• The AWS Systems Manager CloudWatch Dashboard will no longer be available after April 30, 2026. Customers can continue to use Amazon CloudWatch console to view, create, and manage their Amazon CloudWatch dashboards, just as they do today. For more information, see [Amazon CloudWatch Dashboard documentation](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Dashboards.html). 

# Integration with other products and services
Integration with other products and services

AWS Systems Manager has built-in integration for the products and services shown in the following table.


|  |  | 
| --- |--- |
|  Ansible  |  [https://www.ansible.com/](https://www.ansible.com/) is an IT automation platform that makes your applications and systems easier to deploy. Systems Manager provides the Systems Manager document (SSM document) `AWS-ApplyAnsiblePlaybooks` which allows you to create State Manager associations that run Ansible playbooks.  Learn more [Creating associations that run Ansible playbooks](systems-manager-state-manager-ansible.md)   | 
|  Chef  |  [https://www.chef.io/](https://www.chef.io/) is an IT automation tool that makes your applications and systems easier to deploy. Systems Manager provides the `AWS-ApplyChefRecipes` SSM document, which allows you to create associations in State Manager, a tool in AWS Systems Manager, that run Chef recipes.  Learn more [Creating associations that run Chef recipes](systems-manager-state-manager-chef.md)  Systems Manager also integrates with [https://www.chef.io/products/chef-inspec/](https://www.chef.io/products/chef-inspec/) profiles, allowing you to run compliance scans and view compliant and noncompliant nodes.  Learn more [Using Chef InSpec profiles with Systems Manager Compliance](integration-chef-inspec.md)   | 
|  GitHub  |  [https://github.com/](https://github.com/) provides hosting for software development version control and collaboration. Systems Manager provides the SSM document `AWS-RunDocument`, which allows you to run other SSM documents stored in GitHub, and the SSM document `AWS-RunRemoteScript` , which allows you to run scripts stored in GitHub. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/systems-manager/latest/userguide/integrations-partners.html)  | 
|  Jenkins  |  [https://www.jenkins.io/](https://www.jenkins.io/) is an open-source automation server that allows developers to reliably build, test, and deploy their software. Automation, a tool in Systems Manager, can be used as a post-build step to pre-install application releases into Amazon Machine Images (AMIs).  Learn more [Updating AMIs using Automation and Jenkins](automation-tutorial-update-patch-ami-jenkins-integration.md)   | 
|  ServiceNow  |  [https://www.servicenow.com/](https://www.servicenow.com/) is an enterprise service management system that allows you to manage your IT services and operations. Automation, Change Manager, Incident Manager, and OpsCenter, all tools in Systems Manager, integrate with ServiceNow by using the AWS Service Management Connector. With this integration, you can view, create, update, add correspondence, and resolve AWS Support cases from ServiceNow.  Learn more [Integrating with ServiceNow](integrations-partners-servicenow.md)    | 
| Terraform |  HashiCorp [Terraform](https://registry.terraform.io/) is an open-source *infrastructure as code* (IaC) software tool that provides a command line interface (CLI) workflow to manage various cloud services. For Systems Manager, you can use Terraform to manage or provision the following: **Resources** [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/systems-manager/latest/userguide/integrations-partners.html) **Data sources** [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/systems-manager/latest/userguide/integrations-partners.html)  | 

**Topics**
+ [

# Running scripts from GitHub
](integration-remote-scripts.md)
+ [

# Using Chef InSpec profiles with Systems Manager Compliance
](integration-chef-inspec.md)
+ [

# Integrating with ServiceNow
](integrations-partners-servicenow.md)

# Running scripts from GitHub


This topic describes how to use the pre-defined Systems Manager document (SSM document) `AWS-RunRemoteScript` to download scripts from GitHub, including Ansible Playbooks, Python, Ruby, and PowerShell scripts. By using this SSM document, you no longer need to manually port scripts into Amazon Elastic Compute Cloud (Amazon EC2) or wrap them in SSM documents. AWS Systems Manager integration with GitHub promotes *infrastructure as code*, which reduces the time it takes to manage nodes while standardizing configurations across your fleet. 

You can also create custom SSM documents that allow you to download and run scripts or other SSM documents from remote locations. For more information, see [Creating composite documents](documents-creating-content.md#documents-creating-composite).

You can also download a directory that includes multiple scripts. When you run the primary script in the directory, Systems Manager also runs any referenced scripts that are included in the directory. 

