Adds or overwrites one or more tags for the specified resource. Tags are metadata that you can assign to your documents, managed instances, maintenance windows, Parameter Store parameters, and patch baselines. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment. Each tag consists of a key and an optional value, both of which you define. For example, you could define a set of tags for your account's managed instances that helps you track each instance's owner and stack level. For example:
Key=Owner,Value=DbAdmin
Key=Owner,Value=SysAdmin
Key=Owner,Value=Dev
Key=Stack,Value=Production
Key=Stack,Value=Pre-Production
Key=Stack,Value=Test
Each resource can have a maximum of 50 tags.
We recommend that you devise a set of tag keys that meets your needs for each resource type. Using a consistent set of tag keys makes it easier for you to manage your resources. You can search and filter the resources based on the tags you add. Tags don't have any semantic meaning to and are interpreted strictly as a string of characters.
For more information about using tags with Amazon Elastic Compute Cloud (Amazon EC2) instances, see Tagging your Amazon EC2 resources in the Amazon EC2 User Guide.
" + "documentation":"Adds or overwrites one or more tags for the specified resource. Tags are metadata that you can assign to your documents, managed nodes, maintenance windows, Parameter Store parameters, and patch baselines. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment. Each tag consists of a key and an optional value, both of which you define. For example, you could define a set of tags for your account's managed nodes that helps you track each node's owner and stack level. For example:
Key=Owner,Value=DbAdmin
Key=Owner,Value=SysAdmin
Key=Owner,Value=Dev
Key=Stack,Value=Production
Key=Stack,Value=Pre-Production
Key=Stack,Value=Test
Each resource can have a maximum of 50 tags.
We recommend that you devise a set of tag keys that meets your needs for each resource type. Using a consistent set of tag keys makes it easier for you to manage your resources. You can search and filter the resources based on the tags you add. Tags don't have any semantic meaning to and are interpreted strictly as a string of characters.
For more information about using tags with Amazon Elastic Compute Cloud (Amazon EC2) instances, see Tagging your Amazon EC2 resources in the Amazon EC2 User Guide.
" }, "AssociateOpsItemRelatedItem":{ "name":"AssociateOpsItemRelatedItem", @@ -89,7 +89,7 @@ {"shape":"InvalidParameters"}, {"shape":"InternalServerError"} ], - "documentation":"Generates an activation code and activation ID you can use to register your on-premises server or virtual machine (VM) with Amazon Web Services Systems Manager. Registering these machines with Systems Manager makes it possible to manage them using Systems Manager capabilities. You use the activation code and ID when installing SSM Agent on machines in your hybrid environment. For more information about requirements for managing on-premises instances and VMs using Systems Manager, see Setting up Amazon Web Services Systems Manager for hybrid environments in the Amazon Web Services Systems Manager User Guide.
On-premises servers or VMs that are registered with Systems Manager and Amazon Elastic Compute Cloud (Amazon EC2) instances that you manage with Systems Manager are all called managed instances.
Generates an activation code and activation ID you can use to register your on-premises servers, edge devices, or virtual machine (VM) with Amazon Web Services Systems Manager. Registering these machines with Systems Manager makes it possible to manage them using Systems Manager capabilities. You use the activation code and ID when installing SSM Agent on machines in your hybrid environment. For more information about requirements for managing on-premises machines using Systems Manager, see Setting up Amazon Web Services Systems Manager for hybrid environments in the Amazon Web Services Systems Manager User Guide.
Amazon Elastic Compute Cloud (Amazon EC2) instances, edge devices, and on-premises servers and VMs that are configured for Systems Manager are all called managed nodes.
A State Manager association defines the state that you want to maintain on your instances. For example, an association can specify that anti-virus software must be installed and running on your instances, or that certain ports must be closed. For static targets, the association specifies a schedule for when the configuration is reapplied. For dynamic targets, such as an Amazon Web Services resource group or an Amazon Web Services autoscaling group, State Manager, a capability of Amazon Web Services Systems Manager applies the configuration when new instances are added to the group. The association also specifies actions to take when applying the configuration. For example, an association for anti-virus software might run once a day. If the software isn't installed, then State Manager installs it. If the software is installed, but the service isn't running, then the association might instruct State Manager to start the service.
" + "documentation":"A State Manager association defines the state that you want to maintain on your managed nodes. For example, an association can specify that anti-virus software must be installed and running on your managed nodes, or that certain ports must be closed. For static targets, the association specifies a schedule for when the configuration is reapplied. For dynamic targets, such as an Amazon Web Services resource group or an Amazon Web Services autoscaling group, State Manager, a capability of Amazon Web Services Systems Manager applies the configuration when new managed nodes are added to the group. The association also specifies actions to take when applying the configuration. For example, an association for anti-virus software might run once a day. If the software isn't installed, then State Manager installs it. If the software is installed, but the service isn't running, then the association might instruct State Manager to start the service.
" }, "CreateAssociationBatch":{ "name":"CreateAssociationBatch", @@ -135,7 +135,7 @@ {"shape":"InvalidTarget"}, {"shape":"InvalidSchedule"} ], - "documentation":"Associates the specified Amazon Web Services Systems Manager document (SSM document) with the specified instances or targets.
When you associate a document with one or more instances using instance IDs or tags, Amazon Web Services Systems Manager Agent (SSM Agent) running on the instance processes the document and configures the instance as specified.
If you associate a document with an instance that already has an associated document, the system returns the AssociationAlreadyExists exception.
" + "documentation":"Associates the specified Amazon Web Services Systems Manager document (SSM document) with the specified managed nodes or targets.
When you associate a document with one or more managed nodes using IDs or tags, Amazon Web Services Systems Manager Agent (SSM Agent) running on the managed node processes the document and configures the node as specified.
If you associate a document with a managed node that already has an associated document, the system returns the AssociationAlreadyExists exception.
" }, "CreateDocument":{ "name":"CreateDocument", @@ -153,7 +153,7 @@ {"shape":"DocumentLimitExceeded"}, {"shape":"InvalidDocumentSchemaVersion"} ], - "documentation":"Creates a Amazon Web Services Systems Manager (SSM document). An SSM document defines the actions that Systems Manager performs on your managed instances. For more information about SSM documents, including information about supported schemas, features, and syntax, see Amazon Web Services Systems Manager Documents in the Amazon Web Services Systems Manager User Guide.
" + "documentation":"Creates a Amazon Web Services Systems Manager (SSM document). An SSM document defines the actions that Systems Manager performs on your managed nodes. For more information about SSM documents, including information about supported schemas, features, and syntax, see Amazon Web Services Systems Manager Documents in the Amazon Web Services Systems Manager User Guide.
" }, "CreateMaintenanceWindow":{ "name":"CreateMaintenanceWindow", @@ -248,7 +248,7 @@ {"shape":"InternalServerError"}, {"shape":"TooManyUpdates"} ], - "documentation":"Deletes an activation. You aren't required to delete an activation. If you delete an activation, you can no longer use it to register additional managed instances. Deleting an activation doesn't de-register managed instances. You must manually de-register managed instances.
" + "documentation":"Deletes an activation. You aren't required to delete an activation. If you delete an activation, you can no longer use it to register additional managed nodes. Deleting an activation doesn't de-register managed nodes. You must manually de-register managed nodes.
" }, "DeleteAssociation":{ "name":"DeleteAssociation", @@ -265,7 +265,7 @@ {"shape":"InvalidInstanceId"}, {"shape":"TooManyUpdates"} ], - "documentation":"Disassociates the specified Amazon Web Services Systems Manager document (SSM document) from the specified instance. If you created the association by using the Targets parameter, then you must delete the association by using the association ID.
When you disassociate a document from an instance, it doesn't change the configuration of the instance. To change the configuration state of an instance after you disassociate a document, you must create a new document with the desired configuration and associate it with the instance.
" + "documentation":"Disassociates the specified Amazon Web Services Systems Manager document (SSM document) from the specified managed node. If you created the association by using the Targets parameter, then you must delete the association by using the association ID.
When you disassociate a document from a managed node, it doesn't change the configuration of the node. To change the configuration state of a managed node after you disassociate a document, you must create a new document with the desired configuration and associate it with the node.
