AWS Systems Manager: Operations Hub and SSM Agent
A comprehensive guide to AWS Systems Manager: Operations Hub and SSM Agent on AWS, covering core concepts, configuration, best practices, and real-world use cases..
20+ years shipping production infrastructure and CI/CD at scale. Drawn from code that ran under real load.
- ✓Basic understanding of AWS services and cloud computing concepts.
AWS Systems Manager: Operations Hub and SSM Agent is like having a smart assistant that handles the heavy lifting so you don't have to manage servers yourself.
You're SSHing into 200 EC2 instances to apply a critical security patch. Halfway through, your session drops. You don't know which instances are patched, which are still vulnerable, and your audit trail is a mess of terminal logs. This is the reality of managing infrastructure without AWS Systems Manager. Systems Manager isn't just another AWS service — it's the operational backbone that eliminates the need for bastion hosts, SSH keys, and manual runbooks. By centralizing patch management, session management, and inventory tracking, it turns chaotic fleet operations into a repeatable, auditable process. If you're still managing instances with SSH and hoping for the best, you're doing it wrong.
What Is AWS Systems Manager and Why It Matters
AWS Systems Manager is the operational hub for managing EC2 instances, on-premises servers, and other AWS resources at scale. It centralizes operational data, automates routine tasks, and enforces compliance without requiring bastion hosts or SSH keys. The SSM Agent, installed on each managed instance, is the workhorse that executes commands, collects inventory, and applies patches. In production, Systems Manager replaces ad-hoc SSH access with auditable, role-based actions. It's not optional — if you manage more than a handful of instances, you need it to avoid configuration drift and security gaps. The key insight: Systems Manager turns instance management into API calls, enabling automation and reducing human error.
SSM Agent Architecture and Communication Flow
The SSM Agent runs as a service on each instance and communicates with the Systems Manager service over HTTPS (outbound only). It uses an IAM role (instance profile) to authenticate and authorize actions. The agent polls the Systems Manager service every 5 seconds for pending commands, state changes, or session requests. This polling model means instances don't need inbound ports — a huge security win. The agent stores operational data locally in a SQLite database and sends it to Systems Manager for inventory, patch compliance, and execution history. Understanding this flow is critical: if the agent can't reach the service endpoint (ssm.<region>.amazonaws.com), all management stops. In production, we route traffic through VPC endpoints to avoid internet dependency and reduce latency.
Setting Up SSM Agent with IAM Roles and Permissions
Every managed instance needs an IAM role (instance profile) with permissions to call Systems Manager APIs. The minimum policy is AmazonSSMManagedInstanceCore, which allows the agent to send heartbeats, receive commands, and upload logs. For advanced features like inventory or patch management, add policies like AmazonSSMInventoryFullAccess or AmazonSSMPatchAssociation. Never attach policies directly to instances — always use instance profiles. In production, we enforce least privilege by creating custom policies that restrict actions to specific resources (e.g., allow RunCommand only on tagged instances). A common mistake is forgetting to attach the instance profile to the EC2 instance at launch. You can attach it later, but the instance must be rebooted for the agent to pick up the new role.
Operations Hub: Centralized Visibility and Automation
The Operations Hub is the Systems Manager console that aggregates operational data from all managed instances. It provides dashboards for inventory, patch compliance, session history, and Run Command execution. You can filter by tags, resource groups, or custom attributes. The real power is automation: you can create associations that automatically apply documents (e.g., patch baselines, inventory collections) on a schedule or on instance launch. In production, we use Operations Hub to enforce compliance: every instance must report inventory every 30 minutes and apply patches within 7 days. If an instance fails to report, we trigger a Lambda function to investigate. The hub also integrates with CloudWatch and AWS Config for a unified view. Without it, you're flying blind.
Run Command: Ad-Hoc and Automated Script Execution
Run Command lets you execute scripts or commands on one or many instances without SSH. You can run shell scripts, PowerShell, or SSM documents. Commands are executed via the SSM Agent, and output is streamed to CloudWatch Logs or S3. In production, we use Run Command for emergency patching, log collection, and configuration changes. The key advantage is auditability: every command is logged with who ran it, when, and the output. You can also use rate control to limit concurrency and error thresholds to prevent blast radius. A common pattern is to wrap Run Command in a Step Functions workflow for multi-step automation. Never use Run Command for long-running processes — it has a 30-minute timeout. For longer tasks, use State Manager associations.
Session Manager: Secure Shell Access Without Bastions
Session Manager provides browser-based or CLI shell access to instances without SSH keys, bastion hosts, or open inbound ports. It uses the SSM Agent to create a secure tunnel over HTTPS. Sessions are logged to CloudTrail and optionally to S3 for audit. In production, we've eliminated all SSH bastions — Session Manager is more secure and easier to manage. You can restrict access using IAM policies (e.g., allow session only for specific instances or during business hours). A common pitfall is forgetting to attach the necessary IAM policy to users: they need ssm:StartSession and ssm:TerminateSession. Also, ensure the instance profile has ssm:UpdateInstanceInformation. For Windows, you need to enable PowerShell remoting. Session Manager is not just a convenience — it's a security best practice.
