Amazon::API::SSM
Amazon Simple Systems Manager (SSM)
Version 2.1.5
Adds or overwrites one or more tags for the specified resource. Tags are metadata that you can assign to your automations, documents, managed nodes, maintenance windows, Parameter Store parameters, and patch baselines. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment. Each tag consists of a key and an optional value, both of which you define. For example, you could define a set of tags for your account's managed nodes that helps you track each node's owner and stack level. For example:
Key=Owner,Value=DbAdminKey=Owner,Value=SysAdminKey=Owner,Value=DevKey=Stack,Value=ProductionKey=Stack,Value=Pre-ProductionKey=Stack,Value=TestMost resources can have a maximum of 50 tags. Automations can have a maximum of 5 tags.
We recommend that you devise a set of tag keys that meets your needs for each resource type. Using a consistent set of tag keys makes it easier for you to manage your resources. You can search and filter the resources based on the tags you add. Tags don't have any semantic meaning to and are interpreted strictly as a string of characters.
For more information about using tags with Amazon Elastic Compute Cloud (Amazon EC2) instances, see Tag your Amazon EC2 resources (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html) in the Amazon EC2 User Guide.
ResourceId
The resource ID you want to tag.
Use the ID of the resource. Here are some examples:
MaintenanceWindow: mw-012345abcde
PatchBaseline: pb-012345abcde
Automation: example-c160-4567-8519-012345abcde
OpsMetadata object: ResourceID for tagging is created from the
Amazon Resource Name (ARN) for the object. Specifically, ResourceID
is created from the strings that come after the word opsmetadata in
the ARN. For example, an OpsMetadata object with an ARN of
arn:aws:ssm:us-east-2:1234567890:opsmetadata/aws/ssm/MyGroup/appmanager
has a ResourceID of either aws/ssm/MyGroup/appmanager or
/aws/ssm/MyGroup/appmanager.
For the Document and Parameter values, use the name of the
resource. If you're tagging a shared document, you must use the full
ARN of the document.
ManagedInstance: mi-012345abcde
The ManagedInstance type for this API operation is only for
on-premises managed nodes. You must specify the name of the managed
node in the following format: mi-_ID_number_. For example,
mi-1a2b3c4d5e6f.
ResourceType
Specifies the type of resource you are tagging.
The ManagedInstance type for this API operation is for on-premises
managed nodes. You must specify the name of the managed node in the
following format: mi-_ID_number_. For example, mi-1a2b3c4d5e6f.
Tags
One or more tags. The value parameter is required.
Don't enter personally identifiable information in this field.
ERRORS
InvalidResourceType
The resource type isn't valid. For example, if you are attempting to tag an EC2 instance, the instance must be a registered managed node.
InvalidResourceId
The resource ID isn't valid. Verify that you entered the correct ID and try again.
InternalServerError
An error occurred on the server side.
TooManyTagsError
The Targets parameter includes too many tags. Remove one or more
tags and try the command again.
TooManyUpdates
There are concurrent updates for a resource that supports one update at a time.
METHOD
POST
REQUEST URI
/
Associates a related item to a Systems Manager OpsCenter OpsItem. For example, you can associate an Incident Manager incident or analysis with an OpsItem. Incident Manager and OpsCenter are tools in Amazon Web Services Systems Manager.
AssociationType
The type of association that you want to create between an OpsItem and
a resource. OpsCenter supports IsParentOf and RelatesTo
association types.
OpsItemId
The ID of the OpsItem to which you want to associate a resource as a related item.
ResourceType
The type of resource that you want to associate with an OpsItem. OpsCenter supports the following types:
AWS::SSMIncidents::IncidentRecord: an Incident Manager incident.
AWS::SSM::Document: a Systems Manager (SSM) document.
ResourceUri
The Amazon Resource Name (ARN) of the Amazon Web Services resource that you want to associate with the OpsItem.
AssociationId
The association ID.
ERRORS
InternalServerError
An error occurred on the server side.
OpsItemNotFoundException
The specified OpsItem ID doesn't exist. Verify the ID and try again.
OpsItemLimitExceededException
The request caused OpsItems to exceed one or more quotas.
OpsItemInvalidParameterException
A specified parameter argument isn't valid. Verify the available arguments and try again.
OpsItemRelatedItemAlreadyExistsException
The Amazon Resource Name (ARN) is already associated with the OpsItem.
OpsItemConflictException
The specified OpsItem is in the process of being deleted.
METHOD
POST
REQUEST URI
/
Attempts to cancel the command specified by the Command ID. There is no guarantee that the command will be terminated and the underlying process stopped.
CommandId
The ID of the command you want to cancel.
InstanceIds
(Optional) A list of managed node IDs on which you want to cancel the command. If not provided, the command is canceled on every node on which it was requested.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidCommandId
The specified command ID isn't valid. Verify the ID and try again.
InvalidInstanceId
The following problems can cause this exception:
Running,
Pending, Stopped, and Stopping. Invalid states are:
Shutting-down and Terminated.DuplicateInstanceId
You can't specify a managed node ID in more than one association.
METHOD
POST
REQUEST URI
/
Stops a maintenance window execution that is already in progress and cancels any tasks in the window that haven't already starting running. Tasks already in progress will continue to completion.
WindowExecutionId
The ID of the maintenance window execution to stop.
WindowExecutionId
The ID of the maintenance window execution that has been stopped.
ERRORS
InternalServerError
An error occurred on the server side.
DoesNotExistException
Error returned when the ID specified for a resource, such as a maintenance window or patch baseline, doesn't exist.
For information about resource quotas in Amazon Web Services Systems Manager, see Systems Manager service quotas (https://docs.aws.amazon.com/general/latest/gr/ssm.html#limits_ssm) in the Amazon Web Services General Reference.
METHOD
POST
REQUEST URI
/
Generates an activation code and activation ID you can use to register your on-premises servers, edge devices, or virtual machine (VM) with Amazon Web Services Systems Manager. Registering these machines with Systems Manager makes it possible to manage them using Systems Manager tools. You use the activation code and ID when installing SSM Agent on machines in your hybrid environment. For more information about requirements for managing on-premises machines using Systems Manager, see Using Amazon Web Services Systems Manager in hybrid and multicloud environments (https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-hybrid-multicloud.html) in the Amazon Web Services Systems Manager User Guide.
Amazon Elastic Compute Cloud (Amazon EC2) instances, edge devices, and on-premises servers and VMs that are configured for Systems Manager are all called managed nodes.
DefaultInstanceName
The name of the registered, managed node as it will appear in the Amazon Web Services Systems Manager console or when you use the Amazon Web Services command line tools to list Systems Manager resources.
Don't enter personally identifiable information in this field.
Description
A user-defined description of the resource that you want to register with Systems Manager.
Don't enter personally identifiable information in this field.
ExpirationDate
The date by which this activation request should expire, in timestamp format, such as "2024-07-07T00:00:00". You can specify a date up to 30 days in advance. If you don't provide an expiration date, the activation code expires in 24 hours.
IamRole
The name of the Identity and Access Management (IAM) role that you want
to assign to the managed node. This IAM role must provide AssumeRole
permissions for the Amazon Web Services Systems Manager service
principal ssm.amazonaws.com. For more information, see Create the
IAM service role required for Systems Manager in a hybrid and
multicloud environments
(https://docs.aws.amazon.com/systems-manager/latest/userguide/hybrid-multicloud-service-role.html)
in the Amazon Web Services Systems Manager User Guide.
You can't specify an IAM service-linked role for this parameter. You must create a unique role.
RegistrationLimit
Specify the maximum number of managed nodes you want to register. The
default value is 1.
RegistrationMetadata
Reserved for internal use.
Tags
Optional metadata that you assign to a resource. Tags enable you to categorize a resource in different ways, such as by purpose, owner, or environment. For example, you might want to tag an activation to identify which servers or virtual machines (VMs) in your on-premises environment you intend to activate. In this case, you could specify the following key-value pairs:
Key=OS,Value=WindowsKey=Environment,Value=ProductionWhen you install SSM Agent on your on-premises servers and VMs, you specify an activation ID and code. When you specify the activation ID and code, tags assigned to the activation are automatically applied to the on-premises servers or VMs.
You can't add tags to or delete tags from an existing activation. You can tag your on-premises servers, edge devices, and VMs after they connect to Systems Manager for the first time and are assigned a managed node ID. This means they are listed in the Amazon Web Services Systems Manager console with an ID that is prefixed with "mi-". For information about how to add tags to your managed nodes, see AddTagsToResource. For information about how to remove tags from your managed nodes, see RemoveTagsFromResource.
ActivationCode
The code the system generates when it processes the activation. The activation code functions like a password to validate the activation ID.
ActivationId
The ID number generated by the system when it processed the activation. The activation ID functions like a user name.
ERRORS
InvalidParameters
You must specify values for all required parameters in the Amazon Web Services Systems Manager document (SSM document). You can only supply values to parameters defined in the SSM document.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
A State Manager association defines the state that you want to maintain on your managed nodes. For example, an association can specify that anti-virus software must be installed and running on your managed nodes, or that certain ports must be closed. For static targets, the association specifies a schedule for when the configuration is reapplied. For dynamic targets, such as an Amazon Web Services resource group or an Amazon Web Services autoscaling group, State Manager, a tool in Amazon Web Services Systems Manager applies the configuration when new managed nodes are added to the group. The association also specifies actions to take when applying the configuration. For example, an association for anti-virus software might run once a day. If the software isn't installed, then State Manager installs it. If the software is installed, but the service isn't running, then the association might instruct State Manager to start the service.
ApplyOnlyAtCronInterval
By default, when you create a new association, the system runs it
immediately after it is created and then according to the schedule you
specified and when target changes are detected. Specify true for
ApplyOnlyAtCronIntervalif you want the association to run only
according to the schedule you specified.
For more information, see Understanding when associations are applied to resources (https://docs.aws.amazon.com/systems-manager/latest/userguide/state-manager-about.html#state-manager-about-scheduling) and >About target updates with Automation runbooks (https://docs.aws.amazon.com/systems-manager/latest/userguide/state-manager-about.html#runbook-target-updates) in the Amazon Web Services Systems Manager User Guide.
This parameter isn't supported for rate expressions.
AssociationName
Specify a descriptive name for the association.
AutomationTargetParameterName
Choose the parameter that will define how your automation will branch out. This target is required for associations that use an Automation runbook and target resources by using rate controls. Automation is a tool in Amazon Web Services Systems Manager.
CalendarNames
The names of Amazon Resource Names (ARNs) of the Change Calendar type documents you want to gate your associations under. The associations only run when that change calendar is open. For more information, see Amazon Web Services Systems Manager Change Calendar (https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-change-calendar) in the Amazon Web Services Systems Manager User Guide.
ComplianceSeverity
The severity level to assign to the association.
DocumentVersion
The document version you want to associate with the targets. Can be a specific version or the default version.
State Manager doesn't support running associations that use a new
version of a document if that document is shared from another account.
State Manager always runs the default version of a document if
shared from another account, even though the Systems Manager console
shows that a new version was processed. If you want to run an
association using a new version of a document shared form another
account, you must set the document version to default.
Duration
The number of hours the association can run before it is canceled. Duration applies to associations that are currently running, and any pending and in progress commands on all targets. If a target was taken offline for the association to run, it is made available again immediately, without a reboot.
The Duration parameter applies only when both these conditions are
true:
ApplyOnlyAtCronInterval
(https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_CreateAssociation.html#systemsmanager-CreateAssociation-request-ApplyOnlyAtCronInterval)
parameter, which means that the association doesn't run immediately
after it is created, but only according to the specified schedule.InstanceId
The managed node ID.
InstanceId has been deprecated. To specify a managed node ID for an
association, use the Targets parameter. Requests that include the
parameter InstanceID with Systems Manager documents (SSM documents)
that use schema version 2.0 or later will fail. In addition, if you use
the parameter InstanceId, you can't use the parameters
AssociationName, DocumentVersion, MaxErrors,
MaxConcurrency, OutputLocation, or ScheduleExpression. To use
these parameters, you must use the Targets parameter.
MaxConcurrency
The maximum number of targets allowed to run the association at the same time. You can specify a number, for example 10, or a percentage of the target set, for example 10%. The default value is 100%, which means all targets run the association at the same time.
If a new managed node starts and attempts to run an association while
Systems Manager is running MaxConcurrency associations, the
association is allowed to run. During the next association interval,
the new managed node will process its association within the limit
specified for MaxConcurrency.
MaxErrors
The number of errors that are allowed before the system stops sending
requests to run the association on additional targets. You can specify
either an absolute number of errors, for example 10, or a percentage of
the target set, for example 10%. If you specify 3, for example, the
system stops sending requests when the fourth error is received. If you
specify 0, then the system stops sending requests after the first error
is returned. If you run an association on 50 managed nodes and set
MaxError to 10%, then the system stops sending the request when the
sixth error is received.
Executions that are already running an association when MaxErrors is
reached are allowed to complete, but some of these executions may fail
as well. If you need to ensure that there won't be more than max-errors
failed executions, set MaxConcurrency to 1 so that executions
proceed one at a time.
Name
The name of the SSM Command document or Automation runbook that contains the configuration information for the managed node.
You can specify Amazon Web Services-predefined documents, documents you created, or a document that is shared with you from another Amazon Web Services account.
For Systems Manager documents (SSM documents) that are shared with you from other Amazon Web Services accounts, you must specify the complete SSM document ARN, in the following format:
arn:_partition_:ssm:_region_:_account-id_:document/_document-name_
For example:
arn:aws:ssm:us-east-2:12345678912:document/My-Shared-Document
For Amazon Web Services-predefined documents and SSM documents you
created in your account, you only need to specify the document name.
For example, AWS-ApplyPatchBaseline or My-Document.
OutputLocation
An Amazon Simple Storage Service (Amazon S3) bucket where you want to store the output details of the request.
Parameters
The parameters for the runtime configuration of the document.
ScheduleExpression
A cron expression when the association will be applied to the targets.
ScheduleOffset
Number of days to wait after the scheduled day to run an association.
For example, if you specified a cron schedule of cron(0 0 ? * THU#2
*), you could specify an offset of 3 to run the association each
Sunday after the second Thursday of the month. For more information
about cron schedules for associations, see Reference: Cron and rate
expressions for Systems Manager
(https://docs.aws.amazon.com/systems-manager/latest/userguide/reference-cron-and-rate-expressions.html)
in the Amazon Web Services Systems Manager User Guide.
To use offsets, you must specify the ApplyOnlyAtCronInterval
parameter. This option tells the system not to run an association
immediately after you create it.
SyncCompliance
The mode for generating association compliance. You can specify AUTO
or MANUAL. In AUTO mode, the system uses the status of the
association execution to determine the compliance status. If the
association execution runs successfully, then the association is
COMPLIANT. If the association execution doesn't run successfully,
the association is NON-COMPLIANT.
In MANUAL mode, you must specify the AssociationId as a parameter
for the PutComplianceItems API operation. In this case, compliance data
isn't managed by State Manager. It is managed by your direct call to
the PutComplianceItems API operation.
By default, all associations use AUTO mode.
Tags
Adds or overwrites one or more tags for a State Manager association. Tags are metadata that you can assign to your Amazon Web Services resources. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment. Each tag consists of a key and an optional value, both of which you define.
TargetLocations
A location is a combination of Amazon Web Services Regions and Amazon Web Services accounts where you want to run the association. Use this action to create an association in multiple Regions and multiple accounts.
TargetMaps
A key-value mapping of document parameters to target resources. Both Targets and TargetMaps can't be specified together.
Targets
The targets for the association. You can target managed nodes by using
tags, Amazon Web Services resource groups, all managed nodes in an
Amazon Web Services account, or individual managed node IDs. You can
target all managed nodes in an Amazon Web Services account by
specifying the InstanceIds key with a value of *. For more
information about choosing targets for an association, see
Understanding targets and rate controls in State Manager associations
(https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-state-manager-targets-and-rate-controls.html)
in the Amazon Web Services Systems Manager User Guide.
AssociationDescription
Information about the association.
ERRORS
AssociationAlreadyExists
The specified association already exists.
AssociationLimitExceeded
You can have at most 2,000 active associations.
InternalServerError
An error occurred on the server side.
InvalidDocument
The specified SSM document doesn't exist.
InvalidDocumentVersion
The document version isn't valid or doesn't exist.
InvalidInstanceId
The following problems can cause this exception:
Running,
Pending, Stopped, and Stopping. Invalid states are:
Shutting-down and Terminated.UnsupportedPlatformType
The document doesn't support the platform type of the given managed node IDs. For example, you sent an document for a Windows managed node to a Linux node.
InvalidOutputLocation
The output location isn't valid or doesn't exist.
InvalidParameters
You must specify values for all required parameters in the Amazon Web Services Systems Manager document (SSM document). You can only supply values to parameters defined in the SSM document.
InvalidTarget
The target isn't valid or doesn't exist. It might not be configured for Systems Manager or you might not have permission to perform the operation.
InvalidSchedule
The schedule is invalid. Verify your cron or rate expression and try again.
InvalidTargetMaps
TargetMap parameter isn't valid.
InvalidTag
The specified tag key or value isn't valid.
METHOD
POST
REQUEST URI
/
Associates the specified Amazon Web Services Systems Manager document (SSM document) with the specified managed nodes or targets.
When you associate a document with one or more managed nodes using IDs or tags, Amazon Web Services Systems Manager Agent (SSM Agent) running on the managed node processes the document and configures the node as specified.
If you associate a document with a managed node that already has an associated document, the system returns the AssociationAlreadyExists exception.
Entries
One or more associations.
Failed
Information about the associations that failed.
Successful
Information about the associations that succeeded.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidDocument
The specified SSM document doesn't exist.
InvalidDocumentVersion
The document version isn't valid or doesn't exist.
InvalidInstanceId
The following problems can cause this exception:
Running,
Pending, Stopped, and Stopping. Invalid states are:
Shutting-down and Terminated.InvalidParameters
You must specify values for all required parameters in the Amazon Web Services Systems Manager document (SSM document). You can only supply values to parameters defined in the SSM document.
DuplicateInstanceId
You can't specify a managed node ID in more than one association.
AssociationLimitExceeded
You can have at most 2,000 active associations.
UnsupportedPlatformType
The document doesn't support the platform type of the given managed node IDs. For example, you sent an document for a Windows managed node to a Linux node.
InvalidOutputLocation
The output location isn't valid or doesn't exist.
InvalidTarget
The target isn't valid or doesn't exist. It might not be configured for Systems Manager or you might not have permission to perform the operation.
InvalidSchedule
The schedule is invalid. Verify your cron or rate expression and try again.
InvalidTargetMaps
TargetMap parameter isn't valid.
METHOD
POST
REQUEST URI
/
Creates a Amazon Web Services Systems Manager (SSM document). An SSM document defines the actions that Systems Manager performs on your managed nodes. For more information about SSM documents, including information about supported schemas, features, and syntax, see Amazon Web Services Systems Manager Documents (https://docs.aws.amazon.com/systems-manager/latest/userguide/documents.html) in the Amazon Web Services Systems Manager User Guide.
Attachments
A list of key-value pairs that describe attachments to a version of a document.
Content
The content for the new SSM document in JSON or YAML format. The content of the document must not exceed 64KB. This quota also includes the content specified for input parameters at runtime. We recommend storing the contents for your new document in an external JSON or YAML file and referencing the file in a command.
For examples, see the following topics in the Amazon Web Services Systems Manager User Guide.
DisplayName
An optional field where you can specify a friendly name for the SSM document. This value can differ for each version of the document. You can update this value at a later time using the UpdateDocument operation.
DocumentFormat
Specify the document format for the request. The document format can be JSON, YAML, or TEXT. JSON is the default format.
DocumentType
The type of document to create.
The DeploymentStrategy document type is an internal-use-only
document type reserved for AppConfig.
Name
A name for the SSM document.
You can't use the following strings as document name prefixes. These are reserved by Amazon Web Services for use as document name prefixes:
awsamazonamznAWSEC2AWSConfigRemediationAWSSupportRequires
A list of SSM documents required by a document. This parameter is used
exclusively by AppConfig. When a user creates an AppConfig
configuration in an SSM document, the user must also specify a required
document for validation purposes. In this case, an
ApplicationConfiguration document requires an
ApplicationConfigurationSchema document for validation purposes. For
more information, see What is AppConfig?
(https://docs.aws.amazon.com/appconfig/latest/userguide/what-is-appconfig.html)
in the AppConfig User Guide.
Tags
Optional metadata that you assign to a resource. Tags enable you to categorize a resource in different ways, such as by purpose, owner, or environment. For example, you might want to tag an SSM document to identify the types of targets or the environment where it will run. In this case, you could specify the following key-value pairs:
Key=OS,Value=WindowsKey=Environment,Value=ProductionTo add tags to an existing SSM document, use the AddTagsToResource operation.
TargetType
Specify a target type to define the kinds of resources the document can
run on. For example, to run a document on EC2 instances, specify the
following value: /AWS::EC2::Instance. If you specify a value of '/'
the document can run on all types of resources. If you don't specify a
value, the document can't run on any resources. For a list of valid
resource types, see Amazon Web Services resource and property types
reference
(https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html)
in the CloudFormation User Guide.
VersionName
An optional field specifying the version of the artifact you are
creating with the document. For example, Release12.1. This value is
unique across all versions of a document, and can't be changed.
DocumentDescription
Information about the SSM document.
ERRORS
DocumentAlreadyExists
The specified document already exists.
MaxDocumentSizeExceeded
The size limit of a document is 64 KB.
InternalServerError
An error occurred on the server side.
InvalidDocumentContent
The content for the document isn't valid.
DocumentLimitExceeded
You can have at most 500 active SSM documents.
InvalidDocumentSchemaVersion
The version of the document schema isn't supported.
METHOD
POST
REQUEST URI
/
Creates a new maintenance window.
The value you specify for Duration determines the specific end time
for the maintenance window based on the time it begins. No maintenance
window tasks are permitted to start after the resulting endtime minus
the number of hours you specify for Cutoff. For example, if the
maintenance window starts at 3 PM, the duration is three hours, and the
value you specify for Cutoff is one hour, no maintenance window
tasks can start after 5 PM.
AllowUnassociatedTargets
Enables a maintenance window task to run on managed nodes, even if you haven't registered those nodes as targets. If enabled, then you must specify the unregistered managed nodes (by node ID) when you register a task with the maintenance window.
If you don't enable this option, then you must specify previously-registered targets when you register a task with the maintenance window.
ClientToken
User-provided idempotency token.
Cutoff
The number of hours before the end of the maintenance window that Amazon Web Services Systems Manager stops scheduling new tasks for execution.
Description
An optional description for the maintenance window. We recommend specifying a description to help you organize your maintenance windows.
Duration
The duration of the maintenance window in hours.
EndDate
The date and time, in ISO-8601 Extended format, for when you want the
maintenance window to become inactive. EndDate allows you to set a
date and time in the future when the maintenance window will no longer
run.
Name
The name of the maintenance window.
Schedule
The schedule of the maintenance window in the form of a cron or rate expression.
ScheduleOffset
The number of days to wait after the date and time specified by a cron expression before running the maintenance window.
For example, the following cron expression schedules a maintenance window to run on the third Tuesday of every month at 11:30 PM.
cron(30 23 ? * TUE#3 *)
If the schedule offset is 2, the maintenance window won't run until
two days later.
ScheduleTimezone
The time zone that the scheduled maintenance window executions are based on, in Internet Assigned Numbers Authority (IANA) format. For example: "America/Los_Angeles", "UTC", or "Asia/Seoul". For more information, see the Time Zone Database (https://www.iana.org/time-zones) on the IANA website.
StartDate
The date and time, in ISO-8601 Extended format, for when you want the
maintenance window to become active. StartDate allows you to delay
activation of the maintenance window until the specified future date.
When using a rate schedule, if you provide a start date that occurs in the past, the current date and time are used as the start date.
Tags
Optional metadata that you assign to a resource. Tags enable you to categorize a resource in different ways, such as by purpose, owner, or environment. For example, you might want to tag a maintenance window to identify the type of tasks it will run, the types of targets, and the environment it will run in. In this case, you could specify the following key-value pairs:
Key=TaskType,Value=AgentUpdateKey=OS,Value=WindowsKey=Environment,Value=ProductionTo add tags to an existing maintenance window, use the AddTagsToResource operation.
WindowId
The ID of the created maintenance window.
ERRORS
IdempotentParameterMismatch
Error returned when an idempotent operation is retried and the parameters don't match the original call to the API with the same idempotency token.
ResourceLimitExceededException
Error returned when the caller has exceeded the default resource quotas. For example, too many maintenance windows or patch baselines have been created.
For information about resource quotas in Systems Manager, see Systems Manager service quotas (https://docs.aws.amazon.com/general/latest/gr/ssm.html#limits_ssm) in the Amazon Web Services General Reference.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Creates a new OpsItem. You must have permission in Identity and Access Management (IAM) to create a new OpsItem. For more information, see Set up OpsCenter (https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter-setup.html) in the Amazon Web Services Systems Manager User Guide.
Operations engineers and IT professionals use Amazon Web Services Systems Manager OpsCenter to view, investigate, and remediate operational issues impacting the performance and health of their Amazon Web Services resources. For more information, see Amazon Web Services Systems Manager OpsCenter (https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter.html) in the Amazon Web Services Systems Manager User Guide.
AccountId
The target Amazon Web Services account where you want to create an OpsItem. To make this call, your account must be configured to work with OpsItems across accounts. For more information, see Set up OpsCenter (https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter-setup.html) in the Amazon Web Services Systems Manager User Guide.
ActualEndTime
The time a runbook workflow ended. Currently reported only for the
OpsItem type /aws/changerequest.
ActualStartTime
The time a runbook workflow started. Currently reported only for the
OpsItem type /aws/changerequest.
Category
Specify a category to assign to an OpsItem.
Description
User-defined text that contains information about the OpsItem, in Markdown format.
Provide enough information so that users viewing this OpsItem for the first time understand the issue.
Notifications
The Amazon Resource Name (ARN) of an SNS topic where notifications are sent when this OpsItem is edited or changed.
OperationalData
Operational data is custom data that provides useful reference details about the OpsItem. For example, you can specify log files, error strings, license keys, troubleshooting tips, or other relevant data. You enter operational data as key-value pairs. The key has a maximum length of 128 characters. The value has a maximum size of 20 KB.
Operational data keys can't begin with the following: amazon,
aws, amzn, ssm, /amazon, /aws, /amzn, /ssm.
You can choose to make the data searchable by other users in the account or you can restrict search access. Searchable data means that all users with access to the OpsItem Overview page (as provided by the DescribeOpsItems API operation) can view and search on the specified data. Operational data that isn't searchable is only viewable by users who have access to the OpsItem (as provided by the GetOpsItem API operation).
Use the /aws/resources key in OperationalData to specify a related
resource in the request. Use the /aws/automations key in
OperationalData to associate an Automation runbook with the OpsItem. To
view Amazon Web Services CLI example commands that use these keys, see
Create OpsItems manually
(https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter-manually-create-OpsItems.html)
in the Amazon Web Services Systems Manager User Guide.
OpsItemType
The type of OpsItem to create. Systems Manager supports the following types of OpsItems:
/aws/issue
This type of OpsItem is used for default OpsItems created by OpsCenter.
/aws/changerequest
This type of OpsItem is used by Change Manager for reviewing and approving or rejecting change requests.
/aws/insight
This type of OpsItem is used by OpsCenter for aggregating and reporting on duplicate OpsItems.
PlannedEndTime
The time specified in a change request for a runbook workflow to end.
Currently supported only for the OpsItem type /aws/changerequest.
PlannedStartTime
The time specified in a change request for a runbook workflow to start.
Currently supported only for the OpsItem type /aws/changerequest.
Priority
The importance of this OpsItem in relation to other OpsItems in the system.
