1. What is Systems Manager?

AWS Systems Manager is a management service that helps you manage your EC2 instances, on-premises servers, and other AWS resources at scale. It provides operational tools for patching, running commands, managing configuration, and maintaining compliance.

Core Concept

Systems Manager = manage servers at scale without SSH. Run commands, patch OS, collect inventory, manage configuration, automate operational tasks — all from a central console. Works on EC2 AND on-premises servers. Requires the SSM Agent (pre-installed on Amazon Linux 2, Ubuntu, Windows AMIs).

2. SSM Agent & Prerequisites

  1. SSM Agent: software installed on managed instances that communicates with SSM service
  2. Pre-installed on: Amazon Linux 2/2023, Ubuntu 16.04+, Windows Server 2016+
  3. Must install manually on: older AMIs, custom AMIs, on-premises servers
  4. IAM Role: EC2 instances need an instance profile (IAM role) with the AmazonSSMManagedInstanceCore managed policy attached
  5. No SSH/RDP needed: SSM communicates over HTTPS (port 443) to the SSM service endpoint
  6. On-premises: requires Hybrid Activation (registration with SSM) + SSM Agent

3. Key SSM Capabilities


Session Manager

  1. Secure shell access to EC2/on-premises without opening SSH port 22 or RDP port 3389
  2. No bastion hosts needed. No SSH keys to manage.
  3. All sessions are logged to S3 and/or CloudWatch Logs (full audit trail)
  4. IAM-based access control: who can start sessions on which instances
  5. Port forwarding: tunnel to private resources through Session Manager
  6. Works through the AWS Console, CLI, or SDK

Session Manager vs Bastion Host

Session Manager eliminates the need for bastion hosts. No inbound SSH/RDP ports open, no SSH key management, full audit logging, IAM-controlled access. The exam often presents a scenario where SSH access is needed to private instances — the answer is Session Manager (not bastion host) for security best practices.
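
Added example, not from the original notes: an IAM policy that scopes Session Manager the way the bullets describe (tag-based targeting, a fixed session document, users terminating only their own sessions), plus a small check that flags policies granting ssm:StartSession on any instance without a Condition. The Environment=Dev tag value, the SSM-SessionManagerRunShell document and the ${aws:username}-* session naming pattern are assumptions to adapt to your fleet.

```python
import json

# Least-privilege Session Manager policy (assumed tag/document/session naming).
SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Open a session only onto instances tagged Environment=Dev
            "Sid": "StartSessionOnTaggedInstancesOnly",
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringEquals": {"ssm:resourceTag/Environment": "Dev"}},
        },
        {   # ...and only with the default shell document (no port-forwarding doc)
            "Sid": "AllowOnlyShellDocument",
            "Effect": "Allow",
            "Action": "ssm:StartSession",
            "Resource": "arn:aws:ssm:*:*:document/SSM-SessionManagerRunShell",
            "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}},
        },
        {   # Users may terminate/resume only sessions they started themselves
            "Sid": "ManageOwnSessionsOnly",
            "Effect": "Allow",
            "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
            "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*",
        },
    ],
}


def policy_json() -> str:
    """Serialise the policy for `aws iam put-user-policy --policy-document`."""
    return json.dumps(SESSION_POLICY, indent=2)


def overly_broad_start_session(policy: dict) -> list:
    """Return Sids of Allow statements that grant ssm:StartSession on every
    instance (or on "*") with no Condition, i.e. a shell onto any managed node."""
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if not any(a in ("ssm:StartSession", "ssm:*", "*") for a in actions):
            continue
        broad = any(r == "*" or r.endswith(":instance/*") for r in resources)
        if broad and not stmt.get("Condition"):
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged
```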

Run Command

  1. Execute commands or scripts on managed instances remotely (no SSH)
  2. Run on: individual instances, groups by tag, all instances, Resource Groups
  3. Pre-built commands (SSM Documents): AWS-RunShellScript, AWS-RunPowerShellScript, AWS-UpdateSSMAgent
  4. Rate control: limit how many instances execute simultaneously (concurrency + error threshold)
  5. Output to: S3, CloudWatch Logs, or Console
  6. Notifications via SNS on command completion/failure
  7. No SSH keys needed. IAM-based authorization.
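
Added example, not from the original notes: the boto3 `send_command` arguments for a tag-targeted Run Command with rate control, S3/CloudWatch output and SNS notification, plus a simplified replay of what MaxConcurrency and MaxErrors do to dispatch (real SSM stops dispatching once the error threshold is reached; in-flight invocations still finish). Bucket, topic, role and instance IDs are constructed placeholders.

```python
def run_command_request(commands, tag_key, tag_value, bucket, topic_arn, role_arn):
    """Keyword arguments for boto3 `ssm.send_command` (bucket, topic and role
    are caller-supplied placeholders)."""
    return {
        "DocumentName": "AWS-RunShellScript",
        "Targets": [{"Key": f"tag:{tag_key}", "Values": [tag_value]}],
        "Parameters": {"commands": commands},
        "MaxConcurrency": "10%",  # run on at most 10% of matched instances at once
        "MaxErrors": "2",         # stop dispatching to new instances after 2 failures
        "TimeoutSeconds": 600,
        "OutputS3BucketName": bucket,
        "CloudWatchOutputConfig": {"CloudWatchOutputEnabled": True},
        "ServiceRoleArn": role_arn,  # role SSM assumes to publish notifications
        "NotificationConfig": {
            "NotificationArn": topic_arn,
            "NotificationEvents": ["Success", "Failed", "TimedOut"],
            "NotificationType": "Command",
        },
    }


def simulate_rate_control(outcomes, max_concurrency_pct, max_errors):
    """Simplified replay of rate-control semantics: instances are dispatched in
    batches sized by MaxConcurrency, and no further batch starts once the
    failure count has reached MaxErrors. `outcomes` is a constructed list of
    (instance_id, succeeded) pairs in dispatch order."""
    batch = max(1, len(outcomes) * max_concurrency_pct // 100)
    dispatched, failures = [], 0
    for start in range(0, len(outcomes), batch):
        if failures >= max_errors:
            break  # error threshold hit: remaining instances never run the command
        for instance_id, ok in outcomes[start:start + batch]:
            dispatched.append(instance_id)
            if not ok:
                failures += 1
    return dispatched, failures


# Constructed fleet of 20 fake instance IDs; i-03 and i-04 fail the command.
FLEET = [(f"i-{n:02d}", n not in (3, 4)) for n in range(1, 21)]
```

With 10% concurrency over 20 instances the second batch of two trips the 2-error threshold, so only four instances ever receive the command.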


Patch Manager

  1. Automate OS and application patching across your fleet
  2. Patch Baselines: define which patches to approve (by classification, severity, auto-approval delay)
  3. AWS provides default baselines for each OS. Create custom baselines for more control.
  4. Maintenance Windows: schedule when patching occurs (e.g., Sunday 2–4 AM)
  5. Patch Groups: tag-based grouping (e.g., PatchGroup=Production, PatchGroup=Dev)
  6. Compliance reporting: see which instances are compliant/non-compliant
  7. Supports: Linux, Windows, macOS
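
Added example, not from the original notes: the boto3 `create_patch_baseline` arguments for a custom baseline with an approval rule (classification, severity, auto-approval delay) and a roll-up of `describe_instance_patch_states` records into per-patch-group compliance. The kernel* rejection and the sample patch-state records are constructed.

```python
def security_patch_baseline(name: str) -> dict:
    """Keyword arguments for boto3 `ssm.create_patch_baseline`: an Amazon
    Linux 2 baseline that auto-approves Security patches rated Critical or
    Important 7 days after release and blocks kernel packages (hypothetical
    choice: kernels get their own reboot-aware window)."""
    return {
        "Name": name,
        "OperatingSystem": "AMAZON_LINUX_2",
        "ApprovalRules": {"PatchRules": [{
            "PatchFilterGroup": {"PatchFilters": [
                {"Key": "CLASSIFICATION", "Values": ["Security"]},
                {"Key": "SEVERITY", "Values": ["Critical", "Important"]},
            ]},
            "ApproveAfterDays": 7,
            "ComplianceLevel": "CRITICAL",  # a missing patch counts as CRITICAL non-compliance
            "EnableNonSecurity": False,
        }]},
        "RejectedPatches": ["kernel*"],
        "RejectedPatchesAction": "BLOCK",
    }


def compliance_by_patch_group(patch_states: list) -> dict:
    """Roll up describe_instance_patch_states records per PatchGroup. An
    instance is non-compliant if any approved patch is missing or failed."""
    summary = {}
    for state in patch_states:
        group = summary.setdefault(state["PatchGroup"],
                                   {"compliant": [], "non_compliant": []})
        bad = state.get("MissingCount", 0) > 0 or state.get("FailedCount", 0) > 0
        group["non_compliant" if bad else "compliant"].append(state["InstanceId"])
    return summary


# Constructed sample in the shape of describe_instance_patch_states output.
SAMPLE_STATES = [
    {"InstanceId": "i-prod-1", "PatchGroup": "Production", "MissingCount": 0, "FailedCount": 0},
    {"InstanceId": "i-prod-2", "PatchGroup": "Production", "MissingCount": 3, "FailedCount": 0},
    {"InstanceId": "i-dev-1", "PatchGroup": "Dev", "MissingCount": 0, "FailedCount": 1},
]
```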


Parameter Store

  1. Centralized storage for configuration data and secrets (covered in Security module)
  2. Hierarchical: /app/dev/db/password
  3. Types: String, StringList, SecureString (KMS encrypted)
  4. Free Standard tier (up to 10,000 parameters, 4 KB per value) + paid Advanced tier
  5. Used by: EC2, Lambda, ECS, CloudFormation, CodeDeploy


State Manager

  1. Define and maintain a desired configuration state for your instances
  2. Associations: apply an SSM Document to instances on a schedule
  3. Example: ensure CloudWatch Agent is always installed and running on all EC2 instances
  4. Auto-remediation: if an instance drifts from desired state, State Manager re-applies


Inventory

  1. Collect metadata from managed instances: installed apps, OS version, network config, Windows updates, running services
  2. Automatic and scheduled collection
  3. View in SSM Console or query with S3 + Athena for fleet-wide analysis
  4. Use for: software license compliance, audit, fleet visibility


Automation

  1. Define and execute multi-step operational workflows (runbooks)
  2. SSM Automation Documents (runbooks): sequence of steps (API calls, scripts, approvals)
  3. Pre-built runbooks: AWS-RestartEC2Instance, AWS-StopEC2Instance, AWS-CreateSnapshot, AWS-EnableS3BucketEncryption
  4. Integration: Config Remediation, EventBridge, CloudWatch Alarms use SSM Automation
  5. Can include manual approval steps (human-in-the-loop)
  6. Use for: auto-remediate Config findings, incident response, scheduled maintenance
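
Added example, not from the original notes: an SSM Automation runbook (schemaVersion 0.3, expressed as a Python dict that serialises to valid document JSON) with a manual approval step gating an EC2 stop, plus a check that no state-changing step can run before the approval. The approver and SNS topic ARNs are caller-supplied placeholders.

```python
def stop_instance_with_approval_runbook(approver_arn: str, topic_arn: str) -> dict:
    """Automation document that stops an EC2 instance only after one of the
    named approvers approves via console or API (json.dumps() yields the
    document body for create_document with DocumentType='Automation')."""
    return {
        "schemaVersion": "0.3",
        "description": "Stop an EC2 instance after human approval (constructed example).",
        "assumeRole": "{{ AutomationAssumeRole }}",
        "parameters": {
            "InstanceId": {"type": "String", "description": "Instance to stop"},
            "AutomationAssumeRole": {"type": "String", "description": "Role Automation assumes"},
        },
        "mainSteps": [
            {   # Human-in-the-loop gate: waits up to 1 hour for approval, else aborts
                "name": "approveStop",
                "action": "aws:approve",
                "timeoutSeconds": 3600,
                "onFailure": "Abort",
                "inputs": {
                    "NotificationArn": topic_arn,
                    "Message": "Approve stopping instance {{ InstanceId }}",
                    "MinRequiredApprovals": 1,
                    "Approvers": [approver_arn],
                },
            },
            {   # Only reached once the approve step succeeds
                "name": "stopInstance",
                "action": "aws:changeInstanceState",
                "inputs": {"InstanceIds": ["{{ InstanceId }}"], "DesiredState": "stopped"},
            },
        ],
    }


def every_action_is_gated(doc: dict) -> bool:
    """True when every non-approval step is preceded by an aws:approve step,
    so the runbook cannot change anything without a human decision."""
    approved = False
    for step in doc["mainSteps"]:
        if step["action"] == "aws:approve":
            approved = True
        elif not approved:
            return False
    return approved
```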


OpsCenter

  1. Centralized location to view, investigate, and resolve operational issues (OpsItems)
  2. Aggregates issues from: CloudWatch Alarms, Config non-compliance, EventBridge events, manual creation
  3. Links related resources, runbooks, and timeline for each issue
  4. Integrated with SSM Automation for one-click remediation

4. SSM Capabilities Summary

Exam Tip

SSM: "Access EC2 without SSH/bastion" = Session Manager. "Run command on fleet" = Run Command. "Automate patching" = Patch Manager. "Auto-remediate Config" = SSM Automation. "Store config" = Parameter Store. SSM Agent required. IAM role: AmazonSSMManagedInstanceCore. Works on EC2 + on-premises. No port 22 needed.