" }, "DeleteDocument":{ "name":"DeleteDocument", @@ -281,7 +281,7 @@ {"shape":"InvalidDocumentOperation"}, {"shape":"AssociatedInstances"} ], - "documentation":"Deletes the Amazon Web Services Systems Manager document (SSM document) and all instance associations to the document.
Before you delete the document, we recommend that you use DeleteAssociation to disassociate all instances that are associated with the document.
" + "documentation":"Deletes the Amazon Web Services Systems Manager document (SSM document) and all managed node associations to the document.
Before you delete the document, we recommend that you use DeleteAssociation to disassociate all managed nodes that are associated with the document.
" }, "DeleteInventory":{ "name":"DeleteInventory", @@ -382,7 +382,7 @@ {"shape":"ResourceDataSyncNotFoundException"}, {"shape":"ResourceDataSyncInvalidConfigurationException"} ], - "documentation":"Deletes a resource data sync configuration. After the configuration is deleted, changes to data on managed instances are no longer synced to or from the target. Deleting a sync configuration doesn't delete data.
" + "documentation":"Deletes a resource data sync configuration. After the configuration is deleted, changes to data on managed nodes are no longer synced to or from the target. Deleting a sync configuration doesn't delete data.
" }, "DeregisterManagedInstance":{ "name":"DeregisterManagedInstance", @@ -396,7 +396,7 @@ {"shape":"InvalidInstanceId"}, {"shape":"InternalServerError"} ], - "documentation":"Removes the server or virtual machine from the list of registered servers. You can reregister the instance again at any time. If you don't plan to use Run Command on the server, we suggest uninstalling SSM Agent first.
" + "documentation":"Removes the server or virtual machine from the list of registered servers. You can reregister the node again at any time. If you don't plan to use Run Command on the server, we suggest uninstalling SSM Agent first.
" }, "DeregisterPatchBaselineForPatchGroup":{ "name":"DeregisterPatchBaselineForPatchGroup", @@ -454,7 +454,7 @@ {"shape":"InvalidNextToken"}, {"shape":"InternalServerError"} ], - "documentation":"Describes details about the activation, such as the date and time the activation was created, its expiration date, the Identity and Access Management (IAM) role assigned to the instances in the activation, and the number of instances registered by using this activation.
" + "documentation":"Describes details about the activation, such as the date and time the activation was created, its expiration date, the Identity and Access Management (IAM) role assigned to the managed nodes in the activation, and the number of nodes registered by using this activation.
" }, "DescribeAssociation":{ "name":"DescribeAssociation", @@ -471,7 +471,7 @@ {"shape":"InvalidDocument"}, {"shape":"InvalidInstanceId"} ], - "documentation":"Describes the association for the specified target or instance. If you created the association by using the Targets parameter, then you must retrieve the association by using the association ID.
Describes the association for the specified target or managed node. If you created the association by using the Targets parameter, then you must retrieve the association by using the association ID.
All associations for the instance(s).
" + "documentation":"All associations for the managed node(s).
" }, "DescribeEffectivePatchesForPatchBaseline":{ "name":"DescribeEffectivePatchesForPatchBaseline", @@ -626,7 +626,7 @@ {"shape":"InvalidInstanceId"}, {"shape":"InvalidNextToken"} ], - "documentation":"The status of the associations for the instance(s).
" + "documentation":"The status of the associations for the managed node(s).
" }, "DescribeInstanceInformation":{ "name":"DescribeInstanceInformation", @@ -643,7 +643,7 @@ {"shape":"InvalidInstanceInformationFilterValue"}, {"shape":"InvalidFilterKey"} ], - "documentation":"Describes one or more of your instances, including information about the operating system platform, the version of SSM Agent installed on the instance, instance status, and so on.
If you specify one or more instance IDs, it returns information for those instances. If you don't specify instance IDs, it returns information for all your instances. If you specify an instance ID that isn't valid or an instance that you don't own, you receive an error.
The IamRole field for this API operation is the Identity and Access Management (IAM) role assigned to on-premises instances. This call doesn't return the IAM role for EC2 instances.
Describes one or more of your managed nodes, including information about the operating system platform, the version of SSM Agent installed on the managed node, node status, and so on.
If you specify one or more managed node IDs, it returns information for those managed nodes. If you don't specify node IDs, it returns information for all your managed nodes. If you specify a node ID that isn't valid or a node that you don't own, you receive an error.
The IamRole field for this API operation is the Identity and Access Management (IAM) role assigned to on-premises managed nodes. This call doesn't return the IAM role for EC2 instances.
Retrieves the high-level patch state of one or more instances.
" + "documentation":"Retrieves the high-level patch state of one or more managed nodes.
" }, "DescribeInstancePatchStatesForPatchGroup":{ "name":"DescribeInstancePatchStatesForPatchGroup", @@ -672,7 +672,7 @@ {"shape":"InvalidFilter"}, {"shape":"InvalidNextToken"} ], - "documentation":"Retrieves the high-level patch state for the instances in the specified patch group.
" + "documentation":"Retrieves the high-level patch state for the managed nodes in the specified patch group.
" }, "DescribeInstancePatches":{ "name":"DescribeInstancePatches", @@ -688,7 +688,7 @@ {"shape":"InvalidFilter"}, {"shape":"InvalidNextToken"} ], - "documentation":"Retrieves information about the patches on the specified instance and their state relative to the patch baseline being used for the instance.
" + "documentation":"Retrieves information about the patches on the specified managed node and their state relative to the patch baseline being used for the node.
" }, "DescribeInventoryDeletions":{ "name":"DescribeInventoryDeletions", @@ -812,7 +812,7 @@ "errors":[ {"shape":"InternalServerError"} ], - "documentation":"Retrieves information about the maintenance window targets or tasks that an instance is associated with.
" + "documentation":"Retrieves information about the maintenance window targets or tasks that a managed node is associated with.
" }, "DescribeOpsItems":{ "name":"DescribeOpsItems", @@ -973,7 +973,7 @@ {"shape":"InvalidPluginName"}, {"shape":"InvocationDoesNotExist"} ], - "documentation":"Returns detailed information about command execution for an invocation or plugin.
GetCommandInvocation only gives the execution status of a plugin in a document. To get the command execution status on a specific instance, use ListCommandInvocations. To get the command execution status across instances, use ListCommands.
Returns detailed information about command execution for an invocation or plugin.
GetCommandInvocation only gives the execution status of a plugin in a document. To get the command execution status on a specific managed node, use ListCommandInvocations. To get the command execution status across managed nodes, use ListCommands.
Retrieves the Session Manager connection status for an instance to determine whether it is running and ready to receive Session Manager connections.
" + "documentation":"Retrieves the Session Manager connection status for a managed node to determine whether it is running and ready to receive Session Manager connections.
" }, "GetDefaultPatchBaseline":{ "name":"GetDefaultPatchBaseline", @@ -1014,7 +1014,7 @@ {"shape":"UnsupportedOperatingSystem"}, {"shape":"UnsupportedFeatureRequiredException"} ], - "documentation":"Retrieves the current snapshot for the patch baseline the instance uses. This API is primarily used by the AWS-RunPatchBaseline Systems Manager document (SSM document).
If you run the command locally, such as with the Command Line Interface (CLI), the system attempts to use your local Amazon Web Services credentials and the operation fails. To avoid this, you can run the command in the Amazon Web Services Systems Manager console. Use Run Command, a capability of Amazon Web Services Systems Manager, with an SSM document that enables you to target an instance with a script or command. For example, run the command using the AWS-RunShellScript document or the AWS-RunPowerShellScript document.
Retrieves the current snapshot for the patch baseline the managed node uses. This API is primarily used by the AWS-RunPatchBaseline Systems Manager document (SSM document).
If you run the command locally, such as with the Command Line Interface (CLI), the system attempts to use your local Amazon Web Services credentials and the operation fails. To avoid this, you can run the command in the Amazon Web Services Systems Manager console. Use Run Command, a capability of Amazon Web Services Systems Manager, with an SSM document that enables you to target a managed node with a script or command. For example, run the command using the AWS-RunShellScript document or the AWS-RunPowerShellScript document.
Query inventory information. This includes instance status, such as Stopped or Terminated.
Query inventory information. This includes managed node status, such as Stopped or Terminated.
