

• The AWS Systems Manager CloudWatch Dashboard will no longer be available after April 30, 2026. Customers can continue to use Amazon CloudWatch console to view, create, and manage their Amazon CloudWatch dashboards, just as they do today. For more information, see [Amazon CloudWatch Dashboard documentation](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Dashboards.html). 

# AWS Systems Manager Inventory

AWS Systems Manager Inventory provides visibility into your AWS computing environment. You can use Inventory to collect *metadata* from your managed nodes. You can store this metadata in a central Amazon Simple Storage Service (Amazon S3) bucket, and then use built-in tools to query the data and quickly determine which nodes are running the software and configurations required by your software policy, and which nodes need to be updated. You can configure Inventory on all of your managed nodes by using a one-click procedure. You can also configure and view inventory data from multiple AWS Regions and AWS accounts by using Amazon Athena. To get started with Inventory, open the [Systems Manager console](https://console.aws.amazon.com//systems-manager/inventory). In the navigation pane, choose **Inventory**.

If the pre-configured metadata types collected by Systems Manager Inventory don't meet your needs, then you can create custom inventory. Custom inventory is simply a JSON file with information that you provide and add to the managed node in a specific directory. When Systems Manager Inventory collects data, it captures this custom inventory data. For example, if you run a large data center, you can specify the rack location of each of your servers as custom inventory. You can then view the rack space data when you view other inventory data.

**Important**  
Systems Manager Inventory collects *only* metadata from your managed nodes. Inventory doesn't access proprietary information or data.

The following table describes the types of data you can collect with Systems Manager Inventory. The table also describes different offerings for targeting nodes and the collection intervals you can specify.



| Configuration | Details | 
| --- | --- | 
|  Metadata types  |  You can configure Inventory to collect the following types of data: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-inventory.html)  To view a list of all metadata collected by Inventory, see [Metadata collected by Inventory](inventory-schema.md).   | 
|  Nodes to target  |  You can choose to inventory all managed nodes in your AWS account, individually select nodes, or target groups of nodes by using tags. For more information about collecting inventory data from all of your managed nodes, see [Inventory all managed nodes in your AWS account](inventory-collection.md#inventory-management-inventory-all).  | 
|  When to collect information  |  You can specify a collection interval in terms of minutes, hours, and days. The shortest collection interval is every 30 minutes.   | 

**Note**  
Depending on the amount of data collected, the system can take several minutes to report the data to the output you specified. After the information is collected, the data is sent over a secure HTTPS channel to a plain-text AWS store that is accessible only from your AWS account. 

You can view the data in the Systems Manager console on the **Inventory** page, which includes several predefined cards to help you query the data.

![\[Systems Manager Inventory cards in the Systems Manager console.\]](http://docs.aws.amazon.com/systems-manager/latest/userguide/images/inventory-cards.png)


**Note**  
Inventory cards automatically filter out Amazon EC2 managed instances with a state of *Terminated* and *Stopped*. For on-premises and AWS IoT Greengrass core device managed nodes, Inventory cards automatically filter out nodes with a state of *Terminated*. 

If you create a resource data sync to synchronize and store all of your data in a single Amazon S3 bucket, then you can drill down into the data on the **Inventory Detailed View** page. For more information, see [Querying inventory data from multiple Regions and accounts](systems-manager-inventory-query.md).

**EventBridge support**  
This Systems Manager tool is supported as an *event* type in Amazon EventBridge rules. For information, see [Monitoring Systems Manager events with Amazon EventBridge](monitoring-eventbridge-events.md) and [Reference: Amazon EventBridge event patterns and types for Systems Manager](reference-eventbridge-events.md).

**Topics**
+ [Learn more about Systems Manager Inventory](inventory-about.md)
+ [Setting up Systems Manager Inventory](systems-manager-inventory-setting-up.md)
+ [Configuring inventory collection](inventory-collection.md)
+ [Querying inventory data from multiple Regions and accounts](systems-manager-inventory-query.md)
+ [Querying an inventory collection by using filters](inventory-query-filters.md)
+ [Aggregating inventory data](inventory-aggregate.md)
+ [Working with custom inventory](inventory-custom.md)
+ [Viewing inventory history and change tracking](inventory-history.md)
+ [Stopping data collection and deleting inventory data](systems-manager-inventory-delete.md)
+ [Assigning custom inventory metadata to a managed node](inventory-custom-metadata.md)
+ [Using the AWS CLI to configure inventory data collection](inventory-collection-cli.md)
+ [Walkthrough: Using resource data sync to aggregate inventory data](inventory-resource-data-sync.md)
+ [Troubleshooting problems with Systems Manager Inventory](syman-inventory-troubleshooting.md)

# Learn more about Systems Manager Inventory

When you configure AWS Systems Manager Inventory, you specify the type of metadata to collect, the managed nodes from where the metadata should be collected, and a schedule for metadata collection. These configurations are saved with your AWS account as an AWS Systems Manager State Manager association. An association is simply a configuration.

**Note**  
Inventory only collects metadata. It doesn't collect any personal or proprietary data.

**Topics**
+ [Metadata collected by Inventory](inventory-schema.md)
+ [Working with file and Windows registry inventory](inventory-file-and-registry.md)

# Metadata collected by Inventory


The following sample shows the complete list of metadata collected by each AWS Systems Manager Inventory plugin.

```
{
    "typeName": "AWS:InstanceInformation",
    "version": "1.0",
    "attributes":[
      { "name": "AgentType",                              "dataType" : "STRING"},
      { "name": "AgentVersion",                           "dataType" : "STRING"},
      { "name": "ComputerName",                           "dataType" : "STRING"},
      { "name": "InstanceId",                             "dataType" : "STRING"},
      { "name": "IpAddress",                              "dataType" : "STRING"},
      { "name": "PlatformName",                           "dataType" : "STRING"},
      { "name": "PlatformType",                           "dataType" : "STRING"},
      { "name": "PlatformVersion",                        "dataType" : "STRING"},
      { "name": "ResourceType",                           "dataType" : "STRING"},
      { "name": "AgentStatus",                            "dataType" : "STRING"},
      { "name": "InstanceStatus",                         "dataType" : "STRING"}    
    ]
  },
  {
    "typeName" : "AWS:Application",
    "version": "1.1",
    "attributes":[
      { "name": "Name",               "dataType": "STRING"},
      { "name": "ApplicationType",    "dataType": "STRING"},
      { "name": "Publisher",          "dataType": "STRING"},
      { "name": "Version",            "dataType": "STRING"},
      { "name": "Release",            "dataType": "STRING"},
      { "name": "Epoch",              "dataType": "STRING"},
      { "name": "InstalledTime",      "dataType": "STRING"},
      { "name": "Architecture",       "dataType": "STRING"},
      { "name": "URL",                "dataType": "STRING"},
      { "name": "Summary",            "dataType": "STRING"},
      { "name": "PackageId",          "dataType": "STRING"}
    ]
  },
  {
    "typeName" : "AWS:File",
    "version": "1.0",
    "attributes":[
      { "name": "Name",               "dataType": "STRING"},
      { "name": "Size",    	      "dataType": "STRING"},
      { "name": "Description",        "dataType": "STRING"},
      { "name": "FileVersion",        "dataType": "STRING"},
      { "name": "InstalledDate",      "dataType": "STRING"},
      { "name": "ModificationTime",   "dataType": "STRING"},
      { "name": "LastAccessTime",     "dataType": "STRING"},
      { "name": "ProductName",        "dataType": "STRING"},
      { "name": "InstalledDir",       "dataType": "STRING"},
      { "name": "ProductLanguage",    "dataType": "STRING"},
      { "name": "CompanyName",        "dataType": "STRING"},
      { "name": "ProductVersion",       "dataType": "STRING"}
    ]
  },
  {
    "typeName": "AWS:AWSComponent",
    "version": "1.0",
    "attributes":[
      { "name": "Name",               "dataType": "STRING"},
      { "name": "ApplicationType",    "dataType": "STRING"},
      { "name": "Publisher",          "dataType": "STRING"},
      { "name": "Version",            "dataType": "STRING"},
      { "name": "InstalledTime",      "dataType": "STRING"},
      { "name": "Architecture",       "dataType": "STRING"},
      { "name": "URL",                "dataType": "STRING"}
    ]
  },
  {
    "typeName": "AWS:WindowsUpdate",
    "version":"1.0",
    "attributes":[
      { "name": "HotFixId",           "dataType": "STRING"},
      { "name": "Description",        "dataType": "STRING"},
      { "name": "InstalledTime",      "dataType": "STRING"},
      { "name": "InstalledBy",        "dataType": "STRING"}
    ]
  },
  {
    "typeName": "AWS:Network",
    "version":"1.0",
    "attributes":[
      { "name": "Name",               "dataType": "STRING"},
      { "name": "SubnetMask",         "dataType": "STRING"},
      { "name": "Gateway",            "dataType": "STRING"},
      { "name": "DHCPServer",         "dataType": "STRING"},
      { "name": "DNSServer",          "dataType": "STRING"},
      { "name": "MacAddress",         "dataType": "STRING"},
      { "name": "IPV4",               "dataType": "STRING"},
      { "name": "IPV6",               "dataType": "STRING"}
    ]
  },
  {
    "typeName": "AWS:PatchSummary",
    "version":"1.0",
    "attributes":[
      { "name": "PatchGroup",                       "dataType": "STRING"},
      { "name": "BaselineId",                       "dataType": "STRING"},
      { "name": "SnapshotId",                       "dataType": "STRING"},
      { "name": "OwnerInformation",                 "dataType": "STRING"},
      { "name": "InstalledCount",                   "dataType": "NUMBER"},
      { "name": "InstalledPendingRebootCount",      "dataType": "NUMBER"},
      { "name": "InstalledOtherCount",              "dataType": "NUMBER"},
      { "name": "InstalledRejectedCount",           "dataType": "NUMBER"},
      { "name": "NotApplicableCount",               "dataType": "NUMBER"},
      { "name": "UnreportedNotApplicableCount",     "dataType": "NUMBER"},
      { "name": "MissingCount",                     "dataType": "NUMBER"},
      { "name": "FailedCount",                      "dataType": "NUMBER"},
      { "name": "OperationType",                    "dataType": "STRING"},
      { "name": "OperationStartTime",               "dataType": "STRING"},
      { "name": "OperationEndTime",                 "dataType": "STRING"},
      { "name": "InstallOverrideList",              "dataType": "STRING"},
      { "name": "RebootOption",                     "dataType": "STRING"},
      { "name": "LastNoRebootInstallOperationTime", "dataType": "STRING"},
      { "name": "ExecutionId",                      "dataType": "STRING",                 "isOptional": "true"},
      { "name": "NonCompliantSeverity",             "dataType": "STRING",                 "isOptional": "true"},
      { "name": "SecurityNonCompliantCount",        "dataType": "NUMBER",                 "isOptional": "true"},
      { "name": "CriticalNonCompliantCount",        "dataType": "NUMBER",                 "isOptional": "true"},
      { "name": "OtherNonCompliantCount",           "dataType": "NUMBER",                 "isOptional": "true"}
    ]
  },
  {
    "typeName": "AWS:PatchCompliance",
    "version":"1.0",
    "attributes":[
      { "name": "Title",                        "dataType": "STRING"},
      { "name": "KBId",                         "dataType": "STRING"},
      { "name": "Classification",               "dataType": "STRING"},
      { "name": "Severity",                     "dataType": "STRING"},
      { "name": "State",                        "dataType": "STRING"},
      { "name": "InstalledTime",                "dataType": "STRING"}
    ]
  },
  {
    "typeName": "AWS:ComplianceItem",
    "version":"1.0",
    "attributes":[
      { "name": "ComplianceType",               "dataType": "STRING",                 "isContext": "true"},
      { "name": "ExecutionId",                  "dataType": "STRING",                 "isContext": "true"},
      { "name": "ExecutionType",                "dataType": "STRING",                 "isContext": "true"},
      { "name": "ExecutionTime",                "dataType": "STRING",                 "isContext": "true"},
      { "name": "Id",                           "dataType": "STRING"},
      { "name": "Title",                        "dataType": "STRING"},
      { "name": "Status",                       "dataType": "STRING"},
      { "name": "Severity",                     "dataType": "STRING"},
      { "name": "DocumentName",                 "dataType": "STRING"},
      { "name": "DocumentVersion",              "dataType": "STRING"},
      { "name": "Classification",               "dataType": "STRING"},
      { "name": "PatchBaselineId",              "dataType": "STRING"},
      { "name": "PatchSeverity",                "dataType": "STRING"},
      { "name": "PatchState",                   "dataType": "STRING"},
      { "name": "PatchGroup",                   "dataType": "STRING"},
      { "name": "InstalledTime",                "dataType": "STRING"},
      { "name": "InstallOverrideList",          "dataType": "STRING",                 "isOptional": "true"},
      { "name": "DetailedText",                 "dataType": "STRING",                 "isOptional": "true"},
      { "name": "DetailedLink",                 "dataType": "STRING",                 "isOptional": "true"},
      { "name": "CVEIds",                       "dataType": "STRING",                 "isOptional": "true"}
    ]
  },
  {
    "typeName": "AWS:ComplianceSummary",
    "version":"1.0",
    "attributes":[
      { "name": "ComplianceType",                 "dataType": "STRING"},
      { "name": "PatchGroup",                     "dataType": "STRING"},
      { "name": "PatchBaselineId",                "dataType": "STRING"},
      { "name": "Status",                         "dataType": "STRING"},
      { "name": "OverallSeverity",                "dataType": "STRING"},
      { "name": "ExecutionId",                    "dataType": "STRING"},
      { "name": "ExecutionType",                  "dataType": "STRING"},
      { "name": "ExecutionTime",                  "dataType": "STRING"},
      { "name": "CompliantCriticalCount",         "dataType": "NUMBER"},
      { "name": "CompliantHighCount",             "dataType": "NUMBER"},
      { "name": "CompliantMediumCount",           "dataType": "NUMBER"},
      { "name": "CompliantLowCount",              "dataType": "NUMBER"},
      { "name": "CompliantInformationalCount",    "dataType": "NUMBER"},
      { "name": "CompliantUnspecifiedCount",      "dataType": "NUMBER"},
      { "name": "NonCompliantCriticalCount",      "dataType": "NUMBER"},
      { "name": "NonCompliantHighCount",          "dataType": "NUMBER"},
      { "name": "NonCompliantMediumCount",        "dataType": "NUMBER"},
      { "name": "NonCompliantLowCount",           "dataType": "NUMBER"},
      { "name": "NonCompliantInformationalCount", "dataType": "NUMBER"},
      { "name": "NonCompliantUnspecifiedCount",   "dataType": "NUMBER"}
    ]
  },
  {
    "typeName": "AWS:InstanceDetailedInformation",
    "version":"1.0",
    "attributes":[
      { "name": "CPUModel",                     "dataType": "STRING"},
      { "name": "CPUCores",                     "dataType": "NUMBER"},
      { "name": "CPUs",                         "dataType": "NUMBER"},
      { "name": "CPUSpeedMHz",                  "dataType": "NUMBER"},
      { "name": "CPUSockets",                   "dataType": "NUMBER"},
      { "name": "CPUHyperThreadEnabled",        "dataType": "STRING"},
      { "name": "OSServicePack",                "dataType": "STRING"}
    ]
   },
   {
     "typeName": "AWS:Service",
     "version":"1.0",
     "attributes":[
       { "name": "Name",                         "dataType": "STRING"},
       { "name": "DisplayName",                  "dataType": "STRING"},
       { "name": "ServiceType",                  "dataType": "STRING"},
       { "name": "Status",                       "dataType": "STRING"},
       { "name": "DependentServices",            "dataType": "STRING"},
       { "name": "ServicesDependedOn",           "dataType": "STRING"},
       { "name": "StartType",                    "dataType": "STRING"}
     ]
    },
    {
      "typeName": "AWS:WindowsRegistry",
      "version":"1.0",
      "attributes":[
        { "name": "KeyPath",                         "dataType": "STRING"},
        { "name": "ValueName",                       "dataType": "STRING"},
        { "name": "ValueType",                       "dataType": "STRING"},
        { "name": "Value",                           "dataType": "STRING"}
      ]
    },
    {
      "typeName": "AWS:WindowsRole",
      "version":"1.0",
      "attributes":[
        { "name": "Name",                         "dataType": "STRING"},
        { "name": "DisplayName",                  "dataType": "STRING"},
        { "name": "Path",                         "dataType": "STRING"},
        { "name": "FeatureType",                  "dataType": "STRING"},
        { "name": "DependsOn",                    "dataType": "STRING"},
        { "name": "Description",                  "dataType": "STRING"},
        { "name": "Installed",                    "dataType": "STRING"},
        { "name": "InstalledState",               "dataType": "STRING"},
        { "name": "SubFeatures",                  "dataType": "STRING"},
        { "name": "ServerComponentDescriptor",    "dataType": "STRING"},
        { "name": "Parent",                       "dataType": "STRING"}
      ]
    },
    {
      "typeName": "AWS:Tag",
      "version":"1.0",
      "attributes":[
        { "name": "Key",                     "dataType": "STRING"},
        { "name": "Value",                   "dataType": "STRING"}
      ]
    },
    {
      "typeName": "AWS:ResourceGroup",
      "version":"1.0",
      "attributes":[
        { "name": "Name",                   "dataType": "STRING"},
        { "name": "Arn",                    "dataType": "STRING"}
      ]
    },
    {
      "typeName": "AWS:BillingInfo",
      "version": "1.0",
      "attributes": [
        { "name": "BillingProductId",       "dataType": "STRING"}
      ]
    }
```

**Note**  
+ For `"typeName": "AWS:InstanceInformation"`, `InstanceStatus` can be one of the following: Active, ConnectionLost, Stopped, Terminated.
+ With the release of version 2.5, RPM Package Manager replaced the Serial attribute with Epoch. The Epoch attribute is a monotonically increasing integer like Serial. When you inventory by using the `AWS:Application` type, a larger value for Epoch means a newer version. If Epoch values are the same or empty, then use the value of the Version or Release attribute to determine the newer version.
+ Some metadata is not available from Linux instances. Specifically, for `"typeName": "AWS:Network"`, the following metadata types are not yet supported for Linux instances. They ARE supported for Windows.

  ```
  { "name": "SubnetMask", "dataType": "STRING"},
  { "name": "DHCPServer", "dataType": "STRING"},
  { "name": "DNSServer", "dataType": "STRING"},
  { "name": "Gateway", "dataType": "STRING"},
  ```
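The Epoch rule in the note above can be applied to `AWS:Application` rows to list the nodes that run a package older than a required build. This is an added example, not AWS code: it assumes an empty Epoch counts as 0 (the RPM convention) and uses a simplified segment-by-segment comparison for Version and Release; the function names, instance IDs and package rows are constructed for illustration.

```python
import re


def _segments(label):
    """Split a Version/Release string into runs of digits or letters; separators are dropped."""
    return re.findall(r"[0-9]+|[A-Za-z]+", label or "")


def compare_label(a, b):
    """Simplified RPM-style comparison of two Version or Release strings: -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)              # numeric compare: 10 is newer than 9
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1    # a numeric segment beats an alphabetic one
        if x != y:
            return 1 if x > y else -1
    # All shared segments are equal: the string with extra segments is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def epoch_of(app):
    """Epoch as an integer; empty or missing is treated as 0 (assumption, RPM convention)."""
    raw = str(app.get("Epoch") or "").strip()
    return int(raw) if raw.isdigit() else 0


def compare_application(a, b):
    """Order two AWS:Application records: Epoch first, then Version, then Release."""
    ea, eb = epoch_of(a), epoch_of(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for field in ("Version", "Release"):
        result = compare_label(a.get(field), b.get(field))
        if result:
            return result
    return 0


def outdated_nodes(rows, package, minimum):
    """Instance IDs whose inventory row for `package` is older than `minimum`."""
    return sorted({
        row["InstanceId"]
        for row in rows
        if row["Name"] == package and compare_application(row, minimum) < 0
    })


# Constructed sample rows: one AWS:Application entry per node, with the node ID attached.
ROWS = [
    {"InstanceId": "i-EXAMPLE-A", "Name": "openssl", "Epoch": "1",
     "Version": "1.0.2k", "Release": "19.amzn2"},
    {"InstanceId": "i-EXAMPLE-B", "Name": "openssl", "Epoch": "1",
     "Version": "1.0.2k", "Release": "21.amzn2"},
    # Higher Epoch wins even though the Version string looks lower.
    {"InstanceId": "i-EXAMPLE-C", "Name": "openssl", "Epoch": "2",
     "Version": "0.9", "Release": "1"},
    {"InstanceId": "i-EXAMPLE-D", "Name": "bash", "Epoch": "",
     "Version": "4.2.46", "Release": "34.amzn2"},
]

# Constructed policy floor: the oldest openssl build that is still acceptable.
MINIMUM = {"Epoch": "1", "Version": "1.0.2k", "Release": "21.amzn2"}

if __name__ == "__main__":
    print(outdated_nodes(ROWS, "openssl", MINIMUM))
```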

# Working with file and Windows registry inventory


AWS Systems Manager Inventory allows you to search and inventory files on Windows Server, Linux, and macOS operating systems. You can also search and inventory the Windows Registry.

**Files**: You can collect metadata information about files, including file names, the time files were created, the time files were last modified and accessed, and file sizes, to name a few. To start collecting file inventory, you specify a file path where you want to perform the inventory, one or more patterns that define the types of files you want to inventory, and if the path should be traversed recursively. Systems Manager inventories all file metadata for files in the specified path that match the pattern. File inventory uses the following parameter input.

```
{
"Path": string,
"Pattern": array[string],
"Recursive": true,
"DirScanLimit" : number // Optional
}
```
+ **Path**: The directory path where you want to inventory files. For Windows, you can use environment variables like `%PROGRAMFILES%` as long as the variable maps to a single directory path. For example, if you use `%PATH%` that maps to multiple directory paths, Inventory throws an error.
+ **Pattern**: An array of patterns to identify files.
+ **Recursive**: A Boolean value indicating whether Inventory should recursively traverse the directories.
+ **DirScanLimit**: An optional value specifying how many directories to scan. Use this parameter to minimize performance impact on your managed nodes. Inventory scans a maximum of 5,000 directories.

**Note**  
Inventory collects metadata for a maximum of 500 files across all specified paths.

Here are some examples of how to specify the parameters when performing an inventory of files.
+ On Linux and macOS, collect metadata of .sh files in the `/home/ec2-user` directory, excluding all subdirectories.

  ```
  [{"Path":"/home/ec2-user","Pattern":["*.sh"],"Recursive":false}]
  ```
+ On Windows, collect metadata of all ".exe" files in the Program Files folder, including subdirectories recursively.

  ```
  [{"Path":"C:\Program Files","Pattern":["*.exe"],"Recursive":true}]
  ```
+ On Windows, collect metadata of specific log patterns.

  ```
  [{"Path":"C:\ProgramData\Amazon","Pattern":["*amazon*.log"],"Recursive":true}]
  ```
+ Limit the directory count when performing recursive collection.

  ```
  [{"Path":"C:\Users","Pattern":["*.ps1"],"Recursive":true, "DirScanLimit": 1000}]
  ```

**Windows Registry**: You can collect Windows Registry keys and values. You can choose a key path and collect all keys and values recursively. You can also collect a specific registry key and its value for a specific path. Inventory collects the key path, name, type, and the value.

```
{
"Path": string, 
"Recursive": true,
"ValueNames": array[string] // optional
}
```
+ **Path**: The path to the Registry key.
+ **Recursive**: A Boolean value indicating whether Inventory should recursively traverse Registry paths.
+ **ValueNames**: An array of value names for performing inventory of Registry keys. If you use this parameter, Systems Manager will inventory only the specified value names for the specified path.

**Note**  
Inventory collects a maximum of 250 Registry key values for all specified paths.

Here are some examples of how to specify the parameters when performing an inventory of the Windows Registry.
+ Collect all keys and values recursively for a specific path.

  ```
  [{"Path":"HKEY_LOCAL_MACHINE\SOFTWARE\Amazon","Recursive": true}]
  ```
+ Collect all keys and values for a specific path (recursive search turned off).

  ```
  [{"Path":"HKEY_LOCAL_MACHINE\SOFTWARE\Intel\PSIS\PSIS_DECODER", "Recursive": false}]
  ```
+ Collect a specific key by using the `ValueNames` option.

  ```
  {"Path":"HKEY_LOCAL_MACHINE\SOFTWARE\Amazon\MachineImage","ValueNames":["AMIName"]}
  ```

# Setting up Systems Manager Inventory

Before you use AWS Systems Manager Inventory to collect metadata about the applications, services, AWS components and more running on your managed nodes, we recommend that you configure resource data sync to centralize the storage of your inventory data in a single Amazon Simple Storage Service (Amazon S3) bucket. We also recommend that you configure Amazon EventBridge monitoring of inventory events. These processes make it easier to view and manage inventory data and collection.

**Topics**
+ [Creating a resource data sync for Inventory](inventory-create-resource-data-sync.md)
+ [Using EventBridge to monitor Inventory events](systems-manager-inventory-setting-up-eventbridge.md)

# Creating a resource data sync for Inventory


This topic describes how to set up and configure resource data sync for AWS Systems Manager Inventory. For information about resource data sync for Systems Manager Explorer, see [Setting up Systems Manager Explorer to display data from multiple accounts and Regions](Explorer-resource-data-sync.md).

## About resource data sync


You can use Systems Manager resource data sync to send inventory data collected from all of your managed nodes to a single Amazon Simple Storage Service (Amazon S3) bucket. Resource data sync then automatically updates the centralized data when new inventory data is collected. With all inventory data stored in a target Amazon S3 bucket, you can use services like Amazon Athena and Amazon Quick to query and analyze the aggregated data.

For example, say that you've configured inventory to collect data about the operating system (OS) and applications running on a fleet of 150 managed nodes. Some of these nodes are located in an on-premises data center, and others are running in Amazon Elastic Compute Cloud (Amazon EC2) across multiple AWS Regions. If you have *not* configured resource data sync, you either need to manually gather the collected inventory data for each managed node, or you have to create scripts to gather this information. You would then need to port the data into an application so that you can run queries and analyze it.

With resource data sync, you perform a one-time operation that synchronizes all inventory data from all of your managed nodes. After the sync is successfully created, Systems Manager creates a baseline of all inventory data and saves it in the target Amazon S3 bucket. When new inventory data is collected, Systems Manager automatically updates the data in the Amazon S3 bucket. You can then quickly and cost-effectively port the data to Amazon Athena and Amazon Quick.

Diagram 1 shows how resource data sync aggregates inventory data from Amazon EC2 and other machine types in a [hybrid and multicloud](operating-systems-and-machine-types.md#supported-machine-types) environment to a target Amazon S3 bucket. This diagram also shows how resource data sync works with multiple AWS accounts and AWS Regions.

**Diagram 1: Resource data sync with multiple AWS accounts and AWS Regions**

![\[Systems Manager resource data sync architecture\]](http://docs.aws.amazon.com/systems-manager/latest/userguide/images/inventory-resource-data-sync-updated.png)


If you delete a managed node, resource data sync preserves the inventory file for the deleted node. For running nodes, however, resource data sync automatically overwrites old inventory files when new files are created and written to the Amazon S3 bucket. If you want to track inventory changes over time, you can use the AWS Config service to track the `SSM:ManagedInstanceInventory` resource type. For more information, see [Getting Started with AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/getting-started.html).

Use the procedures in this section to create a resource data sync for Inventory by using the Amazon S3 and AWS Systems Manager consoles. You can also use AWS CloudFormation to create or delete a resource data sync. To use CloudFormation, add the [`AWS::SSM::ResourceDataSync`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-resourcedatasync.html) resource to your CloudFormation template. For information, see one of the following documentation resources:
+ [AWS CloudFormation resource for resource data sync in AWS Systems Manager](https://aws.amazon.com/blogs/mt/aws-cloudformation-resource-for-resource-data-sync-in-aws-systems-manager/) (blog)
+ [Working with AWS CloudFormation Templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-guide.html) in the *AWS CloudFormation User Guide*

**Note**  
You can use AWS Key Management Service (AWS KMS) to encrypt inventory data in the Amazon S3 bucket. For an example of how to create an encrypted sync by using the AWS Command Line Interface (AWS CLI) and how to work with the centralized data in Amazon Athena and Amazon Quick, see [Walkthrough: Using resource data sync to aggregate inventory data](inventory-resource-data-sync.md). 

## Before you begin


Before you create a resource data sync, use the following procedure to create a central Amazon S3 bucket to store aggregated inventory data. The procedure describes how to assign a bucket policy that allows Systems Manager to write inventory data to the bucket from multiple accounts. If you already have an Amazon S3 bucket that you want to use to aggregate inventory data for resource data sync, then you must configure the bucket to use the policy in the following procedure.

**Note**  
Systems Manager Inventory can't add data to a specified Amazon S3 bucket if that bucket is configured to use Object Lock. Verify that the Amazon S3 bucket you create or choose for resource data sync isn't configured to use Amazon S3 Object Lock. For more information, see [How Amazon S3 Object Lock works](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html) in the *Amazon Simple Storage Service User Guide*.

**To create and configure an Amazon S3 bucket for resource data sync**

1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. Create a bucket to store your aggregated Inventory data. For more information, see [Create a Bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/CreatingABucket.html) in the *Amazon Simple Storage Service User Guide*. Make a note of the bucket name and the AWS Region where you created it.

1. Choose the **Permissions** tab, and then choose **Bucket Policy**.

1. Copy and paste the following bucket policy into the policy editor. Replace *amzn-s3-demo-bucket* with the name of the S3 bucket you created. Replace *account_ID_number* with a valid AWS account ID number.


   ```
   {
       "Version":"2012-10-17",
       "Statement": [
           {
               "Sid": "SSMBucketPermissionsCheck",
               "Effect": "Allow",
               "Principal": {
                   "Service": "ssm.amazonaws.com"
               },
               "Action": "s3:GetBucketAcl",
               "Resource": "arn:aws:s3:::amzn-s3-demo-bucket"
           },
           {
               "Sid": "SSMBucketDelivery",
               "Effect": "Allow",
               "Principal": {
                   "Service": "ssm.amazonaws.com"
               },
               "Action": "s3:PutObject",
               "Resource": [
                   "arn:aws:s3:::amzn-s3-demo-bucket/*/accountid=111122223333/*",
                   "arn:aws:s3:::amzn-s3-demo-bucket/*/accountid=444455556666/*",
                   "arn:aws:s3:::amzn-s3-demo-bucket/*/accountid=123456789012/*",
                   "arn:aws:s3:::amzn-s3-demo-bucket/*/accountid=777788889999/*"
               ],
               "Condition": {
                   "StringEquals": {
                       "s3:x-amz-acl": "bucket-owner-full-control",
                       "aws:SourceAccount": "111122223333"
                   },
                   "ArnLike": {
                       "aws:SourceArn": "arn:aws:ssm:*:111122223333:resource-data-sync/*"
                   }
               }
           }
       ]
   }
   ```


1. Save your changes.

## Create a resource data sync for Inventory


Use the following procedure to create a resource data sync for Systems Manager Inventory by using the Systems Manager console. For information about how to create a resource data sync by using the AWS CLI, see [Using the AWS CLI to configure inventory data collection](inventory-collection-cli.md).

**To create a resource data sync**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Fleet Manager**.

1. In the **Account management** menu, choose **Resource data sync**.

1. Choose **Create resource data sync**.

1. In the **Sync name** field, enter a name for the sync configuration.

1. In the **Bucket name** field, enter the name of the Amazon S3 bucket you created using the **To create and configure an Amazon S3 bucket for resource data sync** procedure.

1. (Optional) In the **Bucket prefix** field, enter the name of an Amazon S3 bucket prefix (subdirectory).

1. In the **Bucket region** field, choose **This region** if the Amazon S3 bucket you created is located in the current AWS Region. If the bucket is located in a different AWS Region, choose **Another region**, and enter the name of the Region.
**Note**  
If the sync and the target Amazon S3 bucket are located in different regions, you might be subject to data transfer pricing. For more information, see [Amazon S3 Pricing](https://aws.amazon.com/s3/pricing/).

1. (Optional) In the **KMS Key ARN** field, type or paste a KMS Key ARN to encrypt inventory data in Amazon S3.

1. Choose **Create**.

To synchronize inventory data from multiple AWS Regions, you must create a resource data sync in *each* Region. Repeat this procedure in each AWS Region where you want to collect inventory data and send it to the central Amazon S3 bucket. When you create the sync in each Region, specify the central Amazon S3 bucket in the **Bucket name** field. Then use the **Bucket region** option to choose the Region where you created the central Amazon S3 bucket, as shown in the following screenshot. The next time the association runs to collect inventory data, Systems Manager stores the data in the central Amazon S3 bucket.

![\[Systems Manager resource data sync from multiple AWS Regions\]](http://docs.aws.amazon.com/systems-manager/latest/userguide/images/inventory-rds-multiple-regions.png)


## Creating an inventory resource data sync for accounts defined in AWS Organizations


You can synchronize inventory data from AWS accounts defined in AWS Organizations to a central Amazon S3 bucket. After you complete the following procedures, inventory data is synchronized to *individual* Amazon S3 key prefixes in the central bucket. Each key prefix represents a different AWS account ID.

**Before you begin**  
Before you begin, verify that you set up and configured AWS accounts in AWS Organizations. For more information, see the [*AWS Organizations User Guide*](https://docs.aws.amazon.com/organizations/latest/userguide/rgs_getting-started.html).

Also, be aware that you must create the organization-based resource data sync for each AWS Region and AWS account defined in AWS Organizations. 

### Creating a central Amazon S3 bucket


Use the following procedure to create a central Amazon S3 bucket to store aggregated inventory data. The procedure describes how to assign a bucket policy that allows Systems Manager to write inventory data to the bucket from your AWS Organizations account ID. If you already have an Amazon S3 bucket that you want to use to aggregate inventory data for resource data sync, then you must configure the bucket to use the policy in the following procedure.

**To create and configure an Amazon S3 bucket for resource data sync for multiple accounts defined in AWS Organizations**

1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. Create a bucket to store your aggregated inventory data. For more information, see [Create a Bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/CreatingABucket.html) in the *Amazon Simple Storage Service User Guide*. Make a note of the bucket name and the AWS Region where you created it.

1. Choose the **Permissions** tab, and then choose **Bucket Policy**.

1. Copy and paste the following bucket policy into the policy editor. Replace *amzn-s3-demo-bucket* and *organization-id* with the name of the Amazon S3 bucket you created and a valid AWS Organizations account ID.

   Optionally, replace *bucket-prefix* with the name of an Amazon S3 prefix (subdirectory). If you didn't create a prefix, remove *bucket-prefix*/ from the ARN in the following policy. 

   ```
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Sid": "SSMBucketPermissionsCheck",
         "Effect": "Allow",
         "Principal": {
           "Service": "ssm.amazonaws.com"
         },
         "Action": "s3:GetBucketAcl",
         "Resource": "arn:aws:s3:::amzn-s3-demo-bucket"
       },
       {
         "Sid": "SSMBucketDelivery",
         "Effect": "Allow",
         "Principal": {
           "Service": "ssm.amazonaws.com"
         },
         "Action": "s3:PutObject",
         "Resource": [
           "arn:aws:s3:::amzn-s3-demo-bucket/bucket-prefix/*/accountid=*/*"
         ],
         "Condition": {
           "StringEquals": {
             "s3:x-amz-acl": "bucket-owner-full-control",
             "aws:SourceOrgID": "organization-id"
           }
         }
       },
       {
         "Sid": "SSMBucketDeliveryTagging",
         "Effect": "Allow",
         "Principal": {
           "Service": "ssm.amazonaws.com"
         },
         "Action": "s3:PutObjectTagging",
         "Resource": [
           "arn:aws:s3:::amzn-s3-demo-bucket/bucket-prefix/*/accountid=*/*"
         ]
       }
     ]
   }
   ```
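
The following offline check for the two bucket policies above is an added example, not AWS code. It flags statements that let `ssm.amazonaws.com` write to the bucket without a source condition (`aws:SourceAccount`, `aws:SourceArn` or `aws:SourceOrgID`), without the `bucket-owner-full-control` ACL condition, or with an `accountid=*` resource that isn't paired with `aws:SourceOrgID`. The function names, finding labels and choice of checks are assumptions of this example, and `WEAK_POLICY` is constructed.

```python
import json

# Condition keys that bind a service-principal grant to a specific caller.
SOURCE_KEYS = {"aws:sourceaccount", "aws:sourcearn", "aws:sourceorgid"}
SSM_PRINCIPAL = "ssm.amazonaws.com"


def as_list(value):
    """Policy JSON accepts a scalar wherever a list is allowed."""
    return value if isinstance(value, list) else [value]


def condition_values(stmt):
    """Flatten Condition to {lower-cased key: [values]}, ignoring the operator."""
    flat = {}
    for block in stmt.get("Condition", {}).values():
        for key, value in block.items():
            flat.setdefault(key.lower(), []).extend(as_list(value))
    return flat


def lint_sync_bucket_policy(policy):
    """Return (sid, finding) tuples for one parsed bucket policy."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        raw_sid = stmt.get("Sid", "")
        sid = raw_sid.strip() or "<no Sid>"
        if raw_sid != raw_sid.strip():
            findings.append((sid, "SID_HAS_SURROUNDING_WHITESPACE"))

        principal = stmt.get("Principal", {})
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        grants_write = any(a.startswith("s3:put") for a in actions)
        if stmt.get("Effect") != "Allow" or SSM_PRINCIPAL not in services or not grants_write:
            continue  # only statements that let SSM write are checked further

        cond = condition_values(stmt)
        if SOURCE_KEYS.isdisjoint(cond):
            findings.append((sid, "NO_SOURCE_CONDITION"))
        if "s3:putobject" in actions and cond.get("s3:x-amz-acl") != ["bucket-owner-full-control"]:
            findings.append((sid, "NO_BUCKET_OWNER_ACL_CONDITION"))
        wildcard = any("accountid=*" in r for r in as_list(stmt.get("Resource", [])))
        if wildcard and "aws:sourceorgid" not in cond:
            findings.append((sid, "WILDCARD_ACCOUNT_WITHOUT_ORG_ID"))
    return findings


# The Organizations bucket policy from this page, placeholders left as they are.
ORG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SSMBucketPermissionsCheck", "Effect": "Allow",
         "Principal": {"Service": "ssm.amazonaws.com"},
         "Action": "s3:GetBucketAcl",
         "Resource": "arn:aws:s3:::amzn-s3-demo-bucket"},
        {"Sid": "SSMBucketDelivery", "Effect": "Allow",
         "Principal": {"Service": "ssm.amazonaws.com"},
         "Action": "s3:PutObject",
         "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket/bucket-prefix/*/accountid=*/*"],
         "Condition": {"StringEquals": {
             "s3:x-amz-acl": "bucket-owner-full-control",
             "aws:SourceOrgID": "organization-id"}}},
        {"Sid": "SSMBucketDeliveryTagging", "Effect": "Allow",
         "Principal": {"Service": "ssm.amazonaws.com"},
         "Action": "s3:PutObjectTagging",
         "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket/bucket-prefix/*/accountid=*/*"]},
    ],
}

# Constructed counter-example: delivery statement with its Condition block dropped.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Sid": " Delivery", "Effect": "Allow",
                  "Principal": {"Service": "ssm.amazonaws.com"},
                  "Action": ["s3:PutObject"],
                  "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*/accountid=*/*"},
}

if __name__ == "__main__":
    for name, policy in (("ORG_POLICY", ORG_POLICY), ("WEAK_POLICY", WEAK_POLICY)):
        print(name, json.dumps(lint_sync_bucket_policy(policy), indent=2))
```

Run against the Organizations policy as shown, the check reports the `SSMBucketDeliveryTagging` statement, which carries no `Condition` block; review whether that matches your intent before saving the policy.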


### Create an inventory resource data sync for accounts defined in AWS Organizations


The following procedure describes how to use the AWS CLI to create a resource data sync for accounts that are defined in AWS Organizations. You must use the AWS CLI to perform this task. You must also perform this procedure for each AWS Region and AWS account defined in AWS Organizations.

**To create a resource data sync for an account defined in AWS Organizations (AWS CLI)**

1. Install and configure the AWS Command Line Interface (AWS CLI), if you haven't already.

   For information, see [Installing or updating the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).

1. Run the following command to verify that you don't have any other *AWS Organizations-based* resource data syncs. You can have multiple standard syncs, and you can have standard syncs alongside an Organizations-based sync, but you can have only one Organizations-based resource data sync.

   ```
   aws ssm list-resource-data-sync
   ```

   If the command returns other Organizations-based resource data syncs, you must delete them or choose not to create a new one.

1. Run the following command to create a resource data sync for an account defined in AWS Organizations. For *amzn-s3-demo-bucket*, specify the name of the Amazon S3 bucket you created earlier in this topic. If you created a prefix (subdirectory) for your bucket, then specify this information for *prefix-name*. For *region*, specify the AWS Region, for example `us-east-2`.

   ```
   aws ssm create-resource-data-sync --sync-name name --s3-destination "BucketName=amzn-s3-demo-bucket,Prefix=prefix-name,SyncFormat=JsonSerDe,Region=region,DestinationDataSharing={DestinationDataSharingType=Organization}"
   ```

1. Repeat Steps 2 and 3 for every AWS Region and AWS account where you want to synchronize data to the central Amazon S3 bucket.
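
Steps 2 through 4 for one account, as an added example (not AWS code): given the parsed output of `aws ssm list-resource-data-sync` for each Region, it skips Regions that already hold an Organizations-based sync and builds the `create-resource-data-sync` argument list for the rest. The function names, the sync name and the sample listings are constructed; the `Region` key inside `--s3-destination` is taken to be the Region of the central bucket.

```python
ORG_TYPE = "Organization"


def has_org_sync(listing):
    """True if one Region's list-resource-data-sync output holds an Organizations-based sync."""
    for item in listing.get("ResourceDataSyncItems", []):
        sharing = item.get("S3Destination", {}).get("DestinationDataSharing") or {}
        if sharing.get("DestinationDataSharingType") == ORG_TYPE:
            return True
    return False


def s3_destination(bucket, bucket_region, prefix=None):
    """Build the --s3-destination shorthand; Prefix is left out when no prefix is used."""
    parts = [f"BucketName={bucket}"]
    if prefix:
        parts.append(f"Prefix={prefix}")
    parts += [
        "SyncFormat=JsonSerDe",
        f"Region={bucket_region}",  # Region of the central bucket, not of the sync
        "DestinationDataSharing={DestinationDataSharingType=" + ORG_TYPE + "}",
    ]
    return ",".join(parts)


def plan_org_syncs(listings, sync_name, bucket, bucket_region, prefix=None):
    """listings maps Region -> parsed list output. Returns (argv lists to run, Regions skipped)."""
    commands, skipped = [], []
    destination = s3_destination(bucket, bucket_region, prefix)
    for region in sorted(listings):
        if has_org_sync(listings[region]):
            skipped.append(region)  # only one Organizations-based sync is allowed
            continue
        commands.append([
            "aws", "ssm", "create-resource-data-sync", "--region", region,
            "--sync-name", sync_name, "--s3-destination", destination,
        ])
    return commands, skipped


# Constructed sample listings for three Regions of one account.
LISTINGS = {
    "us-east-2": {"ResourceDataSyncItems": [
        {"SyncName": "org-sync", "S3Destination": {
            "BucketName": "amzn-s3-demo-bucket", "SyncFormat": "JsonSerDe",
            "Region": "us-east-2",
            "DestinationDataSharing": {"DestinationDataSharingType": "Organization"}}}]},
    "eu-west-1": {"ResourceDataSyncItems": [
        {"SyncName": "standard-sync", "S3Destination": {
            "BucketName": "amzn-s3-demo-bucket", "SyncFormat": "JsonSerDe",
            "Region": "us-east-2"}}]},
    "ap-southeast-2": {"ResourceDataSyncItems": []},
}

if __name__ == "__main__":
    todo, done = plan_org_syncs(LISTINGS, "inventory-org", "amzn-s3-demo-bucket",
                                "us-east-2", prefix="prefix-name")
    print("already configured:", done)
    for argv in todo:
        print(" ".join(argv[:7]), repr(argv[7]))
```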

### Managing resource data syncs


Each AWS account can have 5 resource data syncs per AWS Region. You can use the AWS Systems Manager Fleet Manager console to manage your resource data syncs.

**To view resource data syncs**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Fleet Manager**.

1. In the **Account management** dropdown, choose **Resource data syncs**.

1. Select a resource data sync from the table, and then choose **View details** to view information about your resource data sync.

**To delete a resource data sync**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Fleet Manager**.

1. In the **Account management** dropdown, choose **Resource data syncs**.

1. Select a resource data sync from the table, and then choose **Delete**.

# Using EventBridge to monitor Inventory events


You can configure a rule in Amazon EventBridge to create an event in response to AWS Systems Manager Inventory resource state changes. EventBridge supports events for the following Inventory state changes. All events are sent on a best effort basis.

**Custom inventory type deleted for a specific instance**: If a rule is configured to monitor for this event, EventBridge creates an event when a custom inventory type on a specific managed node is deleted. EventBridge sends one event per node per custom inventory type. Here is a sample event pattern.

```
{
    "timestampMillis": 1610042981103,
    "source": "SSM",
    "account": "123456789012",
    "type": "INVENTORY_RESOURCE_STATE_CHANGE",
    "startTime": "Jan 7, 2021 6:09:41 PM",
    "resources": [
        {
            "arn": "arn:aws:ssm:us-east-1:123456789012:managed-instance/i-12345678"
        }
    ],
    "body": {
        "action-status": "succeeded",
        "action": "delete",
        "resource-type": "managed-instance",
        "resource-id": "i-12345678",
        "action-reason": "",
        "type-name": "Custom:MyCustomInventoryType"
    }
}
```

**Custom inventory type deleted event for all instances**: If a rule is configured to monitor for this event, EventBridge creates an event when a custom inventory type for all managed nodes is deleted. Here is a sample event pattern.

```
{
    "timestampMillis": 1610042904712,
    "source": "SSM",
    "account": "123456789012",
    "type": "INVENTORY_RESOURCE_STATE_CHANGE",
    "startTime": "Jan 7, 2021 6:08:24 PM",
    "resources": [
        
    ],
    "body": {
        "action-status": "succeeded",
        "action": "delete-summary",
        "resource-type": "managed-instance",
        "resource-id": "",
        "action-reason": "The delete for type name Custom:SomeCustomInventoryType was completed. The deletion summary is: {\"totalCount\":1,\"remainingCount\":0,\"summaryItems\":[{\"version\":\"1.1\",\"count\":1,\"remainingCount\":0}]}",
        "type-name": "Custom:MyCustomInventoryType"
    }
}
```

**[PutInventory](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_PutInventory.html) call with old schema version event**: If a rule is configured to monitor for this event, EventBridge creates an event when a PutInventory call is made that uses a schema version that is lower than the current schema. This event applies to all inventory types. Here is a sample event pattern.

```
{
    "timestampMillis": 1610042629548,
    "source": "SSM",
    "account": "123456789012",
    "type": "INVENTORY_RESOURCE_STATE_CHANGE",
    "startTime": "Jan 7, 2021 6:03:49 PM",
    "resources": [
        {
            "arn": "arn:aws:ssm:us-east-1:123456789012:managed-instance/i-12345678"
        }
    ],
    "body": {
        "action-status": "failed",
        "action": "put",
        "resource-type": "managed-instance",
        "resource-id": "i-01f017c1b2efbe2bc",
        "action-reason": "The inventory item with type name Custom:MyCustomInventoryType was sent with a disabled schema verison 1.0. You must send a version greater than 1.0",
        "type-name": "Custom:MyCustomInventoryType"
    }
}
```

For information about how to configure EventBridge to monitor for these events, see [Configuring EventBridge for Systems Manager events](monitoring-systems-manager-events.md).
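
The three sample events above, run through a small triage function. This is an added example, not AWS code: it classifies each `INVENTORY_RESOURCE_STATE_CHANGE` body, extracts the deletion counts embedded in `action-reason`, and pulls out the rejected schema version. The `kind` and `severity` labels are assumptions of this example; the sample events are shortened copies of the ones shown on this page.

```python
import json
import re

# The deletion summary is a JSON object appended to the action-reason text.
SUMMARY_RE = re.compile(r"The deletion summary is: (\{.*\})\s*$", re.S)
# The sample message spells the word "verison", so match loosely.
VERSION_RE = re.compile(r"schema ver\w+ (\d+(?:\.\d+)*)")


def triage(event):
    """Map one Inventory state-change event to an alert dict, or None if it is another type."""
    if event.get("type") != "INVENTORY_RESOURCE_STATE_CHANGE":
        return None
    body = event.get("body", {})
    action, status = body.get("action"), body.get("action-status")
    reason = body.get("action-reason", "")
    alert = {
        "account": event.get("account"),
        "type_name": body.get("type-name"),
        "node": body.get("resource-id") or None,  # empty for account-wide deletes
        "kind": "other",
        "severity": "info",
    }
    if action == "delete" and status == "succeeded":
        alert.update(kind="type_deleted_on_node", severity="medium")
    elif action == "delete-summary":
        alert.update(kind="type_deleted_everywhere", severity="high")
        match = SUMMARY_RE.search(reason)
        if match:
            try:
                summary = json.loads(match.group(1))
            except json.JSONDecodeError:
                summary = {}
            alert["deleted_total"] = summary.get("totalCount")
            alert["remaining"] = summary.get("remainingCount")
    elif action == "put" and status == "failed" and "schema" in reason:
        alert.update(kind="put_rejected_old_schema", severity="low")
        match = VERSION_RE.search(reason)
        if match:
            alert["sent_schema_version"] = match.group(1)
    return alert


def _event(body):
    """Wrap a body in the envelope fields used by the samples on this page."""
    return {"source": "SSM", "account": "123456789012",
            "type": "INVENTORY_RESOURCE_STATE_CHANGE", "body": body}


SAMPLES = [
    _event({"action-status": "succeeded", "action": "delete",
            "resource-type": "managed-instance", "resource-id": "i-12345678",
            "action-reason": "", "type-name": "Custom:MyCustomInventoryType"}),
    _event({"action-status": "succeeded", "action": "delete-summary",
            "resource-type": "managed-instance", "resource-id": "",
            "action-reason": "The delete for type name Custom:SomeCustomInventoryType "
                             "was completed. The deletion summary is: "
                             '{"totalCount":1,"remainingCount":0,"summaryItems":'
                             '[{"version":"1.1","count":1,"remainingCount":0}]}',
            "type-name": "Custom:MyCustomInventoryType"}),
    _event({"action-status": "failed", "action": "put",
            "resource-type": "managed-instance", "resource-id": "i-01f017c1b2efbe2bc",
            "action-reason": "The inventory item with type name Custom:MyCustomInventoryType "
                             "was sent with a disabled schema verison 1.0. "
                             "You must send a version greater than 1.0",
            "type-name": "Custom:MyCustomInventoryType"}),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(json.dumps(triage(sample)))
```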

# Configuring inventory collection


This section describes how to configure AWS Systems Manager Inventory collection on one or more managed nodes by using the Systems Manager console. For an example of how to configure inventory collection by using the AWS Command Line Interface (AWS CLI), see [Using the AWS CLI to configure inventory data collection](inventory-collection-cli.md).

When you configure inventory collection, you start by creating an AWS Systems Manager State Manager association. Systems Manager collects the inventory data when the association is run. If you don't create the association first, and attempt to invoke the `aws:softwareInventory` plugin by using, for example, AWS Systems Manager Run Command, the system returns the following error: `The aws:softwareInventory plugin can only be invoked via ssm-associate.`

**Note**  
Be aware of the following behavior if you create multiple inventory associations for a managed node:  
+ Each node can be assigned an inventory association that targets *all* nodes (`--targets "Key=InstanceIds,Values=*"`).
+ Each node can also be assigned a specific association that uses either tag key/value pairs or an AWS resource group.
+ If a node is assigned multiple inventory associations, the status shows *Skipped* for the association that hasn't run. The association that ran most recently displays the actual status of the inventory association.
+ If a node is assigned multiple inventory associations and each uses a tag key/value pair, then those inventory associations fail to run on the node because of the tag conflict. The association still runs on nodes that don't have the tag key/value conflict.

**Before You Begin**  
Before you configure inventory collection, complete the following tasks.
+ Update AWS Systems Manager SSM Agent on the nodes you want to inventory. By running the latest version of SSM Agent, you ensure that you can collect metadata for all supported inventory types. For information about how to update SSM Agent by using State Manager, see [Walkthrough: Automatically update SSM Agent with the AWS CLI](state-manager-update-ssm-agent-cli.md).
+ Verify that you have completed the setup requirements for your Amazon Elastic Compute Cloud (Amazon EC2) instances and non-EC2 machines in a [hybrid and multicloud](operating-systems-and-machine-types.md#supported-machine-types) environment. For information, see [Setting up managed nodes for AWS Systems Manager](systems-manager-setting-up-nodes.md).
+ For Microsoft Windows Server nodes, verify that your managed node is configured with Windows PowerShell 3.0 (or later). SSM Agent uses the `ConvertTo-Json` cmdlet in PowerShell to convert Windows update inventory data to the required format.
+ (Optional) Create a resource data sync to centrally store inventory data in an Amazon S3 bucket. Resource data sync then automatically updates the centralized data when new inventory data is collected. For more information, see [Walkthrough: Using resource data sync to aggregate inventory data](inventory-resource-data-sync.md).
+ (Optional) Create a JSON file to collect custom inventory. For more information, see [Working with custom inventory](inventory-custom.md).

## Inventory all managed nodes in your AWS account


You can inventory all managed nodes in your AWS account by creating a global inventory association. A global inventory association performs the following actions:
+ Automatically applies the global inventory configuration (association) to all existing managed nodes in your AWS account. Managed nodes that already have an inventory association are skipped when the global inventory association is applied and runs. When a node is skipped, the detailed status message states `Overridden By Explicit Inventory Association`. Those nodes are skipped by the global association, but they will still report inventory when they run their assigned inventory association.
+ Automatically adds new nodes created in your AWS account to the global inventory association.

**Note**  
If a managed node is configured for the global inventory association, and you assign a specific association to that node, then Systems Manager Inventory deprioritizes the global association and applies the specific association.
Global inventory associations are available in SSM Agent version 2.0.790.0 or later. For information about how to update SSM Agent on your nodes, see [Updating the SSM Agent using Run Command](run-command-tutorial-update-software.md#rc-console-agentexample).

### Configuring inventory collection with one click (console)


Use the following procedure to configure Systems Manager Inventory for all managed nodes in your AWS account and in a single AWS Region. 

**To configure all of your managed nodes in the current Region for Systems Manager inventory**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Inventory**.

1. In the **Managed instances with inventory enabled** card, choose **Click here to enable inventory on all instances**.  
![\[Enabling Systems Manager Inventory on all managed nodes.\]](http://docs.aws.amazon.com/systems-manager/latest/userguide/images/inventory-one-click-1.png)

   If successful, the console displays the following message.  
![\[Enabling Systems Manager Inventory on all managed nodes.\]](http://docs.aws.amazon.com/systems-manager/latest/userguide/images/inventory-one-click-2.png)

   Depending on the number of managed nodes in your account, it can take several minutes for the global inventory association to be applied. Wait a few minutes and then refresh the page. Verify that the graphic changes to reflect that inventory is configured on all of your managed nodes.

### Configuring collection by using the console


This section includes information about how to configure Systems Manager Inventory to collect metadata from your managed nodes by using the Systems Manager console. You can quickly collect metadata from all nodes in a specific AWS account (and any future nodes that might be created in that account) or you can selectively collect inventory data by using tags or node IDs.

**Note**  
Before completing this procedure, check to see if a global inventory association already exists. If a global inventory association already exists, anytime you launch a new instance, the association will be applied to it, and the new instance will be inventoried.

**To configure inventory collection**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Inventory**.

1. Choose **Setup Inventory**.

1. In the **Targets** section, identify the nodes where you want to run this operation by choosing one of the following.
   + **Selecting all managed instances in this account** - This option selects all managed nodes for which there is no existing inventory association. If you choose this option, nodes that already had inventory associations are skipped during inventory collection, and shown with a status of **Skipped** in inventory results. For more information, see [Inventory all managed nodes in your AWS account](#inventory-management-inventory-all). 
   + **Specifying a tag** - Use this option to specify a single tag to identify nodes in your account from which you want to collect inventory. If you use a tag, any nodes created in the future with the same tag will also report inventory. If there is an existing inventory association with all nodes, using a tag to select specific nodes as a target for a different inventory overrides node membership in the **All managed instances** target group. Managed nodes with the specified tag are skipped on future inventory collection from **All managed instances**.
   + **Manually selecting instances** - Use this option to choose specific managed nodes in your account. Explicitly choosing specific nodes by using this option overrides inventory associations on the **All managed instances** target. The node is skipped on future inventory collection from **All managed instances**.
**Note**  
If a managed node you expect to see isn't listed, see [Troubleshooting managed node availability](fleet-manager-troubleshooting-managed-nodes.md) for troubleshooting tips.

1. In the **Schedule** section, choose how often you want the system to collect inventory metadata from your nodes.

1. In the **Parameters** section, use the lists to turn on or turn off different types of inventory collection. For more information about collecting File and Windows Registry inventory, see [Working with file and Windows registry inventory](inventory-file-and-registry.md).

1. In the **Advanced** section, choose **Sync inventory execution logs to an Amazon S3 bucket** if you want to store the association execution status in an Amazon S3 bucket.

1. Choose **Setup Inventory**. Systems Manager creates a State Manager association and immediately runs Inventory on the nodes.

1. In the navigation pane, choose **State Manager**. Verify that a new association was created that uses the `AWS-GatherSoftwareInventory` document. The association schedule uses a rate expression. Also, verify that the **Status** field shows **Success**. If you chose the option to **Sync inventory execution logs to an Amazon S3 bucket**, then you can view the log data in Amazon S3 after a few minutes. If you want to view inventory data for a specific node, then choose **Managed Instances** in the navigation pane. 

1. Choose a node, and then choose **View details**.

1. On the node details page, choose **Inventory**. Use the **Inventory type** lists to filter the inventory.

# Querying inventory data from multiple Regions and accounts


AWS Systems Manager Inventory integrates with Amazon Athena to help you query inventory data from multiple AWS Regions and AWS accounts. Athena integration uses resource data sync so that you can view inventory data from all of your managed nodes on the **Detailed View** page in the AWS Systems Manager console.

**Important**  
This feature uses AWS Glue to crawl the data in your Amazon Simple Storage Service (Amazon S3) bucket, and Amazon Athena to query the data. Depending on how much data is crawled and queried, you can be charged for using these services. With AWS Glue, you pay an hourly rate, billed by the second, for crawlers (discovering data) and ETL jobs (processing and loading data). With Athena, you're charged based on the amount of data scanned by each query. We encourage you to view the pricing guidelines for these services before you use Amazon Athena integration with Systems Manager Inventory. For more information, see [Amazon Athena pricing](https://aws.amazon.com/athena/pricing/) and [AWS Glue pricing](https://aws.amazon.com/glue/pricing/).

You can view inventory data on the **Detailed View** page in all AWS Regions where Amazon Athena is available. For a list of supported Regions, see [Amazon Athena Service Endpoints](https://docs.aws.amazon.com/general/latest/gr/athena.html#athena_region) in the *Amazon Web Services General Reference*.

**Before you begin**  
Athena integration uses resource data sync. You must set up and configure resource data sync to use this feature. For more information, see [Walkthrough: Using resource data sync to aggregate inventory data](inventory-resource-data-sync.md).

Also, be aware that the **Detailed View** page displays inventory data for the *owner* of the central Amazon S3 bucket used by resource data sync. If you aren't the owner of the central Amazon S3 bucket, then you won't see inventory data on the **Detailed View** page.

## Configuring access


Before you can query and view data from multiple accounts and Regions on the **Detailed View** page in the Systems Manager console, you must configure your IAM entity with permission to view the data.

If the inventory data is stored in an Amazon S3 bucket that uses AWS Key Management Service (AWS KMS) encryption, you must also configure your IAM entity and the `Amazon-GlueServiceRoleForSSM` service role for AWS KMS encryption. 

**Topics**
+ [Configuring your IAM entity to access the Detailed View page](#systems-manager-inventory-query-iam-user)
+ [(Optional) Configure permissions for viewing AWS KMS encrypted data](#systems-manager-inventory-query-kms)

### Configuring your IAM entity to access the Detailed View page


The following describes the minimum permissions required to view inventory data on the **Detailed View** page.
+ The `AWSQuicksightAthenaAccess` managed policy
+ The following `PassRole` and additional required permissions block

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowGlue",
            "Effect": "Allow",
            "Action": [
                "glue:GetCrawler",
                "glue:GetCrawlers",
                "glue:GetTables",
                "glue:StartCrawler",
                "glue:CreateCrawler"
            ],
            "Resource": "*"
        },
        {
            "Sid": "iamPassRole",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": [
                "arn:aws:iam::111122223333:role/SSMInventoryGlueRole",
                "arn:aws:iam::111122223333:role/SSMInventoryServiceRole"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "glue.amazonaws.com"
                }
            }
        },
        {
            "Sid": "iamRoleCreation",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:AttachRolePolicy"
            ],
            "Resource": "arn:aws:iam::111122223333:role/*"
        },
        {
            "Sid": "iamPolicyCreation",
            "Effect": "Allow",
            "Action": "iam:CreatePolicy",
            "Resource": "arn:aws:iam::111122223333:policy/*"
        }
    ]
}
```


(Optional) If the Amazon S3 bucket used to store inventory data is encrypted by using AWS KMS, you must also add the following block to the policy.

```
{
    "Effect": "Allow",
    "Action": [
        "kms:Decrypt"
    ],
    "Resource": [
        "arn:aws:kms:Region:account_ID:key/key_ARN"
    ]
}
```

To provide access, add permissions to your users, groups, or roles:
+ Users and groups in AWS IAM Identity Center:

  Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

### (Optional) Configure permissions for viewing AWS KMS encrypted data


If the Amazon S3 bucket used to store inventory data is encrypted by using the AWS Key Management Service (AWS KMS), you must configure your IAM entity and the **Amazon-GlueServiceRoleForSSM** role with `kms:Decrypt` permissions for the AWS KMS key. 

**Before you begin**  
To provide the `kms:Decrypt` permissions for the AWS KMS key, add the following policy block to your IAM entity:

```
{
    "Effect": "Allow",
    "Action": [
        "kms:Decrypt"
    ],
    "Resource": [
        "arn:aws:kms:Region:account_ID:key/key_ARN"
    ]
}
```

If you haven't done so already, add the `kms:Decrypt` permissions for the AWS KMS key to your IAM entity before you continue.

Use the following procedure to configure the **Amazon-GlueServiceRoleForSSM** role with `kms:Decrypt` permissions for the AWS KMS key. 

**To configure the **Amazon-GlueServiceRoleForSSM** role with `kms:Decrypt` permissions**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Roles**, and then use the search field to locate the **Amazon-GlueServiceRoleForSSM** role.

1. Choose the role name. The **Summary** page opens.

1. Choose **Add inline policy**. The **Create policy** page opens.

1. Choose the **JSON** tab.

1. Delete the existing JSON text in the editor, and then copy and paste the following policy into the JSON editor. 

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "kms:Decrypt"
               ],
               "Resource": [
                   "arn:aws:kms:us-east-1:111122223333:key/key_ARN"
               ]
           }
       ]
   }
   ```


1. Choose **Review policy**.

1. On the **Review Policy** page, enter a name in the **Name** field.

1. Choose **Create policy**.

## Querying data on the inventory detailed view page


Use the following procedure to view inventory data from multiple AWS Regions and AWS accounts on the Systems Manager Inventory **Detailed View** page.

**Important**  
The Inventory **Detailed View** page is only available in AWS Regions that offer Amazon Athena. If the following tabs aren't displayed on the Systems Manager Inventory page, it means Athena isn't available in the Region and you can't use the **Detailed View** to query data.  

![\[Displaying Inventory Dashboard | Detailed View | Settings tabs\]](http://docs.aws.amazon.com/systems-manager/latest/userguide/images/inventory-detailed-view-for-error.png)


**To view inventory data from multiple Regions and accounts in the AWS Systems Manager console**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Inventory**.

1. Choose the **Detailed View** tab.  
![\[Accessing the AWS Systems Manager Inventory Detailed View page\]](http://docs.aws.amazon.com/systems-manager/latest/userguide/images/inventory-detailed-view.png)

1. Choose the resource data sync for which you want to query data.  
![\[Displaying inventory data in the AWS Systems Manager console\]](http://docs.aws.amazon.com/systems-manager/latest/userguide/images/inventory-display-data.png)

1. In the **Inventory Type** list, choose the type of inventory data that you want to query, and then press Enter.  
![\[Choosing an inventory type in the AWS Systems Manager console\]](http://docs.aws.amazon.com/systems-manager/latest/userguide/images/inventory-type.png)

1. To filter the data, choose the Filter bar, and then choose a filter option.  
![\[Filtering inventory data in the AWS Systems Manager console\]](http://docs.aws.amazon.com/systems-manager/latest/userguide/images/inventory-filter.png)

You can use the **Export to CSV** button to view the current query set in a spreadsheet application such as Microsoft Excel. You can also use the **Query History** and **Run Advanced Queries** buttons to view history details and interact with your data in Amazon Athena.

### Editing the AWS Glue crawler schedule


By default, AWS Glue crawls the inventory data in the central Amazon S3 bucket twice daily. If you frequently change the types of data to collect on your nodes, then you might want to crawl the data more frequently, as described in the following procedure.

**Important**  
AWS Glue charges your AWS account based on an hourly rate, billed by the second, for crawlers (discovering data) and ETL jobs (processing and loading data). Before you change the crawler schedule, view the [AWS Glue pricing](https://aws.amazon.com/glue/pricing/) page.

**To change the inventory data crawler schedule**

1. Open the AWS Glue console at [https://console.aws.amazon.com/glue/](https://console.aws.amazon.com/glue/).

1. In the navigation pane, choose **Crawlers**.

1. In the crawlers list, choose the option next to the Systems Manager Inventory data crawler. The crawler name uses the following format:

   `AWSSystemsManager-s3-bucket-name-Region-account_ID`

1. Choose **Action**, and then choose **Edit crawler**.

1. In the navigation pane, choose **Schedule**.

1. In the **Cron expression** field, specify a new schedule by using a cron format. For more information about the cron format, see [Time-Based Schedules for Jobs and Crawlers](https://docs.aws.amazon.com/glue/latest/dg/monitor-data-warehouse-schedule.html) in the *AWS Glue Developer Guide*.

**Important**  
You can pause the crawler to stop incurring charges from AWS Glue. If you pause the crawler, or if you change the frequency so that the data is crawled less often, then the Inventory **Detailed View** might display data that isn't current.

# Querying an inventory collection by using filters


After you collect inventory data, you can use the filter capabilities in AWS Systems Manager to query a list of managed nodes that meet certain filter criteria. 

**To query nodes based on inventory filters**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Inventory**.

1. In the **Filter by resource groups, tags or inventory types** section, choose the filter box. A list of predefined filters is displayed.

1. Choose an attribute to filter on. For example, choose `AWS:Application`. If prompted, choose a secondary attribute to filter. For example, choose `AWS:Application.Name`. 

1. Choose a delimiter from the list. For example, choose **Begin with**. A text box is displayed in the filter.

1. Enter a value in the text box. For example, enter *Amazon* (SSM Agent is named *Amazon SSM Agent*). 

1. Press Enter. The system returns a list of managed nodes that include an application name that begins with the word *Amazon*.

**Note**  
You can combine multiple filters to refine your search.

# Aggregating inventory data


After you configure your managed nodes for AWS Systems Manager Inventory, you can view aggregated counts of inventory data. For example, say you configured dozens or hundreds of managed nodes to collect the `AWS:Application` inventory type. By using the information in this section, you can see an exact count of how many nodes are configured to collect this data.

You can also see specific inventory details by aggregating on a data type. For example, the `AWS:InstanceInformation` inventory type collects operating system platform information with the `Platform` data type. By aggregating data on the `Platform` data type, you can quickly see how many nodes are running Windows Server, how many are running Linux, and how many are running macOS. 

The procedures in this section describe how to view aggregated counts of inventory data by using the AWS Command Line Interface (AWS CLI). You can also view pre-configured aggregated counts in the AWS Systems Manager console on the **Inventory** page. These pre-configured dashboards are called *Inventory Insights* and they offer one-click remediation of your inventory configuration issues.

Note the following important details about aggregation counts of inventory data:
+ If you terminate a managed node that is configured to collect inventory data, Systems Manager retains the inventory data for 30 days and then deletes it. For running nodes, the system deletes inventory data that is older than 30 days. If you need to store inventory data longer than 30 days, you can use AWS Config to record history or periodically query and upload the data to an Amazon Simple Storage Service (Amazon S3) bucket.
+ If a node was previously configured to report a specific inventory data type, for example `AWS:Network`, and later you change the configuration to stop collecting that type, aggregation counts still show `AWS:Network` data until the node has been terminated and 30 days have passed.

For information about how to quickly configure and collect inventory data from all nodes in a specific AWS account (and any future nodes that might be created in that account), see [Inventory all managed nodes in your AWS account](inventory-collection.md#inventory-management-inventory-all).

**Topics**
+ [Aggregating inventory data to see counts of nodes that collect specific types of data](#inventory-aggregate-type)
+ [Aggregating inventory data with groups to see which nodes are and aren't configured to collect an inventory type](#inventory-aggregate-groups)

## Aggregating inventory data to see counts of nodes that collect specific types of data

You can use the AWS Systems Manager [GetInventory](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_GetInventory.html) API operation to view aggregated counts of nodes that collect one or more inventory types and data types. For example, the `AWS:InstanceInformation` inventory type allows you to view an aggregate of operating systems by using the GetInventory API operation with the `AWS:InstanceInformation.PlatformType` data type. Here is an example AWS CLI command and output.

```
aws ssm get-inventory --aggregators "Expression=AWS:InstanceInformation.PlatformType"
```

The system returns information like the following.

```
{
   "Entities":[
      {
         "Data":{
            "AWS:InstanceInformation":{
               "Content":[
                  {
                     "Count":"7",
                     "PlatformType":"windows"
                  },
                  {
                     "Count":"5",
                     "PlatformType":"linux"
                  }
               ]
            }
         }
      }
   ]
}
```

**Getting started**  
Determine the inventory types and data types for which you want to view counts. You can view a list of inventory types and data types that support aggregation by running the following command in the AWS CLI.

```
aws ssm get-inventory-schema --aggregator
```

The command returns a JSON list of inventory types and data types that support aggregation. The **TypeName** field shows the supported inventory types, and the **Name** field shows each data type. For example, in the following list, the `AWS:Application` inventory type includes data types for `Name` and `Version`.

```
{
    "Schemas": [
        {
            "TypeName": "AWS:Application",
            "Version": "1.1",
            "DisplayName": "Application",
            "Attributes": [
                {
                    "DataType": "STRING",
                    "Name": "Name"
                },
                {
                    "DataType": "STRING",
                    "Name": "Version"
                }
            ]
        },
        {
            "TypeName": "AWS:InstanceInformation",
            "Version": "1.0",
            "DisplayName": "Platform",
            "Attributes": [
                {
                    "DataType": "STRING",
                    "Name": "PlatformName"
                },
                {
                    "DataType": "STRING",
                    "Name": "PlatformType"
                },
                {
                    "DataType": "STRING",
                    "Name": "PlatformVersion"
                }
            ]
        },
        {
            "TypeName": "AWS:ResourceGroup",
            "Version": "1.0",
            "DisplayName": "ResourceGroup",
            "Attributes": [
                {
                    "DataType": "STRING",
                    "Name": "Name"
                }
            ]
        },
        {
            "TypeName": "AWS:Service",
            "Version": "1.0",
            "DisplayName": "Service",
            "Attributes": [
                {
                    "DataType": "STRING",
                    "Name": "Name"
                },
                {
                    "DataType": "STRING",
                    "Name": "DisplayName"
                },
                {
                    "DataType": "STRING",
                    "Name": "ServiceType"
                },
                {
                    "DataType": "STRING",
                    "Name": "Status"
                },
                {
                    "DataType": "STRING",
                    "Name": "StartType"
                }
            ]
        },
        {
            "TypeName": "AWS:WindowsRole",
            "Version": "1.0",
            "DisplayName": "WindowsRole",
            "Attributes": [
                {
                    "DataType": "STRING",
                    "Name": "Name"
                },
                {
                    "DataType": "STRING",
                    "Name": "DisplayName"
                },
                {
                    "DataType": "STRING",
                    "Name": "FeatureType"
                },
                {
                    "DataType": "STRING",
                    "Name": "Installed"
                }
            ]
        }
    ]
}
```

You can aggregate data for any of the listed inventory types by creating a command that uses the following syntax.

```
aws ssm get-inventory --aggregators "Expression=InventoryType.DataType"
```

Here are some examples.

**Example 1**

This example aggregates a count of the Windows roles used by your nodes.

```
aws ssm get-inventory --aggregators "Expression=AWS:WindowsRole.Name"
```

**Example 2**

This example aggregates a count of the applications installed on your nodes.

```
aws ssm get-inventory --aggregators "Expression=AWS:Application.Name"
```

**Combining multiple aggregators**  
You can also combine multiple inventory types and data types in one command to help you better understand the data. Here are some examples.

**Example 1**

This example aggregates a count of the operating system types used by your nodes. It also returns the specific name of the operating systems.

```
aws ssm get-inventory --aggregators '[{"Expression": "AWS:InstanceInformation.PlatformType", "Aggregators":[{"Expression": "AWS:InstanceInformation.PlatformName"}]}]'
```

**Example 2**

This example aggregates a count of the applications running on your nodes and the specific version of each application.

```
aws ssm get-inventory --aggregators '[{"Expression": "AWS:Application.Name", "Aggregators":[{"Expression": "AWS:Application.Version"}]}]'
```

If you prefer, you can create an aggregation expression with one or more inventory types and data types in a JSON file and call the file from the AWS CLI. The JSON in the file must use the following syntax.

```
[
       {
           "Expression": "string",
           "Aggregators": [
               {
                  "Expression": "string"
               }
           ]
       }
]
```

You must save the file with the .json file extension. 

Here is an example that uses multiple inventory types and data types.

```
[
       {
           "Expression": "AWS:Application.Name",
           "Aggregators": [
               {
                   "Expression": "AWS:Application.Version",
                   "Aggregators": [
                     {
                     "Expression": "AWS:InstanceInformation.PlatformType"
                     }
                   ]
               }
           ]
       }
]
```

Use the following command to call the file from the AWS CLI. 

```
aws ssm get-inventory --aggregators file://file_name.json
```

The command returns information like the following.

```
{"Entities": 
 [
   {"Data": 
     {"AWS:Application": 
       {"Content": 
         [
           {"Count": "3", 
            "PlatformType": "linux", 
            "Version": "2.6.5", 
            "Name": "audit-libs"}, 
           {"Count": "2", 
            "PlatformType": "windows", 
            "Version": "2.6.5", 
            "Name": "audit-libs"}, 
           {"Count": "4", 
            "PlatformType": "windows", 
            "Version": "6.2.8", 
            "Name": "microsoft office"}, 
           {"Count": "2", 
            "PlatformType": "windows", 
            "Version": "2.6.5", 
            "Name": "chrome"}, 
           {"Count": "1", 
            "PlatformType": "linux", 
            "Version": "2.6.5", 
            "Name": "chrome"}, 
           {"Count": "2", 
            "PlatformType": "linux", 
            "Version": "6.3", 
            "Name": "authconfig"}
         ]
       }
     }, 
    "ResourceType": "ManagedInstance"}
 ]
}
```
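The following added example (not part of the AWS documentation) builds the nested aggregator JSON from an ordered list of expressions, rejects any expression that the `get-inventory-schema --aggregator` output doesn't list, and rolls the flat response rows up by chosen keys. The function names are hypothetical; `SCHEMA` and `RESPONSE` are copies of the sample outputs shown on this page.

```python
import json

# Trimmed copy of the `get-inventory-schema --aggregator` sample output shown earlier.
SCHEMA = {"Schemas": [
    {"TypeName": "AWS:Application",
     "Attributes": [{"Name": "Name"}, {"Name": "Version"}]},
    {"TypeName": "AWS:InstanceInformation",
     "Attributes": [{"Name": "PlatformName"}, {"Name": "PlatformType"},
                    {"Name": "PlatformVersion"}]},
]}

# The sample get-inventory response shown above.
RESPONSE = {"Entities": [{"Data": {"AWS:Application": {"Content": [
    {"Count": "3", "PlatformType": "linux", "Version": "2.6.5", "Name": "audit-libs"},
    {"Count": "2", "PlatformType": "windows", "Version": "2.6.5", "Name": "audit-libs"},
    {"Count": "4", "PlatformType": "windows", "Version": "6.2.8", "Name": "microsoft office"},
    {"Count": "2", "PlatformType": "windows", "Version": "2.6.5", "Name": "chrome"},
    {"Count": "1", "PlatformType": "linux", "Version": "2.6.5", "Name": "chrome"},
    {"Count": "2", "PlatformType": "linux", "Version": "6.3", "Name": "authconfig"},
]}}, "ResourceType": "ManagedInstance"}]}


def aggregatable(schema):
    """Return every 'InventoryType.DataType' expression the schema allows."""
    return {
        f'{entry["TypeName"]}.{attr["Name"]}'
        for entry in schema["Schemas"]
        for attr in entry["Attributes"]
    }


def build_aggregators(expressions, schema):
    """Nest expressions outermost first, in the JSON file syntax shown above."""
    if not expressions:
        raise ValueError("at least one expression is required")
    unknown = [e for e in expressions if e not in aggregatable(schema)]
    if unknown:
        raise ValueError("not aggregatable per schema: " + ", ".join(unknown))
    node = None
    for expression in reversed(expressions):
        outer = {"Expression": expression}
        if node is not None:
            outer["Aggregators"] = [node]
        node = outer
    return [node]


def rollup(response, keys):
    """Sum Count (returned as a string) over rows that share the given keys."""
    totals = {}
    for entity in response.get("Entities", []):
        for block in entity.get("Data", {}).values():
            for row in block.get("Content", []):
                group = tuple(row.get(key, "") for key in keys)
                totals[group] = totals.get(group, 0) + int(row["Count"])
    return totals


if __name__ == "__main__":
    aggregators = build_aggregators(
        ["AWS:Application.Name", "AWS:Application.Version",
         "AWS:InstanceInformation.PlatformType"], SCHEMA)
    print(json.dumps(aggregators, indent=2))   # save as file_name.json
    # Nodes per application and version, summed across platforms.
    for (name, version), count in sorted(rollup(RESPONSE, ["Name", "Version"]).items()):
        print(f"{name} {version}: {count}")
    # Rows per platform; a node is counted once per application it reports.
    print(rollup(RESPONSE, ["PlatformType"]))
```
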

## Aggregating inventory data with groups to see which nodes are and aren't configured to collect an inventory type

Groups in Systems Manager Inventory allow you to quickly see a count of which managed nodes are and aren’t configured to collect one or more inventory types. With groups, you specify one or more inventory types and a filter that uses the `exists` operator.

For example, say that you have four managed nodes configured to collect the following inventory types:
+ Node 1: `AWS:Application`
+ Node 2: `AWS:File`
+ Node 3: `AWS:Application`, `AWS:File`
+ Node 4: `AWS:Network`

You can run the following command from the AWS CLI to see how many nodes are configured to collect both the `AWS:Application` and `AWS:File` inventory types. The response also returns a count of how many nodes aren't configured to collect both of these inventory types.

```
aws ssm get-inventory --aggregators 'Groups=[{Name=ApplicationAndFile,Filters=[{Key=TypeName,Values=[AWS:Application],Type=Exists},{Key=TypeName,Values=[AWS:File],Type=Exists}]}]'
```

The command response shows that only one managed node is configured to collect both the `AWS:Application` and `AWS:File` inventory types.

```
{
   "Entities":[
      {
         "Data":{
            "ApplicationAndFile":{
               "Content":[
                  {
                     "notMatchingCount":"3"
                  },
                  {
                     "matchingCount":"1"
                  }
               ]
            }
         }
      }
   ]
}
```

**Note**  
Groups don't return data type counts. Also, you can't drill-down into the results to see the IDs of nodes that are or aren't configured to collect the inventory type.

If you prefer, you can create an aggregation expression with one or more inventory types in a JSON file and call the file from the AWS CLI. The JSON in the file must use the following syntax:

```
{
   "Aggregators":[
      {
         "Groups":[
            {
               "Name":"Name",
               "Filters":[
                  {
                     "Key":"TypeName",
                     "Values":[
                        "Inventory_type"
                     ],
                     "Type":"Exists"
                  },
                  {
                     "Key":"TypeName",
                     "Values":[
                        "Inventory_type"
                     ],
                     "Type":"Exists"
                  }
               ]
            }
         ]
      }
   ]
}
```

You must save the file with the .json file extension. 

Use the following command to call the file from the AWS CLI. 

```
aws ssm get-inventory --cli-input-json file://file_name.json
```

**Additional examples**  
The following examples show you how to aggregate inventory data to see which managed nodes are and aren't configured to collect the specified inventory types. These examples use the AWS CLI. Each example includes a full command with filters that you can run from the command line and a sample input.json file if you prefer to enter the information in a file.

**Example 1**

This example aggregates a count of nodes that are and aren't configured to collect either the `AWS:Application` or the `AWS:File` inventory types.

Run the following command from the AWS CLI.

```
aws ssm get-inventory --aggregators 'Groups=[{Name=ApplicationORFile,Filters=[{Key=TypeName,Values=[AWS:Application, AWS:File],Type=Exists}]}]'
```

If you prefer to use a file, copy and paste the following sample into a file and save it as input.json.

```
{
   "Aggregators":[
      {
         "Groups":[
            {
               "Name":"ApplicationORFile",
               "Filters":[
                  {
                     "Key":"TypeName",
                     "Values":[
                        "AWS:Application",
                        "AWS:File"
                     ],
                     "Type":"Exists"
                  }
               ]
            }
         ]
      }
   ]
}
```

Run the following command from the AWS CLI.

```
aws ssm get-inventory --cli-input-json file://input.json
```

The command returns information like the following.

```
{
   "Entities":[
      {
         "Data":{
            "ApplicationORFile":{
               "Content":[
                  {
                     "notMatchingCount":"1"
                  },
                  {
                     "matchingCount":"3"
                  }
               ]
            }
         }
      }
   ]
}
```

**Example 2**

This example aggregates a count of nodes that are and aren't configured to collect the `AWS:Application`, `AWS:File`, and `AWS:Network` inventory types.

Run the following command from the AWS CLI.

```
aws ssm get-inventory --aggregators 'Groups=[{Name=Application,Filters=[{Key=TypeName,Values=[AWS:Application],Type=Exists}]}, {Name=File,Filters=[{Key=TypeName,Values=[AWS:File],Type=Exists}]}, {Name=Network,Filters=[{Key=TypeName,Values=[AWS:Network],Type=Exists}]}]'
```

If you prefer to use a file, copy and paste the following sample into a file and save it as input.json.

```
{
   "Aggregators":[
      {
         "Groups":[
            {
               "Name":"Application",
               "Filters":[
                  {
                     "Key":"TypeName",
                     "Values":[
                        "AWS:Application"
                     ],
                     "Type":"Exists"
                  }
               ]
            },
            {
               "Name":"File",
               "Filters":[
                  {
                     "Key":"TypeName",
                     "Values":[
                        "AWS:File"
                     ],
                     "Type":"Exists"
                  }
               ]
            },
            {
               "Name":"Network",
               "Filters":[
                  {
                     "Key":"TypeName",
                     "Values":[
                        "AWS:Network"
                     ],
                     "Type":"Exists"
                  }
               ]
            }
         ]
      }
   ]
}
```

Run the following command from the AWS CLI.

```
aws ssm get-inventory --cli-input-json file://input.json
```

The command returns information like the following.

```
{
   "Entities":[
      {
         "Data":{
            "Application":{
               "Content":[
                  {
                     "notMatchingCount":"2"
                  },
                  {
                     "matchingCount":"2"
                  }
               ]
            },
            "File":{
               "Content":[
                  {
                     "notMatchingCount":"2"
                  },
                  {
                     "matchingCount":"2"
                  }
               ]
            },
            "Network":{
               "Content":[
                  {
                     "notMatchingCount":"3"
                  },
                  {
                     "matchingCount":"1"
                  }
               ]
            }
         }
      }
   ]
}
```
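The following added example (not part of the AWS documentation) generates the `--cli-input-json` document for a set of groups and turns the split `matchingCount`/`notMatchingCount` entries into a per-group coverage figure. The function names are hypothetical, and `simulate` is only a local model inferred from the examples on this page (values inside one filter are alternatives, separate filters must all match), run against the four example nodes listed earlier.

```python
import json

# The four example nodes from the text above and the inventory types each collects.
NODES = {
    "node-1": {"AWS:Application"},
    "node-2": {"AWS:File"},
    "node-3": {"AWS:Application", "AWS:File"},
    "node-4": {"AWS:Network"},
}


def build_request(groups):
    """groups maps a group name to a list of filters; each filter is a list
    of inventory types and becomes one Exists filter on TypeName."""
    return {"Aggregators": [{"Groups": [
        {"Name": name,
         "Filters": [{"Key": "TypeName", "Values": list(values), "Type": "Exists"}
                     for values in filters]}
        for name, filters in groups.items()
    ]}]}


def simulate(request, nodes):
    """Local model of the group counts, inferred from the page's examples.
    This does not call AWS; it only mirrors the response layout."""
    data = {}
    for aggregator in request["Aggregators"]:
        for group in aggregator["Groups"]:
            matching = sum(
                1 for types in nodes.values()
                if all(any(value in types for value in flt["Values"])
                       for flt in group["Filters"])
            )
            data[group["Name"]] = {"Content": [
                {"notMatchingCount": str(len(nodes) - matching)},
                {"matchingCount": str(matching)},
            ]}
    return {"Entities": [{"Data": data}]}


def coverage(response):
    """Merge the separate count entries and compute the matching fraction."""
    summary = {}
    for entity in response.get("Entities", []):
        for name, block in entity.get("Data", {}).items():
            merged = {}
            for item in block.get("Content", []):
                merged.update(item)
            matching = int(merged.get("matchingCount", 0))
            not_matching = int(merged.get("notMatchingCount", 0))
            total = matching + not_matching
            summary[name] = {
                "matching": matching,
                "not_matching": not_matching,
                "coverage": matching / total if total else 0.0,
            }
    return summary


if __name__ == "__main__":
    request = build_request({
        "ApplicationAndFile": [["AWS:Application"], ["AWS:File"]],
        "ApplicationORFile": [["AWS:Application", "AWS:File"]],
        "Network": [["AWS:Network"]],
    })
    print(json.dumps(request, indent=3))          # save as input.json
    for name, row in coverage(simulate(request, NODES)).items():
        print(f'{name}: {row["matching"]} of {row["matching"] + row["not_matching"]} '
              f'nodes ({row["coverage"]:.0%})')
```

To use it against a real account, pass the parsed output of `aws ssm get-inventory --cli-input-json file://input.json` to `coverage` instead of the simulated response.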

# Working with custom inventory


You can assign any metadata you want to your nodes by creating AWS Systems Manager Inventory *custom inventory*. For example, let's say you manage a large number of servers in racks in your data center, and these servers have been configured as Systems Manager managed nodes. Currently, you store information about server rack location in a spreadsheet. With custom inventory, you can specify the rack location of each node as metadata on the node. When you collect inventory by using Systems Manager, the metadata is collected with other inventory metadata. You can then port all inventory metadata to a central Amazon S3 bucket by using [resource data sync](inventory-resource-data-sync.html) and query the data.

**Note**  
Systems Manager supports a maximum of 20 custom inventory types per AWS account.

To assign custom inventory to a node, you can either use the Systems Manager [PutInventory](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_PutInventory.html) API operation, as described in [Assigning custom inventory metadata to a managed node](inventory-custom-metadata.md), or create a custom inventory JSON file and upload it to the node. This section describes how to create the JSON file.

The following example JSON file with custom inventory specifies rack information about an on-premises server. This example specifies one type of custom inventory data (`"TypeName": "Custom:RackInformation"`), with multiple entries under `Content` that describe the data.

```
{
    "SchemaVersion": "1.0",
    "TypeName": "Custom:RackInformation",
    "Content": {
        "Location": "US-EAST-02.CMH.RACK1",
        "InstalledTime": "2016-01-01T01:01:01Z",
        "vendor": "DELL",
        "Zone" : "BJS12",
        "TimeZone": "UTC-8"
      }
 }
```

You can also specify distinct entries in the `Content` section, as shown in the following example.

```
{
"SchemaVersion": "1.0",
"TypeName": "Custom:PuppetModuleInfo",
    "Content": [{
        "Name": "puppetlabs/aws",
        "Version": "1.0"
      },
      {
        "Name": "puppetlabs/dsc",
        "Version": "2.0"
      }
    ]
}
```

The JSON schema for custom inventory requires `SchemaVersion`, `TypeName`, and `Content` sections, but you can define the information in those sections.

```
{
    "SchemaVersion": "user_defined",
    "TypeName": "Custom:user_defined",
    "Content": {
        "user_defined_attribute1": "user_defined_value1",
        "user_defined_attribute2": "user_defined_value2",
        "user_defined_attribute3": "user_defined_value3",
        "user_defined_attribute4": "user_defined_value4"
      }
 }
```

The value of `TypeName` is limited to 100 characters. Also, the `TypeName` value must begin with the capitalized word `Custom`. For example, `Custom:PuppetModuleInfo`. Therefore, the following examples would result in an exception: `CUSTOM:PuppetModuleInfo`, `custom:PuppetModuleInfo`. 

The `Content` section includes attributes and *data*. These items aren't case-sensitive. However, if you define an attribute (for example, `"Vendor": "DELL"`), then you must consistently reference this attribute in your custom inventory files. If you specify `"Vendor": "DELL"` (using a capital "V" in `Vendor`) in one file, and then you specify `"vendor": "DELL"` (using a lowercase "v" in `vendor`) in another file, the system returns an error.

**Note**  
You must save the file with a `.json` extension and the inventory you define must consist only of string values.
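The following added example (not part of the AWS documentation) checks custom inventory files against the rules stated above before you copy them to nodes: the `.json` extension, the three required sections, the `Custom:` prefix and 100-character limit on `TypeName`, string-only values, and consistent attribute spelling across files. The function names and the sample files are constructed for illustration, and comparing attribute spelling per `TypeName` is an assumption.

```python
import json

REQUIRED = ("SchemaVersion", "TypeName", "Content")
MAX_TYPE_NAME = 100

# Constructed sample files (file name -> file text).
FILES = {
    "rack-a.json": '{"SchemaVersion": "1.0", "TypeName": "Custom:RackInformation",'
                   ' "Content": {"Location": "US-EAST-02.CMH.RACK1", "Vendor": "DELL"}}',
    "rack-b.json": '{"SchemaVersion": "1.0", "TypeName": "Custom:RackInformation",'
                   ' "Content": {"Location": "US-EAST-02.CMH.RACK2", "vendor": "DELL"}}',
    "puppet.json": '{"SchemaVersion": "1.0", "TypeName": "Custom:PuppetModuleInfo",'
                   ' "Content": [{"Name": "puppetlabs/aws", "Version": "1.0"},'
                   ' {"Name": "puppetlabs/dsc", "Version": "2.0"}]}',
    "disk.json": '{"TypeName": "custom:DiskInfo", "Content": {"FreeGB": 120}}',
}


def check_document(filename, text):
    """Return (problems, type_name, attribute_names) for one file."""
    problems = []
    if not filename.endswith(".json"):
        problems.append("file name does not end in .json")
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return problems + ["not valid JSON: " + exc.msg], None, set()
    if not isinstance(doc, dict):
        return problems + ["top level must be a JSON object"], None, set()
    for key in REQUIRED:
        if key not in doc:
            problems.append("missing required section " + key)
    type_name = doc.get("TypeName")
    if "TypeName" in doc and not isinstance(type_name, str):
        problems.append("TypeName must be a string")
        type_name = None
    elif isinstance(type_name, str):
        if len(type_name) > MAX_TYPE_NAME:
            problems.append(f"TypeName is longer than {MAX_TYPE_NAME} characters")
        if not type_name.startswith("Custom:"):
            problems.append("TypeName must begin with 'Custom:' (case-sensitive)")
    content = doc.get("Content", {})
    entries = content if isinstance(content, list) else [content]
    attributes = set()
    for entry in entries:
        if not isinstance(entry, dict):
            problems.append("Content entries must be JSON objects")
            continue
        for name, value in entry.items():
            attributes.add(name)
            if not isinstance(value, str):
                problems.append(f"attribute {name} has a non-string value")
    return problems, type_name, attributes


def validate_all(files):
    """Validate every file, then flag attributes whose spelling differs only
    by case between files of the same TypeName (assumed scope)."""
    report = {name: [] for name in files}
    spellings = {}   # (type_name, lowercased attribute) -> {spelling: [files]}
    for name, text in files.items():
        problems, type_name, attributes = check_document(name, text)
        report[name].extend(problems)
        if type_name is None:
            continue
        for attribute in attributes:
            key = (type_name, attribute.lower())
            spellings.setdefault(key, {}).setdefault(attribute, []).append(name)
    for (type_name, _), variants in spellings.items():
        if len(variants) > 1:
            listed = ", ".join(sorted(variants))
            affected = sorted({f for users in variants.values() for f in users})
            for name in affected:
                report[name].append(
                    f"attribute spelled inconsistently for {type_name}: {listed}")
    return report


if __name__ == "__main__":
    for name, problems in validate_all(FILES).items():
        print(name, "OK" if not problems else problems)
```
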

After you create the file, you must save it on the node. The following table shows the location where custom inventory JSON files must be stored on the node.



| Operating system | Path | 
| --- | --- | 
|  Linux  |  `/var/lib/amazon/ssm/node-id/inventory/custom`  | 
|  macOS  |  `/opt/aws/ssm/data/node-id/inventory/custom`  | 
|  Windows Server  |  `%SystemDrive%\ProgramData\Amazon\SSM\InstanceData\node-id\inventory\custom`  | 

For an example of how to use custom inventory, see [Get Disk Utilization of Your Fleet Using EC2 Systems Manager Custom Inventory Types](https://aws.amazon.com/blogs/mt/get-disk-utilization-of-your-fleet-using-ec2-systems-manager-custom-inventory-types/).

## Deleting custom inventory


You can use the [DeleteInventory](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_DeleteInventory.html) API operation to delete a custom inventory type and the data associated with that type. You call the `delete-inventory` command by using the AWS Command Line Interface (AWS CLI) to delete all data for an inventory type. You call the `delete-inventory` command with the `SchemaDeleteOption` parameter to delete a custom inventory type.

**Note**  
An inventory type is also called an inventory schema.

The `SchemaDeleteOption` parameter includes the following options:
+ **DeleteSchema**: This option deletes the specified custom type and all data associated with it. You can recreate the schema later, if you want.
+ **DisableSchema**: If you choose this option, the system turns off the current version, deletes all data for it, and ignores all new data if the version is less than or equal to the turned off version. You can allow this inventory type again by calling the [PutInventory](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_PutInventory.html) action for a version greater than the turned off version.

**To delete or turn off custom inventory by using the AWS CLI**

1. Install and configure the AWS Command Line Interface (AWS CLI), if you haven't already.

   For information, see [Installing or updating the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).

1. Run the following command to use the `dry-run` option to see which data will be deleted from the system. This command doesn't delete any data.

   ```
   aws ssm delete-inventory --type-name "Custom:custom_type_name" --dry-run
   ```

   The system returns information like the following.

   ```
   {
      "DeletionSummary":{
         "RemainingCount":3,
         "SummaryItems":[
            {
               "Count":2,
               "RemainingCount":2,
               "Version":"1.0"
            },
            {
               "Count":1,
               "RemainingCount":1,
               "Version":"2.0"
            }
         ],
         "TotalCount":3
      },
      "TypeName":"Custom:custom_type_name"
   }
   ```

   For information about how to understand the delete inventory summary, see [Understanding the delete inventory summary](#delete-custom-inventory-summary).

1. Run the following command to delete all data for a custom inventory type.

   ```
   aws ssm delete-inventory --type-name "Custom:custom_type_name"
   ```
   **Note**  
   The output of this command doesn't show the deletion progress. For this reason, `TotalCount` and `RemainingCount` are always the same because the system hasn't deleted anything yet. You can use the `describe-inventory-deletions` command to show the deletion progress, as described later in this topic.

   The system returns information like the following.

   ```
   {
      "DeletionId":"system_generated_deletion_ID",
      "DeletionSummary":{
         "RemainingCount":3,
         "SummaryItems":[
            {
               "Count":2,
               "RemainingCount":2,
               "Version":"1.0"
            },
            {
               "Count":1,
               "RemainingCount":1,
               "Version":"2.0"
            }
         ],
         "TotalCount":3
      },
      "TypeName":"custom_type_name"
   }
   ```

   The system deletes all data for the specified custom inventory type from the Systems Manager Inventory service. 

1. Run the following command. The command performs the following actions for the current version of the inventory type: turns off the current version, deletes all data for it, and ignores all new data if the version is less than or equal to the turned off version. 

   ```
   aws ssm delete-inventory --type-name "Custom:custom_type_name" --schema-delete-option "DisableSchema"
   ```

   The system returns information like the following.

   ```
   {
      "DeletionId":"system_generated_deletion_ID",
      "DeletionSummary":{
         "RemainingCount":3,
         "SummaryItems":[
            {
               "Count":2,
               "RemainingCount":2,
               "Version":"1.0"
            },
            {
               "Count":1,
               "RemainingCount":1,
               "Version":"2.0"
            }
         ],
         "TotalCount":3
      },
      "TypeName":"Custom:custom_type_name"
   }
   ```

   You can view a turned off inventory type by using the following command.

   ```
   aws ssm get-inventory-schema --type-name Custom:custom_type_name
   ```

1. Run the following command to delete an inventory type.

   ```
   aws ssm delete-inventory --type-name "Custom:custom_type_name" --schema-delete-option "DeleteSchema"
   ```

   The system deletes the schema and all inventory data for the specified custom type.

   The system returns information like the following.

   ```
   {
      "DeletionId":"system_generated_deletion_ID",
      "DeletionSummary":{
         "RemainingCount":3,
         "SummaryItems":[
            {
               "Count":2,
               "RemainingCount":2,
               "Version":"1.0"
            },
            {
               "Count":1,
               "RemainingCount":1,
               "Version":"2.0"
            }
         ],
         "TotalCount":3
      },
      "TypeName":"Custom:custom_type_name"
   }
   ```

### Viewing the deletion status


You can check the status of a delete operation by using the `describe-inventory-deletions` AWS CLI command. You can specify a deletion ID to view the status of a specific delete operation. Or, you can omit the deletion ID to view a list of all deletions run in the last 30 days.


1. Run the following command to view the status of a deletion operation. The system returned the deletion ID in the delete-inventory summary.

   ```
   aws ssm describe-inventory-deletions --deletion-id system_generated_deletion_ID
   ```

   The system returns the latest status. The delete operation might not be finished yet. The system returns information like the following.

   ```
   {"InventoryDeletions": 
     [
       {"DeletionId": "system_generated_deletion_ID", 
        "DeletionStartTime": 1521744844, 
        "DeletionSummary": 
         {"RemainingCount": 1, 
          "SummaryItems": 
           [
             {"Count": 1, 
              "RemainingCount": 1, 
              "Version": "1.0"}
           ], 
          "TotalCount": 1}, 
        "LastStatus": "InProgress", 
        "LastStatusMessage": "The Delete is in progress", 
        "LastStatusUpdateTime": 1521744844, 
        "TypeName": "Custom:custom_type_name"}
     ]
   }
   ```

   If the delete operation is successful, the `LastStatusMessage` states: Deletion is successful.

   ```
   {"InventoryDeletions": 
     [
       {"DeletionId": "system_generated_deletion_ID", 
        "DeletionStartTime": 1521744844, 
        "DeletionSummary": 
         {"RemainingCount": 0, 
          "SummaryItems": 
           [
             {"Count": 1, 
              "RemainingCount": 0, 
              "Version": "1.0"}
           ], 
          "TotalCount": 1}, 
        "LastStatus": "Complete", 
        "LastStatusMessage": "Deletion is successful", 
        "LastStatusUpdateTime": 1521745253, 
        "TypeName": "Custom:custom_type_name"}
     ]
   }
   ```

1. Run the following command to view a list of all deletions run in the last 30 days.

   ```
   aws ssm describe-inventory-deletions --max-results a number
   ```

   ```
   {"InventoryDeletions": 
     [
       {"DeletionId": "system_generated_deletion_ID", 
        "DeletionStartTime": 1521682552, 
        "DeletionSummary": 
         {"RemainingCount": 0, 
          "SummaryItems": 
           [
             {"Count": 1, 
              "RemainingCount": 0, 
              "Version": "1.0"}
           ], 
          "TotalCount": 1}, 
        "LastStatus": "Complete", 
        "LastStatusMessage": "Deletion is successful", 
        "LastStatusUpdateTime": 1521682852, 
        "TypeName": "Custom:custom_type_name"}, 
       {"DeletionId": "system_generated_deletion_ID", 
        "DeletionStartTime": 1521744844, 
        "DeletionSummary": 
         {"RemainingCount": 0, 
          "SummaryItems": 
           [
             {"Count": 1, 
              "RemainingCount": 0, 
              "Version": "1.0"}
           ], 
          "TotalCount": 1}, 
        "LastStatus": "Complete", 
        "LastStatusMessage": "Deletion is successful", 
        "LastStatusUpdateTime": 1521745253, 
        "TypeName": "Custom:custom_type_name"}, 
       {"DeletionId": "system_generated_deletion_ID", 
        "DeletionStartTime": 1521680145, 
        "DeletionSummary": 
         {"RemainingCount": 0, 
          "SummaryItems": 
           [
             {"Count": 1, 
              "RemainingCount": 0, 
              "Version": "1.0"}
           ], 
          "TotalCount": 1}, 
        "LastStatus": "Complete", 
        "LastStatusMessage": "Deletion is successful", 
        "LastStatusUpdateTime": 1521680471, 
        "TypeName": "Custom:custom_type_name"}
     ], 
    "NextToken": "next-token"
   }
   ```

### Understanding the delete inventory summary


To help you understand the contents of the delete inventory summary, consider the following example. A user assigned Custom:RackSpace inventory to three nodes. Inventory items 1 and 2 use custom type version 1.0 ("SchemaVersion":"1.0"). Inventory item 3 uses custom type version 2.0 ("SchemaVersion":"2.0").

RackSpace custom inventory 1

```
{
   "CaptureTime":"2018-02-19T10:48:55Z",
   "TypeName":"CustomType:RackSpace",
   "InstanceId":"i-1234567890",
   "SchemaVersion":"1.0",
   "Content":[
      {
         content of custom type omitted
      }
   ]
}
```

RackSpace custom inventory 2

```
{
   "CaptureTime":"2018-02-19T10:48:55Z",
   "TypeName":"CustomType:RackSpace",
   "InstanceId":"i-1234567891",
   "SchemaVersion":"1.0",
   "Content":[
      {
         content of custom type omitted
      }
   ]
}
```

RackSpace custom inventory 3

```
{
   "CaptureTime":"2018-02-19T10:48:55Z",
   "TypeName":"CustomType:RackSpace",
   "InstanceId":"i-1234567892",
   "SchemaVersion":"2.0",
   "Content":[
      {
         content of custom type omitted
      }
   ]
}
```

The user runs the following command to preview which data will be deleted.

```
aws ssm delete-inventory --type-name "Custom:RackSpace" --dry-run
```

The system returns information like the following.

```
{
   "DeletionId":"1111-2222-333-444-66666",
   "DeletionSummary":{
      "RemainingCount":3,
      "TotalCount":3,              TotalCount and RemainingCount are the number of items that would be deleted if this was not a dry run. These numbers are the same because the system didn't delete anything.
      "SummaryItems":[
         {
            "Count":2,             The system found two items that use SchemaVersion 1.0. Neither item was deleted.
            "RemainingCount":2,
            "Version":"1.0"
         },
         {
            "Count":1,             The system found one item that uses SchemaVersion 2.0. This item was not deleted.
            "RemainingCount":1,
            "Version":"2.0"
         }
      ]
   },
   "TypeName":"Custom:RackSpace"
}
```

The user runs the following command to delete the Custom:RackSpace inventory. 

**Note**  
The output of this command doesn't show the deletion progress. For this reason, `TotalCount` and `RemainingCount` are always the same because the system hasn't deleted anything yet. You can use the `describe-inventory-deletions` command to show the deletion progress.

```
aws ssm delete-inventory --type-name "Custom:RackSpace"
```

The system returns information like the following.

```
{
   "DeletionId":"1111-2222-333-444-7777777",
   "DeletionSummary":{
      "RemainingCount":3,           There are three items to delete
      "SummaryItems":[
         {
            "Count":2,              The system found two items that use SchemaVersion 1.0.
            "RemainingCount":2,     
            "Version":"1.0"
         },
         {
            "Count":1,              The system found one item that uses SchemaVersion 2.0.
            "RemainingCount":1,     
            "Version":"2.0"
         }
      ],
      "TotalCount":3                
   },
   "TypeName":"Custom:RackSpace"
}
```
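
The status output in "Viewing the deletion status" and the summary walked through in this section share the same `DeletionSummary` shape, so one helper can read both. The following Python sketch is an added example, not AWS code: `deletion_progress`, `wait_for_deletion`, and the sample data are assumptions made for illustration, and `describe` stands for any callable with the keyword interface of boto3's `describe_inventory_deletions`.

```python
import time

# Constructed sample, modeled on the Custom:RackSpace delete-inventory output above.
DELETE_INVENTORY_OUTPUT = {
    "DeletionId": "constructed-deletion-id",
    "TypeName": "Custom:RackSpace",
    "DeletionSummary": {
        "TotalCount": 3,
        "RemainingCount": 3,
        "SummaryItems": [
            {"Version": "1.0", "Count": 2, "RemainingCount": 2},
            {"Version": "2.0", "Count": 1, "RemainingCount": 1},
        ],
    },
}


def make_status_page(status, remaining):
    """Build a constructed describe-inventory-deletions response with one item."""
    return {"InventoryDeletions": [{
        "DeletionId": "constructed-deletion-id",
        "TypeName": "Custom:custom_type_name",
        "LastStatus": status,
        "DeletionSummary": {
            "TotalCount": 1,
            "RemainingCount": remaining,
            "SummaryItems": [{"Version": "1.0", "Count": 1, "RemainingCount": remaining}],
        },
    }]}


def deletion_progress(record):
    """Summarize a delete-inventory response or one InventoryDeletions entry."""
    summary = record.get("DeletionSummary", {})
    items = summary.get("SummaryItems", [])
    total = summary.get("TotalCount", 0)
    remaining = summary.get("RemainingCount", 0)
    return {
        "deletion_id": record.get("DeletionId"),
        "type_name": record.get("TypeName"),
        "status": record.get("LastStatus"),  # None for delete-inventory output
        "total": total,
        "remaining": remaining,
        "deleted": total - remaining,
        "per_version": {
            item["Version"]: {
                "deleted": item["Count"] - item["RemainingCount"],
                "remaining": item["RemainingCount"],
            }
            for item in items
        },
        # Per-version counts should add up to the top-level totals.
        "consistent": (
            sum(item["Count"] for item in items) == total
            and sum(item["RemainingCount"] for item in items) == remaining
        ),
    }


def wait_for_deletion(describe, deletion_id, poll_seconds=15, max_polls=40, sleep=time.sleep):
    """Poll until LastStatus is Complete and return the final progress dict.

    With boto3 installed, pass
        describe = boto3.client("ssm").describe_inventory_deletions
    """
    for attempt in range(max_polls):
        records = describe(DeletionId=deletion_id).get("InventoryDeletions", [])
        if not records:
            raise LookupError(f"no deletion found for {deletion_id!r}")
        progress = deletion_progress(records[0])
        if progress["status"] == "Complete":
            return progress
        if attempt + 1 < max_polls:
            sleep(poll_seconds)
    raise TimeoutError(f"deletion {deletion_id!r} still in progress after {max_polls} polls")
```

Because `delete-inventory` never reports progress, `deleted` is always 0 for its output; only the polled status shows the counts moving.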

### Viewing inventory delete actions in EventBridge


You can configure Amazon EventBridge to create an event anytime a user deletes custom inventory. EventBridge offers three types of events for custom inventory delete operations:
+ **Delete action for an instance**: Whether the custom inventory for a specific managed node was successfully deleted.
+ **Delete action summary**: A summary of the delete action.
+ **Warning for turned off custom inventory type**: A warning event if a user called the [PutInventory](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_PutInventory.html) API operation for a custom inventory type version that was previously turned off.

Here are examples of each event.

**Delete action for an instance**

```
{
   "version":"0",
   "id":"998c9cde-56c0-b38b-707f-0411b3ff9d11",
   "detail-type":"Inventory Resource State Change",
   "source":"aws.ssm",
   "account":"478678815555",
   "time":"2018-05-24T22:24:34Z",
   "region":"us-east-1",
   "resources":[
      "arn:aws:ssm:us-east-1:478678815555:managed-instance/i-0a5feb270fc3f0b97"
   ],
   "detail":{
      "action-status":"succeeded",
      "action":"delete",
      "resource-type":"managed-instance",
      "resource-id":"i-0a5feb270fc3f0b97",
      "action-reason":"",
      "type-name":"Custom:MyInfo"
   }
}
```

**Delete action summary**

```
{
   "version":"0",
   "id":"83898300-f576-5181-7a67-fb3e45e4fad4",
   "detail-type":"Inventory Resource State Change",
   "source":"aws.ssm",
   "account":"478678815555",
   "time":"2018-05-24T22:28:25Z",
   "region":"us-east-1",
   "resources":[

   ],
   "detail":{
      "action-status":"succeeded",
      "action":"delete-summary",
      "resource-type":"managed-instance",
      "resource-id":"",
      "action-reason":"The delete for type name Custom:MyInfo was completed. The deletion summary is: {\"totalCount\":2,\"remainingCount\":0,\"summaryItems\":[{\"version\":\"1.0\",\"count\":2,\"remainingCount\":0}]}",
      "type-name":"Custom:MyInfo"
   }
}
```

**Warning for turned off custom inventory type**

```
{
   "version":"0",
   "id":"49c1855c-9c57-b5d7-8518-b64aeeef5e4a",
   "detail-type":"Inventory Resource State Change",
   "source":"aws.ssm",
   "account":"478678815555",
   "time":"2018-05-24T22:46:58Z",
   "region":"us-east-1",
   "resources":[
      "arn:aws:ssm:us-east-1:478678815555:managed-instance/i-0ee2d86a2cfc371f6"
   ],
   "detail":{
      "action-status":"failed",
      "action":"put",
      "resource-type":"managed-instance",
      "resource-id":"i-0ee2d86a2cfc371f6",
      "action-reason":"The inventory item with type name Custom:MyInfo was sent with a disabled schema version 1.0. You must send a version greater than 1.0",
      "type-name":"Custom:MyInfo"
   }
}
```

Use the following procedure to create an EventBridge rule for custom inventory delete operations. This procedure shows you how to create a rule that sends notifications for custom inventory delete operations to an Amazon SNS topic. Before you begin, verify that you have an Amazon SNS topic, or create a new one. For more information, see [Getting Started](https://docs.aws.amazon.com/sns/latest/dg/GettingStarted.html) in the *Amazon Simple Notification Service Developer Guide*.

**To configure EventBridge for delete inventory operations**

1. Open the Amazon EventBridge console at [https://console.aws.amazon.com/events/](https://console.aws.amazon.com/events/).

1. In the navigation pane, choose **Rules**.

1. Choose **Create rule**.

1. Enter a name and description for the rule.

   A rule can't have the same name as another rule in the same Region and on the same event bus.

1. For **Event bus**, choose the event bus that you want to associate with this rule. If you want this rule to respond to matching events that come from your own AWS account, select **default**. When an AWS service in your account emits an event, it always goes to your account’s default event bus.

1. For **Rule type**, choose **Rule with an event pattern**.

1. Choose **Next**.

1. For **Event source**, choose **AWS events or EventBridge partner events**.

1. In the **Event pattern** section, choose **Event pattern form**.

1. For **Event source**, choose **AWS services**.

1. For **AWS service**, choose **Systems Manager**.

1. For **Event type**, choose **Inventory**.

1. For **Specific detail type(s)**, choose **Inventory Resource State Change**.

1. Choose **Next**.

1. For **Target types**, choose **AWS service**.

1. For **Select a target**, choose **SNS topic**, and then for **Topic**, choose your topic.

1. In the **Additional settings** section, for **Configure target input**, verify that **Matched event** is selected.

1. Choose **Next**.

1. (Optional) Enter one or more tags for the rule. For more information, see [Tagging Your Amazon EventBridge Resources](https://docs.aws.amazon.com/eventbridge/latest/userguide/eventbridge-tagging.html) in the *Amazon EventBridge User Guide*.

1. Choose **Next**.

1. Review the details of the rule and choose **Create rule**.
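
All three event kinds share the `Inventory Resource State Change` detail type, so a subscriber to the SNS topic has to tell them apart by `detail.action`, and the delete summary counts arrive as JSON embedded in the `action-reason` string. The following Python sketch is an added example, not AWS code; the function names and the `kind` labels are assumptions, and the sample events are trimmed copies of the ones shown above.

```python
import json

DETAIL_TYPE = "Inventory Resource State Change"
SUMMARY_MARKER = "The deletion summary is: "


def parse_deletion_summary(action_reason):
    """Return the JSON summary embedded in a delete-summary action-reason, or None."""
    _, marker, tail = action_reason.partition(SUMMARY_MARKER)
    if not marker:
        return None
    try:
        # raw_decode stops at the end of the JSON object and ignores trailing text.
        summary, _ = json.JSONDecoder().raw_decode(tail.lstrip())
    except json.JSONDecodeError:
        return None
    return summary if isinstance(summary, dict) else None


def classify_inventory_event(event):
    """Describe one event as a dict, or return None if it is not an inventory event."""
    if event.get("source") != "aws.ssm" or event.get("detail-type") != DETAIL_TYPE:
        return None
    detail = event.get("detail") or {}
    action = detail.get("action")
    status = detail.get("action-status")
    finding = {
        "time": event.get("time"),
        "account": event.get("account"),
        "region": event.get("region"),
        "type_name": detail.get("type-name"),
        "node": detail.get("resource-id") or None,
        "status": status,
    }
    if action == "delete":
        finding["kind"] = "node-delete"
        finding["alert"] = status != "succeeded"
    elif action == "delete-summary":
        summary = parse_deletion_summary(detail.get("action-reason", ""))
        finding["kind"] = "delete-summary"
        finding["summary"] = summary
        # Alert when the summary is unreadable or items were left behind.
        finding["alert"] = (
            status != "succeeded"
            or summary is None
            or summary.get("remainingCount", 0) > 0
        )
    elif action == "put" and status == "failed":
        finding["kind"] = "put-failed"  # the turned-off schema version warning
        finding["reason"] = detail.get("action-reason")
        finding["alert"] = True
    else:
        finding["kind"] = "other"
        finding["alert"] = False
    return finding


def alerts(events):
    """Keep only the findings that need attention."""
    findings = (classify_inventory_event(e) for e in events)
    return [f for f in findings if f and f["alert"]]


# Trimmed copies of the three example events shown above.
ENVELOPE = {"source": "aws.ssm", "detail-type": DETAIL_TYPE,
            "account": "478678815555", "region": "us-east-1"}
SAMPLE_EVENTS = [
    {**ENVELOPE, "time": "2018-05-24T22:24:34Z",
     "detail": {"action-status": "succeeded", "action": "delete",
                "resource-id": "i-0a5feb270fc3f0b97", "action-reason": "",
                "type-name": "Custom:MyInfo"}},
    {**ENVELOPE, "time": "2018-05-24T22:28:25Z",
     "detail": {"action-status": "succeeded", "action": "delete-summary",
                "resource-id": "", "type-name": "Custom:MyInfo",
                "action-reason": 'The delete for type name Custom:MyInfo was completed. '
                                 'The deletion summary is: {"totalCount":2,"remainingCount":0,'
                                 '"summaryItems":[{"version":"1.0","count":2,"remainingCount":0}]}'}},
    {**ENVELOPE, "time": "2018-05-24T22:46:58Z",
     "detail": {"action-status": "failed", "action": "put",
                "resource-id": "i-0ee2d86a2cfc371f6", "type-name": "Custom:MyInfo",
                "action-reason": "The inventory item with type name Custom:MyInfo was sent with "
                                 "a disabled schema version 1.0. You must send a version greater than 1.0"}},
]
```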

# Viewing inventory history and change tracking


You can view AWS Systems Manager Inventory history and change tracking for all of your managed nodes by using [AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/). AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time. To view inventory history and change tracking, you must turn on the following resources in AWS Config: 
+ SSM:ManagedInstanceInventory
+ SSM:PatchCompliance
+ SSM:AssociationCompliance
+ SSM:FileData

**Note**  
Note the following important details about Inventory history and change tracking:  
+ If you use AWS Config to track changes in your system, you must configure Systems Manager Inventory to collect `AWS:File` metadata so that you can view file changes in AWS Config (`SSM:FileData`). If you don't, then AWS Config doesn't track file changes on your system.
+ By turning on `SSM:PatchCompliance` and `SSM:AssociationCompliance`, you can view Systems Manager Patch Manager patching and Systems Manager State Manager association compliance history and change tracking. For more information about compliance management for these resources, see [Learn details about Compliance](compliance-about.md).

The following procedure describes how to turn on inventory history and change-track recording in AWS Config by using the AWS Command Line Interface (AWS CLI). For more information about how to choose and configure these resources in AWS Config, see [Selecting Which Resources AWS Config Records](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html) in the *AWS Config Developer Guide*. For information about AWS Config pricing, see [Pricing](https://aws.amazon.com/config/pricing/).

**Before you begin**

AWS Config requires AWS Identity and Access Management (IAM) permissions to get configuration details about Systems Manager resources. In the following procedure, you must specify an Amazon Resource Name (ARN) for an IAM role that gives AWS Config permission to Systems Manager resources. You can attach the `AWS_ConfigRole` managed policy to the IAM role that you assign to AWS Config. For more information about this role, see [AWS managed policy: AWS_ConfigRole](https://docs.aws.amazon.com/config/latest/developerguide/security-iam-awsmanpol.html#security-iam-awsmanpol-AWS_ConfigRole) in the *AWS Config Developer Guide*. For information about how to create an IAM role and assign the `AWS_ConfigRole` managed policy to that role, see [Creating a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *IAM User Guide*.

**To turn on inventory history and change-track recording in AWS Config**

1. Install and configure the AWS Command Line Interface (AWS CLI), if you haven't already.

   For information, see [Installing or updating the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).

1. Copy and paste the following JSON sample into a simple text file and save it as recordingGroup.json.

   ```
   {
      "allSupported":false,
      "includeGlobalResourceTypes":false,
      "resourceTypes":[
         "AWS::SSM::AssociationCompliance",
         "AWS::SSM::PatchCompliance",
         "AWS::SSM::ManagedInstanceInventory",
         "AWS::SSM::FileData"
      ]
   }
   ```

1. Run the following command to load the recordingGroup.json file into AWS Config.

   ```
   aws configservice put-configuration-recorder --configuration-recorder name=myRecorder,roleARN=arn:aws:iam::123456789012:role/myConfigRole --recording-group file://recordingGroup.json
   ```

1. Run the following command to start recording inventory history and change tracking.

   ```
   aws configservice start-configuration-recorder --configuration-recorder-name myRecorder
   ```

After you configure history and change tracking, you can drill down into the history for a specific managed node by choosing the **AWS Config** button in the Systems Manager console. You can access the **AWS Config** button from either the **Managed Instances** page or the **Inventory** page. Depending on your monitor size, you might need to scroll to the right side of the page to see the button.

# Stopping data collection and deleting inventory data


If you no longer want to use AWS Systems Manager Inventory to view metadata about your AWS resources, you can stop data collection and delete data that has already been collected. This section includes the following information.

**Topics**
+ [Stopping data collection](#systems-manager-inventory-delete-association)
+ [Deleting an Inventory resource data sync](#systems-manager-inventory-delete-RDS)

## Stopping data collection


When you initially configure Systems Manager to collect inventory data, the system creates a State Manager association that defines the schedule and the resources from which to collect metadata. You can stop data collection by deleting any State Manager associations that use the `AWS-GatherSoftwareInventory` document.

**To delete an Inventory association**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **State Manager**.

1. Choose an association that uses the `AWS-GatherSoftwareInventory` document and then choose **Delete**.

1. Repeat step three for any remaining associations that use the `AWS-GatherSoftwareInventory` document.

## Deleting an Inventory resource data sync


If you no longer want to use AWS Systems Manager Inventory to view metadata about your AWS resources, then we also recommend deleting resource data syncs used for inventory data collection.

**To delete an Inventory resource data sync**

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, choose **Inventory**.

1. Choose **Resource Data Syncs**.

1. Choose a sync in the list.

   **Important**  
   Make sure you choose the sync used for Inventory. Systems Manager supports resource data sync for multiple tools. If you choose the wrong sync, you could disrupt data aggregation for Systems Manager Explorer or Systems Manager Compliance.

1. Choose **Delete**.

1. Repeat these steps for any remaining resource data syncs you want to delete.

1. Delete the Amazon Simple Storage Service (Amazon S3) bucket where the data was stored. For information about deleting an Amazon S3 bucket, see [Deleting a bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/delete-bucket.html).

# Assigning custom inventory metadata to a managed node


The following procedure walks you through the process of using the AWS Systems Manager [PutInventory](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_PutInventory.html) API operation to assign custom inventory metadata to a managed node. This example assigns rack location information to a node. For more information about custom inventory, see [Working with custom inventory](inventory-custom.md).

**To assign custom inventory metadata to a node**

1. Install and configure the AWS Command Line Interface (AWS CLI), if you haven't already.

   For information, see [Installing or updating the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).

1. Run the following command to assign rack location information to a node.

   **Linux**

   ```
   aws ssm put-inventory --instance-id "ID" --items '[{"CaptureTime": "2016-08-22T10:01:01Z", "TypeName": "Custom:RackInfo", "Content":[{"RackLocation": "Bay B/Row C/Rack D/Shelf E"}], "SchemaVersion": "1.0"}]'
   ```

   **Windows**

   ```
   aws ssm put-inventory --instance-id "ID" --items "TypeName=Custom:RackInfo,SchemaVersion=1.0,CaptureTime=2021-05-22T10:01:01Z,Content=[{RackLocation='Bay B/Row C/Rack D/Shelf F'}]"
   ```

1. Run the following command to view custom inventory entries for this node.

   ```
   aws ssm list-inventory-entries --instance-id ID --type-name "Custom:RackInfo"
   ```

   The system responds with information like the following.

   ```
   {
       "InstanceId": "ID", 
       "TypeName": "Custom:RackInfo", 
       "Entries": [
           {
               "RackLocation": "Bay B/Row C/Rack D/Shelf E"
           }
       ], 
       "SchemaVersion": "1.0", 
       "CaptureTime": "2016-08-22T10:01:01Z"
   }
   ```

1. Run the following command to view the custom inventory schema.

   ```
   aws ssm get-inventory-schema --type-name Custom:RackInfo
   ```

   The system responds with information like the following.

   ```
   {
       "Schemas": [
           {
               "TypeName": "Custom:RackInfo",
               "Version": "1.0",
               "Attributes": [
                   {
                       "DataType": "STRING",
                       "Name": "RackLocation"
                   }
               ]
           }
       ]
   }
   ```

# Using the AWS CLI to configure inventory data collection


The following procedures walk you through the process of configuring AWS Systems Manager Inventory to collect metadata from your managed nodes. When you configure inventory collection, you start by creating a Systems Manager State Manager association. Systems Manager collects the inventory data when the association is run. If you don't create the association first, and attempt to invoke the `aws:softwareInventory` plugin by using, for example, Systems Manager Run Command, the system returns the following error:

`The aws:softwareInventory plugin can only be invoked via ssm-associate`.

**Note**  
A node can have only one inventory association configured at a time. If you configure a node with two or more inventory associations, the association doesn't run and no inventory data is collected.

## Quickly configure all of your managed nodes for Inventory (CLI)


You can quickly configure all managed nodes in your AWS account and in the current Region to collect inventory data. This is called creating a global inventory association. To create a global inventory association by using the AWS CLI, use the wildcard option for the `instanceIds` value, as shown in the following procedure.

**To configure inventory for all managed nodes in your AWS account and in the current Region (CLI)**

1. Install and configure the AWS Command Line Interface (AWS CLI), if you haven't already.

   For information, see [Installing or updating the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).

1. Run the following command.

------
#### [ Linux & macOS ]

   ```
   aws ssm create-association \
   --name AWS-GatherSoftwareInventory \
   --targets Key=InstanceIds,Values=* \
   --schedule-expression "rate(1 day)" \
   --parameters applications=Enabled,awsComponents=Enabled,customInventory=Enabled,instanceDetailedInformation=Enabled,networkConfig=Enabled,services=Enabled,windowsRoles=Enabled,windowsUpdates=Enabled
   ```

------
#### [ Windows ]

   ```
   aws ssm create-association ^
   --name AWS-GatherSoftwareInventory ^
   --targets Key=InstanceIds,Values=* ^
   --schedule-expression "rate(1 day)" ^
   --parameters applications=Enabled,awsComponents=Enabled,customInventory=Enabled,instanceDetailedInformation=Enabled,networkConfig=Enabled,services=Enabled,windowsRoles=Enabled,windowsUpdates=Enabled
   ```

------

**Note**  
This command doesn't allow Inventory to collect metadata for the Windows Registry or files. To inventory these data types, use the next procedure.

## Manually configuring Inventory on your managed nodes (CLI)


Use the following procedure to manually configure AWS Systems Manager Inventory on your managed nodes by using node IDs or tags.

**To manually configure your managed nodes for inventory (CLI)**

1. Install and configure the AWS Command Line Interface (AWS CLI), if you haven't already.

   For information, see [Installing or updating the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).

1. Run the following command to create a State Manager association that runs Systems Manager Inventory on the node. Replace each *example resource placeholder* with your own information. This command configures the service to run every six hours and to collect network configuration, Windows Update, and application metadata from a node.

------
#### [ Linux & macOS ]

   ```
   aws ssm create-association \
   --name "AWS-GatherSoftwareInventory" \
   --targets "Key=instanceids,Values=an_instance_ID" \
   --schedule-expression "rate(240 minutes)" \
   --output-location "{ \"S3Location\": { \"OutputS3Region\": \"region_ID, for example us-east-2\", \"OutputS3BucketName\": \"amzn-s3-demo-bucket\", \"OutputS3KeyPrefix\": \"Test\" } }" \
   --parameters "networkConfig=Enabled,windowsUpdates=Enabled,applications=Enabled"
   ```

------
#### [ Windows ]

   ```
   aws ssm create-association ^
   --name "AWS-GatherSoftwareInventory" ^
   --targets "Key=instanceids,Values=an_instance_ID" ^
   --schedule-expression "rate(240 minutes)" ^
   --output-location "{ \"S3Location\": { \"OutputS3Region\": \"region_ID, for example us-east-2\", \"OutputS3BucketName\": \"amzn-s3-demo-bucket\", \"OutputS3KeyPrefix\": \"Test\" } }" ^
   --parameters "networkConfig=Enabled,windowsUpdates=Enabled,applications=Enabled"
   ```

------

   The system responds with information like the following.

   ```
   {
       "AssociationDescription": {
           "ScheduleExpression": "rate(240 minutes)",
           "OutputLocation": {
               "S3Location": {
                   "OutputS3KeyPrefix": "Test",
                   "OutputS3BucketName": "Test bucket",
                   "OutputS3Region": "us-east-2"
               }
           },
           "Name": "The name you specified",
           "Parameters": {
               "applications": [
                   "Enabled"
               ],
               "networkConfig": [
                   "Enabled"
               ],
               "windowsUpdates": [
                   "Enabled"
               ]
           },
           "Overview": {
               "Status": "Pending",
               "DetailedStatus": "Creating"
           },
           "AssociationId": "1a2b3c4d5e6f7g-1a2b3c-1a2b3c-1a2b3c-1a2b3c4d5e6f7g",
           "DocumentVersion": "$DEFAULT",
           "LastUpdateAssociationDate": 1480544990.06,
           "Date": 1480544990.06,
           "Targets": [
               {
                   "Values": [
                      "i-02573cafcfEXAMPLE"
                   ],
                   "Key": "InstanceIds"
               }
           ]
       }
   }
   ```

   You can target large groups of nodes by using the `Targets` parameter with EC2 tags. See the following example.

------
#### [ Linux & macOS ]

   ```
   aws ssm create-association \
   --name "AWS-GatherSoftwareInventory" \
   --targets "Key=tag:Environment,Values=Production" \
   --schedule-expression "rate(240 minutes)" \
   --output-location "{ \"S3Location\": { \"OutputS3Region\": \"us-east-2\", \"OutputS3BucketName\": \"amzn-s3-demo-bucket\", \"OutputS3KeyPrefix\": \"Test\" } }" \
   --parameters "networkConfig=Enabled,windowsUpdates=Enabled,applications=Enabled"
   ```

------
#### [ Windows ]

   ```
   aws ssm create-association ^
   --name "AWS-GatherSoftwareInventory" ^
   --targets "Key=tag:Environment,Values=Production" ^
   --schedule-expression "rate(240 minutes)" ^
   --output-location "{ \"S3Location\": { \"OutputS3Region\": \"us-east-2\", \"OutputS3BucketName\": \"amzn-s3-demo-bucket\", \"OutputS3KeyPrefix\": \"Test\" } }" ^
   --parameters "networkConfig=Enabled,windowsUpdates=Enabled,applications=Enabled"
   ```

------

   You can also inventory files and Windows Registry keys on a Windows Server node by using the `files` and `windowsRegistry` inventory types with expressions. For more information about these inventory types, see [Working with file and Windows registry inventory](inventory-file-and-registry.md).

------
#### [ Linux & macOS ]

   ```
   aws ssm create-association \
   --name "AWS-GatherSoftwareInventory" \
   --targets "Key=instanceids,Values=i-0704358e3a3da9eb1" \
   --schedule-expression "rate(240 minutes)" \
   --parameters '{"files":["[{\"Path\": \"C:\\Program Files\", \"Pattern\": [\"*.exe\"], \"Recursive\": true}]"], "windowsRegistry": ["[{\"Path\":\"HKEY_LOCAL_MACHINE\\Software\\Amazon\", \"Recursive\":true}]"]}' \
   --profile dev-pdx
   ```

------
#### [ Windows ]

   ```
   aws ssm create-association ^
   --name "AWS-GatherSoftwareInventory" ^
   --targets "Key=instanceids,Values=i-0704358e3a3da9eb1" ^
   --schedule-expression "rate(240 minutes)" ^
   --parameters '{"files":["[{\"Path\": \"C:\\Program Files\", \"Pattern\": [\"*.exe\"], \"Recursive\": true}]"], "windowsRegistry": ["[{\"Path\":\"HKEY_LOCAL_MACHINE\\Software\\Amazon\", \"Recursive\":true}]"]}' ^
   --profile dev-pdx
   ```

------

1. Run the following command to view the association status.

   ```
   aws ssm describe-instance-associations-status --instance-id an_instance_ID
   ```

   The system responds with information like the following.

   ```
   {
       "InstanceAssociationStatusInfos": [
           {
               "Status": "Pending",
               "DetailedStatus": "Associated",
               "Name": "reInvent2016PolicyDocumentTest",
               "InstanceId": "i-1a2b3c4d5e6f7g",
               "AssociationId": "1a2b3c4d5e6f7g-1a2b3c-1a2b3c-1a2b3c-1a2b3c4d5e6f7g",
               "DocumentVersion": "1"
           }
       ]
   }
   ```
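
Because a node with two or more inventory associations collects nothing, it helps to check for overlap before creating another association. The following Python sketch is an added example, not AWS code: it takes the `Associations` list returned by `aws ssm list-associations`, and the function name and sample data are assumptions made for illustration. It resolves only `InstanceIds` targets; associations targeted by tag are reported separately because resolving them requires each node's tags.

```python
INVENTORY_DOCUMENT = "AWS-GatherSoftwareInventory"


def inventory_association_conflicts(associations):
    """Find nodes targeted by more than one inventory association.

    Returns (conflicts, unresolved):
      conflicts  maps a node ID, or "*" for every node, to the sorted IDs of
                 the inventory associations competing for it.
      unresolved lists (association ID, target key) pairs for associations
                 targeted by tag or another key that cannot be resolved here.
    """
    by_node = {}
    unresolved = []
    for assoc in associations:
        if assoc.get("Name") != INVENTORY_DOCUMENT:
            continue
        assoc_id = assoc["AssociationId"]
        node_ids = set()
        for target in assoc.get("Targets", []):
            # The CLI accepts "instanceids" and reports "InstanceIds".
            if target["Key"].lower() == "instanceids":
                node_ids.update(target["Values"])
            else:
                unresolved.append((assoc_id, target["Key"]))
        for node_id in node_ids:
            by_node.setdefault(node_id, []).append(assoc_id)

    # A wildcard (global) association covers every node, so it competes with
    # any association that names a node explicitly.
    global_ids = by_node.get("*", [])
    conflicts = {}
    for node_id, ids in by_node.items():
        competing = ids if node_id == "*" else ids + global_ids
        if len(set(competing)) > 1:
            conflicts[node_id] = sorted(set(competing))
    return conflicts, unresolved


# Constructed sample in the shape of the Associations list; IDs are made up.
SAMPLE_ASSOCIATIONS = [
    {"Name": "AWS-GatherSoftwareInventory", "AssociationId": "constructed-global",
     "Targets": [{"Key": "InstanceIds", "Values": ["*"]}]},
    {"Name": "AWS-GatherSoftwareInventory", "AssociationId": "constructed-single",
     "Targets": [{"Key": "instanceids", "Values": ["i-02573cafcfEXAMPLE"]}]},
    {"Name": "AWS-GatherSoftwareInventory", "AssociationId": "constructed-tagged",
     "Targets": [{"Key": "tag:Environment", "Values": ["Production"]}]},
    {"Name": "AWS-RunPatchBaseline", "AssociationId": "constructed-patch",
     "Targets": [{"Key": "InstanceIds", "Values": ["i-02573cafcfEXAMPLE"]}]},
]
```

When a global association exists, every entry in `unresolved` also overlaps with it on any node its tags match.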

# Walkthrough: Using resource data sync to aggregate inventory data


The following walkthrough describes how to create a resource data sync configuration for AWS Systems Manager Inventory by using the AWS Command Line Interface (AWS CLI). A resource data sync automatically ports inventory data from all of your managed nodes to a central Amazon Simple Storage Service (Amazon S3) bucket. The sync automatically updates the data in the central Amazon S3 bucket whenever new inventory data is discovered. 

This walkthrough also describes how to use Amazon Athena and Amazon Quick to query and analyze the aggregated data. For information about creating a resource data sync by using Systems Manager in the AWS Management Console, see [Walkthrough: Using resource data sync to aggregate inventory data](#inventory-resource-data-sync). For information about querying inventory from multiple AWS Regions and accounts by using Systems Manager in the AWS Management Console, see [Querying inventory data from multiple Regions and accounts](systems-manager-inventory-query.md).

**Note**  
This walkthrough includes information about how to encrypt the sync by using AWS Key Management Service (AWS KMS). Inventory doesn't collect any user-specific, proprietary, or sensitive data so encryption is optional. For more information about AWS KMS, see [AWS Key Management Service Developer Guide](https://docs.aws.amazon.com/kms/latest/developerguide/).

**Before you begin**  
Review or complete the following tasks before you begin the walkthrough in this section:
+ Collect inventory data from your managed nodes. For the purpose of the Amazon Athena and Amazon Quick sections in this walkthrough, we recommend that you collect Application data. For more information about how to collect inventory data, see [Configuring inventory collection](inventory-collection.md) or [Using the AWS CLI to configure inventory data collection](inventory-collection-cli.md).
+ (Optional) If the inventory data is stored in an Amazon Simple Storage Service (Amazon S3) bucket that uses AWS Key Management Service (AWS KMS) encryption, you must also configure your IAM account and the `Amazon-GlueServiceRoleForSSM` service role for AWS KMS encryption. If you don't configure your IAM account and this role, Systems Manager displays `Cannot load Glue tables` when you choose the **Detailed View** tab in the console. For more information, see [(Optional) Configure permissions for viewing AWS KMS encrypted data](systems-manager-inventory-query.md#systems-manager-inventory-query-kms).
+ (Optional) If you want to encrypt the resource data sync by using AWS KMS, then you must either create a new key that includes the following policy, or you must update an existing key and add this policy to it.

------
#### [ JSON ]

  ```
  {
      "Version":"2012-10-17",
      "Id": "ssm-access-policy",
      "Statement": [
          {
              "Sid": "ssm-access-policy-statement",
              "Action": [
                  "kms:GenerateDataKey"
              ],
              "Effect": "Allow",
              "Principal": {
                  "Service": "ssm.amazonaws.com"
              },
              "Resource": "arn:aws:kms:us-east-1:123456789012:key/KMS_key_id",
              "Condition": {
                  "StringLike": {
                      "aws:SourceAccount": "123456789012"
                  },
                  "ArnLike": {
                      "aws:SourceArn": "arn:aws:ssm:*:123456789012:resource-data-sync/*"
                  }
              }
          }
      ]
  }
  ```

------

**To create a resource data sync for Inventory**

1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. Create a bucket to store your aggregated inventory data. For more information, see [Creating a bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html) in the *Amazon Simple Storage Service User Guide*. Make a note of the bucket name and the AWS Region where you created it.

1. After you create the bucket, choose the **Permissions** tab, and then choose **Bucket Policy**.

1. Copy and paste the following bucket policy into the policy editor. Replace amzn-s3-demo-bucket and *account-id* with the name of the Amazon S3 bucket you created and a valid AWS account ID. When adding multiple accounts, add an additional condition string and ARN for each account. Remove the additional placeholders from the example when adding one account. Optionally, replace *bucket-prefix* with the name of an Amazon S3 prefix (subdirectory). If you didn't create a prefix, remove *bucket-prefix/* from the ARN in the policy.

------
#### [ JSON ]


   ```
   {
       "Version":"2012-10-17",
       "Statement": [
           {
               "Sid": "SSMBucketDelivery",
               "Effect": "Allow",
               "Principal": {
                   "Service": "ssm.amazonaws.com"
               },
               "Action": "s3:PutObject",
               "Resource": [
                   "arn:aws:s3:::amzn-s3-demo-bucket/bucket-prefix/*/accountid=111122223333/*"
               ],
               "Condition": {
                   "StringEquals": {
                       "s3:x-amz-acl": "bucket-owner-full-control",
                       "aws:SourceAccount": [
                           "111122223333",
                           "444455556666",
                           "123456789012",
                           "777788889999"
                       ]
                   },
                   "ArnLike": {
                       "aws:SourceArn": [
                           "arn:aws:ssm:*:111122223333:resource-data-sync/*",
                           "arn:aws:ssm:*:444455556666:resource-data-sync/*",
                           "arn:aws:ssm:*:123456789012:resource-data-sync/*",
                           "arn:aws:ssm:*:777788889999:resource-data-sync/*"
                       ]
                   }
               }
           }
       ]
   }
   ```

------

1. (Optional) If you want to encrypt the sync, then you must add the following conditions to the policy listed in the previous step. Add these in the `StringEquals` section.

   ```
   "s3:x-amz-server-side-encryption":"aws:kms",
   "s3:x-amz-server-side-encryption-aws-kms-key-id":"arn:aws:kms:region:account_ID:key/KMS_key_ID"
   ```

   Here is an example:

   ```
   "StringEquals": {
             "s3:x-amz-acl": "bucket-owner-full-control",
             "aws:SourceAccount": "account-id",
             "s3:x-amz-server-side-encryption":"aws:kms",
             "s3:x-amz-server-side-encryption-aws-kms-key-id":"arn:aws:kms:region:account_ID:key/KMS_key_ID"
           }
   ```

1. Install and configure the AWS Command Line Interface (AWS CLI), if you haven't already.

   For information, see [Installing or updating the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).

1. (Optional) If you want to encrypt the sync, run the following command to verify that the bucket policy is enforcing the AWS KMS key requirement. Replace each *example resource placeholder* with your own information.

------
#### [ Linux & macOS ]

   ```
   aws s3 cp ./A_file_in_the_bucket s3://amzn-s3-demo-bucket/prefix/ \
   --sse aws:kms \
   --sse-kms-key-id "arn:aws:kms:region:account_ID:key/KMS_key_id" \
   --region region, for example, us-east-2
   ```

------
#### [ Windows ]

   ```
   aws s3 cp ./A_file_in_the_bucket s3://amzn-s3-demo-bucket/prefix/ ^
       --sse aws:kms ^
       --sse-kms-key-id "arn:aws:kms:region:account_ID:key/KMS_key_id" ^
       --region region, for example, us-east-2
   ```

------

1. Run the following command to create a resource data sync configuration with the Amazon S3 bucket you created at the start of this procedure. This command creates a sync from the AWS Region you're logged into.
**Note**  
If the sync and the target Amazon S3 bucket are located in different regions, you might be subject to data transfer pricing. For more information, see [Amazon S3 Pricing](https://aws.amazon.com/s3/pricing/).

------
#### [ Linux & macOS ]

   ```
   aws ssm create-resource-data-sync \
   --sync-name a_name \
   --s3-destination "BucketName=amzn-s3-demo-bucket,Prefix=prefix_name, if_specified,SyncFormat=JsonSerDe,Region=bucket_region"
   ```

------
#### [ Windows ]

   ```
   aws ssm create-resource-data-sync ^
   --sync-name a_name ^
   --s3-destination "BucketName=amzn-s3-demo-bucket,Prefix=prefix_name, if_specified,SyncFormat=JsonSerDe,Region=bucket_region"
   ```

------

   You can use the `region` parameter to specify where the sync configuration should be created. In the following example, inventory data from the us-west-1 Region is synchronized to the Amazon S3 bucket in the us-west-2 Region.

------
#### [ Linux & macOS ]

   ```
   aws ssm create-resource-data-sync \
       --sync-name InventoryDataWest \
       --s3-destination "BucketName=amzn-s3-demo-bucket,Prefix=HybridEnv,SyncFormat=JsonSerDe,Region=us-west-2" \
       --region us-west-1
   ```

------
#### [ Windows ]

   ```
   aws ssm create-resource-data-sync ^
   --sync-name InventoryDataWest ^
   --s3-destination "BucketName=amzn-s3-demo-bucket,Prefix=HybridEnv,SyncFormat=JsonSerDe,Region=us-west-2" ^
   --region us-west-1
   ```

------

   (Optional) If you want to encrypt the sync by using AWS KMS, run the following command to create the sync. If you encrypt the sync, then the AWS KMS key and the Amazon S3 bucket must be in the same Region.

------
#### [ Linux & macOS ]

   ```
   aws ssm create-resource-data-sync \
   --sync-name sync_name \
   --s3-destination "BucketName=amzn-s3-demo-bucket,Prefix=prefix_name, if_specified,SyncFormat=JsonSerDe,AWSKMSKeyARN=arn:aws:kms:region:account_ID:key/KMS_key_ID,Region=bucket_region" \
   --region region
   ```

------
#### [ Windows ]

   ```
   aws ssm create-resource-data-sync ^
   --sync-name sync_name ^
   --s3-destination "BucketName=amzn-s3-demo-bucket,Prefix=prefix_name, if_specified,SyncFormat=JsonSerDe,AWSKMSKeyARN=arn:aws:kms:region:account_ID:key/KMS_key_ID,Region=bucket_region" ^
   --region region
   ```

------

1. Run the following command to view the status of the sync configuration.

   ```
   aws ssm list-resource-data-sync 
   ```

   If you created the sync configuration in a different Region, then you must specify the `region` parameter, as shown in the following example.

   ```
   aws ssm list-resource-data-sync --region us-west-1
   ```

1. After the sync configuration is created successfully, examine the target bucket in Amazon S3. Inventory data should be displayed within a few minutes.
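The bucket policy in this procedure depends on its condition block staying consistent as accounts and the optional AWS KMS conditions are added by hand. The following is an added example, not part of the original walkthrough or of any AWS tool: a small offline check that audits a policy document for the conditions described above. The function names and the sample policies are constructed for illustration, and the check assumes the conditions sit under `StringEquals` and `ArnLike` as they do on this page.

```python
import copy
import re

SSM = "ssm.amazonaws.com"
SSE = "s3:x-amz-server-side-encryption"
SSE_KEY_ID = "s3:x-amz-server-side-encryption-aws-kms-key-id"


def as_list(value):
    """Policy JSON allows a scalar or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def audit_sync_bucket_policy(policy):
    """Return findings for the statements that let Systems Manager write to the bucket."""
    findings, seen = [], 0
    for stmt in as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        services = as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or SSM not in services:
            continue
        seen += 1
        if set(as_list(stmt.get("Action"))) != {"s3:PutObject"}:
            findings.append("Action is not exactly s3:PutObject")
        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        if equals.get("s3:x-amz-acl") != "bucket-owner-full-control":
            findings.append("s3:x-amz-acl is not pinned to bucket-owner-full-control")
        # Each allowed account needs a matching resource-data-sync ARN, and vice versa.
        accounts = set(as_list(equals.get("aws:SourceAccount")))
        arn_accounts = set()
        for arn in as_list(cond.get("ArnLike", {}).get("aws:SourceArn")):
            parts = arn.split(":")
            if len(parts) == 6 and parts[2] == "ssm" and parts[5].startswith("resource-data-sync/"):
                arn_accounts.add(parts[4])
            else:
                findings.append(f"aws:SourceArn is not a resource data sync ARN: {arn}")
        if not accounts:
            findings.append("no aws:SourceAccount condition")
        for acct in sorted(accounts - arn_accounts):
            findings.append(f"{acct} is in aws:SourceAccount but has no aws:SourceArn")
        for acct in sorted(arn_accounts - accounts):
            findings.append(f"{acct} has an aws:SourceArn but is not in aws:SourceAccount")
        # Delivered object keys carry accountid=<id>; it must be an allowed account.
        for resource in as_list(stmt.get("Resource")):
            match = re.search(r"accountid=(\d{12})", resource)
            if match and match.group(1) not in accounts:
                findings.append(f"Resource names accountid={match.group(1)}, not in aws:SourceAccount")
        # Encryption is optional, but the two KMS conditions are added as a pair.
        if (SSE in equals) != (SSE_KEY_ID in equals):
            findings.append("only one of the two KMS conditions is present")
        elif SSE in equals and equals[SSE] != "aws:kms":
            findings.append(f"{SSE} is not aws:kms")
    return findings if seen else ["no Allow statement for ssm.amazonaws.com"]


GOOD = {  # Constructed sample: the page's bucket policy, trimmed to two accounts.
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": SSM},
        "Action": "s3:PutObject",
        "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket/bucket-prefix/*/accountid=111122223333/*"],
        "Condition": {
            "StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                             "aws:SourceAccount": ["111122223333", "444455556666"]},
            "ArnLike": {"aws:SourceArn": ["arn:aws:ssm:*:111122223333:resource-data-sync/*",
                                          "arn:aws:ssm:*:444455556666:resource-data-sync/*"]},
        },
    }],
}


def drifted_copy():
    """Constructed drift: an account and one KMS condition were added by hand."""
    bad = copy.deepcopy(GOOD)
    equals = bad["Statement"][0]["Condition"]["StringEquals"]
    equals["aws:SourceAccount"].append("777788889999")  # no matching aws:SourceArn
    equals[SSE] = "aws:kms"  # the key-id condition was forgotten
    return bad


if __name__ == "__main__":
    print("\n".join(audit_sync_bucket_policy(drifted_copy())))
```

To audit a live bucket, pass the parsed JSON document that the bucket policy editor shows to `audit_sync_bucket_policy`.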

**Working with the Data in Amazon Athena**

The following section describes how to view and query the data in Amazon Athena. Before you begin, we recommend that you learn about Athena. For more information, see [What is Amazon Athena?](https://docs.aws.amazon.com/athena/latest/ug/what-is.html) and [Working with Data](https://docs.aws.amazon.com/athena/latest/ug/work-with-data.html) in the *Amazon Athena User Guide*.

**To view and query the data in Amazon Athena**

1. Open the Athena console at [https://console.aws.amazon.com/athena/](https://console.aws.amazon.com/athena/home).

1. Copy and paste the following statement into the query editor and then choose **Run Query**.

   ```
   CREATE DATABASE ssminventory
   ```

   The system creates a database called ssminventory.

1. Copy and paste the following statement into the query editor and then choose **Run Query**. Replace amzn-s3-demo-bucket and *bucket_prefix* with the name and prefix of the Amazon S3 target.

   ```
   CREATE EXTERNAL TABLE IF NOT EXISTS ssminventory.AWS_Application (
   Name string,
   ResourceId string,
   ApplicationType string,
   Publisher string,
   Version string,
   InstalledTime string,
   Architecture string,
   URL string,
   Summary string,
   PackageId string
   ) 
   PARTITIONED BY (AccountId string, Region string, ResourceType string)
   ROW FORMAT SERDE 'org.openx.data.jsonserde.JsonSerDe'
   WITH SERDEPROPERTIES (
     'serialization.format' = '1'
   ) LOCATION 's3://amzn-s3-demo-bucket/bucket_prefix/AWS:Application/'
   ```

1. Copy and paste the following statement into the query editor and then choose **Run Query**.

   ```
   MSCK REPAIR TABLE ssminventory.AWS_Application
   ```

   The system partitions the table.
**Note**  
If you create resource data syncs from additional AWS Regions or AWS accounts, then you must run this command again to update the partitions. You might also need to update your Amazon S3 bucket policy.

1. To preview your data, choose the view icon next to the `AWS_Application` table.  
![\[The preview data icon in Amazon Athena.\]](http://docs.aws.amazon.com/systems-manager/latest/userguide/images/sysman-inventory-resource-data-sync-walk.png)

1. Copy and paste the following statement into the query editor and then choose **Run Query**.

   ```
   SELECT a.name, a.version, count( a.version) frequency 
   from aws_application a where
   a.name = 'aws-cfn-bootstrap'
   group by a.name, a.version
   order  by frequency desc
   ```

   The query returns a count of different versions of `aws-cfn-bootstrap`, which is an AWS application present on Amazon Elastic Compute Cloud (Amazon EC2) instances for Linux, macOS, and Windows Server.

1. Individually copy and paste the following statements into the query editor, replace amzn-s3-demo-bucket and *bucket-prefix* with information for Amazon S3, and then choose **Run Query**. These statements set up additional inventory tables in Athena.

   ```
   CREATE EXTERNAL TABLE IF NOT EXISTS ssminventory.AWS_AWSComponent (
    `ResourceId` string,
     `Name` string,
     `ApplicationType` string,
     `Publisher` string,
     `Version` string,
     `InstalledTime` string,
     `Architecture` string,
     `URL` string
   )
   PARTITIONED BY (AccountId string, Region string, ResourceType string)
   ROW FORMAT SERDE 'org.openx.data.jsonserde.JsonSerDe'
   WITH SERDEPROPERTIES (
     'serialization.format' = '1'
   ) LOCATION 's3://amzn-s3-demo-bucket/bucket-prefix/AWS:AWSComponent/'
   ```

   ```
   MSCK REPAIR TABLE ssminventory.AWS_AWSComponent
   ```

   ```
   CREATE EXTERNAL TABLE IF NOT EXISTS ssminventory.AWS_WindowsUpdate (
     `ResourceId` string,
     `HotFixId` string,
     `Description` string,
     `InstalledTime` string,
     `InstalledBy` string
   )
   PARTITIONED BY (AccountId string, Region string, ResourceType string)
   ROW FORMAT SERDE 'org.openx.data.jsonserde.JsonSerDe'
   WITH SERDEPROPERTIES (
     'serialization.format' = '1'
   ) LOCATION 's3://amzn-s3-demo-bucket/bucket-prefix/AWS:WindowsUpdate/'
   ```

   ```
   MSCK REPAIR TABLE ssminventory.AWS_WindowsUpdate
   ```

   ```
   CREATE EXTERNAL TABLE IF NOT EXISTS ssminventory.AWS_InstanceInformation (
     `AgentType` string,
     `AgentVersion` string,
     `ComputerName` string,
     `IamRole` string,
     `InstanceId` string,
     `IpAddress` string,
     `PlatformName` string,
     `PlatformType` string,
     `PlatformVersion` string
   )
   PARTITIONED BY (AccountId string, Region string, ResourceType string)
   ROW FORMAT SERDE 'org.openx.data.jsonserde.JsonSerDe'
   WITH SERDEPROPERTIES (
     'serialization.format' = '1'
   ) LOCATION 's3://amzn-s3-demo-bucket/bucket-prefix/AWS:InstanceInformation/'
   ```

   ```
   MSCK REPAIR TABLE ssminventory.AWS_InstanceInformation
   ```

   ```
   CREATE EXTERNAL TABLE IF NOT EXISTS ssminventory.AWS_Network (
     `ResourceId` string,
     `Name` string,
     `SubnetMask` string,
     `Gateway` string,
     `DHCPServer` string,
     `DNSServer` string,
     `MacAddress` string,
     `IPV4` string,
     `IPV6` string
   )
   PARTITIONED BY (AccountId string, Region string, ResourceType string)
   ROW FORMAT SERDE 'org.openx.data.jsonserde.JsonSerDe'
   WITH SERDEPROPERTIES (
     'serialization.format' = '1'
   ) LOCATION 's3://amzn-s3-demo-bucket/bucket-prefix/AWS:Network/'
   ```

   ```
   MSCK REPAIR TABLE ssminventory.AWS_Network
   ```

   ```
   CREATE EXTERNAL TABLE IF NOT EXISTS ssminventory.AWS_PatchSummary (
     `ResourceId` string,
     `PatchGroup` string,
     `BaselineId` string,
     `SnapshotId` string,
     `OwnerInformation` string,
     `InstalledCount` int,
     `InstalledOtherCount` int,
     `NotApplicableCount` int,
     `MissingCount` int,
     `FailedCount` int,
     `OperationType` string,
     `OperationStartTime` string,
     `OperationEndTime` string
   )
   PARTITIONED BY (AccountId string, Region string, ResourceType string)
   ROW FORMAT SERDE 'org.openx.data.jsonserde.JsonSerDe'
   WITH SERDEPROPERTIES (
     'serialization.format' = '1'
   ) LOCATION 's3://amzn-s3-demo-bucket/bucket-prefix/AWS:PatchSummary/'
   ```

   ```
   MSCK REPAIR TABLE ssminventory.AWS_PatchSummary
   ```

**Working with the Data in Amazon Quick**

The following section provides an overview with links for building a visualization in Amazon Quick.

**To build a visualization in Amazon Quick**

1. Sign up for [Amazon Quick](https://quicksight.aws/) and then log in to the Quick console.

1. Create a data set from the `AWS_Application` table and any other tables you created. For more information, see [Creating a dataset using Amazon Athena data](https://docs.aws.amazon.com/quicksuite/latest/userguide/create-a-data-set-athena.html) in the *Amazon Quick User Guide*.

1. Join tables. For example, you could join the `instanceid` column from `AWS_InstanceInformation` because it matches the `resourceid` column in other inventory tables. For more information about joining tables, see [Joining data](https://docs.aws.amazon.com/quicksuite/latest/userguide/joining-data.html) in the *Amazon Quick User Guide*.

1. Build a visualization. For more information, see [Analyses and reports: Visualizing data in Amazon Quick Sight](https://docs.aws.amazon.com/quicksuite/latest/userguide/working-with-visuals.html) in the *Amazon Quick User Guide*.

# Troubleshooting problems with Systems Manager Inventory
Troubleshooting Inventory

This topic includes information about how to troubleshoot common errors or problems with AWS Systems Manager Inventory. If you're having trouble viewing your nodes in Systems Manager, see [Troubleshooting managed node availability](fleet-manager-troubleshooting-managed-nodes.md).

**Topics**
+ [Multiple apply all associations with document '`AWS-GatherSoftwareInventory`' are not supported](#systems-manager-inventory-troubleshooting-multiple)
+ [Inventory execution status never exits pending](#inventory-troubleshooting-pending)
+ [The `AWS-ListWindowsInventory` document fails to run](#inventory-troubleshooting-ListWindowsInventory)
+ [Console doesn't display Inventory Dashboard | Detailed View | Settings tabs](#inventory-troubleshooting-tabs)
+ [UnsupportedAgent](#inventory-troubleshooting-unsupported-agent)
+ [Skipped](#inventory-troubleshooting-skipped)
+ [Failed](#inventory-troubleshooting-failed)
+ [Inventory compliance failed for an Amazon EC2 instance](#inventory-troubleshooting-ec2-compliance)
+ [S3 bucket object contains old data](#systems-manager-inventory-troubleshooting-s3)

## Multiple apply all associations with document '`AWS-GatherSoftwareInventory`' are not supported


An error that `Multiple apply all associations with document 'AWS-GatherSoftwareInventory' are not supported` means that one or more AWS Regions where you're trying to configure an Inventory association *for all nodes* are already configured with an inventory association for all nodes. If necessary, you can delete the existing inventory association for all nodes and then create a new one. To view existing inventory associations, choose **State Manager** in the Systems Manager console and then locate associations that use the `AWS-GatherSoftwareInventory` SSM document. If the existing inventory association for all nodes was created across multiple Regions, and you want to create a new one, you must delete the existing association from each Region where it exists.

## Inventory execution status never exits pending


There are two reasons why inventory collection never exits the `Pending` status:
+ No nodes in the selected AWS Region:

  If you create a global inventory association by using Systems Manager Quick Setup, the status of the inventory association (`AWS-GatherSoftwareInventory` document) shows `Pending` if there are no nodes available in the selected Region.
+ Insufficient permissions:

  An inventory association shows `Pending` if one or more nodes don't have permission to run Systems Manager Inventory. Verify that the AWS Identity and Access Management (IAM) instance profile includes the **AmazonSSMManagedInstanceCore** managed policy. For information about how to add this policy to an instance profile, see [Alternative configuration for EC2 instance permissions](setup-instance-permissions.md#instance-profile-add-permissions).

  At a minimum, the instance profile must have the following IAM permissions.

------
#### [ JSON ]


  ```
  {
      "Version":"2012-10-17",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "ssm:DescribeAssociation",
                  "ssm:ListAssociations",
                  "ssm:ListInstanceAssociations",
                  "ssm:PutInventory",
                  "ssm:PutComplianceItems",
                  "ssm:UpdateAssociationStatus",
                  "ssm:UpdateInstanceAssociationStatus",
                  "ssm:UpdateInstanceInformation",
                  "ssm:GetDocument",
                  "ssm:DescribeDocument"
              ],
              "Resource": "*"
          }
      ]
  }
  ```

------

## The `AWS-ListWindowsInventory` document fails to run


The `AWS-ListWindowsInventory` document is deprecated. Don't use this document to collect inventory. Instead, use one of the processes described in [Configuring inventory collection](inventory-collection.md). 

## Console doesn't display Inventory Dashboard | Detailed View | Settings tabs


The Inventory **Detailed View** page is only available in AWS Regions that offer Amazon Athena. If the following tabs aren't displayed on the Inventory page, it means Athena isn't available in the Region and you can't use the **Detailed View** to query data.

![\[Displaying Inventory Dashboard | Detailed View | Settings tabs\]](http://docs.aws.amazon.com/systems-manager/latest/userguide/images/inventory-detailed-view-for-error.png)


## UnsupportedAgent


If the detailed status of an inventory association shows **UnsupportedAgent**, and the **Association status** shows **Failed**, then the version of AWS Systems Manager SSM Agent on the managed node isn't correct. For example, to create a global inventory association (to inventory all nodes in your AWS account), you must use SSM Agent version 2.0.790.0 or later. You can view the agent version running on each of your nodes on the **Managed Instances** page in the **Agent version** column. For information about how to update SSM Agent on your nodes, see [Updating the SSM Agent using Run Command](run-command-tutorial-update-software.md#rc-console-agentexample).

## Skipped


If the status of the inventory association for a node shows **Skipped**, this means that a higher-priority inventory association is already running on that node. Systems Manager follows a specific priority order when multiple inventory associations could apply to the same managed node.

### Inventory association priority order


Systems Manager applies inventory associations in the following priority order:

1. **Quick Setup inventory associations** - Associations created using Quick Setup and the unified console. These associations have names that start with `AWS-QuickSetup-SSM-CollectInventory-` and target all managed nodes.

1. **Explicit inventory associations** - Associations that target specific managed nodes using:
   + Instance IDs
   + Tag key-value pairs
   + AWS resource groups

1. **Global inventory associations** - Associations that target all managed nodes (using `--targets "Key=InstanceIds,Values=*"`) but were **not** created through Quick Setup.

### Common scenarios


**Scenario 1: Quick Setup association overrides explicit association**
+ You have a Quick Setup inventory association targeting all instances
+ You create a manual association targeting specific managed nodes by tag
+ Result: The manual association shows `Skipped` with detailed status `OverriddenByExplicitInventoryAssociation`
+ The Quick Setup association continues to collect inventory from all instances

**Scenario 2: Explicit association overrides global association**
+ You have a global inventory association targeting all instances (not created by Quick Setup)
+ You create an association targeting specific instances
+ Result: The global association shows `Skipped` for the specifically targeted instances
+ The explicit association runs on the targeted instances

### Resolution steps


**If you want to use your own inventory association instead of Quick Setup:**

1. **Identify Quick Setup associations**: In the Systems Manager console, go to State Manager and look for associations with names starting with `AWS-QuickSetup-SSM-CollectInventory-`.

1. **Remove Quick Setup configuration**:
   + Go to Quick Setup in the Systems Manager console.
   + Find your inventory collection configuration.
   + Delete the Quick Setup configuration (this removes the associated inventory association).
**Note**  
You don't need to manually delete the association created by Quick Setup.

1. **Verify your association runs**: After removing the Quick Setup configuration, your explicit inventory association should start running successfully.

**If you want to modify existing behavior:**
+ To view all existing inventory associations, choose **State Manager** in the Systems Manager console and locate associations that use the `AWS-GatherSoftwareInventory` SSM document.
+ Remember that each managed node can only have one active inventory association at a time.

**Important**  
+ Inventory data is still collected from skipped nodes when their assigned (higher-priority) inventory association runs.
+ Quick Setup inventory associations take precedence over all other types, even those with explicit targeting.
+ The detailed status message `OverriddenByExplicitInventoryAssociation` appears when any association is overridden by a higher-priority one, regardless of the association type.
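The priority order above can be applied to a list of associations to predict which one runs on a node and which show `Skipped`. The following is an added example, not AWS code: it assumes records shaped like the entries returned by `aws ssm list-associations`, assumes every listed association applies to the same managed node, and uses constructed association IDs and names.

```python
QUICK_SETUP_PREFIX = "AWS-QuickSetup-SSM-CollectInventory-"
INVENTORY_DOCUMENT = "AWS-GatherSoftwareInventory"
TIERS = ("quick-setup", "explicit", "global")  # highest priority first


def tier_of(assoc):
    """Return the priority tier of one association, or None if it is not inventory."""
    if assoc.get("Name") != INVENTORY_DOCUMENT:
        return None
    if (assoc.get("AssociationName") or "").startswith(QUICK_SETUP_PREFIX):
        return "quick-setup"
    for target in assoc.get("Targets", []):
        if target.get("Key") == "InstanceIds" and "*" in target.get("Values", []):
            return "global"
    return "explicit"  # instance IDs, tag key-value pairs, or resource groups


def predict_for_node(associations):
    """Predict the outcome per association, assuming all of them apply to one node."""
    ranked = []
    for assoc in associations:
        tier = tier_of(assoc)
        if tier is not None:
            ranked.append((TIERS.index(tier), assoc["AssociationId"], tier))
    ranked.sort()
    if not ranked:
        return {}
    top = ranked[0][0]
    tied = sum(1 for rank, _, _ in ranked if rank == top) > 1
    outcome = {}
    for rank, assoc_id, tier in ranked:
        if rank > top:
            outcome[assoc_id] = (tier, "Skipped")
        else:
            # The page defines no order inside a tier, so flag ties for review.
            outcome[assoc_id] = (tier, "Review: same-tier duplicate" if tied else "Runs")
    return outcome


# Constructed records shaped like entries of `aws ssm list-associations` output.
QUICK_SETUP = {"AssociationId": "assoc-quicksetup", "Name": INVENTORY_DOCUMENT,
               "AssociationName": QUICK_SETUP_PREFIX + "example",
               "Targets": [{"Key": "InstanceIds", "Values": ["*"]}]}
BY_TAG = {"AssociationId": "assoc-by-tag", "Name": INVENTORY_DOCUMENT,
          "AssociationName": "team-inventory",
          "Targets": [{"Key": "tag:Environment", "Values": ["prod"]}]}
GLOBAL = {"AssociationId": "assoc-global", "Name": INVENTORY_DOCUMENT,
          "AssociationName": "all-nodes-inventory",
          "Targets": [{"Key": "InstanceIds", "Values": ["*"]}]}
PATCHING = {"AssociationId": "assoc-patch", "Name": "AWS-RunPatchBaseline",
            "Targets": [{"Key": "InstanceIds", "Values": ["*"]}]}

if __name__ == "__main__":
    # Scenario 1 from the page: Quick Setup wins over the tag-targeted association.
    for assoc_id, (tier, status) in predict_for_node([BY_TAG, QUICK_SETUP, PATCHING]).items():
        print(f"{assoc_id:18} {tier:12} {status}")
```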

## Failed


If the status of the inventory association for a node shows **Failed**, this could mean that the node has multiple inventory associations assigned to it. A node can only have one inventory association assigned at a time. An inventory association uses the `AWS-GatherSoftwareInventory` AWS Systems Manager document (SSM document). You can run the following command by using the AWS Command Line Interface (AWS CLI) to view a list of associations for a node.

```
aws ssm describe-instance-associations-status --instance-id instance-ID
```

## Inventory compliance failed for an Amazon EC2 instance


Inventory compliance for an Amazon Elastic Compute Cloud (Amazon EC2) instance can fail if you assign multiple inventory associations to the instance. 

 To resolve this issue, delete one or more inventory associations assigned to the instance. For more information, see [Deleting an association](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-state-manager-delete-association.html). 

**Note**  
Be aware of the following behavior if you create multiple inventory associations for a managed node:  
+ Each node can be assigned an inventory association that targets *all* nodes (`--targets "Key=InstanceIds,Values=*"`).
+ Each node can also be assigned a specific association that uses either tag key-value pairs or an AWS resource group.
+ If a node is assigned multiple inventory associations, the status shows *Skipped* for the association that hasn't run. The association that ran most recently displays the actual status of the inventory association.
+ If a node is assigned multiple inventory associations and each uses a tag key-value pair, then those inventory associations fail to run on the node because of the tag conflict. The association still runs on nodes that don't have the tag key-value conflict.

## S3 bucket object contains old data


Data inside the Amazon S3 bucket object is updated when the inventory association is successful and new data is discovered. The Amazon S3 bucket object is updated for each node when the association runs and fails, but the data inside the object is not updated in this case. Data inside the Amazon S3 bucket object will update only when the association runs successfully. When the inventory association fails, you will see old data in the Amazon S3 bucket object.