Home DevOps AWS Systems Manager: Operations Hub and SSM Agent
Intermediate 6 min · July 12, 2026

AWS Systems Manager: Operations Hub and SSM Agent

A comprehensive guide to AWS Systems Manager: Operations Hub and SSM Agent on AWS, covering core concepts, configuration, best practices, and real-world use cases..

N
Naren Founder & Principal Engineer

20+ years shipping production infrastructure and CI/CD at scale. Drawn from code that ran under real load.

Follow
Verified
production tested
July 12, 2026
last updated
2,165
articles · all by Naren
Before you start⏱ 25 min
  • Basic understanding of AWS services and cloud computing concepts.
✦ Definition~90s read
What is AWS Systems Manager?

AWS Systems Manager is a unified operations hub that gives you operational control over your AWS and on-premises infrastructure through a single pane of glass. It matters because it replaces the need for bastion hosts, manual patching, and ad-hoc scripting with automated, auditable, and secure management.

AWS Systems Manager: Operations Hub and SSM Agent is like having a smart assistant that handles the heavy lifting so you don't have to manage servers yourself.

Use it when you need to patch fleets at scale, run commands without SSH, or maintain compliance across hybrid environments.

Plain-English First

AWS Systems Manager: Operations Hub and SSM Agent is like having a smart assistant that handles the heavy lifting so you don't have to manage servers yourself.

You're SSHing into 200 EC2 instances to apply a critical security patch. Halfway through, your session drops. You don't know which instances are patched, which are still vulnerable, and your audit trail is a mess of terminal logs. This is the reality of managing infrastructure without AWS Systems Manager. Systems Manager isn't just another AWS service — it's the operational backbone that eliminates the need for bastion hosts, SSH keys, and manual runbooks. By centralizing patch management, session management, and inventory tracking, it turns chaotic fleet operations into a repeatable, auditable process. If you're still managing instances with SSH and hoping for the best, you're doing it wrong.

What Is AWS Systems Manager and Why It Matters

AWS Systems Manager is the operational hub for managing EC2 instances, on-premises servers, and other AWS resources at scale. It centralizes operational data, automates routine tasks, and enforces compliance without requiring bastion hosts or SSH keys. The SSM Agent, installed on each managed instance, is the workhorse that executes commands, collects inventory, and applies patches. In production, Systems Manager replaces ad-hoc SSH access with auditable, role-based actions. It's not optional — if you manage more than a handful of instances, you need it to avoid configuration drift and security gaps. The key insight: Systems Manager turns instance management into API calls, enabling automation and reducing human error.

install-ssm-agent.shBASH
1
2
3
4
5
6
7
#!/bin/bash
# Install SSM Agent on Amazon Linux 2
sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
sudo systemctl enable amazon-ssm-agent
sudo systemctl start amazon-ssm-agent
# Verify agent is running
sudo systemctl status amazon-ssm-agent
Output
● amazon-ssm-agent.service - Amazon SSM Agent
Loaded: loaded (/usr/lib/systemd/system/amazon-ssm-agent.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2025-03-17 10:00:00 UTC; 5s ago
🔥SSM Agent Pre-installed on Many AMIs
Amazon Linux 2, Ubuntu 18.04+, and Windows Server 2016+ AMIs come with SSM Agent pre-installed. For custom AMIs or on-premises servers, you must install it manually. Always verify the agent is running after launch.
📊 Production Insight
In production, we once had a fleet of 200 instances where SSM Agent silently failed after a kernel update. We didn't notice until patching automation stopped working. Always monitor agent health with CloudWatch metrics and set alarms for 'ssm-agent-status'.
🎯 Key Takeaway
AWS Systems Manager centralizes instance management via API calls, eliminating SSH and reducing operational overhead.
aws-systems-manager THECODEFORGE.IO SSM Agent Communication Flow Step-by-step process from instance registration to command execution Instance Launch EC2 instance starts with SSM Agent pre-installed IAM Role Assigned Instance profile with SSM permissions attached Agent Registration SSM Agent registers with AWS Systems Manager service Heartbeat Polling Agent sends heartbeat to SSM service every 5 seconds Command Received SSM service pushes command to agent via HTTPS Execution & Reporting Agent executes command and reports status back ⚠ Missing outbound HTTPS access blocks agent communication Ensure security groups allow HTTPS egress to SSM endpoints THECODEFORGE.IO
thecodeforge.io
Aws Systems Manager

