AWS Systems Manager Automation

learn AWS Systems Manager Automation

SSM Automation document

  • contains one or more steps that run in sequential order
  • can specify parameters
  • Each step is built around a single action
  • Output from one step can be used as input in a later step
  • json or yaml documents
  • can run python or powershell scripts via aws:executeScript (max execution time is 10 min)
  • invoke aws:invokeLambdaFunction
  • can specify execution role via AutomationAssumeRole parameter. If not specified, the automation runs with the permissions of the calling principal
  • can trigger based on EventBridge rule
  • can reference parameters in Parameter Store within an SSM doc via {{ssm:parameter-name}}
  • ssm document types (yaml or json)
    • automation (renamed to runbooks) -
    • command - remotely and securely manage the configuration of your managed instances (ec2 or on-prem)
  • aws:executeScript stdout/stderr can be sent to CloudWatch logs. see
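An example runbook that ties the bullets above together, added here as an illustration (it is not from the original notes or an AWS-published runbook): an AutomationAssumeRole parameter wired to assumeRole, a {{ssm:...}} Parameter Store reference, a step output consumed as input by a later aws:executeScript step, and a step timeout under the 10-minute cap. The Parameter Store key `example-environment`, the instance ID and the role passed at run time are assumed.

```yaml
# Assumed names: the role ARN is passed at run time; 'example-environment' is a Parameter Store key
description: Tag an EC2 instance with a value from Parameter Store, then verify the tag
schemaVersion: '0.3'
# Steps run as this role; when the caller leaves it empty, the caller's own permissions are used
assumeRole: '{{ AutomationAssumeRole }}'
parameters:
  AutomationAssumeRole:
    type: String
    default: ''
  InstanceId:
    type: String
mainSteps:
  - name: tagInstance
    action: aws:executeAwsApi
    inputs:
      Service: ec2
      Api: CreateTags
      Resources:
        - '{{ InstanceId }}'
      Tags:
        - Key: Environment
          Value: '{{ssm:example-environment}}'   # resolved from Parameter Store at run time
  - name: readTags
    action: aws:executeAwsApi
    inputs:
      Service: ec2
      Api: DescribeTags
      Filters:
        - Name: resource-id
          Values:
            - '{{ InstanceId }}'
    outputs:
      - Name: TagList     # exported so the next step can consume it
        Selector: $.Tags
        Type: MapList
  - name: verifyTag
    action: aws:executeScript
    timeoutSeconds: 600   # executeScript steps are capped at 10 minutes
    inputs:
      Runtime: python3.8
      Handler: verify
      InputPayload:
        tags: '{{ readTags.TagList }}'          # output of the previous step used as input
        expected: '{{ssm:example-environment}}'
      Script: |-
        def verify(events, context):
            tags = {t['Key']: t['Value'] for t in events['tags']}
            if tags.get('Environment') != events['expected']:
                raise Exception('Environment tag missing or wrong')
            return {'ok': True}
```

Scope the assumed role to the ec2:CreateTags and ec2:DescribeTags calls the steps actually make, rather than letting it inherit broad permissions from the caller.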


# create an ssm document
aws ssm create-document \
    --content file://path/to/file/documentContent.json \
    --name "document-name" \
    --document-type "Command" \
    --tags "Key=tag-key,Value=tag-value"

# run an automation (runbook) document (max execution time is 10 min)
aws ssm start-automation-execution \
    --document-name "AWS-UpdateLinuxAmi" \
    --parameters "AutomationAssumeRole=arn:aws:iam::123456789012:role/SSMAutomationRole,SourceAmiId=ami-EXAMPLE,IamInstanceProfileName=EC2InstanceRole"

# run `command` type document (runs on EC2 instances)
aws ssm send-command \
    --instance-ids "instance-ID" \
    --document-name "AWS-RunShellScript" \
    --comment "IP config" \
    --parameters commands=ifconfig \
    --output text