Returns all State Manager associations in the current Amazon Web Services account and Amazon Web Services Region. You can limit the results to a specific State Manager association document or instance by specifying a filter. State Manager is a capability of Amazon Web Services Systems Manager.
" + "documentation":"Returns all State Manager associations in the current Amazon Web Services account and Amazon Web Services Region. You can limit the results to a specific State Manager association document or managed node by specifying a filter. State Manager is a capability of Amazon Web Services Systems Manager.
" }, "ListCommandInvocations":{ "name":"ListCommandInvocations", @@ -1349,7 +1349,7 @@ {"shape":"InvalidFilterKey"}, {"shape":"InvalidNextToken"} ], - "documentation":"An invocation is copy of a command sent to a specific instance. A command can apply to one or more instances. A command invocation applies to one instance. For example, if a user runs SendCommand against three instances, then a command invocation is created for each requested instance ID. ListCommandInvocations provide status about command execution.
An invocation is copy of a command sent to a specific managed node. A command can apply to one or more managed nodes. A command invocation applies to one managed node. For example, if a user runs SendCommand against three managed nodes, then a command invocation is created for each requested managed node ID. ListCommandInvocations provide status about command execution.
Registers a compliance type and other compliance details on a designated resource. This operation lets you register custom compliance details with a resource. This call overwrites existing compliance information on the resource, so you must provide a full list of compliance items each time that you send the request.
ComplianceType can be one of the following:
ExecutionId: The execution ID when the patch, association, or custom compliance item was applied.
ExecutionType: Specify patch, association, or Custom:string.
ExecutionTime. The time the patch, association, or custom compliance item was applied to the instance.
Id: The patch, association, or custom compliance ID.
Title: A title.
Status: The status of the compliance item. For example, approved for patches, or Failed for associations.
Severity: A patch severity. For example, critical.
DocumentName: An SSM document name. For example, AWS-RunPatchBaseline.
DocumentVersion: An SSM document version number. For example, 4.
Classification: A patch classification. For example, security updates.
PatchBaselineId: A patch baseline ID.
PatchSeverity: A patch severity. For example, Critical.
PatchState: A patch state. For example, InstancesWithFailedPatches.
PatchGroup: The name of a patch group.
InstalledTime: The time the association, patch, or custom compliance item was applied to the resource. Specify the time by using the following format: yyyy-MM-dd'T'HH:mm:ss'Z'
Registers a compliance type and other compliance details on a designated resource. This operation lets you register custom compliance details with a resource. This call overwrites existing compliance information on the resource, so you must provide a full list of compliance items each time that you send the request.
ComplianceType can be one of the following:
ExecutionId: The execution ID when the patch, association, or custom compliance item was applied.
ExecutionType: Specify patch, association, or Custom:string.
ExecutionTime. The time the patch, association, or custom compliance item was applied to the managed node.
Id: The patch, association, or custom compliance ID.
Title: A title.
Status: The status of the compliance item. For example, approved for patches, or Failed for associations.
Severity: A patch severity. For example, critical.
DocumentName: An SSM document name. For example, AWS-RunPatchBaseline.
DocumentVersion: An SSM document version number. For example, 4.
Classification: A patch classification. For example, security updates.
PatchBaselineId: A patch baseline ID.
PatchSeverity: A patch severity. For example, Critical.
PatchState: A patch state. For example, InstancesWithFailedPatches.
PatchGroup: The name of a patch group.
InstalledTime: The time the association, patch, or custom compliance item was applied to the resource. Specify the time by using the following format: yyyy-MM-dd'T'HH:mm:ss'Z'
Bulk update custom inventory items on one more instance. The request adds an inventory item, if it doesn't already exist, or updates an inventory item, if it does exist.
" + "documentation":"Bulk update custom inventory items on one or more managed nodes. The request adds an inventory item, if it doesn't already exist, or updates an inventory item, if it does exist.
" }, "PutParameter":{ "name":"PutParameter", @@ -1747,7 +1747,7 @@ {"shape":"DoesNotExistException"}, {"shape":"InternalServerError"} ], - "documentation":"Reconnects a session to an instance after it has been disconnected. Connections can be resumed for disconnected sessions, but not terminated sessions.
This command is primarily for use by client machines to automatically reconnect during intermittent network issues. It isn't intended for any other use.
Reconnects a session to a managed node after it has been disconnected. Connections can be resumed for disconnected sessions, but not terminated sessions.
This command is primarily for use by client machines to automatically reconnect during intermittent network issues. It isn't intended for any other use.
Runs commands on one or more managed instances.
" + "documentation":"Runs commands on one or more managed nodes.
" }, "StartAssociationsOnce":{ "name":"StartAssociationsOnce", @@ -1853,7 +1853,7 @@ {"shape":"TargetNotConnected"}, {"shape":"InternalServerError"} ], - "documentation":"Initiates a connection to a target (for example, an instance) for a Session Manager session. Returns a URL and token that can be used to open a WebSocket connection for sending input and receiving outputs.
Amazon Web Services CLI usage: start-session is an interactive command that requires the Session Manager plugin to be installed on the client machine making the call. For information, see Install the Session Manager plugin for the Amazon Web Services CLI in the Amazon Web Services Systems Manager User Guide.
Amazon Web Services Tools for PowerShell usage: Start-SSMSession isn't currently supported by Amazon Web Services Tools for PowerShell on Windows local machines.
Initiates a connection to a target (for example, a managed node) for a Session Manager session. Returns a URL and token that can be used to open a WebSocket connection for sending input and receiving outputs.
Amazon Web Services CLI usage: start-session is an interactive command that requires the Session Manager plugin to be installed on the client machine making the call. For information, see Install the Session Manager plugin for the Amazon Web Services CLI in the Amazon Web Services Systems Manager User Guide.
Amazon Web Services Tools for PowerShell usage: Start-SSMSession isn't currently supported by Amazon Web Services Tools for PowerShell on Windows local machines.
Permanently ends a session and closes the data connection between the Session Manager client and SSM Agent on the instance. A terminated session isn't be resumed.
" + "documentation":"Permanently ends a session and closes the data connection between the Session Manager client and SSM Agent on the managed node. A terminated session isn't be resumed.
" }, "UnlabelParameterVersion":{ "name":"UnlabelParameterVersion", @@ -1940,7 +1940,7 @@ {"shape":"StatusUnchanged"}, {"shape":"TooManyUpdates"} ], - "documentation":"Updates the status of the Amazon Web Services Systems Manager document (SSM document) associated with the specified instance.
UpdateAssociationStatus is primarily used by the Amazon Web Services Systems Manager Agent (SSM Agent) to report status updates about your associations and is only used for associations created with the InstanceId legacy parameter.
Updates the status of the Amazon Web Services Systems Manager document (SSM document) associated with the specified managed node.
UpdateAssociationStatus is primarily used by the Amazon Web Services Systems Manager Agent (SSM Agent) to report status updates about your associations and is only used for associations created with the InstanceId legacy parameter.
Changes the Identity and Access Management (IAM) role that is assigned to the on-premises instance or virtual machines (VM). IAM roles are first assigned to these hybrid instances during the activation process. For more information, see CreateActivation.
" + "documentation":"Changes the Identity and Access Management (IAM) role that is assigned to the on-premises server, edge device, or virtual machines (VM). IAM roles are first assigned to these hybrid nodes during the activation process. For more information, see CreateActivation.
" }, "UpdateOpsItem":{ "name":"UpdateOpsItem", @@ -2181,23 +2181,23 @@ }, "DefaultInstanceName":{ "shape":"DefaultInstanceName", - "documentation":"A name for the managed instance when it is created.
" + "documentation":"A name for the managed node when it is created.
" }, "IamRole":{ "shape":"IamRole", - "documentation":"The Identity and Access Management (IAM) role to assign to the managed instance.
" + "documentation":"The Identity and Access Management (IAM) role to assign to the managed node.
" }, "RegistrationLimit":{ "shape":"RegistrationLimit", - "documentation":"The maximum number of managed instances that can be registered using this activation.
" + "documentation":"The maximum number of managed nodes that can be registered using this activation.
" }, "RegistrationsCount":{ "shape":"RegistrationsCount", - "documentation":"The number of managed instances already registered with this activation.
" + "documentation":"The number of managed nodes already registered with this activation.