SSM Agent Architecture and Communication Flow

The SSM Agent runs as a service on each instance and communicates with the Systems Manager service over HTTPS (outbound only). It uses an IAM role (instance profile) to authenticate and authorize actions. The agent polls the Systems Manager service every 5 seconds for pending commands, state changes, or session requests. This polling model means instances don't need inbound ports — a huge security win. The agent stores operational data locally in a SQLite database and sends it to Systems Manager for inventory, patch compliance, and execution history. Understanding this flow is critical: if the agent can't reach the service endpoint (ssm.<region>.amazonaws.com), all management stops. In production, we route traffic through VPC endpoints to avoid internet dependency and reduce latency.

ssm-agent-config.jsonJSON
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
{
  "settings": {
    "telemetry": {
      "enableTelemetry": true
    },
    "ssm": {
      "endpoint": "https://ssm.us-east-1.amazonaws.com",
      "healthCheckIntervalSeconds": 300
    },
    "agent": {
      "logLevel": "info",
      "maxLogLines": 10000
    }
  }
}
Output
Agent configuration applied. Restart agent to take effect: sudo systemctl restart amazon-ssm-agent
💡Use VPC Endpoints for SSM
Create VPC endpoints for SSM, EC2, and S3 (for patch baselines) to keep traffic within AWS network. This improves reliability and avoids data transfer costs.
📊 Production Insight
We learned the hard way that SSM Agent can't fall back to a different endpoint if the configured one is unreachable. During a regional DNS outage, our entire fleet became unmanageable. Now we always configure multiple endpoints in agent config and use Route 53 health checks.
🎯 Key Takeaway
SSM Agent uses outbound polling over HTTPS, eliminating inbound ports and improving security posture.

Setting Up SSM Agent with IAM Roles and Permissions

Every managed instance needs an IAM role (instance profile) with permissions to call Systems Manager APIs. The minimum policy is AmazonSSMManagedInstanceCore, which allows the agent to send heartbeats, receive commands, and upload logs. For advanced features like inventory or patch management, add policies like AmazonSSMInventoryFullAccess or AmazonSSMPatchAssociation. Never attach policies directly to instances — always use instance profiles. In production, we enforce least privilege by creating custom policies that restrict actions to specific resources (e.g., allow RunCommand only on tagged instances). A common mistake is forgetting to attach the instance profile to the EC2 instance at launch. You can attach it later, but the instance must be rebooted for the agent to pick up the new role.

ssm-instance-policy.jsonJSON
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeAssociation",
        "ssm:GetDeployablePatchSnapshotForInstance",
        "ssm:GetDocument",
        "ssm:GetManifest",
        "ssm:GetParameters",
        "ssm:ListAssociations",
        "ssm:ListInstanceAssociations",
        "ssm:PutInventory",
        "ssm:PutComplianceItems",
        "ssm:PutConfigurePackageResult",
        "ssm:UpdateAssociationStatus",
        "ssm:UpdateInstanceAssociationStatus",
        "ssm:UpdateInstanceInformation"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstanceStatus"
      ],
      "Resource": "*"
    }
  ]
}
Output
IAM policy created. Attach to instance profile and associate with EC2 instances.
⚠ Avoid Overly Permissive Policies
Using AmazonSSMManagedInstanceCore is safe for most cases, but if you need to restrict commands to specific documents, create a custom policy. Overly permissive policies can allow unintended actions like stopping instances.
📊 Production Insight
We once had a security incident where a developer attached a policy with ssm:SendCommand to all resources. An attacker used it to run a malicious script on every instance. Now we enforce resource-level restrictions and use SCPs to prevent policy escalation.
🎯 Key Takeaway
Attach the AmazonSSMManagedInstanceCore policy to instance profiles; never use access keys for SSM Agent.
aws-systems-manager THECODEFORGE.IO Systems Manager Operations Hub Stack Layered architecture from infrastructure to automation Managed Instances EC2 Instances | On-Premises Servers | Edge Devices SSM Agent Layer Agent Service | Plugin Executor | Health Monitor Systems Manager Service Run Command | Session Manager | Patch Manager Operations Hub Central Dashboard | Automation Workflows | Compliance Reports IAM & Security Instance Profiles | Service Roles | KMS Encryption THECODEFORGE.IO
thecodeforge.io
Aws Systems Manager