RelatedOpsItems
One or more OpsItems that share something in common with the current OpsItems. For example, related OpsItems can include OpsItems with similar error messages, impacted resources, or statuses for the impacted resource.
Severity
Specify a severity to assign to an OpsItem.
Source
The origin of the OpsItem, such as Amazon EC2 or Systems Manager.
The source name can't contain the following strings: aws, amazon,
and amzn.
Tags
Optional metadata that you assign to a resource.
Tags use a key-value pair. For example:
Key=Department,Value=Finance
To add tags to a new OpsItem, a user must have IAM permissions for both
the ssm:CreateOpsItems operation and the ssm:AddTagsToResource
operation. To add tags to an existing OpsItem, use the
AddTagsToResource operation.
Title
A short heading that describes the nature of the OpsItem and the impacted resource.
OpsItemArn
The OpsItem Amazon Resource Name (ARN).
OpsItemId
The ID of the OpsItem.
ERRORS
InternalServerError
An error occurred on the server side.
OpsItemAlreadyExistsException
The OpsItem already exists.
OpsItemLimitExceededException
The request caused OpsItems to exceed one or more quotas.
OpsItemInvalidParameterException
A specified parameter argument isn't valid. Verify the available arguments and try again.
OpsItemAccessDeniedException
You don't have permission to view OpsItems in the specified account. Verify that your account is configured either as a Systems Manager delegated administrator or that you are logged into the Organizations management account.
METHOD
POST
REQUEST URI
/
If you create a new application in Application Manager, Amazon Web Services Systems Manager calls this API operation to specify information about the new application, including the application type.
Metadata
Metadata for a new Application Manager application.
ResourceId
A resource ID for a new Application Manager application.
Tags
Optional metadata that you assign to a resource. You can specify a maximum of five tags for an OpsMetadata object. Tags enable you to categorize a resource in different ways, such as by purpose, owner, or environment. For example, you might want to tag an OpsMetadata object to identify an environment or target Amazon Web Services Region. In this case, you could specify the following key-value pairs:
Key=Environment,Value=ProductionKey=Region,Value=us-east-2OpsMetadataArn
The Amazon Resource Name (ARN) of the OpsMetadata Object or blob created by the call.
ERRORS
OpsMetadataAlreadyExistsException
An OpsMetadata object already exists for the selected resource.
OpsMetadataTooManyUpdatesException
The system is processing too many concurrent updates. Wait a few moments and try again.
OpsMetadataInvalidArgumentException
One of the arguments passed is invalid.
OpsMetadataLimitExceededException
Your account reached the maximum number of OpsMetadata objects allowed by Application Manager. The maximum is 200 OpsMetadata objects. Delete one or more OpsMetadata object and try again.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Creates a patch baseline.
For information about valid key-value pairs in PatchFilters for each
supported operating system type, see PatchFilter.
ApprovalRules
A set of rules used to include patches in the baseline.
ApprovedPatches
A list of explicitly approved patches for the baseline.
For information about accepted formats for lists of approved patches and rejected patches, see Package name formats for approved and rejected patch lists (https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-approved-rejected-package-name-formats.html) in the Amazon Web Services Systems Manager User Guide.
ApprovedPatchesComplianceLevel
Defines the compliance level for approved patches. When an approved
patch is reported as missing, this value describes the severity of the
compliance violation. The default value is UNSPECIFIED.
ApprovedPatchesEnableNonSecurity
Indicates whether the list of approved patches includes non-security
updates that should be applied to the managed nodes. The default value
is false. Applies to Linux managed nodes only.
AvailableSecurityUpdatesComplianceStatus
Indicates the status you want to assign to security patches that are available but not approved because they don't meet the installation criteria specified in the patch baseline.
Example scenario: Security patches that you might want installed can be skipped if you have specified a long period to wait after a patch is released before installation. If an update to the patch is released during your specified waiting period, the waiting period for installing the patch starts over. If the waiting period is too long, multiple versions of the patch could be released but never installed.
Supported for Windows Server managed nodes only.
ClientToken
User-provided idempotency token.
Description
A description of the patch baseline.
GlobalFilters
A set of global filters used to include patches in the baseline.
The GlobalFilters parameter can be configured only by using the CLI
or an Amazon Web Services SDK. It can't be configured from the Patch
Manager console, and its value isn't displayed in the console.
Name
The name of the patch baseline.
OperatingSystem
Defines the operating system the patch baseline applies to. The default
value is WINDOWS.
RejectedPatches
A list of explicitly rejected patches for the baseline.
For information about accepted formats for lists of approved patches and rejected patches, see Package name formats for approved and rejected patch lists (https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-approved-rejected-package-name-formats.html) in the Amazon Web Services Systems Manager User Guide.
RejectedPatchesAction
The action for Patch Manager to take on patches included in the
RejectedPackages list.
ALLOW_AS_DEPENDENCY
Linux and macOS: A package in the rejected patches list is installed
only if it is a dependency of another package. It is considered
compliant with the patch baseline, and its status is reported as
INSTALLED_OTHER. This is the default action if no option is
specified.
Windows Server: Windows Server doesn't support the concept of
package dependencies. If a package in the rejected patches list and
already installed on the node, its status is reported as
INSTALLED_OTHER. Any package not already installed on the node is
skipped. This is the default action if no option is specified.
BLOCK
All OSs: Packages in the rejected patches list, and packages that
include them as dependencies, aren't installed by Patch Manager under
any circumstances. If a package was installed before it was added to
the rejected patches list, or is installed outside of Patch Manager
afterward, it's considered noncompliant with the patch baseline and its
status is reported as INSTALLED_REJECTED.
Sources
Information about the patches to use to update the managed nodes, including target operating systems and source repositories. Applies to Linux managed nodes only.
Tags
Optional metadata that you assign to a resource. Tags enable you to categorize a resource in different ways, such as by purpose, owner, or environment. For example, you might want to tag a patch baseline to identify the severity level of patches it specifies and the operating system family it applies to. In this case, you could specify the following key-value pairs:
Key=PatchSeverity,Value=CriticalKey=OS,Value=WindowsTo add tags to an existing patch baseline, use the AddTagsToResource operation.
BaselineId
The ID of the created patch baseline.
ERRORS
IdempotentParameterMismatch
Error returned when an idempotent operation is retried and the parameters don't match the original call to the API with the same idempotency token.
ResourceLimitExceededException
Error returned when the caller has exceeded the default resource quotas. For example, too many maintenance windows or patch baselines have been created.
For information about resource quotas in Systems Manager, see Systems Manager service quotas (https://docs.aws.amazon.com/general/latest/gr/ssm.html#limits_ssm) in the Amazon Web Services General Reference.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
A resource data sync helps you view data from multiple sources in a
single location. Amazon Web Services Systems Manager offers two types
of resource data sync: SyncToDestination and SyncFromSource.
You can configure Systems Manager Inventory to use the
SyncToDestination type to synchronize Inventory data from multiple
Amazon Web Services Regions to a single Amazon Simple Storage Service
(Amazon S3) bucket. For more information, see Creating a resource data
sync for Inventory
(https://docs.aws.amazon.com/systems-manager/latest/userguide/inventory-create-resource-data-sync.html)
in the Amazon Web Services Systems Manager User Guide.
You can configure Systems Manager Explorer to use the SyncFromSource
type to synchronize operational work items (OpsItems) and operational
data (OpsData) from multiple Amazon Web Services Regions to a single
Amazon S3 bucket. This type can synchronize OpsItems and OpsData from
multiple Amazon Web Services accounts and Amazon Web Services Regions
or EntireOrganization by using Organizations. For more information,
see Setting up Systems Manager Explorer to display data from multiple
accounts and Regions
(https://docs.aws.amazon.com/systems-manager/latest/userguide/Explorer-resource-data-sync.html)
in the Amazon Web Services Systems Manager User Guide.
A resource data sync is an asynchronous operation that returns immediately. After a successful initial sync is completed, the system continuously syncs data. To check the status of a sync, use the ListResourceDataSync.
By default, data isn't encrypted in Amazon S3. We strongly recommend that you enable encryption in Amazon S3 to ensure secure data storage. We also recommend that you secure access to the Amazon S3 bucket by creating a restrictive bucket policy.
S3Destination
Amazon S3 configuration details for the sync. This parameter is
required if the SyncType value is SyncToDestination.
SyncName
A name for the configuration.
SyncSource
Specify information about the data sources to synchronize. This
parameter is required if the SyncType value is SyncFromSource.
SyncType
Specify SyncToDestination to create a resource data sync that
synchronizes data to an S3 bucket for Inventory. If you specify
SyncToDestination, you must provide a value for S3Destination.
Specify SyncFromSource to synchronize data from a single account and
multiple Regions, or multiple Amazon Web Services accounts and Amazon
Web Services Regions, as listed in Organizations for Explorer. If you
specify SyncFromSource, you must provide a value for SyncSource.
The default value is SyncToDestination.
ERRORS
InternalServerError
An error occurred on the server side.
ResourceDataSyncCountExceededException
You have exceeded the allowed maximum sync configurations.
ResourceDataSyncAlreadyExistsException
A sync configuration with the same name already exists.
ResourceDataSyncInvalidConfigurationException
The specified sync configuration is invalid.
METHOD
POST
REQUEST URI
/
Deletes an activation. You aren't required to delete an activation. If you delete an activation, you can no longer use it to register additional managed nodes. Deleting an activation doesn't de-register managed nodes. You must manually de-register managed nodes.
ActivationId
The ID of the activation that you want to delete.
ERRORS
InvalidActivationId
The activation ID isn't valid. Verify that you entered the correct ActivationId or ActivationCode and try again.
InvalidActivation
The activation isn't valid. The activation might have been deleted, or the ActivationId and the ActivationCode don't match.
InternalServerError
An error occurred on the server side.
TooManyUpdates
There are concurrent updates for a resource that supports one update at a time.
METHOD
POST
REQUEST URI
/
Disassociates the specified Amazon Web Services Systems Manager
document (SSM document) from the specified managed node. If you created
the association by using the Targets parameter, then you must delete
the association by using the association ID.
When you disassociate a document from a managed node, it doesn't change the configuration of the node. To change the configuration state of a managed node after you disassociate a document, you must create a new document with the desired configuration and associate it with the node.
AssociationId
The association ID that you want to delete.
InstanceId
The managed node ID.
InstanceId has been deprecated. To specify a managed node ID for an
association, use the Targets parameter. Requests that include the
parameter InstanceID with Systems Manager documents (SSM documents)
that use schema version 2.0 or later will fail. In addition, if you use
the parameter InstanceId, you can't use the parameters
AssociationName, DocumentVersion, MaxErrors,
MaxConcurrency, OutputLocation, or ScheduleExpression. To use
these parameters, you must use the Targets parameter.
Name
The name of the SSM document.
ERRORS
AssociationDoesNotExist
The specified association doesn't exist.
InternalServerError
An error occurred on the server side.
InvalidDocument
The specified SSM document doesn't exist.
InvalidInstanceId
The following problems can cause this exception:
Running,
Pending, Stopped, and Stopping. Invalid states are:
Shutting-down and Terminated.TooManyUpdates
There are concurrent updates for a resource that supports one update at a time.
METHOD
POST
REQUEST URI
/
Deletes the Amazon Web Services Systems Manager document (SSM document) and all managed node associations to the document.
Before you delete the document, we recommend that you use DeleteAssociation to disassociate all managed nodes that are associated with the document.
DocumentVersion
The version of the document that you want to delete. If not provided, all versions of the document are deleted.
Force
Some SSM document types require that you specify a Force flag before
you can delete the document. For example, you must specify a Force
flag to delete a document of type ApplicationConfigurationSchema.
You can restrict access to the Force flag in an Identity and Access
Management (IAM) policy.
Name
The name of the document.
VersionName
The version name of the document that you want to delete. If not provided, all versions of the document are deleted.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidDocument
The specified SSM document doesn't exist.
InvalidDocumentOperation
You attempted to delete a document while it is still shared. You must stop sharing the document before you can delete it.
AssociatedInstances
You must disassociate a document from all managed nodes before you can delete it.
METHOD
POST
REQUEST URI
/
Delete a custom inventory type or the data associated with a custom Inventory type. Deleting a custom inventory type is also referred to as deleting a custom inventory schema.
ClientToken
User-provided idempotency token.
DryRun
Use this option to view a summary of the deletion request without
deleting any data or the data type. This option is useful when you only
want to understand what will be deleted. Once you validate that the
data to be deleted is what you intend to delete, you can run the same
command without specifying the DryRun option.
SchemaDeleteOption
Use the SchemaDeleteOption to delete a custom inventory type
(schema). If you don't choose this option, the system only deletes
existing inventory data associated with the custom inventory type.
Choose one of the following options:
DisableSchema: If you choose this option, the system ignores all
inventory data for the specified version, and any earlier versions. To
enable this schema again, you must call the PutInventory operation
for a version greater than the disabled version.
DeleteSchema: This option deletes the specified custom type from the Inventory service. You can recreate the schema later, if you want.
TypeName
The name of the custom inventory type for which you want to delete either all previously collected data or the inventory type itself.
DeletionId
Every DeleteInventory operation is assigned a unique ID. This option
returns a unique ID. You can use this ID to query the status of a
delete operation. This option is useful for ensuring that a delete
operation has completed before you begin other operations.
DeletionSummary
A summary of the delete operation. For more information about this summary, see Deleting custom inventory (https://docs.aws.amazon.com/systems-manager/latest/userguide/inventory-custom.html#delete-custom-inventory-summary) in the Amazon Web Services Systems Manager User Guide.
TypeName
The name of the inventory data type specified in the request.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidTypeNameException
The parameter type name isn't valid.
InvalidOptionException
The delete inventory option specified isn't valid. Verify the option and try again.
InvalidDeleteInventoryParametersException
One or more of the parameters specified for the delete operation isn't valid. Verify all parameters and try again.
InvalidInventoryRequestException
The request isn't valid.
METHOD
POST
REQUEST URI
/
Deletes a maintenance window.
WindowId
The ID of the maintenance window to delete.
WindowId
The ID of the deleted maintenance window.
ERRORS
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Delete an OpsItem. You must have permission in Identity and Access Management (IAM) to delete an OpsItem.
Note the following important information about this operation.
This operation doesn't support cross-account calls. A delegated administrator or management account can't delete OpsItems in other accounts, even if OpsCenter has been set up for cross-account administration. For more information about cross-account administration, see Setting up OpsCenter to centrally manage OpsItems across accounts (https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter-setting-up-cross-account.html) in the Systems Manager User Guide.
INPUT
OpsItemId
The ID of the OpsItem that you want to delete.
ERRORS
InternalServerError
An error occurred on the server side.
OpsItemInvalidParameterException
A specified parameter argument isn't valid. Verify the available arguments and try again.
METHOD
POST
REQUEST URI
/
Delete OpsMetadata related to an application.
OpsMetadataArn
The Amazon Resource Name (ARN) of an OpsMetadata Object to delete.
ERRORS
OpsMetadataNotFoundException
The OpsMetadata object doesn't exist.
OpsMetadataInvalidArgumentException
One of the arguments passed is invalid.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Delete a parameter from the system. After deleting a parameter, wait for at least 30 seconds to create a parameter with the same name.
Name
The name of the parameter to delete.
You can't enter the Amazon Resource Name (ARN) for a parameter, only the parameter name itself.
ERRORS
InternalServerError
An error occurred on the server side.
ParameterNotFound
The parameter couldn't be found. Verify the name and try again.
For the DeleteParameter and GetParameter actions, if the
specified parameter doesn't exist, the ParameterNotFound exception
is not recorded in CloudTrail event logs.
METHOD
POST
REQUEST URI
/
Delete a list of parameters. After deleting a parameter, wait for at least 30 seconds to create a parameter with the same name.
Names
The names of the parameters to delete. After deleting a parameter, wait for at least 30 seconds to create a parameter with the same name.
You can't enter the Amazon Resource Name (ARN) for a parameter, only the parameter name itself.
DeletedParameters
The names of the deleted parameters.
InvalidParameters
The names of parameters that weren't deleted because the parameters aren't valid.
ERRORS
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Deletes a patch baseline.
BaselineId
The ID of the patch baseline to delete.
BaselineId
The ID of the deleted patch baseline.
ERRORS
ResourceInUseException
Error returned if an attempt is made to delete a patch baseline that is registered for a patch group.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Deletes a resource data sync configuration. After the configuration is deleted, changes to data on managed nodes are no longer synced to or from the target. Deleting a sync configuration doesn't delete data.
SyncName
The name of the configuration to delete.
SyncType
Specify the type of resource data sync to delete.
ERRORS
InternalServerError
An error occurred on the server side.
ResourceDataSyncNotFoundException
The specified sync name wasn't found.
ResourceDataSyncInvalidConfigurationException
The specified sync configuration is invalid.
METHOD
POST
REQUEST URI
/
Deletes a Systems Manager resource policy. A resource policy helps you to define the IAM entity (for example, an Amazon Web Services account) that can manage your Systems Manager resources. The following resources support Systems Manager resource policies.
OpsItemGroup - The resource policy for OpsItemGroup enables
Amazon Web Services accounts to view and interact with OpsCenter
operational work items (OpsItems).Parameter - The resource policy is used to share a parameter with
other accounts using Resource Access Manager (RAM). For more
information about cross-account sharing of parameters, see Working with
shared parameters
(https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-shared-parameters.html)
in the Amazon Web Services Systems Manager User Guide.
INPUT
PolicyHash
ID of the current policy version. The hash helps to prevent multiple calls from attempting to overwrite a policy.
PolicyId
The policy ID.
ResourceArn
Amazon Resource Name (ARN) of the resource to which the policies are attached.
ERRORS
InternalServerError
An error occurred on the server side.
ResourcePolicyInvalidParameterException
One or more parameters specified for the call aren't valid. Verify the parameters and their values and try again.
ResourcePolicyConflictException
The hash provided in the call doesn't match the stored hash. This exception is thrown when trying to update an obsolete policy version or when multiple requests to update a policy are sent.
ResourceNotFoundException
The specified parameter to be shared could not be found.
MalformedResourcePolicyDocumentException
The specified policy document is malformed or invalid, or excessive
PutResourcePolicy or DeleteResourcePolicy calls have been made.
ResourcePolicyNotFoundException
No policies with the specified policy ID and hash could be found.
METHOD
POST
REQUEST URI
/
Removes the server or virtual machine from the list of registered servers.
If you want to reregister an on-premises server, edge device, or VM, you must use a different Activation Code and Activation ID than used to register the machine previously. The Activation Code and Activation ID must not have already been used on the maximum number of activations specified when they were created. For more information, see Deregistering managed nodes in a hybrid and multicloud environment (https://docs.aws.amazon.com/systems-manager/latest/userguide/fleet-manager-deregister-hybrid-nodes.html) in the Amazon Web Services Systems Manager User Guide.
InstanceId
The ID assigned to the managed node when you registered it using the activation process.
ERRORS
InvalidInstanceId
The following problems can cause this exception:
Running,
Pending, Stopped, and Stopping. Invalid states are:
Shutting-down and Terminated.InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Removes a patch group from a patch baseline.
BaselineId
The ID of the patch baseline to deregister the patch group from.
PatchGroup
The name of the patch group that should be deregistered from the patch baseline.
BaselineId
The ID of the patch baseline the patch group was deregistered from.
PatchGroup
The name of the patch group deregistered from the patch baseline.
ERRORS
InvalidResourceId
The resource ID isn't valid. Verify that you entered the correct ID and try again.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Removes a target from a maintenance window.
Safe
The system checks if the target is being referenced by a task. If the target is being referenced, the system returns an error and doesn't deregister the target from the maintenance window.
WindowId
The ID of the maintenance window the target should be removed from.
WindowTargetId
The ID of the target definition to remove.
WindowId
The ID of the maintenance window the target was removed from.
WindowTargetId
The ID of the removed target definition.
ERRORS
DoesNotExistException
Error returned when the ID specified for a resource, such as a maintenance window or patch baseline, doesn't exist.
For information about resource quotas in Amazon Web Services Systems Manager, see Systems Manager service quotas (https://docs.aws.amazon.com/general/latest/gr/ssm.html#limits_ssm) in the Amazon Web Services General Reference.
InternalServerError
An error occurred on the server side.
TargetInUseException
You specified the Safe option for the
DeregisterTargetFromMaintenanceWindow operation, but the target is
still referenced in a task.
METHOD
POST
REQUEST URI
/
Removes a task from a maintenance window.
WindowId
The ID of the maintenance window the task should be removed from.
WindowTaskId
The ID of the task to remove from the maintenance window.
WindowId
The ID of the maintenance window the task was removed from.
WindowTaskId
The ID of the task removed from the maintenance window.
ERRORS
DoesNotExistException
Error returned when the ID specified for a resource, such as a maintenance window or patch baseline, doesn't exist.
For information about resource quotas in Amazon Web Services Systems Manager, see Systems Manager service quotas (https://docs.aws.amazon.com/general/latest/gr/ssm.html#limits_ssm) in the Amazon Web Services General Reference.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Describes details about the activation, such as the date and time the activation was created, its expiration date, the Identity and Access Management (IAM) role assigned to the managed nodes in the activation, and the number of nodes registered by using this activation.
Filters
A filter to view information about your activations.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
A token to start the list. Use this token to get the next set of results.
ActivationList
A list of activations for your Amazon Web Services account.
NextToken
The token for the next set of items to return. Use this token to get the next set of results.
ERRORS
InvalidFilter
The filter name isn't valid. Verify that you entered the correct name and try again.
InvalidNextToken
The specified token isn't valid.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Describes the association for the specified target or managed node. If
you created the association by using the Targets parameter, then you
must retrieve the association by using the association ID.
AssociationId
The association ID for which you want information.
AssociationVersion
Specify the association version to retrieve. To view the latest
version, either specify $LATEST for this parameter, or omit this
parameter. To view a list of all associations for a managed node, use
ListAssociations. To get a list of versions for a specific association,
use ListAssociationVersions.
InstanceId
The managed node ID.
Name
The name of the SSM document.
AssociationDescription
Information about the association.
ERRORS
AssociationDoesNotExist
The specified association doesn't exist.
InvalidAssociationVersion
The version you specified isn't valid. Use ListAssociationVersions to
view all versions of an association according to the association ID.
Or, use the $LATEST parameter to view the latest version of the
association.
InternalServerError
An error occurred on the server side.
InvalidDocument
The specified SSM document doesn't exist.
InvalidInstanceId
The following problems can cause this exception:
Running,
Pending, Stopped, and Stopping. Invalid states are:
Shutting-down and Terminated.METHOD
POST
REQUEST URI
/
Views information about a specific execution of a specific association.
AssociationId
The association ID that includes the execution for which you want to view details.
ExecutionId
The execution ID for which you want to view details.
Filters
Filters for the request. You can specify the following filters and values.
Status (EQUAL)
ResourceId (EQUAL)
ResourceType (EQUAL)
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
A token to start the list. Use this token to get the next set of results.
AssociationExecutionTargets
Information about the execution.
NextToken
The token for the next set of items to return. Use this token to get the next set of results.
ERRORS
InternalServerError
An error occurred on the server side.
AssociationDoesNotExist
The specified association doesn't exist.
InvalidNextToken
The specified token isn't valid.
AssociationExecutionDoesNotExist
The specified execution ID doesn't exist. Verify the ID number and try again.
METHOD
POST
REQUEST URI
/
Views all executions for a specific association ID.
AssociationId
The association ID for which you want to view execution history details.
Filters
Filters for the request. You can specify the following filters and values.
ExecutionId (EQUAL)
Status (EQUAL)
CreatedTime (EQUAL, GREATER_THAN, LESS_THAN)
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
A token to start the list. Use this token to get the next set of results.
AssociationExecutions
A list of the executions for the specified association ID.
NextToken
The token for the next set of items to return. Use this token to get the next set of results.
ERRORS
InternalServerError
An error occurred on the server side.
AssociationDoesNotExist
The specified association doesn't exist.
InvalidNextToken
The specified token isn't valid.
METHOD
POST
REQUEST URI
/
Provides details about all active and terminated Automation executions.
Filters
Filters used to limit the scope of executions that are requested.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
The token for the next set of items to return. (You received this token from a previous call.)
AutomationExecutionMetadataList
The list of details about each automation execution which has occurred which matches the filter specification, if any.
NextToken
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
ERRORS
InvalidFilterKey
The specified key isn't valid.
InvalidFilterValue
The filter value isn't valid. Verify the value and try again.
InvalidNextToken
The specified token isn't valid.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Information about all active and terminated step executions in an Automation workflow.
AutomationExecutionId
The Automation execution ID for which you want step execution descriptions.
Filters
One or more filters to limit the number of step executions returned by the request.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
The token for the next set of items to return. (You received this token from a previous call.)
ReverseOrder
Indicates whether to list step executions in reverse order by start time. The default value is 'false'.
NextToken
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
StepExecutions
A list of details about the current state of all steps that make up an execution.
ERRORS
AutomationExecutionNotFoundException
There is no automation execution information for the requested automation execution ID.
InvalidNextToken
The specified token isn't valid.
InvalidFilterKey
The specified key isn't valid.
InvalidFilterValue
The filter value isn't valid. Verify the value and try again.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Lists all patches eligible to be included in a patch baseline.
Currently, DescribeAvailablePatches supports only the Amazon Linux
1, Amazon Linux 2, and Windows Server operating systems.
Filters
Each element in the array is a structure containing a key-value pair.
Windows Server
Supported keys for Windows Server managed node patches include the following:
PATCH_SET
Sample values: OS | APPLICATION
PRODUCT
Sample values: WindowsServer2012 | Office 2010 |
MicrosoftDefenderAntivirus
PRODUCT_FAMILY
Sample values: Windows | Office
MSRC_SEVERITY
Sample values: ServicePacks | Important | Moderate
CLASSIFICATION
Sample values: ServicePacks | SecurityUpdates |
DefinitionUpdates
PATCH_ID
Sample values: KB123456 | KB4516046
Linux
When specifying filters for Linux patches, you must specify a key-pair
for PRODUCT. For example, using the Command Line Interface (CLI),
the following command fails:
aws ssm describe-available-patches --filters
Key=CVE_ID,Values=CVE-2018-3615
However, the following command succeeds:
aws ssm describe-available-patches --filters
Key=PRODUCT,Values=AmazonLinux2018.03 Key=CVE_ID,Values=CVE-2018-3615
Supported keys for Linux managed node patches include the following:
PRODUCT
Sample values: AmazonLinux2018.03 | AmazonLinux2.0
NAME
Sample values: kernel-headers | samba-python | php
SEVERITY
Sample values: Critical | Important | Medium | Low
EPOCH
Sample values: 0 | 1
VERSION
Sample values: 78.6.1 | 4.10.16
RELEASE
Sample values: 9.56.amzn1 | 1.amzn2
ARCH
Sample values: i686 | x86_64
REPOSITORY
Sample values: Core | Updates
ADVISORY_ID
Sample values: ALAS-2018-1058 | ALAS2-2021-1594
CVE_ID
Sample values: CVE-2018-3615 | CVE-2020-1472
BUGZILLA_ID
Sample values: 1463241
MaxResults
The maximum number of patches to return (per page).
NextToken
The token for the next set of items to return. (You received this token from a previous call.)
NextToken
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
Patches
An array of patches. Each entry in the array is a patch structure.
ERRORS
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Describes the specified Amazon Web Services Systems Manager document (SSM document).
DocumentVersion
The document version for which you want information. Can be a specific version or the default version.
Name
The name of the SSM document.
VersionName
An optional field specifying the version of the artifact associated with the document. For example, 12.6. This value is unique across all versions of a document, and can't be changed.
Document
Information about the SSM document.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidDocument
The specified SSM document doesn't exist.
InvalidDocumentVersion
The document version isn't valid or doesn't exist.