" }, "ExpirationDate":{ "shape":"ExpirationDate", - "documentation":"The date when this activation can no longer be used to register managed instances.
" + "documentation":"The date when this activation can no longer be used to register managed nodes.
" }, "Expired":{ "shape":"Boolean", @@ -2212,7 +2212,7 @@ "documentation":"Tags assigned to the activation.
" } }, - "documentation":"An activation registers one or more on-premises servers or virtual machines (VMs) with Amazon Web Services so that you can configure those servers or VMs using Run Command. A server or VM that has been registered with Amazon Web Services Systems Manager is called a managed instance.
" + "documentation":"An activation registers one or more on-premises servers or virtual machines (VMs) with Amazon Web Services so that you can configure those servers or VMs using Run Command. A server or VM that has been registered with Amazon Web Services Systems Manager is called a managed node.
" }, "ActivationCode":{ "type":"string", @@ -2242,11 +2242,11 @@ "members":{ "ResourceType":{ "shape":"ResourceTypeForTagging", - "documentation":"Specifies the type of resource you are tagging.
The ManagedInstance type for this API operation is for on-premises managed instances. You must specify the name of the managed instance in the following format: mi-ID_number . For example, mi-1a2b3c4d5e6f.
Specifies the type of resource you are tagging.
The ManagedInstance type for this API operation is for on-premises managed nodes. You must specify the name of the managed node in the following format: mi-ID_number . For example, mi-1a2b3c4d5e6f.
The resource ID you want to tag.
Use the ID of the resource. Here are some examples:
MaintenanceWindow: mw-012345abcde
PatchBaseline: pb-012345abcde
OpsMetadata object: ResourceID for tagging is created from the Amazon Resource Name (ARN) for the object. Specifically, ResourceID is created from the strings that come after the word opsmetadata in the ARN. For example, an OpsMetadata object with an ARN of arn:aws:ssm:us-east-2:1234567890:opsmetadata/aws/ssm/MyGroup/appmanager has a ResourceID of either aws/ssm/MyGroup/appmanager or /aws/ssm/MyGroup/appmanager.
For the Document and Parameter values, use the name of the resource.
ManagedInstance: mi-012345abcde
The ManagedInstance type for this API operation is only for on-premises managed instances. You must specify the name of the managed instance in the following format: mi-ID_number . For example, mi-1a2b3c4d5e6f.
The resource ID you want to tag.
Use the ID of the resource. Here are some examples:
MaintenanceWindow: mw-012345abcde
PatchBaseline: pb-012345abcde
OpsMetadata object: ResourceID for tagging is created from the Amazon Resource Name (ARN) for the object. Specifically, ResourceID is created from the strings that come after the word opsmetadata in the ARN. For example, an OpsMetadata object with an ARN of arn:aws:ssm:us-east-2:1234567890:opsmetadata/aws/ssm/MyGroup/appmanager has a ResourceID of either aws/ssm/MyGroup/appmanager or /aws/ssm/MyGroup/appmanager.
For the Document and Parameter values, use the name of the resource.
ManagedInstance: mi-012345abcde
The ManagedInstance type for this API operation is only for on-premises managed nodes. You must specify the name of the managed node in the following format: mi-ID_number . For example, mi-1a2b3c4d5e6f.
You must disassociate a document from all instances before you can delete it.
", + "documentation":"You must disassociate a document from all managed nodes before you can delete it.
", "exception":true }, "Association":{ @@ -2335,7 +2335,7 @@ }, "InstanceId":{ "shape":"InstanceId", - "documentation":"The instance ID.
" + "documentation":"The managed node ID.
" }, "AssociationId":{ "shape":"AssociationId", @@ -2351,7 +2351,7 @@ }, "Targets":{ "shape":"Targets", - "documentation":"The instances targeted by the request to create an association. You can target all instances in an Amazon Web Services account by specifying the InstanceIds key with a value of *.
The managed nodes targeted by the request to create an association. You can target all managed nodes in an Amazon Web Services account by specifying the InstanceIds key with a value of *.
The association name.
" } }, - "documentation":"Describes an association of a Amazon Web Services Systems Manager document (SSM document) and an instance.
" + "documentation":"Describes an association of a Amazon Web Services Systems Manager document (SSM document) and a managed node.
" }, "AssociationAlreadyExists":{ "type":"structure", @@ -2398,7 +2398,7 @@ }, "InstanceId":{ "shape":"InstanceId", - "documentation":"The instance ID.
" + "documentation":"The managed node ID.
" }, "AssociationVersion":{ "shape":"AssociationVersion", @@ -2438,7 +2438,7 @@ }, "Targets":{ "shape":"Targets", - "documentation":"The instances targeted by the request.
" + "documentation":"The managed nodes targeted by the request.
" }, "ScheduleExpression":{ "shape":"ScheduleExpression", @@ -2462,11 +2462,11 @@ }, "MaxErrors":{ "shape":"MaxErrors", - "documentation":"The number of errors that are allowed before the system stops sending requests to run the association on additional targets. You can specify either an absolute number of errors, for example 10, or a percentage of the target set, for example 10%. If you specify 3, for example, the system stops sending requests when the fourth error is received. If you specify 0, then the system stops sending requests after the first error is returned. If you run an association on 50 instances and set MaxError to 10%, then the system stops sending the request when the sixth error is received.
Executions that are already running an association when MaxErrors is reached are allowed to complete, but some of these executions may fail as well. If you need to ensure that there won't be more than max-errors failed executions, set MaxConcurrency to 1 so that executions proceed one at a time.
The number of errors that are allowed before the system stops sending requests to run the association on additional targets. You can specify either an absolute number of errors, for example 10, or a percentage of the target set, for example 10%. If you specify 3, for example, the system stops sending requests when the fourth error is received. If you specify 0, then the system stops sending requests after the first error is returned. If you run an association on 50 managed nodes and set MaxError to 10%, then the system stops sending the request when the sixth error is received.
Executions that are already running an association when MaxErrors is reached are allowed to complete, but some of these executions may fail as well. If you need to ensure that there won't be more than max-errors failed executions, set MaxConcurrency to 1 so that executions proceed one at a time.
The maximum number of targets allowed to run the association at the same time. You can specify a number, for example 10, or a percentage of the target set, for example 10%. The default value is 100%, which means all targets run the association at the same time.
If a new instance starts and attempts to run an association while Systems Manager is running MaxConcurrency associations, the association is allowed to run. During the next association interval, the new instance will process its association within the limit specified for MaxConcurrency.
The maximum number of targets allowed to run the association at the same time. You can specify a number, for example 10, or a percentage of the target set, for example 10%. The default value is 100%, which means all targets run the association at the same time.
If a new managed node starts and attempts to run an association while Systems Manager is running MaxConcurrency associations, the association is allowed to run. During the next association interval, the new managed node will process its association within the limit specified for MaxConcurrency.
The resource ID, for example, the instance ID where the association ran.
" + "documentation":"The resource ID, for example, the managed node ID where the association ran.
" }, "ResourceType":{ "shape":"AssociationResourceType", - "documentation":"The resource type, for example, instance.
" + "documentation":"The resource type, for example, EC2.
" }, "Status":{ "shape":"StatusName", @@ -2764,7 +2764,7 @@ }, "AssociationStatusAggregatedCount":{ "shape":"AssociationStatusAggregatedCount", - "documentation":"Returns the number of targets for the association status. For example, if you created an association with two instances, and one of them was successful, this would return the count of instances by status.
" + "documentation":"Returns the number of targets for the association status. For example, if you created an association with two managed nodes, and one of them was successful, this would return the count of managed nodes by status.
" } }, "documentation":"Information about the association.
" @@ -2875,11 +2875,11 @@ }, "MaxErrors":{ "shape":"MaxErrors", - "documentation":"The number of errors that are allowed before the system stops sending requests to run the association on additional targets. You can specify either an absolute number of errors, for example 10, or a percentage of the target set, for example 10%. If you specify 3, for example, the system stops sending requests when the fourth error is received. If you specify 0, then the system stops sending requests after the first error is returned. If you run an association on 50 instances and set MaxError to 10%, then the system stops sending the request when the sixth error is received.
