This chapter covers AWS Systems Manager Inventory, a service that collects metadata from your managed instances—EC2 and on-premises—for visibility into software inventory, OS configurations, and installed updates. On the SOA-C02 exam, Inventory questions appear in approximately 5-8% of questions within the Deployment domain (Objective 3.2). Understanding how to configure, query, and troubleshoot Inventory is critical for managing fleet-wide compliance and operational health. We'll also cover managed instance management, including the SSM Agent, associations, and integration with other Systems Manager capabilities.
Jump to a section
Imagine a large corporate library with thousands of books, each with a unique barcode. The librarian (SSM Inventory) periodically walks through the aisles with a handheld scanner, recording each book's title, author, publication date, and condition. However, the librarian doesn't scan every book every day; instead, she follows a schedule: some sections are scanned daily, others weekly. The scan data is stored in a central database (AWS Config or a custom S3 bucket) where managers can query for specific books, like all books published before 2000 or books that are damaged. If a book is moved to a different shelf (instance changes state), the librarian may be notified by the shelf manager (Change Manager) to re-scan that area. The librarian also can perform an on-demand scan if a manager requests it. But the librarian cannot fix a torn page or replace a missing book—she only reports what she sees. That's the difference between Inventory (metadata collection) and Systems Manager's other capabilities like Patch Manager or State Manager, which take action. Also, if a book is in a restricted section (private subnet without internet), the librarian needs a special pass (VPC endpoint or proxy) to access it.
What is AWS Systems Manager Inventory?
AWS Systems Manager Inventory is a feature that automates the collection of metadata from your managed instances. It provides a centralized view of software installed, OS configuration, file details, and other system-level information across your entire fleet. Inventory is not a configuration management tool; it is purely a data collection service. It integrates with AWS Config, Amazon Athena, and Amazon S3 for querying and analysis.
Why Inventory Exists
Before Inventory, administrators had to manually connect to each instance or use third-party tools to gather inventory data. At scale, this becomes impractical. Inventory solves this by:
Automating collection on a schedule you define (e.g., every 30 minutes).
Storing data in a central location (S3 bucket or AWS Config).
Allowing querying via AWS Config advanced queries, Athena, or the Systems Manager console.
Supporting custom inventory types (e.g., file contents, Windows Registry keys).
How Inventory Works Internally
Inventory relies on the SSM Agent running on each instance. The agent collects metadata based on inventory types you specify and sends it to the Systems Manager service. The service then stores the data in an S3 bucket (if configured) and/or in AWS Config as configuration items.
Step-by-step mechanism:
1. You create an Inventory association (via State Manager or explicitly as an Inventory configuration).
2. The association defines which inventory types to collect (e.g., AWS:Application, AWS:NetworkConfig), the schedule (rate or cron), and the target instances (by tags, resource groups, or instance IDs).
3. The SSM Agent on each target instance receives the association and runs the inventory collection on the defined schedule.
4. The agent gathers data (e.g., list of installed applications) and sends it to the Systems Manager service as a JSON payload.
5. The service processes the payload and stores it in the S3 bucket you specified (optional but recommended) and/or in AWS Config.
6. You can then query the data using the console, CLI, or AWS Config advanced queries.
Key Components, Values, Defaults, and Timers
Inventory Types: Predefined types include AWS:Application, AWS:AWSComponent, AWS:NetworkConfig, AWS:WindowsRegistry, AWS:File, AWS:InstanceInformation, AWS:Service, AWS:WindowsRole, AWS:Tag, AWS:Update, AWS:Compliance, AWS:ResourceGroup. Custom types can be created using AWS:CustomInventory.
Schedule: Default is every 30 minutes. You can specify a rate (e.g., rate(1 hour)) or a cron expression (e.g., cron(0 0/1 * * ? *)).
S3 Bucket: If configured, Inventory data is written as JSON files in a bucket path like s3://bucket-name/Inventory/<instance-id>/<type>/<timestamp>.json.
Retention: Data in S3 is retained indefinitely unless you set a lifecycle policy. Data in AWS Config is retained per Config rules (default 7 years for configuration items).
Association ID: Each Inventory configuration creates a State Manager association. You can have multiple associations per instance.
Concurrency: Inventory collection is non-intrusive; it runs in the background and does not impact instance performance significantly.
