

# Systems Manager
<a name="automation-ref-sys"></a>

 AWS Systems Manager Automation provides predefined runbooks for Systems Manager. For more information about runbooks, see [Working with runbooks](https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-documents.html). For information about how to view runbook content, see [View runbook content](automation-runbook-reference.md#view-automation-json). 

**Topics**
+ [`AWS-BulkDeleteAssociation`](aws-bulkdeleteassociation.md)
+ [`AWS-BulkEditOpsItems`](automation-aws-bulk-edit-opsitems.md)
+ [`AWS-BulkResolveOpsItems`](automation-aws-bulk-resolve-opsitems.md)
+ [`AWS-ConfigureMaintenanceWindows`](aws-configuremaintenancewindows.md)
+ [`AWS-CreateManagedLinuxInstance`](automation-aws-createmanagedlinuxinstance.md)
+ [`AWS-CreateManagedWindowsInstance`](automation-aws-createmanagedwindowsinstance.md)
+ [`AWSConfigRemediation-EnableCWLoggingForSessionManager`](automation-aws-enable-cw-log-sm.md)
+ [`AWS-ExportOpsDataToS3`](automation-aws-exportopsdatatos3.md)
+ [`AWS-ExportPatchReportToS3`](automation-aws-exportpatchreporttos3.md)
+ [`AWS-SetupInventory`](automation-aws-setupinventory.md)
+ [`AWS-SetupManagedInstance`](automation-aws-setupmanagedinstance.md)
+ [`AWS-SetupManagedRoleOnEC2Instance`](automation-aws-setupmanagedroleonec2instance.md)
+ [`AWSSupport-TroubleshootManagedInstance`](automation-awssupport-troubleshoot-managed-instance.md)
+ [`AWSSupport-TroubleshootPatchManagerLinux`](automation-troubleshoot-patch-manager-linux.md)
+ [`AWSSupport-TroubleshootSessionManager`](automation-awssupport-troubleshoot-session-manager.md)

# `AWS-BulkDeleteAssociation`
<a name="aws-bulkdeleteassociation"></a>

 **Description** 

The `AWS-BulkDeleteAssociation` runbook helps you to delete up to 50 Systems Manager State Manager associations at a time.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-BulkDeleteAssociation) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ AssociationIds

  Type: StringList

  Description: (Required) A comma-separated list of the IDs of the associations you want to delete.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:DeleteAssociation` 

 **Document Steps** 
+  `aws:executeScript` - Deletes the associations you specify in the `AssociationIds` parameter. 
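The `AutomationAssumeRole` is the identity the runbook's `aws:executeScript` step actually runs as, so two things matter for it: it should carry only the actions a runbook lists (here, `ssm:DeleteAssociation`), and it should be assumable only by Systems Manager Automation for executions started in your own account. The Python below is an added illustration, not code from the runbook or from the Systems Manager documentation; it builds the two policy documents for such a role: a trust policy for `ssm.amazonaws.com` that pins `aws:SourceAccount` and `aws:SourceArn` to your account's automation executions (the standard cross-service confused-deputy guard), and a permissions policy holding exactly the listed actions. The account ID `123456789012`, the Region and the role name are placeholders.

```python
import json

# Actions the AWS-BulkDeleteAssociation page lists for AutomationAssumeRole.
BULK_DELETE_ASSOCIATION_ACTIONS = ["ssm:DeleteAssociation"]


def automation_trust_policy(account_id, region="*"):
    """Trust policy letting only Systems Manager Automation assume the role.

    The two conditions are the confused-deputy guard: an Automation execution
    started in another account carries a different SourceAccount/SourceArn and
    is refused even though the calling principal is the same AWS service.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ssm.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {
                    "aws:SourceArn": f"arn:aws:ssm:{region}:{account_id}:automation-execution/*"
                },
            },
        }],
    }


def automation_permissions_policy(actions, resource="*"):
    """Permissions policy containing exactly the runbook's listed actions.

    Wildcards are rejected so a pasted "ssm:*" cannot slip in. The resource
    can be narrowed further for actions that support resource-level ARNs.
    """
    bad = [a for a in actions if "*" in a or ":" not in a]
    if bad:
        raise ValueError(f"refusing wildcard or malformed actions: {bad}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(set(actions)),
            "Resource": resource,
        }],
    }


def role_policies(account_id, actions, region="*"):
    """Return (trust_json, permissions_json) ready for
    `aws iam create-role --assume-role-policy-document` and `put-role-policy`."""
    trust = automation_trust_policy(account_id, region)
    perms = automation_permissions_policy(actions)
    return json.dumps(trust, indent=2), json.dumps(perms, indent=2)


if __name__ == "__main__":
    # Placeholder account ID and Region; substitute your own before creating the role.
    trust_json, perms_json = role_policies("123456789012", BULK_DELETE_ASSOCIATION_ACTIONS, "us-east-1")
    print(trust_json)
    print(perms_json)
```

The same builder serves every runbook on this page: pass the action list from that runbook's "Required IAM permissions" section. Keep the `aws:SourceArn` Region specific where you can; `*` is acceptable only if the role is genuinely used from several Regions.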

# `AWS-BulkEditOpsItems`
<a name="automation-aws-bulk-edit-opsitems"></a>

 **Description** 

 The `AWS-BulkEditOpsItems` runbook helps you edit the status, severity, category, or priority of AWS Systems Manager OpsItems. This automation can edit a maximum of 50 OpsItems at a time. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-BulkEditOpsItems) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ Category

  Type: String

  Valid values:
  + Availability
  + Cost
  + No change
  + Performance
  + Recovery
  + Security

  Default: No change

  Description: (Optional) The new category you want to specify for the edited OpsItems.
+ OpsItemIds

  Type: StringList

  Description: (Required) A comma-separated list of OpsItem IDs you want to edit (for example, oi-XXXXXXXXXXXX,oi-XXXXXXXXXXXX).
+ Priority

  Type: String

  Valid values:
  + No change
  + 1
  + 2
  + 3
  + 4
  + 5

  Default: No change

  Description: (Optional) The importance of the edited OpsItems in relation to other OpsItems in the system.
+ Severity

  Type: String

  Valid values:
  + No change
  + 1
  + 2
  + 3
  + 4

  Default: No change

  Description: (Optional) The severity of the edited OpsItems.
+ WaitTimeBetweenEditsInSecs

  Type: String

  Valid values: 0.0-2.0

  Default: 0.8

   Description: (Optional) The time the automation waits between calling the `UpdateOpsItems` operation. 
+ Status

  Type: String

  Valid values:
  + InProgress
  + No change
  + Open
  + Resolved

  Default: No change

  Description: (Optional) The new status of the edited OpsItems.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:GetAutomationExecution` 
+  `ssm:StartAutomationExecution` 
+  `ssm:UpdateOpsItem` 

 **Document Steps** 
+  `aws:executeScript` - Edits the OpsItems you specified in the `OpsItemIds` parameter based on the values you specify for the `Category` , `Priority` , `Severity` , and `Status` parameters. 
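Both `AWS-BulkDeleteAssociation` and `AWS-BulkEditOpsItems` cap one execution at 50 IDs, and `AWS-BulkEditOpsItems` only accepts the values listed above for `Category`, `Priority`, `Severity` and `Status`. The following Python is an added example, not code from either runbook: it splits an arbitrary ID list into executions of at most 50, de-duplicates it, and refuses unknown parameters or out-of-range values before any API call is made. Each returned dictionary is the keyword-argument set for `start_automation_execution` in boto3 (Automation parameters are always string lists, even for single values). The sample IDs and the role ARN are constructed placeholders; the ID pattern is taken from the `oi-XXXXXXXXXXXX` shape shown in the parameter description.

```python
import re

BATCH_LIMIT = 50  # AWS-BulkDeleteAssociation and AWS-BulkEditOpsItems take at most 50 IDs each

# Valid values copied from the AWS-BulkEditOpsItems parameter list.
EDIT_VALUES = {
    "Category": {"Availability", "Cost", "No change", "Performance", "Recovery", "Security"},
    "Priority": {"No change", "1", "2", "3", "4", "5"},
    "Severity": {"No change", "1", "2", "3", "4"},
    "Status": {"InProgress", "No change", "Open", "Resolved"},
}
# Shape shown in the OpsItemIds description (oi-XXXXXXXXXXXX); treated as 12 alphanumerics.
OPSITEM_ID = re.compile(r"^oi-[0-9a-zA-Z]{12}$")


def _batches(items, size):
    """Yield consecutive slices of at most `size` items."""
    for start in range(0, len(items), size):
        yield items[start:start + size]


def plan_bulk_edit(ops_item_ids, assume_role_arn, **edits):
    """Build one StartAutomationExecution request per batch of OpsItems.

    Everything is validated before anything is sent: unknown edit parameters
    or values outside the runbook's valid set raise, malformed IDs raise, and
    duplicate IDs are collapsed so no OpsItem is edited twice.
    """
    for field, value in edits.items():
        if field not in EDIT_VALUES:
            raise ValueError(f"{field} is not an AWS-BulkEditOpsItems parameter")
        if value not in EDIT_VALUES[field]:
            raise ValueError(f"{value!r} is not a valid value for {field}")
    ids = list(dict.fromkeys(ops_item_ids))  # de-duplicate, keep order
    bad = [i for i in ids if not OPSITEM_ID.match(i)]
    if bad:
        raise ValueError(f"malformed OpsItem IDs: {bad}")
    requests = []
    for batch in _batches(ids, BATCH_LIMIT):
        # Automation parameters are string lists, even for scalar values.
        params = {"AutomationAssumeRole": [assume_role_arn], "OpsItemIds": batch}
        for field, value in edits.items():
            params[field] = [value]
        requests.append({"DocumentName": "AWS-BulkEditOpsItems", "Parameters": params})
    return requests


def plan_bulk_delete(association_ids, assume_role_arn):
    """Same batching for AWS-BulkDeleteAssociation (no value validation needed)."""
    ids = list(dict.fromkeys(association_ids))
    return [
        {"DocumentName": "AWS-BulkDeleteAssociation",
         "Parameters": {"AutomationAssumeRole": [assume_role_arn], "AssociationIds": batch}}
        for batch in _batches(ids, BATCH_LIMIT)
    ]


if __name__ == "__main__":
    # Constructed sample IDs and a placeholder role ARN, not real resources.
    sample = [f"oi-{n:012x}" for n in range(120)]
    role = "arn:aws:iam::123456789012:role/AutomationBulkEditRole"
    for req in plan_bulk_edit(sample, role, Status="Resolved", Severity="4"):
        print(req["DocumentName"], len(req["Parameters"]["OpsItemIds"]), "OpsItems")
```

Run the batches sequentially and poll `get_automation_execution` until each reaches a terminal status before starting the next; the runbook already throttles itself with `WaitTimeBetweenEditsInSecs`, and parallel executions against the same OpsItems would only race each other.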

# `AWS-BulkResolveOpsItems`
<a name="automation-aws-bulk-resolve-opsitems"></a>

 **Description** 

 The `AWS-BulkResolveOpsItems` runbook resolves AWS Systems Manager OpsItems that match the filter you specify. You can also add a related resource identifier to each resolved OpsItem using the `OpsInsightId` parameter. If you specify a value for the `S3BucketName` parameter, a result summary is sent to the Amazon Simple Storage Service (Amazon S3) bucket. To receive a notification once the result summary has been sent to the Amazon S3 bucket, specify a value for the `SnsTopicArn` parameter. This automation resolves a maximum of 1,000 OpsItems at a time. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-BulkResolveOpsItems) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ Filters

  Type: String

   Description: (Required) The key-value pairs of filters to return the OpsItems you want to resolve. For example, `[{"Key": "Status", "Values": ["Open"], "Operator": "Equal"}]` . To learn more about the options available for filtering OpsItems responses, see [OpsItemFilters](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_DescribeOpsItems.html#systemsmanager-DescribeOpsItems-request-OpsItemFilters) in the *AWS Systems Manager API Reference* . 
+ OpsInsightId

  Type: String

  Description: (Optional) The related resource identifier you want to add to resolved OpsItems.
+ S3BucketName

  Type: String

  Description: (Optional) The name of the Amazon S3 bucket you want to send the result summary to.
+ SnsMessage

  Type: String

  Description: (Optional) The notification you want Amazon Simple Notification Service (Amazon SNS) to send when the automation completes.
+ SnsTopicArn

  Type: String

  Description: (Optional) The ARN of the Amazon SNS topic you want to notify when the result summary has been sent to Amazon S3.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `s3:GetBucketAcl` 
+  `s3:PutObject` 
+  `sns:Publish` 
+  `ssm:DescribeOpsItems` 
+  `ssm:GetAutomationExecution` 
+  `ssm:StartAutomationExecution` 
+  `ssm:UpdateOpsItem` 

 **Document Steps** 
+  `aws:executeScript` - Gathers and resolves the OpsItems based on the filters you specify. If you specified a value for the `OpsInsightId` parameter, the value is added as a related resource. 
+  `aws:executeScript` - If you specified a value for the `S3BucketName` parameter, a result summary is then sent to the Amazon S3 bucket. 
+  `aws:executeScript` - If you specified a value for the `SnsTopicArn` parameter, a notification is sent to the Amazon SNS topic after the result summary has been sent to Amazon S3 including the `SnsMessage` parameter value if specified. 
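Because this runbook resolves everything its filter matches (up to 1,000 OpsItems per run), the `Filters` string is the blast-radius control: `[{"Key": "Status", "Values": ["Open"], "Operator": "Equal"}]` on its own resolves every open OpsItem in the account. The Python below is an added example, not the runbook's own code: it serializes filter conditions into the `Filters` parameter string, rejects operators and keys the `OpsItemFilters` element does not accept (the key set here is a subset of the API's list), refuses a filter set that does not narrow by source, resource, time or operational data unless you opt in, and assembles the full parameter map for the execution. Bucket names, topic ARNs and the role ARN are placeholders.

```python
import json

# Operator values accepted by the OpsItemFilters element of DescribeOpsItems.
OPERATORS = {"Equal", "Contains", "GreaterThan", "LessThan"}
# Filter keys this example recognises; the API reference lists more.
KEYS = {"Status", "Source", "CreatedBy", "CreatedTime", "LastModifiedTime", "Priority",
        "Severity", "Category", "Title", "OperationalData", "OperationalDataKey",
        "OperationalDataValue", "ResourceId", "OpsItemId"}
# Keys that actually narrow the match below "every OpsItem in this state".
NARROWING_KEYS = KEYS - {"Status", "Priority", "Severity", "Category"}


def build_filters(conditions, allow_broad=False):
    """Serialize (key, operator, values) triples into the runbook's Filters string.

    Refuses unknown keys and operators, empty value lists, and filter sets that
    would match an entire status class account-wide unless allow_broad=True.
    """
    filters = []
    for key, operator, values in conditions:
        if key not in KEYS:
            raise ValueError(f"unknown OpsItem filter key {key!r}")
        if operator not in OPERATORS:
            raise ValueError(f"operator must be one of {sorted(OPERATORS)}, got {operator!r}")
        if not values or not all(isinstance(v, str) and v for v in values):
            raise ValueError(f"filter {key} needs a non-empty list of string values")
        filters.append({"Key": key, "Values": list(values), "Operator": operator})
    if not allow_broad and not any(f["Key"] in NARROWING_KEYS for f in filters):
        raise ValueError("filters would resolve every matching OpsItem in the account; "
                         "add Source, ResourceId, OperationalData or a time bound, "
                         "or pass allow_broad=True deliberately")
    return json.dumps(filters, separators=(",", ":"))


def resolve_request(filters_json, assume_role_arn, s3_bucket=None, sns_topic_arn=None,
                    sns_message=None, ops_insight_id=None):
    """Assemble the StartAutomationExecution arguments for AWS-BulkResolveOpsItems.

    Optional parameters are included only when set, so the runbook's own
    defaults apply otherwise. The SNS notification is sent only after the
    summary lands in S3, so a topic without a bucket is rejected up front.
    """
    if sns_topic_arn and not s3_bucket:
        raise ValueError("SnsTopicArn only fires after the summary is written to S3BucketName")
    params = {"AutomationAssumeRole": [assume_role_arn], "Filters": [filters_json]}
    optional = {"S3BucketName": s3_bucket, "SnsTopicArn": sns_topic_arn,
                "SnsMessage": sns_message, "OpsInsightId": ops_insight_id}
    params.update({k: [v] for k, v in optional.items() if v})
    return {"DocumentName": "AWS-BulkResolveOpsItems", "Parameters": params}


if __name__ == "__main__":
    # Constructed example: resolve open OpsItems raised by Systems Manager itself.
    filters = build_filters([("Status", "Equal", ["Open"]), ("Source", "Equal", ["SSM"])])
    print(resolve_request(filters, "arn:aws:iam::123456789012:role/AutomationResolveRole",
                          s3_bucket="example-opsitem-summaries"))
```

Before running the automation, feed the same `Filters` value to `describe_ops_items` and check the count it returns; that is the cheapest way to confirm the filter matches what you expect rather than the whole backlog.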

# `AWS-ConfigureMaintenanceWindows`
<a name="aws-configuremaintenancewindows"></a>

 **Description** 

The `AWS-ConfigureMaintenanceWindows` runbook helps you to enable or disable multiple Systems Manager maintenance windows.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-ConfigureMaintenanceWindows) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ MaintenanceWindows

  Type: StringList

  Description: (Required) A comma-separated list of the IDs of the maintenance windows you want to enable or disable.
+ MaintenanceWindowsStatus

  Type: String

  Valid values: "True" | "False"

  Default: "False"

  Description: (Required) Determines whether maintenance windows are enabled or disabled. Specify "True" to enable maintenance windows, and "False" to disable them.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:GetMaintenanceWindow` 
+  `ssm:UpdateMaintenanceWindow` 

 **Document Steps** 
+  `aws:executeScript` - Gathers the status of the maintenance windows you specify in the `MaintenanceWindows` parameter, and enables or disables the maintenance windows. 

# `AWS-CreateManagedLinuxInstance`
<a name="automation-aws-createmanagedlinuxinstance"></a>

 **Description** 

Create an EC2 instance for Linux that is configured for Systems Manager.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-CreateManagedLinuxInstance) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux

**Parameters**
+ AmiId

  Type: String

  Description: (Required) AMI ID to use for launching the instance.
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ GroupName

  Type: String

  Default: SSMSecurityGroupForLinuxInstances

  Description: (Required) Security group name to create.
+ HttpTokens

  Type: String

  Valid values: optional | required

  Default: optional

  Description: (Optional) IMDSv2 uses token-backed sessions. Set the use of HTTP tokens to `optional` or `required` to determine whether IMDSv2 is optional or required. With `optional`, the instance still answers IMDSv1 requests, which is the path typically abused to read instance-profile credentials through an SSRF flaw in a workload on the instance; set `required` unless you have a documented reason not to.
+ InstanceType

  Type: String

  Default: t2.medium

  Description: (Required) Type of instance to launch. Default is t2.medium.
+ KeyPairName

  Type: String

  Description: (Required) Key pair to use when creating instance.
+ RemoteAccessCidr

  Type: String

  Default: 0.0.0.0/0

  Description: (Required) Creates a security group with SSH (port 22) open to the IPs specified by the CIDR (default is 0.0.0.0/0). If the security group already exists, it is not modified and its rules are not changed. The default exposes port 22 to the entire internet; set this to the narrowest range that needs access, or to a range you do not use at all if you reach the instance through Session Manager instead of SSH.
+ RoleName

  Type: String

  Default: SSMManagedInstanceProfileRole

  Description: (Required) Role name to create.
+ StackName

  Type: String

  Default: `CreateManagedInstanceStack{{automation:EXECUTION_ID}}`

  Description: (Optional) Specify stack name used by this runbook
+ SubnetId

  Type: String

  Default: Default

  Description: (Required) New instance will be deployed into this subnet or in the default subnet if not specified.
+ VpcId

  Type: String

  Default: Default

  Description: (Required) New instance will be deployed into this Amazon Virtual Private Cloud (Amazon VPC) or in the default Amazon VPC if not specified.

# `AWS-CreateManagedWindowsInstance`
<a name="automation-aws-createmanagedwindowsinstance"></a>

 **Description** 

Create an EC2 instance for a Windows Server that is configured for Systems Manager.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-CreateManagedWindowsInstance) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Windows

**Parameters**
+ AmiId

  Type: String

   Default: `{{ssm:/aws/service/ami-windows-latest/Windows_Server-2016-English-Full-Base}}` 

  Description: (Required) AMI ID to use for launching the instance.
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ GroupName

  Type: String

  Default: SSMSecurityGroupForLinuxInstances

  Description: (Required) Security group name to create.
+ HttpTokens

  Type: String

  Valid values: optional | required

  Default: optional

  Description: (Optional) IMDSv2 uses token-backed sessions. Set the use of HTTP tokens to `optional` or `required` to determine whether IMDSv2 is optional or required. With `optional`, the instance still answers IMDSv1 requests, which is the path typically abused to read instance-profile credentials through an SSRF flaw in a workload on the instance; set `required` unless you have a documented reason not to.
+ InstanceType

  Type: String

  Default: t2.medium

  Description: (Required) Type of instance to launch. Default is t2.medium.
+ KeyPairName

  Type: String

  Description: (Required) Key pair to use when creating instance.
+ RemoteAccessCidr

  Type: String

  Default: 0.0.0.0/0

  Description: (Required) Creates a security group with RDP (port 3389) open to the IPs specified by the CIDR (default is 0.0.0.0/0). If the security group already exists, it is not modified and its rules are not changed. The default exposes port 3389 to the entire internet; set this to the narrowest range that needs access, or to a range you do not use at all if you reach the instance through Session Manager instead of RDP.
+ RoleName

  Type: String

  Default: SSMManagedInstanceProfileRole

  Description: (Required) Role name to create.
+ StackName

  Type: String

  Default: `CreateManagedInstanceStack{{automation:EXECUTION_ID}}`

  Description: (Optional) Specify stack name used by this runbook
+ SubnetId

  Type: String

  Default: Default

  Description: (Required) New instance will be deployed into this subnet or in the default subnet if not specified.
+ VpcId

  Type: String

  Default: Default

  Description: (Required) New instance will be deployed into this Amazon Virtual Private Cloud (Amazon VPC) or in the default Amazon VPC if not specified.
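Two parameters in `AWS-CreateManagedLinuxInstance` and `AWS-CreateManagedWindowsInstance` default to their weak setting: `RemoteAccessCidr` is `0.0.0.0/0` (SSH or RDP open to the internet) and `HttpTokens` is `optional` (IMDSv1 still served). The Python below is an added example, not part of either runbook, showing the pre-flight check a practitioner would put in front of the `StartAutomationExecution` call: it refuses the internet-wide default, flags any prefix wider than a configurable bound, requires IMDSv2, and can rewrite a parameter set to the hardened values. The CIDRs used in the sample are documentation ranges, not real networks.

```python
import ipaddress

# Runbook defaults for the two settings; both are the weak choice.
WEAK_DEFAULTS = {"RemoteAccessCidr": "0.0.0.0/0", "HttpTokens": "optional"}

# Port each runbook opens in the security group it creates.
REMOTE_PORT = {"AWS-CreateManagedLinuxInstance": 22, "AWS-CreateManagedWindowsInstance": 3389}


def audit_launch_params(document_name, params, min_prefixlen=16):
    """Return a list of findings for a parameter map; an empty list means acceptable.

    - RemoteAccessCidr must be a valid IPv4 CIDR (host bits clear), not 0.0.0.0/0,
      and no wider than /min_prefixlen so the SSH/RDP port is not internet-exposed.
    - HttpTokens must be "required" so the instance only serves IMDSv2.
    Missing keys are evaluated at the runbook's defaults, exactly as the launch would be.
    """
    findings = []
    port = REMOTE_PORT[document_name]
    cidr = params.get("RemoteAccessCidr", WEAK_DEFAULTS["RemoteAccessCidr"])
    try:
        net = ipaddress.IPv4Network(cidr, strict=True)
    except ValueError as exc:
        findings.append(f"RemoteAccessCidr {cidr!r} is not a valid IPv4 CIDR: {exc}")
    else:
        if net.prefixlen == 0:
            findings.append(f"RemoteAccessCidr opens TCP/{port} to the whole internet")
        elif net.prefixlen < min_prefixlen:
            findings.append(f"RemoteAccessCidr /{net.prefixlen} is wider than /{min_prefixlen}")
    tokens = params.get("HttpTokens", WEAK_DEFAULTS["HttpTokens"])
    if tokens != "required":
        findings.append("HttpTokens should be 'required' to enforce IMDSv2")
    return findings


def harden_launch_params(params, trusted_cidr):
    """Return a copy of the parameter map with both settings set to their hardened values."""
    hardened = dict(params)
    hardened["RemoteAccessCidr"] = str(ipaddress.IPv4Network(trusted_cidr, strict=True))
    hardened["HttpTokens"] = "required"
    return hardened


if __name__ == "__main__":
    doc = "AWS-CreateManagedLinuxInstance"
    # Constructed input: the runbook defaults, i.e. nothing overridden.
    weak = {"InstanceType": "t2.medium", "KeyPairName": "example-key"}
    for finding in audit_launch_params(doc, weak):
        print("weak:", finding)
    fixed = harden_launch_params(weak, "203.0.113.0/24")  # documentation range, placeholder
    print("hardened:", audit_launch_params(doc, fixed) or "no findings")
```

Since the instance this runbook creates is Systems Manager-managed, Session Manager gives you a shell or PowerShell session without any inbound port; in that case the tightest `RemoteAccessCidr` is a range you never connect from, and the security group rule the runbook creates is effectively dead.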

# `AWSConfigRemediation-EnableCWLoggingForSessionManager`
<a name="automation-aws-enable-cw-log-sm"></a>

 **Description** 

 The `AWSConfigRemediation-EnableCWLoggingForSessionManager` runbook enables AWS Systems Manager Session Manager (Session Manager) sessions to store output logs to an Amazon CloudWatch (CloudWatch) log group. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-EnableCWLoggingForSessionManager) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ DestinationLogGroup

  Type: String

  Description: (Required) The name of the CloudWatch log group.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `ssm:GetDocument` 
+  `ssm:UpdateDocument` 
+  `ssm:CreateDocument` 
+  `ssm:UpdateDefaultDocumentVersion` 
+  `ssm:DescribeDocument` 

 **Document Steps** 
+  `aws:executeScript` - Accepts the CloudWatch log group to update the document which stores Session Manager session output logs preferences, or creates one if it doesn't exist. 

# `AWS-ExportOpsDataToS3`
<a name="automation-aws-exportopsdatatos3"></a>

 **Description** 

This runbook retrieves a list of OpsData summaries in AWS Systems Manager Explorer and exports them to an object in a specified Amazon Simple Storage Service (Amazon S3) bucket.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-ExportOpsDataToS3) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ columnFields

  Type: StringList

  Description: (Required) Column fields to write to the output file.
+ filters

  Type: String

  Description: (Optional) Filters for the getOpsSummary request.
+ resultAttribute

  Type: String

  Description: (Optional) The result attribute for getOpsSummary request.
+ s3BucketName

  Type: String

  Description: (Required) S3 bucket where you want to download the output file.
+ snsSuccessMessage

  Type: String

  Description: (Optional) Message to send when runbook finishes.
+ snsTopicArn

  Type: String

  Description: (Required) Amazon Simple Notification Service (Amazon SNS) topic ARN to notify when the download completes.
+ syncName

  Type: String

  Description: (Optional) The name of the resource data sync.

 **Document Steps** 

getOpsSummaryStep – Retrieves up to 5,000 OpsData summaries and exports them to a .csv file.

 **Outputs** 

OpsData object – If the runbook runs successfully, you will find the exported OpsData object in your target S3 bucket.

# `AWS-ExportPatchReportToS3`
<a name="automation-aws-exportpatchreporttos3"></a>

 **Description** 

This runbook retrieves lists of patch summary data and patch details in AWS Systems Manager Patch Manager and exports them to .csv files in a specified Amazon Simple Storage Service (Amazon S3) bucket.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-ExportPatchReportToS3) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+  assumeRole 

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that runs this document.
+ s3BucketName

  Type: String

  Description: (Required) The S3 bucket where you want to download the output file.
+ snsTopicArn

  Type: String

  Description: (Optional) The Amazon Simple Notification Service (Amazon SNS) topic Amazon Resource Name (ARN) to notify when the download completes.
+ snsSuccessMessage

  Type: String

  Description: (Optional) Text of the message to send when the runbook finishes.
+ targets

  Type: String

  Description: (Required) The instance ID or a wildcard character (*) to indicate whether to report patch data for a specific instance or for all instances.

 **Document Steps** 

 ExportReportStep – The action for this step depends on the value of the `targets` parameter. If `targets` is in the format of `instanceids=*` , the step retrieves up to 10,000 patch summaries for instances in your account and exports the data to a .csv file. 

 If `targets` is in the format `instanceids=<instance-id>` , the step retrieves both the patch summary and all the patches for the specified instance in your account and exports them to a .csv file. 

 **Outputs** 

PatchSummary/Patches object – If the runbook runs successfully, the exported patch report object is downloaded to your target S3 bucket.

# `AWS-SetupInventory`
<a name="automation-aws-setupinventory"></a>

 **Description** 

 Create a Systems Manager Inventory association for one or more managed instances. The system collects metadata from your instances according to the schedule in the association. For more information, see [AWS Systems Manager Inventory](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-inventory.html) . 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-SetupInventory) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ Applications

  Type: String

  Default: Enabled

  Description: (Optional) Collect metadata about installed applications.
+ AssociatedDocName

  Type: String

   Default: `AWS-GatherSoftwareInventory` 

  Description: (Optional) The name of the runbook used to collect Inventory from the managed instance.
+ AssociationName

  Type: String

  Description: (Optional) A name for the Inventory association that will be assigned to the instance.
+ AssocWaitTime

  Type: String

  Default: PT5M

  Description: (Optional) Amount of time that Inventory collection should pause when the Inventory association start time is reached. The time uses ISO 8601 format.
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+  `AwsComponents` 

  Type: String

  Default: Enabled

  Description: (Optional) Collect metadata for AWS Components like amazon-ssm-agent.
+ CustomInventory

  Type: String

  Default: Enabled

  Description: (Optional) Collect custom inventory metadata.
+ Files

  Type: String

   Description: (Optional) Collect metadata about files on your instances. For more information about how to collect this type of Inventory data, see [Working with file and Windows registry inventory](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-inventory-file-and-registry.html) . Requires SSM Agent version 2.2.64.0 or later. Linux example: `[{"Path":"/usr/bin", "Pattern":["aws*", "*ssm*"],"Recursive":false},{"Path":"/var/log", "Pattern":["amazon*.*"], "Recursive":true, "DirScanLimit":1000}]`. Windows example: `[{"Path":"%PROGRAMFILES%", "Pattern":["*.exe"],"Recursive":true}]` 
+ InstanceDetailedInformation

  Type: String

  Default: Enabled

  Description: (Optional) Collect additional information about the instance, including the CPU model, speed, and the number of cores, to name a few.
+ InstanceIds

  Type: String

  Default: *

  Description: (Required) EC2 instances that you want to inventory.
+ LambdaAssumeRole

  Type: String

  Description: (Optional) The ARN of the role that allows Lambda created by Automation to perform the actions on your behalf. If not specified a transient role will be created to run the Lambda function.
+ NetworkConfig

  Type: String

  Default: Enabled

  Description: (Optional) Collect metadata about network configurations.
+ OutputS3BucketName

  Type: String

  Description: (Optional) Name of an Amazon S3 bucket where you want to write Inventory log data.
+ OutputS3KeyPrefix

  Type: String

  Description: (Optional) An Amazon S3 key prefix (subfolder) where you want to write Inventory log data.
+ OutputS3Region

  Type: String

  Description: (Optional) The name of the AWS Region where the Amazon S3 bucket exists.
+ Schedule

  Type: String

  Default: cron(0 */30 * * * ? *)

  Description: (Optional) A cron expression for the Inventory association schedule. The default is every 30 minutes.
+ Services

  Type: String

  Default: Enabled

  Description: (Optional, Windows OS only, requires SSMAgent version 2.2.64.0 and above) Collect data for service configurations.
+ WindowsRegistry

  Type: String

   Description: (Optional) Collect metadata about Microsoft Windows Registry keys. For more information about how to collect this type of Inventory data, see [Working with file and Windows registry inventory](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-inventory-file-and-registry.html) . Requires SSM Agent version 2.2.64.0 or later. Example: `[{"Path":"HKEY_CURRENT_CONFIG\System","Recursive":true},{"Path":"HKEY_LOCAL_MACHINE\SOFTWARE\Amazon\MachineImage", "ValueNames":["AMIName"]}]` 
+ WindowsRoles

  Type: String

  Default: Enabled

  Description: (Optional) Collect information about Windows roles on the instance. Applies to Windows operating systems only. Requires SSMAgent version 2.2.64.0 or later.
+ WindowsUpdates

  Type: String

  Default: Enabled

  Description: (Optional) Collect data about all Windows Updates on the instance.

# `AWS-SetupManagedInstance`
<a name="automation-aws-setupmanagedinstance"></a>

 **Description** 

Configure an instance with an AWS Identity and Access Management (IAM) role for Systems Manager access.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-SetupManagedInstance) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ InstanceId

  Type: String

  Description: (Required) ID of the EC2 instance to configure
+ LambdaAssumeRole

  Type: String

  Description: (Optional) The ARN of the role that allows Lambda created by Automation to perform the actions on your behalf. If not specified a transient role will be created to run the Lambda function.
+ RoleName

  Type: String

  Default: SSMRoleForManagedInstance

   Description: (Optional) The name of the IAM role for the EC2 instance. If this role does not exist, it will be created. When specifying this value, verify that the role contains the **AmazonSSMManagedInstanceCore** Managed Policy. 

# `AWS-SetupManagedRoleOnEC2Instance`
<a name="automation-aws-setupmanagedroleonec2instance"></a>

 **Description** 

Configure an instance with the SSMRoleForManagedInstance managed IAM role for Systems Manager access.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-SetupManagedRoleOnEC2Instance) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ InstanceId

  Type: String

  Description: (Required) ID of the EC2 instance to configure
+ LambdaAssumeRole

  Type: String

  Description: (Optional) The ARN of the role that allows Lambda created by Automation to perform the actions on your behalf. If not specified a transient role will be created to run the Lambda function.
+ RoleName

  Type: String

  Default: SSMRoleForManagedInstance

   Description: (Optional) The name of the IAM role for the EC2 instance. If this role does not exist, it will be created. When specifying this value, verify that the role contains the **AmazonSSMManagedInstanceCore** Managed Policy. 

# `AWSSupport-TroubleshootManagedInstance`
<a name="automation-awssupport-troubleshoot-managed-instance"></a>

 **Description** 

 The `AWSSupport-TroubleshootManagedInstance` runbook helps you to determine why an Amazon Elastic Compute Cloud (Amazon EC2) instance does not report as managed by AWS Systems Manager. This runbook reviews the VPC configuration for the instance including security group rules, VPC endpoints, network access control list (ACL) rules, and route tables. It also confirms an AWS Identity and Access Management (IAM) instance profile that contains the required permissions is attached to the instance. 

**Important**  
 This automation runbook does not evaluate IPv6 rules.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSSupport-TroubleshootManagedInstance) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ InstanceId

  Type: String

  Description: (Required) The ID of the Amazon EC2 instance that is not reporting as managed by Systems Manager.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:DescribeAutomationExecutions` 
+  `ssm:DescribeAutomationStepExecutions` 
+  `ssm:DescribeInstanceInformation` 
+  `ssm:DescribeInstanceProperties` 
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `ssm:GetDocument` 
+  `ssm:ListDocuments` 
+  `iam:ListRoles` 
+  `iam:GetInstanceProfile` 
+  `iam:ListAttachedRolePolicies` 
+  `ec2:DescribeInstances` 
+  `ec2:DescribeNetworkAcls` 
+  `ec2:DescribeRouteTables` 
+  `ec2:DescribeSecurityGroups` 
+  `ec2:DescribeVpcEndpoints` 

 **Document Steps** 
+  `aws:executeScript` - Gathers the `PingStatus` of the instance. 
+  `aws:branch` - Branches based on whether the instance is already reporting as managed by Systems Manager. 
+  `aws:executeAwsApi` - Gathers details about the instance including the VPC configuration. 
+  `aws:executeScript` - If applicable, gathers additional details related to VPC endpoints that have been deployed to use with Systems Manager, and confirms the security groups attached to the VPC endpoint allow inbound traffic on TCP port 443 from the instance. 
+  `aws:executeScript` - Checks whether the route table allows traffic to the VPC endpoint or public Systems Manager endpoints. 
+  `aws:executeScript` - Checks whether the network ACL rules allow traffic to the VPC endpoint or public Systems Manager endpoints. 
+  `aws:executeScript` - Checks whether outbound traffic to the VPC endpoint or public Systems Manager endpoints is allowed by the security group associated with the instance. 
+  `aws:executeScript` - Checks if the instance profile attached to the instance includes a managed policy that provides the required permissions. 
+  `aws:branch` - Branches based on the operating system of the instance. 
+  `aws:executeScript` - Provides reference to `ssmagent-toolkit-linux` shell script. 
+  `aws:executeScript` - Provides reference to `ssmagent-toolkit-windows` PowerShell script. 
+  `aws:executeScript` - Generates final output for the automation. 
+  `aws:executeScript` - If the `PingStatus` of the instance is `Online` , returns that the instance is already managed by Systems Manager. 

# `AWSSupport-TroubleshootPatchManagerLinux`
<a name="automation-troubleshoot-patch-manager-linux"></a>

 **Description** 

 The `AWSSupport-TroubleshootPatchManagerLinux` runbook troubleshoots common issues that can cause a patch failure on Linux-based managed nodes using Patch Manager, a tool in AWS Systems Manager. The main goal of this runbook is to identify the patch command failure root cause and suggest a remediation plan. 

 **How does it work?** 

 The `AWSSupport-TroubleshootPatchManagerLinux` runbook takes the instance ID and Command ID pair that you provide for troubleshooting. If no Command ID is provided, it selects the latest failed patch command within the last 30 days on the provided instance. After checking the command status, that the prerequisites are met, and the OS distribution, the runbook downloads and runs a log analyzer package. The output includes the root cause of the issue and the action needed to fix it. 

**Document Type**

Automation

**Owner**

Amazon

**Platforms**

 
+ Amazon Linux 2 and AL2023
+ Red Hat Enterprise Linux 8.X and 9.X
+ CentOS 8.X and 9.X
+ SUSE 15.X

**Parameters**

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `ssm:SendCommand`
+ `ssm:DescribeDocument`
+ `ssm:GetCommandInvocation`
+ `ssm:ListCommands`
+ `ssm:DescribeInstanceInformation`
+ `ssm:ListCommandInvocations`
+ `ssm:GetDocument`
+ `ssm:DescribeAutomationExecutions`
+ `ssm:GetAutomationExecution`

 **Instructions** 

Follow these steps to configure the automation:

1. Navigate to the `AWSSupport-TroubleshootPatchManagerLinux` runbook in the AWS Systems Manager console: [https://console.aws.amazon.com/systems-manager/documents/AWSSupport-TroubleshootPatchManagerLinux/description](https://console.aws.amazon.com/systems-manager/documents/AWSSupport-TroubleshootPatchManagerLinux/description).

1. Select Execute automation.

1. For the input parameters, enter the following:
   + **InstanceId (Required):**

     Use the interactive instance picker to choose the ID of the Linux-based SSM managed node (an Amazon Elastic Compute Cloud (Amazon EC2) instance or a hybrid-activated server) that the patch command failed against, or manually enter the ID of the SSM managed instance.
   + **AutomationAssumeRole (Optional):**

     Enter the ARN of the IAM role that allows Automation to perform actions on your behalf. If a role isn't specified, Automation uses the permissions of the user who starts this runbook.
   + **RunCommandId (Optional):**

     Enter the Command ID of the failed `AWS-RunPatchBaseline` Run Command execution. If you don't provide a Command ID, the runbook looks for the latest failed patch command within the last 30 days on the selected instance.  
![\[Input parameters form for EC2 Instance Connect troubleshooting with instance ID and optional fields.\]](http://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/images/awssupport-troubleshoot-patch-manager-linux_input_parameters.png)

1. Select Execute.

1. The automation initiates.

1. The document performs the following steps:
   + **CheckConcurrency:**

     Ensures that there is only one execution of this runbook targeting the same instance. If the runbook finds another execution in progress targeting the same instance, it returns an error and ends.
   + **ValidateCommandID:**

     Validates that the Command ID provided as an input parameter belongs to an execution of the `AWS-RunPatchBaseline` SSM document. If no Command ID is provided, the runbook considers the latest failed execution of `AWS-RunPatchBaseline` within the last 30 days on the selected instance.
   + **BranchOnCommandStatus:**

     Confirms that the status of the provided command is `Failed`. Otherwise, the runbook ends the execution and generates a report stating that the provided command ran successfully.
   + **VerifyPrerequistes:**

     Confirms that the Prerequisites mentioned above are fulfilled. 
   + **GetPlatformDetails:**

     Retrieves the Operating System (OS) distribution and version.
   + **GetDownloadURL:**

     Retrieves the download URL for the PatchManager Log Analyzer package.
   + **EvaluatePatchManagerLogs:**

     Downloads and runs the PatchManager Log Analyzer Python package on the instance to evaluate the log file.
   + **GenerateReport:**

     Generates a final report of the runbook execution that includes the identified problem and suggested solution.

1. After the automation completes, review the Outputs section for the detailed results of the execution:  
![\[Troubleshooting results showing an error downloading payload and suggested solutions.\]](http://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/images/awssupport-troubleshoot-patch-manager-linux_outputs.png)
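The command selection described under "How does it work?" and in the `ValidateCommandID` and `BranchOnCommandStatus` steps, modelled offline in Python as an added example (this is not the runbook's own code). The records mimic the shape of the `Commands` entries returned by `ssm:ListCommands`; the instance ID, command IDs and timestamps are constructed.

```python
"""Offline model of the ValidateCommandID / BranchOnCommandStatus logic that
AWSSupport-TroubleshootPatchManagerLinux applies when choosing which patch
command to analyze (added example, not the runbook's code; constructed data)."""
from datetime import datetime, timedelta, timezone

PATCH_DOCUMENT = "AWS-RunPatchBaseline"
LOOKBACK = timedelta(days=30)

def select_patch_command(commands, instance_id, command_id=None, now=None):
    """Return (command, verdict) from records shaped like ssm ListCommands entries.
    verdict: 'analyze'       - failed AWS-RunPatchBaseline command to troubleshoot
             'not_patch_cmd' - the given ID is unknown or did not run AWS-RunPatchBaseline
             'not_failed'    - the given command did not fail; report success and stop
             'none_found'    - no failed patch command on the instance in the last 30 days"""
    now = now or datetime.now(timezone.utc)
    mine = [c for c in commands if instance_id in c.get("InstanceIds", [])]
    if command_id:
        # Explicit Command ID: validate the document first, then branch on status.
        match = next((c for c in mine if c["CommandId"] == command_id), None)
        if match is None or match["DocumentName"] != PATCH_DOCUMENT:
            return None, "not_patch_cmd"
        return match, ("analyze" if match["Status"] == "Failed" else "not_failed")
    # No Command ID: newest failed patch command inside the 30-day window.
    candidates = [c for c in mine if c["DocumentName"] == PATCH_DOCUMENT
                  and c["Status"] == "Failed" and now - c["RequestedDateTime"] <= LOOKBACK]
    if not candidates:
        return None, "none_found"
    return max(candidates, key=lambda c: c["RequestedDateTime"]), "analyze"

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed reference time
INSTANCE = "i-0example"                          # constructed instance ID

def _cmd(cid, doc, status, days_ago):
    return {"CommandId": cid, "DocumentName": doc, "Status": status,
            "InstanceIds": [INSTANCE], "RequestedDateTime": NOW - timedelta(days=days_ago)}

SAMPLE_COMMANDS = [  # constructed command history for INSTANCE
    _cmd("cmd-old-fail", PATCH_DOCUMENT, "Failed", 45),    # outside the 30-day window
    _cmd("cmd-fail", PATCH_DOCUMENT, "Failed", 10),        # the one the runbook analyzes
    _cmd("cmd-ok", PATCH_DOCUMENT, "Success", 3),          # newer, but it succeeded
    _cmd("cmd-shell", "AWS-RunShellScript", "Failed", 1),  # newest, but the wrong document
]
```

Note that the 30-day window applies only to automatic selection; an explicitly supplied Command ID is accepted as long as it ran `AWS-RunPatchBaseline` against the instance.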

 **References** 

Systems Manager Automation
+ [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/documents/AWSSupport-TroubleshootPatchManagerLinux/description)
+ [Run an automation](https://docs.aws.amazon.com//systems-manager/latest/userguide/automation-working-executing.html)
+ [Setting up an Automation](https://docs.aws.amazon.com//systems-manager/latest/userguide/automation-setup.html)
+ [Support Automation Workflows landing page](https://aws.amazon.com/premiumsupport/technology/saw/)

# `AWSSupport-TroubleshootSessionManager`
<a name="automation-awssupport-troubleshoot-session-manager"></a>

 **Description** 

The `AWSSupport-TroubleshootSessionManager` runbook helps you troubleshoot common issues that prevent you from connecting to managed Amazon Elastic Compute Cloud (Amazon EC2) instances using Session Manager. Session Manager is a tool in AWS Systems Manager. This runbook checks the following: 
+ Checks whether the instance is running and reporting as managed by Systems Manager.
+ Runs the `AWSSupport-TroubleshootManagedInstance` runbook if the instance is not reporting as managed by Systems Manager.
+ Checks the version of the SSM Agent installed on the instance.
+ Checks whether an instance profile containing a recommended AWS Identity and Access Management (IAM) policy for Session Manager is attached to the Amazon EC2 instance.
+ Collects SSM Agent logs from the instance.
+ Analyzes your Session Manager preferences.
+ Runs the `AWSSupport-AnalyzeAWSEndpointReachabilityFromEC2` runbook to analyze the instance's connectivity to the endpoints for Session Manager, AWS Key Management Service (AWS KMS), Amazon Simple Storage Service (Amazon S3) and Amazon CloudWatch Logs (CloudWatch Logs).

 **Considerations** 
+ Hybrid managed nodes are not supported.
+ This runbook only checks whether a recommended managed IAM policy is attached to the instance profile. It does not analyze IAM or AWS KMS permissions contained in your instance profile. 

**Important**  
 The `AWSSupport-AnalyzeAWSEndpointReachabilityFromEC2` runbook uses [VPC Reachability Analyzer](https://docs.aws.amazon.com/vpc/latest/reachability/what-is-reachability-analyzer.html) to analyze the network connectivity between a source and a service endpoint. You are charged per analysis run between a source and destination. For more details, see [Amazon VPC Pricing](https://aws.amazon.com/vpc/pricing/). 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSSupport-TroubleshootSessionManager) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ InstanceId

  Type: String

  Description: (Required) The ID of the Amazon EC2 instance that you are unable to connect to using Session Manager. 
+ SessionPreferenceDocument

  Type: String

  Default: SSM-SessionManagerRunShell

  Description: (Optional) The name of your session preferences document. If you don't specify a custom session preferences document when starting sessions, use the default value. 

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `ec2:CreateNetworkInsightsPath`
+ `ec2:DeleteNetworkInsightsAnalysis`
+ `ec2:DeleteNetworkInsightsPath`
+ `ec2:StartNetworkInsightsAnalysis`
+ `tiros:CreateQuery`
+ `ec2:DescribeAvailabilityZones`
+ `ec2:DescribeCustomerGateways`
+ `ec2:DescribeDhcpOptions`
+ `ec2:DescribeInstances`
+ `ec2:DescribeInstanceStatus`
+ `ec2:DescribeInternetGateways`
+ `ec2:DescribeManagedPrefixLists`
+ `ec2:DescribeNatGateways`
+ `ec2:DescribeNetworkAcls`
+ `ec2:DescribeNetworkInsightsAnalyses`
+ `ec2:DescribeNetworkInsightsPaths`
+ `ec2:DescribeNetworkInterfaces`
+ `ec2:DescribePrefixLists`
+ `ec2:DescribeRegions`
+ `ec2:DescribeRouteTables`
+ `ec2:DescribeSecurityGroups`
+ `ec2:DescribeSubnets`
+ `ec2:DescribeTransitGatewayAttachments`
+ `ec2:DescribeTransitGatewayConnects`
+ `ec2:DescribeTransitGatewayPeeringAttachments`
+ `ec2:DescribeTransitGatewayRouteTables`
+ `ec2:DescribeTransitGateways`
+ `ec2:DescribeTransitGatewayVpcAttachments`
+ `ec2:DescribeVpcAttribute`
+ `ec2:DescribeVpcEndpoints`
+ `ec2:DescribeVpcEndpointServiceConfigurations`
+ `ec2:DescribeVpcPeeringConnections`
+ `ec2:DescribeVpcs`
+ `ec2:DescribeVpnConnections`
+ `ec2:DescribeVpnGateways`
+ `ec2:GetManagedPrefixListEntries`
+ `ec2:GetTransitGatewayRouteTablePropagations`
+ `ec2:SearchTransitGatewayRoutes`
+ `elasticloadbalancing:DescribeListeners`
+ `elasticloadbalancing:DescribeLoadBalancerAttributes`
+ `elasticloadbalancing:DescribeLoadBalancers`
+ `elasticloadbalancing:DescribeRules`
+ `elasticloadbalancing:DescribeTags`
+ `elasticloadbalancing:DescribeTargetGroups`
+ `elasticloadbalancing:DescribeTargetHealth`
+ `iam:GetInstanceProfile`
+ `iam:ListAttachedRolePolicies`
+ `iam:ListRoles`
+ `iam:PassRole`
+ `ssm:DescribeAutomationStepExecutions`
+ `ssm:DescribeInstanceInformation`
+ `ssm:GetAutomationExecution`
+ `ssm:GetDocument`
+ `ssm:ListCommands`
+ `ssm:ListCommandInvocations`
+ `ssm:SendCommand`
+ `ssm:StartAutomationExecution`
+ `tiros:GetQueryAnswer`
+ `tiros:GetQueryExplanation`

 **Document Steps** 

1. `aws:waitForAwsResourceProperty`: Waits up to 6 minutes for your target instance to pass status checks. 

1. `aws:executeScript`: Parses the session preference document.

1. `aws:executeAwsApi`: Gets the ARN of the instance profile attached to your instance. 

1. `aws:executeAwsApi`: Checks whether your instance is reporting as managed by Systems Manager.

1. `aws:branch`: Branches based on whether your instance is reporting as managed by Systems Manager. 

1. `aws:executeScript`: Checks whether the SSM Agent installed on your instance supports Session Manager.

1. `aws:branch`: Branches based on the platform of your instance to collect `ssm-cli` logs. 

1. `aws:runCommand`: Collects `ssm-cli` log output from a Linux or macOS instance.

1. `aws:runCommand`: Collects `ssm-cli` log output from a Windows instance.

1. `aws:executeScript`: Parses the `ssm-cli` logs.

1. `aws:executeScript`: Checks whether a recommended IAM policy is attached to the instance profile. 

1. `aws:branch`: Determines whether to evaluate `ssmmessages` endpoint connectivity based on `ssm-cli` logs.

1. `aws:executeAutomation`: Evaluates whether the instance can connect to an `ssmmessages` endpoint.

1. `aws:branch`: Determines whether to evaluate Amazon S3 endpoint connectivity based on `ssm-cli` logs and your session preferences. 

1. `aws:executeAutomation`: Evaluates whether the instance can connect to an Amazon S3 endpoint.

1. `aws:branch`: Determines whether to evaluate AWS KMS endpoint connectivity based on `ssm-cli` logs and your session preferences. 

1. `aws:executeAutomation`: Evaluates whether the instance can connect to an AWS KMS endpoint.

1. `aws:branch`: Determines whether to evaluate CloudWatch Logs endpoint connectivity based on `ssm-cli` logs and your session preferences. 

1. `aws:executeAutomation`: Evaluates whether the instance can connect to a CloudWatch Logs endpoint.

1. `aws:executeAutomation`: Runs the `AWSSupport-TroubleshootManagedInstance` runbook. 

1. `aws:executeScript`: Compiles the output of the previous steps and outputs a report.

 **Outputs** 
+ `generateReport.EvalReport` - The results of the checks performed by the runbook in plain text. 