Executions that are already running an association when MaxErrors is reached are allowed to complete, but some of these executions may fail as well. If you need to ensure that there won't be more than max-errors failed executions, set MaxConcurrency to 1 so that executions proceed one at a time.
The number of errors that are allowed before the system stops sending requests to run the association on additional targets. You can specify either an absolute number of errors, for example 10, or a percentage of the target set, for example 10%. If you specify 3, for example, the system stops sending requests when the fourth error is received. If you specify 0, then the system stops sending requests after the first error is returned. If you run an association on 50 managed nodes and set MaxError to 10%, then the system stops sending the request when the sixth error is received.
Executions that are already running an association when MaxErrors is reached are allowed to complete, but some of these executions may fail as well. If you need to ensure that there won't be more than max-errors failed executions, set MaxConcurrency to 1 so that executions proceed one at a time.
The maximum number of targets allowed to run the association at the same time. You can specify a number, for example 10, or a percentage of the target set, for example 10%. The default value is 100%, which means all targets run the association at the same time.
If a new instance starts and attempts to run an association while Systems Manager is running MaxConcurrency associations, the association is allowed to run. During the next association interval, the new instance will process its association within the limit specified for MaxConcurrency.
The maximum number of targets allowed to run the association at the same time. You can specify a number, for example 10, or a percentage of the target set, for example 10%. The default value is 100%, which means all targets run the association at the same time.
If a new managed node starts and attempts to run an association while Systems Manager is running MaxConcurrency associations, the association is allowed to run. During the next association interval, the new managed node will process its association within the limit specified for MaxConcurrency.
Indicates whether the list of approved patches includes non-security updates that should be applied to the instances. The default value is false. Applies to Linux instances only.
Indicates whether the list of approved patches includes non-security updates that should be applied to the managed nodes. The default value is false. Applies to Linux managed nodes only.
Information about the patches to use to update the instances, including target operating systems and source repositories. Applies to Linux instances only.
" + "documentation":"Information about the patches to use to update the managed nodes, including target operating systems and source repositories. Applies to Linux managed nodes only.
" } }, "documentation":"Defines the basic information about a patch baseline override.
" @@ -3532,7 +3532,7 @@ }, "InstanceIds":{ "shape":"InstanceIdList", - "documentation":"(Optional) A list of instance IDs on which you want to cancel the command. If not provided, the command is canceled on every instance on which it was requested.
" + "documentation":"(Optional) A list of managed node IDs on which you want to cancel the command. If not provided, the command is canceled on every node on which it was requested.
" } }, "documentation":"" @@ -3626,11 +3626,11 @@ }, "InstanceIds":{ "shape":"InstanceIdList", - "documentation":"The instance IDs against which this command was requested.
" + "documentation":"The managed node IDs against which this command was requested.
" }, "Targets":{ "shape":"Targets", - "documentation":"An array of search criteria that targets instances using a Key,Value combination that you specify. Targets is required if you don't provide one or more instance IDs in the call.
" + "documentation":"An array of search criteria that targets managed nodes using a Key,Value combination that you specify. Targets is required if you don't provide one or more managed node IDs in the call.
" }, "RequestedDateTime":{ "shape":"DateTime", @@ -3642,7 +3642,7 @@ }, "StatusDetails":{ "shape":"StatusDetails", - "documentation":"A detailed status of the command execution. StatusDetails includes more information than Status because it includes states resulting from error and concurrency control parameters. StatusDetails can show different results than Status. For more information about these statuses, see Understanding command statuses in the Amazon Web Services Systems Manager User Guide. StatusDetails can be one of the following values:
Pending: The command hasn't been sent to any instances.
In Progress: The command has been sent to at least one instance but hasn't reached a final state on all instances.
Success: The command successfully ran on all invocations. This is a terminal state.
Delivery Timed Out: The value of MaxErrors or more command invocations shows a status of Delivery Timed Out. This is a terminal state.
Execution Timed Out: The value of MaxErrors or more command invocations shows a status of Execution Timed Out. This is a terminal state.
Failed: The value of MaxErrors or more command invocations shows a status of Failed. This is a terminal state.
Incomplete: The command was attempted on all instances and one or more invocations doesn't have a value of Success but not enough invocations failed for the status to be Failed. This is a terminal state.
Canceled: The command was terminated before it was completed. This is a terminal state.
Rate Exceeded: The number of instances targeted by the command exceeded the account limit for pending invocations. The system has canceled the command before running it on any instance. This is a terminal state.
A detailed status of the command execution. StatusDetails includes more information than Status because it includes states resulting from error and concurrency control parameters. StatusDetails can show different results than Status. For more information about these statuses, see Understanding command statuses in the Amazon Web Services Systems Manager User Guide. StatusDetails can be one of the following values:
Pending: The command hasn't been sent to any managed nodes.
In Progress: The command has been sent to at least one managed node but hasn't reached a final state on all managed nodes.
Success: The command successfully ran on all invocations. This is a terminal state.
Delivery Timed Out: The value of MaxErrors or more command invocations shows a status of Delivery Timed Out. This is a terminal state.
Execution Timed Out: The value of MaxErrors or more command invocations shows a status of Execution Timed Out. This is a terminal state.
Failed: The value of MaxErrors or more command invocations shows a status of Failed. This is a terminal state.
Incomplete: The command was attempted on all managed nodes and one or more invocations doesn't have a value of Success but not enough invocations failed for the status to be Failed. This is a terminal state.
Canceled: The command was terminated before it was completed. This is a terminal state.
Rate Exceeded: The number of managed nodes targeted by the command exceeded the account limit for pending invocations. The system has canceled the command before running it on any managed node. This is a terminal state.
The maximum number of instances that are allowed to run the command at the same time. You can specify a number of instances, such as 10, or a percentage of instances, such as 10%. The default value is 50. For more information about how to use MaxConcurrency, see Running commands using Systems Manager Run Command in the Amazon Web Services Systems Manager User Guide.
The maximum number of managed nodes that are allowed to run the command at the same time. You can specify a number of managed nodes, such as 10, or a percentage of nodes, such as 10%. The default value is 50. For more information about how to use MaxConcurrency, see Running commands using Systems Manager Run Command in the Amazon Web Services Systems Manager User Guide.
The filter value. Valid values for each filter key are as follows:
InvokedAfter: Specify a timestamp to limit your results. For example, specify 2021-07-07T00:00:00Z to see a list of command executions occurring July 7, 2021, and later.
InvokedBefore: Specify a timestamp to limit your results. For example, specify 2021-07-07T00:00:00Z to see a list of command executions from before July 7, 2021.
Status: Specify a valid command status to see a list of all command executions with that status. The status choices depend on the API you call.
The status values you can specify for ListCommands are:
Pending
InProgress
Success
Cancelled
Failed
TimedOut (this includes both Delivery and Execution time outs)
AccessDenied
DeliveryTimedOut
ExecutionTimedOut
Incomplete
NoInstancesInTag
LimitExceeded
The status values you can specify for ListCommandInvocations are:
Pending
InProgress
Delayed
Success
Cancelled
Failed
TimedOut (this includes both Delivery and Execution time outs)
AccessDenied
DeliveryTimedOut
ExecutionTimedOut
Undeliverable
InvalidPlatform
Terminated
DocumentName: Specify name of the Amazon Web Services Systems Manager document (SSM document) for which you want to see command execution results. For example, specify AWS-RunPatchBaseline to see command executions that used this SSM document to perform security patching operations on instances.
ExecutionStage: Specify one of the following values (ListCommands operations only):
Executing: Returns a list of command executions that are currently still running.
Complete: Returns a list of command executions that have already completed.
The filter value. Valid values for each filter key are as follows:
InvokedAfter: Specify a timestamp to limit your results. For example, specify 2021-07-07T00:00:00Z to see a list of command executions occurring July 7, 2021, and later.
InvokedBefore: Specify a timestamp to limit your results. For example, specify 2021-07-07T00:00:00Z to see a list of command executions from before July 7, 2021.
Status: Specify a valid command status to see a list of all command executions with that status. The status choices depend on the API you call.