Configuration and Verification Commands
Creating an Inventory association using the AWS CLI:
aws ssm create-association \
--name AWS-GatherSoftwareInventory \
--targets Key=tag:Environment,Values=Production \
--schedule-expression "rate(1 hour)" \
--parameters '{"applications": ["Enabled"], "awsComponents": ["Enabled"], "networkConfig": ["Enabled"], "files": ["Enabled"], "windowsRegistry": ["Enabled"], "instanceDetailedInformation": ["Enabled"], "customInventory": ["Enabled"], "services": ["Enabled"], "windowsRoles": ["Enabled"], "tags": ["Enabled"], "update": ["Enabled"], "compliance": ["Enabled"]}'Verifying inventory data collection:
aws ssm get-inventory \
--instance-id i-1234567890abcdef0 \
--type-name AWS:ApplicationListing all inventory instances:
aws ssm list-inventory-entries \
--instance-id i-1234567890abcdef0 \
--type-name AWS:InstanceInformationQuerying with AWS Config advanced query:
SELECT
resourceId,
resourceType,
configuration.application
WHERE
resourceType = 'AWS::SSM::ManagedInstanceInventory'Integration with Related Technologies
AWS Config: Inventory data can be sent to AWS Config as configuration items. This allows you to use Config rules to evaluate compliance (e.g., ensure all instances have a specific application installed).
Amazon Athena: You can query Inventory data stored in S3 using Athena for complex analytics.
Amazon QuickSight: Visualize inventory data.
Systems Manager State Manager: Inventory associations are actually State Manager associations. State Manager ensures the association is applied and maintained.
Systems Manager Patch Manager: While Patch Manager applies patches, Inventory reports on installed updates (via AWS:Update type).
Systems Manager Compliance: Inventory data feeds into the Compliance dashboard to show patch compliance, association compliance, etc.
Managed Instance Management
Managed instances are EC2 instances or on-premises machines that have the SSM Agent installed and are registered with Systems Manager. To manage an instance, you need:
SSM Agent installed and running.
An IAM role (instance profile for EC2) that grants necessary permissions (e.g., AmazonSSMManagedInstanceCore).
Network connectivity to Systems Manager endpoints (via internet gateway, VPC endpoints, or proxy).
Key concepts:
- Hybrid Activations: For on-premises servers, you create a hybrid activation to register them as managed instances.
- Managed Instance ID: Each managed instance gets a unique ID (e.g., mi-1234567890abcdef0).
- Ping Status: You can check connectivity with aws ssm describe-instance-information.
- Association Status: Use aws ssm describe-association-execution-targets to verify association compliance.
Troubleshooting Inventory
Common issues:
- Inventory not collected: Check SSM Agent logs (/var/log/amazon/ssm/ on Linux, %PROGRAMDATA%\Amazon\SSM\Logs\ on Windows). Ensure the instance has proper IAM permissions (AmazonSSMManagedInstanceCore). Verify network connectivity (use aws ssm describe-instance-information to see ping status).
- Data not appearing in S3: Confirm S3 bucket policy allows Systems Manager to write. Check that you specified a bucket when creating the association.
- Missing inventory types: Ensure the SSM Agent version supports the type (e.g., AWS:File requires agent version 2.2.x or later).
- Custom inventory not working: The custom inventory script must output JSON to stdout in the correct format.
Create Inventory Association
Use the Systems Manager console or AWS CLI to create an association using the document `AWS-GatherSoftwareInventory`. Specify targets by tags, resource groups, or instance IDs. Set a schedule (e.g., `rate(1 hour)`). Optionally, configure an S3 bucket to store the output. The association is created as a State Manager association, which will be applied to the targeted instances. The SSM Agent on each target instance will receive the association and begin collecting inventory data according to the schedule. If you do not specify a schedule, the default of every 30 minutes is used.
SSM Agent Collects Data
The SSM Agent on each managed instance runs the inventory collection based on the association's schedule. For each enabled inventory type (e.g., applications, network config), the agent gathers the relevant metadata. For example, for `AWS:Application`, it enumerates installed software from the system package manager or registry. For `AWS:File`, it reads the contents of specified files. The agent then compiles the data into a JSON payload and sends it to the Systems Manager service via HTTPS. The agent uses the instance's IAM role to authenticate.
Data Stored in S3 and/or AWS Config
The Systems Manager service receives the inventory payload and, if configured, writes it as a JSON file to the specified S3 bucket. The file path follows: `s3://bucket-name/Inventory/<instance-id>/<type>/<timestamp>.json`. Additionally, if you have enabled AWS Config recording for Systems Manager resources, the inventory data is recorded as a configuration item for the resource type `AWS::SSM::ManagedInstanceInventory`. This allows you to use AWS Config rules and advanced queries to analyze the data.
