aws ssm

AWS Systems Manager AWS Systems Manager is a collection of capabilities that helps you automate management tasks such as collecting system inventory, applying operating system (OS) patches, automating the creation of Amazon Machine Images (AMIs), and configuring operating systems (OSs) and applications at scale. Systems Manager lets you remotely and securely manage the configuration of your managed instances. A managed instance is any Amazon Elastic Compute Cloud instance (EC2 instance), or any on-premises server or virtual machine (VM) in your hybrid environment that has been configured for Systems Manager. This reference is intended to be used with the AWS Systems Manager User Guide. To get started, verify prerequisites and configure managed instances. For more information, see Setting up AWS Systems Manager in the AWS Systems Manager User Guide. For information about other API actions you can perform on EC2 instances, see the Amazon EC2 API Reference. For information about how to use a Query API, see Making API requests

Subcommands

NameDescription
add-tags-to-resourceAdds or overwrites one or more tags for the specified resource. Tags are metadata that you can assign to your documents, managed instances, maintenance windows, Parameter Store parameters, and patch baselines. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment. Each tag consists of a key and an optional value, both of which you define. For example, you could define a set of tags for your account's managed instances that helps you track each instance's owner and stack level. For example: Key=Owner and Value=DbAdmin, SysAdmin, or Dev. Or Key=Stack and Value=Production, Pre-Production, or Test. Each resource can have a maximum of 50 tags. We recommend that you devise a set of tag keys that meets your needs for each resource type. Using a consistent set of tag keys makes it easier for you to manage your resources. You can search and filter the resources based on the tags you add. Tags don't have any semantic meaning to and are interpreted strictly as a string of characters. For more information about using tags with EC2 instances, see Tagging your Amazon EC2 resources in the Amazon EC2 User Guide
cancel-commandAttempts to cancel the command specified by the Command ID. There is no guarantee that the command will be terminated and the underlying process stopped
cancel-maintenance-window-executionStops a maintenance window execution that is already in progress and cancels any tasks in the window that have not already starting running. (Tasks already in progress will continue to completion.)
create-activationGenerates an activation code and activation ID you can use to register your on-premises server or virtual machine (VM) with Systems Manager. Registering these machines with Systems Manager makes it possible to manage them using Systems Manager capabilities. You use the activation code and ID when installing SSM Agent on machines in your hybrid environment. For more information about requirements for managing on-premises instances and VMs using Systems Manager, see Setting up AWS Systems Manager for hybrid environments in the AWS Systems Manager User Guide. On-premises servers or VMs that are registered with Systems Manager and EC2 instances that you manage with Systems Manager are all called managed instances
create-associationA State Manager association defines the state that you want to maintain on your instances. For example, an association can specify that anti-virus software must be installed and running on your instances, or that certain ports must be closed. For static targets, the association specifies a schedule for when the configuration is reapplied. For dynamic targets, such as an AWS Resource Group or an AWS Autoscaling Group, State Manager applies the configuration when new instances are added to the group. The association also specifies actions to take when applying the configuration. For example, an association for anti-virus software might run once a day. If the software is not installed, then State Manager installs it. If the software is installed, but the service is not running, then the association might instruct State Manager to start the service
create-association-batchAssociates the specified Systems Manager document with the specified instances or targets. When you associate a document with one or more instances using instance IDs or tags, SSM Agent running on the instance processes the document and configures the instance as specified. If you associate a document with an instance that already has an associated document, the system returns the AssociationAlreadyExists exception
create-documentCreates a Systems Manager (SSM) document. An SSM document defines the actions that Systems Manager performs on your managed instances. For more information about SSM documents, including information about supported schemas, features, and syntax, see AWS Systems Manager Documents in the AWS Systems Manager User Guide
create-maintenance-windowCreates a new maintenance window. The value you specify for Duration determines the specific end time for the maintenance window based on the time it begins. No maintenance window tasks are permitted to start after the resulting endtime minus the number of hours you specify for Cutoff. For example, if the maintenance window starts at 3 PM, the duration is three hours, and the value you specify for Cutoff is one hour, no maintenance window tasks can start after 5 PM