METHOD
POST
REQUEST URI
/
Describes the permissions for a Amazon Web Services Systems Manager document (SSM document). If you created the document, you are the owner. If a document is shared, it can either be shared privately (by specifying a user's Amazon Web Services account ID) or publicly (All).
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
Name
The name of the document for which you are the owner.
NextToken
The token for the next set of items to return. (You received this token from a previous call.)
PermissionType
The permission type for the document. The permission type can be Share.
AccountIds
The account IDs that have permission to use this document. The ID can be either an Amazon Web Services account or All.
AccountSharingInfoList
A list of Amazon Web Services accounts where the current document is shared and the version shared with each account.
NextToken
The token for the next set of items to return. Use this token to get the next set of results.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidDocument
The specified SSM document doesn't exist.
InvalidNextToken
The specified token isn't valid.
InvalidPermissionType
The permission type isn't supported. Share is the only supported permission type.
InvalidDocumentOperation
You attempted to delete a document while it is still shared. You must stop sharing the document before you can delete it.
METHOD
POST
REQUEST URI
/
All associations for the managed nodes.
InstanceId
The managed node ID for which you want to view all associations.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
The token for the next set of items to return. (You received this token from a previous call.)
Associations
The associations for the requested managed node.
NextToken
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidInstanceId
The following problems can cause this exception:
Running,
Pending, Stopped, and Stopping. Invalid states are:
Shutting-down and Terminated.InvalidNextToken
The specified token isn't valid.
METHOD
POST
REQUEST URI
/
Retrieves the current effective patches (the patch and the approval state) for the specified patch baseline. Applies to patch baselines for Windows only.
BaselineId
The ID of the patch baseline to retrieve the effective patches for.
MaxResults
The maximum number of patches to return (per page).
NextToken
The token for the next set of items to return. (You received this token from a previous call.)
EffectivePatches
An array of patches and patch status.
NextToken
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
ERRORS
InvalidResourceId
The resource ID isn't valid. Verify that you entered the correct ID and try again.
DoesNotExistException
Error returned when the ID specified for a resource, such as a maintenance window or patch baseline, doesn't exist.
For information about resource quotas in Amazon Web Services Systems Manager, see Systems Manager service quotas (https://docs.aws.amazon.com/general/latest/gr/ssm.html#limits_ssm) in the Amazon Web Services General Reference.
UnsupportedOperatingSystem
The operating systems you specified isn't supported, or the operation isn't supported for the operating system.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
The status of the associations for the managed nodes.
InstanceId
The managed node IDs for which you want association status information.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
The token for the next set of items to return. (You received this token from a previous call.)
InstanceAssociationStatusInfos
Status information about the association.
NextToken
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidInstanceId
The following problems can cause this exception:
Running,
Pending, Stopped, and Stopping. Invalid states are:
Shutting-down and Terminated.InvalidNextToken
The specified token isn't valid.
METHOD
POST
REQUEST URI
/
Provides information about one or more of your managed nodes, including the operating system platform, SSM Agent version, association status, and IP address. This operation does not return information for nodes that are either Stopped or Terminated.
If you specify one or more node IDs, the operation returns information for those managed nodes. If you don't specify node IDs, it returns information for all your managed nodes. If you specify a node ID that isn't valid or a node that you don't own, you receive an error.
The IamRole field returned for this API operation is the role
assigned to an Amazon EC2 instance configured with a Systems Manager
Quick Setup host management configuration or the role assigned to an
on-premises managed node.
Filters
One or more filters. Use a filter to return a more specific list of
managed nodes. You can filter based on tags applied to your managed
nodes. Tag filters can't be combined with other filter types. Use this
Filters data type instead of InstanceInformationFilterList, which
is deprecated.
InstanceInformationFilterList
This is a legacy method. We recommend that you don't use this method.
Instead, use the Filters data type. Filters enables you to return
node information by filtering based on tags applied to managed nodes.
Attempting to use InstanceInformationFilterList and Filters leads
to an exception error.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results. The default value is 10 items.
NextToken
The token for the next set of items to return. (You received this token from a previous call.)
InstanceInformationList
The managed node information list.
NextToken
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidInstanceId
The following problems can cause this exception:
Running,
Pending, Stopped, and Stopping. Invalid states are:
Shutting-down and Terminated.InvalidNextToken
The specified token isn't valid.
InvalidInstanceInformationFilterValue
The specified filter value isn't valid.
InvalidFilterKey
The specified key isn't valid.
METHOD
POST
REQUEST URI
/
Retrieves the high-level patch state of one or more managed nodes.
InstanceIds
The ID of the managed node for which patch state information should be retrieved.
MaxResults
The maximum number of managed nodes to return (per page).
NextToken
The token for the next set of items to return. (You received this token from a previous call.)
InstancePatchStates
The high-level patch state for the requested managed nodes.
NextToken
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidNextToken
The specified token isn't valid.
METHOD
POST
REQUEST URI
/
Retrieves the high-level patch state for the managed nodes in the specified patch group.
Filters
Each entry in the array is a structure containing:
MaxResults
The maximum number of patches to return (per page).
NextToken
The token for the next set of items to return. (You received this token from a previous call.)
PatchGroup
The name of the patch group for which the patch state information should be retrieved.
InstancePatchStates
The high-level patch state for the requested managed nodes.
NextToken
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidFilter
The filter name isn't valid. Verify that you entered the correct name and try again.
InvalidNextToken
The specified token isn't valid.
METHOD
POST
REQUEST URI
/
Retrieves information about the patches on the specified managed node and their state relative to the patch baseline being used for the node.
Filters
Each element in the array is a structure containing a key-value pair.
Supported keys for DescribeInstancePatchesinclude the following:
Classification
Sample values: Security | SecurityUpdates
KBId
Sample values: KB4480056 | java-1.7.0-openjdk.x86_64
Severity
Sample values: Important | Medium | Low
State
Sample values: Installed | InstalledOther |
InstalledPendingReboot
For lists of all State values, see Patch compliance state values
(https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-compliance-states.html)
in the Amazon Web Services Systems Manager User Guide.
InstanceId
The ID of the managed node whose patch state information should be retrieved.
MaxResults
The maximum number of patches to return (per page).
NextToken
The token for the next set of items to return. (You received this token from a previous call.)
NextToken
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
Patches
Each entry in the array is a structure containing:
ERRORS
InternalServerError
An error occurred on the server side.
InvalidInstanceId
The following problems can cause this exception:
Running,
Pending, Stopped, and Stopping. Invalid states are:
Shutting-down and Terminated.InvalidFilter
The filter name isn't valid. Verify that you entered the correct name and try again.
InvalidNextToken
The specified token isn't valid.
METHOD
POST
REQUEST URI
/
An API operation used by the Systems Manager console to display information about Systems Manager managed nodes.
FiltersWithOperator
The request filters to use with the operator.
InstancePropertyFilterList
An array of instance property filters.
MaxResults
The maximum number of items to return for the call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
The token provided by a previous request to use to return the next set of properties.
InstanceProperties
Properties for the managed instances.
NextToken
The token for the next set of properties to return. Use this token to get the next set of results.
ERRORS
InvalidNextToken
The specified token isn't valid.
InvalidFilterKey
The specified key isn't valid.
InvalidInstanceId
The following problems can cause this exception:
Running,
Pending, Stopped, and Stopping. Invalid states are:
Shutting-down and Terminated.InvalidActivationId
The activation ID isn't valid. Verify that you entered the correct ActivationId or ActivationCode and try again.
InvalidInstancePropertyFilterValue
The specified filter value isn't valid.
InternalServerError
An error occurred on the server side.
InvalidDocument
The specified SSM document doesn't exist.
METHOD
POST
REQUEST URI
/
Describes a specific delete inventory operation.
DeletionId
Specify the delete inventory ID for which you want information. This ID
was returned by the DeleteInventory operation.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
A token to start the list. Use this token to get the next set of results.
InventoryDeletions
A list of status items for deleted inventory.
NextToken
The token for the next set of items to return. Use this token to get the next set of results.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidDeletionIdException
The ID specified for the delete operation doesn't exist or isn't valid. Verify the ID and try again.
InvalidNextToken
The specified token isn't valid.
METHOD
POST
REQUEST URI
/
Retrieves the individual task executions (one per target) for a particular task run as part of a maintenance window execution.
Filters
Optional filters used to scope down the returned task invocations. The
supported filter key is STATUS with the corresponding values
PENDING, IN_PROGRESS, SUCCESS, FAILED, TIMED_OUT,
CANCELLING, and CANCELLED.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
The token for the next set of items to return. (You received this token from a previous call.)
TaskId
The ID of the specific task in the maintenance window task that should be retrieved.
WindowExecutionId
The ID of the maintenance window execution the task is part of.
NextToken
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
WindowExecutionTaskInvocationIdentities
Information about the task invocation results per invocation.
ERRORS
DoesNotExistException
Error returned when the ID specified for a resource, such as a maintenance window or patch baseline, doesn't exist.
For information about resource quotas in Amazon Web Services Systems Manager, see Systems Manager service quotas (https://docs.aws.amazon.com/general/latest/gr/ssm.html#limits_ssm) in the Amazon Web Services General Reference.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
For a given maintenance window execution, lists the tasks that were run.
Filters
Optional filters used to scope down the returned tasks. The supported
filter key is STATUS with the corresponding values PENDING,
IN_PROGRESS, SUCCESS, FAILED, TIMED_OUT, CANCELLING, and
CANCELLED.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
The token for the next set of items to return. (You received this token from a previous call.)
WindowExecutionId
The ID of the maintenance window execution whose task executions should be retrieved.
NextToken
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
WindowExecutionTaskIdentities
Information about the task executions.
ERRORS
DoesNotExistException
Error returned when the ID specified for a resource, such as a maintenance window or patch baseline, doesn't exist.
For information about resource quotas in Amazon Web Services Systems Manager, see Systems Manager service quotas (https://docs.aws.amazon.com/general/latest/gr/ssm.html#limits_ssm) in the Amazon Web Services General Reference.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Lists the executions of a maintenance window. This includes information about when the maintenance window was scheduled to be active, and information about tasks registered and run with the maintenance window.
Filters
Each entry in the array is a structure containing:
ExecutedBefore and ExecutedAfter.2024-11-04T05:00:00Z.MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
The token for the next set of items to return. (You received this token from a previous call.)
WindowId
The ID of the maintenance window whose executions should be retrieved.
NextToken
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
WindowExecutions
Information about the maintenance window executions.
ERRORS
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Retrieves information about upcoming executions of a maintenance window.
Filters
Filters used to limit the range of results. For example, you can limit maintenance window executions to only those scheduled before or after a certain date and time.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
The token for the next set of items to return. (You received this token from a previous call.)
ResourceType
The type of resource you want to retrieve information about. For
example, INSTANCE.
Targets
The managed node ID or key-value pair to retrieve information about.
WindowId
The ID of the maintenance window to retrieve information about.
NextToken
The token for the next set of items to return. (You use this token in the next call.)
ScheduledWindowExecutions
Information about maintenance window executions scheduled for the specified time range.
ERRORS
InternalServerError
An error occurred on the server side.
DoesNotExistException
Error returned when the ID specified for a resource, such as a maintenance window or patch baseline, doesn't exist.
For information about resource quotas in Amazon Web Services Systems Manager, see Systems Manager service quotas (https://docs.aws.amazon.com/general/latest/gr/ssm.html#limits_ssm) in the Amazon Web Services General Reference.
METHOD
POST
REQUEST URI
/
Lists the targets registered with the maintenance window.
Filters
Optional filters that can be used to narrow down the scope of the
returned window targets. The supported filter keys are Type,
WindowTargetId, and OwnerInformation.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
The token for the next set of items to return. (You received this token from a previous call.)
WindowId
The ID of the maintenance window whose targets should be retrieved.
NextToken
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
Targets
Information about the targets in the maintenance window.
ERRORS
DoesNotExistException
Error returned when the ID specified for a resource, such as a maintenance window or patch baseline, doesn't exist.
For information about resource quotas in Amazon Web Services Systems Manager, see Systems Manager service quotas (https://docs.aws.amazon.com/general/latest/gr/ssm.html#limits_ssm) in the Amazon Web Services General Reference.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Lists the tasks in a maintenance window.
For maintenance window tasks without a specified target, you can't
supply values for --max-errors and --max-concurrency. Instead,
the system inserts a placeholder value of 1, which may be reported
in the response to this command. These values don't affect the running
of your task and can be ignored.
Filters
Optional filters used to narrow down the scope of the returned tasks.
The supported filter keys are WindowTaskId, TaskArn, Priority,
and TaskType.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
The token for the next set of items to return. (You received this token from a previous call.)
WindowId
The ID of the maintenance window whose tasks should be retrieved.
NextToken
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
Tasks
Information about the tasks in the maintenance window.
ERRORS
DoesNotExistException
Error returned when the ID specified for a resource, such as a maintenance window or patch baseline, doesn't exist.
For information about resource quotas in Amazon Web Services Systems Manager, see Systems Manager service quotas (https://docs.aws.amazon.com/general/latest/gr/ssm.html#limits_ssm) in the Amazon Web Services General Reference.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Retrieves the maintenance windows in an Amazon Web Services account.
Filters
Optional filters used to narrow down the scope of the returned
maintenance windows. Supported filter keys are Name and Enabled.
For example, Name=MyMaintenanceWindow and Enabled=True.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
The token for the next set of items to return. (You received this token from a previous call.)
NextToken
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
WindowIdentities
Information about the maintenance windows.
ERRORS
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Retrieves information about the maintenance window targets or tasks that a managed node is associated with.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
The token for the next set of items to return. (You received this token from a previous call.)
ResourceType
The type of resource you want to retrieve information about. For
example, INSTANCE.
Targets
The managed node ID or key-value pair to retrieve information about.
NextToken
The token for the next set of items to return. (You use this token in the next call.)
WindowIdentities
Information about the maintenance window targets and tasks a managed node is associated with.
ERRORS
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Query a set of OpsItems. You must have permission in Identity and Access Management (IAM) to query a list of OpsItems. For more information, see Set up OpsCenter (https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter-setup.html) in the Amazon Web Services Systems Manager User Guide.
Operations engineers and IT professionals use Amazon Web Services Systems Manager OpsCenter to view, investigate, and remediate operational issues impacting the performance and health of their Amazon Web Services resources. For more information, see Amazon Web Services Systems Manager OpsCenter (https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter.html) in the Amazon Web Services Systems Manager User Guide.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
A token to start the list. Use this token to get the next set of results.
OpsItemFilters
One or more filters to limit the response.
Key: CreatedTime
Operations: GreaterThan, LessThan
Key: LastModifiedBy
Operations: Contains, Equals
Key: LastModifiedTime
Operations: GreaterThan, LessThan
Key: Priority
Operations: Equals
Key: Source
Operations: Contains, Equals
Key: Status
Operations: Equals
Key: Title*
Operations: Equals,Contains
Key: OperationalData**
Operations: Equals
Key: OperationalDataKey
Operations: Equals
Key: OperationalDataValue
Operations: Equals, Contains
Key: OpsItemId
Operations: Equals
Key: ResourceId
Operations: Contains
Key: AutomationId
Operations: Equals
Key: AccountId
Operations: Equals
*The Equals operator for Title matches the first 100 characters. If you specify more than 100 characters, they system returns an error that the filter value exceeds the length limit.
**If you filter the response by using the OperationalData operator, specify a key-value pair by using the following JSON format: {"key":"key_name","value":"a_value"}
NextToken
The token for the next set of items to return. Use this token to get the next set of results.
OpsItemSummaries
A list of OpsItems.
ERRORS
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Lists the parameters in your Amazon Web Services account or the parameters shared with you when you enable the Shared (https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_DescribeParameters.html#systemsmanager-DescribeParameters-request-Shared) option.
Request results are returned on a best-effort basis. If you specify
MaxResults in the request, the response includes information up to
the limit specified. The number of items returned, however, can be
between zero and the value of MaxResults. If the service reaches an
internal limit while processing the results, it stops the operation and
returns the matching values up to that point and a NextToken. You
can specify the NextToken in a subsequent call to get the next set
of results.
If you change the KMS key alias for the KMS key used to encrypt a
parameter, then you must also update the key alias the parameter uses
to reference KMS. Otherwise, DescribeParameters retrieves whatever
the original key alias was referencing.
Filters
This data type is deprecated. Instead, use ParameterFilters.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
The token for the next set of items to return. (You received this token from a previous call.)
ParameterFilters
Filters to limit the request results.
Shared
Lists parameters that are shared with you.
By default when using this option, the command returns parameters that
have been shared using a standard Resource Access Manager Resource
Share. In order for a parameter that was shared using the
PutResourcePolicy command to be returned, the associated RAM Resource
Share Created From Policy must have been promoted to a standard
Resource Share using the RAM PromoteResourceShareCreatedFromPolicy
(https://docs.aws.amazon.com/ram/latest/APIReference/API_PromoteResourceShareCreatedFromPolicy.html)
API operation.
For more information about sharing parameters, see Working with shared parameters (https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-shared-parameters.html) in the Amazon Web Services Systems Manager User Guide.
NextToken
The token to use when requesting the next set of items.
Parameters
Parameters returned by the request.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidFilterKey
The specified key isn't valid.
InvalidFilterOption
The specified filter option isn't valid. Valid options are Equals and BeginsWith. For Path filter, valid options are Recursive and OneLevel.
InvalidFilterValue
The filter value isn't valid. Verify the value and try again.
InvalidNextToken
The specified token isn't valid.
METHOD
POST
REQUEST URI
/
Lists the patch baselines in your Amazon Web Services account.
Filters
Each element in the array is a structure containing a key-value pair.
Supported keys for DescribePatchBaselines include the following:
NAME_PREFIX
Sample values: AWS- | My-
OWNER
Sample values: AWS | Self
OPERATING_SYSTEM
Sample values: AMAZON_LINUX | SUSE | WINDOWS
MaxResults
The maximum number of patch baselines to return (per page).
NextToken
The token for the next set of items to return. (You received this token from a previous call.)
BaselineIdentities
An array of PatchBaselineIdentity elements.
NextToken
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
ERRORS
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Returns high-level aggregated patch compliance state information for a patch group.
PatchGroup
The name of the patch group whose patch snapshot should be retrieved.
Instances
The number of managed nodes in the patch group.
InstancesWithAvailableSecurityUpdates
The number of managed nodes for which security-related patches are available but not approved because because they didn't meet the patch baseline requirements. For example, an updated version of a patch might have been released before the specified auto-approval period was over.
Applies to Windows Server managed nodes only.
InstancesWithCriticalNonCompliantPatches
The number of managed nodes where patches that are specified as
Critical for compliance reporting in the patch baseline aren't
installed. These patches might be missing, have failed installation,
were rejected, or were installed but awaiting a required managed node
reboot. The status of these managed nodes is NON_COMPLIANT.
InstancesWithFailedPatches
The number of managed nodes with patches from the patch baseline that failed to install.
InstancesWithInstalledOtherPatches
The number of managed nodes with patches installed that aren't defined in the patch baseline.
InstancesWithInstalledPatches
The number of managed nodes with installed patches.
InstancesWithInstalledPendingRebootPatches
The number of managed nodes with patches installed by Patch Manager
that haven't been rebooted after the patch installation. The status of
these managed nodes is NON_COMPLIANT.
InstancesWithInstalledRejectedPatches
The number of managed nodes with patches installed that are specified
in a RejectedPatches list. Patches with a status of
INSTALLED_REJECTED were typically installed before they were added
to a RejectedPatches list.
If ALLOW_AS_DEPENDENCY is the specified option for
RejectedPatchesAction, the value of
InstancesWithInstalledRejectedPatches will always be 0 (zero).
InstancesWithMissingPatches
The number of managed nodes with missing patches from the patch baseline.
InstancesWithNotApplicablePatches
The number of managed nodes with patches that aren't applicable.
InstancesWithOtherNonCompliantPatches
The number of managed nodes with patches installed that are specified
as other than Critical or Security but aren't compliant with the
patch baseline. The status of these managed nodes is NON_COMPLIANT.
InstancesWithSecurityNonCompliantPatches
The number of managed nodes where patches that are specified as
Security in a patch advisory aren't installed. These patches might
be missing, have failed installation, were rejected, or were installed
but awaiting a required managed node reboot. The status of these
managed nodes is NON_COMPLIANT.
InstancesWithUnreportedNotApplicablePatches
The number of managed nodes with NotApplicable patches beyond the
supported limit, which aren't reported by name to Inventory. Inventory
is a tool in Amazon Web Services Systems Manager.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidNextToken
The specified token isn't valid.
METHOD
POST
REQUEST URI
/
Lists all patch groups that have been registered with patch baselines.
Filters
Each element in the array is a structure containing a key-value pair.
Supported keys for DescribePatchGroups include the following:
NAME_PREFIX
Sample values: AWS- | My-.
OPERATING_SYSTEM
Sample values: AMAZON_LINUX | SUSE | WINDOWS
MaxResults
The maximum number of patch groups to return (per page).
NextToken
The token for the next set of items to return. (You received this token from a previous call.)
Mappings
Each entry in the array contains:
PatchGroup: string (between 1 and 256 characters. Regex:
^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$)PatchBaselineIdentity: A PatchBaselineIdentity element.NextToken
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
ERRORS
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Lists the properties of available patches organized by product, product family, classification, severity, and other properties of available patches. You can use the reported properties in the filters you specify in requests for operations such as CreatePatchBaseline, UpdatePatchBaseline, DescribeAvailablePatches, and DescribePatchBaselines.
The following section lists the properties that can be used in filters for each major operating system type:
AMAZON_LINUX
Valid properties: PRODUCT | CLASSIFICATION | SEVERITY
AMAZON_LINUX_2
Valid properties: PRODUCT | CLASSIFICATION | SEVERITY
AMAZON_LINUX_2023
Valid properties: PRODUCT | CLASSIFICATION | SEVERITY
CENTOS
Valid properties: PRODUCT | CLASSIFICATION | SEVERITY
DEBIAN
Valid properties: PRODUCT | PRIORITY
MACOS
Valid properties: PRODUCT | CLASSIFICATION
ORACLE_LINUX
Valid properties: PRODUCT | CLASSIFICATION | SEVERITY
REDHAT_ENTERPRISE_LINUX
Valid properties: PRODUCT | CLASSIFICATION | SEVERITY
SUSE
Valid properties: PRODUCT | CLASSIFICATION | SEVERITY
UBUNTU
Valid properties: PRODUCT | PRIORITY
WINDOWS
Valid properties: PRODUCT | PRODUCT_FAMILY | CLASSIFICATION |
MSRC_SEVERITY
INPUT
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
The token for the next set of items to return. (You received this token from a previous call.)
OperatingSystem
The operating system type for which to list patches.
PatchSet
Indicates whether to list patches for the Windows operating system or for applications released by Microsoft. Not applicable for the Linux or macOS operating systems.
Property
The patch property for which you want to view patch details.
NextToken
The token for the next set of items to return. (You use this token in the next call.)
Properties
A list of the properties for patches matching the filter request parameters.
ERRORS
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Retrieves a list of all active sessions (both connected and disconnected) or terminated sessions from the past 30 days.
Filters
One or more filters to limit the type of sessions returned by the request.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
The token for the next set of items to return. (You received this token from a previous call.)
State
The session status to retrieve a list of sessions for. For example, "Active".
NextToken
The token for the next set of items to return. (You received this token from a previous call.)
Sessions
A list of sessions meeting the request parameters.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidFilterKey
The specified key isn't valid.
InvalidNextToken
The specified token isn't valid.
METHOD
POST
REQUEST URI
/
Deletes the association between an OpsItem and a related item. For example, this API operation can delete an Incident Manager incident from an OpsItem. Incident Manager is a tool in Amazon Web Services Systems Manager.
AssociationId
The ID of the association for which you want to delete an association between the OpsItem and a related item.
OpsItemId
The ID of the OpsItem for which you want to delete an association between the OpsItem and a related item.
ERRORS
InternalServerError
An error occurred on the server side.
OpsItemRelatedItemAssociationNotFoundException
The association wasn't found using the parameters you specified in the call. Verify the information and try again.
OpsItemNotFoundException
The specified OpsItem ID doesn't exist. Verify the ID and try again.
OpsItemInvalidParameterException
A specified parameter argument isn't valid. Verify the available arguments and try again.
OpsItemConflictException
The specified OpsItem is in the process of being deleted.
METHOD
POST
REQUEST URI
/
Get detailed information about a particular Automation execution.
AutomationExecutionId
The unique identifier for an existing automation execution to examine. The execution ID is returned by StartAutomationExecution when the execution of an Automation runbook is initiated.
AutomationExecution
Detailed information about the current state of an automation execution.
ERRORS
AutomationExecutionNotFoundException
There is no automation execution information for the requested automation execution ID.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Gets the state of a Amazon Web Services Systems Manager change calendar
at the current time or a specified time. If you specify a time,
GetCalendarState returns the state of the calendar at that specific
time, and returns the next time that the change calendar state will
transition. If you don't specify a time, GetCalendarState uses the
current time. Change Calendar entries have two possible states: OPEN
or CLOSED.
If you specify more than one calendar in a request, the command returns
the status of OPEN only if all calendars in the request are open. If
one or more calendars in the request are closed, the status returned is
CLOSED.
For more information about Change Calendar, a tool in Amazon Web Services Systems Manager, see Amazon Web Services Systems Manager Change Calendar (https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-change-calendar.html) in the Amazon Web Services Systems Manager User Guide.
AtTime
(Optional) The specific time for which you want to get calendar state
information, in ISO 8601 (https://en.wikipedia.org/wiki/ISO_8601)
format. If you don't specify a value or AtTime, the current time is
used.
CalendarNames
The names of Amazon Resource Names (ARNs) of the Systems Manager documents (SSM documents) that represent the calendar entries for which you want to get the state.
AtTime
The time, as an ISO 8601 (https://en.wikipedia.org/wiki/ISO_8601)
string, that you specified in your command. If you don't specify a
time, GetCalendarState uses the current time.
NextTransitionTime
The time, as an ISO 8601 (https://en.wikipedia.org/wiki/ISO_8601)
string, that the calendar state will change. If the current calendar
state is OPEN, NextTransitionTime indicates when the calendar
state changes to CLOSED, and vice-versa.
State
The state of the calendar. An OPEN calendar indicates that actions
are allowed to proceed, and a CLOSED calendar indicates that actions
aren't allowed to proceed.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidDocument
The specified SSM document doesn't exist.
InvalidDocumentType
The SSM document type isn't valid. Valid document types are described
in the DocumentType property.
UnsupportedCalendarException
The calendar entry contained in the specified SSM document isn't supported.
METHOD
POST
REQUEST URI
/
Returns detailed information about command execution for an invocation or plugin. The Run Command API follows an eventual consistency model, due to the distributed nature of the system supporting the API. This means that the result of an API command you run that affects your resources might not be immediately visible to all subsequent commands you run. You should keep this in mind when you carry out an API command that immediately follows a previous API command.
GetCommandInvocation only gives the execution status of a plugin in
a document. To get the command execution status on a specific managed
node, use ListCommandInvocations. To get the command execution status
across managed nodes, use ListCommands.
CommandId
(Required) The parent command ID of the invocation plugin.
InstanceId
(Required) The ID of the managed node targeted by the command. A managed node can be an Amazon Elastic Compute Cloud (Amazon EC2) instance, edge device, and on-premises server or VM in your hybrid environment that is configured for Amazon Web Services Systems Manager.
PluginName
The name of the step for which you want detailed results. If the
document contains only one step, you can omit the name and details for
that step. If the document contains more than one step, you must
specify the name of the step for which you want to view details. Be
sure to specify the name of the step, not the name of a plugin like
aws:RunShellScript.
To find the PluginName, check the document content and find the name
of the step you want details for. Alternatively, use
ListCommandInvocations with the CommandId and Details parameters.
The PluginName is the Name attribute of the CommandPlugin
object in the CommandPlugins list.