Operations Hub: Centralized Visibility and Automation

The Operations Hub is the Systems Manager console that aggregates operational data from all managed instances. It provides dashboards for inventory, patch compliance, session history, and Run Command execution. You can filter by tags, resource groups, or custom attributes. The real power is automation: you can create associations that automatically apply documents (e.g., patch baselines, inventory collections) on a schedule or on instance launch. In production, we use Operations Hub to enforce compliance: every instance must report inventory every 30 minutes and apply patches within 7 days. If an instance fails to report, we trigger a Lambda function to investigate. The hub also integrates with CloudWatch and AWS Config for a unified view. Without it, you're flying blind.

association-patch-baseline.jsonJSON
1
2
3
4
5
6
7
8
9
10
11
12
13
14
{
  "Name": "PatchBaselineAssociation",
  "DocumentName": "AWS-RunPatchBaseline",
  "Targets": [
    {
      "Key": "tag:Environment",
      "Values": ["production"]
    }
  ],
  "ScheduleExpression": "cron(0 2 ? * SUN *)",
  "Parameters": {
    "Operation": ["Install"]
  }
}
Output
Association created. It will run every Sunday at 2 AM UTC on all production-tagged instances.
🔥Use Resource Groups for Targeting
Create resource groups based on tags (e.g., Environment=production, Role=web) to target associations. This scales better than listing individual instance IDs.
📊 Production Insight
We once had a misconfigured association that targeted all instances instead of just production. It patched development instances during business hours, causing outages. Always test associations on a small set first and use AWS Config rules to validate targeting.
🎯 Key Takeaway
Operations Hub centralizes visibility and automates compliance through associations and dashboards.

Run Command: Ad-Hoc and Automated Script Execution

Run Command lets you execute scripts or commands on one or many instances without SSH. You can run shell scripts, PowerShell, or SSM documents. Commands are executed via the SSM Agent, and output is streamed to CloudWatch Logs or S3. In production, we use Run Command for emergency patching, log collection, and configuration changes. The key advantage is auditability: every command is logged with who ran it, when, and the output. You can also use rate control to limit concurrency and error thresholds to prevent blast radius. A common pattern is to wrap Run Command in a Step Functions workflow for multi-step automation. Never use Run Command for long-running processes — it has a 30-minute timeout. For longer tasks, use State Manager associations.

run-command-example.shBASH
1
2
3
4
5
6
7
8
9
# Send a command to check disk usage on all production instances
aws ssm send-command \
    --document-name "AWS-RunShellScript" \
    --targets "Key=tag:Environment,Values=production" \
    --parameters '{"commands":["df -h"]}' \
    --comment "Check disk usage" \
    --output-s3-bucket-name my-ssm-logs \
    --max-concurrency 10 \
    --max-errors 2
Output
{
"Command": {
"CommandId": "abc123",
"Status": "Pending",
"TargetCount": 50
}
}
💡Use Rate Control to Avoid Overload
Set max-concurrency and max-errors to limit blast radius. For critical commands, start with 1 instance and increase gradually.
📊 Production Insight
We once ran a command to restart a service on 100 instances simultaneously. The service had a dependency that caused a cascading failure. Now we always use max-concurrency=5 and test on a canary instance first.
🎯 Key Takeaway
Run Command executes scripts on instances without SSH, with full audit logging and rate control.