Note the following important details about running scripts from GitHub.
+ Systems Manager doesn't verify that your script is capable of running on a node. Before you download and run the script, verify that the required software is installed on the node. Or, you can create a composite document that installs the software by using either Run Command or State Manager,tools in AWS Systems Manager, and then downloads and runs the script.
+ You're responsible for ensuring that all GitHub requirements are met. This includes refreshing your access token, as needed. Ensure that you don't surpass the number of authenticated or unauthenticated requests. For more information, see the GitHub documentation.
+ GitHub Enterprise repositories are not supported.

**Topics**
+ [

# Run Ansible Playbooks from GitHub
](integration-github-ansible.md)
+ [

# Run Python scripts from GitHub
](integration-github-python.md)

# Run Ansible Playbooks from GitHub


This section includes procedures to help you run Ansible Playbooks from GitHub by using either the console or the AWS Command Line Interface (AWS CLI).

**Before you begin**  
If you plan to run a script stored in a private GitHub repository, create an AWS Systems Manager `SecureString` parameter for your GitHub security access token. You can't access a script in a private GitHub repository by manually passing your token over SSH. The access token must be passed as a Systems Manager `SecureString` parameter. For more information about creating a `SecureString` parameter, see [Creating Parameter Store parameters in Systems Manager](sysman-paramstore-su-create.md).

## Run an Ansible Playbook from GitHub (console)


**Run an Ansible Playbook from GitHub**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Run Command**.

1. Choose **Run command**.

1. In the **Command document** list, choose **`AWS-RunRemoteScript`**.

1. In **Command parameters**, do the following:
   + In **Source Type**, select **GitHub**. 
   + In the **Source Info** box, enter the required information to access the source in the following format.

     ```
     {
       "owner": "owner_name",
       "repository": "repository_name", 
       "getOptions": "branch:branch_name",
       "path": "path_to_scripts_or_directory",
       "tokenInfo": "{{ssm-secure:SecureString_parameter_name}}" 
     }
     ```

     This example downloads a file named `webserver.yml`. 

     ```
     {
         "owner": "TestUser1",
         "repository": "GitHubPrivateTest",
         "getOptions": "branch:myBranch",
         "path": "scripts/webserver.yml",
         "tokenInfo": "{{ssm-secure:mySecureStringParameter}}"
     }
     ```
**Note**  
`"branch"` is required only if your SSM document is stored in a branch other than `master`.  
To use the version of your scripts that are in a particular *commit* in your repository, use `commitID` with `getOptions` instead of `branch`. For example:  
`"getOptions": "commitID:bbc1ddb94...b76d3bEXAMPLE",`
   + In the **Command Line** field, enter parameters for the script execution. Here is an example.

     **ansible-playbook -i “localhost,” --check -c local webserver.yml**
   + (Optional) In the **Working Directory** field, enter the name of a directory on the node where you want to download and run the script.
   + (Optional) In **Execution Timeout**, specify the number of seconds for the system to wait before failing the script command execution. 

1. In the **Targets** section, choose the managed nodes on which you want to run this operation by specifying tags, selecting instances or edge devices manually, or specifying a resource group.
**Tip**  
If a managed node you expect to see isn't listed, see [Troubleshooting managed node availability](fleet-manager-troubleshooting-managed-nodes.md) for troubleshooting tips.

1. For **Other parameters**:
   + For **Comment**, enter information about this command.
   + For **Timeout (seconds)**, specify the number of seconds for the system to wait before failing the overall command execution. 

1. For **Rate control**:
   + For **Concurrency**, specify either a number or a percentage of managed nodes on which to run the command at the same time.
**Note**  
If you selected targets by specifying tags applied to managed nodes or by specifying AWS resource groups, and you aren't certain how many managed nodes are targeted, then restrict the number of targets that can run the document at the same time by specifying a percentage.
   + For **Error threshold**, specify when to stop running the command on other managed nodes after it fails on either a number or a percentage of nodes. For example, if you specify three errors, then Systems Manager stops sending the command when the fourth error is received. Managed nodes still processing the command might also send errors.

1. (Optional) For **Output options**, to save the command output to a file, select the **Write command output to an S3 bucket** box. Enter the bucket and prefix (folder) names in the boxes.
**Note**  
The S3 permissions that grant the ability to write the data to an S3 bucket are those of the instance profile (for EC2 instances) or IAM service role (hybrid-activated machines) assigned to the instance, not those of the IAM user performing this task. For more information, see [Configure instance permissions required for Systems Manager](setup-instance-permissions.md) or [Create an IAM service role for a hybrid environment](hybrid-multicloud-service-role.md). In addition, if the specified S3 bucket is in a different AWS account, make sure that the instance profile or IAM service role associated with the managed node has the necessary permissions to write to that bucket.

