A collection of AWS Systems Manager (SSM) configuration templates for automating security and operations tasks in AWS environments. The items include templates for patching, maintenance windows, and the IAM roles SSM operations require, as well as supporting security configurations such as IAM policies, AWS Config rules, and more.

SSM Documents
AWS SSM Document: Automation Runbook to Run Commands on an EC2 Linux Instance

This template creates an AWS::SSM::Document resource of type Automation (an Automation runbook) that runs the specified commands on an EC2 Linux instance. The template takes parameters for the Automation assume role (the IAM role Automation assumes while the runbook executes, so it should be scoped to only the actions the runbook needs), the commands to run, and the instance ID. The runbook's main step is an aws:runCommand action that invokes the AWS-RunShellScript document on the specified instance.
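As an added illustration (this is not the catalog's own template), the following CloudFormation template builds a runbook of the shape described above: an Automation document whose single step calls AWS-RunShellScript through aws:runCommand. The document name, parameter names, and the allowedPattern regexes are assumptions; the instance ID and role ARN are validated before the runbook runs so that a caller cannot pass arbitrary strings into the SendCommand call.

```yaml
# Added example, not one of the catalog's templates. Document and parameter
# names are illustrative. Content is written as a YAML map, which CloudFormation
# serialises as JSON (the default DocumentFormat) when it calls CreateDocument.
AWSTemplateFormatVersion: '2010-09-09'
Description: Automation runbook that runs shell commands on one EC2 Linux instance

Resources:
  RunShellRunbook:
    Type: AWS::SSM::Document
    Properties:
      Name: Example-RunShellOnLinuxInstance
      DocumentType: Automation
      Content:
        schemaVersion: '0.3'
        description: Run shell commands on a single EC2 Linux instance.
        # Automation assumes this role for every step. Scope it to
        # ssm:SendCommand on the AWS-RunShellScript document and the target
        # instances; it does not need broader EC2 or SSM permissions.
        assumeRole: '{{ AutomationAssumeRole }}'
        parameters:
          AutomationAssumeRole:
            type: String
            description: (Required) ARN of the IAM role Automation assumes to run this runbook.
            allowedPattern: '^arn:aws[a-z-]*:iam::[0-9]{12}:role/.+$'
          InstanceId:
            type: String
            description: (Required) ID of the Linux instance to run the commands on.
            allowedPattern: '^i-[a-f0-9]{8,17}$'
          Commands:
            type: StringList
            description: (Required) Shell commands to run, one list entry per command.
        mainSteps:
          - name: runShellCommands
            action: aws:runCommand
            timeoutSeconds: 600
            onFailure: Abort
            inputs:
              DocumentName: AWS-RunShellScript
              InstanceIds:
                - '{{ InstanceId }}'
              Parameters:
                commands: '{{ Commands }}'
        # Surface the command output as the runbook's result.
        outputs:
          - runShellCommands.Output

Outputs:
  RunbookName:
    Value: !Ref RunShellRunbook
```

After deployment the runbook is started with `aws ssm start-automation-execution --document-name Example-RunShellOnLinuxInstance --parameters ...`, passing the role ARN, instance ID, and command list. Because every execution is bound to the assume role, the audit trail in CloudTrail shows the runbook's role rather than the caller's credentials as the principal behind the SendCommand call.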

CloudFormation
AWS SSM Document: Run Commands on an EC2 Linux instance

This template creates an AWS::SSM::Document resource of type Command that runs commands on an EC2 Linux instance.

CloudFormation
AWS SSM Document: Join an Instance to AWS Directory Service

This template creates an AWS::SSM::Document resource that represents a document for joining instances to a directory in AWS Directory Service.

CloudFormation
AWS SSM Document for Session Manager Preferences

This template creates the AWS SSM Document that holds Session Manager preferences for a Region. Session Manager reads preferences only from the document named SSM-SessionManagerRunShell, and there is one such document per Region. It covers the S3 bucket and CloudWatch Logs destinations for session logs, encryption of session data and log output, the run-as user, shell profiles, and more.
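As an added example (not the catalog's template), here is a preferences document that turns on the controls a security team usually wants: logs to both S3 and CloudWatch Logs, KMS encryption of the session and the logs, a dedicated run-as user, idle and maximum session limits, and a shell profile. The bucket name, KMS key ARN, log group name, and run-as user are assumptions; the bucket and key are assumed to exist already.

```yaml
# Added example, not the catalog's template. Bucket, key, log group and
# run-as user names are assumptions. Deploy once per Region.
AWSTemplateFormatVersion: '2010-09-09'
Description: Session Manager preferences with logging, encryption and a run-as user

Parameters:
  SessionLogBucket:
    Type: String
    Description: Existing bucket that receives session logs (assumed to exist)
  SessionKmsKeyArn:
    Type: String
    Description: KMS key ARN used to encrypt session data and log output

Resources:
  SessionLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /ssm/session-manager
      RetentionInDays: 365
      # cloudWatchEncryptionEnabled below requires the log group itself to be KMS-encrypted.
      KmsKeyId: !Ref SessionKmsKeyArn

  SessionManagerPreferences:
    Type: AWS::SSM::Document
    Properties:
      # Session Manager only honours preferences stored under this exact name.
      Name: SSM-SessionManagerRunShell
      DocumentType: Session
      Content:
        schemaVersion: '1.0'
        description: Regional Session Manager preferences
        sessionType: Standard_Stream
        inputs:
          s3BucketName: !Ref SessionLogBucket
          s3KeyPrefix: session-logs/
          s3EncryptionEnabled: true
          cloudWatchLogGroupName: !Ref SessionLogGroup
          cloudWatchEncryptionEnabled: true
          cloudWatchStreamingEnabled: true
          # Encrypts the session channel itself; users and instance roles both
          # need kms:GenerateDataKey / kms:Decrypt on this key.
          kmsKeyId: !Ref SessionKmsKeyArn
          idleSessionTimeout: '20'
          maxSessionDuration: '60'
          # Run as a named OS account instead of the default ssm-user so that
          # shell activity maps to an identifiable, auditable user. The account
          # must already exist on the instance or the session fails to start.
          runAsEnabled: true
          runAsDefaultUser: ssm-operator
          shellProfile:
            linux: 'umask 077; cd ~'
            windows: 'Set-Location $env:USERPROFILE'
```

The run-as user can be overridden per IAM principal with the SSMSessionRunAs tag on the user or role; the document value is only the default. Once logging is enabled here, the instance profile must be allowed to write to the bucket and log group, otherwise sessions are refused rather than silently unlogged.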

CloudFormation
AWS SSM Document: Distributor Package

This template creates an AWS::SSM::Document resource that represents a Systems Manager Distributor package. The template includes the package content, publisher, schema version, and version. The package is associated with a source URL for distribution.

CloudFormation
AWS SSM Document: Change Calendar Document

This template creates an AWS::SSM::Document resource that represents a Systems Manager Change Calendar document. The template includes the content of the document in text format.

CloudFormation
SSM Maintenance Window
AWS SSM Maintenance Window

This template creates an AWS Systems Manager maintenance window. The maintenance window runs for two hours with a one hour cutoff every Sunday at 04:00 AM US Eastern Time. It does not allow unregistered targets (AllowUnassociatedTargets is false), so tasks in the window can only act on instances registered through a maintenance window target.

CloudFormation
AWS SSM Maintenance Window Target

This template creates an AWS Systems Manager maintenance window target that targets managed instances with a specific tag.

CloudFormation
AWS SSM Maintenance Window Task: Run Command Task with Resource Group Target

This template creates an AWS Systems Manager maintenance window task of type Run Command. The task targets the instances that belong to a named resource group. It installs patches on the instances without rebooting them; patches that require a restart stay pending (the instance reports InstalledPendingReboot) until the instances are rebooted separately.

CloudFormation
AWS SSM Maintenance Window Task: Run Command Task with Maintenance Window Target Id

This template creates an AWS Systems Manager maintenance window task that runs a Run Command task. The task targets instances using a maintenance window target ID. The task installs patches on the instances without rebooting them.
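The maintenance window, target, and Run Command task entries above are three pieces of one assembly, so here is one added example (not the catalog's templates) that wires them together: the Sunday 04:00 Eastern window, a tag-based target, the service role the task runs under, and an AWS-RunPatchBaseline task that installs without rebooting. The tag key and value, role name, and concurrency limits are assumptions.

```yaml
# Added example, not one of the catalog's templates. Tag values, role name and
# concurrency settings are assumptions.
AWSTemplateFormatVersion: '2010-09-09'
Description: Weekly Linux patch window that installs patches without rebooting

Resources:
  MaintenanceWindowRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ssm.amazonaws.com
            Action: sts:AssumeRole
            # Confused-deputy guard: only maintenance windows in this account
            # may assume the role, even though the principal is a service.
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
              ArnLike:
                aws:SourceArn: !Sub arn:aws:ssm:*:${AWS::AccountId}:*
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonSSMMaintenanceWindowRole

  PatchWindow:
    Type: AWS::SSM::MaintenanceWindow
    Properties:
      Name: linux-weekly-patching
      # Every Sunday at 04:00 America/New_York. The window is open for 2 hours
      # and stops launching new task invocations 1 hour before it closes.
      Schedule: cron(0 4 ? * SUN *)
      ScheduleTimezone: America/New_York
      Duration: 2
      Cutoff: 1
      # Tasks may only act on instances registered through a target below.
      AllowUnassociatedTargets: false

  PatchTarget:
    Type: AWS::SSM::MaintenanceWindowTarget
    Properties:
      WindowId: !Ref PatchWindow
      ResourceType: INSTANCE
      Targets:
        - Key: tag:PatchGroup
          Values:
            - linux-prod

  PatchInstallTask:
    Type: AWS::SSM::MaintenanceWindowTask
    Properties:
      WindowId: !Ref PatchWindow
      TaskType: RUN_COMMAND
      TaskArn: AWS-RunPatchBaseline
      ServiceRoleArn: !GetAtt MaintenanceWindowRole.Arn
      Priority: 1
      # Patch a tenth of the fleet at a time and stop after the first failure.
      MaxConcurrency: '10%'
      MaxErrors: '1'
      Targets:
        - Key: WindowTargetIds
          Values:
            - !Ref PatchTarget
      TaskInvocationParameters:
        MaintenanceWindowRunCommandParameters:
          TimeoutSeconds: 3600
          Parameters:
            Operation:
              - Install
            # NoReboot installs but defers the restart. Patches that need one
            # stay InstalledPendingReboot, so compliance is not reached until a
            # later reboot task or a manual restart.
            RebootOption:
              - NoReboot
```

To patch a resource group instead, replace the Targets entry on the task with `Key: resource-groups:Name` and the group name as the value; the rest of the task is unchanged. If ServiceRoleArn is omitted, Systems Manager falls back to its service-linked role, which is acceptable for Run Command tasks but gives you less control over what the window can reach.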

CloudFormation
AWS SSM Maintenance Window Task: Run a PowerShell Script

This template creates an AWS Systems Manager maintenance window task that runs a Run Command task. The task targets instances using a maintenance window target ID. The task runs a PowerShell script that includes commands to restart a service, get the execution policy, and set the execution policy.

CloudFormation
AWS SSM Maintenance Window Task with an Automation runbook

This template creates an AWS Systems Manager maintenance window task that runs an Automation runbook. The task targets instances using a maintenance window target ID. The runbook is specified as `AWS-PatchInstanceWithRollback` and the task uses the specified service role.

CloudFormation
AWS SSM Maintenance Window Task with Step Functions

This template creates a maintenance window task of type Step Functions that targets a maintenance window target ID. The task passes a name and an input payload to the state machine and sets priority, concurrency (max concurrency), and error handling (max errors) settings.

CloudFormation
AWS SSM Maintenance Window Task with Step Functions with EC2 Instance Target

This template creates an AWS Systems Manager maintenance window task that runs a Step Functions state machine. The task targets the specified instance ID directly rather than a registered maintenance window target.

CloudFormation
AWS SSM Maintenance Window Task with Lambda Function

This template creates a maintenance window task that invokes a Lambda function. The task is associated with a specific maintenance window and has a priority of 1.

CloudFormation
SSM
AWS SSM Patch Baseline

This template creates a Systems Manager patch baseline that approves patches for Windows Server 2019 instances seven days after they are released by Microsoft. The patch baseline also approves patches for Active Directory seven days after they are released by Microsoft.
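As an added example (not the catalog's template), the baseline below has the two seven-day rules the entry describes plus the pieces a practitioner adds around them: a patch group binding, compliance levels, and an explicit rejected-patch exception. The baseline name, patch group, the PRODUCT value used for the Active Directory rule, and the placeholder KB number are assumptions; valid PRODUCT names can be listed with `aws ssm describe-patch-properties --operating-system WINDOWS --property PRODUCT`.

```yaml
# Added example, not the catalog's template. Baseline name, patch group, the
# Active Directory PRODUCT value and the rejected KB are assumptions.
AWSTemplateFormatVersion: '2010-09-09'
Description: Windows Server 2019 patch baseline with seven-day auto-approval

Resources:
  WindowsBaseline:
    Type: AWS::SSM::PatchBaseline
    Properties:
      Name: windows-2019-seven-day
      Description: Approve security updates 7 days after Microsoft releases them
      OperatingSystem: WINDOWS
      # Instances tagged "Patch Group" = windows-prod use this baseline instead
      # of the AWS-provided default for Windows.
      PatchGroups:
        - windows-prod
      # Compliance level reported for patches approved outside the rules.
      ApprovedPatchesComplianceLevel: CRITICAL
      ApprovalRules:
        PatchRules:
          # Rule 1: Windows Server 2019 critical/security updates, 7-day delay.
          - ApproveAfterDays: 7
            ComplianceLevel: CRITICAL
            EnableNonSecurity: false
            PatchFilterGroup:
              PatchFilters:
                - Key: PRODUCT
                  Values:
                    - WindowsServer2019
                - Key: CLASSIFICATION
                  Values:
                    - CriticalUpdates
                    - SecurityUpdates
                - Key: MSRC_SEVERITY
                  Values:
                    - Critical
                    - Important
          # Rule 2: same delay for the Active Directory client product.
          - ApproveAfterDays: 7
            ComplianceLevel: HIGH
            PatchFilterGroup:
              PatchFilters:
                - Key: PRODUCT
                  Values:
                    # Assumed product name; confirm with describe-patch-properties.
                    - ActiveDirectoryRightsManagementServicesClient2.0
                - Key: CLASSIFICATION
                  Values:
                    - SecurityUpdates
      # Explicit exceptions win over the rules. A rejected patch is never
      # installed, and BLOCK also refuses it when another patch depends on it.
      RejectedPatches:
        - KB1234567   # placeholder ID, not a real advisory
      RejectedPatchesAction: BLOCK

Outputs:
  BaselineId:
    Value: !Ref WindowsBaseline
```

A seven-day delay means an actively exploited zero-day sits unpatched for a week under this baseline; the usual pattern is to keep the delay for ordinary releases and push urgent fixes through ApprovedPatches, which takes effect immediately.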

CloudFormation
SSM Resource Data Sync with SyncToDestination

This template creates a resource data sync for Systems Manager. It synchronizes Systems Manager Inventory metadata in the US East (Ohio) Region (us-east-2) to a single Amazon S3 bucket. The resource data sync automatically updates the centralized data when new data is collected.
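The sync itself is only half the configuration: Systems Manager writes to the bucket as the ssm.amazonaws.com service principal, so the bucket policy has to admit it, and that policy is where a careless grant lets any account's sync write into your bucket. As an added example (not the catalog's template), here is an Inventory sync to a bucket in us-east-2 together with the scoped bucket policy. The bucket and sync names are assumptions, and the stack is assumed to be deployed in us-east-2 so the bucket it creates lands there.

```yaml
# Added example, not the catalog's template. Bucket and sync names are
# assumptions. Deploy in us-east-2 so the bucket is created in that Region.
AWSTemplateFormatVersion: '2010-09-09'
Description: Sync Systems Manager Inventory to a central S3 bucket in us-east-2

Resources:
  InventoryBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub ssm-inventory-${AWS::AccountId}
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256

  InventoryBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref InventoryBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: SSMBucketPermissionsCheck
            Effect: Allow
            Principal:
              Service: ssm.amazonaws.com
            Action: s3:GetBucketAcl
            Resource: !GetAtt InventoryBucket.Arn
          - Sid: SSMBucketDelivery
            Effect: Allow
            Principal:
              Service: ssm.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub ${InventoryBucket.Arn}/*
            # Without these conditions any account's resource data sync could
            # deliver objects here. SourceAccount/SourceArn pin the grant to
            # syncs owned by this account; the ACL condition keeps the objects
            # owned by the bucket owner.
            Condition:
              StringEquals:
                s3:x-amz-acl: bucket-owner-full-control
                aws:SourceAccount: !Ref AWS::AccountId
              ArnLike:
                aws:SourceArn: !Sub arn:aws:ssm:*:${AWS::AccountId}:resource-data-sync/*

  InventorySync:
    Type: AWS::SSM::ResourceDataSync
    # The sync is validated against the bucket policy at creation time.
    DependsOn: InventoryBucketPolicy
    Properties:
      SyncName: inventory-to-s3
      BucketName: !Ref InventoryBucket
      BucketRegion: us-east-2
      BucketPrefix: inventory
      SyncFormat: JsonSerDe
```

To collect from additional Regions, create the same AWS::SSM::ResourceDataSync in each of them pointing at this one bucket; the bucket policy above already allows syncs from any Region of the account because the SourceArn uses a wildcard Region.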

CloudFormation
SSM Resource Data Sync From an AWS Account with Multiple Regions

This template creates a resource data sync for Systems Manager Explorer. It synchronizes Systems Manager Explorer OpsData and OpsItems from multiple AWS Regions in a single AWS account.

CloudFormation
SSM Resource Data Sync From an Organization

This template creates a resource data sync for Systems Manager Explorer. It synchronizes Systems Manager Explorer OpsData and OpsItems from your entire organization in AWS Organizations in the us-west-1 Region.

CloudFormation
SSM Resource Data Sync From Organizations OUs

This template creates an AWS Systems Manager (SSM) resource data sync that pulls data from a single AWS Organizations organizational unit in the us-west-1 Region. The sync is named 'test-sync', includes only the specified organizational unit, and does not automatically pick up Regions added later (IncludeFutureRegions is false).

CloudFormation
AWS SSM Resource Policy for OpsCenter

This template creates resources needed for a member account to work with OpsCenter OpsItems across multiple accounts. It creates an AWS::SSM::ResourcePolicy and an AWS::IAM::Role. The resource policy allows specified AWS Organizations management or delegated administrator account IDs to access OpsItems and perform actions such as creating, updating, and getting OpsItems. The IAM role is used by the management account or delegated administrator to remediate OpsItems.

CloudFormation
Config Rule
EC2 Instances Managed by Systems Manager (SSM) Check

A Config rule that checks whether the Amazon EC2 instances in your account are managed by AWS Systems Manager.

CloudFormation, Terraform, AWS CLI
EC2 SSM Association Compliance Status Check

A Config rule that checks whether the compliance status of an AWS Systems Manager (SSM) association is COMPLIANT or NON_COMPLIANT after the association has run on the instance. The rule is compliant if the status field is COMPLIANT.

CloudFormation, Terraform, AWS CLI
EC2 SSM Patch Compliance Status Check

A Config rule that checks whether the AWS Systems Manager patch compliance status of an instance is COMPLIANT or NON_COMPLIANT after patch installation has run on the instance. The rule is compliant if the status field is COMPLIANT.

CloudFormation, Terraform, AWS CLI
EC2 Managed Instance Platform Check (SSM)

A Config rule (ec2-managedinstance-platform-check) that checks whether EC2 managed instances match the desired platform type and, optionally, the desired platform name, platform version, and SSM Agent version.

CloudFormation, Terraform, AWS CLI
EC2 Check Required Applications Check (SSM)

A Config rule that checks whether all of the specified applications are installed on the instance. Optionally, specify the minimum acceptable version. You can also specify the platform to apply the rule only to instances running that platform.

CloudFormation, Terraform, AWS CLI
EC2 Check Blacklisted Applications Check (SSM)

A Config rule that checks that none of the specified applications are installed on the instance. Optionally, specify an application version; when a version is given, only that version is flagged, so newer versions of the application are not blacklisted. You can also specify the platform to apply the rule only to instances running that platform.
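The managed-by-SSM, required-applications, and blacklisted-applications rules above are usually deployed together, since the second and third only produce results for instances the first one says are under management. As an added example (not the catalog's templates), here are the three rules in one template with the input parameters filled in; the application names, the pinned agent version, and the rule names are assumptions.

```yaml
# Added example, not one of the catalog's templates. Application names, the
# pinned version and rule names are assumptions.
AWSTemplateFormatVersion: '2010-09-09'
Description: Systems Manager coverage and application hygiene checks

Resources:
  InstancesManagedBySsm:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: ec2-instance-managed-by-systems-manager
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Instance
          - AWS::SSM::ManagedInstanceInventory
      Source:
        Owner: AWS
        SourceIdentifier: EC2_INSTANCE_MANAGED_BY_SSM

  RequiredAgentsInstalled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: ec2-managedinstance-applications-required
      Scope:
        ComplianceResourceTypes:
          - AWS::SSM::ManagedInstanceInventory
      # "name:version" sets a minimum acceptable version; a bare name accepts
      # any version. Names must match what SSM Inventory reports for the OS.
      InputParameters:
        applicationNames: 'amazon-cloudwatch-agent,amazon-ssm-agent:3.2.0.0'
        platformType: Linux
      Source:
        Owner: AWS
        SourceIdentifier: EC2_MANAGEDINSTANCE_APPLICATIONS_REQUIRED

  ForbiddenToolsAbsent:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: ec2-managedinstance-applications-blacklisted
      Scope:
        ComplianceResourceTypes:
          - AWS::SSM::ManagedInstanceInventory
      # No version is given, so every version of these packages is flagged.
      # Adding ":1.2" to a name would flag only that version.
      InputParameters:
        applicationNames: 'telnet,rsh-client,xinetd'
        platformType: Linux
      Source:
        Owner: AWS
        SourceIdentifier: EC2_MANAGEDINSTANCE_APPLICATIONS_BLACKLISTED
```

Both application rules evaluate the AWS:Application inventory type, so the instances need an inventory association (for example the AWS-GatherSoftwareInventory document) that collects applications; without it the rules report nothing rather than NON_COMPLIANT, which is easy to mistake for a clean fleet.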

CloudFormation, Terraform, AWS CLI
EC2 Check Blacklisted Inventory (SSM)

A Config rule that checks whether instances managed by AWS Systems Manager are configured to collect blacklisted inventory types.

CloudFormation, Terraform, AWS CLI