The status values you can specify for ListCommands are:
Pending
InProgress
Success
Cancelled
Failed
TimedOut (this includes both Delivery and Execution time outs)
AccessDenied
DeliveryTimedOut
ExecutionTimedOut
Incomplete
NoInstancesInTag
LimitExceeded
The status values you can specify for ListCommandInvocations are:
Pending
InProgress
Delayed
Success
Cancelled
Failed
TimedOut (this includes both Delivery and Execution time outs)
AccessDenied
DeliveryTimedOut
ExecutionTimedOut
Undeliverable
InvalidPlatform
Terminated
DocumentName: Specify name of the Amazon Web Services Systems Manager document (SSM document) for which you want to see command execution results. For example, specify AWS-RunPatchBaseline to see command executions that used this SSM document to perform security patching operations on managed nodes.
ExecutionStage: Specify one of the following values (ListCommands operations only):
Executing: Returns a list of command executions that are currently still running.
Complete: Returns a list of command executions that have already completed.
Describes a command filter.
An instance ID can't be specified when a command status is Pending because the command hasn't run on the instance yet.
Describes a command filter.
A managed node ID can't be specified when a command status is Pending because the command hasn't run on the node yet.
The instance ID in which this invocation was requested.
" + "documentation":"The managed node ID in which this invocation was requested.
" }, "InstanceName":{ "shape":"InstanceTagName", - "documentation":"The fully qualified host name of the managed instance.
" + "documentation":"The fully qualified host name of the managed node.
" }, "Comment":{ "shape":"Comment", @@ -3772,7 +3772,7 @@ }, "RequestedDateTime":{ "shape":"DateTime", - "documentation":"The time and date the request was sent to this instance.
" + "documentation":"The time and date the request was sent to this managed node.
" }, "Status":{ "shape":"CommandInvocationStatus", @@ -3780,7 +3780,7 @@ }, "StatusDetails":{ "shape":"StatusDetails", - "documentation":"A detailed status of the command execution for each invocation (each instance targeted by the command). StatusDetails includes more information than Status because it includes states resulting from error and concurrency control parameters. StatusDetails can show different results than Status. For more information about these statuses, see Understanding command statuses in the Amazon Web Services Systems Manager User Guide. StatusDetails can be one of the following values:
Pending: The command hasn't been sent to the instance.
In Progress: The command has been sent to the instance but hasn't reached a terminal state.
Success: The execution of the command or plugin was successfully completed. This is a terminal state.
Delivery Timed Out: The command wasn't delivered to the instance before the delivery timeout expired. Delivery timeouts don't count against the parent command's MaxErrors limit, but they do contribute to whether the parent command status is Success or Incomplete. This is a terminal state.
Execution Timed Out: Command execution started on the instance, but the execution wasn't complete before the execution timeout expired. Execution timeouts count against the MaxErrors limit of the parent command. This is a terminal state.
Failed: The command wasn't successful on the instance. For a plugin, this indicates that the result code wasn't zero. For a command invocation, this indicates that the result code for one or more plugins wasn't zero. Invocation failures count against the MaxErrors limit of the parent command. This is a terminal state.
Canceled: The command was terminated before it was completed. This is a terminal state.
Undeliverable: The command can't be delivered to the instance. The instance might not exist or might not be responding. Undeliverable invocations don't count against the parent command's MaxErrors limit and don't contribute to whether the parent command status is Success or Incomplete. This is a terminal state.
Terminated: The parent command exceeded its MaxErrors limit and subsequent command invocations were canceled by the system. This is a terminal state.
A detailed status of the command execution for each invocation (each managed node targeted by the command). StatusDetails includes more information than Status because it includes states resulting from error and concurrency control parameters. StatusDetails can show different results than Status. For more information about these statuses, see Understanding command statuses in the Amazon Web Services Systems Manager User Guide. StatusDetails can be one of the following values:
Pending: The command hasn't been sent to the managed node.
In Progress: The command has been sent to the managed node but hasn't reached a terminal state.
Success: The execution of the command or plugin was successfully completed. This is a terminal state.
Delivery Timed Out: The command wasn't delivered to the managed node before the delivery timeout expired. Delivery timeouts don't count against the parent command's MaxErrors limit, but they do contribute to whether the parent command status is Success or Incomplete. This is a terminal state.
Execution Timed Out: Command execution started on the managed node, but the execution wasn't complete before the execution timeout expired. Execution timeouts count against the MaxErrors limit of the parent command. This is a terminal state.
Failed: The command wasn't successful on the managed node. For a plugin, this indicates that the result code wasn't zero. For a command invocation, this indicates that the result code for one or more plugins wasn't zero. Invocation failures count against the MaxErrors limit of the parent command. This is a terminal state.
Canceled: The command was terminated before it was completed. This is a terminal state.
Undeliverable: The command can't be delivered to the managed node. The managed node might not exist or might not be responding. Undeliverable invocations don't count against the parent command's MaxErrors limit and don't contribute to whether the parent command status is Success or Incomplete. This is a terminal state.
Terminated: The parent command exceeded its MaxErrors limit and subsequent command invocations were canceled by the system. This is a terminal state.
The Identity and Access Management (IAM) service role that Run Command, a capability of Amazon Web Services Systems Manager, uses to act on your behalf when sending notifications about command status changes on a per instance basis.
" + "documentation":"The Identity and Access Management (IAM) service role that Run Command, a capability of Amazon Web Services Systems Manager, uses to act on your behalf when sending notifications about command status changes on a per managed node basis.
" }, "NotificationConfig":{ "shape":"NotificationConfig", - "documentation":"Configurations for sending notifications about command status changes on a per instance basis.
" + "documentation":"Configurations for sending notifications about command status changes on a per managed node basis.
" }, "CloudWatchOutputConfig":{ "shape":"CloudWatchOutputConfig", "documentation":"Amazon CloudWatch Logs information where you want Amazon Web Services Systems Manager to send the command output.
" } }, - "documentation":"An invocation is copy of a command sent to a specific instance. A command can apply to one or more instances. A command invocation applies to one instance. For example, if a user runs SendCommand against three instances, then a command invocation is created for each requested instance ID. A command invocation returns status and detail information about a command you ran.
" + "documentation":"An invocation is a copy of a command sent to a specific managed node. A command can apply to one or more managed nodes. A command invocation applies to one managed node. For example, if a user runs SendCommand against three managed nodes, then a command invocation is created for each requested managed node ID. A command invocation returns status and detail information about a command you ran.
A detailed status of the plugin execution. StatusDetails includes more information than Status because it includes states resulting from error and concurrency control parameters. StatusDetails can show different results than Status. For more information about these statuses, see Understanding command statuses in the Amazon Web Services Systems Manager User Guide. StatusDetails can be one of the following values:
Pending: The command hasn't been sent to the instance.
In Progress: The command has been sent to the instance but hasn't reached a terminal state.
Success: The execution of the command or plugin was successfully completed. This is a terminal state.
Delivery Timed Out: The command wasn't delivered to the instance before the delivery timeout expired. Delivery timeouts don't count against the parent command's MaxErrors limit, but they do contribute to whether the parent command status is Success or Incomplete. This is a terminal state.
Execution Timed Out: Command execution started on the instance, but the execution wasn't complete before the execution timeout expired. Execution timeouts count against the MaxErrors limit of the parent command. This is a terminal state.
Failed: The command wasn't successful on the instance. For a plugin, this indicates that the result code wasn't zero. For a command invocation, this indicates that the result code for one or more plugins wasn't zero. Invocation failures count against the MaxErrors limit of the parent command. This is a terminal state.
Canceled: The command was terminated before it was completed. This is a terminal state.
Undeliverable: The command can't be delivered to the instance. The instance might not exist, or it might not be responding. Undeliverable invocations don't count against the parent command's MaxErrors limit, and they don't contribute to whether the parent command status is Success or Incomplete. This is a terminal state.
Terminated: The parent command exceeded its MaxErrors limit and subsequent command invocations were canceled by the system. This is a terminal state.
A detailed status of the plugin execution. StatusDetails includes more information than Status because it includes states resulting from error and concurrency control parameters. StatusDetails can show different results than Status. For more information about these statuses, see Understanding command statuses in the Amazon Web Services Systems Manager User Guide. StatusDetails can be one of the following values:
Pending: The command hasn't been sent to the managed node.
In Progress: The command has been sent to the managed node but hasn't reached a terminal state.
Success: The execution of the command or plugin was successfully completed. This is a terminal state.
