A collection of AWS Systems Manager (SSM) configuration templates for the automation of security and operation tasks in AWS environments. Configuration items include templates to configure patching, maintenance windows, required IAM roles for SSM operations, as well as security configurations to support AWS SSM such as IAM policies, config rules, and more.
A configuration guide for setting up the necessary configuration for AWS Systems Manager Patch Manager to automatically scan and/or apply patches to EC2 instances in an AWS environment.
Configure an AWS Systems Manager Custom Patch Baseline and Patch Groups
This template creates an association that uses the AWS-UpdateSSMAgent SSM document. The association updates SSM Agent on all managed instances (instances configured for Systems Manager) in the user's AWS account according to the specified CRON schedule.
This template creates an association that uses the AWS-UpdateSSMAgent SSM document. The association updates SSM Agent on all managed instances that are assigned a tag key of `Environment` and value of `Production`. The association runs every seven days according to the specified rate expression.
This template creates an IAM role and an SSM association to automate the stopping of an EC2 instance. The IAM role has the necessary permissions to execute the automation and the SSM association specifies the target instance to stop.
This template creates an association that uses rate controls. The association attempts to update SSM Agent on only 20% of instances at one time. Systems Manager stops the association from running on any additional instances if the execution fails on 5% of the total number of instances. Systems Manager also logs the association output to Amazon S3.
This template creates an AWS::SSM::Document resource that represents an Automation runbook. The runbook runs the specified commands on an EC2 Linux instance. The template includes parameters for the Automation assume role, commands to run, and the instance ID. The main step of the runbook uses the AWS-RunShellScript document to execute the commands on the specified instance.
This template creates an AWS::SSM::Document resource that represents a document for running commands on an EC2 Linux instance.
This template creates an AWS::SSM::Document resource that represents a document for joining instances to a directory in AWS Directory Service.
This template creates an AWS SSM Document for Session Manager preferences, allowing you to configure regional settings for Session Manager. It includes options for S3 bucket, CloudWatch logs, encryption, shell profiles, and more.
This template creates an AWS::SSM::Document resource that represents a Systems Manager Distributor package. The template includes the package content, publisher, schema version, and version. The package is associated with a source URL for distribution.
This template creates an AWS::SSM::Document resource that represents a Systems Manager Change Calendar document. The template includes the content of the document in text format.
This template creates an AWS Systems Manager maintenance window. The maintenance window runs for two hours with a one-hour cutoff every Sunday at 04:00 AM US Eastern Time. It does not allow unregistered targets.
This template creates an AWS Systems Manager maintenance window target that targets managed instances with a specific tag.
This template creates an AWS Systems Manager maintenance window task that runs a Run Command task. The task targets instances using a resource group name. The task installs patches on the instances without rebooting them.
This template creates an AWS Systems Manager maintenance window task that runs a Run Command task. The task targets instances using a maintenance window target ID. The task installs patches on the instances without rebooting them.
This template creates an AWS Systems Manager maintenance window task that runs a Run Command task. The task targets instances using a maintenance window target ID. The task runs a PowerShell script that includes commands to restart a service, get the execution policy, and set the execution policy.
This template creates an AWS Systems Manager maintenance window task that runs an Automation runbook. The task targets instances using a maintenance window target ID. The runbook is specified as `AWS-PatchInstanceWithRollback` and the task uses the specified service role.
This template creates a Step Functions task that targets a maintenance window target ID. The task is invoked with specific parameters and has priority, concurrency, and error-handling settings.
This template creates an AWS Systems Manager maintenance window task that runs a Step Function. The task targets instances using the specified instance ID.
This template creates a maintenance window task that invokes a Lambda function. The task is associated with a specific maintenance window and has a priority of 1.
This template creates a Systems Manager parameter named `command` with a String type.
This template creates a Systems Manager parameter named `commands` with a StringList type.
This template creates a Systems Manager advanced tier parameter named `command` with a String type. It is assigned the advanced tier and a parameter policy.
This template creates a Systems Manager patch baseline that approves patches for Windows Server 2019 instances seven days after they are released by Microsoft. The patch baseline also approves patches for Active Directory seven days after they are released by Microsoft.
This template creates a resource data sync for Systems Manager. It synchronizes Systems Manager Inventory metadata in the US East (Ohio) Region (us-east-2) to a single Amazon S3 bucket. The resource data sync automatically updates the centralized data when new data is collected.
This template creates a resource data sync for Systems Manager Explorer. It synchronizes Systems Manager Explorer OpsData and OpsItems from multiple AWS Regions in a single AWS account.
This template creates a resource data sync for Systems Manager Explorer. It synchronizes Systems Manager Explorer OpsData and OpsItems from your entire organization in AWS Organizations in the us-west-1 Region.
This template creates an AWS Systems Manager (SSM) Resource Data Sync that syncs data from an AWS Organizations organizational unit in the us-west-1 region. The sync is named 'test-sync' and includes only the specified organizational unit and does not include future regions.
This template creates resources needed for a member account to work with OpsCenter OpsItems across multiple accounts. It creates an AWS::SSM::ResourcePolicy and an AWS::IAM::Role. The resource policy allows specified AWS Organizations management or delegated administrator account IDs to access OpsItems and perform actions such as creating, updating, and getting OpsItems. The IAM role is used by the management account or delegated administrator to remediate OpsItems.
A Config rule that checks whether the Amazon EC2 instances in your account are managed by AWS Systems Manager.
A Config rule that checks whether the status of the Amazon EC2 Systems Manager (SSM) association compliance is COMPLIANT or NON_COMPLIANT after the association execution on the instance. The rule is compliant if the status field is COMPLIANT.
A Config rule that checks whether the status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance. The rule is compliant if the status field is COMPLIANT.
A Config rule that checks whether EC2 managed instances have the desired configurations.
A Config rule that checks whether all of the specified applications are installed on the instance. Optionally, specify the minimum acceptable version. You can also specify the platform to apply the rule only to instances running that platform.
A Config rule that checks that none of the specified applications are installed on the instance. Optionally, specify the application version. Newer versions of the application will not be blacklisted. You can also specify the platform to apply the rule only to instances running that platform.
A Config rule that checks whether instances managed by AWS Systems Manager are configured to collect blacklisted inventory types.
An IAM policy that provides end users the ability to start a session with a particular instance and the ability to terminate only their own sessions.
An IAM policy that provides end users the ability to start a session with instances based on the tags assigned and the ability to terminate only their own sessions.
An IAM policy that allows a user to fully interact with all instances and all sessions created by all users for all instances, as well as permission to create, update, and delete preferences. It should be granted only to an Administrator who needs full control over your organization's Session Manager activities.