1. In the **SNS notifications** section, if you want notifications sent about the status of the command execution, select the **Enable SNS notifications** check box.

   For more information about configuring Amazon SNS notifications for Run Command, see [Monitoring Systems Manager status changes using Amazon SNS notifications](monitoring-sns-notifications.md).

1. Choose **Run**.

## Run an Ansible Playbook from GitHub by using the AWS CLI


1. Install and configure the AWS Command Line Interface (AWS CLI), if you haven't already.

   For information, see [Installing or updating the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).

1. Run the following command to download and run a script from GitHub.

   ```
   aws ssm send-command \
       --document-name "AWS-RunRemoteScript" \
       --instance-ids "instance-IDs"\
       --parameters '{"sourceType":["GitHub"],"sourceInfo":["{\"owner\":\"owner_name\", \"repository\": \"repository_name\", \"path\": \"path_to_file_or_directory\", \"tokenInfo\":\"{{ssm-secure:name_of_your_SecureString_parameter}}\" }"],"commandLine":["commands_to_run"]}'
   ```

   Here is an example command to run on a local Linux machine.

   ```
   aws ssm send-command \    
       --document-name "AWS-RunRemoteScript" \
       --instance-ids "i-02573cafcfEXAMPLE" \
       --parameters '{"sourceType":["GitHub"],"sourceInfo":["{\"owner\":\"TestUser1\", \"repository\": \"GitHubPrivateTest\", \"path\": \"scripts/webserver.yml\", \"tokenInfo\":\"{{ssm-secure:mySecureStringParameter}}\" }"],"commandLine":["ansible-playbook -i “localhost,” --check -c local webserver.yml"]}'
   ```

# Run Python scripts from GitHub


This section includes procedures to help you run Python scripts from GitHub by using either the AWS Systems Manager console or the AWS Command Line Interface (AWS CLI). 

## Run a Python script from GitHub (console)


**Run a Python script from GitHub**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Run Command**.

1. Choose **Run command**.

1. In the **Command document** list, choose **`AWS-RunRemoteScript`**.

1. For **Command parameters**, do the following:
   + In **Source Type**, select **GitHub**. 
   + In the **Source Info** box, enter the required information to access the source in the following format:

     ```
     {
         "owner": "owner_name",
         "repository": "repository_name",
         "getOptions": "branch:branch_name",
         "path": "path_to_document",
         "tokenInfo": "{{ssm-secure:SecureString_parameter_name}}"
     }
     ```

     The following example downloads a directory of scripts named *complex-script*.

     ```
     {
         "owner": "TestUser1",
         "repository": "SSMTestDocsRepo",
         "getOptions": "branch:myBranch",
         "path": "scripts/python/complex-script",
         "tokenInfo": "{{ssm-secure:myAccessTokenParam}}"
     }
     ```
**Note**  
`"branch"` is required only if your scripts are stored in a branch other than `master`.  
To use the version of your scripts that are in a particular *commit* in your repository, use `commitID` with `getOptions` instead of `branch`. For example:  
`"getOptions": "commitID:bbc1ddb94...b76d3bEXAMPLE",`
   + For **Command Line**, enter parameters for the script execution. Here is an example.

     ```
     mainFile.py argument-1 argument-2
     ```

     This example runs `mainFile.py`, which can then run other scripts in the `complex-script` directory.
   + (Optional) For **Working Directory**, enter the name of a directory on the node where you want to download and run the script.
   + (Optional) For **Execution Timeout**, specify the number of seconds for the system to wait before failing the script command execution. 

1. In the **Targets** section, choose the managed nodes on which you want to run this operation by specifying tags, selecting instances or edge devices manually, or specifying a resource group.
**Tip**  
If a managed node you expect to see isn't listed, see [Troubleshooting managed node availability](fleet-manager-troubleshooting-managed-nodes.md) for troubleshooting tips.

1. For **Other parameters**:
   + For **Comment**, enter information about this command.
   + For **Timeout (seconds)**, specify the number of seconds for the system to wait before failing the overall command execution. 