Session Manager: Secure Shell Access Without Bastions

Session Manager provides browser-based or CLI shell access to instances without SSH keys, bastion hosts, or open inbound ports. It uses the SSM Agent to create a secure tunnel over HTTPS. Sessions are logged to CloudTrail and optionally to S3 for audit. In production, we've eliminated all SSH bastions — Session Manager is more secure and easier to manage. You can restrict access using IAM policies (e.g., allow session only for specific instances or during business hours). A common pitfall is forgetting to attach the necessary IAM policy to users: they need ssm:StartSession and ssm:TerminateSession. Also, ensure the instance profile has ssm:UpdateInstanceInformation. For Windows, you need to enable PowerShell remoting. Session Manager is not just a convenience — it's a security best practice.

start-session.shBASH
1
2
3
4
5
# Start a session on an instance by instance ID
aws ssm start-session --target i-1234567890abcdef0

# Or start a session using a tag (requires AWS CLI v2)
aws ssm start-session --target "tag:Name=web-server-01"
Output
Starting session with SessionId: user-1234567890abcdef0
[ssm-user@ip-10-0-0-1 ~]$
⚠ Session Manager Requires Outbound Internet or VPC Endpoint
Instances must be able to reach the SSM endpoint. If they are in a private subnet without NAT, create a VPC endpoint for SSM.
📊 Production Insight
We migrated from SSH bastions to Session Manager and immediately saw a reduction in security incidents. However, we forgot to enable session logging to S3 initially. When an engineer ran a destructive command, we had no record. Now we enforce session logging via SCP.
🎯 Key Takeaway
Session Manager replaces SSH bastions with secure, auditable, and IAM-controlled shell access.

Patch Manager: Automated OS Patching at Scale

Patch Manager automates the process of patching OS-level vulnerabilities across your fleet. You define patch baselines (rules for which patches are approved automatically) and create associations to apply them on a schedule. In production, we use Patch Manager to enforce a 7-day patch window for critical vulnerabilities. The system reports compliance per instance, and you can generate reports via Systems Manager or export to Athena. A common mistake is not testing patches on a canary group first — we once had a kernel patch that broke our monitoring agent. Always use maintenance windows to control when patches are applied, and set up CloudWatch Events to notify on patch failures. Patch Manager also supports custom patch baselines for third-party applications like MySQL or Apache.

patch-baseline.jsonJSON
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
{
  "Name": "Production-Patch-Baseline",
  "OperatingSystem": "AMAZON_LINUX_2",
  "ApprovalRules": {
    "PatchRules": [
      {
        "PatchFilterGroup": {
          "PatchFilters": [
            {
              "Key": "CLASSIFICATION",
              "Values": ["Security"]
            },
            {
              "Key": "SEVERITY",
              "Values": ["Critical", "Important"]
            }
          ]
        },
        "ApproveAfterDays": 7
      }
    ]
  }
}
Output
Patch baseline created. It will auto-approve critical and important security patches after 7 days.
🔥Use Maintenance Windows for Patch Application
Maintenance windows ensure patches are applied during defined time windows. They also allow you to stop/start instances if needed.
📊 Production Insight
We once had a patch baseline that approved all updates, including a kernel update that required a reboot. The reboot happened during business hours because we didn't set a maintenance window. Now we always combine patch baselines with maintenance windows and test on a canary group.
🎯 Key Takeaway
Patch Manager automates OS patching with approval rules, schedules, and compliance reporting.

Inventory Manager: Collecting and Querying Instance Metadata

Inventory Manager collects metadata from instances — installed applications, network configuration, services, and custom data — and stores it in a centralized Systems Manager inventory. You can query inventory using the console, CLI, or integrate with Athena for complex analysis. In production, we use inventory to track software versions, detect unauthorized applications, and audit compliance. The agent collects inventory every 30 minutes by default, but you can customize the interval. A key limitation: inventory only captures data at collection time — it's not real-time. For real-time monitoring, use CloudWatch metrics. Also, inventory data is stored in the Systems Manager service, which has a 30-day retention for some data types. Export to S3 for long-term storage. We once discovered a rogue application running on 20 instances only after inventory flagged it.

inventory-association.jsonJSON
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
{
  "Name": "InventoryCollection",
  "DocumentName": "AWS-GatherSoftwareInventory",
  "Targets": [
    {
      "Key": "tag:Environment",
      "Values": ["production"]
    }
  ],
  "ScheduleExpression": "rate(1 hour)",
  "Parameters": {
    "applications": ["Enabled"],
    "awsComponents": ["Enabled"],
    "networkConfig": ["Enabled"],
    "windowsRoles": ["Disabled"],
    "windowsUpdates": ["Disabled"]
  }
}
Output
Inventory association created. It will collect application, AWS component, and network config data every hour.
💡Export Inventory to S3 for Long-Term Analysis
Set up inventory export to S3 and use Athena to query historical data. This helps with compliance audits and trend analysis.
📊 Production Insight
We relied on inventory to detect unauthorized software, but the 30-minute collection window meant a malicious app could run for 29 minutes before detection. For security-critical environments, combine inventory with real-time GuardDuty and CloudWatch events.
🎯 Key Takeaway
Inventory Manager collects instance metadata on a schedule, enabling software tracking and compliance auditing.