Patch Manager: Automated OS Patching at Scale
Patch Manager automates the process of patching OS-level vulnerabilities across your fleet. You define patch baselines (rules for which patches are approved automatically) and create associations to apply them on a schedule. In production, we use Patch Manager to enforce a 7-day patch window for critical vulnerabilities. The system reports compliance per instance, and you can generate reports via Systems Manager or export to Athena. A common mistake is not testing patches on a canary group first — we once had a kernel patch that broke our monitoring agent. Always use maintenance windows to control when patches are applied, and set up CloudWatch Events to notify on patch failures. Patch Manager also supports custom patch baselines for third-party applications like MySQL or Apache.
Inventory Manager: Collecting and Querying Instance Metadata
Inventory Manager collects metadata from instances — installed applications, network configuration, services, and custom data — and stores it in a centralized Systems Manager inventory. You can query inventory using the console, CLI, or integrate with Athena for complex analysis. In production, we use inventory to track software versions, detect unauthorized applications, and audit compliance. The agent collects inventory every 30 minutes by default, but you can customize the interval. A key limitation: inventory only captures data at collection time — it's not real-time. For real-time monitoring, use CloudWatch metrics. Also, inventory data is stored in the Systems Manager service, which has a 30-day retention for some data types. Export to S3 for long-term storage. We once discovered a rogue application running on 20 instances only after inventory flagged it.
State Manager: Enforcing Desired Configuration
State Manager ensures instances are in a desired state by applying SSM documents on a schedule or on events. It's like a lightweight configuration management tool (similar to Chef or Ansible) but native to AWS. You define associations that specify a document, targets, and schedule. State Manager automatically runs the document on new instances that match the targets. In production, we use State Manager to enforce security configurations: disable root SSH access, install the CloudWatch agent, and apply CIS benchmarks. The key advantage is that it's idempotent — running the same association multiple times won't cause issues. However, State Manager does not handle complex dependencies or ordering. For that, use Step Functions. A common failure mode is when an association fails due to a missing parameter — always validate documents in a test environment first.
Automation: Runbooks for Incident Response and Remediation
Automation allows you to create runbooks (SSM documents) that automate common operational tasks like restarting services, replacing instances, or rolling back deployments. Runbooks can include multiple steps, conditional logic, and error handling. They integrate with other AWS services via AWS SDK calls. In production, we use Automation runbooks for incident response: when an instance fails health checks, a runbook automatically terminates it, launches a replacement, and updates the load balancer. The key is to design runbooks idempotently — running them multiple times should be safe. A common mistake is hardcoding instance IDs or regions. Use dynamic parameters and AWS Systems Manager Parameter Store for configuration. Automation is powerful but can be dangerous: always test runbooks in a sandbox account first.
Monitoring and Troubleshooting SSM Agent and Operations
Monitoring SSM Agent health is critical. Use CloudWatch metrics (ssm-agent-status, ssm-agent-version) and set alarms for instances that stop reporting. Common issues: agent not running, network connectivity problems, IAM role misconfiguration, or disk space full. The agent logs are in /var/log/amazon/ssm/ on Linux and C:\ProgramData\Amazon\SSM\Logs on Windows. For troubleshooting, check the agent log for errors like 'Unable to connect to service' or 'Invalid instance profile'. Also, use the Systems Manager console's 'Instance Management' page to see the last ping time. If an instance shows 'Connection Lost', it's likely a network or IAM issue. In production, we run a scheduled Lambda that checks agent status and auto-remediates by restarting the agent or re-attaching the instance profile.
Production Best Practices and Common Pitfalls
After years of running Systems Manager in production, here are the non-negotiables: 1) Always use VPC endpoints for SSM, EC2, and S3 to avoid internet dependency. 2) Enforce least privilege IAM policies — never use wildcards for actions. 3) Test all associations and runbooks in a staging environment first. 4) Enable CloudTrail logging for all Systems Manager actions. 5) Set up CloudWatch alarms for agent health and patch compliance. 6) Use maintenance windows for patching and reboots. 7) Regularly audit inventory and compliance reports. Common pitfalls: forgetting to attach instance profiles, using default patch baselines without testing, and not handling agent failures gracefully. Also, be aware of service limits: you can have up to 5000 instances per account, but associations and documents have limits. Plan for scale by using resource groups and tagging strategies.
| File | Command / Code | Purpose |
|---|---|---|
| install-ssm-agent.sh | sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/late... | What Is AWS Systems Manager and Why It Matters |
| ssm-agent-config.json | { | SSM Agent Architecture and Communication Flow |
| ssm-instance-policy.json | { | Setting Up SSM Agent with IAM Roles and Permissions |
| association-patch-baseline.json | { | Operations Hub |
| run-command-example.sh | aws ssm send-command \ | Run Command |
| start-session.sh | aws ssm start-session --target i-1234567890abcdef0 | Session Manager |
| patch-baseline.json | { | Patch Manager |
| inventory-association.json | { | Inventory Manager |
| state-manager-association.json | { | State Manager |
| automation-runbook.json | { | Automation |
| check-ssm-agent.sh | if ! systemctl is-active --quiet amazon-ssm-agent; then | Monitoring and Troubleshooting SSM Agent and Operations |
| audit-ssm-compliance.sh | aws ssm describe-instance-patch-states \ | Production Best Practices and Common Pitfalls |
Key takeaways
Common mistakes to avoid
2 patternsOverlooking aws systems manager basic configuration
Ignoring cost implications
Interview Questions on This Topic
What is AWS Systems Manager: Operations Hub and SSM Agent and when would you use it?
Frequently Asked Questions
20+ years shipping production infrastructure and CI/CD at scale. Drawn from code that ran under real load.
That's AWS. Mark it forged?
6 min read · try the examples if you haven't