1. For **Rate control**:
   + For **Concurrency**, specify either a number or a percentage of managed nodes on which to run the command at the same time.
**Note**  
If you selected targets by specifying tags applied to managed nodes or by specifying AWS resource groups, and you aren't certain how many managed nodes are targeted, then restrict the number of targets that can run the document at the same time by specifying a percentage.
   + For **Error threshold**, specify when to stop running the command on other managed nodes after it fails on either a number or a percentage of nodes. For example, if you specify three errors, then Systems Manager stops sending the command when the fourth error is received. Managed nodes still processing the command might also send errors.

1. (Optional) For **Output options**, to save the command output to a file, select the **Write command output to an S3 bucket** box. Enter the bucket and prefix (folder) names in the boxes.
**Note**  
The S3 permissions that grant the ability to write the data to an S3 bucket are those of the instance profile (for EC2 instances) or IAM service role (hybrid-activated machines) assigned to the instance, not those of the IAM user performing this task. For more information, see [Configure instance permissions required for Systems Manager](setup-instance-permissions.md) or [Create an IAM service role for a hybrid environment](hybrid-multicloud-service-role.md). In addition, if the specified S3 bucket is in a different AWS account, make sure that the instance profile or IAM service role associated with the managed node has the necessary permissions to write to that bucket.

1. In the **SNS notifications** section, if you want notifications sent about the status of the command execution, select the **Enable SNS notifications** check box.

   For more information about configuring Amazon SNS notifications for Run Command, see [Monitoring Systems Manager status changes using Amazon SNS notifications](monitoring-sns-notifications.md).

1. Choose **Run**.

## Run a Python script from GitHub by using the AWS CLI


1. Install and configure the AWS Command Line Interface (AWS CLI), if you haven't already.

   For information, see [Installing or updating the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).

1. Run the following command to download and run a script from GitHub.

   ```
   aws ssm send-command --document-name "AWS-RunRemoteScript" --instance-ids "instance-IDs" --parameters '{"sourceType":["GitHub"],"sourceInfo":["{\"owner\":\"owner_name\", \"repository\":\"repository_name\", \"path\": \"path_to_script_or_directory"}"],"commandLine":["commands_to_run"]}'
   ```

   Here is an example.

   ```
   aws ssm send-command --document-name "AWS-RunRemoteScript" --instance-ids "i-02573cafcfEXAMPLE" --parameters '{"sourceType":["GitHub"],"sourceInfo":["{\"owner\":\"TestUser1\", \"repository\":\"GitHubTestPublic\", \"path\": \"scripts/python/complex-script\"}"],"commandLine":["mainFile.py argument-1 argument-2 "]}'
   ```

   This example downloads a directory of scripts called `complex-script`. The `commandLine` entry runs `mainFile.py`, which can then run other scripts in the `complex-script` directory.

# Using Chef InSpec profiles with Systems Manager Compliance


AWS Systems Manager integrates with [https://www.chef.io/products/chef-inspec](https://www.chef.io/products/chef-inspec). Chef InSpec is an open-source testing framework that allows you to create human-readable profiles to store in GitHub or Amazon Simple Storage Service (Amazon S3). Then you can use Systems Manager to run compliance scans and view compliant and noncompliant nodes. A *profile* is a security, compliance, or policy requirement for your computing environment. For example, you can create profiles that perform the following checks when you scan your nodes with Compliance, a tool in AWS Systems Manager:
+ Check if specific ports are open or closed.
+ Check if specific applications are running.
+ Check if certain packages are installed.
+ Check Windows Registry keys for specific properties.

You can create InSpec profiles *only* for Amazon Elastic Compute Cloud (Amazon EC2) instances that you manage with Systems Manager. On-premises servers or virtual machines (VMs) are not supported. The following sample Chef InSpec profile checks if port 22 is open.

```
control 'Scan Port' do
impact 10.0
title 'Server: Configure the service port'
desc 'Always specify which port the SSH server should listen to.
Prevent unexpected settings.'
describe sshd_config do
its('Port') { should eq('22') }
end
end
```

InSpec includes a collection of resources that help you quickly write checks and auditing controls. InSpec uses the [InSpec Domain-specific Language (DSL)](https://docs.chef.io/inspec/7.0/reference/glossary/#dsl) for writing these controls in Ruby. You can also use profiles created by a large community of InSpec users. For example, the [DevSec chef-os-hardening](https://github.com/dev-sec/chef-os-hardening) project on GitHub includes dozens of profiles to help you secure your nodes. You can author and store profiles in GitHub or Amazon S3. 