State Manager: Enforcing Desired Configuration

State Manager ensures instances are in a desired state by applying SSM documents on a schedule or on events. It's like a lightweight configuration management tool (similar to Chef or Ansible) but native to AWS. You define associations that specify a document, targets, and schedule. State Manager automatically runs the document on new instances that match the targets. In production, we use State Manager to enforce security configurations: disable root SSH access, install the CloudWatch agent, and apply CIS benchmarks. The key advantage is that it's idempotent — running the same association multiple times won't cause issues. However, State Manager does not handle complex dependencies or ordering. For that, use Step Functions. A common failure mode is when an association fails due to a missing parameter — always validate documents in a test environment first.

state-manager-association.jsonJSON
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
{
  "Name": "Enforce-CloudWatch-Agent",
  "DocumentName": "AWS-ConfigureAWSPackage",
  "Targets": [
    {
      "Key": "tag:Role",
      "Values": ["web"]
    }
  ],
  "ScheduleExpression": "cron(0 0 * * ? *)",
  "Parameters": {
    "action": ["Install"],
    "name": ["AmazonCloudWatchAgent"],
    "version": ["latest"]
  }
}
Output
Association created. It will install/update CloudWatch Agent daily on all web instances.
⚠ State Manager Associations Are Not Real-Time
Associations run on a schedule or on instance launch. For immediate enforcement, use Run Command or Lambda.
📊 Production Insight
We used State Manager to enforce a security baseline, but we didn't account for instances that were stopped during the association run. When they started, they were out of compliance for up to 24 hours. Now we trigger associations on instance launch using CloudWatch Events.
🎯 Key Takeaway
State Manager enforces desired configuration on instances via scheduled associations, acting as a native configuration management tool.

Automation: Runbooks for Incident Response and Remediation

Automation allows you to create runbooks (SSM documents) that automate common operational tasks like restarting services, replacing instances, or rolling back deployments. Runbooks can include multiple steps, conditional logic, and error handling. They integrate with other AWS services via AWS SDK calls. In production, we use Automation runbooks for incident response: when an instance fails health checks, a runbook automatically terminates it, launches a replacement, and updates the load balancer. The key is to design runbooks idempotently — running them multiple times should be safe. A common mistake is hardcoding instance IDs or regions. Use dynamic parameters and AWS Systems Manager Parameter Store for configuration. Automation is powerful but can be dangerous: always test runbooks in a sandbox account first.

automation-runbook.jsonJSON
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
{
  "description": "Replace unhealthy EC2 instance",
  "schemaVersion": "0.3",
  "assumeRole": "arn:aws:iam::123456789012:role/AutomationRole",
  "parameters": {
    "InstanceId": {
      "type": "String",
      "description": "ID of the unhealthy instance"
    },
    "AmiId": {
      "type": "String",
      "description": "AMI ID for replacement"
    }
  },
  "mainSteps": [
    {
      "name": "TerminateInstance",
      "action": "aws:executeAwsApi",
      "inputs": {
        "Service": "ec2",
        "Api": "TerminateInstances",
        "InstanceIds": ["{{ InstanceId }}"]
      }
    },
    {
      "name": "LaunchReplacement",
      "action": "aws:executeAwsApi",
      "inputs": {
        "Service": "ec2",
        "Api": "RunInstances",
        "ImageId": "{{ AmiId }}",
        "InstanceType": "t3.micro",
        "MinCount": 1,
        "MaxCount": 1
      }
    }
  ]
}
Output
Runbook created. It terminates the specified instance and launches a new one from the given AMI.
🔥Use AssumeRole for Cross-Account Automation
If your runbook needs to act in another account, specify an assumeRole ARN with appropriate permissions.
📊 Production Insight
We had a runbook that terminated instances based on a tag. A misconfigured tag caused it to terminate 50 production instances. Now we always add a manual approval step for destructive actions and use CloudTrail to monitor runbook executions.
🎯 Key Takeaway
Automation runbooks enable self-service incident response and remediation with idempotent, auditable workflows.

