Integration and monitoringSecurity and billingIntermediate23 min read

What Is Systems Manager? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

Systems Manager is a tool that helps IT teams manage many computers from one place. It automates tasks like installing updates, running commands, and checking system health. Think of it as a remote control for your entire server room, letting you enforce security policies and fix issues without logging into each machine individually.

Commonly Confused With

Systems ManagervsAWS Config

AWS Config records configuration changes to AWS resources and evaluates them against compliance rules. It is a monitoring and auditing service. Systems Manager actively manages instances by patching, running commands, and enforcing desired states. Config tells you what changed, while Systems Manager can automatically fix what changed.

If a security group rule is deleted, AWS Config will log the change. Systems Manager would not detect that, but if you set up a State Manager association to maintain a security group, it would reapply the rule.

Systems ManagervsAWS OpsWorks

AWS OpsWorks is a configuration management service that uses Chef or Puppet to manage servers. Systems Manager is simpler, agent-based, and designed for organizational policy enforcement rather than infrastructure-as-code. OpsWorks is better for complex application deployments, while Systems Manager excels at operational tasks like patching and inventory.

If you need to deploy a web application with multiple layers and dependencies, OpsWorks is a good fit. If you just need to ensure all servers have the latest security patches, Systems Manager is the right choice.

Systems ManagervsAWS Systems Manager Patch Manager vs. AWS Systems Manager State Manager

Patch Manager is specifically for patch compliance and deployment. State Manager is for general configuration enforcement, such as ensuring a specific script is always running or a registry key is always set. They overlap but have different primary use cases.

Use Patch Manager to install Windows updates. Use State Manager to ensure that a custom monitoring agent is always installed and running on every instance.

Systems ManagervsAmazon EC2 Systems Manager (SSM) vs. AWS CodeDeploy

CodeDeploy automates application deployments to EC2 instances, Lambda, or on-premises. Systems Manager handles operational management (patching, commands, inventory) rather than application release pipelines.

Use CodeDeploy to push a new version of your web app. Use Systems Manager to then run a command to restart the web server and verify the deployment succeeded.

Must Know for Exams

Systems Manager is a core topic in the AWS Certified Solutions Architect Associate (SAA-C03) and AWS Certified SysOps Administrator Associate (SOA-C02) exams. It also appears, though less frequently, in the AWS Security Specialty (SCS-C01) and AWS DevOps Engineer Professional (DOP-C01). In the AWS Solutions Architect exam, questions typically test your ability to choose the right service for centralizing patch management, running commands across instances, or automating instance configuration without exposing SSH. For example, an exam question might describe a scenario where an administrator needs to apply a security patch to 100 EC2 instances without using a bastion host, and you must recommend Systems Manager Patch Manager.

In the SysOps exam, questions go deeper into operational details. You might be asked about the prerequisites for Systems Manager to work: what IAM role must the EC2 instance have, which subnets must allow outbound HTTPS traffic, and how to register on-premises servers. Questions often include troubleshooting steps, such as why an instance is not appearing in the managed instances list. Common causes include missing SSM Agent, wrong IAM permissions, or network connectivity issues.

In the Security Specialty exam, the focus is on how Systems Manager reduces the attack surface by eliminating inbound management ports and how it integrates with AWS Key Management Service (KMS) for encrypting command logs and session data. You may also encounter questions about Session Manager, a feature of Systems Manager that provides browser-based shell access to instances without opening any ports. For all exams, understanding the difference between Systems Manager and similar services like AWS Config (which focuses on recording resource changes for compliance) or AWS OpsWorks (a managed Chef/Puppet service) is critical. Questions often present a scenario with multiple requirements and ask you to pick the most appropriate service. The correct answer frequently involves Systems Manager because of its combination of patch management, state management, and command execution in a single, fully managed service.

Simple Meaning

Imagine you are the manager of a large office building with hundreds of identical desk cubicles. Each cubicle has a computer, a phone, and a lamp. Keeping every workstation identical, updated, and secure would be a nightmare if you had to walk to each cubicle, check the lamp bulb, install a new phone patch, and update the antivirus software one by one. Instead, you would want a central control panel, a single screen where you can see every cubicle’s status, push a button to replace all bulbs at once, schedule updates for the phones, and instantly lock down a machine that is behaving oddly.

