
Unified visibility and control across your entire AWS and hybrid infrastructure — no SSH, no bastion hosts, no excuses.
AWS Systems Manager (SSM) is a management service that gives you a unified interface to view operational data, automate operational tasks, and manage your AWS and on-premises resources at scale. It eliminates the need for bastion hosts and direct SSH/RDP access by providing secure, auditable shell access via Session Manager. SSM is the backbone of modern DevOps on AWS, enabling patch management, configuration compliance, run commands, and parameter storage — all without opening inbound ports.
Centralized operational management of EC2, on-premises servers, and edge devices — including patching, configuration, secrets, automation, and secure remote access — without requiring open inbound network ports or SSH keys.
Session Manager (browser/CLI shell without SSH)
No inbound ports required; sessions logged to S3/CloudWatch Logs
Run Command (remote execution at scale)
Target by tag, resource group, or instance ID; rate controls available
Parameter Store (config & secrets storage)
Standard (free, 4KB) and Advanced (paid, 8KB, policies) tiers
Patch Manager (automated patching)
Supports maintenance windows and patch baselines per OS
State Manager (configuration compliance enforcement)
Applies and re-applies desired state via associations
Automation (runbook execution)
Pre-built and custom runbooks (SSM Documents); supports approvals
Inventory (metadata collection)
Software, files, network, registry; queryable via Athena + S3
OpsCenter (operational issue management)
Aggregates OpsItems from multiple AWS services
Compliance (patch and association compliance)
Tracks compliance status, NOT regulatory compliance reports
Change Manager (change governance)
Multi-level approvals, integration with Change Calendar
Change Calendar (change windows)
Define open/closed periods for changes; integrates with Automation
Distributor (software package distribution)
Create and deploy software packages to managed instances
Fleet Manager (GUI-based instance management)
File system browsing, registry editing, log viewing via console
Hybrid/on-premises support
Requires SSM Agent + activation; instances get 'mi-' prefix
Cross-account/cross-Region management (via Organizations)
Resource Data Sync and Explorer support multi-account aggregation
SSM Documents (JSON/YAML runbooks)
Command, Automation, Session, Package, Policy document types
Parameter Store — SecureString (KMS encryption)
Uses AWS-managed key (aws/ssm) or customer-managed KMS key
Parameter Store — Parameter hierarchies
Path-based naming (e.g., /prod/db/password) for organized access
AppConfig (application configuration deployment)
Controlled config rollouts with validators and rollback
Explorer (aggregated operations dashboard)
Multi-account, multi-Region operational data aggregation
Config Rule Auto-Remediation via SSM Automation
[High frequency] AWS Config detects a non-compliant resource (e.g., an EC2 instance missing a required tag or carrying an unencrypted EBS volume) and triggers an SSM Automation runbook to remediate it. This is the canonical pattern for automated compliance enforcement. The remediation configuration passes an AutomationAssumeRole parameter; scope that role to exactly the actions the fix needs, because the runbook runs with its permissions, not the caller's.
CloudWatch Alarm → OpsCenter OpsItem
[High frequency] CloudWatch Alarms and CloudWatch Events (now EventBridge) automatically create OpsItems in OpsCenter when thresholds are breached. Operators investigate and remediate from a single pane without context-switching.
EventBridge → SSM Automation Trigger
[High frequency] EventBridge rules trigger SSM Automation runbooks in response to AWS events (e.g., EC2 instance state change, Config rule violation, Security Hub finding). This enables event-driven operational automation.
Parameter Store as Lambda Configuration Source
[High frequency] Lambda functions retrieve configuration values and secrets from SSM Parameter Store at runtime, or through the AWS Parameters and Secrets Lambda Extension, which caches values locally and cuts API calls. This avoids hardcoding config in environment variables and enables centralized config management.
Multi-Account Fleet Management with Explorer + Resource Data Sync
[High frequency] SSM Explorer aggregates operational data (patch compliance, inventory, OpsItems) across all accounts in an AWS Organization using Resource Data Sync to a central S3 bucket. This enables centralized fleet visibility.
Audit Trail for SSM API Calls
[High frequency] All SSM API calls (including Session Manager StartSession, Run Command SendCommand, and Parameter Store GetParameter) are logged in CloudTrail. This provides the WHO/WHEN/WHAT audit trail. CloudTrail records the parameter name requested and whether WithDecryption was set, never the decrypted value. Session Manager additionally logs session CONTENT to S3/CloudWatch Logs.
Complementary Secrets Storage
[High frequency] Parameter Store SecureString is used for simple config values and non-rotating secrets (free at the Standard tier). Secrets Manager is used when automatic rotation is required (e.g., RDS credentials). They are complementary, not competing; choose based on rotation needs and cost.
Session Manager Replacing Bastion Hosts
[High frequency] Session Manager provides browser-based and CLI shell access to EC2 instances without requiring open inbound ports, SSH keys, or bastion hosts. IAM policies control access; sessions are fully logged. This is the AWS-recommended replacement for SSH bastion architectures.
IAM-Controlled Access to Session Manager and Parameter Store
[High frequency] Access to SSM features is controlled entirely by IAM policies. Session Manager access requires ssm:StartSession, which should be scoped to instance ARNs (or an ssm:resourceTag condition) and to the session document; Parameter Store access requires ssm:GetParameter(s), plus kms:Decrypt for SecureString values. KMS key policies additionally control SecureString decryption.
Session Manager Session Logging + Inventory Resource Data Sync
[High frequency] Session Manager can stream session logs to S3 or CloudWatch Logs for audit purposes. SSM Inventory uses Resource Data Sync to consolidate inventory data from multiple accounts/Regions into a single S3 bucket, queryable via Athena.
Session Manager requires NO inbound security group rules and NO SSH keys: the SSM Agent makes OUTBOUND HTTPS (443) calls to the ssm, ssmmessages, and ec2messages service endpoints (public, or interface VPC endpoints for isolated subnets). If an exam question asks how to securely access EC2 instances without opening ports or managing SSH keys, Session Manager is the answer.
SSM Compliance tracks PATCH compliance and STATE MANAGER association compliance — it tells you WHAT is configured and whether instances are compliant with your desired state. It does NOT provide SOC 2, PCI-DSS, or other regulatory compliance reports. For compliance evidence, use AWS Artifact. For resource configuration history, use AWS Config.
Parameter Store SecureString uses KMS for encryption. If a Lambda or EC2 role needs to GET a SecureString parameter, the IAM policy needs BOTH ssm:GetParameter AND kms:Decrypt permissions (for the KMS key used to encrypt it). Missing the kms:Decrypt is a common exam trap.
The Patch Group tag key is case-sensitive and must be exactly 'Patch Group' (two words, capital P, capital G, one space). AWS also accepts the no-space form 'PatchGroup', needed where tags are exposed in instance metadata and spaces are not allowed; 'patch group' or 'patchgroup' will not match. Instances tagged with this key are associated with the patch baseline registered for that patch group. Instances without this tag use the default baseline for their OS.
For automatic secret rotation (e.g., RDS passwords), use AWS Secrets Manager — NOT Parameter Store. Parameter Store Advanced tier supports parameter policies with expiration notifications but does NOT auto-rotate the secret value itself. This is the #1 differentiator between the two services on the exam.
SSM Compliance ≠ Regulatory Compliance. SSM tracks patch and configuration state compliance only. For regulatory reports (SOC, PCI, HIPAA), use AWS Artifact. For resource change history and rules, use AWS Config.
Session Manager = Zero inbound ports + Zero SSH keys + Full IAM control + Full session logging. Any exam question about 'secure access to EC2 without opening ports or managing SSH keys' = Session Manager.
Automatic secret rotation = AWS Secrets Manager (ALWAYS). Parameter Store Advanced can notify on expiration but CANNOT auto-rotate. This distinction appears on every certification exam.
On-premises servers managed by SSM appear with the 'mi-' prefix (managed instance) instead of 'i-' (EC2 instance). They require an SSM Activation (Activation Code + Activation ID) to register. This is tested in hybrid architecture scenarios.
SSM Automation runbooks can be triggered by: (1) manual execution, (2) EventBridge rules, (3) AWS Config remediation actions, (4) Maintenance Windows, (5) State Manager associations. For exam questions about automated remediation of Config violations, the answer pattern is Config Rule → SSM Automation.
SSM Parameter Store supports hierarchical naming with path-based access control. Use /environment/service/parameter naming (e.g., /prod/myapp/db-password). IAM policies restrict access to an entire subtree by naming the path in the resource ARN (e.g., arn:aws:ssm:region:account-id:parameter/prod/myapp/*); the same resource scoping governs what ssm:GetParametersByPath is allowed to return.
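The two IAM points above (a SecureString read needs kms:Decrypt as well as ssm:GetParameter, and a path in the resource ARN fences a subtree) are easy to get wrong on paper. The following is an added example, not code from this page or from AWS: a small IAM-style evaluator that checks a policy for both actions and for path scoping. It models only Allow/Deny statements with Action and Resource wildcards; Condition, NotAction/NotResource, KMS key policies, SCPs and permission boundaries are out of scope. The account ID, key ID and parameter names are constructed.

```python
import re

# Constructed identifiers for the example: account, Region and a made-up KMS key ID.
ACCOUNT = "123456789012"
REGION = "us-east-1"
PARAM_ARN = f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter"
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/11111111-2222-3333-4444-555555555555"


def iam_glob(pattern: str) -> "re.Pattern[str]":
    """Compile an IAM-style wildcard: '*' matches any run of characters (including '/'),
    '?' matches exactly one character, everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{regex}$")


def _any_match(patterns, value: str, case_insensitive: bool = False) -> bool:
    if isinstance(patterns, str):
        patterns = [patterns]
    if case_insensitive:
        return any(iam_glob(p.lower()).match(value.lower()) for p in patterns)
    return any(iam_glob(p).match(value) for p in patterns)


def evaluate(policies, action: str, resource: str) -> str:
    """Identity-policy subset of the IAM evaluation logic: an explicit Deny wins,
    otherwise any matching Allow grants, otherwise implicit Deny.
    Action names are case-insensitive; ARNs (and SSM parameter names) are case-sensitive.
    Condition, NotAction/NotResource, key policies, SCPs and boundaries are not modelled."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _any_match(stmt.get("Action", []), action, case_insensitive=True):
                continue
            if not _any_match(stmt.get("Resource", []), resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


def secure_string_read(policies, param_name: str) -> dict:
    """GetParameter with WithDecryption=true succeeds only if the caller is allowed
    ssm:GetParameter on the parameter AND kms:Decrypt on the key that encrypted it."""
    checks = {
        "ssm:GetParameter": evaluate(policies, "ssm:GetParameter", PARAM_ARN + param_name),
        "kms:Decrypt": evaluate(policies, "kms:Decrypt", KEY_ARN),
    }
    return {**checks, "can_read": all(v == "Allow" for v in checks.values())}


# The trap: path-scoped parameter access but no kms:Decrypt on the key behind the SecureString.
POLICY_MISSING_KMS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"],
        # Path as a resource: the subtree root plus everything beneath it.
        "Resource": [PARAM_ARN + "/prod/myapp", PARAM_ARN + "/prod/myapp/*"],
    }],
}

# The fix: same parameter grant, kms:Decrypt on the customer-managed key, and an explicit
# Deny that fences off an admin sub-path even though the Allow above would match it.
POLICY_FIXED = {
    "Version": "2012-10-17",
    "Statement": [
        POLICY_MISSING_KMS["Statement"][0],
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN},
        {"Effect": "Deny", "Action": "ssm:*", "Resource": PARAM_ARN + "/prod/myapp/admin/*"},
    ],
}


if __name__ == "__main__":
    for label, policy in (("missing kms:Decrypt", POLICY_MISSING_KMS), ("fixed", POLICY_FIXED)):
        print(label, secure_string_read([policy], "/prod/myapp/db-password"))
    print("outside path", secure_string_read([POLICY_FIXED], "/dev/myapp/db-password"))
```

In a real account the KMS key policy is evaluated as well, so a kms:Decrypt grant in the identity policy is necessary but not sufficient unless the key policy delegates to IAM; the evaluator above deliberately stops at the identity policy.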
CloudTrail logs WHO called SSM APIs (e.g., who ran a command, who accessed a parameter). Session Manager logs WHAT was typed in a session (to S3/CloudWatch Logs). These are complementary — CloudTrail for API audit, Session Manager logging for session content audit.
State Manager associations define DESIRED STATE and re-apply it on a schedule. If an instance drifts from desired state (e.g., an agent gets uninstalled), State Manager detects and corrects it on the next association run. This is the SSM answer to configuration drift.
SSM Distributor is used to create, manage, and deploy software packages (like custom agents or third-party software) to managed instances. It is NOT for application deployment — use CodeDeploy for application deployments. Distributor is for infrastructure-level software distribution.
AppConfig (part of SSM) enables safe, validated configuration deployments to applications with deployment strategies (linear, exponential, all-at-once), validators (JSON schema, Lambda), and automatic rollback. Use it when you need controlled feature flag or config rollouts without redeploying code.
Common Mistake
SSM Compliance provides compliance reports for regulatory frameworks like PCI-DSS, HIPAA, or SOC 2.
Correct
SSM Compliance only tracks PATCH compliance (is the instance patched per the baseline?) and STATE MANAGER association compliance (is the desired configuration applied?). For regulatory compliance reports and attestations, use AWS Artifact. For resource configuration audit history, use AWS Config.
This is the #1 misconception on exam questions. The word 'compliance' in SSM is about operational configuration compliance, not regulatory compliance. Always distinguish: SSM Compliance = config state tracking; AWS Artifact = regulatory documents; AWS Config = resource configuration history and rules.
Common Mistake
CloudTrail provides application-level tracing and can show what happened inside an application or what a Session Manager user typed.
Correct
CloudTrail records AWS API calls (who called which AWS API, when, from where) — it is an API audit log, not an application tracer and not a session content recorder. For distributed request tracing through application code, use AWS X-Ray. For Session Manager session content (keystrokes/output), enable Session Manager logging to S3/CloudWatch Logs.
Exam questions often present a scenario requiring 'what did the user type in the shell session' and list CloudTrail as an option. CloudTrail would only show that StartSession was called, not the session content. Session Manager's own logging feature captures session content.
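To make the CloudTrail-versus-session-content distinction concrete, here is an added example, not from this page and not an AWS tool, that triages a handful of constructed CloudTrail records for SSM calls. The records follow CloudTrail's field layout (eventName, userIdentity.arn, requestParameters, responseElements, errorCode) but are trimmed to the fields the logic reads, and every ARN, instance ID and session ID is invented. The point it demonstrates: CloudTrail can tell you who opened a session to which target and which parameter was decrypted, but the keystrokes and the secret value are never in the trail.

```python
# Constructed, trimmed CloudTrail records in CloudTrail's field layout; real events carry
# many more fields and the IDs/ARNs here are invented.
SAMPLE_EVENTS = [
    {"eventTime": "2026-02-21T10:01:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "StartSession",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/OpsRole/alice"},
     "requestParameters": {"target": "i-0123456789abcdef0"},
     "responseElements": {"sessionId": "alice-0a1b2c3d4e5f6a7b8"}},
    {"eventTime": "2026-02-21T10:02:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameter",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/BillingLambdaRole/billing-fn"},
     "requestParameters": {"name": "/prod/billing/db-password", "withDecryption": True}},
    {"eventTime": "2026-02-21T10:03:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "SendCommand",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/OpsRole/bob"},
     "requestParameters": {"documentName": "AWS-RunShellScript",
                           "targets": [{"key": "tag:Environment", "values": ["prod"]}]}},
    {"eventTime": "2026-02-21T10:04:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParametersByPath",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"path": "/prod", "recursive": True, "withDecryption": True},
     "errorCode": "AccessDeniedException"},
    {"eventTime": "2026-02-21T10:05:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "DescribeInstanceInformation",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/OpsRole/alice"},
     "requestParameters": {}},
]

SECRET_READS = {"GetParameter", "GetParameters", "GetParametersByPath"}


def triage(events):
    """Return one finding per noteworthy SSM API call. CloudTrail answers WHO did WHAT and WHEN;
    it never contains decrypted parameter values or what was typed inside a session."""
    findings = []
    for e in events:
        if e.get("eventSource") != "ssm.amazonaws.com":
            continue
        name, who = e["eventName"], e["userIdentity"]["arn"]
        rp = e.get("requestParameters") or {}

        if e.get("errorCode"):
            # A failed call is still evidence of intent, so it is reported before any other rule.
            finding = ("medium", f"{name} denied ({e['errorCode']}) for {rp}")
        elif name == "StartSession":
            sid = (e.get("responseElements") or {}).get("sessionId")
            finding = ("info", f"shell session {sid} to {rp.get('target')}; keystrokes are in the "
                               "Session Manager log destination, not in CloudTrail")
        elif name in SECRET_READS and rp.get("withDecryption"):
            what = rp.get("name") or rp.get("path") or ",".join(rp.get("names", []))
            sev = "high" if what.startswith("/prod") else "low"
            finding = (sev, f"SecureString decrypt of {what}")
        elif name == "SendCommand":
            targets = rp.get("targets") or []
            # Tag- or resource-group-targeted commands can hit an unknown number of instances.
            broad = any(not t.get("key", "").startswith("InstanceIds") for t in targets)
            finding = ("high" if broad else "medium",
                       f"{rp.get('documentName')} on {targets or rp.get('instanceIds')}")
        else:
            continue
        findings.append({"time": e["eventTime"], "who": who, "eventName": name,
                         "severity": finding[0], "summary": finding[1]})
    return findings


def session_ids(events):
    """Session IDs to pull from the Session Manager log destination: the CloudWatch log
    stream (or S3 object) for a logged session is named after its session ID."""
    return [e["responseElements"]["sessionId"] for e in events
            if e.get("eventName") == "StartSession" and "responseElements" in e]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["time"], f["who"], f["eventName"], "-", f["summary"])
    print("sessions to replay:", session_ids(SAMPLE_EVENTS))
```

The StartSession finding is the one to watch in a forensic scenario: it gives you the session ID, and that ID is the key into the S3 prefix or CloudWatch log stream where Session Manager wrote the actual terminal content, assuming session logging was enabled before the session ran.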
Common Mistake
The SSM Agent includes X-Ray functionality, so you don't need to install the X-Ray daemon separately.
Correct
The SSM Agent and the X-Ray daemon/agent are completely separate software components with completely different purposes. SSM Agent enables Systems Manager features (Run Command, Session Manager, Patch Manager, etc.). X-Ray requires its own daemon or SDK instrumentation for distributed tracing. They do not overlap.
This misconception conflates 'agents on EC2 instances' — there are multiple agents (SSM Agent, CloudWatch Agent, X-Ray daemon, CodeDeploy agent) that serve different purposes. Know each agent's purpose: SSM Agent = management plane; CloudWatch Agent = metrics/logs; X-Ray daemon = distributed tracing.
Common Mistake
Parameter Store and Secrets Manager are interchangeable — just pick whichever is cheaper.
Correct
The key differentiator is AUTOMATIC ROTATION. Secrets Manager natively rotates secrets (e.g., RDS passwords, Redshift credentials) using Lambda functions on a configurable schedule. Parameter Store does NOT rotate secret values; it can notify you of expiration (Advanced tier) but you must rotate manually or build your own rotation. Additionally, Secrets Manager supports cross-account secret sharing natively through resource policies; Parameter Store can share only Advanced-tier parameters cross-account, via AWS RAM.
Exam questions will describe a scenario requiring 'automatic rotation of database credentials every 90 days' — the answer is always Secrets Manager, never Parameter Store. The cost difference ($0.40/secret/month for Secrets Manager vs free for Parameter Store Standard) is secondary to the rotation requirement.
Common Mistake
You need to open port 22 (SSH) or port 3389 (RDP) on security groups to use Session Manager.
Correct
Session Manager requires ZERO inbound ports open. The SSM Agent on the instance initiates outbound HTTPS (port 443) connections to the ssm, ssmmessages, and ec2messages endpoints (interface VPC endpoints or the public endpoints). All you need is: (1) SSM Agent installed and running, (2) an IAM instance profile with the AmazonSSMManagedInstanceCore policy (or Default Host Management Configuration enabled for the account), (3) a network path to those endpoints (VPC endpoints, NAT gateway, or internet gateway).
Security-focused exam questions ask for the most secure way to access instances. Session Manager is always more secure than SSH/RDP because it eliminates inbound ports, SSH key management, and bastion host infrastructure while providing full IAM-based access control and session logging.
Common Mistake
SSM Inventory makes changes to instances to enforce desired configuration.
Correct
SSM Inventory is READ-ONLY metadata collection. It collects information about installed software, network configuration, Windows registry, files, etc. It does NOT make any changes. State Manager (with associations) is the SSM capability that enforces and re-applies desired configuration.
Candidates confuse Inventory (observe) with State Manager (enforce). Remember: Inventory = visibility/audit; State Manager = enforcement/remediation.
Common Mistake
SSM documents (SSM Documents / runbooks) are only used for Automation.
Correct
SSM Documents are used across multiple SSM capabilities: Command documents (Run Command), Automation documents (Automation runbooks), Session documents (Session Manager configuration), Package documents (Distributor), and Policy documents (State Manager). Each capability has its own document type.
Exam questions may describe a 'document' and ask which SSM feature uses it. Know that documents are the underlying mechanism for multiple SSM features, not just Automation.
PARIS = SSM capabilities: Patch Manager, Automation, Run Command, Inventory, Session Manager — the core five you MUST know cold
SSM vs Secrets Manager: 'S for Scheduled rotation' — if the question mentions scheduled/automatic rotation, it's Secrets Manager. If it's just storage with encryption, Parameter Store works fine.
Session Manager = 'No Port, No Key, No Problem' — zero inbound ports, zero SSH keys, full audit trail
For the compliance trap: 'SSM tracks Config-compliance, AWS Artifact tracks Cert-compliance' — Config (configuration state) vs Cert (certification/regulatory documents)
On-premises instances = 'mi-' (Managed Instance) prefix; EC2 = 'i-' prefix — if you see 'mi-' in an exam question, it's a hybrid/on-premises scenario
Patch Group tag: 'Two Words, Two Capitals' — the key is case-sensitive, so 'Patch Group' works (AWS also accepts the no-space form 'PatchGroup'), but 'patch group' or 'patchgroup' silently leaves the instance on the default baseline.
CertAI Tutor · SAP-C02, DVA-C02, SAA-C03, DEA-C01, DOP-C02, SCS-C02, CLF-C02 · 2026-02-21