create-ops-itemCreates a new OpsItem. You must have permission in AWS Identity and Access Management (IAM) to create a new OpsItem. For more information, see Getting started with OpsCenter in the AWS Systems Manager User Guide. Operations engineers and IT professionals use OpsCenter to view, investigate, and remediate operational issues impacting the performance and health of their AWS resources. For more information, see AWS Systems Manager OpsCenter in the AWS Systems Manager User Guide
create-ops-metadataIf you create a new application in Application Manager, Systems Manager calls this API action to specify information about the new application, including the application type
create-patch-baselineCreates a patch baseline. For information about valid key and value pairs in PatchFilters for each supported operating system type, see PatchFilter
create-resource-data-syncA resource data sync helps you view data from multiple sources in a single location. Systems Manager offers two types of resource data sync: SyncToDestination and SyncFromSource. You can configure Systems Manager Inventory to use the SyncToDestination type to synchronize Inventory data from multiple AWS Regions to a single S3 bucket. For more information, see Configuring Resource Data Sync for Inventory in the AWS Systems Manager User Guide. You can configure Systems Manager Explorer to use the SyncFromSource type to synchronize operational work items (OpsItems) and operational data (OpsData) from multiple AWS Regions to a single S3 bucket. This type can synchronize OpsItems and OpsData from multiple AWS accounts and Regions or EntireOrganization by using AWS Organizations. For more information, see Setting up Systems Manager Explorer to display data from multiple accounts and Regions in the AWS Systems Manager User Guide. A resource data sync is an asynchronous operation that returns immediately. After a successful initial sync is completed, the system continuously syncs data. To check the status of a sync, use the ListResourceDataSync. By default, data is not encrypted in Amazon S3. We strongly recommend that you enable encryption in Amazon S3 to ensure secure data storage. We also recommend that you secure access to the Amazon S3 bucket by creating a restrictive bucket policy
delete-activationDeletes an activation. You are not required to delete an activation. If you delete an activation, you can no longer use it to register additional managed instances. Deleting an activation does not de-register managed instances. You must manually de-register managed instances
delete-associationDisassociates the specified Systems Manager document from the specified instance. When you disassociate a document from an instance, it does not change the configuration of the instance. To change the configuration state of an instance after you disassociate a document, you must create a new document with the desired configuration and associate it with the instance
delete-documentDeletes the Systems Manager document and all instance associations to the document. Before you delete the document, we recommend that you use DeleteAssociation to disassociate all instances that are associated with the document
delete-inventoryDelete a custom inventory type or the data associated with a custom Inventory type. Deleting a custom inventory type is also referred to as deleting a custom inventory schema
delete-maintenance-windowDeletes a maintenance window
delete-ops-metadataDelete OpsMetadata related to an application
delete-parameterDelete a parameter from the system
delete-parametersDelete a list of parameters
delete-patch-baselineDeletes a patch baseline
delete-resource-data-syncDeletes a Resource Data Sync configuration. After the configuration is deleted, changes to data on managed instances are no longer synced to or from the target. Deleting a sync configuration does not delete data
deregister-managed-instanceRemoves the server or virtual machine from the list of registered servers. You can reregister the instance again at any time. If you don't plan to use Run Command on the server, we suggest uninstalling SSM Agent first
deregister-patch-baseline-for-patch-groupRemoves a patch group from a patch baseline
deregister-target-from-maintenance-windowRemoves a target from a maintenance window
deregister-task-from-maintenance-windowRemoves a task from a maintenance window
describe-activationsDescribes details about the activation, such as the date and time the activation was created, its expiration date, the IAM role assigned to the instances in the activation, and the number of instances registered by using this activation
describe-associationDescribes the association for the specified target or instance. If you created the association by using the Targets parameter, then you must retrieve the association by using the association ID. If you created the association by specifying an instance ID and a Systems Manager document, then you retrieve the association by specifying the document name and the instance ID
describe-association-execution-targetsUse this API action to view information about a specific execution of a specific association
describe-association-executionsUse this API action to view all executions for a specific association ID
describe-automation-executionsProvides details about all active and terminated Automation executions
describe-automation-step-executionsInformation about all active and terminated step executions in an Automation workflow