Delivery Timed Out: The command wasn't delivered to the managed node before the delivery timeout expired. Delivery timeouts don't count against the parent command's MaxErrors limit, but they do contribute to whether the parent command status is Success or Incomplete. This is a terminal state.
Execution Timed Out: Command execution started on the managed node, but the execution wasn't complete before the execution timeout expired. Execution timeouts count against the MaxErrors limit of the parent command. This is a terminal state.
Failed: The command wasn't successful on the managed node. For a plugin, this indicates that the result code wasn't zero. For a command invocation, this indicates that the result code for one or more plugins wasn't zero. Invocation failures count against the MaxErrors limit of the parent command. This is a terminal state.
Canceled: The command was terminated before it was completed. This is a terminal state.
Undeliverable: The command can't be delivered to the managed node. The managed node might not exist, or it might not be responding. Undeliverable invocations don't count against the parent command's MaxErrors limit, and they don't contribute to whether the parent command status is Success or Incomplete. This is a terminal state.
Terminated: The parent command exceeded its MaxErrors limit and subsequent command invocations were canceled by the system. This is a terminal state.
The S3 bucket where the responses to the command executions should be stored. This was requested when issuing the command. For example, in the following response:
doc-example-bucket/ab19cb99-a030-46dd-9dfc-8eSAMPLEPre-Fix/i-02573cafcfEXAMPLE/awsrunShellScript
doc-example-bucket is the name of the S3 bucket;
ab19cb99-a030-46dd-9dfc-8eSAMPLEPre-Fix is the name of the S3 prefix;
i-02573cafcfEXAMPLE is the instance ID;
awsrunShellScript is the name of the plugin.
The S3 bucket where the responses to the command executions should be stored. This was requested when issuing the command. For example, in the following response:
doc-example-bucket/ab19cb99-a030-46dd-9dfc-8eSAMPLEPre-Fix/i-02573cafcfEXAMPLE/awsrunShellScript
doc-example-bucket is the name of the S3 bucket;
ab19cb99-a030-46dd-9dfc-8eSAMPLEPre-Fix is the name of the S3 prefix;
i-02573cafcfEXAMPLE is the managed node ID;
awsrunShellScript is the name of the plugin.
The S3 directory path inside the bucket where the responses to the command executions should be stored. This was requested when issuing the command. For example, in the following response:
doc-example-bucket/ab19cb99-a030-46dd-9dfc-8eSAMPLEPre-Fix/i-02573cafcfEXAMPLE/awsrunShellScript
doc-example-bucket is the name of the S3 bucket;
ab19cb99-a030-46dd-9dfc-8eSAMPLEPre-Fix is the name of the S3 prefix;
i-02573cafcfEXAMPLE is the instance ID;
awsrunShellScript is the name of the plugin.
The S3 directory path inside the bucket where the responses to the command executions should be stored. This was requested when issuing the command. For example, in the following response:
doc-example-bucket/ab19cb99-a030-46dd-9dfc-8eSAMPLEPre-Fix/i-02573cafcfEXAMPLE/awsrunShellScript
doc-example-bucket is the name of the S3 bucket;
ab19cb99-a030-46dd-9dfc-8eSAMPLEPre-Fix is the name of the S3 prefix;
i-02573cafcfEXAMPLE is the managed node ID;
awsrunShellScript is the name of the plugin.
Describes plugin details.
" @@ -3974,7 +3974,7 @@ }, "ResourceId":{ "shape":"ComplianceResourceId", - "documentation":"An ID for the resource. For a managed instance, this is the instance ID.
" + "documentation":"An ID for the resource. For a managed node, this is the node ID.
" }, "Id":{ "shape":"ComplianceItemId", @@ -4219,15 +4219,15 @@ }, "DefaultInstanceName":{ "shape":"DefaultInstanceName", - "documentation":"The name of the registered, managed instance as it will appear in the Amazon Web Services Systems Manager console or when you use the Amazon Web Services command line tools to list Systems Manager resources.
Don't enter personally identifiable information in this field.
The name of the registered, managed node as it will appear in the Amazon Web Services Systems Manager console or when you use the Amazon Web Services command line tools to list Systems Manager resources.
Don't enter personally identifiable information in this field.
The name of the Identity and Access Management (IAM) role that you want to assign to the managed instance. This IAM role must provide AssumeRole permissions for the Amazon Web Services Systems Manager service principal ssm.amazonaws.com. For more information, see Create an IAM service role for a hybrid environment in the Amazon Web Services Systems Manager User Guide.
The name of the Identity and Access Management (IAM) role that you want to assign to the managed node. This IAM role must provide AssumeRole permissions for the Amazon Web Services Systems Manager service principal ssm.amazonaws.com. For more information, see Create an IAM service role for a hybrid environment in the Amazon Web Services Systems Manager User Guide.
Specify the maximum number of managed instances you want to register. The default value is 1.
Specify the maximum number of managed nodes you want to register. The default value is 1.
Optional metadata that you assign to a resource. Tags enable you to categorize a resource in different ways, such as by purpose, owner, or environment. For example, you might want to tag an activation to identify which servers or virtual machines (VMs) in your on-premises environment you intend to activate. In this case, you could specify the following key-value pairs:
Key=OS,Value=Windows
Key=Environment,Value=Production
When you install SSM Agent on your on-premises servers and VMs, you specify an activation ID and code. When you specify the activation ID and code, tags assigned to the activation are automatically applied to the on-premises servers or VMs.
You can't add tags to or delete tags from an existing activation. You can tag your on-premises servers and VMs after they connect to Systems Manager for the first time and are assigned a managed instance ID. This means they are listed in the Amazon Web Services Systems Manager console with an ID that is prefixed with \"mi-\". For information about how to add tags to your managed instances, see AddTagsToResource. For information about how to remove tags from your managed instances, see RemoveTagsFromResource.
" + "documentation":"Optional metadata that you assign to a resource. Tags enable you to categorize a resource in different ways, such as by purpose, owner, or environment. For example, you might want to tag an activation to identify which servers or virtual machines (VMs) in your on-premises environment you intend to activate. In this case, you could specify the following key-value pairs:
Key=OS,Value=Windows
Key=Environment,Value=Production
When you install SSM Agent on your on-premises servers and VMs, you specify an activation ID and code. When you specify the activation ID and code, tags assigned to the activation are automatically applied to the on-premises servers or VMs.
You can't add tags to or delete tags from an existing activation. You can tag your on-premises servers, edge devices, and VMs after they connect to Systems Manager for the first time and are assigned a managed node ID. This means they are listed in the Amazon Web Services Systems Manager console with an ID that is prefixed with \"mi-\". For information about how to add tags to your managed nodes, see AddTagsToResource. For information about how to remove tags from your managed nodes, see RemoveTagsFromResource.
" }, "RegistrationMetadata":{ "shape":"RegistrationMetadataList", @@ -4278,11 +4278,11 @@ "members":{ "Name":{ "shape":"DocumentARN", - "documentation":"The name of the SSM document that contains the configuration information for the instance. You can specify Command or Automation runbooks.
You can specify Amazon Web Services-predefined documents, documents you created, or a document that is shared with you from another account.
For SSM documents that are shared with you from other Amazon Web Services accounts, you must specify the complete SSM document ARN, in the following format:
arn:aws:ssm:region:account-id:document/document-name
For example:
arn:aws:ssm:us-east-2:12345678912:document/My-Shared-Document
For Amazon Web Services-predefined documents and SSM documents you created in your account, you only need to specify the document name. For example, AWS-ApplyPatchBaseline or My-Document.
The name of the SSM document that contains the configuration information for the managed node. You can specify Command or Automation runbooks.
You can specify Amazon Web Services-predefined documents, documents you created, or a document that is shared with you from another account.
For SSM documents that are shared with you from other Amazon Web Services accounts, you must specify the complete SSM document ARN, in the following format:
arn:aws:ssm:region:account-id:document/document-name
For example:
arn:aws:ssm:us-east-2:12345678912:document/My-Shared-Document
For Amazon Web Services-predefined documents and SSM documents you created in your account, you only need to specify the document name. For example, AWS-ApplyPatchBaseline or My-Document.
The instance ID.