CloudWatchOutputConfig
Amazon CloudWatch Logs information where Systems Manager sent the command output.
CommandId
The parent command ID of the invocation plugin.
Comment
The comment text for the command.
DocumentName
The name of the document that was run. For example,
AWS-RunShellScript.
DocumentVersion
The Systems Manager document (SSM document) version used in the request.
ExecutionElapsedTime
Duration since ExecutionStartDateTime.
ExecutionEndDateTime
The date and time the plugin finished running. Date and time are
written in ISO 8601 format. For example, June 7, 2017 is represented as
2017-06-7. The following sample Amazon Web Services CLI command uses
the InvokedAfter filter.
aws ssm list-commands --filters
key=InvokedAfter,value=2017-06-07T00:00:00Z
If the plugin hasn't started to run, the string is empty.
ExecutionStartDateTime
The date and time the plugin started running. Date and time are written
in ISO 8601 format. For example, June 7, 2017 is represented as
2017-06-7. The following sample Amazon Web Services CLI command uses
the InvokedBefore filter.
aws ssm list-commands --filters
key=InvokedBefore,value=2017-06-07T00:00:00Z
If the plugin hasn't started to run, the string is empty.
InstanceId
The ID of the managed node targeted by the command. A managed node can be an Amazon Elastic Compute Cloud (Amazon EC2) instance, edge device, or on-premises server or VM in your hybrid environment that is configured for Amazon Web Services Systems Manager.
PluginName
The name of the plugin, or step name, for which details are
reported. For example, aws:RunShellScript is a plugin.
ResponseCode
The error level response code for the plugin script. If the response
code is -1, then the command hasn't started running on the managed
node, or it wasn't received by the node.
StandardErrorContent
The first 8,000 characters written by the plugin to stderr. If the
command hasn't finished running, then this string is empty.
StandardErrorUrl
The URL for the complete text written by the plugin to stderr. If
the command hasn't finished running, then this string is empty.
StandardOutputContent
The first 24,000 characters written by the plugin to stdout. If the
command hasn't finished running, if ExecutionStatus is neither
Succeeded nor Failed, then this string is empty.
StandardOutputUrl
The URL for the complete text written by the plugin to stdout in
Amazon Simple Storage Service (Amazon S3). If an S3 bucket wasn't
specified, then this string is empty.
Status
The status of this invocation plugin. This status can be different than
StatusDetails.
StatusDetails
A detailed status of the command execution for an invocation.
StatusDetails includes more information than Status because it
includes states resulting from error and concurrency control
parameters. StatusDetails can show different results than Status.
For more information about these statuses, see Understanding command
statuses
(https://docs.aws.amazon.com/systems-manager/latest/userguide/monitor-commands.html)
in the Amazon Web Services Systems Manager User Guide.
StatusDetails can be one of the following values:
MaxErrors limit, but they do contribute
to whether the parent command status is Success or Incomplete. This is
a terminal state.MaxErrors limit of the parent command.
This is a terminal state.MaxErrors limit
of the parent command. This is a terminal state.MaxErrors limit
and don't contribute to whether the parent command status is Success or
Incomplete. This is a terminal state.MaxErrors limit and
subsequent command invocations were canceled by the system. This is a
terminal state.ERRORS
InternalServerError
An error occurred on the server side.
InvalidCommandId
The specified command ID isn't valid. Verify the ID and try again.
InvalidInstanceId
The following problems can cause this exception:
Running,
Pending, Stopped, and Stopping. Invalid states are:
Shutting-down and Terminated.InvalidPluginName
The plugin name isn't valid.
InvocationDoesNotExist
The command ID and managed node ID you specified didn't match any invocations. Verify the command ID and the managed node ID and try again.
METHOD
POST
REQUEST URI
/
Retrieves the Session Manager connection status for a managed node to determine whether it is running and ready to receive Session Manager connections.
Target
The managed node ID.
Status
The status of the connection to the managed node.
Target
The ID of the managed node to check connection status.
ERRORS
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Retrieves the default patch baseline. Amazon Web Services Systems Manager supports creating multiple default patch baselines. For example, you can create a default patch baseline for each operating system.
If you don't specify an operating system value, the default patch baseline for Windows is returned.
OperatingSystem
Returns the default patch baseline for the specified operating system.
BaselineId
The ID of the default patch baseline.
OperatingSystem
The operating system for the returned patch baseline.
ERRORS
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Retrieves the current snapshot for the patch baseline the managed node
uses. This API is primarily used by the AWS-RunPatchBaseline Systems
Manager document (SSM document).
If you run the command locally, such as with the Command Line Interface
(CLI), the system attempts to use your local Amazon Web Services
credentials and the operation fails. To avoid this, you can run the
command in the Amazon Web Services Systems Manager console. Use Run
Command, a tool in Amazon Web Services Systems Manager, with an SSM
document that enables you to target a managed node with a script or
command. For example, run the command using the AWS-RunShellScript
document or the AWS-RunPowerShellScript document.
BaselineOverride
Defines the basic information about a patch baseline override.
InstanceId
The ID of the managed node for which the appropriate patch snapshot should be retrieved.
SnapshotId
The snapshot ID provided by the user when running
AWS-RunPatchBaseline.
InstanceId
The managed node ID.
Product
Returns the specific operating system (for example Windows Server 2012 or Amazon Linux 2015.09) on the managed node for the specified patch snapshot.
SnapshotDownloadUrl
A pre-signed Amazon Simple Storage Service (Amazon S3) URL that can be used to download the patch snapshot.
SnapshotId
The user-defined snapshot ID.
ERRORS
InternalServerError
An error occurred on the server side.
UnsupportedOperatingSystem
The operating systems you specified isn't supported, or the operation isn't supported for the operating system.
UnsupportedFeatureRequiredException
Patching for applications released by Microsoft is only available on EC2 instances and advanced instances. To patch applications released by Microsoft on on-premises servers and VMs, you must enable advanced instances. For more information, see Turning on the advanced-instances tier (https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-managedinstances-advanced.html) in the Amazon Web Services Systems Manager User Guide.
METHOD
POST
REQUEST URI
/
Gets the contents of the specified Amazon Web Services Systems Manager document (SSM document).
DocumentFormat
Returns the document in the specified format. The document format can be either JSON or YAML. JSON is the default format.
DocumentVersion
The document version for which you want information.
Name
The name of the SSM document.
VersionName
An optional field specifying the version of the artifact associated with the document. For example, 12.6. This value is unique across all versions of a document and can't be changed.
AttachmentsContent
A description of the document attachments, including names, locations, sizes, and so on.
Content
The contents of the SSM document.
CreatedDate
The date the SSM document was created.
DisplayName
The friendly name of the SSM document. This value can differ for each version of the document. If you want to update this value, see UpdateDocument.
DocumentFormat
The document format, either JSON or YAML.
DocumentType
The document type.
DocumentVersion
The document version.
Name
The name of the SSM document.
Requires
A list of SSM documents required by a document. For example, an
ApplicationConfiguration document requires an
ApplicationConfigurationSchema document.
ReviewStatus
The current review status of a new custom Systems Manager document (SSM document) created by a member of your organization, or of the latest version of an existing SSM document.
Only one version of an SSM document can be in the APPROVED state at a time. When a new version is approved, the status of the previous version changes to REJECTED.
Only one version of an SSM document can be in review, or PENDING, at a time.
Status
The status of the SSM document, such as Creating, Active,
Updating, Failed, and Deleting.
StatusInformation
A message returned by Amazon Web Services Systems Manager that explains
the Status value. For example, a Failed status might be explained
by the StatusInformation message, "The specified S3 bucket doesn't
exist. Verify that the URL of the S3 bucket is correct."
VersionName
The version of the artifact associated with the document. For example, 12.6. This value is unique across all versions of a document, and can't be changed.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidDocument
The specified SSM document doesn't exist.
InvalidDocumentVersion
The document version isn't valid or doesn't exist.
METHOD
POST
REQUEST URI
/
Initiates the process of retrieving an existing preview that shows the effects that running a specified Automation runbook would have on the targeted resources.
ExecutionPreviewId
The ID of the existing execution preview.
EndedAt
A UTC timestamp indicating when the execution preview operation ended.
ExecutionPreview
ExecutionPreviewId
The generated ID for the existing execution preview.
Status
The current status of the execution preview operation.
StatusMessage
Supplemental information about the current status of the execution preview.
ERRORS
InternalServerError
An error occurred on the server side.
ResourceNotFoundException
The specified parameter to be shared could not be found.
METHOD
POST
REQUEST URI
/
Query inventory information. This includes managed node status, such as
Stopped or Terminated.
Aggregators
Returns counts of inventory types based on one or more expressions. For
example, if you aggregate by using an expression that uses the
AWS:InstanceInformation.PlatformType type, you can see a count of
how many Windows and Linux managed nodes exist in your inventoried
fleet.
Filters
One or more filters. Use a filter to return a more specific list of results.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
The token for the next set of items to return. (You received this token from a previous call.)
ResultAttributes
The list of inventory item types to return.
Entities
Collection of inventory entities such as a collection of managed node inventory.
NextToken
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidFilter
The filter name isn't valid. Verify that you entered the correct name and try again.
InvalidInventoryGroupException
The specified inventory group isn't valid.
InvalidNextToken
The specified token isn't valid.
InvalidTypeNameException
The parameter type name isn't valid.
InvalidAggregatorException
The specified aggregator isn't valid for the group type. Verify that the aggregator you provided is supported.
InvalidResultAttributeException
The specified inventory item result attribute isn't valid.
METHOD
POST
REQUEST URI
/
Return a list of inventory type names for the account, or return a list of attribute names for a specific Inventory item type.
Aggregator
Returns inventory schemas that support aggregation. For example, this
call returns the AWS:InstanceInformation type, because it supports
aggregation based on the PlatformName, PlatformType, and
PlatformVersion attributes.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
The token for the next set of items to return. (You received this token from a previous call.)
SubType
Returns the sub-type schema for a specified inventory type.
TypeName
The type of inventory item to return.
NextToken
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
Schemas
Inventory schemas returned by the request.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidTypeNameException
The parameter type name isn't valid.
InvalidNextToken
The specified token isn't valid.
METHOD
POST
REQUEST URI
/
Retrieves a maintenance window.
WindowId
The ID of the maintenance window for which you want to retrieve information.
AllowUnassociatedTargets
Whether targets must be registered with the maintenance window before tasks can be defined for those targets.
CreatedDate
The date the maintenance window was created.
Cutoff
The number of hours before the end of the maintenance window that Amazon Web Services Systems Manager stops scheduling new tasks for execution.
Description
The description of the maintenance window.
Duration
The duration of the maintenance window in hours.
Enabled
Indicates whether the maintenance window is enabled.
EndDate
The date and time, in ISO-8601 Extended format, for when the maintenance window is scheduled to become inactive. The maintenance window won't run after this specified time.
ModifiedDate
The date the maintenance window was last modified.
Name
The name of the maintenance window.
NextExecutionTime
The next time the maintenance window will actually run, taking into account any specified times for the maintenance window to become active or inactive.
Schedule
The schedule of the maintenance window in the form of a cron or rate expression.
ScheduleOffset
The number of days to wait to run a maintenance window after the scheduled cron expression date and time.
ScheduleTimezone
The time zone that the scheduled maintenance window executions are based on, in Internet Assigned Numbers Authority (IANA) format. For example: "America/Los_Angeles", "UTC", or "Asia/Seoul". For more information, see the Time Zone Database (https://www.iana.org/time-zones) on the IANA website.
StartDate
The date and time, in ISO-8601 Extended format, for when the maintenance window is scheduled to become active. The maintenance window won't run before this specified time.
WindowId
The ID of the created maintenance window.
ERRORS
DoesNotExistException
Error returned when the ID specified for a resource, such as a maintenance window or patch baseline, doesn't exist.
For information about resource quotas in Amazon Web Services Systems Manager, see Systems Manager service quotas (https://docs.aws.amazon.com/general/latest/gr/ssm.html#limits_ssm) in the Amazon Web Services General Reference.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Retrieves details about a specific a maintenance window execution.
WindowExecutionId
The ID of the maintenance window execution that includes the task.
EndTime
The time the maintenance window finished running.
StartTime
The time the maintenance window started running.
Status
The status of the maintenance window execution.
StatusDetails
The details explaining the status. Not available for all status values.
TaskIds
The ID of the task executions from the maintenance window execution.
WindowExecutionId
The ID of the maintenance window execution.
ERRORS
DoesNotExistException
Error returned when the ID specified for a resource, such as a maintenance window or patch baseline, doesn't exist.
For information about resource quotas in Amazon Web Services Systems Manager, see Systems Manager service quotas (https://docs.aws.amazon.com/general/latest/gr/ssm.html#limits_ssm) in the Amazon Web Services General Reference.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Retrieves the details about a specific task run as part of a maintenance window execution.
TaskId
The ID of the specific task execution in the maintenance window task that should be retrieved.
WindowExecutionId
The ID of the maintenance window execution that includes the task.
AlarmConfiguration
The details for the CloudWatch alarm you applied to your maintenance window task.
EndTime
The time the task execution completed.
MaxConcurrency
The defined maximum number of task executions that could be run in parallel.
MaxErrors
The defined maximum number of task execution errors allowed before scheduling of the task execution would have been stopped.
Priority
The priority of the task.
ServiceRole
The role that was assumed when running the task.
StartTime
The time the task execution started.
Status
The status of the task.
StatusDetails
The details explaining the status. Not available for all status values.
TaskArn
The Amazon Resource Name (ARN) of the task that ran.
TaskExecutionId
The ID of the specific task execution in the maintenance window task that was retrieved.
TaskParameters
The parameters passed to the task when it was run.
TaskParameters has been deprecated. To specify parameters to pass to
a task when it runs, instead use the Parameters option in the
TaskInvocationParameters structure. For information about how
Systems Manager handles these options for the supported maintenance
window task types, see MaintenanceWindowTaskInvocationParameters.
The map has the following format:
Key: string, between 1 and 255 charactersValue: an array of strings, each between 1 and 255 charactersTriggeredAlarms
The CloudWatch alarms that were invoked by the maintenance window task.
Type
The type of task that was run.
WindowExecutionId
The ID of the maintenance window execution that includes the task.
ERRORS
DoesNotExistException
Error returned when the ID specified for a resource, such as a maintenance window or patch baseline, doesn't exist.
For information about resource quotas in Amazon Web Services Systems Manager, see Systems Manager service quotas (https://docs.aws.amazon.com/general/latest/gr/ssm.html#limits_ssm) in the Amazon Web Services General Reference.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Retrieves information about a specific task running on a specific target.
InvocationId
The invocation ID to retrieve.
TaskId
The ID of the specific task in the maintenance window task that should be retrieved.
WindowExecutionId
The ID of the maintenance window execution for which the task is a part.
EndTime
The time that the task finished running on the target.
ExecutionId
The execution ID.
InvocationId
The invocation ID.
OwnerInformation
User-provided value to be included in any Amazon CloudWatch Events or Amazon EventBridge events raised while running tasks for these targets in this maintenance window.
Parameters
The parameters used at the time that the task ran.
StartTime
The time that the task started running on the target.
Status
The task status for an invocation.
StatusDetails
The details explaining the status. Details are only available for certain status values.
TaskExecutionId
The task execution ID.
TaskType
Retrieves the task type for a maintenance window.
WindowExecutionId
The maintenance window execution ID.
WindowTargetId
The maintenance window target ID.
ERRORS
DoesNotExistException
Error returned when the ID specified for a resource, such as a maintenance window or patch baseline, doesn't exist.
For information about resource quotas in Amazon Web Services Systems Manager, see Systems Manager service quotas (https://docs.aws.amazon.com/general/latest/gr/ssm.html#limits_ssm) in the Amazon Web Services General Reference.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Retrieves the details of a maintenance window task.
For maintenance window tasks without a specified target, you can't
supply values for --max-errors and --max-concurrency. Instead,
the system inserts a placeholder value of 1, which may be reported
in the response to this command. These values don't affect the running
of your task and can be ignored.
To retrieve a list of tasks in a maintenance window, instead use the DescribeMaintenanceWindowTasks command.
WindowId
The maintenance window ID that includes the task to retrieve.
WindowTaskId
The maintenance window task ID to retrieve.
AlarmConfiguration
The details for the CloudWatch alarm you applied to your maintenance window task.
CutoffBehavior
The action to take on tasks when the maintenance window cutoff time is
reached. CONTINUE_TASK means that tasks continue to run. For
Automation, Lambda, Step Functions tasks, CANCEL_TASK means that
currently running task invocations continue, but no new task
invocations are started. For Run Command tasks, CANCEL_TASK means
the system attempts to stop the task by sending a CancelCommand
operation.
Description
The retrieved task description.
LoggingInfo
The location in Amazon Simple Storage Service (Amazon S3) where the task results are logged.
LoggingInfo has been deprecated. To specify an Amazon Simple Storage
Service (Amazon S3) bucket to contain logs, instead use the
OutputS3BucketName and OutputS3KeyPrefix options in the
TaskInvocationParameters structure. For information about how Amazon
Web Services Systems Manager handles these options for the supported
maintenance window task types, see
MaintenanceWindowTaskInvocationParameters.
MaxConcurrency
The maximum number of targets allowed to run this task in parallel.
For maintenance window tasks without a target specified, you can't
supply a value for this option. Instead, the system inserts a
placeholder value of 1, which may be reported in the response to
this command. This value doesn't affect the running of your task and
can be ignored.
MaxErrors
The maximum number of errors allowed before the task stops being scheduled.
For maintenance window tasks without a target specified, you can't
supply a value for this option. Instead, the system inserts a
placeholder value of 1, which may be reported in the response to
this command. This value doesn't affect the running of your task and
can be ignored.
Name
The retrieved task name.
Priority
The priority of the task when it runs. The lower the number, the higher the priority. Tasks that have the same priority are scheduled in parallel.
ServiceRoleArn
The Amazon Resource Name (ARN) of the IAM service role for Amazon Web
Services Systems Manager to assume when running a maintenance window
task. If you do not specify a service role ARN, Systems Manager uses a
service-linked role in your account. If no appropriate service-linked
role for Systems Manager exists in your account, it is created when you
run RegisterTaskWithMaintenanceWindow.
However, for an improved security posture, we strongly recommend creating a custom policy and custom service role for running your maintenance window tasks. The policy can be crafted to provide only the permissions needed for your particular maintenance window tasks. For more information, see Setting up Maintenance Windows (https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-maintenance-permissions.html) in the in the Amazon Web Services Systems Manager User Guide.
Targets
The targets where the task should run.
TaskArn
The resource that the task used during execution. For RUN_COMMAND
and AUTOMATION task types, the value of TaskArn is the SSM
document name/ARN. For LAMBDA tasks, the value is the function
name/ARN. For STEP_FUNCTIONS tasks, the value is the state machine
ARN.
TaskInvocationParameters
The parameters to pass to the task when it runs.
TaskParameters
The parameters to pass to the task when it runs.
TaskParameters has been deprecated. To specify parameters to pass to
a task when it runs, instead use the Parameters option in the
TaskInvocationParameters structure. For information about how
Systems Manager handles these options for the supported maintenance
window task types, see MaintenanceWindowTaskInvocationParameters.
TaskType
The type of task to run.
WindowId
The retrieved maintenance window ID.
WindowTaskId
The retrieved maintenance window task ID.
ERRORS
DoesNotExistException
Error returned when the ID specified for a resource, such as a maintenance window or patch baseline, doesn't exist.
For information about resource quotas in Amazon Web Services Systems Manager, see Systems Manager service quotas (https://docs.aws.amazon.com/general/latest/gr/ssm.html#limits_ssm) in the Amazon Web Services General Reference.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Get information about an OpsItem by using the ID. You must have permission in Identity and Access Management (IAM) to view information about an OpsItem. For more information, see Set up OpsCenter (https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter-setup.html) in the Amazon Web Services Systems Manager User Guide.
Operations engineers and IT professionals use Amazon Web Services Systems Manager OpsCenter to view, investigate, and remediate operational issues impacting the performance and health of their Amazon Web Services resources. For more information, see Amazon Web Services Systems Manager OpsCenter (https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter.html) in the Amazon Web Services Systems Manager User Guide.
OpsItemArn
The OpsItem Amazon Resource Name (ARN).
OpsItemId
The ID of the OpsItem that you want to get.
OpsItem
The OpsItem.
ERRORS
InternalServerError
An error occurred on the server side.
OpsItemNotFoundException
The specified OpsItem ID doesn't exist. Verify the ID and try again.
OpsItemAccessDeniedException
You don't have permission to view OpsItems in the specified account. Verify that your account is configured either as a Systems Manager delegated administrator or that you are logged into the Organizations management account.
METHOD
POST
REQUEST URI
/
View operational metadata related to an application in Application Manager.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
A token to start the list. Use this token to get the next set of results.
OpsMetadataArn
The Amazon Resource Name (ARN) of an OpsMetadata Object to view.
Metadata
OpsMetadata for an Application Manager application.
NextToken
The token for the next set of items to return. Use this token to get the next set of results.
ResourceId
The resource ID of the Application Manager application.
ERRORS
OpsMetadataNotFoundException
The OpsMetadata object doesn't exist.
OpsMetadataInvalidArgumentException
One of the arguments passed is invalid.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
View a summary of operations metadata (OpsData) based on specified filters and aggregators. OpsData can include information about Amazon Web Services Systems Manager OpsCenter operational workitems (OpsItems) as well as information about any Amazon Web Services resource or service configured to report OpsData to Amazon Web Services Systems Manager Explorer.
Aggregators
Optional aggregators that return counts of OpsData based on one or more expressions.
Filters
Optional filters used to scope down the returned OpsData.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
A token to start the list. Use this token to get the next set of results.
ResultAttributes
The OpsData data type to return.
SyncName
Specify the name of a resource data sync to get.
Entities
The list of aggregated details and filtered OpsData.
NextToken
The token for the next set of items to return. Use this token to get the next set of results.
ERRORS
InternalServerError
An error occurred on the server side.
ResourceDataSyncNotFoundException
The specified sync name wasn't found.
InvalidFilter
The filter name isn't valid. Verify that you entered the correct name and try again.
InvalidNextToken
The specified token isn't valid.
InvalidTypeNameException
The parameter type name isn't valid.
InvalidAggregatorException
The specified aggregator isn't valid for the group type. Verify that the aggregator you provided is supported.
METHOD
POST
REQUEST URI
/
Get information about a single parameter by specifying the parameter name.
To get information about more than one parameter at a time, use the GetParameters operation.
Name
The name or Amazon Resource Name (ARN) of the parameter that you want to query. For parameters shared with you from another account, you must use the full ARN.
To query by parameter label, use "Name": "name:label". To query by
parameter version, use "Name": "name:version".
For more information about shared parameters, see Working with shared parameters (https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-shared-parameters.html) in the Amazon Web Services Systems Manager User Guide.
WithDecryption
Return decrypted values for secure string parameters. This flag is
ignored for String and StringList parameter types.
Parameter
Information about a parameter.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidKeyId
The query key ID isn't valid.
ParameterNotFound
The parameter couldn't be found. Verify the name and try again.
For the DeleteParameter and GetParameter actions, if the
specified parameter doesn't exist, the ParameterNotFound exception
is not recorded in CloudTrail event logs.
ParameterVersionNotFound
The specified parameter version wasn't found. Verify the parameter name and version, and try again.
METHOD
POST
REQUEST URI
/
Retrieves the history of all changes to a parameter.
If you change the KMS key alias for the KMS key used to encrypt a
parameter, then you must also update the key alias the parameter uses
to reference KMS. Otherwise, GetParameterHistory retrieves whatever
the original key alias was referencing.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
Name
The name or Amazon Resource Name (ARN) of the parameter for which you want to review history. For parameters shared with you from another account, you must use the full ARN.
NextToken
The token for the next set of items to return. (You received this token from a previous call.)
WithDecryption
Return decrypted values for secure string parameters. This flag is
ignored for String and StringList parameter types.
NextToken
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
Parameters
A list of parameters returned by the request.
ERRORS
InternalServerError
An error occurred on the server side.
ParameterNotFound
The parameter couldn't be found. Verify the name and try again.
For the DeleteParameter and GetParameter actions, if the
specified parameter doesn't exist, the ParameterNotFound exception
is not recorded in CloudTrail event logs.
InvalidNextToken
The specified token isn't valid.
InvalidKeyId
The query key ID isn't valid.
METHOD
POST
REQUEST URI
/
Get information about one or more parameters by specifying multiple parameter names.
To get information about a single parameter, you can use the GetParameter operation instead.
Names
The names or Amazon Resource Names (ARNs) of the parameters that you want to query. For parameters shared with you from another account, you must use the full ARNs.
To query by parameter label, use "Name": "name:label". To query by
parameter version, use "Name": "name:version".
The results for GetParameters requests are listed in alphabetical
order in query responses.
For information about shared parameters, see Working with shared parameters (https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-shared-parameters.html) in the Amazon Web Services Systems Manager User Guide.
WithDecryption
Return decrypted secure string value. Return decrypted values for
secure string parameters. This flag is ignored for String and
StringList parameter types.
InvalidParameters
A list of parameters that aren't formatted correctly or don't run during an execution.
Parameters
A list of details for a parameter.
ERRORS
InvalidKeyId
The query key ID isn't valid.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Retrieve information about one or more parameters under a specified level in a hierarchy.
Request results are returned on a best-effort basis. If you specify
MaxResults in the request, the response includes information up to
the limit specified. The number of items returned, however, can be
between zero and the value of MaxResults. If the service reaches an
internal limit while processing the results, it stops the operation and
returns the matching values up to that point and a NextToken. You
can specify the NextToken in a subsequent call to get the next set
of results.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
A token to start the list. Use this token to get the next set of results.
ParameterFilters
Filters to limit the request results.
The following Key values are supported for GetParametersByPath:
Type, KeyId, and Label.
The following Key values aren't supported for
GetParametersByPath: tag, DataType, Name, Path, and
Tier.
Path
The hierarchy for the parameter. Hierarchies start with a forward slash
(/). The hierarchy is the parameter name except the last part of the
parameter. For the API call to succeed, the last part of the parameter
name can't be in the path. A parameter name hierarchy can have a
maximum of 15 levels. Here is an example of a hierarchy:
/Finance/Prod/IAD/WinServ2016/license33
Recursive
Retrieve all parameters within a hierarchy.
If a user has access to a path, then the user can access all levels of
that path. For example, if a user has permission to access path /a,
then the user can also access /a/b. Even if a user has explicitly
been denied access in IAM for parameter /a/b, they can still call
the GetParametersByPath API operation recursively for /a and view
/a/b.
WithDecryption
Retrieve all parameters in a hierarchy with their value decrypted.
NextToken
The token for the next set of items to return. Use this token to get the next set of results.
Parameters
A list of parameters found in the specified hierarchy.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidFilterKey
The specified key isn't valid.
InvalidFilterOption
The specified filter option isn't valid. Valid options are Equals and BeginsWith. For Path filter, valid options are Recursive and OneLevel.
InvalidFilterValue
The filter value isn't valid. Verify the value and try again.
InvalidKeyId
The query key ID isn't valid.
InvalidNextToken
The specified token isn't valid.
METHOD
POST
REQUEST URI
/
Retrieves information about a patch baseline.
BaselineId
The ID of the patch baseline to retrieve.
To retrieve information about an Amazon Web Services managed patch
baseline, specify the full Amazon Resource Name (ARN) of the baseline.
For example, for the baseline AWS-AmazonLinuxDefaultPatchBaseline,
specify
arn:aws:ssm:us-east-2:733109147000:patchbaseline/pb-0e392de35e7c563b7
instead of pb-0e392de35e7c563b7.
ApprovalRules
A set of rules used to include patches in the baseline.
ApprovedPatches
A list of explicitly approved patches for the baseline.