describe-available-patchesLists all patches eligible to be included in a patch baseline
describe-documentDescribes the specified Systems Manager document
describe-document-permissionDescribes the permissions for a Systems Manager document. If you created the document, you are the owner. If a document is shared, it can either be shared privately (by specifying a user's AWS account ID) or publicly (All)
describe-effective-instance-associationsAll associations for the instance(s)
describe-effective-patches-for-patch-baselineRetrieves the current effective patches (the patch and the approval state) for the specified patch baseline. Note that this API applies only to Windows patch baselines
describe-instance-associations-statusThe status of the associations for the instance(s)
describe-instance-informationDescribes one or more of your instances, including information about the operating system platform, the version of SSM Agent installed on the instance, instance status, and so on. If you specify one or more instance IDs, it returns information for those instances. If you do not specify instance IDs, it returns information for all your instances. If you specify an instance ID that is not valid or an instance that you do not own, you receive an error. The IamRole field for this API action is the Amazon Identity and Access Management (IAM) role assigned to on-premises instances. This call does not return the IAM role for EC2 instances
describe-instance-patch-statesRetrieves the high-level patch state of one or more instances
describe-instance-patch-states-for-patch-groupRetrieves the high-level patch state for the instances in the specified patch group
describe-instance-patchesRetrieves information about the patches on the specified instance and their state relative to the patch baseline being used for the instance
describe-inventory-deletionsDescribes a specific delete inventory operation
describe-maintenance-window-execution-task-invocationsRetrieves the individual task executions (one per target) for a particular task run as part of a maintenance window execution
describe-maintenance-window-execution-tasksFor a given maintenance window execution, lists the tasks that were run
describe-maintenance-window-executionsLists the executions of a maintenance window. This includes information about when the maintenance window was scheduled to be active, and information about tasks registered and run with the maintenance window
describe-maintenance-window-scheduleRetrieves information about upcoming executions of a maintenance window
describe-maintenance-window-targetsLists the targets registered with the maintenance window
describe-maintenance-window-tasksLists the tasks in a maintenance window. For maintenance window tasks without a specified target, you cannot supply values for --max-errors and --max-concurrency. Instead, the system inserts a placeholder value of 1, which may be reported in the response to this command. These values do not affect the running of your task and can be ignored
describe-maintenance-windowsRetrieves the maintenance windows in an AWS account
describe-maintenance-windows-for-targetRetrieves information about the maintenance window targets or tasks that an instance is associated with
describe-ops-itemsQuery a set of OpsItems. You must have permission in AWS Identity and Access Management (IAM) to query a list of OpsItems. For more information, see Getting started with OpsCenter in the AWS Systems Manager User Guide. Operations engineers and IT professionals use OpsCenter to view, investigate, and remediate operational issues impacting the performance and health of their AWS resources. For more information, see AWS Systems Manager OpsCenter in the AWS Systems Manager User Guide
describe-parametersGet information about a parameter. Request results are returned on a best-effort basis. If you specify MaxResults in the request, the response includes information up to the limit specified. The number of items returned, however, can be between zero and the value of MaxResults. If the service reaches an internal limit while processing the results, it stops the operation and returns the matching values up to that point and a NextToken. You can specify the NextToken in a subsequent call to get the next set of results
describe-patch-baselinesLists the patch baselines in your AWS account
describe-patch-group-stateReturns high-level aggregated patch compliance state for a patch group
describe-patch-groupsLists all patch groups that have been registered with patch baselines
describe-patch-propertiesLists the properties of available patches organized by product, product family, classification, severity, and other properties of available patches. You can use the reported properties in the filters you specify in requests for actions such as CreatePatchBaseline, UpdatePatchBaseline, DescribeAvailablePatches, and DescribePatchBaselines. The following section lists the properties that can be used in filters for each major operating system type: AMAZON_LINUX Valid properties: PRODUCT, CLASSIFICATION, SEVERITY AMAZON_LINUX_2 Valid properties: PRODUCT, CLASSIFICATION, SEVERITY CENTOS Valid properties: PRODUCT, CLASSIFICATION, SEVERITY DEBIAN Valid properties: PRODUCT, PRIORITY MACOS Valid properties: PRODUCT, CLASSIFICATION ORACLE_LINUX Valid properties: PRODUCT, CLASSIFICATION, SEVERITY REDHAT_ENTERPRISE_LINUX Valid properties: PRODUCT, CLASSIFICATION, SEVERITY SUSE Valid properties: PRODUCT, CLASSIFICATION, SEVERITY UBUNTU Valid properties: PRODUCT, PRIORITY WINDOWS Valid properties: PRODUCT, PRODUCT_FAMILY, CLASSIFICATION, MSRC_SEVERITY