Query Inventory Data
You can query the collected inventory data using several methods. In the Systems Manager console, navigate to Inventory to see a summary per instance. Use the AWS CLI with `aws ssm get-inventory` or `aws ssm list-inventory-entries` to retrieve data programmatically. For advanced analysis, use Amazon Athena to query the S3 bucket directly with SQL. Alternatively, use AWS Config advanced queries to search across all inventory data stored in Config. The query language supports filtering by application name, version, instance ID, etc.
Monitor and Remediate
Use Systems Manager Compliance to monitor whether instances are compliant with your inventory policies. For example, you can create a compliance rule that requires a specific security software to be installed. If an instance is missing it, the compliance status becomes non-compliant. You can then use Systems Manager Automation or Run Command to remediate (e.g., install the missing software). Also, you can set up Amazon CloudWatch Events to trigger on inventory data updates or compliance changes, enabling automated responses.
Scenario 1: Enterprise Software License Compliance
A large enterprise with thousands of EC2 instances needs to track which instances have licensed software (e.g., Oracle Database, Microsoft SQL Server). They configure Inventory to collect AWS:Application data every 6 hours and store it in an S3 bucket. They use Amazon Athena to run weekly queries that list all instances with Oracle installed, cross-referencing with an external license database. The challenge is that some instances are in private subnets without internet access, so they must use VPC endpoints for Systems Manager and S3. They also set up a Config rule to flag instances that have unlicensed software versions. The main issue they face is that Inventory only reports what is installed, not whether the license is valid; they need to combine with other data sources.
Scenario 2: OS and Patch Compliance
A company wants to ensure all Windows servers have a specific set of security updates. They enable Inventory with AWS:Update type to collect installed updates. They also use Patch Manager to apply missing patches. Inventory shows which patches are installed, while Compliance shows whether the instance is compliant with a patch baseline. They set a schedule to collect inventory daily and patch weekly. A common misconfiguration is not enabling the AWS:Update type, so the compliance dashboard shows no data. They also learn that Inventory data for updates is only collected after a patch operation; it does not automatically reflect real-time changes. They must ensure the association runs after patching.
Scenario 3: Custom Software Inventory
A DevOps team uses a custom script to collect deployment metadata (e.g., version of a custom application, environment variables). They implement a custom inventory type using AWS:CustomInventory. The script runs on each instance and outputs JSON to stdout. They configure Inventory to execute this script every hour. The data is stored in S3 and queried via Athena. The challenge is that the custom inventory script must be idempotent and handle errors gracefully. If the script fails, Inventory does not collect data for that cycle. They also need to ensure the script is present on all instances; they use a State Manager association to distribute the script. A common mistake is not setting the correct working directory or environment variables for the script.
What SOA-C02 Tests on Inventory (Objective 3.2) The exam focuses on:
Understanding what Inventory collects and how to configure it.
Differentiating Inventory from other Systems Manager capabilities (Patch Manager, State Manager, Run Command).
Knowing the default schedule (30 minutes) and how to change it.
Using Inventory with AWS Config and S3 for querying.
Troubleshooting common issues: missing IAM permissions, network connectivity, SSM Agent version.
Hybrid activations for on-premises instances.
Custom inventory types.
Common Wrong Answers and Why Candidates Choose Them 1. Inventory can install software. Candidates confuse Inventory with Patch Manager or Run Command. Inventory is read-only; it only collects metadata. 2. Inventory automatically remediates non-compliant instances. Inventory itself does not take action; you need Automation or Run Command for remediation. 3. Inventory data is stored only in Systems Manager console. The exam expects you to know that data can be stored in S3 and AWS Config for long-term analysis. 4. You must manually run inventory collection each time. The exam tests that Inventory runs on a schedule; you can also trigger on-demand via Run Command, but the primary mechanism is scheduled associations.
Specific Numbers and Terms
- Default schedule: every 30 minutes.
- Predefined inventory types: AWS:Application, AWS:AWSComponent, AWS:NetworkConfig, AWS:File, AWS:WindowsRegistry, AWS:InstanceInformation, AWS:Service, AWS:WindowsRole, AWS:Tag, AWS:Update, AWS:Compliance, AWS:ResourceGroup.
- Association document: AWS-GatherSoftwareInventory.
- IAM policy: AmazonSSMManagedInstanceCore (includes Inventory permissions).
- Hybrid activation: requires an activation code and ID; instances are registered as managed instances.
Edge Cases and Exceptions - Inventory on instances with no SSM Agent: impossible; the instance must be managed. - Inventory on instances in a different AWS account: you can use resource sharing via Systems Manager Resource Groups, but Inventory associations are per-account. - Large inventory payloads: Systems Manager has a 1 MB limit per inventory type per instance per collection. If exceeded, the data is truncated. - Custom inventory: the script must output JSON to stdout; the schema must be defined in the association.