That central control panel is exactly what Systems Manager does for virtual and physical servers in a data center or cloud environment. It gives administrators a web-based dashboard that shows the health, patch status, and configuration of every server they manage. They can define uniform policies, for example, every server must have the latest security updates installed by Tuesday at 2 a.m., and Systems Manager will automatically enforce that across the entire fleet. If a new server is launched, it automatically checks in with Systems Manager, receives its assignment, and conforms to the group policies. This eliminates human errors, ensures consistent security, and saves enormous amounts of time. The service also keeps a log of every action taken, which is crucial for auditing and compliance. In short, Systems Manager is the single pane of glass that turns chaotic server management into a predictable, automated process.

Full Technical Definition

Systems Manager is a cloud-based infrastructure management service that provides operational insight and automation for server fleets, whether they run on-premises, in a public cloud, or in hybrid environments. Its primary function is to act as a centralized orchestration layer that communicates with agent software installed on each managed instance. The agent periodically checks in with the Systems Manager endpoint using HTTPS (port 443) and sends telemetry data such as installed patches, running services, system metrics, and inventory details. The service uses a “pull” model: the agent initiates contact, pulls down the configuration document that defines the desired state for that instance, and then executes the necessary actions locally. The results are reported back and stored in a central database for reporting and alerting.

Systems Manager is built around several core components. The first is the “Run Command” feature, which allows an administrator to execute scripts or commands on any subset of instances without needing to SSH or RDP into them. Commands can be ad-hoc or scheduled, and they run with elevated privileges (using temporary credentials managed by the service). The second component is “Patch Manager,” which automates the process of patching operating systems and applications. Administrators define baseline policies (e.g., mandatory patches, approved patch lists, maintenance windows), and Patch Manager deploys patches according to a schedule, generating reports on compliance. The third major component is “State Manager,” which enforces a desired configuration state on instances. Administrators define an association between an instance and a configuration document (e.g., a bootstrapping script, a security hardening template, or an application install). State Manager periodically checks that the instance still conforms to that association and re-applies the configuration if it drifts.

Beyond these, Systems Manager also offers Automation, which allows complex multi-step workflows (like patching then rebooting then testing) to be run as a single atomic action. It integrates with Identity and Access Management (IAM) for fine-grained permissions and with CloudTrail for full audit logging. A key architectural point is that the agent never exposes inbound ports; all communication is outbound to the Systems Manager endpoint, which eliminates the need for bastion hosts and reduces the attack surface. The service is regional and can manage instances across multiple accounts using a feature called “Resource Groups.” To enable it, each instance must have an IAM role that grants the agent permission to call Systems Manager APIs. This role-based access model ensures that only authorized instances can be managed, and only authorized administrators can issue commands. In enterprise IT environments, Systems Manager is often used alongside configuration management tools like Ansible or Chef, but with the advantage that it is deeply integrated into the cloud platform’s native identity and networking controls.

Real-Life Example

Think of a large hospital with hundreds of patient rooms. Each room has a vital signs monitor, a call button, and a medication dispenser. The biomedical engineering team is responsible for making sure every monitor has the latest firmware, every call button works properly, and every dispenser has the correct lock settings. If they had to visit each room physically, they would never finish before something else broke. Instead, the hospital installs a central monitoring system.

Each medical device connects wirelessly to a central nursing station. From that station, an engineer can see the firmware version of every monitor, run a diagnostic script on all call buttons, and send a new configuration to every medication dispenser simultaneously. If a new security vulnerability is discovered in the dispenser’s lock, the engineer can push an encrypted update to all dispensers during the night shift, automatically, without waking any patient. The central station also logs every action for compliance with health regulators.

Now map this to Systems Manager. The hospital is your data center. The patient rooms are your servers. The vital signs monitor is the operating system. The central nursing station is the Systems Manager dashboard. The wireless connection is the secure HTTPS communication between the agent and the cloud service. The firmware update is a Patch Manager baseline. The diagnostic script is a Run Command. The security policy update is a State Manager association. The compliance log is CloudTrail. Just as the hospital gains efficiency, reliability, and security through centralization, an IT team with Systems Manager gains the same benefits across hundreds or thousands of servers.

Why This Term Matters

In modern IT environments, server fleets frequently scale to hundreds, thousands, or even tens of thousands of instances. Manually patching each one, checking configurations, or troubleshooting an issue is not only inefficient but also error-prone. A single missed patch can lead to a breach, a misconfiguration can cause an outage, and an inconsistent state across environments makes debugging nearly impossible. Systems Manager addresses these challenges head-on by providing a single, auditable, permission-controlled interface for all management operations.