## How it works


Here is how the process of using InSpec profiles with Compliance works:

1. Either identify predefined InSpec profiles that you want to use, or create your own. You can use [predefined profiles](https://github.com/search?p=1&q=topic%3Ainspec+org%3Adev-sec&type=Repositories) on GitHub to get started. For information about how to create your own InSpec profiles, see [ChefChef InSpec Profiles](https://www.inspec.io/docs/reference/profiles/).

1. Store profiles in either a public or private GitHub repository, or in an S3 bucket.

1. Run Compliance with your InSpec profiles by using the Systems Manager document (SSM document) `AWS-RunInspecChecks`. You can begin a Compliance scan by using Run Command, a tool in AWS Systems Manager, for on-demand scans, or you can schedule regular Compliance scans by using State Manager, a tool in AWS Systems Manager.

1. Identify noncompliant nodes by using the Compliance API or the Compliance console.

**Note**  
Note the following information.  
Chef uses a client on your nodes to process the profile. You don't need to install the client. When Systems Manager runs the SSM document `AWS-RunInspecChecks`, the system checks if the client is installed. If not, Systems Manager installs the Chef client during the scan, and then uninstalls the client after the scan is completed.
Running the SSM document `AWS-RunInspecChecks`, as described in this topic, assigns a compliance entry of type `Custom:Inspec` to each targeted node. To assign this compliance type, the document calls the [PutComplianceItems](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_PutComplianceItems.html) API operation.

## Running an InSpec compliance scan


This section includes information about how to run an InSpec compliance scan by using the Systems Manager console and the AWS Command Line Interface (AWS CLI). The console procedure shows how to configure State Manager to run the scan. The AWS CLI procedure shows how to configure Run Command to run the scan.

### Running an InSpec compliance scan with State Manager (console)


**To run an InSpec compliance scan with State Manager by using the AWS Systems Manager console**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **State Manager**.

1. Choose **Create association**.

1. In the **Provide association details** section, enter a name.

1. In the **Document** list, choose **`AWS-RunInspecChecks`**.

1. In the **Document version** list, choose **Latest at runtime**.

1. In the **Parameters** section, in the **Source Type** list, choose either **GitHub** or **S3**.

   If you choose **GitHub**, then enter the path to an InSpec profile in either a public or private GitHub repository in the **Source Info** field. Here is an example path to a public profile provided by the Systems Manager team from the following location: [https://github.com/awslabs/amazon-ssm/tree/master/Compliance/InSpec/PortCheck](https://github.com/awslabs/amazon-ssm/tree/master/Compliance/InSpec/PortCheck).

   ```
   {"owner":"awslabs","repository":"amazon-ssm","path":"Compliance/InSpec/PortCheck","getOptions":"branch:master"}
   ```

   If you choose **S3**, then enter a valid URL to an InSpec profile in an S3 bucket in the **Source Info** field. 

   For more information about how Systems Manager integrates with GitHub and Amazon S3, see [Running scripts from GitHub](integration-remote-scripts.md). 

1. In the **Targets** section, choose the managed nodes on which you want to run this operation by specifying tags, selecting instances or edge devices manually, or specifying a resource group.
**Tip**  
If a managed node you expect to see isn't listed, see [Troubleshooting managed node availability](fleet-manager-troubleshooting-managed-nodes.md) for troubleshooting tips.

1. In the **Specify schedule** section, use the schedule builder options to create a schedule that specifies when you want the Compliance scan to run.

1. For **Rate control**:
   + For **Concurrency**, specify either a number or a percentage of managed nodes on which to run the command at the same time.
**Note**  
If you selected targets by specifying tags applied to managed nodes or by specifying AWS resource groups, and you aren't certain how many managed nodes are targeted, then restrict the number of targets that can run the document at the same time by specifying a percentage.
   + For **Error threshold**, specify when to stop running the command on other managed nodes after it fails on either a number or a percentage of nodes. For example, if you specify three errors, then Systems Manager stops sending the command when the fourth error is received. Managed nodes still processing the command might also send errors.