How to Eliminate Wrong Answers
- If the question says 'collect software inventory' and an option mentions 'install patches', eliminate it.
- If the question asks about 'real-time' inventory, remember that Inventory is scheduled; for real-time, use Run Command with aws ssm get-inventory on-demand.
- If the question mentions 'store inventory data', look for S3 or AWS Config options; the console only shows recent data.
- For hybrid instances, ensure the answer includes hybrid activation.
SSM Inventory collects metadata from managed instances; it does not modify or install anything.
Default inventory collection schedule is every 30 minutes; customizable via rate or cron.
Inventory data can be stored in S3 and/or AWS Config for querying and long-term retention.
Use the `AWS-GatherSoftwareInventory` document to create an Inventory association.
Instance must have SSM Agent installed and appropriate IAM permissions (e.g., AmazonSSMManagedInstanceCore).
For on-premises instances, use hybrid activation to register them as managed instances.
Custom inventory types allow collection of arbitrary data via scripts, outputting JSON to stdout.
Inventory integrates with AWS Config, Athena, and QuickSight for analysis.
Troubleshoot by checking SSM Agent logs, IAM permissions, and network connectivity (VPC endpoints).
Exam questions often test the difference between Inventory (read-only) and Patch Manager (applies patches).
These come up on the exam all the time. Here's how to tell them apart.
SSM Inventory
Collects software and OS configuration metadata from managed instances.
Runs on a schedule (default 30 minutes) via State Manager associations.
Data can be stored in S3 and/or sent to AWS Config.
Supports custom inventory types (e.g., file contents, registry keys).
Does not track resource configuration changes over time; only snapshots.
AWS Config
Tracks configuration changes to AWS resources (EC2, security groups, etc.).
Records configuration items continuously on resource changes.
Provides a historical timeline of changes and compliance rules.
Does not collect software inventory natively; can receive inventory data from SSM Inventory.
Supports advanced queries across all resource types, including inventory data.
Mistake
Inventory can automatically install missing software.
Correct
Inventory is read-only; it only collects data. To install software, use Run Command, Patch Manager, or State Manager with a custom document.
Mistake
Inventory data is collected in real-time.
Correct
Inventory runs on a schedule (default every 30 minutes). For on-demand collection, you can use Run Command with the `AWS-GatherSoftwareInventory` document, but this is not real-time.
Mistake
You must manually enable Inventory on each instance.
Correct
Inventory is enabled by creating an association that targets instances by tags, resource groups, or IDs. The association is automatically applied to all matching instances.
Mistake
Inventory data is stored only in the Systems Manager console.
Correct
Inventory data can be stored in an S3 bucket and/or AWS Config for long-term retention and querying. The console only shows a summary view.
Mistake
Inventory works on instances without the SSM Agent.
Correct
The SSM Agent must be installed and running on the instance. For on-premises, you need a hybrid activation.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
The default schedule is every 30 minutes. You can change this when creating the association using a rate expression (e.g., `rate(1 hour)`) or a cron expression (e.g., `cron(0 0/1 * * ? *)`). On the exam, remember that you can set any schedule, but the default is 30 minutes.
Yes, but you must first register the on-premises server as a managed instance using a hybrid activation. This generates an activation code and ID that you use during the SSM Agent installation. After registration, the server appears in Systems Manager and can be targeted by Inventory associations just like EC2 instances.
The instance must have an IAM role (EC2 instance profile) with the managed policy `AmazonSSMManagedInstanceCore`. This policy includes permissions for Systems Manager operations, including inventory. For custom inventory, you may need additional permissions if the custom script accesses other AWS services.
You can use AWS Config advanced queries if inventory data is sent to Config. Alternatively, store inventory data in S3 and use Amazon Athena to query it with SQL. The console also provides a summary view, but for complex queries, Athena or Config is recommended.
Systems Manager has a 1 MB limit per inventory type per instance per collection cycle. If the payload exceeds this limit, the data is truncated. To avoid this, reduce the number of inventory types or filter the data collected (e.g., exclude certain file paths).
Yes, you can use Run Command with the `AWS-GatherSoftwareInventory` document to trigger an immediate inventory collection on one or more instances. This is useful for troubleshooting or after a change. The collected data is stored the same way as scheduled collections.
Inventory collects software and OS-level metadata from managed instances. AWS Config tracks configuration changes to AWS resources (e.g., EC2, security groups). Inventory can send data to AWS Config, but Config itself does not collect software inventory natively. They complement each other.
You've just covered SSM Inventory and Managed Instance Management — now see how well it sticks with free SOA-C02 practice questions. Full explanations included, no account needed.
Done with this chapter?