


# Working with associations in Systems Manager

This section describes how to create and manage State Manager associations by using the AWS Systems Manager console, the AWS Command Line Interface (AWS CLI), and AWS Tools for PowerShell. 

**Topics**
+ [Understanding targets and rate controls in State Manager associations](systems-manager-state-manager-targets-and-rate-controls.md)
+ [Creating associations](state-manager-associations-creating.md)
+ [Editing and creating a new version of an association](state-manager-associations-edit.md)
+ [Deleting associations](systems-manager-state-manager-delete-association.md)
+ [Running Auto Scaling groups with associations](systems-manager-state-manager-asg.md)
+ [Viewing association histories](state-manager-associations-history.md)
+ [Working with associations using IAM](systems-manager-state-manager-iam.md)

# Understanding targets and rate controls in State Manager associations

This topic describes State Manager features that help you deploy an association to dozens or hundreds of nodes while controlling the number of nodes that run the association at the scheduled time. State Manager is a tool in AWS Systems Manager.

## Using targets


When you create a State Manager association, you choose which nodes to configure with the association in the **Targets** section of the Systems Manager console, as shown here.

![\[Different options for targeting nodes when creating a State Manager association\]](http://docs.aws.amazon.com/systems-manager/latest/userguide/images/state-manager-targets.png)


If you create an association by using a command line tool such as the AWS Command Line Interface (AWS CLI), then you specify the `targets` parameter. Targeting nodes allows you to configure tens, hundreds, or thousands of nodes with an association without having to specify or choose individual node IDs. 

Each managed node can be targeted by a maximum of 20 associations.

State Manager includes the following target options when creating an association.

**Specify tags**  
Use this option to specify a tag key and (optionally) a tag value assigned to your nodes. When you run the request, the system locates and attempts to create the association on all nodes that match the specified tag key and value. If you specified multiple tag values, the association targets any node with at least one of those tag values. When the system initially creates the association, it runs the association. After this initial run, the system runs the association according to the schedule you specified.

If you create new nodes and assign the specified tag key and value to those nodes, the system automatically applies the association, runs it immediately, and then runs it according to the schedule. This applies when the association uses a Command or Policy document and doesn't apply if the association uses an Automation runbook. If you delete the specified tags from a node, the system no longer runs the association on those nodes.

**Note**  
If you use Automation runbooks with State Manager and the tagging limitation prevents you from achieving a specific goal, consider using Automation runbooks with Amazon EventBridge. For more information, see [Run automations based on EventBridge events](running-automations-event-bridge.md). For more information about using runbooks with State Manager, see [Scheduling automations with State Manager associations](scheduling-automations-state-manager-associations.md). 

As a best practice, we recommend using tags when creating associations that use a Command or Policy document. We also recommend using tags when creating associations to run Auto Scaling groups. For more information, see [Running Auto Scaling groups with associations](systems-manager-state-manager-asg.md).

**Note**  
Note the following information.  
+ When creating an association in the AWS Management Console that targets nodes by using tags, you can specify only one tag key for an automation association and five tag keys for a command association. *All* tag keys specified in the association must be currently assigned to the node. If they aren't, State Manager fails to target the node for an association.
+ If you want to use the console *and* you want to target your nodes by using more than one tag key for an automation association and five tag keys for a command association, assign the tag keys to an AWS Resource Groups group and add the nodes to it. You can then choose the **Resource Group** option in the **Targets** list when you create the State Manager association.
+ You can specify a maximum of five tag keys by using the AWS CLI. If you use the AWS CLI, *all* tag keys specified in the `create-association` command must be currently assigned to the node. If they aren't, State Manager fails to target the node for an association.

**Choose nodes manually**  
Use this option to manually select the nodes where you want to create the association. The **Instances** pane displays all Systems Manager managed nodes in the current AWS account and AWS Region. You can manually select as many nodes as you want. When the system initially creates the association, it runs the association. After this initial run, the system runs the association according to the schedule you specified.

**Note**  
If a managed node you expect to see isn't listed, see [Troubleshooting managed node availability](fleet-manager-troubleshooting-managed-nodes.md) for troubleshooting tips.

**Choose a resource group**  
Use this option to create an association on all nodes returned by an AWS Resource Groups tag-based or AWS CloudFormation stack-based query. 

Below are details about targeting resource groups for an association.
+ If you add new nodes to a group, the system automatically maps the nodes to the association that targets the resource group. The system applies the association to the nodes when it discovers the change. After this initial run, the system runs the association according to the schedule you specified.
+ If you create an association that targets a resource group and the `AWS::SSM::ManagedInstance` resource type was specified for that group, then by design, the association runs on both Amazon Elastic Compute Cloud (Amazon EC2) instances and non-EC2 nodes in a [hybrid and multicloud](operating-systems-and-machine-types.md#supported-machine-types) environment.

  The converse is also true. If you create an association that targets a resource group and the `AWS::EC2::Instance` resource type was specified for that group, then by design, the association runs on both non-EC2 nodes in a [hybrid and multicloud](operating-systems-and-machine-types.md#supported-machine-types) environment and Amazon EC2 instances.
+ If you create an association that targets a resource group, the resource group must not have more than five tag keys assigned to it or more than five values specified for any one tag key. If either of these conditions applies to the tags and keys assigned to your resource group, the association fails to run and returns an `InvalidTarget` error. 
+ If you create an association that targets a resource group using tags, you can't choose the **(empty value)** option for the tag value.
+ If you delete a resource group, all instances in that group no longer run the association. As a best practice, delete associations targeting the group.
+ At most you can target a single resource group for an association. Multiple or nested groups aren't supported.
+ After you create an association, State Manager periodically updates the association with information about resources in the Resource Group. If you add new resources to a Resource Group, the schedule for when the system applies the association to the new resources depends on several factors. You can determine the status of the association in the State Manager page of the Systems Manager console.

**Warning**  
An AWS Identity and Access Management (IAM) user, group, or role with permission to create an association that targets a resource group of Amazon EC2 instances automatically has root-level control of all instances in the group. Only trusted administrators should be permitted to create associations. 

For more information about Resource Groups, see [What Is AWS Resource Groups?](https://docs.aws.amazon.com/ARG/latest/userguide/) in the *AWS Resource Groups User Guide*.

**Choose all nodes**  
Use this option to target all nodes in the current AWS account and AWS Region. When you run the request, the system locates and attempts to create the association on all nodes in the current AWS account and AWS Region. When the system initially creates the association, it runs the association. After this initial run, the system runs the association according to the schedule you specified. If you create new nodes, the system automatically applies the association, runs it immediately, and then runs it according to the schedule.

## Using rate controls


You can control the execution of an association on your nodes by specifying a concurrency value and an error threshold. The concurrency value specifies how many nodes can run the association simultaneously. An error threshold specifies how many association executions can fail before Systems Manager sends a command to each node configured with that association to stop running the association. The command stops the association from running until the next scheduled execution. The concurrency and error threshold features are collectively called *rate controls*. 

![\[Different rate control options when creating a State Manager association\]](http://docs.aws.amazon.com/systems-manager/latest/userguide/images/state-manager-rate-controls.png)


**Concurrency**  
Concurrency helps to limit the impact on your nodes by allowing you to specify that only a certain number of nodes can process an association at one time. You can specify either an absolute number of nodes, for example 20, or a percentage of the target set of nodes, for example 10%.

State Manager concurrency has the following restrictions and limitations:
+ If you choose to create an association by using targets, but you don't specify a concurrency value, then State Manager automatically enforces a maximum concurrency of 50 nodes.
+ If new nodes that match the target criteria come online while an association that uses concurrency is running, then the new nodes run the association if the concurrency value isn't exceeded. If the concurrency value is exceeded, then the nodes are ignored during the current association execution interval. The nodes run the association during the next scheduled interval while conforming to the concurrency requirements.
+ If you update an association that uses concurrency, and one or more nodes are processing that association when it's updated, then any node that is running the association is allowed to complete. Those associations that haven't started are stopped. After running associations complete, all target nodes immediately run the association again because it was updated. When the association runs again, the concurrency value is enforced. 

**Error thresholds**  
An error threshold specifies how many association executions are allowed to fail before Systems Manager sends a command to each node configured with that association. The command stops the association from running until the next scheduled execution. You can specify either an absolute number of errors, for example 10, or a percentage of the target set, for example 10%.

If you specify an absolute number of three errors, for example, State Manager sends the stop command when the fourth error is returned. If you specify 0, then State Manager sends the stop command after the first error result is returned.

If you specify an error threshold of 10% for 50 associations, then State Manager sends the stop command when the sixth error is returned. Associations that are already running when an error threshold is reached are allowed to complete, but some of these associations might fail. To ensure that there aren't more errors than the number specified for the error threshold, set the **Concurrency** value to 1 so that associations proceed one at a time. 

State Manager error thresholds have the following restrictions and limitations:
+ Error thresholds are enforced for the current interval.
+ Information about each error, including step-level details, is recorded in the association history.
+ If you choose to create an association by using targets, but you don't specify an error threshold, then State Manager automatically enforces a threshold of 100% failures.
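
The following sketch models how the concurrency value and the error threshold interact within one execution interval. It is an added example, not AWS code: the function names, the wave-by-wave dispatch model, and rounding a fractional percentage down are assumptions, and the node outcomes are constructed.

```python
import math


def to_count(value, target_count):
    """Convert a rate-control value such as '20' or '10%' to an absolute count."""
    text = str(value).strip()
    if text.endswith("%"):
        percent = int(text[:-1])
        if not 0 <= percent <= 100:
            raise ValueError(f"percentage out of range: {value!r}")
        # Assumption: a fractional result is rounded down.
        return math.floor(target_count * percent / 100)
    count = int(text)
    if count < 0:
        raise ValueError(f"negative count: {value!r}")
    return count


def simulate_interval(outcomes, max_concurrency=None, max_errors=None):
    """Model one execution interval.

    outcomes: one boolean per targeted node, in dispatch order (True = the
    execution on that node fails). Nodes are dispatched in waves of
    `max_concurrency`; a wave that has started always completes, which is how
    the error count can overshoot the threshold.
    """
    total = len(outcomes)
    # Defaults described above for associations created with targets:
    # concurrency of 50 nodes and an error threshold of 100%.
    concurrency = to_count("50" if max_concurrency is None else max_concurrency, total)
    concurrency = max(1, concurrency)
    threshold = to_count("100%" if max_errors is None else max_errors, total)

    started = errors = 0
    stop_sent = False
    while started < total and not stop_sent:
        wave = outcomes[started:started + concurrency]
        started += len(wave)
        errors += sum(1 for failed in wave if failed)
        # A threshold of 3 sends the stop command on the fourth error.
        stop_sent = errors > threshold
    return {
        "started": started,
        "errors": errors,
        "skipped": total - started,
        "stop_sent": stop_sent,
    }


# Constructed sample: 50 targeted nodes where every third execution fails.
FLAKY_FLEET = [index % 3 == 2 for index in range(50)]

if __name__ == "__main__":
    for concurrency in ("1", "50%"):
        result = simulate_interval(FLAKY_FLEET, concurrency, "10%")
        print(f"max-concurrency={concurrency:>3} max-errors=10% -> {result}")
```

With a concurrency of 1 the run stops on the sixth error; with 50% concurrency the first wave of 25 nodes completes and records eight errors before the stop takes effect.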

# Creating associations


State Manager, a tool in AWS Systems Manager, helps you keep your AWS resources in a state that you define and reduce configuration drift. To do this, State Manager uses associations. An *association* is a configuration that you assign to your AWS resources. The configuration defines the state that you want to maintain on your resources. For example, an association can specify that antivirus software must be installed and running on a managed node, or that certain ports must be closed.

An association specifies a schedule for when to apply the configuration and the targets for the association. For example, an association for antivirus software might run once a day on all managed nodes in an AWS account. If the software isn't installed on a node, then the association could instruct State Manager to install it. If the software is installed, but the service isn't running, then the association could instruct State Manager to start the service.

**Warning**  
When you create an association, you can choose an AWS resource group of managed nodes as the target for the association. If an AWS Identity and Access Management (IAM) user, group, or role has permission to create an association that targets a resource group of managed nodes, then that user, group, or role automatically has root-level control of all nodes in the group. Permit only trusted administrators to create associations. 
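
One way to find out which principals the warning applies to is to scan IAM policy documents for statements that allow association changes. The following is an added example, not AWS code: the function names and the sample policies are constructed, and the check looks only at `Allow` statements in identity policies (it does not evaluate explicit denies, permissions boundaries, or service control policies).

```python
import re

# SSM actions that create or change an association.
ASSOCIATION_ACTIONS = (
    "ssm:CreateAssociation",
    "ssm:CreateAssociationBatch",
    "ssm:UpdateAssociation",
)


def as_list(value):
    """IAM allows a single string or a list for Action, Resource, Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def pattern_matches(pattern, action):
    """IAM action patterns support * and ? wildcards and ignore case."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def granted_actions(statement):
    """Return the association actions an Allow statement grants."""
    if statement.get("Effect") != "Allow":
        return []
    if "NotAction" in statement:
        # NotAction grants everything except the listed patterns.
        excluded = as_list(statement["NotAction"])
        return [a for a in ASSOCIATION_ACTIONS
                if not any(pattern_matches(p, a) for p in excluded)]
    patterns = as_list(statement.get("Action"))
    return [a for a in ASSOCIATION_ACTIONS
            if any(pattern_matches(p, a) for p in patterns)]


def audit_policy(name, policy):
    """List the statements in one policy that allow association changes."""
    findings = []
    for index, statement in enumerate(as_list(policy.get("Statement"))):
        actions = granted_actions(statement)
        if not actions:
            continue
        resources = as_list(statement.get("Resource"))
        findings.append({
            "policy": name,
            "statement": statement.get("Sid", index),
            "actions": actions,
            "any_resource": "*" in resources or "NotResource" in statement,
            "conditioned": "Condition" in statement,
        })
    return findings


def audit_all(policies):
    return [f for name, doc in policies.items() for f in audit_policy(name, doc)]


# Constructed sample policies (account ID and names are placeholders).
SAMPLE_POLICIES = {
    "ops-admin": {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllSsm", "Effect": "Allow", "Action": "ssm:*", "Resource": "*"}]},
    "patch-operator": {"Version": "2012-10-17", "Statement": [
        {"Sid": "ScopedAssociation", "Effect": "Allow",
         "Action": ["ssm:CreateAssociation"],
         "Resource": [
             "arn:aws:ssm:us-east-1:111122223333:document/Example-Baseline",
             "arn:aws:ec2:us-east-1:111122223333:instance/*"],
         "Condition": {"StringEquals": {"aws:PrincipalTag/Team": "platform"}}}]},
    "inventory-reader": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ssm:Describe*", "ssm:List*"],
         "Resource": "*"}]},
    "everything-but-iam": {"Version": "2012-10-17", "Statement": [
        {"Sid": "BroadNotAction", "Effect": "Allow", "NotAction": "iam:*",
         "Resource": "*"}]},
}

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_POLICIES):
        print(finding)
```

Statements reported with `any_resource` set and no condition are the ones to review first, including the `NotAction` case that never names an SSM action.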

**Association targets and rate controls**  
An association specifies which managed nodes, or targets, should receive the association. State Manager includes several features to help you target your managed nodes and control how the association is deployed to those targets. For more information about targets and rate controls, see [Understanding targets and rate controls in State Manager associations](systems-manager-state-manager-targets-and-rate-controls.md).

**Tagging associations**  
You can assign tags to an association when you create it by using a command line tool such as the AWS CLI or AWS Tools for PowerShell. Adding tags to an association by using the Systems Manager console isn't supported. 

**Running associations**  
By default, State Manager runs an association immediately after you create it, and then according to the schedule that you've defined. 

The system also runs associations according to the following rules:
+ State Manager attempts to run the association on all specified or targeted nodes during an interval.
+ If an association doesn't run during an interval (because, for example, a concurrency value limited the number of nodes that could process the association at one time), then State Manager attempts to run the association during the next interval.
+ State Manager runs the association after changes to the association's configuration, target nodes, documents, or parameters. For more information, see [Understanding when associations are applied to resources](state-manager-about.md#state-manager-about-scheduling).
+ State Manager records history for all skipped intervals. You can view the history on the **Execution History** tab.

## Scheduling associations


You can schedule associations to run at basic intervals such as *every 10 hours*, or you can create more advanced schedules using custom cron and rate expressions. You can also prevent associations from running when you first create them. 

**Using cron and rate expressions to schedule association runs**  
In addition to standard cron and rate expressions, State Manager also supports cron expressions that include a day of the week and the number sign (#) to designate the *n*th day of a month to run an association. Here is an example that runs a cron schedule on the third Tuesday of every month at 23:30 UTC:

`cron(30 23 ? * TUE#3 *)`

Here is an example that runs on the second Thursday of every month at midnight UTC:

`cron(0 0 ? * THU#2 *)`

State Manager also supports the (L) sign to indicate the last *X* day of the month. Here is an example that runs a cron schedule on the last Tuesday of every month at midnight UTC:

`cron(0 0 ? * 3L *)`

To further control when an association runs, for example if you want to run an association two days after patch Tuesday, you can specify an offset. An *offset* defines how many days to wait after the scheduled day to run an association. For example, if you specified a cron schedule of `cron(0 0 ? * THU#2 *)`, you could specify the number 3 in the **Schedule offset** field to run the association each Sunday after the second Thursday of the month.

**Note**  
To use offsets, you must either select **Apply association only at the next specified Cron interval** in the console or specify the `ApplyOnlyAtCronInterval` parameter from the command line. When either of these options is activated, State Manager doesn't run the association immediately after you create it.

For more information about cron and rate expressions, see [Reference: Cron and rate expressions for Systems Manager](reference-cron-and-rate-expressions.md).
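
To check a schedule before deploying it, the following sketch computes the run date for the `#` and `L` forms shown above and applies a schedule offset. It is an added example, not AWS code: the function names are assumptions, it handles only expressions of the shape `cron(M H ? * <day>#<n> *)` and `cron(M H ? * <day>L *)`, and it uses the day numbering implied by the `3L` example (1 = Sunday, so 3 = Tuesday).

```python
import calendar
import re
from datetime import datetime, timedelta, timezone

# Day-of-week names in cron order; position + 1 is the numeric form (1 = SUN).
DAY_NAMES = ("SUN", "MON", "TUE", "WED", "THU", "FRI", "SAT")

# Only the forms discussed above: fixed minute and hour, '?' day-of-month,
# every month, and a day-of-week followed by '#n' or 'L'.
CRON_FORM = re.compile(r"cron\((\d{1,2}) (\d{1,2}) \? \* (\w+)(#[1-5]|L) \*\)")


def python_weekday(token):
    """Map 'TUE' or '3' (1 = Sunday) to Python's weekday number (0 = Monday)."""
    token = token.upper()
    if token in DAY_NAMES:
        cron_number = DAY_NAMES.index(token) + 1
    elif token.isdigit() and 1 <= int(token) <= 7:
        cron_number = int(token)
    else:
        raise ValueError(f"unknown day of week: {token!r}")
    return (cron_number + 5) % 7


def association_run(expression, year, month, offset_days=0):
    """Return the UTC run time for the given month, or None if the month
    has no such day (for example, a fifth Tuesday).

    offset_days models the Schedule offset field (1 to 6); 0 means no offset.
    """
    match = CRON_FORM.fullmatch(expression.strip())
    if match is None:
        raise ValueError(f"unsupported expression: {expression!r}")
    if not 0 <= offset_days <= 6:
        raise ValueError("schedule offset must be between 1 and 6")

    minute, hour = int(match[1]), int(match[2])
    weekday = python_weekday(match[3])
    selector = match[4]

    # All dates in the month that fall on the requested weekday.
    last_day = calendar.monthrange(year, month)[1]
    days = [day for day in range(1, last_day + 1)
            if calendar.weekday(year, month, day) == weekday]

    if selector == "L":
        day = days[-1]
    else:
        nth = int(selector[1:])
        if nth > len(days):
            return None
        day = days[nth - 1]

    scheduled = datetime(year, month, day, hour, minute, tzinfo=timezone.utc)
    # The offset is the number of days to wait after the scheduled day,
    # so the run can land in the following month.
    return scheduled + timedelta(days=offset_days)


if __name__ == "__main__":
    samples = [
        ("cron(30 23 ? * TUE#3 *)", 2025, 1, 0),
        ("cron(0 0 ? * THU#2 *)", 2025, 1, 3),
        ("cron(0 0 ? * 3L *)", 2025, 2, 6),
    ]
    for expression, year, month, offset in samples:
        run = association_run(expression, year, month, offset)
        print(f"{expression} offset={offset} -> {run:%A %Y-%m-%d %H:%M} UTC")
```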

## Create an association (console)


The following procedure describes how to use the Systems Manager console to create a State Manager association.

**Note**  
Note the following information.  
+ This procedure describes how to create an association that uses either a `Command` or a `Policy` document to target managed nodes. For information about creating an association that uses an Automation runbook to target nodes or other types of AWS resources, see [Scheduling automations with State Manager associations](scheduling-automations-state-manager-associations.md).
+ When creating an association, you can specify a maximum of five tag keys by using the AWS Management Console. *All* tag keys specified for the association must be currently assigned to the node. If they aren't, State Manager fails to target the node for the association.

**To create a State Manager association**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **State Manager**.

1. Choose **Create association**.

1. In the **Name** field, specify a name.

1. In the **Document** list, choose the option next to a document name. Note the document type. This procedure applies to `Command` and `Policy` documents. For information about creating an association that uses an Automation runbook, see [Scheduling automations with State Manager associations](scheduling-automations-state-manager-associations.md).
**Important**  
State Manager doesn't support running associations that use a new version of a document if that document is shared from another account. State Manager always runs the `default` version of a document if shared from another account, even though the Systems Manager console shows that a new version was processed. If you want to run an association using a new version of a document shared from another account, you must set the document version to `default`.

1. For **Parameters**, specify the required input parameters.

1. (Optional) For **Association Dispatch Assume Role**, select a role from the drop-down. State Manager will take actions using this role on your behalf. For information about setting up the custom-provided role, see [Setup roles for `AssociationDispatchAssumeRole`](state-manager-about.md#setup-assume-role) 
**Note**  
It is recommended that you define a custom IAM role so that you have full control of the permissions that State Manager has when taking actions on your behalf.  
Service-linked role support in State Manager is being phased out. Associations relying on service-linked role may require updates in the future to continue functioning properly.  
For information about managing the usage of custom-provided role, see [Manage usage of AssociationDispatchAssumeRole with `ssm:AssociationDispatchAssumeRole`](state-manager-about.md#context-key-assume-role).

1. (Optional) Choose a CloudWatch alarm to apply to your association for monitoring. 
**Note**  
Note the following information about this step.  
+ The alarms list displays a maximum of 100 alarms. If you don't see your alarm in the list, use the AWS Command Line Interface to create the association. For more information, see [Create an association (command line)](#create-state-manager-association-commandline).
+ To attach a CloudWatch alarm to your command, the IAM principal that creates the association must have permission for the `iam:createServiceLinkedRole` action. For more information about CloudWatch alarms, see [Using Amazon CloudWatch alarms](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html).
+ If your alarm activates, any pending command invocations or automations do not run.

1. For **Targets**, choose an option. For information about using targets, see [Understanding targets and rate controls in State Manager associations](systems-manager-state-manager-targets-and-rate-controls.md).
**Note**  
In order for associations that are created with Automation runbooks to be applied when new target nodes are detected, certain conditions must be met. For information, see [About target updates with Automation runbooks](state-manager-about.md#runbook-target-updates).

1. In the **Specify schedule** section, choose either **On Schedule** or **No schedule**. If you choose **On Schedule**, use the buttons provided to create a cron or rate schedule for the association. 

   If you don't want the association to run immediately after you create it, choose **Apply association only at the next specified Cron interval**.

1. (Optional) In the **Schedule offset** field, specify a number between 1 and 6. 

1. In the **Advanced options** section use **Compliance severity** to choose a severity level for the association and use **Change Calendars** to choose a change calendar for the association.

   Compliance reporting indicates whether the association state is compliant or noncompliant, along with the severity level you indicate here. For more information, see [About State Manager association compliance](compliance-about.md#compliance-about-association).

   The change calendar determines when the association runs. If the calendar is closed, the association isn't applied. If the calendar is open, the association runs accordingly. For more information, see [AWS Systems Manager Change Calendar](systems-manager-change-calendar.md).

1. In the **Rate control** section, choose options to control how the association runs on multiple nodes. For more information about using rate controls, see [Understanding targets and rate controls in State Manager associations](systems-manager-state-manager-targets-and-rate-controls.md).

   In the **Concurrency** section, choose an option: 
   + Choose **targets** to enter an absolute number of targets that can run the association simultaneously.
   + Choose **percentage** to enter a percentage of the target set that can run the association simultaneously.

   In the **Error threshold** section, choose an option:
   + Choose **errors** to enter an absolute number of errors that are allowed before State Manager stops running associations on additional targets.
   + Choose **percentage** to enter a percentage of errors that are allowed before State Manager stops running associations on additional targets.

1. (Optional) For **Output options**, to save the command output to a file, select the **Enable writing output to S3** box. Enter the bucket and prefix (folder) names in the boxes.
**Note**  
The S3 permissions that grant the ability to write the data to an S3 bucket are those of the instance profile assigned to the managed node, not those of the IAM user performing this task. For more information, see [Configure instance permissions required for Systems Manager](setup-instance-permissions.md) or [Create an IAM service role for a hybrid environment](hybrid-multicloud-service-role.md). In addition, if the specified S3 bucket is in a different AWS account, verify that the instance profile or IAM service role associated with the managed node has the necessary permissions to write to that bucket.

   Following are the minimal permissions required to turn on Amazon S3 output for an association. You can further restrict access by attaching IAM policies to users or roles within an account. At minimum, an Amazon EC2 instance profile should have an IAM role with the `AmazonSSMManagedInstanceCore` managed policy and the following inline policy. 

------
#### [ JSON ]


   ```
   {
       "Version":"2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "s3:PutObject",
                   "s3:GetObject",
                   "s3:PutObjectAcl"
               ],
               "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"
           }
       ]
   }
   ```

------

   For minimal permissions, the Amazon S3 bucket you export to must have the default settings defined by the Amazon S3 console. For more information about creating Amazon S3 buckets, see [Creating a bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html) in the *Amazon S3 User Guide*. 
**Note**  
API operations that are initiated by the SSM document during an association run are not logged in AWS CloudTrail.

1. Choose **Create Association**.

**Note**  
If you delete the association you created, the association no longer runs on any targets of that association.

## Create an association (command line)


The following procedure describes how to use the AWS CLI (on Linux or Windows Server) or Tools for PowerShell to create a State Manager association. This section includes several examples that show how to use targets and rate controls. Targets and rate controls allow you to assign an association to dozens or hundreds of nodes while controlling the execution of those associations. For more information about targets and rate controls, see [Understanding targets and rate controls in State Manager associations](systems-manager-state-manager-targets-and-rate-controls.md).

**Important**  
This procedure describes how to create an association that uses either a `Command` or a `Policy` document to target managed nodes. For information about creating an association that uses an Automation runbook to target nodes or other types of AWS resources, see [Scheduling automations with State Manager associations](scheduling-automations-state-manager-associations.md).

**Before you begin**  
The `targets` parameter is an array of search criteria that targets nodes using a `Key`,`Value` combination that you specify. If you plan to create an association on dozens or hundreds of nodes by using the `targets` parameter, review the following targeting options before you begin the procedure.

Target specific nodes by specifying IDs

```
--targets Key=InstanceIds,Values=instance-id-1,instance-id-2,instance-id-3
```

```
--targets Key=InstanceIds,Values=i-02573cafcfEXAMPLE,i-0471e04240EXAMPLE,i-07782c72faEXAMPLE
```

Target instances by using tags

```
--targets Key=tag:tag-key,Values=tag-value-1,tag-value-2,tag-value-3
```

```
--targets Key=tag:Environment,Values=Development,Test,Pre-production
```

Target nodes by using AWS Resource Groups

```
--targets Key=resource-groups:Name,Values=resource-group-name
```

```
--targets Key=resource-groups:Name,Values=WindowsInstancesGroup
```

Target all instances in the current AWS account and AWS Region

```
--targets Key=InstanceIds,Values=*
```

**Note**  
Note the following information.  
+ State Manager doesn't support running associations that use a new version of a document if that document is shared from another account. State Manager always runs the `default` version of a document if shared from another account, even though the Systems Manager console shows that a new version was processed. If you want to run an association using a new version of a document shared from another account, you must set the document version to `default`.
+ State Manager doesn't support `IncludeChildOrganizationUnits`, `ExcludeAccounts`, `TargetsMaxErrors`, `TargetsMaxConcurrency`, `Targets`, `TargetLocationAlarmConfiguration` parameters for [TargetLocation](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_TargetLocation.html).
+ You can specify a maximum of five tag keys by using the AWS CLI. If you use the AWS CLI, *all* tag keys specified in the `create-association` command must be currently assigned to the node. If they aren't, State Manager fails to target the node for an association.
+ When you create an association, you specify when the schedule runs. Specify the schedule by using a cron or rate expression. For more information about cron and rate expressions, see [Cron and rate expressions for associations](reference-cron-and-rate-expressions.md#reference-cron-and-rate-expressions-association).
+ In order for associations that are created with Automation runbooks to be applied when new target nodes are detected, certain conditions must be met. For information, see [About target updates with Automation runbooks](state-manager-about.md#runbook-target-updates).
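
Before running `create-association`, it helps to confirm which nodes a set of tag targets will actually reach and how wide the target scope is. The following is an added example, not AWS code: the function names and the inventory are constructed, and it models only the rules stated in this topic (a node must carry every specified tag key, any one of the listed values satisfies a key, at most five tag keys, and a single resource group).

```python
MAX_TAG_KEYS = 5  # limit stated above for the AWS CLI


def parse_target(shorthand):
    """Parse one '--targets' item, 'Key=<key>,Values=<v1>,<v2>', into (key, values)."""
    prefix, separator = "Key=", ",Values="
    if not shorthand.startswith(prefix) or separator not in shorthand:
        raise ValueError(f"not in Key=...,Values=... form: {shorthand!r}")
    key, values = shorthand[len(prefix):].split(separator, 1)
    return key, [value for value in values.split(",") if value]


def review_targets(shorthands):
    """Classify the scope of a target list and report rule violations."""
    targets = [parse_target(item) for item in shorthands]
    tag_keys = [key for key, _ in targets if key.startswith("tag:")]
    groups = [value for key, values in targets
              if key == "resource-groups:Name" for value in values]

    problems = []
    if len(tag_keys) > MAX_TAG_KEYS:
        problems.append(f"{len(tag_keys)} tag keys specified; the maximum is {MAX_TAG_KEYS}")
    if len(groups) > 1:
        problems.append("only a single resource group can be targeted")

    if any(key == "InstanceIds" and "*" in values for key, values in targets):
        scope = "all nodes in the account and Region"
    elif groups:
        scope = "resource group"
    elif tag_keys:
        scope = "tags"
    else:
        scope = "explicit node IDs"
    return {"scope": scope, "tag_keys": tag_keys, "problems": problems}


def nodes_matching_tags(shorthands, inventory):
    """Return IDs of inventory nodes that every tag target matches."""
    wanted = {key[len("tag:"):]: set(values)
              for key, values in map(parse_target, shorthands)
              if key.startswith("tag:")}
    if not wanted:
        raise ValueError("no tag targets supplied")
    # AND across tag keys, OR across the values listed for each key.
    return [node["id"] for node in inventory
            if all(node["tags"].get(key) in values for key, values in wanted.items())]


# Constructed inventory (IDs and tags are placeholders).
INVENTORY = [
    {"id": "i-EXAMPLE0001", "tags": {"Environment": "Development", "OS": "Linux"}},
    {"id": "i-EXAMPLE0002", "tags": {"Environment": "Test", "OS": "Windows"}},
    {"id": "i-EXAMPLE0003", "tags": {"Environment": "Production", "OS": "Linux"}},
    {"id": "i-EXAMPLE0004", "tags": {"OS": "Linux"}},
]

ENVIRONMENT_TARGET = "Key=tag:Environment,Values=Development,Test,Pre-production"
OS_TARGET = "Key=tag:OS,Values=Linux"

if __name__ == "__main__":
    print(review_targets([ENVIRONMENT_TARGET, OS_TARGET]))
    print(nodes_matching_tags([ENVIRONMENT_TARGET], INVENTORY))
    print(nodes_matching_tags([ENVIRONMENT_TARGET, OS_TARGET], INVENTORY))
    print(review_targets(["Key=InstanceIds,Values=*"]))
```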

**To create an association**

1. Install and configure the AWS CLI or the AWS Tools for PowerShell, if you haven't already.

   For information, see [Installing or updating the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) and [Installing the AWS Tools for PowerShell](https://docs.aws.amazon.com/powershell/latest/userguide/pstools-getting-set-up.html).

1. Use the following format to create a command that creates a State Manager association. Replace each *example resource placeholder* with your own information.

------
#### [ Linux & macOS ]

   ```
   aws ssm create-association \
       --name document_name \
       --document-version version_of_document_applied \
       --instance-id instances_to_apply_association_on \
       --parameters (if any) \
       --targets target_options \
       --association-dispatch-assume-role arn_of_role_to_be_used_when_dispatching_configurations \
       --schedule-expression "cron_or_rate_expression" \
       --apply-only-at-cron-interval required_parameter_for_schedule_offsets \
       --schedule-offset number_between_1_and_6 \
       --output-location s3_bucket_to_store_output_details \
       --association-name association_name \
       --max-errors a_number_of_errors_or_a_percentage_of_target_set \
       --max-concurrency a_number_of_instances_or_a_percentage_of_target_set \
       --compliance-severity severity_level \
       --calendar-names change_calendar_names \
       --target-locations aws_region_or_account \
       --tags "Key=tag_key,Value=tag_value"
   ```

------
#### [ Windows ]

   ```
   aws ssm create-association ^
       --name document_name ^
       --document-version version_of_document_applied ^
       --instance-id instances_to_apply_association_on ^
       --parameters (if any) ^
       --targets target_options ^
       --association-dispatch-assume-role arn_of_role_to_be_used_when_dispatching_configurations ^
       --schedule-expression "cron_or_rate_expression" ^
       --apply-only-at-cron-interval required_parameter_for_schedule_offsets ^
       --schedule-offset number_between_1_and_6 ^
       --output-location s3_bucket_to_store_output_details ^
       --association-name association_name ^
       --max-errors a_number_of_errors_or_a_percentage_of_target_set ^
       --max-concurrency a_number_of_instances_or_a_percentage_of_target_set ^
       --compliance-severity severity_level ^
       --calendar-names change_calendar_names ^
       --target-locations aws_region_or_account ^
       --tags "Key=tag_key,Value=tag_value"
   ```

------
#### [ PowerShell ]

   ```
   New-SSMAssociation `
       -Name document_name `
       -DocumentVersion version_of_document_applied `
       -InstanceId instances_to_apply_association_on `
       -Parameters (if any) `
       -Target target_options `
       -AssociationDispatchAssumeRole arn_of_role_to_be_used_when_dispatching_configurations `
       -ScheduleExpression "cron_or_rate_expression" `
       -ApplyOnlyAtCronInterval required_parameter_for_schedule_offsets `
       -ScheduleOffSet number_between_1_and_6 `
       -OutputLocation s3_bucket_to_store_output_details `
       -AssociationName association_name `
       -MaxError a_number_of_errors_or_a_percentage_of_target_set `
       -MaxConcurrency a_number_of_instances_or_a_percentage_of_target_set `
       -ComplianceSeverity severity_level `
       -CalendarNames change_calendar_names `
       -TargetLocations aws_region_or_account `
       -Tags "Key=tag_key,Value=tag_value"
   ```

------

   The following example creates an association on nodes tagged with `"Environment,Linux"`. The association uses the `AWS-UpdateSSMAgent` document to update the SSM Agent on the targeted nodes at 2:00 UTC every Sunday morning. This association runs simultaneously on 10 nodes maximum at any given time. Also, this association stops running on more nodes for a particular execution interval if the error count exceeds 5. For compliance reporting, this association is assigned a severity level of Medium.

------
#### [ Linux & macOS ]

   ```
   aws ssm create-association \
     --association-name Update_SSM_Agent_Linux \
     --targets Key=tag:Environment,Values=Linux \
     --name AWS-UpdateSSMAgent  \
     --association-dispatch-assume-role arn:aws:iam::123456789012:role/myAssociationDispatchAssumeRole \
     --compliance-severity "MEDIUM" \
     --schedule-expression "cron(0 2 ? * SUN *)" \
     --max-errors "5" \
     --max-concurrency "10"
   ```

------
#### [ Windows ]

   ```
   aws ssm create-association ^
     --association-name Update_SSM_Agent_Linux ^
     --targets Key=tag:Environment,Values=Linux ^
     --name AWS-UpdateSSMAgent  ^
     --association-dispatch-assume-role arn:aws:iam::123456789012:role/myAssociationDispatchAssumeRole ^
     --compliance-severity "MEDIUM" ^
     --schedule-expression "cron(0 2 ? * SUN *)" ^
     --max-errors "5" ^
     --max-concurrency "10"
   ```

------
#### [ PowerShell ]

   ```
   New-SSMAssociation `
     -AssociationName Update_SSM_Agent_Linux `
     -Name AWS-UpdateSSMAgent `
     -AssociationDispatchAssumeRole "arn:aws:iam::123456789012:role/myAssociationDispatchAssumeRole" `
     -Target @{
         "Key"="tag:Environment"
         "Values"="Linux"
       } `
     -ComplianceSeverity MEDIUM `
     -ScheduleExpression "cron(0 2 ? * SUN *)" `
     -MaxConcurrency 10 `
     -MaxError 5
   ```

------

   The following example targets node IDs by specifying a wildcard value (\*). This allows Systems Manager to create an association on *all* nodes in the current AWS account and AWS Region. This association runs simultaneously on 10 nodes maximum at any given time. Also, this association stops running on more nodes for a particular execution interval if the error count exceeds 5. For compliance reporting, this association is assigned a severity level of Medium. This association uses a schedule offset, which means it runs two days after the specified cron schedule. It also includes the `ApplyOnlyAtCronInterval` parameter, which is required to use the schedule offset and which means the association won't run immediately after it is created.

------
#### [ Linux & macOS ]

   ```
   aws ssm create-association \
     --association-name Update_SSM_Agent_Linux \
     --name "AWS-UpdateSSMAgent" \
     --association-dispatch-assume-role arn:aws:iam::123456789012:role/myAssociationDispatchAssumeRole \
     --targets "Key=instanceids,Values=*" \
     --compliance-severity "MEDIUM" \
     --schedule-expression "cron(0 2 ? * SUN#2 *)" \
     --apply-only-at-cron-interval \
     --schedule-offset 2 \
     --max-errors "5" \
     --max-concurrency "10"
   ```

------
#### [ Windows ]

   ```
   aws ssm create-association ^
     --association-name Update_SSM_Agent_Linux ^
     --name "AWS-UpdateSSMAgent" ^
     --association-dispatch-assume-role arn:aws:iam::123456789012:role/myAssociationDispatchAssumeRole ^
     --targets "Key=instanceids,Values=*" ^
     --compliance-severity "MEDIUM" ^
     --schedule-expression "cron(0 2 ? * SUN#2 *)" ^
     --apply-only-at-cron-interval ^
     --schedule-offset 2 ^
     --max-errors "5" ^
     --max-concurrency "10"
   ```

------
#### [ PowerShell ]

   ```
   New-SSMAssociation `
     -AssociationName Update_SSM_Agent_All `
     -Name AWS-UpdateSSMAgent `
     -AssociationDispatchAssumeRole "arn:aws:iam::123456789012:role/myAssociationDispatchAssumeRole" `
     -Target @{
         "Key"="InstanceIds"
         "Values"="*"
       } `
     -ScheduleExpression "cron(0 2 ? * SUN#2 *)" `
     -ApplyOnlyAtCronInterval `
     -ScheduleOffset 2 `
     -MaxConcurrency 10 `
     -MaxError 5 `
     -ComplianceSeverity MEDIUM
   ```

------

   The following example creates an association on nodes in Resource Groups. The group is named "HR-Department". The association uses the `AWS-UpdateSSMAgent` document to update SSM Agent on the targeted nodes at 2:00 UTC every Sunday morning. This association runs simultaneously on 10 nodes maximum at any given time. Also, this association stops running on more nodes for a particular execution interval if the error count exceeds 5. For compliance reporting, this association is assigned a severity level of Medium. This association runs at the specified cron schedule. It doesn't run immediately after the association is created.

------
#### [ Linux & macOS ]

   ```
   aws ssm create-association \
     --association-name Update_SSM_Agent_Linux \
     --targets Key=resource-groups:Name,Values=HR-Department \
     --name AWS-UpdateSSMAgent  \
     --association-dispatch-assume-role arn:aws:iam::123456789012:role/myAssociationDispatchAssumeRole \
     --compliance-severity "MEDIUM" \
     --schedule-expression "cron(0 2 ? * SUN *)" \
     --max-errors "5" \
     --max-concurrency "10" \
     --apply-only-at-cron-interval
   ```

------
#### [ Windows ]

   ```
   aws ssm create-association ^
     --association-name Update_SSM_Agent_Linux ^
     --targets Key=resource-groups:Name,Values=HR-Department ^
     --name AWS-UpdateSSMAgent  ^
     --association-dispatch-assume-role arn:aws:iam::123456789012:role/myAssociationDispatchAssumeRole ^
     --compliance-severity "MEDIUM" ^
     --schedule-expression "cron(0 2 ? * SUN *)" ^
     --max-errors "5" ^
     --max-concurrency "10" ^
     --apply-only-at-cron-interval
   ```

------
#### [ PowerShell ]

   ```
   New-SSMAssociation `
     -AssociationName Update_SSM_Agent_Linux `
     -Name AWS-UpdateSSMAgent `
     -AssociationDispatchAssumeRole "arn:aws:iam::123456789012:role/myAssociationDispatchAssumeRole" `
     -Target @{
         "Key"="resource-groups:Name"
         "Values"="HR-Department"
       } `
     -ScheduleExpression "cron(0 2 ? * SUN *)" `
     -MaxConcurrency 10 `
     -MaxError 5 `
     -ComplianceSeverity MEDIUM `
     -ApplyOnlyAtCronInterval
   ```

------

   The following example creates an association that runs on nodes tagged with a specific node ID. The association uses the SSM Agent document to update SSM Agent on the targeted nodes once when the change calendar is open. The association checks the calendar state when it runs. If the calendar is closed at launch time and the association is only run once, it won't run again because the association run window has passed. If the calendar is open, the association runs accordingly.
**Note**  
If you add new nodes to the tags or resource groups that an association acts on when the change calendar is closed, the association is applied to those nodes once the change calendar opens.

------
#### [ Linux & macOS ]

   ```
   aws ssm create-association \
     --association-name CalendarAssociation \
     --targets "Key=instanceids,Values=i-0cb2b964d3e14fd9f" \
     --name AWS-UpdateSSMAgent  \
     --association-dispatch-assume-role arn:aws:iam::123456789012:role/myAssociationDispatchAssumeRole \
     --calendar-names "arn:aws:ssm:us-east-1:123456789012:document/testCalendar1" \
     --schedule-expression "rate(1day)"
   ```

------
#### [ Windows ]

   ```
   aws ssm create-association ^
     --association-name CalendarAssociation ^
     --targets "Key=instanceids,Values=i-0cb2b964d3e14fd9f" ^
     --name AWS-UpdateSSMAgent  ^
     --association-dispatch-assume-role arn:aws:iam::123456789012:role/myAssociationDispatchAssumeRole ^
     --calendar-names "arn:aws:ssm:us-east-1:123456789012:document/testCalendar1" ^
     --schedule-expression "rate(1day)"
   ```

------
#### [ PowerShell ]

   ```
   New-SSMAssociation `
     -AssociationName CalendarAssociation `
     -Target @{
         "Key"="InstanceIds"
         "Values"="i-0cb2b964d3e14fd9f"
       } `
     -Name AWS-UpdateSSMAgent `
     -AssociationDispatchAssumeRole "arn:aws:iam::123456789012:role/myAssociationDispatchAssumeRole" `
     -CalendarNames "arn:aws:ssm:us-east-1:123456789012:document/testCalendar1" `
     -ScheduleExpression "rate(1day)"
   ```

------

   The following example creates an association that runs on nodes tagged with a specific node ID. The association uses the SSM Agent document to update SSM Agent on the targeted nodes at 2:00 AM every Sunday. This association runs only at the specified cron schedule when the change calendar is open. When the association is created, it checks the calendar state. If the calendar is closed, the association isn't applied. When the interval to apply the association starts at 2:00 AM on Sunday, the association checks to see if the calendar is open. If the calendar is open, the association runs accordingly.
**Note**  
If you add new nodes to the tags or resource groups that an association acts on when the change calendar is closed, the association is applied to those nodes once the change calendar opens.

------
#### [ Linux & macOS ]

   ```
   aws ssm create-association \
     --association-name MultiCalendarAssociation \
     --targets "Key=instanceids,Values=i-0cb2b964d3e14fd9f" \
     --name AWS-UpdateSSMAgent  \
     --association-dispatch-assume-role arn:aws:iam::123456789012:role/myAssociationDispatchAssumeRole \
     --calendar-names "arn:aws:ssm:us-east-1:123456789012:document/testCalendar1" "arn:aws:ssm:us-east-2:123456789012:document/testCalendar2" \
     --schedule-expression "cron(0 2 ? * SUN *)"
   ```

------
#### [ Windows ]

   ```
   aws ssm create-association ^
     --association-name MultiCalendarAssociation ^
     --targets "Key=instanceids,Values=i-0cb2b964d3e14fd9f" ^
     --name AWS-UpdateSSMAgent  ^
     --association-dispatch-assume-role arn:aws:iam::123456789012:role/myAssociationDispatchAssumeRole ^
     --calendar-names "arn:aws:ssm:us-east-1:123456789012:document/testCalendar1" "arn:aws:ssm:us-east-2:123456789012:document/testCalendar2" ^
     --schedule-expression "cron(0 2 ? * SUN *)"
   ```

------
#### [ PowerShell ]

   ```
   New-SSMAssociation `
     -AssociationName MultiCalendarAssociation `
     -Name AWS-UpdateSSMAgent `
     -AssociationDispatchAssumeRole "arn:aws:iam::123456789012:role/myAssociationDispatchAssumeRole" `
     -Target @{
         "Key"="InstanceIds"
         "Values"="i-0cb2b964d3e14fd9f"
       } `
     -CalendarNames "arn:aws:ssm:us-east-1:123456789012:document/testCalendar1","arn:aws:ssm:us-east-2:123456789012:document/testCalendar2" `
     -ScheduleExpression "cron(0 2 ? * SUN *)"
   ```

------

**Note**  
If you delete the association you created, the association no longer runs on any targets of that association. Also, if you specified the `apply-only-at-cron-interval` parameter, you can reset this option. To do so, specify the `no-apply-only-at-cron-interval` parameter when you update the association from the command line. This parameter forces the association to run immediately after updating the association and according to the interval specified.

# Editing and creating a new version of an association
Editing an association

You can edit a State Manager association to specify a new name, schedule, severity level, targets, or other values. For associations based on SSM Command-type documents, you can also choose to write the output of the command to an Amazon Simple Storage Service (Amazon S3) bucket. After you edit an association, State Manager creates a new version. You can view different versions after editing, as described in the following procedures. 

**Note**  
In order for associations that are created with Automation runbooks to be applied when new target nodes are detected, certain conditions must be met. For information, see [About target updates with Automation runbooks](state-manager-about.md#runbook-target-updates).

The following procedures describe how to edit and create a new version of an association using the Systems Manager console, AWS Command Line Interface (AWS CLI), and AWS Tools for PowerShell (Tools for PowerShell). 

**Important**  
State Manager doesn't support running associations that use a new version of a document if that document is shared from another account. State Manager always runs the `default` version of a document if shared from another account, even though the Systems Manager console shows that a new version was processed. If you want to run an association using a new version of a document shared from another account, you must set the document version to `default`.

## Edit an association (console)


The following procedure describes how to use the Systems Manager console to edit and create a new version of an association.

**Note**  
For associations that use SSM Command documents, not Automation runbooks, this procedure requires that you have write access to an existing Amazon S3 bucket. If you haven't used Amazon S3 before, be aware that you will incur charges for using Amazon S3. For information about how to create a bucket, see [Create a Bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/CreatingABucket.html).

**To edit a State Manager association**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **State Manager**.

1. Choose an existing association, and then choose **Edit**.

1. Reconfigure the association to meet your current requirements. 

   For information about association options with `Command` and `Policy` documents, see [Creating associations](state-manager-associations-creating.md). For information about association options with Automation runbooks, see [Scheduling automations with State Manager associations](scheduling-automations-state-manager-associations.md).

1. Choose **Save Changes**. 

1. (Optional) To view association information, in the **Associations** page, choose the name of the association you edited, and then choose the **Versions** tab. The system lists each version of the association you created and edited.

1. (Optional) To view output for associations based on SSM `Command` documents, do the following:

   1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

   1. Choose the name of the Amazon S3 bucket you specified for storing command output, and then choose the folder named with the ID of the node that ran the association. (If you chose to store output in a folder in the bucket, open it first.)

   1. Drill down several levels, through the `awsrunPowerShell` folder, to the `stdout` file.

   1. Choose **Open** or **Download** to view the host name.

## Edit an association (command line)


The following procedure describes how to use the AWS CLI (on Linux or Windows Server) or AWS Tools for PowerShell to edit and create a new version of an association.

**To edit a State Manager association**

1. Install and configure the AWS CLI or the AWS Tools for PowerShell, if you haven't already.

   For information, see [Installing or updating the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) and [Installing the AWS Tools for PowerShell](https://docs.aws.amazon.com/powershell/latest/userguide/pstools-getting-set-up.html).

1. Use the following format to create a command to edit and create a new version of an existing State Manager association. Replace each *example resource placeholder* with your own information.
**Important**  
When you call [`update-association`](https://docs.aws.amazon.com/cli/latest/reference/ssm/update-association.html), the system drops all optional parameters from the request and overwrites the association with null values for those parameters. This is by design. You must specify all optional parameters in the call, even if you are not changing the parameters. This includes the `--name` parameter. Before calling this action, we recommend that you call the [`describe-association`](https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-association.html) operation and make a note of all optional parameters required for your `update-association` call.

------
#### [ Linux & macOS ]

   ```
   aws ssm update-association \
       --name document_name \
       --document-version version_of_document_applied \
       --instance-id instances_to_apply_association_on \
       --parameters (if any) \
       --targets target_options \
       --association-dispatch-assume-role arn_of_role_to_be_used_when_dispatching_configurations \
       --schedule-expression "cron_or_rate_expression" \
       --schedule-offset "number_between_1_and_6" \
       --output-location s3_bucket_to_store_output_details \
       --association-name association_name \
       --max-errors a_number_of_errors_or_a_percentage_of_target_set \
       --max-concurrency a_number_of_instances_or_a_percentage_of_target_set \
       --compliance-severity severity_level \
       --calendar-names change_calendar_names \
       --target-locations aws_region_or_account
   ```

------
#### [ Windows ]

   ```
   aws ssm update-association ^
       --name document_name ^
       --document-version version_of_document_applied ^
       --instance-id instances_to_apply_association_on ^
       --parameters (if any) ^
       --targets target_options ^
       --association-dispatch-assume-role arn_of_role_to_be_used_when_dispatching_configurations ^
       --schedule-expression "cron_or_rate_expression" ^
       --schedule-offset "number_between_1_and_6" ^
       --output-location s3_bucket_to_store_output_details ^
       --association-name association_name ^
       --max-errors a_number_of_errors_or_a_percentage_of_target_set ^
       --max-concurrency a_number_of_instances_or_a_percentage_of_target_set ^
       --compliance-severity severity_level ^
       --calendar-names change_calendar_names ^
       --target-locations aws_region_or_account
   ```

------
#### [ PowerShell ]

   ```
   Update-SSMAssociation `
       -Name document_name `
       -DocumentVersion version_of_document_applied `
       -InstanceId instances_to_apply_association_on `
       -Parameters (if any) `
       -Target target_options `
       -AssociationDispatchAssumeRole arn_of_role_to_be_used_when_dispatching_configurations `
       -ScheduleExpression "cron_or_rate_expression" `
       -ScheduleOffset "number_between_1_and_6" `
       -OutputLocation s3_bucket_to_store_output_details `
       -AssociationName association_name `
       -MaxError a_number_of_errors_or_a_percentage_of_target_set `
       -MaxConcurrency a_number_of_instances_or_a_percentage_of_target_set `
       -ComplianceSeverity severity_level `
       -CalendarNames change_calendar_names `
       -TargetLocations aws_region_or_account
   ```

------

   The following example updates an existing association to change the name to `TestHostnameAssociation2`. The new association version runs every hour and writes the output of commands to the specified Amazon S3 bucket.

------
#### [ Linux & macOS ]

   ```
   aws ssm update-association \
     --association-id 8dfe3659-4309-493a-8755-01234EXAMPLE \
     --association-name TestHostnameAssociation2 \
     --parameters commands="echo Association" \
     --association-dispatch-assume-role arn:aws:iam::123456789012:role/myAssociationDispatchAssumeRole \
     --output-location S3Location='{OutputS3Region=us-east-1,OutputS3BucketName=amzn-s3-demo-bucket,OutputS3KeyPrefix=logs}' \
     --schedule-expression "cron(0 */1 * * ? *)"
   ```

------
#### [ Windows ]

   ```
   aws ssm update-association ^
     --association-id 8dfe3659-4309-493a-8755-01234EXAMPLE ^
     --association-name TestHostnameAssociation2 ^
     --parameters commands="echo Association" ^
     --association-dispatch-assume-role arn:aws:iam::123456789012:role/myAssociationDispatchAssumeRole ^
     --output-location S3Location='{OutputS3Region=us-east-1,OutputS3BucketName=amzn-s3-demo-bucket,OutputS3KeyPrefix=logs}' ^
     --schedule-expression "cron(0 */1 * * ? *)"
   ```

------
#### [ PowerShell ]

   ```
   Update-SSMAssociation `
     -AssociationId b85ccafe-9f02-4812-9b81-01234EXAMPLE `
     -AssociationName TestHostnameAssociation2 `
     -Parameter @{"commands"="echo Association"} `
     -AssociationDispatchAssumeRole "arn:aws:iam::123456789012:role/myAssociationDispatchAssumeRole" `
     -S3Location_OutputS3BucketName amzn-s3-demo-bucket `
     -S3Location_OutputS3KeyPrefix logs `
     -S3Location_OutputS3Region us-east-1 `
     -ScheduleExpression "cron(0 */1 * * ? *)"
   ```

------

   The following example updates an existing association to change the name to `CalendarAssociation`. The new association runs when the calendar is open and writes command output to the specified Amazon S3 bucket. 

------
#### [ Linux & macOS ]

   ```
   aws ssm update-association \
     --association-id 8dfe3659-4309-493a-8755-01234EXAMPLE \
     --association-name CalendarAssociation \
     --parameters commands="echo Association" \
     --output-location S3Location='{OutputS3Region=us-east-1,OutputS3BucketName=amzn-s3-demo-bucket,OutputS3KeyPrefix=logs}' \
     --calendar-names "arn:aws:ssm:us-east-1:123456789012:document/testCalendar2"
   ```

------
#### [ Windows ]

   ```
   aws ssm update-association ^
     --association-id 8dfe3659-4309-493a-8755-01234EXAMPLE ^
     --association-name CalendarAssociation ^
     --parameters commands="echo Association" ^
     --output-location S3Location='{OutputS3Region=us-east-1,OutputS3BucketName=amzn-s3-demo-bucket,OutputS3KeyPrefix=logs}' ^
     --calendar-names "arn:aws:ssm:us-east-1:123456789012:document/testCalendar2"
   ```

------
#### [ PowerShell ]

   ```
   Update-SSMAssociation `
     -AssociationId b85ccafe-9f02-4812-9b81-01234EXAMPLE `
     -AssociationName CalendarAssociation `
     -Parameter @{"commands"="echo Association"} `
     -S3Location_OutputS3BucketName amzn-s3-demo-bucket `
     -CalendarNames "arn:aws:ssm:us-east-1:123456789012:document/testCalendar2"
   ```

------

   The following example updates an existing association to change the name to `MultiCalendarAssociation`. The new association runs when the calendars are open and writes command output to the specified Amazon S3 bucket. 

------
#### [ Linux & macOS ]

   ```
   aws ssm update-association \
     --association-id 8dfe3659-4309-493a-8755-01234EXAMPLE \
     --association-name MultiCalendarAssociation \
     --parameters commands="echo Association" \
     --output-location S3Location='{OutputS3Region=us-east-1,OutputS3BucketName=amzn-s3-demo-bucket,OutputS3KeyPrefix=logs}' \
     --calendar-names "arn:aws:ssm:us-east-1:123456789012:document/testCalendar1" "arn:aws:ssm:us-east-2:123456789012:document/testCalendar2"
   ```

------
#### [ Windows ]

   ```
   aws ssm update-association ^
     --association-id 8dfe3659-4309-493a-8755-01234EXAMPLE ^
     --association-name MultiCalendarAssociation ^
     --parameters commands="echo Association" ^
     --output-location S3Location='{OutputS3Region=us-east-1,OutputS3BucketName=amzn-s3-demo-bucket,OutputS3KeyPrefix=logs}' ^
     --calendar-names "arn:aws:ssm:us-east-1:123456789012:document/testCalendar1" "arn:aws:ssm:us-east-2:123456789012:document/testCalendar2"
   ```

------
#### [ PowerShell ]

   ```
   Update-SSMAssociation `
     -AssociationId b85ccafe-9f02-4812-9b81-01234EXAMPLE `
     -AssociationName MultiCalendarAssociation `
     -Parameter @{"commands"="echo Association"} `
     -S3Location_OutputS3BucketName amzn-s3-demo-bucket `
     -CalendarNames "arn:aws:ssm:us-east-1:123456789012:document/testCalendar1","arn:aws:ssm:us-east-2:123456789012:document/testCalendar2"
   ```

------

1. To view the new version of the association, run the following command.

------
#### [ Linux & macOS ]

   ```
   aws ssm describe-association \
     --association-id b85ccafe-9f02-4812-9b81-01234EXAMPLE
   ```

------
#### [ Windows ]

   ```
   aws ssm describe-association ^
     --association-id b85ccafe-9f02-4812-9b81-01234EXAMPLE
   ```

------
#### [ PowerShell ]

   ```
   Get-SSMAssociation `
     -AssociationId b85ccafe-9f02-4812-9b81-01234EXAMPLE | Select-Object *
   ```

------

   The system returns information like the following.

------
#### [ Linux & macOS ]

   ```
   {
       "AssociationDescription": {
           "ScheduleExpression": "cron(0 */1 * * ? *)",
           "OutputLocation": {
               "S3Location": {
                   "OutputS3KeyPrefix": "logs",
                   "OutputS3BucketName": "amzn-s3-demo-bucket",
                   "OutputS3Region": "us-east-1"
               }
           },
           "Name": "AWS-RunPowerShellScript",
           "Parameters": {
               "commands": [
                   "echo Association"
               ]
           },
           "LastExecutionDate": 1559316400.338,
           "Overview": {
               "Status": "Success",
               "DetailedStatus": "Success",
               "AssociationStatusAggregatedCount": {}
           },
           "AssociationId": "b85ccafe-9f02-4812-9b81-01234EXAMPLE",
           "DocumentVersion": "$DEFAULT",
           "LastSuccessfulExecutionDate": 1559316400.338,
           "LastUpdateAssociationDate": 1559316389.753,
           "Date": 1559314038.532,
           "AssociationVersion": "2",
           "AssociationName": "TestHostnameAssociation2",
           "Targets": [
               {
                   "Values": [
                       "Windows"
                   ],
                   "Key": "tag:Environment"
               }
           ]
       }
   }
   ```

------
#### [ Windows ]

   ```
   {
       "AssociationDescription": {
           "ScheduleExpression": "cron(0 */1 * * ? *)",
           "OutputLocation": {
               "S3Location": {
                   "OutputS3KeyPrefix": "logs",
                   "OutputS3BucketName": "amzn-s3-demo-bucket",
                   "OutputS3Region": "us-east-1"
               }
           },
           "Name": "AWS-RunPowerShellScript",
           "Parameters": {
               "commands": [
                   "echo Association"
               ]
           },
           "LastExecutionDate": 1559316400.338,
           "Overview": {
               "Status": "Success",
               "DetailedStatus": "Success",
               "AssociationStatusAggregatedCount": {}
           },
           "AssociationId": "b85ccafe-9f02-4812-9b81-01234EXAMPLE",
           "DocumentVersion": "$DEFAULT",
           "LastSuccessfulExecutionDate": 1559316400.338,
           "LastUpdateAssociationDate": 1559316389.753,
           "Date": 1559314038.532,
           "AssociationVersion": "2",
           "AssociationName": "TestHostnameAssociation2",
           "Targets": [
               {
                   "Values": [
                       "Windows"
                   ],
                   "Key": "tag:Environment"
               }
           ]
       }
   }
   ```

------
#### [ PowerShell ]

   ```
   AssociationId                 : b85ccafe-9f02-4812-9b81-01234EXAMPLE
   AssociationName               : TestHostnameAssociation2
   AssociationVersion            : 2
   AutomationTargetParameterName : 
   ComplianceSeverity            : 
   Date                          : 5/31/2019 2:47:18 PM
   DocumentVersion               : $DEFAULT
   InstanceId                    : 
   LastExecutionDate             : 5/31/2019 3:26:40 PM
   LastSuccessfulExecutionDate   : 5/31/2019 3:26:40 PM
   LastUpdateAssociationDate     : 5/31/2019 3:26:29 PM
   MaxConcurrency                : 
   MaxErrors                     : 
   Name                          : AWS-RunPowerShellScript
   OutputLocation                : Amazon.SimpleSystemsManagement.Model.InstanceAssociationOutputLocation
   Overview                      : Amazon.SimpleSystemsManagement.Model.AssociationOverview
   Parameters                    : {[commands, Amazon.Runtime.Internal.Util.AlwaysSendList`1[System.String]]}
   ScheduleExpression            : cron(0 */1 * * ? *)
   Status                        : 
   Targets                       : {tag:Environment}
   ```

------
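
The **Important** note in this procedure means that an edit which names only the changed option also clears settings such as the output location, the dispatch role, and the change calendars. The following Python sketch is an added example, not AWS-provided code: it builds a complete `UpdateAssociation` request from `describe-association` output plus the intended changes. The helper names are hypothetical, the sample input is trimmed from the output shown above, and the `AssociationDispatchAssumeRole` field name is assumed from the command-line option on this page.

```python
import copy

# Request fields that UpdateAssociation accepts and DescribeAssociation returns.
# AssociationDispatchAssumeRole is assumed from this page's
# --association-dispatch-assume-role / -AssociationDispatchAssumeRole option.
CARRY_FORWARD = (
    "Name", "DocumentVersion", "Parameters", "Targets", "ScheduleExpression",
    "ScheduleOffset", "OutputLocation", "AssociationName", "MaxErrors",
    "MaxConcurrency", "ComplianceSeverity", "SyncCompliance",
    "ApplyOnlyAtCronInterval", "CalendarNames", "TargetLocations",
    "AutomationTargetParameterName", "AssociationDispatchAssumeRole",
)

# Values treated as "not set" and therefore left out of the request.
EMPTY = (None, "", [], {})

# Trimmed copy of the describe-association output shown on this page.
SAMPLE_DESCRIBE_OUTPUT = {
    "AssociationDescription": {
        "AssociationId": "b85ccafe-9f02-4812-9b81-01234EXAMPLE",
        "AssociationName": "TestHostnameAssociation2",
        "AssociationVersion": "2",
        "Name": "AWS-RunPowerShellScript",
        "DocumentVersion": "$DEFAULT",
        "ScheduleExpression": "cron(0 */1 * * ? *)",
        "Parameters": {"commands": ["echo Association"]},
        "OutputLocation": {
            "S3Location": {
                "OutputS3Region": "us-east-1",
                "OutputS3BucketName": "amzn-s3-demo-bucket",
                "OutputS3KeyPrefix": "logs",
            }
        },
        "Targets": [{"Key": "tag:Environment", "Values": ["Windows"]}],
        "Overview": {"Status": "Success", "DetailedStatus": "Success"},
    }
}


def build_update_request(description, changes):
    """Merge `changes` over the current settings and return the full request.

    Read-only fields (Overview, AssociationVersion, dates) are never copied.
    Set a field to None in `changes` to clear it on purpose.
    """
    current = description["AssociationDescription"]
    unknown = set(changes) - set(CARRY_FORWARD)
    if unknown:
        raise ValueError(f"not an updatable field: {sorted(unknown)}")

    request = {"AssociationId": current["AssociationId"]}
    for field in CARRY_FORWARD:
        value = changes[field] if field in changes else current.get(field)
        if value in EMPTY:
            continue  # omitted here, so the service stores null for it
        request[field] = copy.deepcopy(value)
    return request


def fields_lost_by(partial_request, description):
    """List the settings a partial request would silently reset to null."""
    current = description["AssociationDescription"]
    return sorted(
        field for field in CARRY_FORWARD
        if current.get(field) not in EMPTY and field not in partial_request
    )


if __name__ == "__main__":
    new_schedule = {"ScheduleExpression": "cron(0 2 ? * SUN *)"}
    naive = {"AssociationId": "b85ccafe-9f02-4812-9b81-01234EXAMPLE", **new_schedule}
    print("naive update would clear:", fields_lost_by(naive, SAMPLE_DESCRIBE_OUTPUT))
    request = build_update_request(SAMPLE_DESCRIBE_OUTPUT, new_schedule)
    print("safe update sends:", sorted(request))
    # With boto3 installed and credentials configured:
    #   boto3.client("ssm").update_association(**request)
```

Running `fields_lost_by` on a proposed request before sending it is a cheap review gate for change pipelines that edit associations.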

# Deleting associations


Use the following procedure to delete an association by using the AWS Systems Manager console.

**To delete an association**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **State Manager**.

1. Select an association and then choose **Delete**.

You can delete multiple associations in a single operation by running an automation from the AWS Systems Manager console. When you select multiple associations for deletion, State Manager launches the automation runbook start page with the association IDs entered as input parameter values. 

**To delete multiple associations in a single operation**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **State Manager**.

1. Select each association that you want to delete and then choose **Delete**.

1. (Optional) In the **Additional input parameters** area, select the Amazon Resource Name (ARN) for the *assume role* that you want the automation to use while running. To create a new assume role, choose **Create**.

1. Choose **Submit**.

# Running Auto Scaling groups with associations


The best practice when using associations to run Auto Scaling groups is to use tag targets. Not using tags might cause you to reach the association limit. 

If all nodes are tagged with the same key and value, you only need one association to run your Auto Scaling group. The following procedure describes how to create such an association.

**To create an association that runs Auto Scaling groups**

1. Ensure all nodes in the Auto Scaling group are tagged with the same key and value. For more instructions on tagging nodes, see [Tagging Auto Scaling groups and instances](https://docs.aws.amazon.com//autoscaling/ec2/userguide/autoscaling-tagging.html) in the *AWS Auto Scaling User Guide*. 

1. Create an association by using the procedure in [Working with associations in Systems Manager](state-manager-associations.md). 

   If you're working in the console, choose **Specify instance tags** in the **Targets** field. For **Instance tags**, enter the **Tag** key and value for your Auto Scaling group.

   If you're using the AWS Command Line Interface (AWS CLI), specify `--targets Key=tag:tag-key,Values=tag-value` where the key and value match what you tagged your nodes with. 

# Viewing association histories


You can view all executions for a specific association ID by using the [DescribeAssociationExecutions](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_DescribeAssociationExecutions.html) API operation. Use this operation to see the status, detailed status, results, last execution time, and more information for a State Manager association. State Manager is a tool in AWS Systems Manager. This API operation also includes filters to help you locate associations according to the criteria you specify. For example, you can specify an exact date and time, and use a `GREATER_THAN` filter to view executions processed after the specified date and time.

If, for example, an association execution failed, you can drill down into the details of a specific execution by using the [DescribeAssociationExecutionTargets](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_DescribeAssociationExecutionTargets.html) API operation. This operation shows you the resources, such as node IDs, where the association ran and the various association statuses. You can then see which resource or node failed to run an association. With the resource ID you can then view the command execution details to see which step in a command failed.

The examples in this section also include information about how to use the [StartAssociationsOnce](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_StartAssociationsOnce.html) API operation to run an association once at the time of creation. You can use this API operation when you investigate failed association executions. If you see that an association failed, you can make a change on the resource, and then immediately run the association to see if the change on the resource allows the association to run successfully.

**Note**  
API operations that are initiated by the SSM document during an association run are not logged in AWS CloudTrail.

## Viewing association histories (console)


Use the following procedure to view the execution history for a specific association ID and then view execution details for one or more resources. 

**To view execution history for a specific association ID**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. Choose **State Manager**.

1. In the **Association id** field, choose an association for which you want to view the history.

1. Choose the **View details** button.

1. Choose the **Execution history** tab.

1. Choose an association for which you want to view resource-level execution details. For example, choose an association that shows a status of **Failed**. You can then view the execution details for the nodes that failed to run the association.

   Use the search box filters to locate the execution for which you want to view details.  
![\[Filtering the list of State Manager association executions.\]](http://docs.aws.amazon.com/systems-manager/latest/userguide/images/sysman-state-executions-filter.png)

1. Choose an execution ID. The **Association execution targets** page opens. This page shows all the resources that ran the association.

1. Choose a resource ID to view specific information about that resource.

   Use the search box filters to locate the resource for which you want to view details.  
![\[Filtering the list of State Manager association executions targets.\]](http://docs.aws.amazon.com/systems-manager/latest/userguide/images/sysman-state-executions-targets-filter.png)

1. If you're investigating an association that failed to run, you can use the **Apply association now** button to run an association once at the time of creation. After you make changes on the resource where the association failed to run, choose the **Association ID** link in the navigation breadcrumb.

1. Choose the **Apply association now** button. After the execution is complete, verify that the association execution succeeded.

## Viewing association histories (command line)


The following procedure describes how to use the AWS Command Line Interface (AWS CLI) (on Linux or Windows Server) or AWS Tools for PowerShell to view the execution history for a specific association ID. Following this, the procedure describes how to view execution details for one or more resources.

**To view execution history for a specific association ID**

1. Install and configure the AWS CLI or the AWS Tools for PowerShell, if you haven't already.

   For information, see [Installing or updating the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) and [Installing the AWS Tools for PowerShell](https://docs.aws.amazon.com/powershell/latest/userguide/pstools-getting-set-up.html).

1. Run the following command to view a list of executions for a specific association ID.

------
#### [ Linux & macOS ]

   ```
   aws ssm describe-association-executions \
     --association-id ID \
     --filters Key=CreatedTime,Value="2018-04-10T19:15:38.372Z",Type=GREATER_THAN
   ```

**Note**  
This command includes a filter to limit the results to only those executions that occurred after a specific date and time. If you want to view all executions for a specific association ID, remove the `--filters` parameter and its `Key=CreatedTime,Value="2018-04-10T19:15:38.372Z",Type=GREATER_THAN` value.

------
#### [ Windows ]

   ```
   aws ssm describe-association-executions ^
     --association-id ID ^
     --filters Key=CreatedTime,Value="2018-04-10T19:15:38.372Z",Type=GREATER_THAN
   ```

**Note**  
This command includes a filter to limit the results to only those executions that occurred after a specific date and time. If you want to view all executions for a specific association ID, remove the `--filters` parameter and its `Key=CreatedTime,Value="2018-04-10T19:15:38.372Z",Type=GREATER_THAN` value.

------
#### [ PowerShell ]

   ```
   Get-SSMAssociationExecution `
     -AssociationId ID `
     -Filter @{"Key"="CreatedTime";"Value"="2019-06-01T19:15:38.372Z";"Type"="GREATER_THAN"}
   ```

**Note**  
This command includes a filter to limit the results to only those executions that occurred after a specific date and time. If you want to view all executions for a specific association ID, remove the `-Filter` parameter and its `@{"Key"="CreatedTime";"Value"="2019-06-01T19:15:38.372Z";"Type"="GREATER_THAN"}` value.

------

   The system returns information like the following.

------
#### [ Linux & macOS ]

   ```
   {
      "AssociationExecutions":[
         {
            "Status":"Success",
            "DetailedStatus":"Success",
            "AssociationId":"c336d2ab-09de-44ba-8f6a-6136cEXAMPLE",
            "ExecutionId":"76a5a04f-caf6-490c-b448-92c02EXAMPLE",
            "CreatedTime":1523986028.219,
            "AssociationVersion":"1"
         },
         {
            "Status":"Success",
            "DetailedStatus":"Success",
            "AssociationId":"c336d2ab-09de-44ba-8f6a-6136cEXAMPLE",
            "ExecutionId":"791b72e0-f0da-4021-8b35-f95dfEXAMPLE",
            "CreatedTime":1523984226.074,
            "AssociationVersion":"1"
         },
         {
            "Status":"Success",
            "DetailedStatus":"Success",
            "AssociationId":"c336d2ab-09de-44ba-8f6a-6136cEXAMPLE",
            "ExecutionId":"ecec60fa-6bb0-4d26-98c7-140308EXAMPLE",
            "CreatedTime":1523982404.013,
            "AssociationVersion":"1"
         }
      ]
   }
   ```

------
#### [ Windows ]

   ```
   {
      "AssociationExecutions":[
         {
            "Status":"Success",
            "DetailedStatus":"Success",
            "AssociationId":"c336d2ab-09de-44ba-8f6a-6136cEXAMPLE",
            "ExecutionId":"76a5a04f-caf6-490c-b448-92c02EXAMPLE",
            "CreatedTime":1523986028.219,
            "AssociationVersion":"1"
         },
         {
            "Status":"Success",
            "DetailedStatus":"Success",
            "AssociationId":"c336d2ab-09de-44ba-8f6a-6136cEXAMPLE",
            "ExecutionId":"791b72e0-f0da-4021-8b35-f95dfEXAMPLE",
            "CreatedTime":1523984226.074,
            "AssociationVersion":"1"
         },
         {
            "Status":"Success",
            "DetailedStatus":"Success",
            "AssociationId":"c336d2ab-09de-44ba-8f6a-6136cEXAMPLE",
            "ExecutionId":"ecec60fa-6bb0-4d26-98c7-140308EXAMPLE",
            "CreatedTime":1523982404.013,
            "AssociationVersion":"1"
         }
      ]
   }
   ```

------
#### [ PowerShell ]

   ```
   AssociationId         : c336d2ab-09de-44ba-8f6a-6136cEXAMPLE
   AssociationVersion    : 1
   CreatedTime           : 8/18/2019 2:00:50 AM
   DetailedStatus        : Success
   ExecutionId           : 76a5a04f-caf6-490c-b448-92c02EXAMPLE
   LastExecutionDate     : 1/1/0001 12:00:00 AM
   ResourceCountByStatus : {Success=1}
   Status                : Success
   
   AssociationId         : c336d2ab-09de-44ba-8f6a-6136cEXAMPLE
   AssociationVersion    : 1
   CreatedTime           : 8/11/2019 2:00:54 AM
   DetailedStatus        : Success
   ExecutionId           : 791b72e0-f0da-4021-8b35-f95dfEXAMPLE
   LastExecutionDate     : 1/1/0001 12:00:00 AM
   ResourceCountByStatus : {Success=1}
   Status                : Success
   
   AssociationId         : c336d2ab-09de-44ba-8f6a-6136cEXAMPLE
   AssociationVersion    : 1
   CreatedTime           : 8/4/2019 2:01:00 AM
   DetailedStatus        : Success
   ExecutionId           : ecec60fa-6bb0-4d26-98c7-140308EXAMPLE
   LastExecutionDate     : 1/1/0001 12:00:00 AM
   ResourceCountByStatus : {Success=1}
   Status                : Success
   ```

------

   You can limit the results by using one or more filters. The following example returns all associations that were run before a specific date and time. 

------
#### [ Linux & macOS ]

   ```
   aws ssm describe-association-executions \
     --association-id ID \
     --filters Key=CreatedTime,Value="2018-04-10T19:15:38.372Z",Type=LESS_THAN
   ```

------
#### [ Windows ]

   ```
   aws ssm describe-association-executions ^
     --association-id ID ^
     --filters Key=CreatedTime,Value="2018-04-10T19:15:38.372Z",Type=LESS_THAN
   ```

------
#### [ PowerShell ]

   ```
   Get-SSMAssociationExecution `
     -AssociationId 14bea65d-5ccc-462d-a2f3-e99c8EXAMPLE `
     -Filter @{"Key"="CreatedTime";"Value"="2019-06-01T19:15:38.372Z";"Type"="LESS_THAN"}
   ```

------

   The following returns all associations that were *successfully* run after a specific date and time.

------
#### [ Linux & macOS ]

   ```
   aws ssm describe-association-executions \
     --association-id ID \
     --filters Key=CreatedTime,Value="2018-04-10T19:15:38.372Z",Type=GREATER_THAN Key=Status,Value=Success,Type=EQUAL
   ```

------
#### [ Windows ]

   ```
   aws ssm describe-association-executions ^
     --association-id ID ^
     --filters Key=CreatedTime,Value="2018-04-10T19:15:38.372Z",Type=GREATER_THAN Key=Status,Value=Success,Type=EQUAL
   ```

------
#### [ PowerShell ]

   ```
   Get-SSMAssociationExecution `
     -AssociationId 14bea65d-5ccc-462d-a2f3-e99c8EXAMPLE `
     -Filter @{
         "Key"="CreatedTime";
         "Value"="2019-06-01T19:15:38.372Z";
         "Type"="GREATER_THAN"
       },
       @{
         "Key"="Status";
         "Value"="Success";
         "Type"="EQUAL"
       }
   ```

------

1. Run the following command to view all targets where the specific execution ran.

------
#### [ Linux & macOS ]

   ```
   aws ssm describe-association-execution-targets \
     --association-id ID \
     --execution-id ID
   ```

------
#### [ Windows ]

   ```
   aws ssm describe-association-execution-targets ^
     --association-id ID ^
     --execution-id ID
   ```

------
#### [ PowerShell ]

   ```
   Get-SSMAssociationExecutionTarget `
     -AssociationId 14bea65d-5ccc-462d-a2f3-e99c8EXAMPLE `
     -ExecutionId 76a5a04f-caf6-490c-b448-92c02EXAMPLE
   ```

------

   You can limit the results by using one or more filters. The following example returns information about all targets where the specific association failed to run.

------
#### [ Linux & macOS ]

   ```
   aws ssm describe-association-execution-targets \
     --association-id ID \
     --execution-id ID \
     --filters Key=Status,Value="Failed"
   ```

------
#### [ Windows ]

   ```
   aws ssm describe-association-execution-targets ^
     --association-id ID ^
     --execution-id ID ^
     --filters Key=Status,Value="Failed"
   ```

------
#### [ PowerShell ]

   ```
   Get-SSMAssociationExecutionTarget `
     -AssociationId 14bea65d-5ccc-462d-a2f3-e99c8EXAMPLE `
     -ExecutionId 76a5a04f-caf6-490c-b448-92c02EXAMPLE `
     -Filter @{
         "Key"="Status";
         "Value"="Failed"
       }
   ```

------

   The following example returns information about a specific managed node where an association failed to run.

------
#### [ Linux & macOS ]

   ```
   aws ssm describe-association-execution-targets \
     --association-id ID \
     --execution-id ID \
     --filters Key=Status,Value=Failed Key=ResourceId,Value="i-02573cafcfEXAMPLE" Key=ResourceType,Value=ManagedInstance
   ```

------
#### [ Windows ]

   ```
   aws ssm describe-association-execution-targets ^
     --association-id ID ^
     --execution-id ID ^
     --filters Key=Status,Value=Failed Key=ResourceId,Value="i-02573cafcfEXAMPLE" Key=ResourceType,Value=ManagedInstance
   ```

------
#### [ PowerShell ]

   ```
   Get-SSMAssociationExecutionTarget `
     -AssociationId 14bea65d-5ccc-462d-a2f3-e99c8EXAMPLE `
     -ExecutionId 76a5a04f-caf6-490c-b448-92c02EXAMPLE `
     -Filter @{
         "Key"="Status";
         "Value"="Failed"
       },
       @{
         "Key"="ResourceId";
         "Value"="i-02573cafcfEXAMPLE"
       },
       @{
         "Key"="ResourceType";
         "Value"="ManagedInstance"
       }
   ```

------

1. If you're investigating an association that failed to run, you can use the [StartAssociationsOnce](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_StartAssociationsOnce.html) API operation to run an association immediately and only one time. After you change the resource where the association failed to run, run the following command.

------
#### [ Linux & macOS ]

   ```
   aws ssm start-associations-once \
     --association-id ID
   ```

------
#### [ Windows ]

   ```
   aws ssm start-associations-once ^
     --association-id ID
   ```

------
#### [ PowerShell ]

   ```
   Start-SSMAssociationsOnce `
     -AssociationId ID
   ```

------
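
The drill-down above (failed executions, then the failed targets of each) can be chained and paginated in one pass. The following is an added example, not AWS code: it assumes a boto3-style SSM client is passed in as `ssm`, and `ConstructedSsm` with its IDs is constructed sample data so the block runs offline.

```python
# Added example: `ssm` is any object exposing the boto3 SSM client methods used below.

def _pages(call, key, **kwargs):
    """Yield items from every page of a NextToken-paginated SSM call."""
    while True:
        resp = call(**kwargs)
        yield from resp.get(key, [])
        if not resp.get("NextToken"):
            return
        kwargs["NextToken"] = resp["NextToken"]


def failed_targets(ssm, association_id, since):
    """Return (execution_id, resource_id, detailed_status) for each target that
    failed in an execution created after `since` (ISO 8601 timestamp string)."""
    executions = _pages(
        ssm.describe_association_executions, "AssociationExecutions",
        AssociationId=association_id,
        Filters=[
            {"Key": "CreatedTime", "Value": since, "Type": "GREATER_THAN"},
            {"Key": "Status", "Value": "Failed", "Type": "EQUAL"},
        ],
    )
    findings = []
    for execution in executions:
        targets = _pages(
            ssm.describe_association_execution_targets, "AssociationExecutionTargets",
            AssociationId=association_id,
            ExecutionId=execution["ExecutionId"],
            Filters=[{"Key": "Status", "Value": "Failed"}],
        )
        for target in targets:
            findings.append((execution["ExecutionId"], target["ResourceId"],
                             target.get("DetailedStatus", "")))
    return findings


class ConstructedSsm:
    """Constructed stand-in for the SSM client (two pages of failed executions)."""

    def describe_association_executions(self, **kwargs):
        if kwargs.get("NextToken") != "page-2":
            return {"AssociationExecutions": [{"ExecutionId": "exec-a-EXAMPLE"}],
                    "NextToken": "page-2"}
        return {"AssociationExecutions": [{"ExecutionId": "exec-b-EXAMPLE"}]}

    def describe_association_execution_targets(self, **kwargs):
        nodes = {"exec-a-EXAMPLE": ["i-0aaaEXAMPLE"],
                 "exec-b-EXAMPLE": ["i-0bbbEXAMPLE", "mi-0cccEXAMPLE"]}
        return {"AssociationExecutionTargets": [
            {"ResourceId": node, "Status": "Failed", "DetailedStatus": "Failed"}
            for node in nodes[kwargs["ExecutionId"]]]}


if __name__ == "__main__":
    for row in failed_targets(ConstructedSsm(), "assoc-EXAMPLE", "2018-04-10T19:15:38.372Z"):
        print(*row)
```

Against a real account, pass `boto3.client("ssm")` in place of `ConstructedSsm()`.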

# Working with associations using IAM


State Manager, a tool in AWS Systems Manager, uses [targets](systems-manager-state-manager-targets-and-rate-controls.md#systems-manager-state-manager-targets-and-rate-controls-about-targets) to choose which instances you configure your associations with. Originally, associations were created by specifying a document name (`Name`) and instance ID (`InstanceId`). This created an association between a document and an instance or managed node. Associations used to be identified by these parameters. These parameters are now deprecated, but they're still supported. The resources `instance` and `managed-instance` were added as resources to actions with `Name` and `InstanceId`.

AWS Identity and Access Management (IAM) policy enforcement behavior depends on the type of resource specified. Resources for State Manager operations are only enforced based on the passed-in request. State Manager doesn't perform a deep check for the properties of resources in your account. A request is only validated against policy resources if the request parameter contains the specified policy resources. For example, if you specify an instance in the resource block, the policy is enforced if the request uses the `InstanceId` parameter. The `Targets` parameter for each resource in the account isn't checked for that `InstanceId`. 

Following are some cases with confusing behavior:
+ [DescribeAssociation](https://docs.aws.amazon.com//systems-manager/latest/APIReference/API_DescribeAssociation.html), [DeleteAssociation](https://docs.aws.amazon.com//systems-manager/latest/APIReference/API_DeleteAssociation.html), and [UpdateAssociation](https://docs.aws.amazon.com//systems-manager/latest/APIReference/API_UpdateAssociation.html) use `instance`, `managed-instance`, and `document` resources to specify the deprecated way of referring to associations. This includes all associations created with the deprecated `InstanceId` parameter.
+ [CreateAssociation](https://docs.aws.amazon.com//systems-manager/latest/APIReference/API_CreateAssociation.html), [CreateAssociationBatch](https://docs.aws.amazon.com//systems-manager/latest/APIReference/API_CreateAssociationBatch.html), and [UpdateAssociation](https://docs.aws.amazon.com//systems-manager/latest/APIReference/API_UpdateAssociation.html) use `instance` and `managed-instance` resources to specify the deprecated way of referring to associations. This includes all associations created with the deprecated `InstanceId` parameter. The `document` resource type is part of the deprecated way of referring to associations and is an actual property of an association. This means you can construct IAM policies with `Allow` or `Deny` permissions for both `Create` and `Update` actions based on document name.
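
Because enforcement follows the request parameters, a statement that scopes association actions to `instance` or `managed-instance` resources alone is matched only for requests that pass `InstanceId`. The following policy review is an added example, not AWS code: the function names, the finding format, and the sample policy (account ID, Sids, document name) are constructed for illustration.

```python
import fnmatch
import json

# Association actions the page lists as using instance / managed-instance resources.
ASSOCIATION_ACTIONS = {
    "ssm:createassociation", "ssm:createassociationbatch", "ssm:updateassociation",
    "ssm:deleteassociation", "ssm:describeassociation",
}
# Per the page, document name can back Allow or Deny for Create and Update actions.
DOCUMENT_SCOPED = {"ssm:createassociation", "ssm:createassociationbatch",
                   "ssm:updateassociation"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resource_kind(arn):
    """Classify a Resource entry by the resource-type segment of its ARN."""
    if arn == "*":
        return "any"
    return arn.split(":", 5)[-1].split("/", 1)[0]   # "instance/i-..." -> "instance"


def review_policy(policy):
    """Flag statements whose association permissions rest only on instance or
    managed-instance resources (evaluated only when the request has InstanceId)."""
    findings = []
    for index, stmt in enumerate(_as_list(policy["Statement"])):
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        matched = sorted(a for a in ASSOCIATION_ACTIONS
                         if any(fnmatch.fnmatchcase(a, p) for p in patterns))
        kinds = {_resource_kind(r) for r in _as_list(stmt.get("Resource", []))}
        if matched and kinds and kinds <= {"instance", "managed-instance"}:
            findings.append({
                "statement": stmt.get("Sid", index),
                "effect": stmt["Effect"],
                "actions": matched,
                "issue": "matched only when the request passes InstanceId; "
                         "Targets are not checked for the instance",
                "document_scoping_available": sorted(set(matched) & DOCUMENT_SCOPED),
            })
    return findings


# Constructed sample policy: one instance-scoped Deny, one document-scoped Deny.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "DenyOnInstance", "Effect": "Deny",
   "Action": ["ssm:CreateAssociation", "ssm:UpdateAssociation"],
   "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/i-02573cafcfEXAMPLE"},
  {"Sid": "DenyOnDocument", "Effect": "Deny",
   "Action": "ssm:*Association*",
   "Resource": "arn:aws:ssm:us-east-1:111122223333:document/Constructed-Baseline"},
  {"Sid": "ReadOnly", "Effect": "Allow",
   "Action": "ssm:ListAssociations", "Resource": "*"}
]}
""")

if __name__ == "__main__":
    print(json.dumps(review_policy(SAMPLE_POLICY), indent=2))
```

Only `DenyOnInstance` is reported; the document-scoped statement is left alone because, as described above, document name is an actual property of the association.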

For more information about using IAM policies with Systems Manager, see [Identity and access management for AWS Systems Manager](security-iam.md) or [Actions, resources, and condition keys for AWS Systems Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html) in the *Service Authorization Reference*.