describe-sessionsRetrieves a list of all active sessions (both connected and disconnected) or terminated sessions from the past 30 days
get-automation-executionGet detailed information about a particular Automation execution
get-calendar-stateGets the state of the AWS Systems Manager Change Calendar at an optional, specified time. If you specify a time, GetCalendarState returns the state of the calendar at a specific time, and returns the next time that the Change Calendar state will transition. If you do not specify a time, GetCalendarState assumes the current time. Change Calendar entries have two possible states: OPEN or CLOSED. If you specify more than one calendar in a request, the command returns the status of OPEN only if all calendars in the request are open. If one or more calendars in the request are closed, the status returned is CLOSED. For more information about Systems Manager Change Calendar, see AWS Systems Manager Change Calendar in the AWS Systems Manager User Guide
get-command-invocationReturns detailed information about command execution for an invocation or plugin. GetCommandInvocation only gives the execution status of a plugin in a document. To get the command execution status on a specific instance, use ListCommandInvocations. To get the command execution status across instances, use ListCommands
get-connection-statusRetrieves the Session Manager connection status for an instance to determine whether it is running and ready to receive Session Manager connections
get-default-patch-baselineRetrieves the default patch baseline. Note that Systems Manager supports creating multiple default patch baselines. For example, you can create a default patch baseline for each operating system. If you do not specify an operating system value, the default patch baseline for Windows is returned
get-deployable-patch-snapshot-for-instanceRetrieves the current snapshot for the patch baseline the instance uses. This API is primarily used by the AWS-RunPatchBaseline Systems Manager document
get-documentGets the contents of the specified Systems Manager document
get-inventoryQuery inventory information
get-inventory-schemaReturn a list of inventory type names for the account, or return a list of attribute names for a specific Inventory item type
get-maintenance-windowRetrieves a maintenance window
get-maintenance-window-executionRetrieves details about a specific a maintenance window execution
get-maintenance-window-execution-taskRetrieves the details about a specific task run as part of a maintenance window execution
get-maintenance-window-execution-task-invocationRetrieves information about a specific task running on a specific target
get-maintenance-window-taskLists the tasks in a maintenance window. For maintenance window tasks without a specified target, you cannot supply values for --max-errors and --max-concurrency. Instead, the system inserts a placeholder value of 1, which may be reported in the response to this command. These values do not affect the running of your task and can be ignored
get-ops-itemGet information about an OpsItem by using the ID. You must have permission in AWS Identity and Access Management (IAM) to view information about an OpsItem. For more information, see Getting started with OpsCenter in the AWS Systems Manager User Guide. Operations engineers and IT professionals use OpsCenter to view, investigate, and remediate operational issues impacting the performance and health of their AWS resources. For more information, see AWS Systems Manager OpsCenter in the AWS Systems Manager User Guide
get-ops-metadataView operational metadata related to an application in Application Manager
get-ops-summaryView a summary of OpsItems based on specified filters and aggregators
get-parameterGet information about a parameter by using the parameter name. Don't confuse this API action with the GetParameters API action
get-parameter-historyRetrieves the history of all changes to a parameter
get-parametersGet details of a parameter. Don't confuse this API action with the GetParameter API action
get-parameters-by-pathRetrieve information about one or more parameters in a specific hierarchy. Request results are returned on a best-effort basis. If you specify MaxResults in the request, the response includes information up to the limit specified. The number of items returned, however, can be between zero and the value of MaxResults. If the service reaches an internal limit while processing the results, it stops the operation and returns the matching values up to that point and a NextToken. You can specify the NextToken in a subsequent call to get the next set of results
get-patch-baselineRetrieves information about a patch baseline
get-patch-baseline-for-patch-groupRetrieves the patch baseline that should be used for the specified patch group
get-service-settingServiceSetting is an account-level setting for an AWS service. This setting defines how a user interacts with or uses a service or a feature of a service. For example, if an AWS service charges money to the account based on feature or service usage, then the AWS service team might create a default setting of "false". This means the user can't use this feature unless they change the setting to "true" and intentionally opt in for a paid feature. Services map a SettingId object to a setting value. AWS services teams define the default value for a SettingId. You can't create a new SettingId, but you can overwrite the default value if you have the ssm:UpdateServiceSetting permission for the setting. Use the UpdateServiceSetting API action to change the default setting. Or use the ResetServiceSetting to change the value back to the original value defined by the AWS service team. Query the current service setting for the account