ApprovedPatchesComplianceLevel
Returns the specified compliance severity level for approved patches in the patch baseline.
ApprovedPatchesEnableNonSecurity
Indicates whether the list of approved patches includes non-security
updates that should be applied to the managed nodes. The default value
is false. Applies to Linux managed nodes only.
AvailableSecurityUpdatesComplianceStatus
Indicates the compliance status of managed nodes for which
security-related patches are available but were not approved. This
preference is specified when the CreatePatchBaseline or
UpdatePatchBaseline commands are run.
Applies to Windows Server managed nodes only.
BaselineId
The ID of the retrieved patch baseline.
CreatedDate
The date the patch baseline was created.
Description
A description of the patch baseline.
GlobalFilters
A set of global filters used to exclude patches from the baseline.
ModifiedDate
The date the patch baseline was last modified.
Name
The name of the patch baseline.
OperatingSystem
Returns the operating system specified for the patch baseline.
PatchGroups
Patch groups included in the patch baseline.
RejectedPatches
A list of explicitly rejected patches for the baseline.
RejectedPatchesAction
The action specified to take on patches included in the
RejectedPatches list. A patch can be allowed only if it is a
dependency of another package, or blocked entirely along with packages
that include it as a dependency.
Sources
Information about the patches to use to update the managed nodes, including target operating systems and source repositories. Applies to Linux managed nodes only.
ERRORS
DoesNotExistException
Error returned when the ID specified for a resource, such as a maintenance window or patch baseline, doesn't exist.
For information about resource quotas in Amazon Web Services Systems Manager, see Systems Manager service quotas (https://docs.aws.amazon.com/general/latest/gr/ssm.html#limits_ssm) in the Amazon Web Services General Reference.
InvalidResourceId
The resource ID isn't valid. Verify that you entered the correct ID and try again.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Retrieves the patch baseline that should be used for the specified patch group.
OperatingSystem
Returns the operating system rule specified for patch groups using the patch baseline.
PatchGroup
The name of the patch group whose patch baseline should be retrieved.
BaselineId
The ID of the patch baseline that should be used for the patch group.
OperatingSystem
The operating system rule specified for patch groups using the patch baseline.
PatchGroup
The name of the patch group.
ERRORS
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Returns an array of the Policy object.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
A token to start the list. Use this token to get the next set of results.
ResourceArn
Amazon Resource Name (ARN) of the resource to which the policies are attached.
NextToken
The token for the next set of items to return. Use this token to get the next set of results.
Policies
An array of the Policy object.
ERRORS
InternalServerError
An error occurred on the server side.
ResourcePolicyInvalidParameterException
One or more parameters specified for the call aren't valid. Verify the parameters and their values and try again.
ResourceNotFoundException
The specified parameter to be shared could not be found.
METHOD
POST
REQUEST URI
/
ServiceSetting is an account-level setting for an Amazon Web
Services service. This setting defines how a user interacts with or
uses a service or a feature of a service. For example, if an Amazon Web
Services service charges money to the account based on feature or
service usage, then the Amazon Web Services service team might create a
default setting of false. This means the user can't use this feature
unless they change the setting to true and intentionally opt in for
a paid feature.
Services map a SettingId object to a setting value. Amazon Web
Services services teams define the default value for a SettingId.
You can't create a new SettingId, but you can overwrite the default
value if you have the ssm:UpdateServiceSetting permission for the
setting. Use the UpdateServiceSetting API operation to change the
default setting. Or use the ResetServiceSetting to change the value
back to the original value defined by the Amazon Web Services service
team.
Query the current service setting for the Amazon Web Services account.
SettingId
The ID of the service setting to get. The setting ID can be one of the following.
/ssm/appmanager/appmanager-enabled/ssm/automation/customer-script-log-destination/ssm/automation/customer-script-log-group-name/ssm/documents/console/public-sharing-permission/ssm/managed-instance/activation-tier/ssm/managed-instance/default-ec2-instance-management-role/ssm/opsinsights/opscenter/ssm/parameter-store/default-parameter-tier/ssm/parameter-store/high-throughput-enabledServiceSetting
The query result of the current service setting.
ERRORS
InternalServerError
An error occurred on the server side.
ServiceSettingNotFound
The specified service setting wasn't found. Either the service name or the setting hasn't been provisioned by the Amazon Web Services service team.
METHOD
POST
REQUEST URI
/
A parameter label is a user-defined alias to help you manage different versions of a parameter. When you modify a parameter, Amazon Web Services Systems Manager automatically saves a new version and increments the version number by one. A label can help you remember the purpose of a parameter when there are multiple versions.
Parameter labels have the following requirements and restrictions.
Labels can't begin with a number, "aws" or "ssm" (not case
sensitive). If a label fails to meet these requirements, then the label
isn't associated with a parameter and the system displays it in the
list of InvalidLabels.
INPUT
Labels
One or more labels to attach to the specified parameter version.
Name
The parameter name on which you want to attach one or more labels.
You can't enter the Amazon Resource Name (ARN) for a parameter, only the parameter name itself.
ParameterVersion
The specific version of the parameter on which you want to attach one or more labels. If no version is specified, the system attaches the label to the latest version.
InvalidLabels
The label doesn't meet the requirements. For information about parameter label requirements, see Working with parameter labels (https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-labels.html) in the Amazon Web Services Systems Manager User Guide.
ParameterVersion
The version of the parameter that has been labeled.
ERRORS
InternalServerError
An error occurred on the server side.
TooManyUpdates
There are concurrent updates for a resource that supports one update at a time.
ParameterNotFound
The parameter couldn't be found. Verify the name and try again.
For the DeleteParameter and GetParameter actions, if the
specified parameter doesn't exist, the ParameterNotFound exception
is not recorded in CloudTrail event logs.
ParameterVersionNotFound
The specified parameter version wasn't found. Verify the parameter name and version, and try again.
ParameterVersionLabelLimitExceeded
A parameter version can have a maximum of ten labels.
METHOD
POST
REQUEST URI
/
Retrieves all versions of an association for a specific association ID.
AssociationId
The association ID for which you want to view all versions.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
A token to start the list. Use this token to get the next set of results.
AssociationVersions
Information about all versions of the association for the specified association ID.
NextToken
The token for the next set of items to return. Use this token to get the next set of results.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidNextToken
The specified token isn't valid.
AssociationDoesNotExist
The specified association doesn't exist.
METHOD
POST
REQUEST URI
/
Returns all State Manager associations in the current Amazon Web Services account and Amazon Web Services Region. You can limit the results to a specific State Manager association document or managed node by specifying a filter. State Manager is a tool in Amazon Web Services Systems Manager.
AssociationFilterList
One or more filters. Use a filter to return a more specific list of results.
Filtering associations using the InstanceID attribute only returns
legacy associations created using the InstanceID attribute.
Associations targeting the managed node that are part of the Target
Attributes ResourceGroup or Tags aren't returned.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
The token for the next set of items to return. (You received this token from a previous call.)
Associations
The associations.
NextToken
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidNextToken
The specified token isn't valid.
METHOD
POST
REQUEST URI
/
An invocation is copy of a command sent to a specific managed node. A
command can apply to one or more managed nodes. A command invocation
applies to one managed node. For example, if a user runs SendCommand
against three managed nodes, then a command invocation is created for
each requested managed node ID. ListCommandInvocations provide
status about command execution.
CommandId
(Optional) The invocations for a specific command ID.
Details
(Optional) If set this returns the response of the command executions
and any command output. The default value is false.
Filters
(Optional) One or more filters. Use a filter to return a more specific list of results.
InstanceId
(Optional) The command execution details for a specific managed node ID.
MaxResults
(Optional) The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
(Optional) The token for the next set of items to return. (You received this token from a previous call.)
CommandInvocations
(Optional) A list of all invocations.
NextToken
(Optional) The token for the next set of items to return. (You received this token from a previous call.)
ERRORS
InternalServerError
An error occurred on the server side.
InvalidCommandId
The specified command ID isn't valid. Verify the ID and try again.
InvalidInstanceId
The following problems can cause this exception:
Running,
Pending, Stopped, and Stopping. Invalid states are:
Shutting-down and Terminated.InvalidFilterKey
The specified key isn't valid.
InvalidNextToken
The specified token isn't valid.
METHOD
POST
REQUEST URI
/
Lists the commands requested by users of the Amazon Web Services account.
CommandId
(Optional) If provided, lists only the specified command.
Filters
(Optional) One or more filters. Use a filter to return a more specific list of results.
InstanceId
(Optional) Lists commands issued against this managed node ID.
You can't specify a managed node ID in the same command that you
specify Status = Pending. This is because the command hasn't
reached the managed node yet.
MaxResults
(Optional) The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
(Optional) The token for the next set of items to return. (You received this token from a previous call.)
Commands
(Optional) The list of commands requested by the user.
NextToken
(Optional) The token for the next set of items to return. (You received this token from a previous call.)
ERRORS
InternalServerError
An error occurred on the server side.
InvalidCommandId
The specified command ID isn't valid. Verify the ID and try again.
InvalidInstanceId
The following problems can cause this exception:
Running,
Pending, Stopped, and Stopping. Invalid states are:
Shutting-down and Terminated.InvalidFilterKey
The specified key isn't valid.
InvalidNextToken
The specified token isn't valid.
METHOD
POST
REQUEST URI
/
For a specified resource ID, this API operation returns a list of compliance statuses for different resource types. Currently, you can only specify one resource ID per call. List results depend on the criteria specified in the filter.
Filters
One or more compliance filters. Use a filter to return a more specific list of results.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
A token to start the list. Use this token to get the next set of results.
ResourceIds
The ID for the resources from which to get compliance information. Currently, you can only specify one resource ID.
ResourceTypes
The type of resource from which to get compliance information.
Currently, the only supported resource type is ManagedInstance.
ComplianceItems
A list of compliance information for the specified resource ID.
NextToken
The token for the next set of items to return. Use this token to get the next set of results.
ERRORS
InvalidResourceType
The resource type isn't valid. For example, if you are attempting to tag an EC2 instance, the instance must be a registered managed node.
InvalidResourceId
The resource ID isn't valid. Verify that you entered the correct ID and try again.
InternalServerError
An error occurred on the server side.
InvalidFilter
The filter name isn't valid. Verify that you entered the correct name and try again.
InvalidNextToken
The specified token isn't valid.
METHOD
POST
REQUEST URI
/
Returns a summary count of compliant and non-compliant resources for a compliance type. For example, this call can return State Manager associations, patches, or custom compliance types according to the filter criteria that you specify.
Filters
One or more compliance or inventory filters. Use a filter to return a more specific list of results.
MaxResults
The maximum number of items to return for this call. Currently, you can specify null or 50. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
A token to start the list. Use this token to get the next set of results.
ComplianceSummaryItems
A list of compliant and non-compliant summary counts based on compliance types. For example, this call returns State Manager associations, patches, or custom compliance types according to the filter criteria that you specified.
NextToken
The token for the next set of items to return. Use this token to get the next set of results.
ERRORS
InvalidFilter
The filter name isn't valid. Verify that you entered the correct name and try again.
InvalidNextToken
The specified token isn't valid.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Information about approval reviews for a version of a change template in Change Manager.
DocumentVersion
The version of the change template.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
Metadata
The type of data for which details are being requested. Currently, the
only supported value is DocumentReviews.
Name
The name of the change template.
NextToken
The token for the next set of items to return. (You received this token from a previous call.)
Author
The user ID of the person in the organization who requested the review of the change template.
DocumentVersion
The version of the change template.
Metadata
Information about the response to the change template approval request.
Name
The name of the change template.
NextToken
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidDocument
The specified SSM document doesn't exist.
InvalidDocumentVersion
The document version isn't valid or doesn't exist.
InvalidNextToken
The specified token isn't valid.
METHOD
POST
REQUEST URI
/
List all versions for a document.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
Name
The name of the document. You can specify an Amazon Resource Name (ARN).
NextToken
The token for the next set of items to return. (You received this token from a previous call.)
DocumentVersions
The document versions.
NextToken
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidNextToken
The specified token isn't valid.
InvalidDocument
The specified SSM document doesn't exist.
METHOD
POST
REQUEST URI
/
Returns all Systems Manager (SSM) documents in the current Amazon Web Services account and Amazon Web Services Region. You can limit the results of this request by using a filter.
DocumentFilterList
This data type is deprecated. Instead, use Filters.
Filters
One or more DocumentKeyValuesFilter objects. Use a filter to return
a more specific list of results. For keys, you can specify one or more
key-value pair tags that have been applied to a document. Other valid
keys include Owner, Name, PlatformTypes, DocumentType, and
TargetType. For example, to return documents you own use
Key=Owner,Values=Self. To specify a custom key-value pair, use the
format Key=tag:tagName,Values=valueName.
This API operation only supports filtering documents by using a single
tag key and one or more tag values. For example:
Key=tag:tagName,Values=valueName1,valueName2
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
The token for the next set of items to return. (You received this token from a previous call.)
DocumentIdentifiers
The names of the SSM documents.
NextToken
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidNextToken
The specified token isn't valid.
InvalidFilterKey
The specified key isn't valid.
METHOD
POST
REQUEST URI
/
A list of inventory items returned by the request.
Filters
One or more filters. Use a filter to return a more specific list of results.
InstanceId
The managed node ID for which you want inventory information.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
The token for the next set of items to return. (You received this token from a previous call.)
TypeName
The type of inventory item for which you want information.
CaptureTime
The time that inventory information was collected for the managed nodes.
Entries
A list of inventory items on the managed nodes.
InstanceId
The managed node ID targeted by the request to query inventory information.
NextToken
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
SchemaVersion
The inventory schema version used by the managed nodes.
TypeName
The type of inventory item returned by the request.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidInstanceId
The following problems can cause this exception:
Running,
Pending, Stopped, and Stopping. Invalid states are:
Shutting-down and Terminated.InvalidTypeNameException
The parameter type name isn't valid.
InvalidFilter
The filter name isn't valid. Verify that you entered the correct name and try again.
InvalidNextToken
The specified token isn't valid.
METHOD
POST
REQUEST URI
/
Takes in filters and returns a list of managed nodes matching the filter criteria.
Filters
One or more filters. Use a filter to return a more specific list of managed nodes.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
The token for the next set of items to return. (You received this token from a previous call.)
SyncName
The name of the Amazon Web Services managed resource data sync to retrieve information about.
For cross-account/cross-Region configurations, this parameter is
required, and the name of the supported resource data sync is
AWS-QuickSetup-ManagedNode.
For single account/single-Region configurations, the parameter is not required.
NextToken
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
Nodes
A list of managed nodes that match the specified filter criteria.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidFilter
The filter name isn't valid. Verify that you entered the correct name and try again.
InvalidNextToken
The specified token isn't valid.
ResourceDataSyncNotFoundException
The specified sync name wasn't found.
UnsupportedOperationException
This operation is not supported for the current account. You must first enable the Systems Manager integrated experience in your account.
METHOD
POST
REQUEST URI
/
Generates a summary of managed instance/node metadata based on the filters and aggregators you specify. Results are grouped by the input aggregator you specify.
Aggregators
Specify one or more aggregators to return a count of managed nodes that match that expression. For example, a count of managed nodes by operating system.
Filters
One or more filters. Use a filter to generate a summary that matches your specified filter criteria.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
The token for the next set of items to return. (You received this token from a previous call.) The call also returns a token that you can specify in a subsequent call to get the next set of results.
SyncName
The name of the Amazon Web Services managed resource data sync to retrieve information about.
For cross-account/cross-Region configurations, this parameter is
required, and the name of the supported resource data sync is
AWS-QuickSetup-ManagedNode.
For single account/single-Region configurations, the parameter is not required.
NextToken
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
Summary
A collection of objects reporting information about your managed nodes, such as the count of nodes by operating system.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidAggregatorException
The specified aggregator isn't valid for the group type. Verify that the aggregator you provided is supported.
InvalidFilter
The filter name isn't valid. Verify that you entered the correct name and try again.
InvalidNextToken
The specified token isn't valid.
ResourceDataSyncNotFoundException
The specified sync name wasn't found.
UnsupportedOperationException
This operation is not supported for the current account. You must first enable the Systems Manager integrated experience in your account.
METHOD
POST
REQUEST URI
/
Returns a list of all OpsItem events in the current Amazon Web Services Region and Amazon Web Services account. You can limit the results to events associated with specific OpsItems by specifying a filter.
Filters
One or more OpsItem filters. Use a filter to return a more specific list of results.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
A token to start the list. Use this token to get the next set of results.
NextToken
The token for the next set of items to return. Use this token to get the next set of results.
Summaries
A list of event information for the specified OpsItems.
ERRORS
InternalServerError
An error occurred on the server side.
OpsItemNotFoundException
The specified OpsItem ID doesn't exist. Verify the ID and try again.
OpsItemLimitExceededException
The request caused OpsItems to exceed one or more quotas.
OpsItemInvalidParameterException
A specified parameter argument isn't valid. Verify the available arguments and try again.
METHOD
POST
REQUEST URI
/
Lists all related-item resources associated with a Systems Manager OpsCenter OpsItem. OpsCenter is a tool in Amazon Web Services Systems Manager.
Filters
One or more OpsItem filters. Use a filter to return a more specific list of results.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
The token for the next set of items to return. (You received this token from a previous call.)
OpsItemId
The ID of the OpsItem for which you want to list all related-item resources.
NextToken
The token for the next set of items to return. Use this token to get the next set of results.
Summaries
A list of related-item resources for the specified OpsItem.
ERRORS
InternalServerError
An error occurred on the server side.
OpsItemInvalidParameterException
A specified parameter argument isn't valid. Verify the available arguments and try again.
METHOD
POST
REQUEST URI
/
Amazon Web Services Systems Manager calls this API operation when displaying all Application Manager OpsMetadata objects or blobs.
Filters
One or more filters to limit the number of OpsMetadata objects returned by the call.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
A token to start the list. Use this token to get the next set of results.
NextToken
The token for the next set of items to return. Use this token to get the next set of results.
OpsMetadataList
Returns a list of OpsMetadata objects.
ERRORS
OpsMetadataInvalidArgumentException
One of the arguments passed is invalid.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Returns a resource-level summary count. The summary includes information about compliant and non-compliant statuses and detailed compliance-item severity counts, according to the filter criteria you specify.
Filters
One or more filters. Use a filter to return a more specific list of results.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
A token to start the list. Use this token to get the next set of results.
NextToken
The token for the next set of items to return. Use this token to get the next set of results.
ResourceComplianceSummaryItems
A summary count for specified or targeted managed nodes. Summary count includes information about compliant and non-compliant State Manager associations, patch status, or custom items according to the filter criteria that you specify.
ERRORS
InvalidFilter
The filter name isn't valid. Verify that you entered the correct name and try again.
InvalidNextToken
The specified token isn't valid.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Lists your resource data sync configurations. Includes information about the last time a sync attempted to start, the last sync status, and the last time a sync successfully completed.
The number of sync configurations might be too large to return using a
single call to ListResourceDataSync. You can limit the number of
sync configurations returned by using the MaxResults parameter. To
determine whether there are more sync configurations to list, check the
value of NextToken in the output. If there are more sync
configurations to list, you can request them by specifying the
NextToken returned in the call to the parameter of a subsequent
call.
MaxResults
The maximum number of items to return for this call. The call also returns a token that you can specify in a subsequent call to get the next set of results.
NextToken
A token to start the list. Use this token to get the next set of results.
SyncType
View a list of resource data syncs according to the sync type. Specify
SyncToDestination to view resource data syncs that synchronize data
to an Amazon S3 bucket. Specify SyncFromSource to view resource data
syncs from Organizations or from multiple Amazon Web Services Regions.
NextToken
The token for the next set of items to return. Use this token to get the next set of results.
ResourceDataSyncItems
A list of your current resource data sync configurations and their statuses.
ERRORS
ResourceDataSyncInvalidConfigurationException
The specified sync configuration is invalid.
InternalServerError
An error occurred on the server side.
InvalidNextToken
The specified token isn't valid.
METHOD
POST
REQUEST URI
/
Returns a list of the tags assigned to the specified resource.
For information about the ID format for each supported resource type, see AddTagsToResource.
ResourceId
The resource ID for which you want to see a list of tags.
ResourceType
Returns a list of tags for a specific resource type.
TagList
A list of tags.
ERRORS
InvalidResourceType
The resource type isn't valid. For example, if you are attempting to tag an EC2 instance, the instance must be a registered managed node.
InvalidResourceId
The resource ID isn't valid. Verify that you entered the correct ID and try again.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Shares a Amazon Web Services Systems Manager document (SSM document)publicly or privately. If you share a document privately, you must specify the Amazon Web Services user IDs for those people who can use the document. If you share a document publicly, you must specify All as the account ID.
AccountIdsToAdd
The Amazon Web Services users that should have access to the document.
The account IDs can either be a group of account IDs or All. You
must specify a value for this parameter or the AccountIdsToRemove
parameter.
AccountIdsToRemove
The Amazon Web Services users that should no longer have access to the
document. The Amazon Web Services user can either be a group of account
IDs or All. This action has a higher priority than
AccountIdsToAdd. If you specify an ID to add and the same ID to
remove, the system removes access to the document. You must specify a
value for this parameter or the AccountIdsToAdd parameter.
Name
The name of the document that you want to share.
PermissionType
The permission type for the document. The permission type can be Share.
SharedDocumentVersion
(Optional) The version of the document to share. If it isn't specified,
the system choose the Default version to share.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidDocument
The specified SSM document doesn't exist.
InvalidPermissionType
The permission type isn't supported. Share is the only supported permission type.
DocumentPermissionLimit
The document can't be shared with more Amazon Web Services accounts. You can specify a maximum of 20 accounts per API operation to share a private document.
By default, you can share a private document with a maximum of 1,000 accounts and publicly share up to five documents.
If you need to increase the quota for privately or publicly shared Systems Manager documents, contact Amazon Web Services Support.
DocumentLimitExceeded
You can have at most 500 active SSM documents.
METHOD
POST
REQUEST URI
/
Registers a compliance type and other compliance details on a designated resource. This operation lets you register custom compliance details with a resource. This call overwrites existing compliance information on the resource, so you must provide a full list of compliance items each time that you send the request.
ComplianceType can be one of the following:
string.approved for
patches, or Failed for associations.Critical.AWS-RunPatchBaseline.security
updates.Critical.InstancesWithFailedPatches.InstalledTime: The time the association, patch, or custom compliance
item was applied to the resource. Specify the time by using the
following format: yyyy-MM-dd'T'HH:mm:ss'Z'
INPUT
ComplianceType
Specify the compliance type. For example, specify Association (for a
State Manager association), Patch, or Custom:string.
ExecutionSummary
A summary of the call execution that includes an execution ID, the type
of execution (for example, Command), and the date/time of the
execution using a datetime object that is saved in the following
format: yyyy-MM-dd'T'HH:mm:ss'Z'
ItemContentHash
MD5 or SHA-256 content hash. The content hash is used to determine if existing information should be overwritten or ignored. If the content hashes match, the request to put compliance information is ignored.
Items
Information about the compliance as defined by the resource type. For
example, for a patch compliance type, Items includes information
about the PatchSeverity, Classification, and so on.
ResourceId
Specify an ID for this resource. For a managed node, this is the node ID.
ResourceType
Specify the type of resource. ManagedInstance is currently the only
supported resource type.
UploadType
The mode for uploading compliance items. You can specify COMPLETE or
PARTIAL. In COMPLETE mode, the system overwrites all existing
compliance information for the resource. You must provide a full list
of compliance items each time you send the request.
In PARTIAL mode, the system overwrites compliance information for a
specific association. The association must be configured with
SyncCompliance set to MANUAL. By default, all requests use
COMPLETE mode.
This attribute is only valid for association compliance.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidItemContentException
One or more content items isn't valid.
TotalSizeLimitExceededException
The size of inventory data has exceeded the total size limit for the resource.
ItemSizeLimitExceededException
The inventory item size has exceeded the size limit.
ComplianceTypeCountLimitExceededException
You specified too many custom compliance types. You can specify a maximum of 10 different types.
InvalidResourceType
The resource type isn't valid. For example, if you are attempting to tag an EC2 instance, the instance must be a registered managed node.
InvalidResourceId
The resource ID isn't valid. Verify that you entered the correct ID and try again.
METHOD
POST
REQUEST URI
/
Bulk update custom inventory items on one or more managed nodes. The request adds an inventory item, if it doesn't already exist, or updates an inventory item, if it does exist.
InstanceId
An managed node ID where you want to add or update inventory items.
Items
The inventory items that you want to add or update on managed nodes.
Message
Information about the request.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidInstanceId
The following problems can cause this exception:
Running,
Pending, Stopped, and Stopping. Invalid states are:
Shutting-down and Terminated.InvalidTypeNameException
The parameter type name isn't valid.
InvalidItemContentException
One or more content items isn't valid.
TotalSizeLimitExceededException
The size of inventory data has exceeded the total size limit for the resource.
ItemSizeLimitExceededException
The inventory item size has exceeded the size limit.
ItemContentMismatchException
The inventory item has invalid content.
CustomSchemaCountLimitExceededException
You have exceeded the limit for custom schemas. Delete one or more custom schemas and try again.
UnsupportedInventorySchemaVersionException
Inventory item type schema version has to match supported versions in the service. Check output of GetInventorySchema to see the available schema version for each type.
UnsupportedInventoryItemContextException
The Context attribute that you specified for the InventoryItem
isn't allowed for this inventory type. You can only use the Context
attribute with inventory types like AWS:ComplianceItem.
InvalidInventoryItemContextException
You specified invalid keys or values in the Context attribute for
InventoryItem. Verify the keys and values, and try again.
SubTypeCountLimitExceededException
The sub-type count exceeded the limit for the inventory type.
METHOD
POST
REQUEST URI
/
Create or update a parameter in Parameter Store.
AllowedPattern
A regular expression used to validate the parameter value. For example, for String types with values restricted to numbers, you can specify the following: AllowedPattern=^\d+$
DataType
The data type for a String parameter. Supported data types include
plain text and Amazon Machine Image (AMI) IDs.
The following data type values are supported.
textaws:ec2:imageaws:ssm:integration When you create a String parameter and specify aws:ec2:image,
Amazon Web Services Systems Manager validates the parameter value is in
the required format, such as ami-12345abcdeEXAMPLE, and that the
specified AMI is available in your Amazon Web Services account.
If the action is successful, the service sends back an HTTP 200
response which indicates a successful PutParameter call for all
cases except for data type aws:ec2:image. If you call
PutParameter with aws:ec2:image data type, a successful HTTP 200
response does not guarantee that your parameter was successfully
created or updated. The aws:ec2:image value is validated
asynchronously, and the PutParameter call returns before the
validation is complete. If you submit an invalid AMI value, the
PutParameter operation will return success, but the asynchronous
validation will fail and the parameter will not be created or updated.
To monitor whether your aws:ec2:image parameters are created
successfully, see Setting up notifications or trigger actions based on
Parameter Store events
(https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-cwe.html).
For more information about AMI format validation , see Native parameter
support for Amazon Machine Image IDs
(https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-ec2-aliases.html).
Description
Information about the parameter that you want to add to the system. Optional but recommended.
Don't enter personally identifiable information in this field.
KeyId
The Key Management Service (KMS) ID that you want to use to encrypt a
parameter. Use a custom key for better security. Required for
parameters that use the SecureString data type.
If you don't specify a key ID, the system uses the default key associated with your Amazon Web Services account, which is not as secure as using a custom key.
SecureString data type with the
Key ID parameter.Name
The fully qualified name of the parameter that you want to create or update.
You can't enter the Amazon Resource Name (ARN) for a parameter, only the parameter name itself.
