AWS Systems Manager Incident Manager is no longer open to new customers. Existing customers can continue to use the service as normal. For more information, see AWS Systems Manager Incident Manager availability change.
Exporting Incident Manager data
This topic describes how to use a Python script to export incident records and post-incident analyses from AWS Systems Manager Incident Manager. The script exports data to structured JSON files for further analysis or archival purposes.
What you can export
The script exports the following data:
-
Complete incident records, including:
-
Timeline events
-
Related items
-
Engagements
-
Automation executions
-
Security findings
-
Tags
-
-
Post-incident analysis documents from Systems Manager
Prerequisites
Before you begin, make sure you have:
-
Python 3.7 or later installed
-
AWS CLI configured with appropriate credentials
-
The following Python packages installed:
pip install boto3 python-dateutil
Required IAM permissions
To use this script, make sure you have the following permissions:
Systems Manager Incidents permissions
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm-incidents:ListIncidentRecords", "ssm-incidents:GetIncidentRecord", "ssm-incidents:ListTimelineEvents", "ssm-incidents:GetTimelineEvent", "ssm-incidents:ListRelatedItems", "ssm-incidents:ListEngagements", "ssm-incidents:GetEngagement", "ssm-incidents:BatchGetIncidentFindings", "ssm-incidents:ListTagsForResource" ], "Resource": "*" } ] }
Systems Manager permissions
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:ListDocuments", "ssm:GetDocument", "ssm:GetAutomationExecution" ], "Resource": "*" } ] }
Export structure
The script creates the following directory structure for exported data:
incident_manager_export_YYYYMMDD_HHMMSS/ ├── incident_records/ │ ├── 20250309_102129_IAD_Service_A_Lambda_High_Latency.json │ ├── 20250314_114820_SecurityFinding_SecurityHubFindings.json │ └── ... └── post_incident_analyses/ ├── 20250310_143022_Root_Cause_Analysis_Service_A.json ├── 20250315_091545_Security_Incident_Review.json └── ...
Running the export script
Basic usage
The Incident Manager data export script is provided here. Please download the script and use the following instructions to run the script.
To run the script with default settings:
python3 export-incident-manager-data.py
Available options
You can customize the export using these command-line options:
| Option | Description | Default |
|---|---|---|
--region |
AWS Region | us-east-1 |
--profile |
AWS profile name | Default profile |
--verbose, -v |
Enable detailed logging | FALSE |
--limit |
Maximum number of incidents to export | No limit |
--timeline-events-limit |
Maximum timeline events per incident | 100 |
--timeline-details-limit |
Maximum timeline event details per incident | 100 |
--related-items-limit |
Maximum related items per incident | 50 |
--engagements-limit |
Maximum engagements per incident | 20 |
--analysis-docs-limit |
Maximum analysis documents to export | 50 |
Examples
Export from a specific Region using a custom profile:
python3 export-incident-manager-data.py --region us-east-1 --profile my-aws-profile
Export with verbose logging and limits for testing:
python3 export-incident-manager-data.py --verbose --limit 5 --timeline-events-limit 10
Export with conservative limits for large datasets:
python3 export-incident-manager-data.py --timeline-events-limit 50 --timeline-details-limit 25
Output file structure
Incident record JSON structure
Each incident record file contains the following structure:
{ "incident_record": { // Complete incident record from get-incident-record }, "incident_summary": { // Incident summary from list-incident-records }, "incident_source_details": { "from_incident_record": {}, "from_incident_summary": {}, "enhanced_details": { "created_by": "arn:aws:sts::...", "source": "aws.ssm-incidents.custom", "source_analysis": { "source_type": "manual", "creation_method": "human_via_console", "automation_involved": false, "human_created": true } } }, "timeline_events": { "detailed_events": [ { "summary": {}, // From list-timeline-events "details": {} // From get-timeline-event } ], "summary_only_events": [], "metadata": { "total_events_found": 45, "events_with_details": 25, "limits_applied": {} } }, "related_items": { "items": [], "metadata": {} }, "engagements": { "engagements": [], "metadata": {} }, "automation_executions": [], "findings": [], "tags": [], "post_incident_analysis": { "analysis_reference": {}, "metadata": {} }, "export_metadata": { "exported_at": "2025-09-18T...", "region": "us-east-*", "incident_arn": "arn:aws:ssm-incidents::..." } }
Post-incident analysis JSON structure
Each analysis document file contains:
{ "document_metadata": { // Document metadata from list-documents }, "document_details": { "Name": "037fc5dd-cd86-49bb-9c3d-15720e78798e", "Content": "...", // Full JSON content "DocumentType": "ProblemAnalysis", "CreatedDate": 1234567890, "ReviewStatus": "APPROVED", "AttachmentsContent": [], // ... other fields from get-document }, "export_metadata": { "exported_at": "2025-09-18T...", "region": "us-east-*", "document_name": "..." } }
