching with baselines, schedules, and compliance reporting

Run Command

Execute commands on managed instances at scale without SSH — with output logging

Session Manager

Browser-based shell access — no SSH keys, no bastion hosts, full audit trail in CloudTrail

Automation

Multi-step runbooks (SSM Documents) for operational tasks — e.g., AMI creation, patching workflows

Inventory

Collect metadata from instances — installed software, OS versions, network config, Windows updates

Exam Insight
  • "Manage instances without SSH" → Systems Manager (Session Manager) — requires SSM Agent + IAM role, no inbound ports
  • "SSM Agent pre-installed?" → Yes on Amazon Linux 2/2023, Ubuntu 16.04+, Windows Server 2016+
  • "On-premises server management" → Install SSM Agent + hybrid activation → managed as mi-* instances
  • "SSM requires what IAM policy?" → AmazonSSMManagedInstanceCore on EC2 instance profile

Chapter 01 — Key Takeaway

Systems Manager is a collection of operational tools unified under one service — Parameter Store, Patch Manager, Run Command, Session Manager, Automation, and Inventory. The SSM Agent (pre-installed on modern AMIs) communicates outbound over HTTPS — no SSH/RDP ports needed. Instances need an IAM role with AmazonSSMManagedInstanceCore. On-premises servers use hybrid activations.

02
Chapter Two · Management

Parameter Store & Secrets Management

SSM Parameter Store provides secure, hierarchical storage for configuration data and secrets — database connection strings, API keys, license codes, and feature flags. It's the recommended alternative to hard-coding values in application code.

Parameter Types (Core)

Type | Use Case | Encryption | Max Size
--- | --- | --- | ---
String | Plain text config (AMI ID, URL) | None | 4 KB (standard) / 8 KB (advanced)
StringList | Comma-separated values | None | 4 KB / 8 KB
SecureString | Passwords, DB connection strings, API keys | KMS encryption | 4 KB / 8 KB

Hierarchical Naming (Core)

Parameters use a path-based hierarchy — like a filesystem:

  • /myapp/prod/db/connection-string
  • /myapp/prod/db/password (SecureString)
  • /myapp/staging/db/connection-string
  • /shared/ami/amazon-linux-latest

Use GetParametersByPath to fetch all parameters under /myapp/prod/ in one call. IAM policies can scope access to specific paths: arn:aws:ssm:*:*:parameter/myapp/prod/*.
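The path scoping above is worth checking before a policy ships, because IAM's `*` matches any run of characters: `parameter/myapp/prod/*` keeps the grant inside the hierarchy, while dropping the trailing slash (`parameter/myapp/prod*`) also grants every sibling that merely starts with "prod". The following is an added example, not code from the page or from AWS: it models IAM resource matching over parameter ARNs and the hierarchy-level semantics of GetParametersByPath on a constructed parameter set; the region, account id and the `/myapp/production-mirror` parameter are made up.

```python
import re

# Constructed sample parameters, named with the page's /app/env/key hierarchy.
# /myapp/production-mirror is included deliberately: it shares a string prefix with /myapp/prod.
PARAMETERS = {
    "/myapp/prod/db/connection-string": "String",
    "/myapp/prod/db/password": "SecureString",
    "/myapp/staging/db/connection-string": "String",
    "/myapp/production-mirror/db/password": "SecureString",
    "/shared/ami/amazon-linux-latest": "String",
}

def parameter_arn(name, region="eu-west-1", account="123456789012"):
    """ARN form IAM evaluates for a parameter (region and account are placeholders).
    A name that starts with '/' yields ...:parameter/myapp/... with a single slash."""
    return f"arn:aws:ssm:{region}:{account}:parameter{name}"

def arn_matches(pattern, arn):
    """IAM resource matching: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, arn) is not None

def granted_parameters(resource_patterns):
    """Names an Allow statement with these Resource entries (and no conditions) would grant."""
    return sorted(n for n in PARAMETERS
                  if any(arn_matches(p, parameter_arn(n)) for p in resource_patterns))

def parameters_by_path(path):
    """Model GetParametersByPath with Recursive=True: the path is a hierarchy level, so
    /myapp/prod returns /myapp/prod/... but never /myapp/production-mirror/..."""
    prefix = path.rstrip("/") + "/"
    return sorted(n for n in PARAMETERS if n.startswith(prefix))

def over_granted_secrets(resource_patterns, intended_path):
    """Defender check: SecureStrings the policy grants beyond the path it was meant to scope."""
    intended = set(parameters_by_path(intended_path))
    return [n for n in granted_parameters(resource_patterns)
            if n not in intended and PARAMETERS[n] == "SecureString"]

if __name__ == "__main__":
    tight = ["arn:aws:ssm:*:*:parameter/myapp/prod/*"]   # pattern from the text above
    loose = ["arn:aws:ssm:*:*:parameter/myapp/prod*"]    # missing slash: also matches production-mirror
    print("tight:", granted_parameters(tight))
    print("loose:", granted_parameters(loose))
    print("secrets leaked by loose pattern:", over_granted_secrets(loose, "/myapp/prod"))
```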

Standard vs Advanced Parameters (Core)

Feature | Standard | Advanced
--- | --- | ---
Max parameters per account | 10,000 | 100,000
Max value size | 4 KB | 8 KB
Parameter policies (TTL, expiry) | No | Yes
Cost | Free | $0.05/parameter/month
Higher throughput | 40 TPS default | 1,000 TPS ($0.05/10K interactions)

Parameter Store vs Secrets Manager (Core)

Feature | Parameter Store | Secrets Manager
--- | --- | ---
Automatic rotation | No (manual via Lambda) | Yes — built-in for RDS, Redshift, DocumentDB
Cross-account sharing | No (reference by ARN only) | Yes — resource policies
Cross-region replication | No | Yes
KMS encryption | Optional (SecureString) | Always encrypted
Cost | Free (standard) | $0.40/secret/month + $0.05/10K API calls
Versioning | Yes (labels) | Yes (staging labels)
Integration | SSM ecosystem, CloudFormation, SDKs | RDS, Redshift, Lambda, ECS, EKS

Decision Rule

Need auto-rotation for RDS/Redshift? → Secrets Manager. Need cross-account or cross-region secret sharing? → Secrets Manager. Just storing config values or simple secrets without rotation? → Parameter Store (free). Budget-conscious? → Parameter Store SecureString is free with KMS.

Exam Insight
  • "Store DB password encrypted, free" → Parameter Store SecureString (KMS encrypted, standard tier free)
  • "Auto-rotate RDS credentials" → Secrets Manager (not Parameter Store)
  • "Fetch all config for an environment" → GetParametersByPath(/myapp/prod/)
  • "Parameter Store max throughput" → 40 TPS standard, 1,000 TPS advanced ($)
  • "Expiring parameter (TTL)" → Advanced parameter with parameter policy
  • "Cross-account secret sharing" → Secrets Manager (resource policies), not Parameter Store

Chapter 02 — Key Takeaway

Parameter Store provides free, hierarchical, versioned storage for config and secrets. SecureString type encrypts with KMS. Use path-based naming (/app/env/key) for organisation and IAM scoping. Standard tier is free (10K params, 4 KB). Choose Secrets Manager over Parameter Store when you need automatic rotation, cross-account sharing, or cross-region replication.

03
Chapter Three · Management

Patch Manager & Run Command

Patch Manager automates the process of patching managed instances with OS and application updates. Run Command executes commands on instances at scale without SSH. Together they form the core operational toolkit.

Patch Manager (Core)

Patch Manager — Automated Patching Flow (diagram): a patch baseline (rules + approvals) defines which patches apply; a maintenance window schedules the run; a patch group (the Patch Group tag) selects the target instances; the operation scans or installs; the results feed the compliance report and dashboard.

Concept | What It Does
--- | ---
Patch Baseline | Defines which patches are approved/rejected (by severity, classification, auto-approve after N days)
Patch Group | EC2 tag (Patch Group = Production) that associates instances with a baseline
Maintenance Window | Scheduled time window (e.g., Sunday 2 AM–5 AM) when patches are applied
Scan vs Install | Scan = report compliance only. Install = scan + apply missing patches + optional reboot
Compliance | Dashboard showing compliant/non-compliant instances + missing patches
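The baseline, patch group, scan and install concepts in the table fit together as one evaluation, modelled here as an added example (not code from the page or from Patch Manager itself): a constructed patch catalogue, two constructed baselines selected by the Patch Group tag, a scan that only reports, and an install that applies what the scan found missing. Patch ids, dates and tag values are made up.

```python
from datetime import date, timedelta

# Constructed patch catalogue standing in for the vendor feed a baseline evaluates.
AVAILABLE_PATCHES = [
    {"id": "KB-1001", "classification": "Security", "severity": "Critical", "released": date(2024, 5, 1)},
    {"id": "KB-1002", "classification": "Security", "severity": "Important", "released": date(2024, 5, 20)},
    {"id": "KB-1003", "classification": "Bugfix", "severity": "Moderate", "released": date(2024, 4, 10)},
    {"id": "KB-1004", "classification": "Security", "severity": "Critical", "released": date(2024, 5, 25)},
    {"id": "KB-1005", "classification": "Security", "severity": "Important", "released": date(2024, 4, 1)},
]
SAMPLE_DAY = date(2024, 5, 27)  # constructed date on which the scan runs

# Constructed baselines keyed by the instance's 'Patch Group' tag value. Production approves
# Security patches rated Critical/Important 7 days after release and explicitly rejects KB-1005;
# Staging approves everything immediately.
BASELINES = {
    "Production": {"rules": [{"classifications": {"Security"}, "severities": {"Critical", "Important"},
                              "approve_after_days": 7}], "rejected": {"KB-1005"}},
    "Staging": {"rules": [{"classifications": {"Security", "Bugfix"},
                           "severities": {"Critical", "Important", "Moderate"},
                           "approve_after_days": 0}], "rejected": set()},
}

def approved_patches(baseline, patches, today):
    """Apply the baseline's approval rules (classification, severity, auto-approve delay) and rejections."""
    approved = []
    for p in patches:
        if p["id"] in baseline["rejected"]:
            continue
        for rule in baseline["rules"]:
            if (p["classification"] in rule["classifications"] and p["severity"] in rule["severities"]
                    and p["released"] + timedelta(days=rule["approve_after_days"]) <= today):
                approved.append(p["id"])
                break
    return approved

def scan(instance, today, patches=AVAILABLE_PATCHES):
    """Scan operation: compliance against the baseline selected by the Patch Group tag; installs nothing."""
    baseline = BASELINES[instance["tags"]["Patch Group"]]
    missing = [pid for pid in approved_patches(baseline, patches, today) if pid not in instance["installed"]]
    return {"instance": instance["id"], "compliant": not missing, "missing": missing}

def install(instance, today, patches=AVAILABLE_PATCHES):
    """Install operation: scan, then apply the missing approved patches (reboot handling omitted)."""
    report = scan(instance, today, patches)
    instance["installed"] |= set(report["missing"])
    return report

def compliance_dashboard(fleet, today):
    """Fleet view like the Patch Manager compliance page: instance id -> compliant?"""
    return {r["instance"]: r["compliant"] for r in (scan(i, today) for i in fleet)}
```

Note that KB-1004 stays unapproved for Production until seven days after its release, which is exactly the window an attacker-relevant critical patch sits in before the baseline picks it up.
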

Run Command (Core)

What Run Command Does

  • Execute commands on 1 or 1,000+ instances simultaneously
  • No SSH/RDP needed — uses SSM Agent
  • Uses pre-built or custom SSM Documents
  • Target by tags, instance IDs, or resource groups
  • Rate control: max concurrent + max errors before stop

Common SSM Documents

  • AWS-RunShellScript — run bash on Linux
  • AWS-RunPowerShellScript — run PowerShell on Windows
  • AWS-RunPatchBaseline — scan or install patches
  • AWS-ConfigureAWSPackage — install software (e.g., CloudWatch Agent)
  • AWS-UpdateSSMAgent — update the SSM Agent itself

Output & Logging

Run Command output can be sent to S3 (full output) and CloudWatch Logs (streaming). All command executions are logged in CloudTrail. For long-running commands (>2.5 hours), use SSM Automation instead.

Exam Insight
  • "Patch all production servers on Sunday" → Patch Manager + maintenance window + patch group tag
  • "Run a script on 500 instances" → Run Command with AWS-RunShellScript
  • "Check patch compliance without patching" → Patch Manager scan operation (not install)
  • "Install CloudWatch Agent on all instances" → Run Command with AWS-ConfigureAWSPackage
  • "Rate-limit command execution" → Max concurrency + max errors in Run Command

Chapter 03 — Key Takeaway

Patch Manager automates patching with baselines (approved patches), maintenance windows (scheduled time), and patch groups (EC2 tags). Scan reports compliance; Install applies patches. Run Command executes commands at scale without SSH — target by tags, control rate, log output to S3/CloudWatch. Both use SSM Documents (pre-built or custom YAML/JSON templates).

04
Chapter Four · Management

Session Manager, Inventory & State Manager

Session Manager replaces SSH/RDP with secure, auditable, browser-based shell access. Inventory collects metadata from instances. State Manager enforces desired configuration continuously.

Session Manager (Core)

Why Session Manager

  • No SSH keys to manage or rotate
  • No bastion hosts — direct secure access
  • No inbound ports — port 22/3389 closed
  • IAM-controlled — who can start sessions
  • Full audit trail — every keystroke logged
  • Works through AWS PrivateLink (no internet needed)

Security Features

  • Session logs → S3 and/or CloudWatch Logs
  • Session activity logged in CloudTrail
  • KMS encryption for session data in transit
  • IAM policies control: who, which instances, when
  • Can enforce run-as user (e.g., root/ec2-user)
  • Port forwarding for RDS, databases, internal services

Best Practice

Replace SSH entirely with Session Manager. Close port 22 on all security groups. Use Session Manager port forwarding for database access:

aws ssm start-session --target i-xxx --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters host=mydb.rds.amazonaws.com,portNumber=5432,localPortNumber=5432
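The "every keystroke logged" guarantee above applies to interactive shell sessions; port-forwarding sessions such as the one in the command above, and SSH tunnelled over Session Manager, are encrypted end to end, so only the CloudTrail StartSession record shows they happened. The following added example (not code from the page or from AWS) audits constructed CloudTrail records for sessions whose content will not appear in S3/CloudWatch Logs and names any forwarding target that is not on an approved list; the record layout, role names, instance ids and session ids are assumed and made up.

```python
import json

# Constructed CloudTrail records shaped like ssm.amazonaws.com StartSession events; the field layout
# is assumed from the CloudTrail record format and every value is made up.
SAMPLE_TRAIL = [json.dumps(e) for e in [
    {"eventSource": "ssm.amazonaws.com", "eventName": "StartSession", "eventTime": "2024-05-27T02:10:00Z",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/OpsRole/alice"},
     "requestParameters": {"target": "i-0aaa111", "documentName": "SSM-SessionManagerRunShell"},
     "responseElements": {"sessionId": "alice-0001"}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "StartSession", "eventTime": "2024-05-27T02:12:00Z",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/OpsRole/bob"},
     "requestParameters": {"target": "i-0bbb222", "documentName": "AWS-StartPortForwardingSessionToRemoteHost",
                           "parameters": {"host": ["mydb.rds.amazonaws.com"], "portNumber": ["5432"]}},
     "responseElements": {"sessionId": "bob-0002"}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "StartSession", "eventTime": "2024-05-27T02:15:00Z",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/OpsRole/bob"},
     "requestParameters": {"target": "i-0bbb222", "documentName": "AWS-StartSSHSession"},
     "responseElements": {"sessionId": "bob-0003"}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "GetParameter", "eventTime": "2024-05-27T02:16:00Z",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/AppRole/i-0aaa111"},
     "requestParameters": {"name": "/myapp/prod/db/password"}},
]]

# SSM-SessionManagerRunShell is the shell document the console creates from session preferences; add any
# custom Session-type shell documents here. Port-forwarding and SSH-over-SSM sessions carry end-to-end
# encrypted traffic, so their content is never written to S3/CloudWatch and CloudTrail is the only record.
SHELL_DOCUMENTS = {"SSM-SessionManagerRunShell"}
PORT_FORWARDING_DOCUMENTS = {"AWS-StartPortForwardingSession", "AWS-StartPortForwardingSessionToRemoteHost"}

def start_session_events(lines):
    """Parse JSON-per-line CloudTrail records and keep only Session Manager StartSession calls."""
    events = (json.loads(line) for line in lines)
    return [e for e in events if e.get("eventSource") == "ssm.amazonaws.com" and e.get("eventName") == "StartSession"]

def audit_sessions(lines, approved_forward_hosts):
    """One finding per StartSession whose content is not keystroke-logged; unapproved forwarding hosts are named."""
    findings = []
    for e in start_session_events(lines):
        req = e["requestParameters"]
        doc = req.get("documentName", "")
        if doc in SHELL_DOCUMENTS:
            continue  # interactive shell: keystrokes go to S3/CloudWatch Logs per the session preferences
        finding = {"session": e.get("responseElements", {}).get("sessionId"),
                   "user": e["userIdentity"]["arn"].rsplit("/", 1)[-1], "target": req["target"], "document": doc}
        if doc in PORT_FORWARDING_DOCUMENTS:
            host = req.get("parameters", {}).get("host", [req["target"]])[0]  # local forwarding: the instance itself
            finding["reason"] = ("port forwarding (not content-logged)" if host in approved_forward_hosts
                                 else "port forwarding to unapproved host " + host)
        else:
            finding["reason"] = "session content not logged (" + doc + ")"
        findings.append(finding)
    return findings
```
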

Inventory (Core)

SSM Inventory collects metadata from managed instances and stores it centrally:

Data Collected | Examples
--- | ---
Applications | Installed software, versions, publishers
AWS components | SSM Agent version, CloudWatch Agent
Network config | IP addresses, MAC addresses, DNS settings
Windows updates | Installed KB patches, update history
Instance details | OS name, version, hostname, CPU, RAM
Custom inventory | Your own metadata (rack location, business unit)

Inventory data can be synced to S3 (via Resource Data Sync) and queried with Athena for fleet-wide analysis (e.g., "which instances run Java 8?").

State Manager (Core)

State Manager ensures instances stay in a defined state by applying SSM Documents on a schedule or at launch:

How It Works

  • Create an association: SSM Document + target instances + schedule
  • State Manager applies the document automatically
  • If an instance drifts, the document is re-applied on the next schedule
  • Reports compliance status per association

Common Use Cases

  • Ensure CloudWatch Agent is always installed + running
  • Apply security baseline on every launch
  • Join instances to Active Directory domain
  • Keep SSM Agent updated automatically

Exam Insight
  • "Secure access without SSH keys or bastion" → Session Manager
  • "Audit every command typed on instances" → Session Manager with logging to S3/CW Logs
  • "Find all instances running outdated OpenSSL" → SSM Inventory → Athena query
  • "Ensure CloudWatch Agent always installed" → State Manager association
  • "Port 22 must be closed — how to access?" → Session Manager (uses HTTPS, port 443 outbound)
  • "Access RDS without public endpoint" → Session Manager port forwarding

Chapter 04 — Key Takeaway

Session Manager replaces SSH with IAM-controlled, auditable, browser-based shell access — no keys, no bastion hosts, no inbound ports. Inventory collects fleet metadata (software, OS, network) — sync to S3 and query with Athena. State Manager enforces desired configuration by applying SSM Documents on a schedule — if instances drift, it re-applies. Together they provide access, visibility, and configuration enforcement.

05
Chapter Five · Management

Automation, Documents & Cost

SSM Automation orchestrates multi-step operational workflows using runbooks — from AMI creation to incident response to Config remediation. It's the engine behind many AWS auto-remediation patterns.

SSM Automation (Core)

What Automation Does

  • Multi-step runbooks (SSM Documents of type Automation)
  • Steps can: run commands, invoke Lambda, call APIs, approve, wait
  • Built-in error handling and rollback
  • Triggered manually, on schedule, or by EventBridge
  • Cross-account and cross-region execution

Common Automation Runbooks

  • AWS-CreateImage — create AMI from running instance
  • AWS-StopEC2Instance / AWS-StartEC2Instance
  • AWS-RestartEC2Instance — stop, wait, start
  • AWS-DisableS3BucketPublicReadWrite — Config remediation
  • AWS-PatchInstanceWithRollback — patch + rollback on failure

SSM Documents — The Building Blocks (Core)

Document Type | Used By | Example
--- | --- | ---
Command document | Run Command, State Manager | AWS-RunShellScript
Automation document | SSM Automation, Config remediation | AWS-CreateImage
Session document | Session Manager | AWS-StartInteractiveCommand
Package document | Distributor | Custom software packages
Policy document | State Manager | Inventory collection policy

Automation + EventBridge + Config

The most powerful SSM pattern: Config rule detects non-compliance → triggers SSM Automation runbook → auto-remediates the resource → Config re-evaluates → compliant. This is the engine behind AWS Config auto-remediation. You can also trigger Automation from EventBridge rules for any operational event.

Change Manager & Change Calendar (In-Depth)

Change Manager

  • Approval workflows for operational changes
  • Change templates with required approvers
  • Integration with SSM Automation for execution
  • Audit trail of who approved what
  • SNS notifications for pending approvals

Change Calendar

  • Define allowed/blocked time windows for changes
  • Calendar state: OPEN (changes allowed) or CLOSED
  • Automation checks calendar before executing
  • Prevent changes during: holidays, peak hours, launches
  • Integrates with Change Manager and Automation

Systems Manager Pricing (Core)

Feature | Cost
--- | ---
Parameter Store (standard) | Free (up to 10,000 parameters, 40 TPS)
Parameter Store (advanced) | $0.05/parameter/month
Run Command | Free
Session Manager | Free
Patch Manager | Free (AWS instances), $5/server/month (on-prem)
Automation | Free (first 100K steps/month), $0.00025/step after
State Manager | Free
Inventory | Free
Change Manager | $0.36/change request
OpsCenter | $0.00356/OpsItem

Cost Highlight

Most SSM features are free — Parameter Store (standard), Run Command, Session Manager, State Manager, Inventory, and Patch Manager for AWS instances. The main costs come from: advanced parameters, on-premises patch management ($5/server/month), Change Manager, and high-volume automation steps.

SSM vs Third-Party Tools (Introductory)

Need | SSM Solution | Third-Party Alternative
--- | --- | ---
Remote access | Session Manager | SSH + bastion, Teleport
Config management | State Manager | Ansible, Chef, Puppet
Patching | Patch Manager | WSUS, SCCM, Ansible
Secrets | Parameter Store | HashiCorp Vault, Doppler
Automation | SSM Automation | Ansible, Terraform, Jenkins

Exam Insight
  • "Create AMI automatically" → SSM Automation AWS-CreateImage
  • "Multi-step operational workflow with approval" → Change Manager + Automation
  • "Block changes during peak hours" → Change Calendar (CLOSED state)
  • "Config remediation engine" → SSM Automation documents (behind Config auto-remediation)
  • "Free operational tools" → Run Command, Session Manager, State Manager, Inventory, standard Parameter Store — all free
  • "On-prem patching cost" → $5/instance/month (managed by SSM)

Chapter 05 — Key Takeaway

SSM Automation orchestrates multi-step runbooks for operational tasks — triggered manually, on schedule, or by EventBridge/Config. SSM Documents are the building blocks (command, automation, session, package, policy types). Change Manager adds approval workflows; Change Calendar blocks changes during sensitive periods. Most SSM features are free — the service is remarkably cost-effective for its breadth of capabilities.

Systems Manager — Complete Domain Summary

  • Foundation — SSM Agent (pre-installed on modern AMIs) + IAM instance profile + outbound HTTPS. No SSH/inbound ports needed.
  • Parameter Store — free hierarchical config/secret storage. SecureString encrypts with KMS. Use Secrets Manager when you need auto-rotation or cross-account sharing.
  • Patch Manager — baselines define approved patches, maintenance windows schedule, patch groups target via tags. Scan or install mode.
  • Run Command — execute commands at scale without SSH using SSM Documents. Target by tags, control rate, log to S3/CloudWatch.
  • Session Manager — replaces SSH/RDP entirely. IAM-controlled, auditable, encrypted. No keys, no bastions, no inbound ports.
  • Automation — multi-step runbooks for operational workflows. Powers Config auto-remediation. Change Manager adds approvals; Change Calendar blocks changes.
  • Cost — most features free (Run Command, Session Manager, State Manager, Inventory, standard Parameter Store). On-prem patching: $5/server/month.