The fully qualified name includes the complete hierarchy of the
parameter path and name. For parameters in a hierarchy, you must
include a leading forward slash character (/) when you create or
reference a parameter. For example: /Dev/DBServer/MySQL/db-string13
Naming Constraints:
aws" or "ssm"
(case-insensitive).Parameter names can include only the following symbols and letters:
a-zA-Z0-9_.-
In addition, the slash character ( / ) is used to delineate hierarchies
in parameter names. For example:
`/Dev/Production/East/Project-ABC/MyParameter`
For additional information about valid values for parameter names, see Creating Systems Manager parameters (https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-su-create.html) in the Amazon Web Services Systems Manager User Guide.
The reported maximum length of 2048 characters for a parameter name includes 1037 characters that are reserved for internal use by Systems Manager. The maximum length for a parameter name that you specify is 1011 characters.
This count of 1011 characters includes the characters in the ARN that
precede the name you specify. This ARN length will vary depending on
your partition and Region. For example, the following 45 characters
count toward the 1011 character maximum for a parameter created in the
US East (Ohio) Region:
arn:aws:ssm:us-east-2:111122223333:parameter/.
Overwrite
Overwrite an existing parameter. The default value is false.
Policies
One or more policies to apply to a parameter. This operation takes a JSON array. Parameter Store, a tool in Amazon Web Services Systems Manager supports the following policy types:
Expiration: This policy deletes the parameter after it expires. When you create the policy, you specify the expiration date. You can update the expiration date and time by updating the policy. Updating the parameter doesn't affect the expiration date and time. When the expiration time is reached, Parameter Store deletes the parameter.
ExpirationNotification: This policy initiates an event in Amazon CloudWatch Events that notifies you about the expiration. By using this policy, you can receive notification before or after the expiration time is reached, in units of days or hours.
NoChangeNotification: This policy initiates a CloudWatch Events event if a parameter hasn't been modified for a specified period of time. This policy type is useful when, for example, a secret needs to be changed within a period of time, but it hasn't been changed.
All existing policies are preserved until you send new policies or an empty policy. For more information about parameter policies, see Assigning parameter policies (https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-policies.html).
Tags
Optional metadata that you assign to a resource. Tags enable you to categorize a resource in different ways, such as by purpose, owner, or environment. For example, you might want to tag a Systems Manager parameter to identify the type of resource to which it applies, the environment, or the type of configuration data referenced by the parameter. In this case, you could specify the following key-value pairs:
Key=Resource,Value=S3bucketKey=OS,Value=WindowsKey=ParameterType,Value=LicenseKeyTo add tags to an existing Systems Manager parameter, use the AddTagsToResource operation.
Tier
The parameter tier to assign to a parameter.
Parameter Store offers a standard tier and an advanced tier for parameters. Standard parameters have a content size limit of 4 KB and can't be configured to use parameter policies. You can create a maximum of 10,000 standard parameters for each Region in an Amazon Web Services account. Standard parameters are offered at no additional cost.
Advanced parameters have a content size limit of 8 KB and can be configured to use parameter policies. You can create a maximum of 100,000 advanced parameters for each Region in an Amazon Web Services account. Advanced parameters incur a charge. For more information, see Managing parameter tiers (https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-advanced-parameters.html) in the Amazon Web Services Systems Manager User Guide.
You can change a standard parameter to an advanced parameter any time. But you can't revert an advanced parameter to a standard parameter. Reverting an advanced parameter to a standard parameter would result in data loss because the system would truncate the size of the parameter from 8 KB to 4 KB. Reverting would also remove any policies attached to the parameter. Lastly, advanced parameters use a different form of encryption than standard parameters.
If you no longer need an advanced parameter, or if you no longer want to incur charges for an advanced parameter, you must delete it and recreate it as a new standard parameter.
Using the Default Tier Configuration
In PutParameter requests, you can specify the tier to create the
parameter in. Whenever you specify a tier in the request, Parameter
Store creates or updates the parameter according to that request.
However, if you don't specify a tier in a request, Parameter Store
assigns the tier based on the current Parameter Store default tier
configuration.
The default tier when you begin using Parameter Store is the standard-parameter tier. If you use the advanced-parameter tier, you can specify one of the following as the default:
Intelligent-Tiering: With this option, Parameter Store evaluates each request to determine if the parameter is standard or advanced.
If the request doesn't include any options that require an advanced
parameter, the parameter is created in the standard-parameter tier. If
one or more options requiring an advanced parameter are included in the
request, Parameter Store create a parameter in the advanced-parameter
tier.
This approach helps control your parameter-related costs by always
creating standard parameters unless an advanced parameter is necessary.
Options that require an advanced parameter include the following:
For more information about configuring the default tier option, see Specifying a default parameter tier (https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-advanced-parameters.html#ps-default-tier) in the Amazon Web Services Systems Manager User Guide.
Type
The type of parameter that you want to create.
SecureString isn't currently supported for CloudFormation templates.
Items in a StringList must be separated by a comma (,). You can't
use other punctuation or special character to escape items in the list.
If you have a parameter value that requires a comma, then use the
String data type.
Specifying a parameter type isn't required when updating a parameter. You must specify a parameter type when creating a parameter.
Value
The parameter value that you want to add to the system. Standard parameters have a value limit of 4 KB. Advanced parameters have a value limit of 8 KB.
Parameters can't be referenced or nested in the values of other
parameters. You can't include values wrapped in double brackets {{}}
or {{ssm:_parameter-name_}} in a parameter value.
Tier
The tier assigned to the parameter.
Version
The new version number of a parameter. If you edit a parameter value, Parameter Store automatically creates a new version and assigns this new version a unique ID. You can reference a parameter version ID in API operations or in Systems Manager documents (SSM documents). By default, if you don't specify a specific version, the system returns the latest parameter value when a parameter is called.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidKeyId
The query key ID isn't valid.
ParameterLimitExceeded
You have exceeded the number of parameters for this Amazon Web Services account. Delete one or more parameters and try again.
TooManyUpdates
There are concurrent updates for a resource that supports one update at a time.
ParameterAlreadyExists
The parameter already exists. You can't create duplicate parameters.
HierarchyLevelLimitExceededException
A hierarchy can have a maximum of 15 levels. For more information, see Requirements and constraints for parameter names (https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-parameter-name-constraints.html) in the Amazon Web Services Systems Manager User Guide.
HierarchyTypeMismatchException
Parameter Store doesn't support changing a parameter type in a
hierarchy. For example, you can't change a parameter from a String
type to a SecureString type. You must create a new, unique
parameter.
InvalidAllowedPatternException
The request doesn't meet the regular expression requirement.
ParameterMaxVersionLimitExceeded
Parameter Store retains the 100 most recently created versions of a parameter. After this number of versions has been created, Parameter Store deletes the oldest version when a new one is created. However, if the oldest version has a label attached to it, Parameter Store won't delete the version and instead presents this error message:
An error occurred (ParameterMaxVersionLimitExceeded) when calling the
PutParameter operation: You attempted to create a new version of
_parameter-name_ by calling the PutParameter API with the overwrite
flag. Version _version-number_, the oldest version, can't be deleted
because it has a label associated with it. Move the label to another
version of the parameter, and try again.
This safeguard is to prevent parameter versions with mission critical labels assigned to them from being deleted. To continue creating new parameters, first move the label from the oldest version of the parameter to a newer one for use in your operations. For information about moving parameter labels, see Move a parameter label (console) (https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-labels.html#sysman-paramstore-labels-console-move) or Move a parameter label (CLI) (https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-labels.html#sysman-paramstore-labels-cli-move) in the Amazon Web Services Systems Manager User Guide.
ParameterPatternMismatchException
The parameter name isn't valid.
UnsupportedParameterType
The parameter type isn't supported.
PoliciesLimitExceededException
You specified more than the maximum number of allowed policies for the parameter. The maximum is 10.
InvalidPolicyTypeException
The policy type isn't supported. Parameter Store supports the following policy types: Expiration, ExpirationNotification, and NoChangeNotification.
InvalidPolicyAttributeException
A policy attribute or its value is invalid.
IncompatiblePolicyException
There is a conflict in the policies specified for this parameter. You can't, for example, specify two Expiration policies for a parameter. Review your policies, and try again.
METHOD
POST
REQUEST URI
/
Creates or updates a Systems Manager resource policy. A resource policy helps you to define the IAM entity (for example, an Amazon Web Services account) that can manage your Systems Manager resources. The following resources support Systems Manager resource policies.
OpsItemGroup - The resource policy for OpsItemGroup enables
Amazon Web Services accounts to view and interact with OpsCenter
operational work items (OpsItems).Parameter - The resource policy is used to share a parameter with
other accounts using Resource Access Manager (RAM).
To share a parameter, it must be in the advanced parameter tier. For information about parameter tiers, see Managing parameter tiers (https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-advanced-parameters.html). For information about changing an existing standard parameter to an advanced parameter, see Changing a standard parameter to an advanced parameter (https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-advanced-parameters.html#parameter-store-advanced-parameters-enabling).
To share a SecureString parameter, it must be encrypted with a
customer managed key, and you must share the key separately through Key
Management Service. Amazon Web Services managed keys cannot be shared.
Parameters encrypted with the default Amazon Web Services managed key
can be updated to use a customer managed key instead. For KMS key
definitions, see KMS concepts
(https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html)
in the Key Management Service Developer Guide.
While you can share a parameter using the Systems Manager
PutResourcePolicy operation, we recommend using Resource Access
Manager (RAM) instead. This is because using PutResourcePolicy
requires the extra step of promoting the parameter to a standard RAM
Resource Share using the RAM PromoteResourceShareCreatedFromPolicy
(https://docs.aws.amazon.com/ram/latest/APIReference/API_PromoteResourceShareCreatedFromPolicy.html)
API operation. Otherwise, the parameter won't be returned by the
Systems Manager DescribeParameters
(https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_DescribeParameters.html)
API operation using the --shared option.
For more information, see Sharing a parameter (https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-shared-parameters.html#share) in the Amazon Web Services Systems Manager User Guide
INPUT
Policy
A policy you want to associate with a resource.
PolicyHash
ID of the current policy version. The hash helps to prevent a situation where multiple users attempt to overwrite a policy. You must provide this hash when updating or deleting a policy.
PolicyId
The policy ID.
ResourceArn
Amazon Resource Name (ARN) of the resource to which you want to attach a policy.
PolicyHash
ID of the current policy version.
PolicyId
The policy ID. To update a policy, you must specify PolicyId and
PolicyHash.
ERRORS
InternalServerError
An error occurred on the server side.
ResourcePolicyInvalidParameterException
One or more parameters specified for the call aren't valid. Verify the parameters and their values and try again.
ResourcePolicyLimitExceededException
The PutResourcePolicy API action enforces two limits. A policy can't be
greater than 1024 bytes in size. And only one policy can be attached to
OpsItemGroup. Verify these limits and try again.
ResourcePolicyConflictException
The hash provided in the call doesn't match the stored hash. This exception is thrown when trying to update an obsolete policy version or when multiple requests to update a policy are sent.
ResourceNotFoundException
The specified parameter to be shared could not be found.
MalformedResourcePolicyDocumentException
The specified policy document is malformed or invalid, or excessive
PutResourcePolicy or DeleteResourcePolicy calls have been made.
ResourcePolicyNotFoundException
No policies with the specified policy ID and hash could be found.
METHOD
POST
REQUEST URI
/
Defines the default patch baseline for the relevant operating system.
To reset the Amazon Web Services-predefined patch baseline as the
default, specify the full patch baseline Amazon Resource Name (ARN) as
the baseline ID value. For example, for CentOS, specify
arn:aws:ssm:us-east-2:733109147000:patchbaseline/pb-0574b43a65ea646ed
instead of pb-0574b43a65ea646ed.
BaselineId
The ID of the patch baseline that should be the default patch baseline.
BaselineId
The ID of the default patch baseline.
ERRORS
InvalidResourceId
The resource ID isn't valid. Verify that you entered the correct ID and try again.
DoesNotExistException
Error returned when the ID specified for a resource, such as a maintenance window or patch baseline, doesn't exist.
For information about resource quotas in Amazon Web Services Systems Manager, see Systems Manager service quotas (https://docs.aws.amazon.com/general/latest/gr/ssm.html#limits_ssm) in the Amazon Web Services General Reference.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Registers a patch baseline for a patch group.
BaselineId
The ID of the patch baseline to register with the patch group.
PatchGroup
The name of the patch group to be registered with the patch baseline.
BaselineId
The ID of the patch baseline the patch group was registered with.
PatchGroup
The name of the patch group registered with the patch baseline.
ERRORS
AlreadyExistsException
Error returned if an attempt is made to register a patch group with a patch baseline that is already registered with a different patch baseline.
DoesNotExistException
Error returned when the ID specified for a resource, such as a maintenance window or patch baseline, doesn't exist.
For information about resource quotas in Amazon Web Services Systems Manager, see Systems Manager service quotas (https://docs.aws.amazon.com/general/latest/gr/ssm.html#limits_ssm) in the Amazon Web Services General Reference.
InvalidResourceId
The resource ID isn't valid. Verify that you entered the correct ID and try again.
ResourceLimitExceededException
Error returned when the caller has exceeded the default resource quotas. For example, too many maintenance windows or patch baselines have been created.
For information about resource quotas in Systems Manager, see Systems Manager service quotas (https://docs.aws.amazon.com/general/latest/gr/ssm.html#limits_ssm) in the Amazon Web Services General Reference.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Registers a target with a maintenance window.
ClientToken
User-provided idempotency token.
Description
An optional description for the target.
Name
An optional name for the target.
OwnerInformation
User-provided value that will be included in any Amazon CloudWatch Events events raised while running tasks for these targets in this maintenance window.
ResourceType
The type of target being registered with the maintenance window.
Targets
The targets to register with the maintenance window. In other words, the managed nodes to run commands on when the maintenance window runs.
If a single maintenance window task is registered with multiple targets, its task invocations occur sequentially and not in parallel. If your task must run on multiple targets at the same time, register a task for each target individually and assign each task the same priority level.
You can specify targets using managed node IDs, resource group names, or tags that have been applied to managed nodes.
Example 1: Specify managed node IDs
Key=InstanceIds,Values=<instance-id-1>,<instance-id-2>,<instance-id-3>
Example 2: Use tag key-pairs applied to managed nodes
Key=tag:<my-tag-key>,Values=<my-tag-value-1>,<my-tag-value-2>
Example 3: Use tag-keys applied to managed nodes
Key=tag-key,Values=<my-tag-key-1>,<my-tag-key-2>
Example 4: Use resource group names
Key=resource-groups:Name,Values=<resource-group-name>
Example 5: Use filters for resource group types
Key=resource-groups:ResourceTypeFilters,Values=<resource-type-1>,<resource-type-2>
For Key=resource-groups:ResourceTypeFilters, specify resource types
in the following format
Key=resource-groups:ResourceTypeFilters,Values=AWS::EC2::INSTANCE,AWS::EC2::VPC
For more information about these examples formats, including the best use case for each one, see Examples: Register targets with a maintenance window (https://docs.aws.amazon.com/systems-manager/latest/userguide/mw-cli-tutorial-targets-examples.html) in the Amazon Web Services Systems Manager User Guide.
WindowId
The ID of the maintenance window the target should be registered with.
WindowTargetId
The ID of the target definition in this maintenance window.
ERRORS
IdempotentParameterMismatch
Error returned when an idempotent operation is retried and the parameters don't match the original call to the API with the same idempotency token.
DoesNotExistException
Error returned when the ID specified for a resource, such as a maintenance window or patch baseline, doesn't exist.
For information about resource quotas in Amazon Web Services Systems Manager, see Systems Manager service quotas (https://docs.aws.amazon.com/general/latest/gr/ssm.html#limits_ssm) in the Amazon Web Services General Reference.
ResourceLimitExceededException
Error returned when the caller has exceeded the default resource quotas. For example, too many maintenance windows or patch baselines have been created.
For information about resource quotas in Systems Manager, see Systems Manager service quotas (https://docs.aws.amazon.com/general/latest/gr/ssm.html#limits_ssm) in the Amazon Web Services General Reference.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Adds a new task to a maintenance window.
AlarmConfiguration
The CloudWatch alarm you want to apply to your maintenance window task.
ClientToken
User-provided idempotency token.
CutoffBehavior
Indicates whether tasks should continue to run after the cutoff time specified in the maintenance windows is reached.
CONTINUE_TASK: When the cutoff time is reached, any tasks that are
running continue. The default value.CANCEL_TASK:
The status for tasks that are not completed is TIMED_OUT.
Description
An optional description for the task.
LoggingInfo
A structure containing information about an Amazon Simple Storage Service (Amazon S3) bucket to write managed node-level logs to.
LoggingInfo has been deprecated. To specify an Amazon Simple Storage
Service (Amazon S3) bucket to contain logs, instead use the
OutputS3BucketName and OutputS3KeyPrefix options in the
TaskInvocationParameters structure. For information about how Amazon
Web Services Systems Manager handles these options for the supported
maintenance window task types, see
MaintenanceWindowTaskInvocationParameters.
MaxConcurrency
The maximum number of targets this task can be run for, in parallel.
Although this element is listed as "Required: No", a value can be omitted only when you are registering or updating a targetless task (https://docs.aws.amazon.com/systems-manager/latest/userguide/maintenance-windows-targetless-tasks.html) You must provide a value in all other cases.
For maintenance window tasks without a target specified, you can't
supply a value for this option. Instead, the system inserts a
placeholder value of 1. This value doesn't affect the running of
your task.
MaxErrors
The maximum number of errors allowed before this task stops being scheduled.
Although this element is listed as "Required: No", a value can be omitted only when you are registering or updating a targetless task (https://docs.aws.amazon.com/systems-manager/latest/userguide/maintenance-windows-targetless-tasks.html) You must provide a value in all other cases.
For maintenance window tasks without a target specified, you can't
supply a value for this option. Instead, the system inserts a
placeholder value of 1. This value doesn't affect the running of
your task.
Name
An optional name for the task.
Priority
The priority of the task in the maintenance window, the lower the number the higher the priority. Tasks in a maintenance window are scheduled in priority order with tasks that have the same priority scheduled in parallel.
ServiceRoleArn
The Amazon Resource Name (ARN) of the IAM service role for Amazon Web
Services Systems Manager to assume when running a maintenance window
task. If you do not specify a service role ARN, Systems Manager uses a
service-linked role in your account. If no appropriate service-linked
role for Systems Manager exists in your account, it is created when you
run RegisterTaskWithMaintenanceWindow.
However, for an improved security posture, we strongly recommend creating a custom policy and custom service role for running your maintenance window tasks. The policy can be crafted to provide only the permissions needed for your particular maintenance window tasks. For more information, see Setting up Maintenance Windows (https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-maintenance-permissions.html) in the in the Amazon Web Services Systems Manager User Guide.
Targets
The targets (either managed nodes or maintenance window targets).
One or more targets must be specified for maintenance window Run Command-type tasks. Depending on the task, targets are optional for other maintenance window task types (Automation, Lambda, and Step Functions). For more information about running tasks that don't specify targets, see Registering maintenance window tasks without targets (https://docs.aws.amazon.com/systems-manager/latest/userguide/maintenance-windows-targetless-tasks.html) in the Amazon Web Services Systems Manager User Guide.
Specify managed nodes using the following format:
Key=InstanceIds,Values=<instance-id-1>,<instance-id-2>
Specify maintenance window targets using the following format:
Key=WindowTargetIds,Values=<window-target-id-1>,<window-target-id-2>
TaskArn
The ARN of the task to run.
TaskInvocationParameters
The parameters that the task should use during execution. Populate only the fields that match the task type. All other fields should be empty.
TaskParameters
The parameters that should be passed to the task when it is run.
TaskParameters has been deprecated. To specify parameters to pass to
a task when it runs, instead use the Parameters option in the
TaskInvocationParameters structure. For information about how
Systems Manager handles these options for the supported maintenance
window task types, see MaintenanceWindowTaskInvocationParameters.
TaskType
The type of task being registered.
WindowId
The ID of the maintenance window the task should be added to.
WindowTaskId
The ID of the task in the maintenance window.
ERRORS
IdempotentParameterMismatch
Error returned when an idempotent operation is retried and the parameters don't match the original call to the API with the same idempotency token.
DoesNotExistException
Error returned when the ID specified for a resource, such as a maintenance window or patch baseline, doesn't exist.
For information about resource quotas in Amazon Web Services Systems Manager, see Systems Manager service quotas (https://docs.aws.amazon.com/general/latest/gr/ssm.html#limits_ssm) in the Amazon Web Services General Reference.
ResourceLimitExceededException
Error returned when the caller has exceeded the default resource quotas. For example, too many maintenance windows or patch baselines have been created.
For information about resource quotas in Systems Manager, see Systems Manager service quotas (https://docs.aws.amazon.com/general/latest/gr/ssm.html#limits_ssm) in the Amazon Web Services General Reference.
FeatureNotAvailableException
You attempted to register a LAMBDA or STEP_FUNCTIONS task in a
region where the corresponding service isn't available.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Removes tag keys from the specified resource.
ResourceId
The ID of the resource from which you want to remove tags. For example:
ManagedInstance: mi-012345abcde
MaintenanceWindow: mw-012345abcde
Automation: example-c160-4567-8519-012345abcde
PatchBaseline: pb-012345abcde
OpsMetadata object: ResourceID for tagging is created from the
Amazon Resource Name (ARN) for the object. Specifically, ResourceID
is created from the strings that come after the word opsmetadata in
the ARN. For example, an OpsMetadata object with an ARN of
arn:aws:ssm:us-east-2:1234567890:opsmetadata/aws/ssm/MyGroup/appmanager
has a ResourceID of either aws/ssm/MyGroup/appmanager or
/aws/ssm/MyGroup/appmanager.
For the Document and Parameter values, use the name of the resource.
The ManagedInstance type for this API operation is only for
on-premises managed nodes. Specify the name of the managed node in the
following format: mi-ID_number. For example, mi-1a2b3c4d5e6f.
ResourceType
The type of resource from which you want to remove a tag.
The ManagedInstance type for this API operation is only for
on-premises managed nodes. Specify the name of the managed node in the
following format: mi-_ID_number_. For example, mi-1a2b3c4d5e6f.
TagKeys
Tag keys that you want to remove from the specified resource.
ERRORS
InvalidResourceType
The resource type isn't valid. For example, if you are attempting to tag an EC2 instance, the instance must be a registered managed node.
InvalidResourceId
The resource ID isn't valid. Verify that you entered the correct ID and try again.
InternalServerError
An error occurred on the server side.
TooManyUpdates
There are concurrent updates for a resource that supports one update at a time.
METHOD
POST
REQUEST URI
/
ServiceSetting is an account-level setting for an Amazon Web
Services service. This setting defines how a user interacts with or
uses a service or a feature of a service. For example, if an Amazon Web
Services service charges money to the account based on feature or
service usage, then the Amazon Web Services service team might create a
default setting of "false". This means the user can't use this feature
unless they change the setting to "true" and intentionally opt in for a
paid feature.
Services map a SettingId object to a setting value. Amazon Web
Services services teams define the default value for a SettingId.
You can't create a new SettingId, but you can overwrite the default
value if you have the ssm:UpdateServiceSetting permission for the
setting. Use the GetServiceSetting API operation to view the current
value. Use the UpdateServiceSetting API operation to change the default
setting.
Reset the service setting for the account to the default value as provisioned by the Amazon Web Services service team.
SettingId
The Amazon Resource Name (ARN) of the service setting to reset. The setting ID can be one of the following.
/ssm/appmanager/appmanager-enabled/ssm/automation/customer-script-log-destination/ssm/automation/customer-script-log-group-name/ssm/documents/console/public-sharing-permission/ssm/managed-instance/activation-tier/ssm/managed-instance/default-ec2-instance-management-role/ssm/opsinsights/opscenter/ssm/parameter-store/default-parameter-tier/ssm/parameter-store/high-throughput-enabledServiceSetting
The current, effective service setting after calling the ResetServiceSetting API operation.
ERRORS
InternalServerError
An error occurred on the server side.
ServiceSettingNotFound
The specified service setting wasn't found. Either the service name or the setting hasn't been provisioned by the Amazon Web Services service team.
TooManyUpdates
There are concurrent updates for a resource that supports one update at a time.
METHOD
POST
REQUEST URI
/
Reconnects a session to a managed node after it has been disconnected. Connections can be resumed for disconnected sessions, but not terminated sessions.
This command is primarily for use by client machines to automatically reconnect during intermittent network issues. It isn't intended for any other use.
SessionId
The ID of the disconnected session to resume.
SessionId
The ID of the session.
StreamUrl
A URL back to SSM Agent on the managed node that the Session Manager
client uses to send commands and receive output from the managed node.
Format:
wss://ssmmessages.**region**.amazonaws.com/v1/data-channel/**session-id**?stream=(input|output).
region represents the Region identifier for an Amazon Web Services
Region supported by Amazon Web Services Systems Manager, such as
us-east-2 for the US East (Ohio) Region. For a list of supported
region values, see the Region column in Systems Manager service
endpoints
(https://docs.aws.amazon.com/general/latest/gr/ssm.html#ssm_region) in
the Amazon Web Services General Reference.
session-id represents the ID of a Session Manager session, such as
1a2b3c4dEXAMPLE.
TokenValue
An encrypted token value containing session and caller information. Used to authenticate the connection to the managed node.
ERRORS
DoesNotExistException
Error returned when the ID specified for a resource, such as a maintenance window or patch baseline, doesn't exist.
For information about resource quotas in Amazon Web Services Systems Manager, see Systems Manager service quotas (https://docs.aws.amazon.com/general/latest/gr/ssm.html#limits_ssm) in the Amazon Web Services General Reference.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Sends a signal to an Automation execution to change the current behavior or status of the execution.
AutomationExecutionId
The unique identifier for an existing Automation execution that you want to send the signal to.
Payload
The data sent with the signal. The data schema depends on the type of signal used in the request.
For Approve and Reject signal types, the payload is an optional
comment that you can send with the signal type. For example:
Comment="Looks good"
For StartStep and Resume signal types, you must send the name of
the Automation step to start or resume as the payload. For example:
StepName="step1"
For the StopStep signal type, you must send the step execution ID as
the payload. For example:
StepExecutionId="97fff367-fc5a-4299-aed8-0123456789ab"
SignalType
The type of signal to send to an Automation execution.
ERRORS
AutomationExecutionNotFoundException
There is no automation execution information for the requested automation execution ID.
AutomationStepNotFoundException
The specified step name and execution ID don't exist. Verify the information and try again.
InvalidAutomationSignalException
The signal isn't valid for the current Automation execution.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Runs commands on one or more managed nodes.
AlarmConfiguration
The CloudWatch alarm you want to apply to your command.
CloudWatchOutputConfig
Enables Amazon Web Services Systems Manager to send Run Command output to Amazon CloudWatch Logs. Run Command is a tool in Amazon Web Services Systems Manager.
Comment
User-specified information about the command, such as a brief description of what the command should do.
DocumentHash
The Sha256 or Sha1 hash created by the system when the document was created.
Sha1 hashes have been deprecated.
DocumentHashType
Sha256 or Sha1.
Sha1 hashes have been deprecated.
DocumentName
The name of the Amazon Web Services Systems Manager document (SSM document) to run. This can be a public document or a custom document. To run a shared document belonging to another account, specify the document Amazon Resource Name (ARN). For more information about how to use shared documents, see Sharing SSM documents (https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-using-shared.html) in the Amazon Web Services Systems Manager User Guide.
If you specify a document name or ARN that hasn't been shared with your
account, you receive an InvalidDocument error.
DocumentVersion
The SSM document version to use in the request. You can specify $DEFAULT, $LATEST, or a specific version number. If you run commands by using the Command Line Interface (Amazon Web Services CLI), then you must escape the first two options by using a backslash. If you specify a version number, then you don't need to use the backslash. For example:
--document-version "\$DEFAULT"
--document-version "\$LATEST"
--document-version "3"
InstanceIds
The IDs of the managed nodes where the command should run. Specifying managed node IDs is most useful when you are targeting a limited number of managed nodes, though you can specify up to 50 IDs.