label-parameter-versionA parameter label is a user-defined alias to help you manage different versions of a parameter. When you modify a parameter, Systems Manager automatically saves a new version and increments the version number by one. A label can help you remember the purpose of a parameter when there are multiple versions. Parameter labels have the following requirements and restrictions. A version of a parameter can have a maximum of 10 labels. You can't attach the same label to different versions of the same parameter. For example, if version 1 has the label Production, then you can't attach Production to version 2. You can move a label from one version of a parameter to another. You can't create a label when you create a new parameter. You must attach a label to a specific version of a parameter. If you no longer want to use a parameter label, then you can either delete it or move it to a different version of a parameter. A label can have a maximum of 100 characters. Labels can contain letters (case sensitive), numbers, periods (.), hyphens (-), or underscores (_). Labels can't begin with a number, "aws," or "ssm" (not case sensitive). If a label fails to meet these requirements, then the label is not associated with a parameter and the system displays it in the list of InvalidLabels
list-association-versionsRetrieves all versions of an association for a specific association ID
list-associationsReturns all State Manager associations in the current AWS account and Region. You can limit the results to a specific State Manager association document or instance by specifying a filter
list-command-invocationsAn invocation is copy of a command sent to a specific instance. A command can apply to one or more instances. A command invocation applies to one instance. For example, if a user runs SendCommand against three instances, then a command invocation is created for each requested instance ID. ListCommandInvocations provide status about command execution
list-commandsLists the commands requested by users of the AWS account
list-compliance-itemsFor a specified resource ID, this API action returns a list of compliance statuses for different resource types. Currently, you can only specify one resource ID per call. List results depend on the criteria specified in the filter
list-compliance-summariesReturns a summary count of compliant and non-compliant resources for a compliance type. For example, this call can return State Manager associations, patches, or custom compliance types according to the filter criteria that you specify
list-document-metadata-historyInformation about approval reviews for a version of an SSM document
list-document-versionsList all versions for a document
list-documentsReturns all Systems Manager (SSM) documents in the current AWS account and Region. You can limit the results of this request by using a filter
list-inventory-entriesA list of inventory items returned by the request
list-ops-item-eventsReturns a list of all OpsItem events in the current AWS account and Region. You can limit the results to events associated with specific OpsItems by specifying a filter
list-ops-metadataSystems Manager calls this API action when displaying all Application Manager OpsMetadata objects or blobs
list-resource-compliance-summariesReturns a resource-level summary count. The summary includes information about compliant and non-compliant statuses and detailed compliance-item severity counts, according to the filter criteria you specify
list-resource-data-syncLists your resource data sync configurations. Includes information about the last time a sync attempted to start, the last sync status, and the last time a sync successfully completed. The number of sync configurations might be too large to return using a single call to ListResourceDataSync. You can limit the number of sync configurations returned by using the MaxResults parameter. To determine whether there are more sync configurations to list, check the value of NextToken in the output. If there are more sync configurations to list, you can request them by specifying the NextToken returned in the call to the parameter of a subsequent call
list-tags-for-resourceReturns a list of the tags assigned to the specified resource
modify-document-permissionShares a Systems Manager document publicly or privately. If you share a document privately, you must specify the AWS user account IDs for those people who can use the document. If you share a document publicly, you must specify All as the account ID
