

• The AWS Systems Manager CloudWatch Dashboard will no longer be available after April 30, 2026. Customers can continue to use Amazon CloudWatch console to view, create, and manage their Amazon CloudWatch dashboards, just as they do today. For more information, see [Amazon CloudWatch Dashboard documentation](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Dashboards.html). 

# Adjusting Systems Manager settings
<a name="settings-overview"></a>

The options on the **Settings** pages enable and configure features in the Systems Manager unified console. The options displayed depend on the account you are logged into and whether or not you have already set up Systems Manager. 

**Note**  
The options on the **Settings** page don't affect Systems Manager tools (formerly called capabilities).

## Account setup settings
<a name="settings-acccount-setup"></a>

If Systems Manager is enabled, and if you are logged into an account that is not a member of Organizations or if the delegated administrator has not added your Organizations account to Systems Manager, the **Account setup** page shows the option to **Disable Systems Manager**. Disabling Systems Manager means Systems Manager doesn't display the unified console. All Systems Manager tools still function.

## Organizational setup settings
<a name="settings-organizational-setup"></a>

On the **Organizational setup** tab, the **Home Region** section displays the AWS Region chosen as the home Region during setup. In multi-account and multi-Region environments that use AWS Organizations, Systems Manager automatically aggregates node data from all accounts and Regions to the home Region. Aggregating data in this way enables you to view node data across accounts and Regions in a single location. 

**Note**  
If you want to change the home Region, you must disable Systems Manager and enable it again. To disable Systems Manager, choose **Disable**.

The **Organizational setup** section displays the AWS organizational units and AWS Regions chosen during setup. To change which organizational units and Regions display node data in Systems Manager, choose **Edit**. For more information about setting up Systems Manager for Organizations, see [Setting up AWS Systems Manager](systems-manager-setting-up-console.md).

## Feature configurations
<a name="settings-feature-configurations"></a>

The **Feature configurations** section allows you to enable and configure key Systems Manager capabilities that enhance node management across your organization. These features work together to provide automated management, compliance monitoring, and maintenance of your managed nodes.

You can configure these features during initial Systems Manager setup or modify them later through the Settings page. Each feature can be enabled or disabled independently based on your organization's requirements.

### Default Host Management Configuration
<a name="settings-default-host-management-configuration"></a>

Default Host Management Configuration (DHMC) automatically configures Amazon Elastic Compute Cloud (Amazon EC2) instances in your organization to be managed by Systems Manager. When enabled, DHMC ensures that new and existing EC2 instances have the necessary AWS Identity and Access Management (IAM) permissions and configurations to communicate with Systems Manager services.

DHMC provides the following benefits:
+ **Automatic IAM role assignment** - Ensures EC2 instances have the required IAM roles and policies to function as managed nodes
+ **Drift remediation** - Automatically corrects configuration drift when instances lose their managed node status
+ **Simplified onboarding** - Reduces manual configuration steps for new instances
+ **Consistent configuration** - Maintains uniform settings across your EC2 fleet

#### Configuring drift remediation frequency
<a name="dhmc-drift-remediation"></a>

Drift remediation automatically detects and corrects when EC2 instances lose their managed node configuration. You can configure how frequently Systems Manager checks for and remediates configuration drift.

**To configure Default Host Management Configuration**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Settings**.

1. In the **Feature configurations** section, locate **Default Host Management Configuration**.

1. To enable DHMC, turn on the toggle switch.

1. For **Drift remediation frequency**, choose how often you want Systems Manager to check for and remediate configuration drift:
   + **Daily** - Checks and remediates drift once per day
   + **Weekly** - Checks and remediates drift once per week
   + **Monthly** - Checks and remediates drift once per month

1. Choose **Save**.

**Note**  
When you enable DHMC, Systems Manager creates the necessary IAM roles and policies in your account. These roles allow EC2 instances to communicate with Systems Manager services. For more information about the IAM roles created by DHMC, see [Managing EC2 instances with Systems Manager](systems-manager-setting-up-ec2.md).

### Inventory metadata collection
<a name="settings-inventory-metadata-collection"></a>

Inventory metadata collection automatically gathers detailed information about your managed nodes, including installed applications, network configurations, system updates, and other system metadata. This information helps you maintain compliance, perform security analysis, and understand your infrastructure composition.

Inventory collection provides the following benefits:
+ **Compliance monitoring** - Track installed software and configurations for compliance reporting
+ **Security analysis** - Identify outdated software and potential security vulnerabilities
+ **Asset management** - Maintain an up-to-date inventory of your infrastructure
+ **Query capabilities** - Use collected data with Amazon Q Developer for natural language queries

#### Types of inventory data collected
<a name="inventory-collection-types"></a>

When inventory metadata collection is enabled, Systems Manager collects the following types of information from your managed nodes:
+ **Applications** - Installed software packages and applications
+ **Network configurations** - Network interfaces, IP addresses, and network settings
+ **System updates** - Installed patches and available updates
+ **System properties** - Hardware specifications, operating system details, and system configurations
+ **Services** - Running services and their configurations

#### Configuring inventory collection frequency
<a name="configuring-inventory-collection"></a>

You can configure how frequently Systems Manager collects inventory metadata from your managed nodes. More frequent collection provides more up-to-date information but may increase AWS service usage.

**To configure inventory metadata collection**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Settings**.

1. In the **Feature configurations** section, locate **Inventory metadata collection**.

1. To enable inventory collection, turn on the toggle switch.

1. For **Collection frequency**, choose how often you want Systems Manager to collect inventory data:
   + **Daily** - Collects inventory data once per day
   + **Weekly** - Collects inventory data once per week
   + **Monthly** - Collects inventory data once per month

1. Choose **Save**.

**Important**  
Inventory collection requires managed nodes to have the necessary permissions to gather system information. Ensure your managed nodes have the appropriate IAM roles and policies. For more information about required permissions, see [AWS Systems Manager Inventory](systems-manager-inventory.md).

### SSM Agent updates
<a name="settings-ssm-agent-updates"></a>

Automatic SSM Agent updates ensure that your managed nodes are running the latest version of the SSM Agent. Keeping the agent up-to-date provides access to the latest features, security improvements, and bug fixes.

SSM Agent automatic updates provide the following benefits:
+ **Latest features** - Access to new Systems Manager capabilities and improvements
+ **Security updates** - Automatic installation of security patches and fixes
+ **Improved reliability** - Bug fixes and stability improvements
+ **Reduced maintenance** - Eliminates the need for manual agent updates

#### Configuring automatic agent updates
<a name="configuring-agent-updates"></a>

You can configure how frequently Systems Manager checks for and installs SSM Agent updates on your managed nodes. Regular updates help ensure optimal performance and security.

**To configure SSM Agent updates**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Settings**.

1. In the **Feature configurations** section, locate **SSM Agent updates**.

1. To enable automatic updates, turn on the toggle switch.

1. For **Update frequency**, choose how often you want Systems Manager to check for and install agent updates:
   + **Daily** - Checks for updates once per day
   + **Weekly** - Checks for updates once per week
   + **Monthly** - Checks for updates once per month

1. Choose **Save**.

## Diagnose and remediate settings
<a name="settings-diagnose-and-remediate"></a>

The **Diagnose and remediate** settings determine whether or not Systems Manager automatically scans your nodes to ensure they can communicate with Systems Manager. If enabled, the feature runs automatically according to a schedule you define. The feature identifies which nodes can't connect to Systems Manager and why. This feature also provides recommended runbooks for remediating networking issues and other problems preventing nodes from being configured as managed nodes.

### Scheduling a recurring diagnostic scan
<a name="settings-diagnose-and-remediate-schedule-diagnostic-run"></a>

Systems Manager can diagnose and help you remediate several types of deployment failures, as well as drifted configurations. Systems Manager can also identify Amazon Elastic Compute Cloud (Amazon EC2) instances in your account or organization that Systems Manager isn't able to treat as a *managed node*. The EC2 instance diagnosis process can identify issues related to misconfigurations for a virtual private cloud (VPC), in a Domain Name System (DNS) setting, or in an Amazon EC2 security group. 

To simplify the task of identifying nodes that can't connect to Systems Manager, the **Schedule recurring diagnosis** feature enables you to automate a recurring diagnostic scan. The scans help identify which nodes can't connect to Systems Manager and why. Use the following procedure to enable and configure a recurring diagnostic scan of your nodes.

**To schedule a recurring diagnostic scan**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Settings**, and then choose the **Diagnose and remediate** tab.

1. Turn on the **Schedule recurring diagnosis** option.

1. For **Scanning period**, choose how often you want the scan to run.

1. (Optional) For **Start time**, enter a time, in 24-hour format, for the diagnosis to begin. For example, for 8:15 PM, enter **20:15**.

   The time you enter is for your current local time zone.

   If you don't specify a time, the diagnostic scan runs immediately, and Systems Manager schedules the recurring scans for the current time of day. If you specify a time, Systems Manager waits until the specified time to run the first diagnostic scan.

1. Choose **Save**.

1. After the scan completes, view the details by choosing **Diagnose and remediate** in the left navigation.

For more information about the **Diagnose and remediate** feature, see [Diagnosing and remediating](diagnose-and-remediate.md).

### Updating S3 bucket encryption
<a name="settings-diagnose-and-remediate-encryption"></a>

When you onboard Systems Manager, Quick Setup creates an Amazon Simple Storage Service (Amazon S3) bucket in the delegated administrator account for AWS Organizations setups. For single-account setups, the bucket is stored in the account being set up. This bucket is used to store the metadata generated during diagnostic scans. 

For more information about setting up the unified Systems Manager console, see [Setting up AWS Systems Manager](systems-manager-setting-up-console.md).

By default, your data in the bucket is encrypted using an AWS Key Management Service (AWS KMS) key that AWS owns and manages for you. 

You can choose to use a different AWS KMS key for your bucket encryption. As another alternative, you can use server-side encryption with AWS KMS keys (SSE-KMS) using a customer managed key (CMK). For information, see [Working with Amazon S3 buckets and bucket policies for Systems Manager](systems-manager-diagnosis-metadata-bucket.md).

**To use a different AWS KMS key for S3 bucket encryption**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Settings**, and then choose the **Diagnose and remediate** tab.

1. In the **Update S3 bucket encryption** area, choose **Edit**.

1. Select the **Customize encryption settings (advanced)** check box.

1. For **Choose an AWS KMS key**, choose or enter the Amazon Resource Name (ARN) of the key.

   **Tip**  
   To create a new key, choose **Create an AWS KMS key**.

1. Choose **Save**.

# Working with Amazon S3 buckets and bucket policies for Systems Manager
<a name="systems-manager-diagnosis-metadata-bucket"></a>

During the [onboarding process](systems-manager-setting-up-console.md) for AWS Systems Manager, Quick Setup creates an Amazon Simple Storage Service (Amazon S3) bucket in the delegated administrator account for organization setups. For single-account setups, the bucket is stored in the account being set up. 

You can use Systems Manager to run diagnostic operations on your fleet to identify cases of failed deployments and drifted configurations. Systems Manager can also detect cases where configuration issues are preventing Systems Manager from managing EC2 instances in your account or organization. The results of these diagnostic operations are stored in this Amazon S3 bucket, which is protected by both an encryption method and an S3 bucket policy. For information about the diagnostic operations that output data to this bucket, see [Diagnosing and remediating](diagnose-and-remediate.md). 

**Changing the bucket encryption method**  
By default, the S3 bucket uses server-side encryption with Amazon S3 managed keys (SSE-S3).

You can instead use server-side encryption with AWS KMS keys (SSE-KMS) using a customer managed key (CMK) as an alternative to Amazon S3 managed keys, as explained in [Changing to an AWS KMS customer managed key to encrypt S3 resources](remediate-s3-bucket-encryption.md).

**Contents of the bucket policy**  
The bucket policy prevents member accounts in an organization from discovering one another. Read and write permissions to the bucket are allowed only for the diagnosis and remediation roles created for Systems Manager. The contents of these system-generated policies are presented in [S3 bucket policies for the unified Systems Manager console](remediate-s3-bucket-policies.md).

**Warning**  
Modifying the default bucket policy might allow member accounts in an organization to discover one another, or read diagnosis outputs for instances in another account. We recommend using extreme caution if you choose to modify this policy.

**Topics**
+ [Changing to an AWS KMS customer managed key to encrypt S3 resources](remediate-s3-bucket-encryption.md)
+ [S3 bucket policies for the unified Systems Manager console](remediate-s3-bucket-policies.md)

# Changing to an AWS KMS customer managed key to encrypt S3 resources
<a name="remediate-s3-bucket-encryption"></a>

During the onboarding process for the unified Systems Manager console, Quick Setup creates an Amazon Simple Storage Service (Amazon S3) bucket in the delegated administrator account. This bucket is used to store the diagnosis output data generated during remediation runbook executions. By default, the bucket uses server-side encryption with Amazon S3 managed keys (SSE-S3).

You can review the bucket policies that protect this bucket in [S3 bucket policies for the unified Systems Manager console](remediate-s3-bucket-policies.md).

You can instead use server-side encryption with AWS KMS keys (SSE-KMS) using a customer managed key (CMK) as an alternative to Amazon S3 managed keys.

Complete the following tasks, in order, to configure Systems Manager to use your CMK.

## Task 1: Add a tag to an existing CMK
<a name="remediate-s3-bucket-encryption-add-kms-tag"></a>

AWS Systems Manager uses your CMK only if it is tagged with the following key-value pair:
+ Key: `SystemsManagerManaged`
+ Value: `true`

Use the following procedure to provide access for encrypting the S3 bucket with your CMK.

**To add a tag to your existing CMK**

1. Open the AWS KMS console at [https://console.aws.amazon.com/kms](https://console.aws.amazon.com/kms).

1. In the left navigation, choose **Customer managed keys**.

1. Select the AWS KMS key to use with AWS Systems Manager.

1. Choose the **Tags** tab, and then choose **Edit**.

1. Choose **Add tag**.

1. Do the following:

   1. For **Tag key**, enter **SystemsManagerManaged**.

   1. For **Tag value**, enter **true**.

1. Choose **Save**.

## Task 2: Modify an existing CMK key policy
<a name="remediate-s3-bucket-encryption-update-kms-policy"></a>

Use the following procedure to update the [KMS key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) of your CMK to allow AWS Systems Manager roles to encrypt the S3 bucket on your behalf.

**To modify an existing CMK key policy**

1. Open the AWS KMS console at [https://console.aws.amazon.com/kms](https://console.aws.amazon.com/kms).

1. In the left navigation, choose **Customer managed keys**.

1. Select the AWS KMS key to use with AWS Systems Manager.

1. On the **Key policy** tab, choose **Edit**.

1. Add the following JSON statement to the `Statement` field, and replace the *placeholder values* with your own information.

   Ensure that you add all AWS account IDs that are onboarded in your organization to AWS Systems Manager in the `Principal` field.

   To find the correct bucket name for the `kms:EncryptionContext:aws:s3:arn` value, open the Amazon S3 console in the delegated administrator account and locate the bucket whose name has the format `do-not-delete-ssm-operational-account-id-home-region-disambiguator`.

   ```
   {
        "Sid": "EncryptionForSystemsManagerS3Bucket",
        "Effect": "Allow",
        "Principal": {
            "AWS": [
                "account-id-1",
                "account-id-2",
                ...
            ]
        },
        "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::amzn-s3-demo-bucket"
            },
            "StringLike": {
                "kms:ViaService": "s3.*.amazonaws.com"
            },
            "ArnLike": {
                "aws:PrincipalArn": "arn:aws:iam::*:role/AWS-SSM-*"
            }
        }
    }
   ```

**Tip**  
Alternatively, you can update the CMK key policy using the [aws:PrincipalOrgID](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principalorgid) condition key to grant AWS Systems Manager access to your CMK.
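The following Python script is an added example, not part of the AWS documentation or any AWS tool. It builds the Task 2 statement for a set of onboarded accounts, merges it into an existing key policy, and checks a CMK's tags (Task 1) and key policy (Task 2) before you select the key in Task 3. It assumes the tag list has the shape returned by `kms:ListResourceTags` and the policy is the parsed JSON returned by `kms:GetKeyPolicy`; the account IDs and bucket name are constructed placeholders.

```python
import json

REQUIRED_TAG = ("SystemsManagerManaged", "true")
REQUIRED_ACTIONS = {"kms:Decrypt", "kms:GenerateDataKey"}
SSM_ROLE_PATTERN = "arn:aws:iam::*:role/AWS-SSM-*"
S3_VIA_SERVICE = "s3.*.amazonaws.com"
SID = "EncryptionForSystemsManagerS3Bucket"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def build_ssm_statement(account_ids, bucket_name):
    """The Task 2 statement, filled in for the onboarded accounts and the diagnosis bucket."""
    return {
        "Sid": SID,
        "Effect": "Allow",
        "Principal": {"AWS": sorted(account_ids)},
        "Action": sorted(REQUIRED_ACTIONS),
        "Resource": "*",
        "Condition": {
            # The three conditions scope the grant to this bucket, to calls made through S3,
            # and to the Systems Manager roles; drop any of them and the key is usable more widely.
            "StringEquals": {"kms:EncryptionContext:aws:s3:arn": f"arn:aws:s3:::{bucket_name}"},
            "StringLike": {"kms:ViaService": S3_VIA_SERVICE},
            "ArnLike": {"aws:PrincipalArn": SSM_ROLE_PATTERN},
        },
    }


def add_ssm_statement(policy, account_ids, bucket_name):
    """Return a copy of the key policy with the Task 2 statement added (replacing one with the same Sid)."""
    statements = [s for s in _as_list(policy.get("Statement", [])) if s.get("Sid") != SID]
    statements.append(build_ssm_statement(account_ids, bucket_name))
    return {**policy, "Statement": statements}


def _principal_accounts(stmt):
    """Normalize a statement's AWS principals to bare account IDs ('*' means everyone)."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return {"*"}
    return {p.split(":")[4] if p.startswith("arn:aws:iam::") else p
            for p in _as_list(principal.get("AWS", []))}


def check_cmk(policy, tags, account_ids, bucket_name):
    """Return a list of problems; an empty list means the CMK is ready to select in Task 3."""
    problems = []
    if not any((t.get("TagKey"), t.get("TagValue")) == REQUIRED_TAG for t in tags):
        problems.append("missing tag SystemsManagerManaged=true")
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not REQUIRED_ACTIONS <= set(_as_list(stmt.get("Action", []))):
            continue
        cond = stmt.get("Condition", {})
        if (cond.get("StringEquals", {}).get("kms:EncryptionContext:aws:s3:arn") == bucket_arn
                and cond.get("StringLike", {}).get("kms:ViaService") == S3_VIA_SERVICE
                and cond.get("ArnLike", {}).get("aws:PrincipalArn") == SSM_ROLE_PATTERN):
            principals = _principal_accounts(stmt)
            missing = sorted(set(account_ids) - principals) if "*" not in principals else []
            if missing:
                problems.append("accounts not in Principal: " + ", ".join(missing))
            return problems
    problems.append("no Allow statement scoped to the bucket, S3 and the AWS-SSM-* roles")
    return problems


if __name__ == "__main__":
    accounts = ["111111111111", "222222222222"]  # constructed placeholder account IDs
    policy = add_ssm_statement({"Version": "2012-10-17", "Statement": []}, accounts, "amzn-s3-demo-bucket")
    print(json.dumps(policy, indent=2))
    print(check_cmk(policy, [{"TagKey": "SystemsManagerManaged", "TagValue": "true"}], accounts, "amzn-s3-demo-bucket"))
```

Run `check_cmk` against the real key policy and tag list before Task 3; an empty result means every onboarded account is listed and the grant is scoped as Task 2 requires.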

## Task 3: Specify the CMK in Systems Manager settings
<a name="remediate-s3-bucket-encryption-update-setting"></a>

After completing the previous two tasks, use the following procedure to change the S3 bucket encryption. This change ensures that the associated Quick Setup configuration process can add permissions for Systems Manager to accept your CMK.

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Settings**.

1. On the **Diagnose and remediate** tab, in the **Update S3 bucket encryption** section, choose **Edit**.

1. Select the **Customize encryption settings (advanced)** check box.

1. In the search box, choose the ID of an existing key, or paste the ARN of an existing key.

1. Choose **Save**.

# S3 bucket policies for the unified Systems Manager console
<a name="remediate-s3-bucket-policies"></a>

This topic includes the Amazon S3 bucket policies created by Systems Manager when you onboard an organization or single account to the unified Systems Manager console.

**Warning**  
Modifying the default bucket policy might allow member accounts in an organization to discover one another, or read diagnosis outputs for instances in another account. We recommend using extreme caution if you choose to modify this policy.

## Amazon S3 bucket policy for an organization
<a name="s3-bucket-policy-organization"></a>

The diagnosis bucket is created with the following default bucket policy when onboarding an organization to Systems Manager.


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyHTTPRequests",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket",
                "arn:aws:s3:::amzn-s3-demo-bucket/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        },
        {
            "Sid": "DenyNonSigV4Requests",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket",
                "arn:aws:s3:::amzn-s3-demo-bucket/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "s3:SignatureVersion": "AWS4-HMAC-SHA256"
                }
            }
        },
        {
            "Sid": "AllowAccessLog",
            "Effect": "Allow",
            "Principal": {
                "Service": "logging.s3.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/access-logs/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "000000000000"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:s3:::amzn-s3-demo-bucket"
                }
            }
        },
        {
            "Sid": "AllowCrossAccountRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/actions/*/${aws:PrincipalAccount}/*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "organization-id"
                }
            }
        },
        {
            "Sid": "AllowCrossAccountWrite",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/actions/*/${aws:PrincipalAccount}/*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "organization-id"
                },
                "ArnLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::*:role/AWS-SSM-DiagnosisExecutionRole-operational-123456789012-home-region",
                        "arn:aws:iam::*:role/AWS-SSM-DiagnosisAdminRole-operational-123456789012-home-region",
                        "arn:aws:iam::*:role/AWS-SSM-RemediationExecutionRole-operational-123456789012-home-region",
                        "arn:aws:iam::*:role/AWS-SSM-RemediationAdminRole-operational-123456789012-home-region"
                    ]
                }
            }
        },
        {
            "Sid": "AllowCrossAccountListUnderAccountOwnPrefix",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "organization-id"
                },
                "StringLike": {
                    "s3:prefix": "*/${aws:PrincipalAccount}/*"
                }
            }
        },
        {
            "Sid": "AllowCrossAccountGetConfigWithinOrganization",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetEncryptionConfiguration",
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalOrgID": "organization-id"
                }
            }
        }
    ]
}
```


## Amazon S3 bucket policy for a single account
<a name="s3-bucket-policy-account"></a>

The diagnosis bucket is created with the following default bucket policy when onboarding a single account to Systems Manager.


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyHTTPRequests",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket",
        "arn:aws:s3:::amzn-s3-demo-bucket/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    },
    {
      "Sid": "DenyNonSigV4Requests",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket",
        "arn:aws:s3:::amzn-s3-demo-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "s3:SignatureVersion": "AWS4-HMAC-SHA256"
        }
      }
    }
  ]
}
```

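As an added example that is not part of the AWS documentation, the following Python evaluator models how the default bucket policies above decide a request, so you can confirm the isolation properties (an account can read and list only under its own prefix, only the AWS-SSM-* roles can write, and plaintext or non-SigV4 requests are refused) before changing anything. It embeds a constructed subset of the organization policy (the two Deny statements are also the whole single-account policy), uses placeholder bucket, organization and account values, and models only the condition operators the policy uses.

```python
import fnmatch

# Constructed placeholder values; the real bucket name and organization ID come from your setup.
BUCKET = "arn:aws:s3:::amzn-s3-demo-bucket"
ORG_ID = "o-exampleorgid"
SSM_ROLE = "arn:aws:iam::*:role/AWS-SSM-DiagnosisExecutionRole-operational-111111111111-home-region"

# Subset of the organization bucket policy. Principal is "*" in every statement, so it is not modelled.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyHTTPRequests", "Effect": "Deny", "Action": "s3:*",
     "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyNonSigV4Requests", "Effect": "Deny", "Action": "s3:*",
     "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"StringNotEquals": {"s3:SignatureVersion": "AWS4-HMAC-SHA256"}}},
    {"Sid": "AllowCrossAccountRead", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": BUCKET + "/actions/*/${aws:PrincipalAccount}/*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}}},
    {"Sid": "AllowCrossAccountWrite", "Effect": "Allow", "Action": ["s3:PutObject", "s3:DeleteObject"],
     "Resource": BUCKET + "/actions/*/${aws:PrincipalAccount}/*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID},
                   "ArnLike": {"aws:PrincipalArn": [SSM_ROLE]}}},
    {"Sid": "AllowCrossAccountListUnderAccountOwnPrefix", "Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": BUCKET,
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID},
                   "StringLike": {"s3:prefix": "*/${aws:PrincipalAccount}/*"}}},
]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _substitute(pattern, ctx):
    """Resolve the ${aws:PrincipalAccount} policy variable used in Resource and s3:prefix."""
    return pattern.replace("${aws:PrincipalAccount}", ctx.get("aws:PrincipalAccount", ""))


def _condition_matches(cond, ctx):
    """Every operator block must hold; within one key, any listed value may match."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            values = [_substitute(str(v), ctx) for v in _as_list(expected)]
            if op == "StringNotEquals":
                if actual is not None and actual in values:
                    return False
            elif actual is None:
                return False  # a missing context key never satisfies a positive operator
            elif op in ("Bool", "StringEquals"):
                if str(actual) not in values:
                    return False
            elif op in ("StringLike", "ArnLike"):
                if not any(fnmatch.fnmatchcase(actual, v) for v in values):
                    return False
            else:
                raise ValueError(f"operator {op} is not modelled")
    return True


def evaluate(policy, action, resource, ctx):
    """Return 'Allow' or 'Deny'. An explicit Deny wins; no matching Allow is an implicit deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, _substitute(r, ctx)) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def request(account, arn=None, **extra):
    """Constructed request context: an organization member using SigV4 over TLS unless overridden."""
    ctx = {"aws:PrincipalAccount": account, "aws:PrincipalOrgID": ORG_ID,
           "aws:PrincipalArn": arn or f"arn:aws:iam::{account}:role/SomeOtherRole",
           "aws:SecureTransport": "true", "s3:SignatureVersion": "AWS4-HMAC-SHA256"}
    ctx.update(extra)
    return ctx
```

For example, `evaluate(POLICY, "s3:GetObject", BUCKET + "/actions/diag/222222222222/out.json", request("111111111111"))` returns `"Deny"` because the `${aws:PrincipalAccount}` variable pins each account to its own prefix.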