SSM (AWS Systems Manager)

AWS Systems Manager (SSM) is an AWS managed service for centrally operating and managing EC2 instances and on-premises servers. It enables operational tasks such as patch application, command execution, parameter management, and inventory collection to be performed in a unified manner, without the need to connect to each server individually via SSH or RDP.
Why SSM Is Necessary
When you only have a handful of servers, logging in via SSH to perform tasks is sufficient—but that changes as the number grows. Applying the same patch to dozens of machines, keeping track of installed packages across all of them, collecting logs in bulk during an incident: handling these tasks manually is simply not practical. SSM provides a mechanism for executing these operational tasks in bulk from the AWS console or CLI.
Key Features
SSM is not a single service but is composed of multiple feature groups. The most notable are described below.
Run Command is a feature that remotely executes shell scripts and PowerShell commands on managed nodes. Because it requires no open SSH ports and allows execution permissions to be controlled via IAM, it is easier to manage than traditional SSH connections from both a security and operational standpoint. No additional charges apply.
Parameter Store is a feature for securely storing and distributing configuration values such as database connection strings and API keys. It supports encryption via KMS, and the standard pattern is for applications to retrieve values using aws ssm get-parameter.
Patch Manager scans the patch compliance status of operating systems and automatically applies patches based on a defined baseline. Combined with Maintenance Windows, it enables a workflow where patch application is completed outside of business hours.
Session Manager provides browser-based shell access. It eliminates the need for bastion servers, and the fact that session activity logs are automatically recorded in CloudTrail and S3 makes it particularly valuable in environments with strict audit requirements.
How SSM Agent Works
Each SSM feature operates through the SSM Agent installed on managed nodes. Because it comes pre-installed on AMIs such as Amazon Linux 2 and Windows Server, EC2 instances can often be used without any additional setup. On-premises servers and edge devices require a manual installation, but by following a registration procedure called hybrid activation, they can be added as managed targets in the same way as EC2 instances.
In the author's experience, version discrepancies in SSM Agent have occasionally been the root cause of issues. When Run Command fails on only specific nodes, the standard first step is to suspect the Agent version.
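The check described above can be scripted. The following is an added example, not code from the original page: it correlates per-node Run Command results with SSM Agent state, using constructed sample data shaped like the JSON printed by `aws ssm list-command-invocations` and `aws ssm describe-instance-information`. The instance IDs, version numbers and the `triage` helper are assumptions made for illustration.

```python
import json

# Constructed sample data, shaped like the JSON printed by
# `aws ssm describe-instance-information` and `aws ssm list-command-invocations`.
INSTANCE_INFO = json.loads("""{"InstanceInformationList": [
 {"InstanceId": "i-0aaa0000000000001", "PingStatus": "Online", "AgentVersion": "3.3.1230.0", "IsLatestVersion": true},
 {"InstanceId": "i-0aaa0000000000002", "PingStatus": "Online", "AgentVersion": "3.3.1230.0", "IsLatestVersion": true},
 {"InstanceId": "i-0aaa0000000000003", "PingStatus": "Online", "AgentVersion": "3.1.1732.0", "IsLatestVersion": false},
 {"InstanceId": "mi-0bbb000000000004", "PingStatus": "ConnectionLost", "AgentVersion": "3.3.1230.0", "IsLatestVersion": true},
 {"InstanceId": "i-0aaa0000000000005", "PingStatus": "Online", "AgentVersion": "3.3.1230.0", "IsLatestVersion": true}]}""")
INVOCATIONS = json.loads("""{"CommandInvocations": [
 {"InstanceId": "i-0aaa0000000000001", "Status": "Success"},
 {"InstanceId": "i-0aaa0000000000002", "Status": "Success"},
 {"InstanceId": "i-0aaa0000000000003", "Status": "Failed"},
 {"InstanceId": "mi-0bbb000000000004", "Status": "TimedOut"},
 {"InstanceId": "i-0aaa0000000000005", "Status": "Failed"}]}""")

def parse_version(text):
    """Turn '3.1.1732.0' into (3, 1, 1732, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def triage(instance_info, invocations):
    """Map each node whose invocation did not succeed to agent-related findings."""
    nodes = {n["InstanceId"]: n for n in instance_info["InstanceInformationList"]}
    status = {c["InstanceId"]: c["Status"] for c in invocations["CommandInvocations"]}
    # Baseline: the oldest agent version among nodes where the command worked.
    ok = [parse_version(nodes[i]["AgentVersion"])
          for i, s in status.items() if s == "Success" and i in nodes]
    baseline = min(ok) if ok else None
    findings = {}
    for iid, state in status.items():
        if state == "Success":
            continue
        node = nodes.get(iid)
        if node is None:
            findings[iid] = ["not registered as a managed node"]
            continue
        reasons = []
        if node["PingStatus"] != "Online":
            reasons.append(f"agent ping status is {node['PingStatus']}")
        if baseline and parse_version(node["AgentVersion"]) < baseline:
            reasons.append(f"agent {node['AgentVersion']} is older than every node that succeeded")
        elif not node.get("IsLatestVersion", False):
            reasons.append(f"agent {node['AgentVersion']} is not the latest version")
        findings[iid] = reasons or ["agent looks healthy; check the command output"]
    return findings

if __name__ == "__main__":
    for iid, reasons in triage(INSTANCE_INFO, INVOCATIONS).items():
        print(iid, "->", "; ".join(reasons))
```

A node that fails with a healthy, current agent points away from the Agent and toward the command itself or the node's IAM permissions.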
Pricing
Run Command, Session Manager, and Parameter Store (Standard parameters) are available at no additional charge. Fees do apply for certain advanced features, such as Parameter Store Advanced parameters and OpsItem operations in OpsCenter. The ability to keep basic operational management costs low even in large-scale environments is one of SSM's strengths.