For organizations that must comply with regulations such as HIPAA, PCI DSS, or SOC 2, Systems Manager’s built-in patch compliance reporting and configuration drift detection are invaluable. Auditors can pull reports showing exactly which patches were installed when, and which systems conform to the approved configuration. The service reduces operational risk by removing the need to open SSH or RDP ports to the internet. Because the agent only makes outbound connections, the attack surface is dramatically reduced. This is a fundamental shift in security architecture compared to traditional jump boxes.

From a cost perspective, Systems Manager eliminates the need for third-party configuration management tools and reduces the time senior engineers spend on routine maintenance. Automation of patching, bootstrapping, and compliance checks means junior staff can handle more tasks safely. The service also integrates with existing monitoring and incident response workflows, allowing teams to trigger automated remediation when a server reports a critical vulnerability. Systems Manager is not just a tool for convenience; it is a foundational component of a secure, scalable, and compliant IT operations practice.

How It Appears in Exam Questions

Exam questions about Systems Manager generally fall into three categories: scenario-based, configuration-based, and troubleshooting. In scenario-based questions, you are told about a company running hundreds of EC2 instances. The administrator needs to run a script on all instances at a specific time without manually connecting to each one, and the solution must not expose any inbound ports. The correct answer is to use Systems Manager Run Command with a maintenance window. Another common scenario is when an administrator needs to enforce a specific security configuration (e.g., disable root login, set password policies) on all new and existing instances. Here, the answer is to create a Systems Manager State Manager association with a document that applies that configuration.

Configuration-based questions ask you to identify the correct IAM policy or network setup. For example, “An EC2 instance with the SSM Agent installed is not showing in the Systems Manager console. What should you check?” The answer might be that the instance does not have an IAM instance profile that grants the ssm.amazonaws.com service principal permission. Or that the security group does not allow outbound HTTPS traffic to the Systems Manager endpoint. These questions test your understanding of the prerequisites. Another pattern is asking which AWS service can be used to establish a secure, auditable shell connection to an EC2 instance in a private subnet without a bastion host. The answer is Systems Manager Session Manager.

Troubleshooting questions often revolve around why an automation workflow fails. For instance, a Patch Manager baseline is configured but instances are not reporting as compliant. Possible reasons include the instance being in a different region, the time zone offset causing the maintenance window to be skipped, or the approval rules excluding the required patches. You might also be asked why a Run Command fails on some instances but works on others. The likely causes are the SSM Agent version being outdated, insufficient permissions on the instance, or a security group blocking the agent’s communication with the endpoint. Finally, multi-service questions might combine Systems Manager with AWS Config. For example, an administrator wants to detect when an EC2 instance’s security group changes and then automatically patch the instance. Systems Manager would handle the patching, while AWS Config would detect the change and trigger a Systems Manager Automation runbook. Being able to see these integration points is key to answering correctly.

Practise Systems Manager Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You are the IT operations engineer for a mid-sized e-commerce platform that runs on 50 Linux and 30 Windows EC2 instances. A critical security vulnerability has just been announced in the OpenSSL library, affecting all Linux servers. Your manager asks you to quickly assess which instances are vulnerable, apply the patch, and verify the results. You cannot manually SSH into 50 instances because it would take hours and some instances are in private subnets.

You open the Systems Manager console. First, you use the Patch Manager feature to create a patch baseline that includes the OpenSSL patch with an approval rule to install it immediately. You then select all Linux instances as targets. Because the instances already have the SSM Agent installed and the correct IAM role, they appear in the managed instances list. You schedule the patching to start in 10 minutes. Systems Manager pushes a command to each instance’s SSM Agent, which downloads and installs the patch, then reports the status back. Within 30 minutes, you see a compliance report showing that all 50 Linux instances are now patched and compliant.

Next, you want to run a script to verify that the patched version is correct. You use Run Command with a simple shell script that runs “openssl version” on each instance. The output is captured in the console and stored in Amazon S3. You can quickly scan the results and confirm the updated version. Finally, you use Systems Manager Session Manager to open a browser-based shell into one of the private instances to do a deeper verification. Throughout the entire process, you never opened SSH ports, never needed a bastion host, and generated a full audit trail for compliance. This scenario demonstrates how Systems Manager transforms a potentially chaotic emergency patching effort into a quick, secure, and auditable process.

Common Mistakes

Thinking Systems Manager is only for AWS EC2 instances in the same region.

Systems Manager can manage instances across multiple AWS regions, on-premises servers (via a hybrid activation), and even instances in other cloud providers, as long as the SSM Agent can communicate with the Systems Manager endpoint.

Remember that Systems Manager is multi-region and multi-environment. To manage on-premises servers, you create a managed instance activation and install the agent on them.

Assuming Systems Manager can manage instances without the SSM Agent installed.