To target a larger number of managed nodes, or if you prefer not to
list individual node IDs, we recommend using the Targets option
instead. Using Targets, which accepts tag key-value pairs to
identify the managed nodes to send commands to, you can a send command
to tens, hundreds, or thousands of nodes at once.
For more information about how to use targets, see Run commands at scale (https://docs.aws.amazon.com/systems-manager/latest/userguide/send-commands-multiple.html) in the Amazon Web Services Systems Manager User Guide.
MaxConcurrency
(Optional) The maximum number of managed nodes that are allowed to run
the command at the same time. You can specify a number such as 10 or a
percentage such as 10%. The default value is 50. For more
information about how to use MaxConcurrency, see Using concurrency
controls
(https://docs.aws.amazon.com/systems-manager/latest/userguide/send-commands-multiple.html#send-commands-velocity)
in the Amazon Web Services Systems Manager User Guide.
MaxErrors
The maximum number of errors allowed without the command failing. When
the command fails one more time beyond the value of MaxErrors, the
systems stops sending the command to additional targets. You can
specify a number like 10 or a percentage like 10%. The default value is
0. For more information about how to use MaxErrors, see Using
error controls
(https://docs.aws.amazon.com/systems-manager/latest/userguide/send-commands-multiple.html#send-commands-maxerrors)
in the Amazon Web Services Systems Manager User Guide.
NotificationConfig
Configurations for sending notifications.
OutputS3BucketName
The name of the S3 bucket where command execution responses should be stored.
OutputS3KeyPrefix
The directory structure within the S3 bucket where the responses should be stored.
OutputS3Region
(Deprecated) You can no longer specify this parameter. The system ignores it. Instead, Systems Manager automatically determines the Amazon Web Services Region of the S3 bucket.
Parameters
The required and optional parameters specified in the document being run.
ServiceRoleArn
The ARN of the Identity and Access Management (IAM) service role to use to publish Amazon Simple Notification Service (Amazon SNS) notifications for Run Command commands.
This role must provide the sns:Publish permission for your
notification topic. For information about creating and using this
service role, see Monitoring Systems Manager status changes using
Amazon SNS notifications
(https://docs.aws.amazon.com/systems-manager/latest/userguide/monitoring-sns-notifications.html)
in the Amazon Web Services Systems Manager User Guide.
Targets
An array of search criteria that targets managed nodes using a
Key,Value combination that you specify. Specifying targets is most
useful when you want to send a command to a large number of managed
nodes at once. Using Targets, which accepts tag key-value pairs to
identify managed nodes, you can send a command to tens, hundreds, or
thousands of nodes at once.
To send a command to a smaller number of managed nodes, you can use the
InstanceIds option instead.
For more information about how to use targets, see Run commands at scale (https://docs.aws.amazon.com/systems-manager/latest/userguide/send-commands-multiple.html) in the Amazon Web Services Systems Manager User Guide.
TimeoutSeconds
If this time is reached and the command hasn't already started running, it won't run.
Command
The request as it was received by Systems Manager. Also provides the command ID which can be used future references to this request.
ERRORS
DuplicateInstanceId
You can't specify a managed node ID in more than one association.
InternalServerError
An error occurred on the server side.
InvalidInstanceId
The following problems can cause this exception:
Running,
Pending, Stopped, and Stopping. Invalid states are:
Shutting-down and Terminated.InvalidDocument
The specified SSM document doesn't exist.
InvalidDocumentVersion
The document version isn't valid or doesn't exist.
InvalidOutputFolder
The S3 bucket doesn't exist.
InvalidParameters
You must specify values for all required parameters in the Amazon Web Services Systems Manager document (SSM document). You can only supply values to parameters defined in the SSM document.
UnsupportedPlatformType
The document doesn't support the platform type of the given managed node IDs. For example, you sent an document for a Windows managed node to a Linux node.
MaxDocumentSizeExceeded
The size limit of a document is 64 KB.
InvalidRole
The role name can't contain invalid characters. Also verify that you specified an IAM role for notifications that includes the required trust policy. For information about configuring the IAM role for Run Command notifications, see Monitoring Systems Manager status changes using Amazon SNS notifications (https://docs.aws.amazon.com/systems-manager/latest/userguide/monitoring-sns-notifications.html) in the Amazon Web Services Systems Manager User Guide.
InvalidNotificationConfig
One or more configuration items isn't valid. Verify that a valid Amazon Resource Name (ARN) was provided for an Amazon Simple Notification Service topic.
METHOD
POST
REQUEST URI
/
Runs an association immediately and only one time. This operation can be helpful when troubleshooting associations.
AssociationIds
The association IDs that you want to run immediately and only one time.
ERRORS
InvalidAssociation
The association isn't valid or doesn't exist.
AssociationDoesNotExist
The specified association doesn't exist.
METHOD
POST
REQUEST URI
/
Initiates execution of an Automation runbook.
AlarmConfiguration
The CloudWatch alarm you want to apply to your automation.
ClientToken
User-provided idempotency token. The token must be unique, is case insensitive, enforces the UUID format, and can't be reused.
DocumentName
The name of the SSM document to run. This can be a public document or a custom document. To run a shared document belonging to another account, specify the document ARN. For more information about how to use shared documents, see Sharing SSM documents (https://docs.aws.amazon.com/systems-manager/latest/userguide/documents-ssm-sharing.html) in the Amazon Web Services Systems Manager User Guide.
DocumentVersion
The version of the Automation runbook to use for this execution.
MaxConcurrency
The maximum number of targets allowed to run this task in parallel. You
can specify a number, such as 10, or a percentage, such as 10%. The
default value is 10.
If both this parameter and the TargetLocation:TargetsMaxConcurrency
are supplied, TargetLocation:TargetsMaxConcurrency takes precedence.
MaxErrors
The number of errors that are allowed before the system stops running the automation on additional targets. You can specify either an absolute number of errors, for example 10, or a percentage of the target set, for example 10%. If you specify 3, for example, the system stops running the automation when the fourth error is received. If you specify 0, then the system stops running the automation on additional targets after the first error result is returned. If you run an automation on 50 resources and set max-errors to 10%, then the system stops running the automation on additional targets when the sixth error is received.
Executions that are already running an automation when max-errors is reached are allowed to complete, but some of these executions may fail as well. If you need to ensure that there won't be more than max-errors failed executions, set max-concurrency to 1 so the executions proceed one at a time.
If this parameter and the TargetLocation:TargetsMaxErrors parameter
are both supplied, TargetLocation:TargetsMaxErrors takes precedence.
Mode
The execution mode of the automation. Valid modes include the following: Auto and Interactive. The default mode is Auto.
Parameters
A key-value map of execution parameters, which match the declared parameters in the Automation runbook.
Tags
Optional metadata that you assign to a resource. You can specify a maximum of five tags for an automation. Tags enable you to categorize a resource in different ways, such as by purpose, owner, or environment. For example, you might want to tag an automation to identify an environment or operating system. In this case, you could specify the following key-value pairs:
Key=environment,Value=testKey=OS,Value=Windows The Array Members maximum value is reported as 1000. This number
includes capacity reserved for internal operations. When calling the
StartAutomationExecution action, you can specify a maximum of 5
tags. You can, however, use the AddTagsToResource action to add up to a
total of 50 tags to an existing automation configuration.
TargetLocations
A location is a combination of Amazon Web Services Regions and/or Amazon Web Services accounts where you want to run the automation. Use this operation to start an automation in multiple Amazon Web Services Regions and multiple Amazon Web Services accounts. For more information, see Running automations in multiple Amazon Web Services Regions and accounts (https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-automation-multiple-accounts-and-regions.html) in the Amazon Web Services Systems Manager User Guide.
TargetLocationsURL
Specify a publicly accessible URL for a file that contains the
TargetLocations body. Currently, only files in presigned Amazon S3
buckets are supported.
TargetMaps
A key-value mapping of document parameters to target resources. Both Targets and TargetMaps can't be specified together.
TargetParameterName
The name of the parameter used as the target resource for the rate-controlled execution. Required if you specify targets.
Targets
A key-value mapping to target resources. Required if you specify TargetParameterName.
If both this parameter and the TargetLocation:Targets parameter are
supplied, TargetLocation:Targets takes precedence.
AutomationExecutionId
The unique ID of a newly scheduled automation execution.
ERRORS
AutomationDefinitionNotFoundException
An Automation runbook with the specified name couldn't be found.
InvalidAutomationExecutionParametersException
The supplied parameters for invoking the specified Automation runbook are incorrect. For example, they may not match the set of parameters permitted for the specified Automation document.
AutomationExecutionLimitExceededException
The number of simultaneously running Automation executions exceeded the allowable limit.
AutomationDefinitionVersionNotFoundException
An Automation runbook with the specified name and version couldn't be found.
IdempotentParameterMismatch
Error returned when an idempotent operation is retried and the parameters don't match the original call to the API with the same idempotency token.
InvalidTarget
The target isn't valid or doesn't exist. It might not be configured for Systems Manager or you might not have permission to perform the operation.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Creates a change request for Change Manager. The Automation runbooks specified in the change request run only after all required approvals for the change request have been received.
AutoApprove
Indicates whether the change request can be approved automatically without the need for manual approvals.
If AutoApprovable is enabled in a change template, then setting
AutoApprove to true in StartChangeRequestExecution creates a
change request that bypasses approver review.
Change Calendar restrictions are not bypassed in this scenario. If the
state of an associated calendar is CLOSED, change freeze approvers
must still grant permission for this change request to run. If they
don't, the change won't be processed until the calendar state is again
OPEN.
ChangeDetails
User-provided details about the change. If no details are provided, content specified in the Template information section of the associated change template is added.
ChangeRequestName
The name of the change request associated with the runbook workflow to be run.
ClientToken
The user-provided idempotency token. The token must be unique, is case insensitive, enforces the UUID format, and can't be reused.
DocumentName
The name of the change template document to run during the runbook workflow.
DocumentVersion
The version of the change template document to run during the runbook workflow.
Parameters
A key-value map of parameters that match the declared parameters in the change template document.
Runbooks
Information about the Automation runbooks that are run during the runbook workflow.
The Automation runbooks specified for the runbook workflow can't run until all required approvals for the change request have been received.
ScheduledEndTime
The time that the requester expects the runbook workflow related to the change request to complete. The time is an estimate only that the requester provides for reviewers.
ScheduledTime
The date and time specified in the change request to run the Automation runbooks.
The Automation runbooks specified for the runbook workflow can't run until all required approvals for the change request have been received.
Tags
Optional metadata that you assign to a resource. You can specify a maximum of five tags for a change request. Tags enable you to categorize a resource in different ways, such as by purpose, owner, or environment. For example, you might want to tag a change request to identify an environment or target Amazon Web Services Region. In this case, you could specify the following key-value pairs:
Key=Environment,Value=ProductionKey=Region,Value=us-east-2 The Array Members maximum value is reported as 1000. This number
includes capacity reserved for internal operations. When calling the
StartChangeRequestExecution action, you can specify a maximum of 5
tags. You can, however, use the AddTagsToResource action to add up to a
total of 50 tags to an existing change request configuration.
AutomationExecutionId
The unique ID of a runbook workflow operation. (A runbook workflow is a type of Automation operation.)
ERRORS
AutomationDefinitionNotFoundException
An Automation runbook with the specified name couldn't be found.
InvalidAutomationExecutionParametersException
The supplied parameters for invoking the specified Automation runbook are incorrect. For example, they may not match the set of parameters permitted for the specified Automation document.
AutomationExecutionLimitExceededException
The number of simultaneously running Automation executions exceeded the allowable limit.
AutomationDefinitionVersionNotFoundException
An Automation runbook with the specified name and version couldn't be found.
IdempotentParameterMismatch
Error returned when an idempotent operation is retried and the parameters don't match the original call to the API with the same idempotency token.
InternalServerError
An error occurred on the server side.
AutomationDefinitionNotApprovedException
Indicates that the Change Manager change template used in the change request was rejected or is still in a pending state.
METHOD
POST
REQUEST URI
/
Initiates the process of creating a preview showing the effects that running a specified Automation runbook would have on the targeted resources.
DocumentName
The name of the Automation runbook to run. The result of the execution preview indicates what the impact would be of running this runbook.
DocumentVersion
The version of the Automation runbook to run. The default value is
$DEFAULT.
ExecutionInputs
Information about the inputs that can be specified for the preview operation.
ExecutionPreviewId
The ID of the execution preview generated by the system.
ERRORS
InternalServerError
An error occurred on the server side.
ValidationException
The request isn't valid. Verify that you entered valid contents for the command and try again.
METHOD
POST
REQUEST URI
/
Initiates a connection to a target (for example, a managed node) for a Session Manager session. Returns a URL and token that can be used to open a WebSocket connection for sending input and receiving outputs.
Amazon Web Services CLI usage: start-session is an interactive
command that requires the Session Manager plugin to be installed on the
client machine making the call. For information, see Install the
Session Manager plugin for the Amazon Web Services CLI
(https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html)
in the Amazon Web Services Systems Manager User Guide.
Amazon Web Services Tools for PowerShell usage: Start-SSMSession isn't currently supported by Amazon Web Services Tools for PowerShell on Windows local machines.
DocumentName
The name of the SSM document you want to use to define the type of
session, input parameters, or preferences for the session. For example,
SSM-SessionManagerRunShell. You can call the GetDocument API to
verify the document exists before attempting to start a session. If no
document name is provided, a shell to the managed node is launched by
default. For more information, see Start a session
(https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-sessions-start.html)
in the Amazon Web Services Systems Manager User Guide.
Parameters
The values you want to specify for the parameters defined in the Session document. For more information about these parameters, see Create a Session Manager preferences document (https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-create-preferences-cli.html) in the Amazon Web Services Systems Manager User Guide.
Reason
The reason for connecting to the instance. This value is included in the details for the Amazon CloudWatch Events event created when you start the session.
Target
The managed node to connect to for the session.
SessionId
The ID of the session.
StreamUrl
A URL back to SSM Agent on the managed node that the Session Manager
client uses to send commands and receive output from the node. Format:
wss://ssmmessages.**region**.amazonaws.com/v1/data-channel/**session-id**?stream=(input|output)
region represents the Region identifier for an Amazon Web Services
Region supported by Amazon Web Services Systems Manager, such as
us-east-2 for the US East (Ohio) Region. For a list of supported
region values, see the Region column in Systems Manager service
endpoints
(https://docs.aws.amazon.com/general/latest/gr/ssm.html#ssm_region) in
the Amazon Web Services General Reference.
session-id represents the ID of a Session Manager session, such as
1a2b3c4dEXAMPLE.
TokenValue
An encrypted token value containing session and caller information. This token is used to authenticate the connection to the managed node, and is valid only long enough to ensure the connection is successful. Never share your session's token.
ERRORS
InvalidDocument
The specified SSM document doesn't exist.
TargetNotConnected
The specified target managed node for the session isn't fully configured for use with Session Manager. For more information, see Setting up Session Manager (https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started.html) in the Amazon Web Services Systems Manager User Guide. This error is also returned if you attempt to start a session on a managed node that is located in a different account or Region
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Stop an Automation that is currently running.
AutomationExecutionId
The execution ID of the Automation to stop.
Type
The stop request type. Valid types include the following: Cancel and Complete. The default type is Cancel.
ERRORS
AutomationExecutionNotFoundException
There is no automation execution information for the requested automation execution ID.
InvalidAutomationStatusUpdateException
The specified update status operation isn't valid.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Permanently ends a session and closes the data connection between the Session Manager client and SSM Agent on the managed node. A terminated session can't be resumed.
SessionId
The ID of the session to terminate.
SessionId
The ID of the session that has been terminated.
ERRORS
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Remove a label or labels from a parameter.
Labels
One or more labels to delete from the specified parameter version.
Name
The name of the parameter from which you want to delete one or more labels.
You can't enter the Amazon Resource Name (ARN) for a parameter, only the parameter name itself.
ParameterVersion
The specific version of the parameter which you want to delete one or more labels from. If it isn't present, the call will fail.
InvalidLabels
The labels that aren't attached to the given parameter version.
RemovedLabels
A list of all labels deleted from the parameter.
ERRORS
InternalServerError
An error occurred on the server side.
TooManyUpdates
There are concurrent updates for a resource that supports one update at a time.
ParameterNotFound
The parameter couldn't be found. Verify the name and try again.
For the DeleteParameter and GetParameter actions, if the
specified parameter doesn't exist, the ParameterNotFound exception
is not recorded in CloudTrail event logs.
ParameterVersionNotFound
The specified parameter version wasn't found. Verify the parameter name and version, and try again.
METHOD
POST
REQUEST URI
/
Updates an association. You can update the association name and
version, the document version, schedule, parameters, and Amazon Simple
Storage Service (Amazon S3) output. When you call UpdateAssociation,
the system removes all optional parameters from the request and
overwrites the association with null values for those parameters. This
is by design. You must specify all optional parameters in the call,
even if you are not changing the parameters. This includes the Name
parameter. Before calling this API action, we recommend that you call
the DescribeAssociation API operation and make a note of all optional
parameters required for your UpdateAssociation call.
In order to call this API operation, a user, group, or role must be
granted permission to call the DescribeAssociation API operation. If
you don't have permission to call DescribeAssociation, then you
receive the following error: An error occurred
(AccessDeniedException) when calling the UpdateAssociation operation:
User: <user_arn> isn't authorized to perform:
ssm:DescribeAssociation on resource: <resource_arn>
When you update an association, the association immediately runs
against the specified targets. You can add the
ApplyOnlyAtCronInterval parameter to run the association during the
next schedule run.
ApplyOnlyAtCronInterval
By default, when you update an association, the system runs it
immediately after it is updated and then according to the schedule you
specified. Specify true for ApplyOnlyAtCronInterval if you want
the association to run only according to the schedule you specified.
If you chose this option when you created an association and later you
edit that association or you make changes to the Automation runbook or
SSM document on which that association is based, State Manager applies
the association at the next specified cron interval. For example, if
you chose the Latest version of an SSM document when you created an
association and you edit the association by choosing a different
document version on the Documents page, State Manager applies the
association at the next specified cron interval if you previously set
ApplyOnlyAtCronInterval to true. If this option wasn't selected,
State Manager immediately runs the association.
For more information, see Understanding when associations are applied to resources (https://docs.aws.amazon.com/systems-manager/latest/userguide/state-manager-about.html#state-manager-about-scheduling) and About target updates with Automation runbooks (https://docs.aws.amazon.com/systems-manager/latest/userguide/state-manager-about.html#runbook-target-updates) in the Amazon Web Services Systems Manager User Guide.
This parameter isn't supported for rate expressions.
You can reset this parameter. To do so, specify the
no-apply-only-at-cron-interval parameter when you update the
association from the command line. This parameter forces the
association to run immediately after updating it and according to the
interval specified.
AssociationId
The ID of the association you want to update.
AssociationName
The name of the association that you want to update.
AssociationVersion
This parameter is provided for concurrency control purposes. You must
specify the latest association version in the service. If you want to
ensure that this request succeeds, either specify $LATEST, or omit
this parameter.
AutomationTargetParameterName
Choose the parameter that will define how your automation will branch out. This target is required for associations that use an Automation runbook and target resources by using rate controls. Automation is a tool in Amazon Web Services Systems Manager.
CalendarNames
The names or Amazon Resource Names (ARNs) of the Change Calendar type documents you want to gate your associations under. The associations only run when that change calendar is open. For more information, see Amazon Web Services Systems Manager Change Calendar (https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-change-calendar) in the Amazon Web Services Systems Manager User Guide.
ComplianceSeverity
The severity level to assign to the association.
DocumentVersion
The document version you want update for the association.
State Manager doesn't support running associations that use a new
version of a document if that document is shared from another account.
State Manager always runs the default version of a document if
shared from another account, even though the Systems Manager console
shows that a new version was processed. If you want to run an
association using a new version of a document shared form another
account, you must set the document version to default.
Duration
The number of hours the association can run before it is canceled. Duration applies to associations that are currently running, and any pending and in progress commands on all targets. If a target was taken offline for the association to run, it is made available again immediately, without a reboot.
The Duration parameter applies only when both these conditions are
true:
ApplyOnlyAtCronInterval
(https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_UpdateAssociation.html#systemsmanager-UpdateAssociation-request-ApplyOnlyAtCronInterval)
parameter, which means that the association doesn't run immediately
after it is updated, but only according to the specified schedule.MaxConcurrency
The maximum number of targets allowed to run the association at the same time. You can specify a number, for example 10, or a percentage of the target set, for example 10%. The default value is 100%, which means all targets run the association at the same time.
If a new managed node starts and attempts to run an association while
Systems Manager is running MaxConcurrency associations, the
association is allowed to run. During the next association interval,
the new managed node will process its association within the limit
specified for MaxConcurrency.
MaxErrors
The number of errors that are allowed before the system stops sending
requests to run the association on additional targets. You can specify
either an absolute number of errors, for example 10, or a percentage of
the target set, for example 10%. If you specify 3, for example, the
system stops sending requests when the fourth error is received. If you
specify 0, then the system stops sending requests after the first error
is returned. If you run an association on 50 managed nodes and set
MaxError to 10%, then the system stops sending the request when the
sixth error is received.
Executions that are already running an association when MaxErrors is
reached are allowed to complete, but some of these executions may fail
as well. If you need to ensure that there won't be more than max-errors
failed executions, set MaxConcurrency to 1 so that executions
proceed one at a time.
Name
The name of the SSM Command document or Automation runbook that contains the configuration information for the managed node.
You can specify Amazon Web Services-predefined documents, documents you created, or a document that is shared with you from another account.
For Systems Manager document (SSM document) that are shared with you from other Amazon Web Services accounts, you must specify the complete SSM document ARN, in the following format:
arn:aws:ssm:_region_:_account-id_:document/_document-name_
For example:
arn:aws:ssm:us-east-2:12345678912:document/My-Shared-Document
For Amazon Web Services-predefined documents and SSM documents you
created in your account, you only need to specify the document name.
For example, AWS-ApplyPatchBaseline or My-Document.
OutputLocation
An S3 bucket where you want to store the results of this request.
Parameters
The parameters you want to update for the association. If you create a
parameter using Parameter Store, a tool in Amazon Web Services Systems
Manager, you can reference the parameter using
{{ssm:parameter-name}}.
ScheduleExpression
The cron expression used to schedule the association that you want to update.
ScheduleOffset
Number of days to wait after the scheduled day to run an association.
For example, if you specified a cron schedule of cron(0 0 ? * THU#2
*), you could specify an offset of 3 to run the association each
Sunday after the second Thursday of the month. For more information
about cron schedules for associations, see Reference: Cron and rate
expressions for Systems Manager
(https://docs.aws.amazon.com/systems-manager/latest/userguide/reference-cron-and-rate-expressions.html)
in the Amazon Web Services Systems Manager User Guide.
To use offsets, you must specify the ApplyOnlyAtCronInterval
parameter. This option tells the system not to run an association
immediately after you create it.
SyncCompliance
The mode for generating association compliance. You can specify AUTO
or MANUAL. In AUTO mode, the system uses the status of the
association execution to determine the compliance status. If the
association execution runs successfully, then the association is
COMPLIANT. If the association execution doesn't run successfully,
the association is NON-COMPLIANT.
In MANUAL mode, you must specify the AssociationId as a parameter
for the PutComplianceItems API operation. In this case, compliance data
isn't managed by State Manager, a tool in Amazon Web Services Systems
Manager. It is managed by your direct call to the PutComplianceItems
API operation.
By default, all associations use AUTO mode.
TargetLocations
A location is a combination of Amazon Web Services Regions and Amazon Web Services accounts where you want to run the association. Use this action to update an association in multiple Regions and multiple accounts.
TargetMaps
A key-value mapping of document parameters to target resources. Both Targets and TargetMaps can't be specified together.
Targets
The targets of the association.
AssociationDescription
The description of the association that was updated.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidSchedule
The schedule is invalid. Verify your cron or rate expression and try again.
InvalidParameters
You must specify values for all required parameters in the Amazon Web Services Systems Manager document (SSM document). You can only supply values to parameters defined in the SSM document.
InvalidOutputLocation
The output location isn't valid or doesn't exist.
InvalidDocumentVersion
The document version isn't valid or doesn't exist.
AssociationDoesNotExist
The specified association doesn't exist.
InvalidUpdate
The update isn't valid.
TooManyUpdates
There are concurrent updates for a resource that supports one update at a time.
InvalidDocument
The specified SSM document doesn't exist.
InvalidTarget
The target isn't valid or doesn't exist. It might not be configured for Systems Manager or you might not have permission to perform the operation.
InvalidAssociationVersion
The version you specified isn't valid. Use ListAssociationVersions to
view all versions of an association according to the association ID.
Or, use the $LATEST parameter to view the latest version of the
association.
AssociationVersionLimitExceeded
You have reached the maximum number versions allowed for an association. Each association has a limit of 1,000 versions.
InvalidTargetMaps
TargetMap parameter isn't valid.
METHOD
POST
REQUEST URI
/
Updates the status of the Amazon Web Services Systems Manager document (SSM document) associated with the specified managed node.
UpdateAssociationStatus is primarily used by the Amazon Web Services
Systems Manager Agent (SSM Agent) to report status updates about your
associations and is only used for associations created with the
InstanceId legacy parameter.
AssociationStatus
The association status.
InstanceId
The managed node ID.
Name
The name of the SSM document.
AssociationDescription
Information about the association.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidInstanceId
The following problems can cause this exception:
Running,
Pending, Stopped, and Stopping. Invalid states are:
Shutting-down and Terminated.InvalidDocument
The specified SSM document doesn't exist.
AssociationDoesNotExist
The specified association doesn't exist.
StatusUnchanged
The updated status is the same as the current status.
TooManyUpdates
There are concurrent updates for a resource that supports one update at a time.
METHOD
POST
REQUEST URI
/
Updates one or more values for an SSM document.
Attachments
A list of key-value pairs that describe attachments to a version of a document.
Content
A valid JSON or YAML string.
DisplayName
The friendly name of the SSM document that you want to update. This value can differ for each version of the document. If you don't specify a value for this parameter in your request, the existing value is applied to the new document version.
DocumentFormat
Specify the document format for the new document version. Systems Manager supports JSON and YAML documents. JSON is the default format.
DocumentVersion
The version of the document that you want to update. Currently, Systems
Manager supports updating only the latest version of the document. You
can specify the version number of the latest version or use the
$LATEST variable.
If you change a document version for a State Manager association,
Systems Manager immediately runs the association unless you previously
specifed the apply-only-at-cron-interval parameter.
Name
The name of the SSM document that you want to update.
TargetType
Specify a new target type for the document.
VersionName
An optional field specifying the version of the artifact you are updating with the document. For example, 12.6. This value is unique across all versions of a document, and can't be changed.
DocumentDescription
A description of the document that was updated.
ERRORS
MaxDocumentSizeExceeded
The size limit of a document is 64 KB.
DocumentVersionLimitExceeded
The document has too many versions. Delete one or more document versions and try again.
InternalServerError
An error occurred on the server side.
DuplicateDocumentContent
The content of the association document matches another document. Change the content of the document and try again.
DuplicateDocumentVersionName
The version name has already been used in this document. Specify a different version name, and then try again.
InvalidDocumentContent
The content for the document isn't valid.
InvalidDocumentVersion
The document version isn't valid or doesn't exist.
InvalidDocumentSchemaVersion
The version of the document schema isn't supported.
InvalidDocument
The specified SSM document doesn't exist.
InvalidDocumentOperation
You attempted to delete a document while it is still shared. You must stop sharing the document before you can delete it.
METHOD
POST
REQUEST URI
/
Set the default version of a document.
If you change a document version for a State Manager association,
Systems Manager immediately runs the association unless you previously
specifed the apply-only-at-cron-interval parameter.
DocumentVersion
The version of a custom document that you want to set as the default version.