put-compliance-itemsRegisters a compliance type and other compliance details on a designated resource. This action lets you register custom compliance details with a resource. This call overwrites existing compliance information on the resource, so you must provide a full list of compliance items each time that you send the request. ComplianceType can be one of the following: ExecutionId: The execution ID when the patch, association, or custom compliance item was applied. ExecutionType: Specify patch, association, or Custom:string. ExecutionTime. The time the patch, association, or custom compliance item was applied to the instance. Id: The patch, association, or custom compliance ID. Title: A title. Status: The status of the compliance item. For example, approved for patches, or Failed for associations. Severity: A patch severity. For example, critical. DocumentName: A SSM document name. For example, AWS-RunPatchBaseline. DocumentVersion: An SSM document version number. For example, 4. Classification: A patch classification. For example, security updates. PatchBaselineId: A patch baseline ID. PatchSeverity: A patch severity. For example, Critical. PatchState: A patch state. For example, InstancesWithFailedPatches. PatchGroup: The name of a patch group. InstalledTime: The time the association, patch, or custom compliance item was applied to the resource. Specify the time by using the following format: yyyy-MM-dd'T'HH:mm:ss'Z'
put-inventoryBulk update custom inventory items on one more instance. The request adds an inventory item, if it doesn't already exist, or updates an inventory item, if it does exist
put-parameterAdd a parameter to the system
register-default-patch-baselineDefines the default patch baseline for the relevant operating system. To reset the AWS predefined patch baseline as the default, specify the full patch baseline ARN as the baseline ID value. For example, for CentOS, specify arn:aws:ssm:us-east-2:733109147000:patchbaseline/pb-0574b43a65ea646ed instead of pb-0574b43a65ea646ed
register-patch-baseline-for-patch-groupRegisters a patch baseline for a patch group
register-target-with-maintenance-windowRegisters a target with a maintenance window
register-task-with-maintenance-windowAdds a new task to a maintenance window
remove-tags-from-resourceRemoves tag keys from the specified resource
reset-service-settingServiceSetting is an account-level setting for an AWS service. This setting defines how a user interacts with or uses a service or a feature of a service. For example, if an AWS service charges money to the account based on feature or service usage, then the AWS service team might create a default setting of "false". This means the user can't use this feature unless they change the setting to "true" and intentionally opt in for a paid feature. Services map a SettingId object to a setting value. AWS services teams define the default value for a SettingId. You can't create a new SettingId, but you can overwrite the default value if you have the ssm:UpdateServiceSetting permission for the setting. Use the GetServiceSetting API action to view the current value. Use the UpdateServiceSetting API action to change the default setting. Reset the service setting for the account to the default value as provisioned by the AWS service team
resume-sessionReconnects a session to an instance after it has been disconnected. Connections can be resumed for disconnected sessions, but not terminated sessions. This command is primarily for use by client machines to automatically reconnect during intermittent network issues. It is not intended for any other use
send-automation-signalSends a signal to an Automation execution to change the current behavior or status of the execution
send-commandRuns commands on one or more managed instances
start-associations-onceUse this API action to run an association immediately and only one time. This action can be helpful when troubleshooting associations
start-automation-executionInitiates execution of an Automation document
start-change-request-executionCreates a change request for Change Manager. The runbooks (Automation documents) specified in the change request run only after all required approvals for the change request have been received
start-sessionInitiates a connection to a target (for example, an instance) for a Session Manager session. Returns a URL and token that can be used to open a WebSocket connection for sending input and receiving outputs. AWS CLI usage: start-session is an interactive command that requires the Session Manager plugin to be installed on the client machine making the call. For information, see Install the Session Manager plugin for the AWS CLI in the AWS Systems Manager User Guide. AWS Tools for PowerShell usage: Start-SSMSession is not currently supported by AWS Tools for PowerShell on Windows local machines
stop-automation-executionStop an Automation that is currently running
terminate-sessionPermanently ends a session and closes the data connection between the Session Manager client and SSM Agent on the instance. A terminated session cannot be resumed
unlabel-parameter-versionRemove a label or labels from a parameter
update-associationUpdates an association. You can update the association name and version, the document version, schedule, parameters, and Amazon S3 output. In order to call this API action, your IAM user account, group, or role must be configured with permission to call the DescribeAssociation API action. If you don't have permission to call DescribeAssociation, then you receive the following error: An error occurred (AccessDeniedException) when calling the UpdateAssociation operation: User: <user_arn> is not authorized to perform: ssm:DescribeAssociation on resource: <resource_arn> When you update an association, the association immediately runs against the specified targets
update-association-statusUpdates the status of the Systems Manager document associated with the specified instance