1. (Optional) For **Output options**, to save the command output to a file, select the **Write command output to an S3 bucket** box. Enter the bucket and prefix (folder) names in the boxes.
**Note**  
The S3 permissions that grant the ability to write the data to an S3 bucket are those of the instance profile (for EC2 instances) or IAM service role (hybrid-activated machines) assigned to the instance, not those of the IAM user performing this task. For more information, see [Configure instance permissions required for Systems Manager](setup-instance-permissions.md) or [Create an IAM service role for a hybrid environment](hybrid-multicloud-service-role.md). In addition, if the specified S3 bucket is in a different AWS account, make sure that the instance profile or IAM service role associated with the managed node has the necessary permissions to write to that bucket.

1. Choose **Create Association**. The system creates the association and automatically runs the Compliance scan.

1. Wait several minutes for the scan to complete, and then choose **Compliance** in the navigation pane.

1. In **Corresponding managed instances**, locate nodes where the **Compliance Type** column is **Custom:Inspec**.

1. Choose a node ID to view the details of noncompliant statuses.

### Running an InSpec compliance scan with Run Command (AWS CLI)


1. Install and configure the AWS Command Line Interface (AWS CLI), if you haven't already.

   For information, see [Installing or updating the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).

1. Run one of the following commands to run an InSpec profile from either GitHub or Amazon S3.

   The command takes the following parameters:
   + **sourceType**: GitHub or Amazon S3
   + **sourceInfo**: URL to the InSpec profile folder either in GitHub or an S3 bucket. The folder must contain the base InSpec file (\$1.yml) and all related controls (\$1.rb).

   **GitHub**

   ```
   aws ssm send-command --document-name "AWS-RunInspecChecks" --targets '[{"Key":"tag:tag_name","Values":["tag_value"]}]' --parameters '{"sourceType":["GitHub"],"sourceInfo":["{\"owner\":\"owner_name\", \"repository\":\"repository_name\", \"path\": \"Inspec.yml_file"}"]}'
   ```

   Here is an example.

   ```
   aws ssm send-command --document-name "AWS-RunInspecChecks" --targets '[{"Key":"tag:testEnvironment","Values":["webServers"]}]' --parameters '{"sourceType":["GitHub"],"getOptions":"branch:master","sourceInfo":["{\"owner\":\"awslabs\", \"repository\":\"amazon-ssm\", \"path\": \"Compliance/InSpec/PortCheck\"}"]}'
   ```

   **Amazon S3**

   ```
   aws ssm send-command --document-name "AWS-RunInspecChecks" --targets '[{"Key":"tag:tag_name","Values":["tag_value"]}]' --parameters'{"sourceType":["S3"],"sourceInfo":["{\"path\":\"https://s3.aws-api-domain/amzn-s3-demo-bucket/Inspec.yml_file\"}"]}'
   ```

   Here is an example.

   ```
   aws ssm send-command --document-name "AWS-RunInspecChecks" --targets '[{"Key":"tag:testEnvironment","Values":["webServers"]}]' --parameters'{"sourceType":["S3"],"sourceInfo":["{\"path\":\"https://s3.aws-api-domain/amzn-s3-demo-bucket/InSpec/PortCheck.yml\"}"]}' 
   ```

1. Run the following command to view a summary of the Compliance scan.

   ```
   aws ssm list-resource-compliance-summaries --filters Key=ComplianceType,Values=Custom:Inspec
   ```

1. Run the following command to see details of a node that isn't compliant.

   ```
   aws ssm list-compliance-items --resource-ids node_ID --resource-type ManagedInstance --filters Key=DocumentName,Values=AWS-RunInspecChecks
   ```

# Integrating with ServiceNow


ServiceNow provides a cloud-based service management system to create and manage organization-level workflows, such as for IT services, ticketing systems, and support. The AWS Service Management Connector integrates ServiceNow with Systems Manager to provision, manage, and operate AWS resources from ServiceNow. You can use the AWS Service Management Connector to integrate ServiceNow with Automation, Change Manager, Incident Manager, and OpsCenter, all tools in AWS Systems Manager. 

You can perform the following tasks using ServiceNow: 
+ Run automation playbooks from Systems Manager. 
+ View, update, and resolve incidents from Systems Manager OpsItems. 
+ View and manage operational items, such as incidents, through Systems Manager OpsCenter. 
+ View and run Systems Manager change requests from a curated list of pre-approved change templates. 
+ Manage and resolve incidents involving AWS hosted applications by integrating with Incident Manager. 

**Note**  
For information about how to integrate with ServiceNow, see [Configuring AWS service integrations](https://docs.aws.amazon.com/smc/latest/ag/sn-config-integ.html) in the *AWS Service Management Connector Administrator Guide*.