Monitoring and Troubleshooting SSM Agent and Operations

Monitoring SSM Agent health is critical. Use CloudWatch metrics (ssm-agent-status, ssm-agent-version) and set alarms for instances that stop reporting. Common issues: agent not running, network connectivity problems, IAM role misconfiguration, or disk space full. The agent logs are in /var/log/amazon/ssm/ on Linux and C:\ProgramData\Amazon\SSM\Logs on Windows. For troubleshooting, check the agent log for errors like 'Unable to connect to service' or 'Invalid instance profile'. Also, use the Systems Manager console's 'Instance Management' page to see the last ping time. If an instance shows 'Connection Lost', it's likely a network or IAM issue. In production, we run a scheduled Lambda that checks agent status and auto-remediates by restarting the agent or re-attaching the instance profile.

check-ssm-agent.shBASH
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
#!/bin/bash
# Check SSM Agent status and restart if not running
if ! systemctl is-active --quiet amazon-ssm-agent; then
    echo "SSM Agent is not running. Restarting..."
    sudo systemctl restart amazon-ssm-agent
    sleep 5
    if systemctl is-active --quiet amazon-ssm-agent; then
        echo "SSM Agent restarted successfully."
    else
        echo "Failed to restart SSM Agent."
        exit 1
    fi
else
    echo "SSM Agent is running."
fi
Output
SSM Agent is running.
⚠ Agent Logs Can Fill Up Disk Space
SSM Agent logs are rotated, but in high-volume environments, they can still consume significant disk. Monitor disk usage and configure log retention in agent settings.
📊 Production Insight
We once had a fleet-wide agent failure due to a misconfigured VPC endpoint that blocked traffic to SSM. The agent logs showed 'Connection refused' but we didn't have alarms. Now we monitor agent connectivity with a synthetic canary instance and alert if it goes offline.
🎯 Key Takeaway
Monitor SSM Agent health with CloudWatch metrics and logs; common failures are network, IAM, or disk issues.
Session Manager vs Traditional Bastion Secure shell access without managing jump hosts Session Manager Bastion Host Network Access No inbound ports required Requires open SSH port (22) Key Management IAM-based authentication SSH key pairs need rotation Audit Trail Built-in session logging to CloudWatch Requires additional logging setup Infrastructure No bastion instance to maintain Dedicated EC2 instance needed Compliance Supports session recording and approval Manual compliance controls THECODEFORGE.IO
thecodeforge.io
Aws Systems Manager

Production Best Practices and Common Pitfalls

After years of running Systems Manager in production, here are the non-negotiables: 1) Always use VPC endpoints for SSM, EC2, and S3 to avoid internet dependency. 2) Enforce least privilege IAM policies — never use wildcards for actions. 3) Test all associations and runbooks in a staging environment first. 4) Enable CloudTrail logging for all Systems Manager actions. 5) Set up CloudWatch alarms for agent health and patch compliance. 6) Use maintenance windows for patching and reboots. 7) Regularly audit inventory and compliance reports. Common pitfalls: forgetting to attach instance profiles, using default patch baselines without testing, and not handling agent failures gracefully. Also, be aware of service limits: you can have up to 5000 instances per account, but associations and documents have limits. Plan for scale by using resource groups and tagging strategies.