update-documentUpdates one or more values for an SSM document
update-document-default-versionSet the default version of a document
update-document-metadataUpdates information related to approval reviews for a specific version of a document
update-maintenance-windowUpdates an existing maintenance window. Only specified parameters are modified. The value you specify for Duration determines the specific end time for the maintenance window based on the time it begins. No maintenance window tasks are permitted to start after the resulting endtime minus the number of hours you specify for Cutoff. For example, if the maintenance window starts at 3 PM, the duration is three hours, and the value you specify for Cutoff is one hour, no maintenance window tasks can start after 5 PM
update-maintenance-window-targetModifies the target of an existing maintenance window. You can change the following: Name Description Owner IDs for an ID target Tags for a Tag target From any supported tag type to another. The three supported tag types are ID target, Tag target, and resource group. For more information, see Target. If a parameter is null, then the corresponding field is not modified
update-maintenance-window-taskModifies a task assigned to a maintenance window. You can't change the task type, but you can change the following values: TaskARN. For example, you can change a RUN_COMMAND task from AWS-RunPowerShellScript to AWS-RunShellScript. ServiceRoleArn TaskInvocationParameters Priority MaxConcurrency MaxErrors One or more targets must be specified for maintenance window Run Command-type tasks. Depending on the task, targets are optional for other maintenance window task types (Automation, AWS Lambda, and AWS Step Functions). For more information about running tasks that do not specify targets, see Registering maintenance window tasks without targets in the AWS Systems Manager User Guide. If the value for a parameter in UpdateMaintenanceWindowTask is null, then the corresponding field is not modified. If you set Replace to true, then all fields required by the RegisterTaskWithMaintenanceWindow action are required for this request. Optional fields that aren't specified are set to null. When you update a maintenance window task that has options specified in TaskInvocationParameters, you must provide again all the TaskInvocationParameters values that you want to retain. The values you do not specify again are removed. For example, suppose that when you registered a Run Command task, you specified TaskInvocationParameters values for Comment, NotificationConfig, and OutputS3BucketName. If you update the maintenance window task and specify only a different OutputS3BucketName value, the values for Comment and NotificationConfig are removed
update-managed-instance-roleChanges the Amazon Identity and Access Management (IAM) role that is assigned to the on-premises instance or virtual machines (VM). IAM roles are first assigned to these hybrid instances during the activation process. For more information, see CreateActivation
update-ops-itemEdit or change an OpsItem. You must have permission in AWS Identity and Access Management (IAM) to update an OpsItem. For more information, see Getting started with OpsCenter in the AWS Systems Manager User Guide. Operations engineers and IT professionals use OpsCenter to view, investigate, and remediate operational issues impacting the performance and health of their AWS resources. For more information, see AWS Systems Manager OpsCenter in the AWS Systems Manager User Guide
update-ops-metadataSystems Manager calls this API action when you edit OpsMetadata in Application Manager
update-patch-baselineModifies an existing patch baseline. Fields not specified in the request are left unchanged. For information about valid key and value pairs in PatchFilters for each supported operating system type, see PatchFilter
update-resource-data-syncUpdate a resource data sync. After you create a resource data sync for a Region, you can't change the account options for that sync. For example, if you create a sync in the us-east-2 (Ohio) Region and you choose the Include only the current account option, you can't edit that sync later and choose the Include all accounts from my AWS Organizations configuration option. Instead, you must delete the first resource data sync, and create a new one. This API action only supports a resource data sync that was created with a SyncFromSource SyncType
update-service-settingServiceSetting is an account-level setting for an AWS service. This setting defines how a user interacts with or uses a service or a feature of a service. For example, if an AWS service charges money to the account based on feature or service usage, then the AWS service team might create a default setting of "false". This means the user can't use this feature unless they change the setting to "true" and intentionally opt in for a paid feature. Services map a SettingId object to a setting value. AWS services teams define the default value for a SettingId. You can't create a new SettingId, but you can overwrite the default value if you have the ssm:UpdateServiceSetting permission for the setting. Use the GetServiceSetting API action to view the current value. Or, use the ResetServiceSetting to change the value back to the original value defined by the AWS service team. Update the service setting for the account
waitWait until a particular condition is satisfied. Each subcommand polls an API until the listed requirement is met