AWS Systems Manager: What It Is and When to Use It
Definition
AWS Systems Manager (SSM) is a unified operations and management service for EC2 instances, on-premises servers, and edge devices. It's not one product but a suite of capabilities — Fleet Manager, Session Manager, Run Command, Patch Manager, Automation, Parameter Store, Inventory, State Manager, Maintenance Windows, OpsCenter, and more — that share a common identity and communication model: a lightweight SSM Agent installed on managed nodes, plus IAM permissions and (optionally) VPC endpoints. Systems Manager replaces dozens of ad-hoc tools — SSH, WinRM, cron, config management, secret files, patch cycles — with a managed, IAM-governed, auditable alternative.
How It Works
The SSM Agent is pre-installed on Amazon Linux, Ubuntu (newer AMIs), and Windows Server AMIs; on Linux it runs as amazon-ssm-agent, on Windows as a Windows service. For on-premises servers or edge devices, you install the agent and register them as managed instances, traditionally via an activation code; for EC2, Default Host Management Configuration can register instances without a per-instance instance profile.
The agent maintains an outbound TLS connection to the SSM service. You grant a role (AmazonSSMManagedInstanceCore managed policy) to EC2 or to the on-prem registration, and SSM sees the instance in Fleet Manager. From then on, every capability in the suite is available.
SSM traffic uses public regional endpoints by default. For private-only VPCs, create VPC interface endpoints for ssm, ssmmessages, and ec2messages (and s3 / kms for some features).
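As an added check (not from the article), the function below reports which of the three required interface endpoints a private VPC is missing, using the response shape of EC2's describe_vpc_endpoints. It assumes commercial-region service names (com.amazonaws.&lt;region&gt;.ssm and so on); the region, VPC id and sample endpoint list are constructed.

```python
REQUIRED_SSM_SERVICES = ("ssm", "ssmmessages", "ec2messages")


def missing_ssm_endpoints(endpoints, region):
    """Return the SSM services that lack a usable interface endpoint.

    `endpoints` is the VpcEndpoints list from ec2.describe_vpc_endpoints.
    An endpoint only counts when it is an Interface endpoint, available, and
    has private DNS enabled, because the agent resolves the default service
    hostnames (ssm.<region>.amazonaws.com and friends) from inside the VPC.
    """
    prefix = f"com.amazonaws.{region}."
    present = set()
    for ep in endpoints:
        name = ep.get("ServiceName", "")
        if not name.startswith(prefix):
            continue
        if ep.get("VpcEndpointType") != "Interface":
            continue  # e.g. the S3 Gateway endpoint is not one of the three
        if ep.get("State") != "available" or not ep.get("PrivateDnsEnabled"):
            continue
        present.add(name[len(prefix):])
    return [svc for svc in REQUIRED_SSM_SERVICES if svc not in present]


def check_vpc(vpc_id, region, ec2_client=None):
    """Live variant: list the VPC's endpoints and report the missing ones."""
    if ec2_client is None:
        import boto3  # lazy import: the pure check above needs no SDK
        ec2_client = boto3.client("ec2", region_name=region)
    resp = ec2_client.describe_vpc_endpoints(
        Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])
    return missing_ssm_endpoints(resp["VpcEndpoints"], region)


# Constructed sample response: ssm and ssmmessages exist, ec2messages does
# not, and the S3 Gateway endpoint must not be mistaken for one of the three.
SAMPLE_ENDPOINTS = [
    {"ServiceName": "com.amazonaws.us-east-1.ssm", "VpcEndpointType": "Interface",
     "State": "available", "PrivateDnsEnabled": True},
    {"ServiceName": "com.amazonaws.us-east-1.ssmmessages", "VpcEndpointType": "Interface",
     "State": "available", "PrivateDnsEnabled": True},
    {"ServiceName": "com.amazonaws.us-east-1.s3", "VpcEndpointType": "Gateway",
     "State": "available"},
]

if __name__ == "__main__":
    print("missing:", missing_ssm_endpoints(SAMPLE_ENDPOINTS, "us-east-1"))
```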
Key Features and Limits
Fleet Manager
A managed web console for Linux and Windows: view hardware, OS, running processes, storage, event logs, and registry (Windows). Remote Desktop-style access without exposing RDP.
Session Manager
Browser-based or CLI-based shell access to instances without SSH, bastion hosts, or open inbound ports. Sessions can optionally be logged to CloudWatch Logs or S3. Port forwarding and SSH-over-SSM are supported (aws ssm start-session --target i-... --document-name AWS-StartSSHSession). This is the modern replacement for SSH to private EC2 instances.
Run Command
Execute commands (Shell, PowerShell, Ansible, Chef) on one instance, a tag-selected fleet, or the whole account. Under the hood it uses SSM Documents — JSON/YAML runbooks — such as AWS-RunShellScript, AWS-UpdateSSMAgent, or your own. Invocations are audited via CloudTrail and streamed to CloudWatch Logs / S3.
Automation runbooks
SSM Automation runs multi-step workflows across AWS APIs and instances: AMI creation, patch with reboot, troubleshooting runbooks, failover drills. Hundreds of pre-built documents (AWS-*) ship with AWS. Automation is idempotent, approvable, and integrates with EventBridge to drive auto-remediation — e.g., Config rule detects noncompliant SG → EventBridge → Automation → fix.
Patch Manager
Scans and applies OS and application patches on a schedule defined by patch baselines (one per OS family, by severity/classification). Works on Linux, Windows, macOS. Uses Maintenance Windows to bound downtime; supports prebuilt baselines from AWS plus custom ones.
Parameter Store
A free-to-use (Standard tier) or pay-per-parameter (Advanced tier) key–value store for configuration and secrets. Supports String, StringList, and SecureString (KMS-encrypted). Hierarchical paths (/prod/db/url). IAM-controlled; referenced by CloudFormation, CDK, Lambda env, ECS task defs, and EC2 user data. Secrets Manager is a heavier, paid alternative with rotation — Parameter Store handles most config/low-sensitivity secrets at no cost.
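An added example (not from the article) of reading a hierarchical path such as /prod with GetParametersByPath, decrypting SecureString values and keeping track of which keys are secrets so they can be redacted before logging. FakeSSM and the sample parameters are constructed so the code runs offline; the path must be a non-root hierarchy.

```python
def load_parameter_tree(path, ssm_client=None):
    """Return ({relative_name: value}, {names that were SecureString}).

    Recursive=True makes /prod/db/url come back under the key "db/url".
    WithDecryption=True returns SecureString values in clear, so the caller
    also needs kms:Decrypt on the key. Real accounts page at 10 results,
    which is why the NextToken loop is not optional.
    """
    if ssm_client is None:
        import boto3  # lazy import: FakeSSM below lets this run without the SDK
        ssm_client = boto3.client("ssm")
    base = "/" + path.strip("/")  # e.g. "/prod"; a non-root hierarchy is assumed
    prefix = base + "/"
    config, secrets, token = {}, set(), None
    while True:
        kwargs = {"NextToken": token} if token else {}
        resp = ssm_client.get_parameters_by_path(
            Path=base, Recursive=True, WithDecryption=True, **kwargs)
        for p in resp["Parameters"]:
            key = p["Name"][len(prefix):]
            config[key] = p["Value"]
            if p["Type"] == "SecureString":
                secrets.add(key)  # remember what must stay out of logs
        token = resp.get("NextToken")
        if not token:
            return config, secrets


def redacted(config, secrets):
    """Copy of the config that is safe to print or ship to a log sink."""
    return {k: ("***" if k in secrets else v) for k, v in config.items()}


class FakeSSM:
    """Constructed stand-in for the ssm client; pages one parameter at a time."""
    def __init__(self, params):
        self.params = params

    def get_parameters_by_path(self, Path, Recursive, WithDecryption, NextToken=None):
        hits = [p for p in self.params if p["Name"].startswith(Path + "/")]
        i = int(NextToken or 0)
        page = {"Parameters": hits[i:i + 1]}
        if i + 1 < len(hits):
            page["NextToken"] = str(i + 1)
        return page


# Constructed sample tree; the password value is a placeholder, not a secret.
SAMPLE_PARAMS = [
    {"Name": "/prod/db/url", "Type": "String", "Value": "postgres://db.internal:5432/app"},
    {"Name": "/prod/db/password", "Type": "SecureString", "Value": "placeholder-pw"},
    {"Name": "/prod/feature/beta", "Type": "String", "Value": "false"},
]
```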
State Manager
Ensures managed instances stay in a desired state — SSM Agent version, CloudWatch Agent installed, files present — by re-running documents on a schedule. Desired-state config without Chef/Puppet.
Inventory
Collects installed applications, network config, Windows updates, services, AWS components. Queryable via Resource Data Sync into S3 and Athena.
Maintenance Windows
Schedules a recurring window (e.g., Saturdays 02:00 UTC for 4 hours) during which Run Command / Automation / Patch Manager tasks may execute on target tags.
OpsCenter
A central queue for OpsItems — tickets aggregated from CloudWatch Alarms, Config, Security Hub, GuardDuty. Teams triage, comment, and resolve in one place; integrates with runbooks for remediation.
Application Manager, AppConfig, Incident Manager
- Application Manager — one-pane view of all resources in an application (tag-based).
- AppConfig — feature flags and dynamic application config with validation and rollout.
- Incident Manager — on-call rotations, runbook execution, post-incident review.
Common Use Cases
- Secure shell access — Session Manager instead of SSH + bastion; private subnets with no inbound ports.
- Fleet-wide patching — Patch Manager with Maintenance Windows across thousands of instances.
- Config/secret storage — Parameter Store SecureString replaces env-file sprawl.
- Auto-remediation — Config → EventBridge → Automation runbook fixes noncompliant resources.
- Operational runbooks — Reboot, rotate, snapshot, restart service with one API call across a tag-targeted fleet.
- Hybrid management — on-prem servers registered as managed instances, unified with EC2 ops.
- Compliance — auditable, IAM-scoped access with full CloudTrail / CloudWatch Logs trail for every command and session.
Pricing Model
Most Systems Manager capabilities are free for EC2 and for on-premises managed instances up to a limit:
- Free: Session Manager, Run Command, State Manager, Patch Manager, Automation, Inventory, Maintenance Windows, OpsCenter (first tier), Fleet Manager, Parameter Store Standard tier.
- Paid: Parameter Store Advanced tier (per parameter-month + per API interaction), Automation executions beyond free tier (per step), Incident Manager (per incident), Change Manager, AppConfig (per configuration + request), and on-prem managed instances beyond the free tier (per instance-hour after the included allowance).
- Data transfer to S3 / CloudWatch Logs for session and command output bills normally.
Pros and Cons
Pros
- Unified, IAM-governed alternative to SSH, WinRM, cron, and config management.
- Session Manager removes the need for bastion hosts and inbound SG rules.
- Parameter Store is free and ubiquitous for config.
- Auto-remediation loops (Config → EventBridge → Automation) are simple and powerful.
- Hybrid (on-prem) support is genuine — same console, IAM, audit trail.
Cons
- Requires SSM Agent — older AMIs may not have it, on-prem needs install.
- Private VPCs need three VPC endpoints (ssm, ssmmessages, ec2messages) for no-internet operation.
- Parameter Store Standard has a 4 KB value and 10,000-parameter soft limit; high-traffic use benefits from the Advanced tier or Secrets Manager.
- Many sub-products; pricing and feature boundaries can be confusing at first.
- Session Manager logging is optional — teams must enable it for compliance.
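Because logging is opt-in, the posture is worth checking from code. The added example below (not from the article) reads the regional Session Manager preferences document, SSM-SessionManagerRunShell, and summarises whether session logs go anywhere, whether that destination is encrypted, and whether a KMS key encrypts the session itself; the sample document content is constructed.

```python
import json

PREFS_DOCUMENT = "SSM-SessionManagerRunShell"  # the regional preferences document


def audit_session_preferences(content):
    """Summarise the logging posture from the preferences document's JSON content.

    Input names are the ones the preferences document uses. Empty bucket and
    log-group names mean a session leaves no record beyond the StartSession
    call in CloudTrail.
    """
    inputs = json.loads(content).get("inputs", {})
    s3 = bool(inputs.get("s3BucketName"))
    cw = bool(inputs.get("cloudWatchLogGroupName"))
    return {
        "s3_logging": s3,
        "cloudwatch_logging": cw,
        "any_logging": s3 or cw,
        # a destination that is configured but written to without encryption
        "unencrypted_log_destination": (s3 and not inputs.get("s3EncryptionEnabled"))
            or (cw and not inputs.get("cloudWatchEncryptionEnabled")),
        "kms_session_encryption": bool(inputs.get("kmsKeyId")),
        "run_as_enabled": bool(inputs.get("runAsEnabled")),
    }


def audit_account(ssm_client=None):
    """Live variant: fetch the regional preferences document and audit it."""
    if ssm_client is None:
        import boto3  # lazy import: the pure function above needs no SDK
        ssm_client = boto3.client("ssm")
    try:
        doc = ssm_client.get_document(Name=PREFS_DOCUMENT)
    except ssm_client.exceptions.InvalidDocument:
        return audit_session_preferences('{"inputs": {}}')  # never configured
    return audit_session_preferences(doc["Content"])


# Constructed sample: CloudWatch logging on, S3 off, no KMS key for the session.
SAMPLE_PREFS = json.dumps({
    "schemaVersion": "1.0", "sessionType": "Standard_Stream",
    "inputs": {
        "s3BucketName": "", "s3EncryptionEnabled": True,
        "cloudWatchLogGroupName": "/ssm/sessions-placeholder",
        "cloudWatchEncryptionEnabled": True, "cloudWatchStreamingEnabled": True,
        "kmsKeyId": "", "runAsEnabled": False,
    },
})
```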
Comparison with Alternatives
| | Systems Manager | Bastion + SSH keys | AWS Secrets Manager | Config management (Ansible/Chef) |
| --- | --- | --- | --- | --- |
| Access | Session Manager (no ports) | Inbound SSH to bastion | n/a | SSH-based |
| Secrets | Parameter Store (SecureString) | File-based | Full secrets + rotation | External tools |
| Audit | CloudTrail + session logs | Bastion logs | CloudTrail | Tool-specific |
| Cross-account | IAM | Complex | IAM | Tool-specific |
| Scale | Tag-driven fleet | Manual | Per secret | Master/server model |
| Hybrid | Yes (managed instances) | Yes | n/a | Yes |
Exam Relevance
- Solutions Architect Associate (SAA-C03) — know SSM Session Manager as the modern alternative to SSH + bastion for private EC2, and Parameter Store for config.
- Developer Associate (DVA-C02) — Parameter Store (SecureString, hierarchy), referencing parameters from CloudFormation / Lambda env vars, and Secrets Manager contrast.
- SysOps Administrator (SOA-C02) — heavy coverage: Patch Manager baselines, Maintenance Windows, Automation runbooks, Run Command, State Manager, Inventory, OpsCenter.
- DevOps Professional (DOP-C02) — Automation for auto-remediation (Config → EventBridge → SSM), Change Manager approvals, hybrid management, integration with CodePipeline.
- Security Specialty (SCS-C02) — Session Manager logging, least-privilege IAM for SSM, VPC endpoints, SecureString with customer-managed KMS.
Exam trap: Systems Manager Parameter Store vs Secrets Manager — Parameter Store is free (Standard), simpler, no built-in rotation; Secrets Manager is paid with automatic rotation and cross-account sharing. For DB passwords with rotation, Secrets Manager; for most config, Parameter Store.
Frequently Asked Questions
Q: How is Session Manager better than SSH with a bastion host?
A: Session Manager provides shell access with no inbound network ports, no SSH keys to rotate, no bastion host to patch, and every session automatically authenticated via IAM. Sessions can be recorded to CloudWatch Logs or S3 for audit, commands can be restricted via session document policies, and you can start a session from the AWS Console, CLI, or via SSH-over-SSM (ProxyCommand). For compliance-driven environments, that audit trail plus least-privilege IAM grants is often a compelling reason to eliminate traditional bastion architecture entirely.
Q: When should I use Parameter Store vs Secrets Manager?
A: Use Parameter Store for application configuration, feature flags, and low-to-medium-sensitivity secrets — it's free (Standard tier), integrates with CloudFormation / CDK / ECS / Lambda env vars natively, supports hierarchical paths, and encrypts SecureString with KMS. Use Secrets Manager when you need automatic rotation of database credentials, API keys, or OAuth tokens — it rotates via Lambda and integrates with RDS, DocumentDB, and Redshift out of the box. It also supports resource policies for cross-account sharing more cleanly. Many organizations use both: Parameter Store for config, Secrets Manager for rotated credentials.
Q: How do auto-remediation loops work with Systems Manager?
A: The canonical pattern is AWS Config + EventBridge + Systems Manager Automation. AWS Config evaluates resources against rules (e.g., "S3 bucket must block public access"). When a resource is noncompliant, Config emits an event to EventBridge. An EventBridge rule targets an SSM Automation document that runs the fix (e.g., AWS-DisableS3BucketPublicReadWrite) with the noncompliant resource ID as input. Automation logs the remediation, and Config re-evaluates on the next run. The same pattern works for GuardDuty findings, Security Hub controls, and CloudWatch Alarms — any EventBridge source can drive a runbook.
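The loop described above targets the Automation document straight from the EventBridge rule. The added example below (not from the article) writes the same event-to-runbook mapping as a small Lambda handler so the event shape and the runbook inputs are explicit; the Config rule name, role ARN and bucket name are placeholders, and the parameter name S3BucketName is assumed from the AWS-DisableS3BucketPublicReadWrite document.

```python
RUNBOOKS = {
    # Config rule name -> (Automation document, parameter that takes the resource id)
    "s3-bucket-public-read-prohibited": ("AWS-DisableS3BucketPublicReadWrite", "S3BucketName"),
}
AUTOMATION_ROLE = "arn:aws:iam::123456789012:role/PLACEHOLDER-AutomationRole"


def plan_remediation(event):
    """Map a Config compliance-change event to start_automation_execution kwargs.

    Returns None when nothing should run: events from other sources, resources
    that became COMPLIANT, and rules with no registered runbook are ignored.
    """
    detail = event.get("detail", {})
    if event.get("source") != "aws.config":
        return None
    if detail.get("newEvaluationResult", {}).get("complianceType") != "NON_COMPLIANT":
        return None
    rule = detail.get("configRuleName")
    if rule not in RUNBOOKS:
        return None
    document, param = RUNBOOKS[rule]
    return {
        "DocumentName": document,
        "Parameters": {param: [detail["resourceId"]],
                       "AutomationAssumeRole": [AUTOMATION_ROLE]},
    }


def handler(event, context=None, ssm_client=None):
    """Lambda entry point: start the runbook and hand back its execution id."""
    plan = plan_remediation(event)
    if plan is None:
        return {"action": "ignored"}
    if ssm_client is None:
        import boto3  # lazy import so plan_remediation is testable without the SDK
        ssm_client = boto3.client("ssm")
    resp = ssm_client.start_automation_execution(**plan)
    return {"action": "started", "executionId": resp["AutomationExecutionId"]}


# Constructed sample in the shape EventBridge delivers for aws.config events.
SAMPLE_EVENT = {
    "source": "aws.config",
    "detail-type": "Config Rules Compliance Change",
    "detail": {
        "configRuleName": "s3-bucket-public-read-prohibited",
        "resourceType": "AWS::S3::Bucket",
        "resourceId": "example-bucket-placeholder",
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
    },
}
```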
This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS Systems Manager documentation before making production decisions.