audit-ssm-compliance.shBASH
1
2
3
4
5
6
#!/bin/bash
# List instances not compliant with patch baseline
aws ssm describe-instance-patch-states \
    --instance-ids $(aws ec2 describe-instances --query 'Reservations[].Instances[].InstanceId' --output text) \
    --query 'InstancePatchStates[?PatchComplianceStatus!=`COMPLIANT`].[InstanceId, PatchComplianceStatus]' \
    --output table
Output
----------------------------------------------------
| DescribeInstancePatchStates |
+----------------------+--------------------------+
| i-1234567890abcdef0 | NON_COMPLIANT |
| i-0987654321fedcba0 | NON_COMPLIANT |
+----------------------+--------------------------+
💡Use AWS Config Rules for Continuous Compliance
Create Config rules to check that instances have required SSM associations, are patched, and have inventory enabled. Automate remediation with Systems Manager Automation.
📊 Production Insight
Our biggest outage was caused by hitting the SSM API rate limit during a mass patching event. We now spread patching across multiple maintenance windows and use exponential backoff in automation scripts. Always monitor API usage and request limit increases proactively.
🎯 Key Takeaway
Production success with Systems Manager requires VPC endpoints, least privilege IAM, testing, and continuous monitoring.
⚙ Quick Reference
12 commands from this guide
FileCommand / CodePurpose
install-ssm-agent.shsudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/late...What Is AWS Systems Manager and Why It Matters
ssm-agent-config.json{SSM Agent Architecture and Communication Flow
ssm-instance-policy.json{Setting Up SSM Agent with IAM Roles and Permissions
association-patch-baseline.json{Operations Hub
run-command-example.shaws ssm send-command \Run Command
start-session.shaws ssm start-session --target i-1234567890abcdef0Session Manager
patch-baseline.json{Patch Manager
inventory-association.json{Inventory Manager
state-manager-association.json{State Manager
automation-runbook.json{Automation
check-ssm-agent.shif ! systemctl is-active --quiet amazon-ssm-agent; thenMonitoring and Troubleshooting SSM Agent and Operations
audit-ssm-compliance.shaws ssm describe-instance-patch-states \Production Best Practices and Common Pitfalls

Key takeaways

1
Centralized Operations Hub
AWS Systems Manager replaces bastion hosts and manual SSH with a unified interface for patching, running commands, and managing inventory across EC2 and on-premises instances.
2
SSM Agent is Mandatory
Every managed instance requires the SSM Agent. It handles communication with the Systems Manager service and executes commands. Without it, you have no management plane.
3
IAM Permissions are Critical
The instance profile must grant the agent permissions to perform actions. Overly restrictive policies break functionality; overly permissive policies create security risks. Use least privilege with AmazonSSMManagedInstanceCore as a baseline.
4
Production Failure Mode
Agent Health** — A common outage scenario is the SSM Agent crashing due to memory leaks or disk full. Monitor agent health with CloudWatch and implement auto-recovery or restart mechanisms to avoid losing operational control.

Common mistakes to avoid

2 patterns
×

Overlooking aws systems manager basic configuration

Symptom
Unexpected behavior in production
Fix
Follow AWS best practices and review documentation thoroughly
×

Ignoring cost implications

Symptom
Unexpected AWS bill at end of month
Fix
Set up billing alerts and use cost explorer to monitor usage
INTERVIEW PREP · PRACTICE MODE

Interview Questions on This Topic

Q01JUNIOR
What is AWS Systems Manager: Operations Hub and SSM Agent and when would...
Q02SENIOR
How do you secure AWS Systems Manager: Operations Hub and SSM Agent in p...
Q03SENIOR
What are the cost optimization strategies for AWS Systems Manager: Opera...
Q01 of 03JUNIOR

What is AWS Systems Manager: Operations Hub and SSM Agent and when would you use it?

ANSWER
AWS Systems Manager: Operations Hub and SSM Agent is an AWS service that helps manage cloud infrastructure efficiently. Use it when you need scalable, reliable cloud solutions.
FAQ · 6 QUESTIONS

Frequently Asked Questions

01
Do I need to install the SSM Agent on every EC2 instance?
02
Can Systems Manager manage on-premises servers?
03
How does Systems Manager handle IAM permissions for running commands?
04
What happens if the SSM Agent stops responding?
05
How do I audit who ran what command and when?
06
Can I use Systems Manager to patch instances that are in a private subnet without NAT?
N
Naren Founder & Principal Engineer

20+ years shipping production infrastructure and CI/CD at scale. Drawn from code that ran under real load.

Follow
Verified
production tested
July 12, 2026
last updated
2,165
articles · all by Naren
🔥

That's AWS. Mark it forged?

6 min read · try the examples if you haven't

Previous
AWS X-Ray: Distributed Tracing and Observability
34 / 54 · AWS
Next
Amazon VPC Networking: NAT Gateway, VPN, and Direct Connect