Name
The name of a custom document that you want to set as the default version.
Description
The description of a custom document that you want to set as the default version.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidDocument
The specified SSM document doesn't exist.
InvalidDocumentVersion
The document version isn't valid or doesn't exist.
InvalidDocumentSchemaVersion
The version of the document schema isn't supported.
METHOD
POST
REQUEST URI
/
Updates information related to approval reviews for a specific version of a change template in Change Manager.
DocumentReviews
The change template review details to update.
DocumentVersion
The version of a change template in which to update approval metadata.
Name
The name of the change template for which a version's metadata is to be updated.
ERRORS
InternalServerError
An error occurred on the server side.
InvalidDocument
The specified SSM document doesn't exist.
InvalidDocumentOperation
You attempted to delete a document while it is still shared. You must stop sharing the document before you can delete it.
InvalidDocumentVersion
The document version isn't valid or doesn't exist.
METHOD
POST
REQUEST URI
/
Updates an existing maintenance window. Only specified parameters are modified.
The value you specify for Duration determines the specific end time
for the maintenance window based on the time it begins. No maintenance
window tasks are permitted to start after the resulting endtime minus
the number of hours you specify for Cutoff. For example, if the
maintenance window starts at 3 PM, the duration is three hours, and the
value you specify for Cutoff is one hour, no maintenance window
tasks can start after 5 PM.
AllowUnassociatedTargets
Whether targets must be registered with the maintenance window before tasks can be defined for those targets.
Cutoff
The number of hours before the end of the maintenance window that Amazon Web Services Systems Manager stops scheduling new tasks for execution.
Description
An optional description for the update request.
Duration
The duration of the maintenance window in hours.
Enabled
Whether the maintenance window is enabled.
EndDate
The date and time, in ISO-8601 Extended format, for when you want the
maintenance window to become inactive. EndDate allows you to set a
date and time in the future when the maintenance window will no longer
run.
Name
The name of the maintenance window.
Replace
If True, then all fields that are required by the
CreateMaintenanceWindow operation are also required for this API
request. Optional fields that aren't specified are set to null.
Schedule
The schedule of the maintenance window in the form of a cron or rate expression.
ScheduleOffset
The number of days to wait after the date and time specified by a cron expression before running the maintenance window.
For example, the following cron expression schedules a maintenance window to run the third Tuesday of every month at 11:30 PM.
cron(30 23 ? * TUE#3 *)
If the schedule offset is 2, the maintenance window won't run until
two days later.
ScheduleTimezone
The time zone that the scheduled maintenance window executions are based on, in Internet Assigned Numbers Authority (IANA) format. For example: "America/Los_Angeles", "UTC", or "Asia/Seoul". For more information, see the Time Zone Database (https://www.iana.org/time-zones) on the IANA website.
StartDate
The date and time, in ISO-8601 Extended format, for when you want the
maintenance window to become active. StartDate allows you to delay
activation of the maintenance window until the specified future date.
When using a rate schedule, if you provide a start date that occurs in the past, the current date and time are used as the start date.
WindowId
The ID of the maintenance window to update.
AllowUnassociatedTargets
Whether targets must be registered with the maintenance window before tasks can be defined for those targets.
Cutoff
The number of hours before the end of the maintenance window that Amazon Web Services Systems Manager stops scheduling new tasks for execution.
Description
An optional description of the update.
Duration
The duration of the maintenance window in hours.
Enabled
Whether the maintenance window is enabled.
EndDate
The date and time, in ISO-8601 Extended format, for when the maintenance window is scheduled to become inactive. The maintenance window won't run after this specified time.
Name
The name of the maintenance window.
Schedule
The schedule of the maintenance window in the form of a cron or rate expression.
ScheduleOffset
The number of days to wait to run a maintenance window after the scheduled cron expression date and time.
ScheduleTimezone
The time zone that the scheduled maintenance window executions are based on, in Internet Assigned Numbers Authority (IANA) format. For example: "America/Los_Angeles", "UTC", or "Asia/Seoul". For more information, see the Time Zone Database (https://www.iana.org/time-zones) on the IANA website.
StartDate
The date and time, in ISO-8601 Extended format, for when the maintenance window is scheduled to become active. The maintenance window won't run before this specified time.
WindowId
The ID of the created maintenance window.
ERRORS
DoesNotExistException
Error returned when the ID specified for a resource, such as a maintenance window or patch baseline, doesn't exist.
For information about resource quotas in Amazon Web Services Systems Manager, see Systems Manager service quotas (https://docs.aws.amazon.com/general/latest/gr/ssm.html#limits_ssm) in the Amazon Web Services General Reference.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Modifies the target of an existing maintenance window. You can change the following:
If a parameter is null, then the corresponding field isn't modified.
Description
An optional description for the update.
Name
A name for the update.
OwnerInformation
User-provided value that will be included in any Amazon CloudWatch Events events raised while running tasks for these targets in this maintenance window.
Replace
If True, then all fields that are required by the
RegisterTargetWithMaintenanceWindow operation are also required for
this API request. Optional fields that aren't specified are set to
null.
Targets
The targets to add or replace.
WindowId
The maintenance window ID with which to modify the target.
WindowTargetId
The target ID to modify.
Description
The updated description.
Name
The updated name.
OwnerInformation
The updated owner.
Targets
The updated targets.
WindowId
The maintenance window ID specified in the update request.
WindowTargetId
The target ID specified in the update request.
ERRORS
DoesNotExistException
Error returned when the ID specified for a resource, such as a maintenance window or patch baseline, doesn't exist.
For information about resource quotas in Amazon Web Services Systems Manager, see Systems Manager service quotas (https://docs.aws.amazon.com/general/latest/gr/ssm.html#limits_ssm) in the Amazon Web Services General Reference.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Modifies a task assigned to a maintenance window. You can't change the task type, but you can change the following values:
TaskARN. For example, you can change a RUN_COMMAND task from
AWS-RunPowerShellScript to AWS-RunShellScript.ServiceRoleArnTaskInvocationParametersPriorityMaxConcurrencyMaxErrorsOne or more targets must be specified for maintenance window Run Command-type tasks. Depending on the task, targets are optional for other maintenance window task types (Automation, Lambda, and Step Functions). For more information about running tasks that don't specify targets, see Registering maintenance window tasks without targets (https://docs.aws.amazon.com/systems-manager/latest/userguide/maintenance-windows-targetless-tasks.html) in the Amazon Web Services Systems Manager User Guide.
If the value for a parameter in UpdateMaintenanceWindowTask is null,
then the corresponding field isn't modified. If you set Replace to
true, then all fields required by the RegisterTaskWithMaintenanceWindow
operation are required for this request. Optional fields that aren't
specified are set to null.
When you update a maintenance window task that has options specified in
TaskInvocationParameters, you must provide again all the
TaskInvocationParameters values that you want to retain. The values
you don't specify again are removed. For example, suppose that when you
registered a Run Command task, you specified
TaskInvocationParameters values for Comment,
NotificationConfig, and OutputS3BucketName. If you update the
maintenance window task and specify only a different
OutputS3BucketName value, the values for Comment and
NotificationConfig are removed.
AlarmConfiguration
The CloudWatch alarm you want to apply to your maintenance window task.
CutoffBehavior
Indicates whether tasks should continue to run after the cutoff time specified in the maintenance windows is reached.
CONTINUE_TASK: When the cutoff time is reached, any tasks that are
running continue. The default value.CANCEL_TASK:
The status for tasks that are not completed is TIMED_OUT.
Description
The new task description to specify.
LoggingInfo
The new logging location in Amazon S3 to specify.
LoggingInfo has been deprecated. To specify an Amazon Simple Storage
Service (Amazon S3) bucket to contain logs, instead use the
OutputS3BucketName and OutputS3KeyPrefix options in the
TaskInvocationParameters structure. For information about how Amazon
Web Services Systems Manager handles these options for the supported
maintenance window task types, see
MaintenanceWindowTaskInvocationParameters.
MaxConcurrency
The new MaxConcurrency value you want to specify. MaxConcurrency
is the number of targets that are allowed to run this task, in
parallel.
Although this element is listed as "Required: No", a value can be omitted only when you are registering or updating a targetless task (https://docs.aws.amazon.com/systems-manager/latest/userguide/maintenance-windows-targetless-tasks.html) You must provide a value in all other cases.
For maintenance window tasks without a target specified, you can't
supply a value for this option. Instead, the system inserts a
placeholder value of 1. This value doesn't affect the running of
your task.
MaxErrors
The new MaxErrors value to specify. MaxErrors is the maximum
number of errors that are allowed before the task stops being
scheduled.
Although this element is listed as "Required: No", a value can be omitted only when you are registering or updating a targetless task (https://docs.aws.amazon.com/systems-manager/latest/userguide/maintenance-windows-targetless-tasks.html) You must provide a value in all other cases.
For maintenance window tasks without a target specified, you can't
supply a value for this option. Instead, the system inserts a
placeholder value of 1. This value doesn't affect the running of
your task.
Name
The new task name to specify.
Priority
The new task priority to specify. The lower the number, the higher the priority. Tasks that have the same priority are scheduled in parallel.
Replace
If True, then all fields that are required by the RegisterTaskWithMaintenanceWindow operation are also required for this API request. Optional fields that aren't specified are set to null.
ServiceRoleArn
The Amazon Resource Name (ARN) of the IAM service role for Amazon Web
Services Systems Manager to assume when running a maintenance window
task. If you do not specify a service role ARN, Systems Manager uses a
service-linked role in your account. If no appropriate service-linked
role for Systems Manager exists in your account, it is created when you
run RegisterTaskWithMaintenanceWindow.
However, for an improved security posture, we strongly recommend creating a custom policy and custom service role for running your maintenance window tasks. The policy can be crafted to provide only the permissions needed for your particular maintenance window tasks. For more information, see Setting up Maintenance Windows (https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-maintenance-permissions.html) in the in the Amazon Web Services Systems Manager User Guide.
Targets
The targets (either managed nodes or tags) to modify. Managed nodes are
specified using the format
Key=instanceids,Values=instanceID_1,instanceID_2. Tags are specified
using the format Key=tag_name,Values=tag_value.
One or more targets must be specified for maintenance window Run Command-type tasks. Depending on the task, targets are optional for other maintenance window task types (Automation, Lambda, and Step Functions). For more information about running tasks that don't specify targets, see Registering maintenance window tasks without targets (https://docs.aws.amazon.com/systems-manager/latest/userguide/maintenance-windows-targetless-tasks.html) in the Amazon Web Services Systems Manager User Guide.
TaskArn
The task ARN to modify.
TaskInvocationParameters
The parameters that the task should use during execution. Populate only the fields that match the task type. All other fields should be empty.
When you update a maintenance window task that has options specified in
TaskInvocationParameters, you must provide again all the
TaskInvocationParameters values that you want to retain. The values
you don't specify again are removed. For example, suppose that when you
registered a Run Command task, you specified
TaskInvocationParameters values for Comment,
NotificationConfig, and OutputS3BucketName. If you update the
maintenance window task and specify only a different
OutputS3BucketName value, the values for Comment and
NotificationConfig are removed.
TaskParameters
The parameters to modify.
TaskParameters has been deprecated. To specify parameters to pass to
a task when it runs, instead use the Parameters option in the
TaskInvocationParameters structure. For information about how
Systems Manager handles these options for the supported maintenance
window task types, see MaintenanceWindowTaskInvocationParameters.
The map has the following format:
Key: string, between 1 and 255 characters
Value: an array of strings, each string is between 1 and 255 characters
WindowId
The maintenance window ID that contains the task to modify.
WindowTaskId
The task ID to modify.
AlarmConfiguration
The details for the CloudWatch alarm you applied to your maintenance window task.
CutoffBehavior
The specification for whether tasks should continue to run after the cutoff time specified in the maintenance windows is reached.
Description
The updated task description.
LoggingInfo
The updated logging information in Amazon S3.
LoggingInfo has been deprecated. To specify an Amazon Simple Storage
Service (Amazon S3) bucket to contain logs, instead use the
OutputS3BucketName and OutputS3KeyPrefix options in the
TaskInvocationParameters structure. For information about how Amazon
Web Services Systems Manager handles these options for the supported
maintenance window task types, see
MaintenanceWindowTaskInvocationParameters.
MaxConcurrency
The updated MaxConcurrency value.
MaxErrors
The updated MaxErrors value.
Name
The updated task name.
Priority
The updated priority value.
ServiceRoleArn
The Amazon Resource Name (ARN) of the IAM service role for Amazon Web
Services Systems Manager to assume when running a maintenance window
task. If you do not specify a service role ARN, Systems Manager uses a
service-linked role in your account. If no appropriate service-linked
role for Systems Manager exists in your account, it is created when you
run RegisterTaskWithMaintenanceWindow.
However, for an improved security posture, we strongly recommend creating a custom policy and custom service role for running your maintenance window tasks. The policy can be crafted to provide only the permissions needed for your particular maintenance window tasks. For more information, see Setting up Maintenance Windows (https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-maintenance-permissions.html) in the in the Amazon Web Services Systems Manager User Guide.
Targets
The updated target values.
TaskArn
The updated task ARN value.
TaskInvocationParameters
The updated parameter values.
TaskParameters
The updated parameter values.
TaskParameters has been deprecated. To specify parameters to pass to
a task when it runs, instead use the Parameters option in the
TaskInvocationParameters structure. For information about how
Systems Manager handles these options for the supported maintenance
window task types, see MaintenanceWindowTaskInvocationParameters.
WindowId
The ID of the maintenance window that was updated.
WindowTaskId
The task ID of the maintenance window that was updated.
ERRORS
DoesNotExistException
Error returned when the ID specified for a resource, such as a maintenance window or patch baseline, doesn't exist.
For information about resource quotas in Amazon Web Services Systems Manager, see Systems Manager service quotas (https://docs.aws.amazon.com/general/latest/gr/ssm.html#limits_ssm) in the Amazon Web Services General Reference.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Changes the Identity and Access Management (IAM) role that is assigned to the on-premises server, edge device, or virtual machines (VM). IAM roles are first assigned to these hybrid nodes during the activation process. For more information, see CreateActivation.
IamRole
The name of the Identity and Access Management (IAM) role that you want
to assign to the managed node. This IAM role must provide AssumeRole
permissions for the Amazon Web Services Systems Manager service
principal ssm.amazonaws.com. For more information, see Create the
IAM service role required for Systems Manager in hybrid and multicloud
environments
(https://docs.aws.amazon.com/systems-manager/latest/userguide/hybrid-multicloud-service-role.html)
in the Amazon Web Services Systems Manager User Guide.
You can't specify an IAM service-linked role for this parameter. You must create a unique role.
InstanceId
The ID of the managed node where you want to update the role.
ERRORS
InvalidInstanceId
The following problems can cause this exception:
Running,
Pending, Stopped, and Stopping. Invalid states are:
Shutting-down and Terminated.InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Edit or change an OpsItem. You must have permission in Identity and Access Management (IAM) to update an OpsItem. For more information, see Set up OpsCenter (https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter-setup.html) in the Amazon Web Services Systems Manager User Guide.
Operations engineers and IT professionals use Amazon Web Services Systems Manager OpsCenter to view, investigate, and remediate operational issues impacting the performance and health of their Amazon Web Services resources. For more information, see Amazon Web Services Systems Manager OpsCenter (https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter.html) in the Amazon Web Services Systems Manager User Guide.
ActualEndTime
The time a runbook workflow ended. Currently reported only for the
OpsItem type /aws/changerequest.
ActualStartTime
The time a runbook workflow started. Currently reported only for the
OpsItem type /aws/changerequest.
Category
Specify a new category for an OpsItem.
Description
User-defined text that contains information about the OpsItem, in Markdown format.
Notifications
The Amazon Resource Name (ARN) of an SNS topic where notifications are sent when this OpsItem is edited or changed.
OperationalData
Add new keys or edit existing key-value pairs of the OperationalData map in the OpsItem object.
Operational data is custom data that provides useful reference details about the OpsItem. For example, you can specify log files, error strings, license keys, troubleshooting tips, or other relevant data. You enter operational data as key-value pairs. The key has a maximum length of 128 characters. The value has a maximum size of 20 KB.
Operational data keys can't begin with the following: amazon,
aws, amzn, ssm, /amazon, /aws, /amzn, /ssm.
You can choose to make the data searchable by other users in the account or you can restrict search access. Searchable data means that all users with access to the OpsItem Overview page (as provided by the DescribeOpsItems API operation) can view and search on the specified data. Operational data that isn't searchable is only viewable by users who have access to the OpsItem (as provided by the GetOpsItem API operation).
Use the /aws/resources key in OperationalData to specify a related
resource in the request. Use the /aws/automations key in
OperationalData to associate an Automation runbook with the OpsItem. To
view Amazon Web Services CLI example commands that use these keys, see
Creating OpsItems manually
(https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter-manually-create-OpsItems.html)
in the Amazon Web Services Systems Manager User Guide.
OperationalDataToDelete
Keys that you want to remove from the OperationalData map.
OpsItemArn
The OpsItem Amazon Resource Name (ARN).
OpsItemId
The ID of the OpsItem.
PlannedEndTime
The time specified in a change request for a runbook workflow to end.
Currently supported only for the OpsItem type /aws/changerequest.
PlannedStartTime
The time specified in a change request for a runbook workflow to start.
Currently supported only for the OpsItem type /aws/changerequest.
Priority
The importance of this OpsItem in relation to other OpsItems in the system.
RelatedOpsItems
One or more OpsItems that share something in common with the current OpsItems. For example, related OpsItems can include OpsItems with similar error messages, impacted resources, or statuses for the impacted resource.
Severity
Specify a new severity for an OpsItem.
Status
The OpsItem status. For more information, see Editing OpsItem details (https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter-working-with-OpsItems-editing-details.html) in the Amazon Web Services Systems Manager User Guide.
Title
A short heading that describes the nature of the OpsItem and the impacted resource.
ERRORS
InternalServerError
An error occurred on the server side.
OpsItemNotFoundException
The specified OpsItem ID doesn't exist. Verify the ID and try again.
OpsItemAlreadyExistsException
The OpsItem already exists.
OpsItemLimitExceededException
The request caused OpsItems to exceed one or more quotas.
OpsItemInvalidParameterException
A specified parameter argument isn't valid. Verify the available arguments and try again.
OpsItemAccessDeniedException
You don't have permission to view OpsItems in the specified account. Verify that your account is configured either as a Systems Manager delegated administrator or that you are logged into the Organizations management account.
OpsItemConflictException
The specified OpsItem is in the process of being deleted.
METHOD
POST
REQUEST URI
/
Amazon Web Services Systems Manager calls this API operation when you edit OpsMetadata in Application Manager.
KeysToDelete
The metadata keys to delete from the OpsMetadata object.
MetadataToUpdate
Metadata to add to an OpsMetadata object.
OpsMetadataArn
The Amazon Resource Name (ARN) of the OpsMetadata Object to update.
OpsMetadataArn
The Amazon Resource Name (ARN) of the OpsMetadata Object that was updated.
ERRORS
OpsMetadataNotFoundException
The OpsMetadata object doesn't exist.
OpsMetadataInvalidArgumentException
One of the arguments passed is invalid.
OpsMetadataKeyLimitExceededException
The OpsMetadata object exceeds the maximum number of OpsMetadata keys that you can assign to an application in Application Manager.
OpsMetadataTooManyUpdatesException
The system is processing too many concurrent updates. Wait a few moments and try again.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Modifies an existing patch baseline. Fields not specified in the request are left unchanged.
For information about valid key-value pairs in PatchFilters for each
supported operating system type, see PatchFilter.
ApprovalRules
A set of rules used to include patches in the baseline.
ApprovedPatches
A list of explicitly approved patches for the baseline.
For information about accepted formats for lists of approved patches and rejected patches, see Package name formats for approved and rejected patch lists (https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-approved-rejected-package-name-formats.html) in the Amazon Web Services Systems Manager User Guide.
ApprovedPatchesComplianceLevel
Assigns a new compliance severity level to an existing patch baseline.
ApprovedPatchesEnableNonSecurity
Indicates whether the list of approved patches includes non-security
updates that should be applied to the managed nodes. The default value
is false. Applies to Linux managed nodes only.
AvailableSecurityUpdatesComplianceStatus
Indicates the status to be assigned to security patches that are available but not approved because they don't meet the installation criteria specified in the patch baseline.
Example scenario: Security patches that you might want installed can be skipped if you have specified a long period to wait after a patch is released before installation. If an update to the patch is released during your specified waiting period, the waiting period for installing the patch starts over. If the waiting period is too long, multiple versions of the patch could be released but never installed.
Supported for Windows Server managed nodes only.
BaselineId
The ID of the patch baseline to update.
Description
A description of the patch baseline.
GlobalFilters
A set of global filters used to include patches in the baseline.
The GlobalFilters parameter can be configured only by using the CLI
or an Amazon Web Services SDK. It can't be configured from the Patch
Manager console, and its value isn't displayed in the console.
Name
The name of the patch baseline.
RejectedPatches
A list of explicitly rejected patches for the baseline.
For information about accepted formats for lists of approved patches and rejected patches, see Package name formats for approved and rejected patch lists (https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-approved-rejected-package-name-formats.html) in the Amazon Web Services Systems Manager User Guide.
RejectedPatchesAction
The action for Patch Manager to take on patches included in the
RejectedPackages list.
ALLOW_AS_DEPENDENCY
Linux and macOS: A package in the rejected patches list is installed
only if it is a dependency of another package. It is considered
compliant with the patch baseline, and its status is reported as
INSTALLED_OTHER. This is the default action if no option is
specified.
Windows Server: Windows Server doesn't support the concept of
package dependencies. If a package in the rejected patches list and
already installed on the node, its status is reported as
INSTALLED_OTHER. Any package not already installed on the node is
skipped. This is the default action if no option is specified.
BLOCK
All OSs: Packages in the rejected patches list, and packages that
include them as dependencies, aren't installed by Patch Manager under
any circumstances. If a package was installed before it was added to
the rejected patches list, or is installed outside of Patch Manager
afterward, it's considered noncompliant with the patch baseline and its
status is reported as INSTALLED_REJECTED.
Replace
If True, then all fields that are required by the CreatePatchBaseline operation are also required for this API request. Optional fields that aren't specified are set to null.
Sources
Information about the patches to use to update the managed nodes, including target operating systems and source repositories. Applies to Linux managed nodes only.
ApprovalRules
A set of rules used to include patches in the baseline.
ApprovedPatches
A list of explicitly approved patches for the baseline.
ApprovedPatchesComplianceLevel
The compliance severity level assigned to the patch baseline after the update completed.
ApprovedPatchesEnableNonSecurity
Indicates whether the list of approved patches includes non-security
updates that should be applied to the managed nodes. The default value
is false. Applies to Linux managed nodes only.
AvailableSecurityUpdatesComplianceStatus
Indicates the compliance status of managed nodes for which
security-related patches are available but were not approved. This
preference is specified when the CreatePatchBaseline or
UpdatePatchBaseline commands are run.
Applies to Windows Server managed nodes only.
BaselineId
The ID of the deleted patch baseline.
CreatedDate
The date when the patch baseline was created.
Description
A description of the patch baseline.
GlobalFilters
A set of global filters used to exclude patches from the baseline.
ModifiedDate
The date when the patch baseline was last modified.
Name
The name of the patch baseline.
OperatingSystem
The operating system rule used by the updated patch baseline.
RejectedPatches
A list of explicitly rejected patches for the baseline.
RejectedPatchesAction
The action specified to take on patches included in the
RejectedPatches list. A patch can be allowed only if it is a
dependency of another package, or blocked entirely along with packages
that include it as a dependency.
Sources
Information about the patches to use to update the managed nodes, including target operating systems and source repositories. Applies to Linux managed nodes only.
ERRORS
DoesNotExistException
Error returned when the ID specified for a resource, such as a maintenance window or patch baseline, doesn't exist.
For information about resource quotas in Amazon Web Services Systems Manager, see Systems Manager service quotas (https://docs.aws.amazon.com/general/latest/gr/ssm.html#limits_ssm) in the Amazon Web Services General Reference.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
Update a resource data sync. After you create a resource data sync for
a Region, you can't change the account options for that sync. For
example, if you create a sync in the us-east-2 (Ohio) Region and you
choose the Include only the current account option, you can't edit
that sync later and choose the Include all accounts from my
Organizations configuration option. Instead, you must delete the first
resource data sync, and create a new one.
This API operation only supports a resource data sync that was created
with a SyncFromSource SyncType.
SyncName
The name of the resource data sync you want to update.
SyncSource
Specify information about the data sources to synchronize.
SyncType
The type of resource data sync. The supported SyncType is
SyncFromSource.
ERRORS
ResourceDataSyncNotFoundException
The specified sync name wasn't found.
ResourceDataSyncInvalidConfigurationException
The specified sync configuration is invalid.
ResourceDataSyncConflictException
Another UpdateResourceDataSync request is being processed. Wait a
few minutes and try again.
InternalServerError
An error occurred on the server side.
METHOD
POST
REQUEST URI
/
ServiceSetting is an account-level setting for an Amazon Web
Services service. This setting defines how a user interacts with or
uses a service or a feature of a service. For example, if an Amazon Web
Services service charges money to the account based on feature or
service usage, then the Amazon Web Services service team might create a
default setting of "false". This means the user can't use this feature
unless they change the setting to "true" and intentionally opt in for a
paid feature.
Services map a SettingId object to a setting value. Amazon Web
Services services teams define the default value for a SettingId.
You can't create a new SettingId, but you can overwrite the default
value if you have the ssm:UpdateServiceSetting permission for the
setting. Use the GetServiceSetting API operation to view the current
value. Or, use the ResetServiceSetting to change the value back to the
original value defined by the Amazon Web Services service team.
Update the service setting for the account.
SettingId
The Amazon Resource Name (ARN) of the service setting to update. For
example,
arn:aws:ssm:us-east-1:111122223333:servicesetting/ssm/parameter-store/high-throughput-enabled.
The setting ID can be one of the following.
/ssm/appmanager/appmanager-enabled/ssm/automation/customer-script-log-destination/ssm/automation/customer-script-log-group-name/ssm/documents/console/public-sharing-permission/ssm/managed-instance/activation-tier/ssm/managed-instance/default-ec2-instance-management-role/ssm/opsinsights/opscenter/ssm/parameter-store/default-parameter-tier/ssm/parameter-store/high-throughput-enabled Permissions to update the
/ssm/managed-instance/default-ec2-instance-management-role setting
should only be provided to administrators. Implement least privilege
access when allowing individuals to configure or modify the Default
Host Management Configuration.
SettingValue
The new value to specify for the service setting. The following list specifies the available values for each setting.
/ssm/appmanager/appmanager-enabled, enter True or False./ssm/automation/customer-script-log-destination, enter
CloudWatch./ssm/automation/customer-script-log-group-name, enter the name
of an Amazon CloudWatch Logs log group./ssm/documents/console/public-sharing-permission, enter
Enable or Disable./ssm/managed-instance/activation-tier, enter standard or
advanced./ssm/managed-instance/default-ec2-instance-management-role,
enter the name of an IAM role./ssm/opsinsights/opscenter, enter Enabled or Disabled./ssm/parameter-store/default-parameter-tier, enter Standard,
Advanced, or Intelligent-Tiering/ssm/parameter-store/high-throughput-enabled, enter true or
false.ERRORS
InternalServerError
An error occurred on the server side.
ServiceSettingNotFound
The specified service setting wasn't found. Either the service name or the setting hasn't been provisioned by the Amazon Web Services service team.
TooManyUpdates
There are concurrent updates for a resource that supports one update at a time.
METHOD
POST
REQUEST URI
/
Autogenerated by /home/rlauer/lib/perl5/Amazon/API/Botocore.pm at Mon Oct 6 17:03:36 2025
This module is free software it may be used, redistributed and/or modified under the same terms as Perl itself.