The SSM Agent is required on every instance. Without it, the instance cannot communicate with the Systems Manager service, and it will not appear in the managed instances list.

Always verify that the SSM Agent is installed and running before attempting to use Systems Manager features. For EC2 instances, the agent is pre-installed on many AMIs, but for on-premises servers you must install it manually.

Believing that Systems Manager inbound traffic must be allowed in security groups.

Systems Manager operates on a pull model: the agent initiates all communication to the Systems Manager endpoint (outbound HTTPS). You do not need to open any inbound ports for Systems Manager to work.

Instead of opening inbound ports, ensure that the instance’s route allows outbound traffic to the Systems Manager endpoint (ssm.<region>.amazonaws.com) on port 443.

Thinking that Session Manager can be used without any IAM permissions.

Session Manager requires specific IAM permissions both on the user’s role and on the instance’s role. Without these, the session will fail to start.

Grant the user permission to call ssm:StartSession and the instance’s IAM role permission to call ssm:TerminateSession and related actions. Also, ensure the instance role has the AmazonSSMManagedInstanceCore managed policy attached.

Confusing State Manager with AWS Config rules.

State Manager enforces a desired configuration on instances (e.g., install a specific software, set a registry key). AWS Config records resource changes and can evaluate them against rules, but it does not automatically fix configurations on an ongoing basis.

Use State Manager when you want to continually enforce a configuration (and re-apply if drifted). Use AWS Config when you only need to audit and record configuration changes.

Exam Trap — Don't Get Fooled

{"trap":"The exam presents a scenario where an administrator needs to run a script on EC2 instances in a private subnet. The answer choices include Systems Manager Run Command, AWS Systems Manager Automation, and SSH with a bastion host. Many learners choose the bastion host because they think private subnets require inbound access."

,"why_learners_choose_it":"Learners often assume that to run commands on a private subnet instance, you must have an inbound connection. They are not aware that Systems Manager’s outbound-only model works perfectly for private subnets, as long as the instance can reach the Systems Manager endpoint via a NAT gateway or VPC endpoint.","how_to_avoid_it":"Remember that Systems Manager never requires inbound connections.

If the question states that the instance is in a private subnet, Systems Manager is often the best solution because it avoids the security risk of a bastion host. Always check if the answer choice uses the SSM Agent, if it does, it likely works in private subnets."

Step-by-Step Breakdown

1

Install the SSM Agent

The SSM Agent must be installed on every instance you want to manage. For many EC2 AMIs, it is pre-installed. For on-premises servers, you download and install it manually. The agent is the software that communicates with the Systems Manager service.

2

Attach an IAM Instance Role

The EC2 instance (or on-premises server) needs an IAM role that grants the agent permission to call Systems Manager APIs. At a minimum, attach the AmazonSSMManagedInstanceCore managed policy. This role is how Systems Manager authenticates the instance.

3

Ensure Network Connectivity

The instance must be able to reach the Systems Manager endpoint (ssm.<region>.amazonaws.com) over HTTPS (port 443). For private subnets, use a VPC endpoint (Interface type) or a NAT gateway. Without outbound connectivity, the agent cannot check in.

4

Register the instance with Systems Manager

Once the agent is installed and the IAM role is attached, the agent automatically registers with Systems Manager during its first check-in. The instance then appears in the Systems Manager console under Managed Instances. For on-premises servers, you manually create a managed instance activation first.

5

Define a Configuration Document (or use a default one)

Systems Manager uses documents (JSON or YAML) to define commands, patch baselines, or desired states. You can use AWS-provided documents (like AWS-RunShellScript) or create custom ones. For example, a State Manager association references a document that defines the configuration to enforce.

6

Create an Association or Send a Command

To run an ad-hoc command, you use Run Command. To enforce a persistent configuration, you create a State Manager association that links an instance (or group) to a document. You can schedule this to run periodically or on demand.

7

Monitor Results and Compliance

Systems Manager reports the status of each command or association. You can view logs in the console or stream them to Amazon S3 and CloudWatch Logs. Patch Manager produces compliance reports that show which instances are missing patches. This audit trail is essential for compliance and troubleshooting.

Practical Mini-Lesson

To use Systems Manager effectively in a real-world environment, you must first understand the prerequisites and common pitfalls. The most critical prerequisite is the IAM role. Many engineers forget to attach the right policy, or they attach it to the wrong entity. The instance must have an instance profile (for EC2) with at least the AmazonSSMManagedInstanceCore policy. For on-premises servers, you create a managed instance activation, which generates an activation code and ID; you then configure the agent with those credentials. If the instance does not show up in the managed instances list, nine times out of ten it is an IAM or networking issue.

