AWS Systems Manager (SSM) Study Guide
AWS Systems Manager is a central hub for managing your AWS resources and on-premises infrastructure at scale. It provides a unified user interface so you can view operational data from multiple AWS services and automate operational tasks across your resources.
Core Components & Features
1. Session Manager
Provides secure, auditable instance management without the need to open inbound ports (like 22 or 3389) or maintain bastion hosts. The SSM Agent on the instance initiates an outbound connection to the Systems Manager service, which relays the session, so the instance exposes no listener at all.
2. Parameter Store
A secure, hierarchical storage for configuration data and secrets management (passwords, database strings, AMI IDs). It integrates with AWS KMS for encryption.
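The hierarchy matters for access control: IAM policies scope parameter access by ARN path, and a SecureString additionally needs decrypt rights on its KMS key. The following added example (not AWS code, and not part of this guide's source) models that evaluation with a small Allow/Deny matcher. The account id, region and KMS key ARN are constructed placeholders, and the policy is a constructed least-privilege grant for one application's sub-tree.

```python
"""Added example: a small model of IAM policy evaluation for SSM Parameter
Store hierarchies. Not AWS's code; it implements only Allow/Deny with
'*' and '?' wildcards and the parameter ARN layout. Account id, region and
KMS key id below are constructed placeholders."""
import re

ACCOUNT_ID = "123456789012"  # placeholder (constructed)
REGION = "us-east-1"
# constructed placeholder key ARN for the key that encrypts SecureString parameters
KMS_KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/00000000-0000-0000-0000-000000000000"


def param_arn(name: str) -> str:
    """ARN of a parameter: hierarchical names already start with '/', so the
    ARN is 'parameter' + name; flat names get a '/' inserted."""
    return f"arn:aws:ssm:{REGION}:{ACCOUNT_ID}:parameter{name if name.startswith('/') else '/' + name}"


def _wildcard_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style glob: '*' matches any run of characters, '?' one character."""
    parts = [".".join(re.escape(p) for p in star_part.split("?")) for star_part in pattern.split("*")]
    regex = "^" + ".*".join(parts) + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource_arn: str) -> bool:
    """Explicit Deny wins over any Allow; no matching statement means denied."""
    allowed = False
    for stmt in policy["Statement"]:
        # action names match case-insensitively; resource ARNs are case-sensitive
        if not any(_wildcard_match(a, action, ignore_case=True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed least-privilege policy for one application: read its own
# hierarchy, never its admin sub-tree, never write, and decrypt with one key.
APP1_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"],
            "Resource": param_arn("/prod/app1/*"),
        },
        {
            "Effect": "Deny",
            "Action": "ssm:*",
            "Resource": param_arn("/prod/app1/admin/*"),
        },
        {
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": KMS_KEY_ARN,
        },
    ],
}


def can_read_secure_string(policy: dict, name: str, key_arn: str) -> dict:
    """A SecureString read needs both the ssm:GetParameter grant on the
    parameter and kms:Decrypt on the key that encrypted it."""
    ssm_ok = is_allowed(policy, "ssm:GetParameter", param_arn(name))
    kms_ok = is_allowed(policy, "kms:Decrypt", key_arn)
    return {"parameter": ssm_ok, "kms": kms_ok, "readable": ssm_ok and kms_ok}


if __name__ == "__main__":
    for name in ["/prod/app1/db/url", "/prod/app1/admin/root-token", "/prod/app2/db/url"]:
        print(name, can_read_secure_string(APP1_READ_POLICY, name, KMS_KEY_ARN))
```

The point to take away is the two-gate design: a principal can hold `ssm:GetParameter` on the whole `/prod/app1/*` tree and still be unable to read a SecureString if the KMS key policy or IAM denies `kms:Decrypt`, and an explicit Deny on a sub-path such as `/prod/app1/admin/*` overrides the broader Allow. Real IAM also evaluates conditions, SCPs and resource policies, which this model leaves out.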
3. Run Command
Allows you to remotely and securely manage the configuration of your managed instances at scale. You can run scripts or shell commands on a group of instances simultaneously.
4. Patch Manager
Automates the process of patching managed instances with both security-related and other types of updates. You can define “Patch Baselines” to control which patches are approved for installation.
Parameter Store vs. Secrets Manager
| Feature | SSM Parameter Store | AWS Secrets Manager |
|---|---|---|
| Primary Use | Config data & simple secrets | Complex secrets (DB credentials) |
| Cost | Standard is Free | Paid per secret/month |
| Rotation | Manual / Custom Lambda | Native Auto-rotation (RDS/Redshift) |
| Cross-account | Complex setup | Easier native support |
Decision Matrix / If–Then Guide
- If you need to access a private instance without a Bastion host ⮕ Use Session Manager.
- If you need to run a shell script on 50 instances at 2 AM ⮕ Use Run Command + Maintenance Windows.
- If you need to store an API key for free ⮕ Use Parameter Store (Standard).
- If you need to ensure instances stay in a “Desired State” (e.g., specific software installed) ⮕ Use State Manager.
- If you need to manage on-premises servers ⮕ Use Hybrid Activations + SSM Agent.
Exam Tips and Gotchas
- SSM Agent: Must be installed and running on the target instance. It is pre-installed on Amazon Linux 1/2/2023 and many Windows AMIs.
- IAM Role: The EC2 instance must have an IAM Instance Profile with the AmazonSSMManagedInstanceCore policy attached.
- Connectivity: The instance needs outbound access to the SSM service endpoints (via Internet Gateway, NAT Gateway, or VPC Endpoints). No inbound ports are required for Session Manager.
- Hybrid Cloud: SSM can manage on-premises servers. This requires a “Hybrid Activation” and a specific IAM service role.
- Resource Groups: Use these to categorize resources (by Tag) so SSM can act on them as a single unit.
Topics Covered
Summary of key subtopics covered in this guide:
- Session Manager (Secure Access)
- Parameter Store (Config & Secrets)
- Run Command (Bulk Execution)
- Patch Manager (Compliance)
- State Manager (Configuration Consistency)
- Hybrid Cloud Management
- IAM Roles for SSM
Integrations
IAM: Controls who can run commands.
KMS: Encrypts parameters.
CloudWatch: Logs session data and command output.
EventBridge: Triggers Automations on status changes.
Scaling & Limits
Throughput: Parameter Store supports up to 10,000 requests per second (Higher Throughput setting).
Concurrency: Run Command can target thousands of instances using tags and control velocity via “Max Errors” and “Concurrency”.
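To make the two rate controls concrete, here is an added simulation (not AWS code, and not from this guide's source) of how a Run Command invocation moves through a fleet: targets are sent in batches of MaxConcurrency, and once the error count exceeds MaxErrors no further targets receive the command. The fleet and its failure pattern are constructed, and the percentage rounding (floor, with concurrency never below 1) is this model's own assumption.

```python
"""Added example: a simulation of Run Command rate controls (MaxConcurrency
and MaxErrors). Not AWS code; it models targets being processed in batches
of MaxConcurrency and no further targets being sent once the error count
exceeds MaxErrors. Percentage handling (floor, concurrency at least 1) is
this model's assumption."""
import math


def parse_rate(value: str, total_targets: int, minimum: int) -> int:
    """Accept an absolute count ('10') or a percentage of targets ('10%')."""
    if value.endswith("%"):
        count = math.floor(total_targets * int(value[:-1]) / 100)
    else:
        count = int(value)
    return max(minimum, count)


def simulate_run_command(outcomes: dict, max_concurrency: str, max_errors: str) -> dict:
    """outcomes maps instance id -> True if the command succeeds there.
    Returns which targets were sent, which failed and which were never sent."""
    targets = list(outcomes)
    batch_size = parse_rate(max_concurrency, len(targets), minimum=1)
    error_budget = parse_rate(max_errors, len(targets), minimum=0)
    sent, failed, skipped = [], [], []
    errors = 0
    for start in range(0, len(targets), batch_size):
        if errors > error_budget:
            # budget exhausted: the remaining targets never receive the command
            skipped.extend(targets[start:])
            break
        for instance in targets[start:start + batch_size]:
            # every target in an in-flight batch completes, even if some fail
            sent.append(instance)
            if not outcomes[instance]:
                failed.append(instance)
                errors += 1
    return {"sent": sent, "failed": failed, "skipped": skipped,
            "batch_size": batch_size, "error_budget": error_budget}


# Constructed fleet: 10 instances, three of which would fail the command
FLEET = {f"i-{n:017x}": n not in (1, 2, 5) for n in range(10)}

if __name__ == "__main__":
    print("cautious rollout:", simulate_run_command(FLEET, max_concurrency="2", max_errors="1"))
    print("all at once:", simulate_run_command(FLEET, max_concurrency="100%", max_errors="0"))
```

With a concurrency of 2 and an error budget of 1, the bad batch stops the rollout after four instances and six are never touched; with 100% concurrency the same command reaches every instance before any error can halt it, which is why a small first batch is the usual blast-radius control for a new script.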
Optimization
Standard Parameters: Free.
Advanced Parameters: $0.05 per 10,000 interactions.
Automation: Free for the first 100,000 steps per month. Most SSM features have no additional cost beyond the resources they manage.
Production Use Case: Zero-Touch Patching
A financial firm uses Maintenance Windows to trigger Patch Manager every Tuesday at 3 AM. It automatically scans 500+ EC2 instances across multiple VPCs, applies security updates, and reboots if necessary. Compliance reports are then automatically sent to an S3 bucket for auditing.
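The scan-then-report step of that workflow depends on what the baseline approves. The following added example (not AWS code, and not part of this guide's source) models a baseline's approval rules (classification, severity, approve-after-days, plus an explicit rejected list) and the per-patch compliance state an instance would then report. The patch inventory, dates and rule values are constructed; the rule that an installed rejected patch makes the instance non-compliant is this model's reading of Patch Manager's states.

```python
"""Added example: a model of how a Patch Manager baseline's approval rules
decide which patches an instance is expected to have, and how each patch
is then reported. Not AWS code; the rule shape and state names follow the
Patch Manager concepts, but all patch metadata below is constructed."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Patch:
    patch_id: str
    classification: str   # e.g. "Security", "Bugfix"
    severity: str         # e.g. "Critical", "Important", "Low"
    release_date: date
    installed: bool


@dataclass(frozen=True)
class ApprovalRule:
    classifications: frozenset
    severities: frozenset
    approve_after_days: int   # patches younger than this stay unapproved


@dataclass(frozen=True)
class PatchBaseline:
    rules: tuple
    rejected: frozenset = frozenset()   # explicitly blocked patch ids


def is_approved(patch: Patch, baseline: PatchBaseline, today: date) -> bool:
    """Rejected ids are never approved; otherwise any matching rule approves."""
    if patch.patch_id in baseline.rejected:
        return False
    age = (today - patch.release_date).days
    return any(
        patch.classification in rule.classifications
        and patch.severity in rule.severities
        and age >= rule.approve_after_days
        for rule in baseline.rules
    )


def compliance_state(patch: Patch, baseline: PatchBaseline, today: date) -> str:
    """INSTALLED / MISSING cover approved patches; INSTALLED_OTHER and
    INSTALLED_REJECTED record what is present but outside the baseline.
    An unapproved, absent patch is not a finding; labelled NOT_APPROVED here."""
    approved = is_approved(patch, baseline, today)
    if patch.installed:
        if patch.patch_id in baseline.rejected:
            return "INSTALLED_REJECTED"
        return "INSTALLED" if approved else "INSTALLED_OTHER"
    return "MISSING" if approved else "NOT_APPROVED"


def compliance_report(patches, baseline: PatchBaseline, today: date) -> dict:
    """Per-patch states plus an instance verdict: compliant only when no
    approved patch is missing and no rejected patch is present (model's rule)."""
    states = {p.patch_id: compliance_state(p, baseline, today) for p in patches}
    counts = {}
    for state in states.values():
        counts[state] = counts.get(state, 0) + 1
    compliant = counts.get("MISSING", 0) == 0 and counts.get("INSTALLED_REJECTED", 0) == 0
    return {"states": states, "counts": counts, "compliant": compliant}


# Constructed baseline: security patches rated Critical/Important, 7 days after release
BASELINE = PatchBaseline(
    rules=(ApprovalRule(frozenset({"Security"}), frozenset({"Critical", "Important"}), 7),),
    rejected=frozenset({"KB-0005"}),
)
TODAY = date(2024, 6, 1)  # constructed scan date
PATCHES = [  # constructed inventory for one instance
    Patch("KB-0001", "Security", "Critical", date(2024, 5, 20), installed=True),
    Patch("KB-0002", "Security", "Important", date(2024, 5, 29), installed=False),
    Patch("KB-0003", "Security", "Critical", date(2024, 5, 1), installed=False),
    Patch("KB-0004", "Bugfix", "Low", date(2024, 4, 1), installed=True),
    Patch("KB-0005", "Security", "Critical", date(2024, 3, 1), installed=True),
]

if __name__ == "__main__":
    report = compliance_report(PATCHES, BASELINE, TODAY)
    for patch_id, state in report["states"].items():
        print(f"{patch_id}: {state}")
    print("compliant:", report["compliant"])
```

Two behaviours are worth noticing when reading the output: a patch released three days ago is not yet MISSING under a 7-day approval delay, so a scan run the following week flips the same instance to non-compliant without anything changing on the host, and a rejected patch that is already installed shows up as a finding even though the instance is otherwise fully patched.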