Next, understand the difference between the two main types of interactions: command-based and state-based. Command-based (Run Command) is great for one-time tasks: run a script, restart a service, install a specific patch. State-based (State Manager) is for ongoing compliance: ensure that a certain application is always installed, maintain a specific firewall rule, enforce a registry key setting. In production, you will likely use both. For example, you might use State Manager to ensure the CrowdStrike agent is always installed and running, and then use Run Command to push an ad-hoc update to that agent.

Security groups are another area where professionals go wrong. Remember that Systems Manager does NOT require inbound ports. The agent itself opens no ports. However, if you use Session Manager to provide a shell to the instance, the Session Manager service communicates with the agent through the same outbound connection. There is still no inbound port. This is a major security advantage. When configuring security groups for an instance that will be managed by Systems Manager, you only need to allow outbound HTTPS (443) to the VPC endpoint or the public endpoint. That’s it.

Finally, consider cost. Systems Manager is a free service, but there are costs associated with the underlying infrastructure. For example, if you use a VPC Interface endpoint for Systems Manager, you pay per hour and per GB of data processed. If you use a NAT gateway, you pay for NAT gateway hours and data transfer. For large fleets, these costs can add up, so you should evaluate whether a VPC endpoint is more cost-effective than a NAT gateway. Also, storing command output in S3 incurs standard S3 costs, and logging to CloudWatch Logs also has costs. Being aware of these can help you design a cost-effective management solution. In practice, professionals often set up lifecycle hooks with Auto Scaling groups to automatically register new instances with Systems Manager, ensuring that the fleet is always compliant from the moment it boots.

Memory Tip

Think of Systems Manager as the 'remote control' for your server fleet: you press a button, and the agent does the work on every server, no login required.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Frequently Asked Questions

What is the SSM Agent, and is it required?

The SSM Agent is a small piece of software that runs on each managed instance. It is required for Systems Manager to work. It handles communication with the Systems Manager service, executes commands, and reports results. Without it, the instance cannot be managed.

Can Systems Manager manage on-premises servers?

Yes. You can register on-premises servers with Systems Manager by creating a managed instance activation. You then install the SSM Agent on the server and configure it with the activation code and ID. The server will then appear in the managed instances console.

Does Systems Manager require inbound ports to be open?

No. The SSM Agent always initiates communication to the Systems Manager endpoint over HTTPS (outbound). No inbound ports are required. This makes it much more secure than traditional bastion host solutions.

What is the difference between Run Command and State Manager?

Run Command is for one-time, ad-hoc execution of commands or scripts. State Manager is for enforcing a desired configuration on an ongoing basis. If you want to run a script now, use Run Command. If you want to ensure a configuration persists, use State Manager.

How does Systems Manager improve security?

It eliminates the need for SSH or RDP ports to be open, reduces exposure to attacks, and provides fine-grained IAM controls. Session Manager allows shell access without opening inbound ports. All actions are logged in CloudTrail for auditing.

Is Systems Manager free to use?

Systems Manager itself does not have a charge. However, you may incur costs for underlying resources such as VPC endpoints, NAT gateways, S3 storage for command output, and CloudWatch Logs for logs.

What IAM permission is needed for an EC2 instance to work with Systems Manager?

The EC2 instance’s IAM role must have the AmazonSSMManagedInstanceCore managed policy attached. This grants the necessary permissions for the agent to register, check in, and execute commands.

Summary

Systems Manager is a comprehensive AWS service that centralizes the operational management of server fleets, whether they live in the cloud or on-premises. It provides patch management, command execution, state enforcement, and secure shell access through a single, unified console. The key architectural principle is the outbound-only communication model: the SSM Agent contacts the service, eliminating the need for inbound ports and substantially reducing the attack surface. For IT professionals preparing for AWS certifications, understanding Systems Manager is essential because it appears across multiple exams, often in scenarios involving secure, automated management of instances in private subnets.

The service’s core features, Run Command, Patch Manager, State Manager, Session Manager, and Automation, each serve distinct operational needs, and exam questions frequently test the ability to select the right feature for a given scenario. Common pitfalls include neglecting the IAM role prerequisites, confusing Systems Manager with AWS Config or OpsWorks, and forgetting that it works in private subnets without inbound rules. A solid grasp of the prerequisites (agent, IAM role, network connectivity) and the pull model will allow you to answer both scenario-based and troubleshooting questions correctly. Systems Manager is a vital tool for modern IT operations and a recurring high-value topic in AWS certification exams.