InstanceId has been deprecated. To specify an instance ID for an association, use the Targets parameter. Requests that include the parameter InstanceID with Systems Manager documents (SSM documents) that use schema version 2.0 or later will fail. In addition, if you use the parameter InstanceId, you can't use the parameters AssociationName, DocumentVersion, MaxErrors, MaxConcurrency, OutputLocation, or ScheduleExpression. To use these parameters, you must use the Targets parameter.
The managed node ID.
InstanceId has been deprecated. To specify a managed node ID for an association, use the Targets parameter. Requests that include the parameter InstanceID with Systems Manager documents (SSM documents) that use schema version 2.0 or later will fail. In addition, if you use the parameter InstanceId, you can't use the parameters AssociationName, DocumentVersion, MaxErrors, MaxConcurrency, OutputLocation, or ScheduleExpression. To use these parameters, you must use the Targets parameter.
The instances targeted by the request.
" + "documentation":"The managed nodes targeted by the request.
" }, "ScheduleExpression":{ "shape":"ScheduleExpression", @@ -4314,11 +4314,11 @@ }, "MaxErrors":{ "shape":"MaxErrors", - "documentation":"The number of errors that are allowed before the system stops sending requests to run the association on additional targets. You can specify either an absolute number of errors, for example 10, or a percentage of the target set, for example 10%. If you specify 3, for example, the system stops sending requests when the fourth error is received. If you specify 0, then the system stops sending requests after the first error is returned. If you run an association on 50 instances and set MaxError to 10%, then the system stops sending the request when the sixth error is received.
Executions that are already running an association when MaxErrors is reached are allowed to complete, but some of these executions may fail as well. If you need to ensure that there won't be more than max-errors failed executions, set MaxConcurrency to 1 so that executions proceed one at a time.
The number of errors that are allowed before the system stops sending requests to run the association on additional targets. You can specify either an absolute number of errors, for example 10, or a percentage of the target set, for example 10%. If you specify 3, for example, the system stops sending requests when the fourth error is received. If you specify 0, then the system stops sending requests after the first error is returned. If you run an association on 50 managed nodes and set MaxError to 10%, then the system stops sending the request when the sixth error is received.
Executions that are already running an association when MaxErrors is reached are allowed to complete, but some of these executions may fail as well. If you need to ensure that there won't be more than max-errors failed executions, set MaxConcurrency to 1 so that executions proceed one at a time.
The maximum number of targets allowed to run the association at the same time. You can specify a number, for example 10, or a percentage of the target set, for example 10%. The default value is 100%, which means all targets run the association at the same time.
If a new instance starts and attempts to run an association while Systems Manager is running MaxConcurrency associations, the association is allowed to run. During the next association interval, the new instance will process its association within the limit specified for MaxConcurrency.
The maximum number of targets allowed to run the association at the same time. You can specify a number, for example 10, or a percentage of the target set, for example 10%. The default value is 100%, which means all targets run the association at the same time.
If a new managed node starts and attempts to run an association while Systems Manager is running MaxConcurrency associations, the association is allowed to run. During the next association interval, the new managed node will process its association within the limit specified for MaxConcurrency.
Use this action to create an association in multiple Regions and multiple accounts.
" } }, - "documentation":"Describes the association of a Amazon Web Services Systems Manager document (SSM document) and an instance.
" + "documentation":"Describes the association of a Amazon Web Services Systems Manager document (SSM document) and a managed node.
" }, "CreateAssociationBatchResult":{ "type":"structure", @@ -4362,7 +4362,7 @@ "members":{ "Name":{ "shape":"DocumentARN", - "documentation":"The name of the SSM Command document or Automation runbook that contains the configuration information for the instance.
You can specify Amazon Web Services-predefined documents, documents you created, or a document that is shared with you from another account.
For Systems Manager documents (SSM documents) that are shared with you from other Amazon Web Services accounts, you must specify the complete SSM document ARN, in the following format:
arn:partition:ssm:region:account-id:document/document-name
For example:
arn:aws:ssm:us-east-2:12345678912:document/My-Shared-Document
For Amazon Web Services-predefined documents and SSM documents you created in your account, you only need to specify the document name. For example, AWS-ApplyPatchBaseline or My-Document.
The name of the SSM Command document or Automation runbook that contains the configuration information for the managed node.
You can specify Amazon Web Services-predefined documents, documents you created, or a document that is shared with you from another account.
For Systems Manager documents (SSM documents) that are shared with you from other Amazon Web Services accounts, you must specify the complete SSM document ARN, in the following format:
arn:partition:ssm:region:account-id:document/document-name
For example:
arn:aws:ssm:us-east-2:12345678912:document/My-Shared-Document
For Amazon Web Services-predefined documents and SSM documents you created in your account, you only need to specify the document name. For example, AWS-ApplyPatchBaseline or My-Document.
The instance ID.
InstanceId has been deprecated. To specify an instance ID for an association, use the Targets parameter. Requests that include the parameter InstanceID with Systems Manager documents (SSM documents) that use schema version 2.0 or later will fail. In addition, if you use the parameter InstanceId, you can't use the parameters AssociationName, DocumentVersion, MaxErrors, MaxConcurrency, OutputLocation, or ScheduleExpression. To use these parameters, you must use the Targets parameter.
The managed node ID.
InstanceId has been deprecated. To specify a managed node ID for an association, use the Targets parameter. Requests that include the parameter InstanceID with Systems Manager documents (SSM documents) that use schema version 2.0 or later will fail. In addition, if you use the parameter InstanceId, you can't use the parameters AssociationName, DocumentVersion, MaxErrors, MaxConcurrency, OutputLocation, or ScheduleExpression. To use these parameters, you must use the Targets parameter.
The targets for the association. You can target instances by using tags, Amazon Web Services resource groups, all instances in an Amazon Web Services account, or individual instance IDs. You can target all instances in an Amazon Web Services account by specifying the InstanceIds key with a value of *. For more information about choosing targets for an association, see Using targets and rate controls with State Manager associations in the Amazon Web Services Systems Manager User Guide.
The targets for the association. You can target managed nodes by using tags, Amazon Web Services resource groups, all managed nodes in an Amazon Web Services account, or individual managed node IDs. You can target all managed nodes in an Amazon Web Services account by specifying the InstanceIds key with a value of *. For more information about choosing targets for an association, see Using targets and rate controls with State Manager associations in the Amazon Web Services Systems Manager User Guide.
The number of errors that are allowed before the system stops sending requests to run the association on additional targets. You can specify either an absolute number of errors, for example 10, or a percentage of the target set, for example 10%. If you specify 3, for example, the system stops sending requests when the fourth error is received. If you specify 0, then the system stops sending requests after the first error is returned. If you run an association on 50 instances and set MaxError to 10%, then the system stops sending the request when the sixth error is received.
Executions that are already running an association when MaxErrors is reached are allowed to complete, but some of these executions may fail as well. If you need to ensure that there won't be more than max-errors failed executions, set MaxConcurrency to 1 so that executions proceed one at a time.
The number of errors that are allowed before the system stops sending requests to run the association on additional targets. You can specify either an absolute number of errors, for example 10, or a percentage of the target set, for example 10%. If you specify 3, for example, the system stops sending requests when the fourth error is received. If you specify 0, then the system stops sending requests after the first error is returned. If you run an association on 50 managed nodes and set MaxError to 10%, then the system stops sending the request when the sixth error is received.
Executions that are already running an association when MaxErrors is reached are allowed to complete, but some of these executions may fail as well. If you need to ensure that there won't be more than max-errors failed executions, set MaxConcurrency to 1 so that executions proceed one at a time.
The maximum number of targets allowed to run the association at the same time. You can specify a number, for example 10, or a percentage of the target set, for example 10%. The default value is 100%, which means all targets run the association at the same time.
If a new instance starts and attempts to run an association while Systems Manager is running MaxConcurrency associations, the association is allowed to run. During the next association interval, the new instance will process its association within the limit specified for MaxConcurrency.
The maximum number of targets allowed to run the association at the same time. You can specify a number, for example 10, or a percentage of the target set, for example 10%. The default value is 100%, which means all targets run the association at the same time.
If a new managed node starts and attempts to run an association while Systems Manager is running MaxConcurrency associations, the association is allowed to run. During the next association interval, the new managed node will process its association within the limit specified for MaxConcurrency.
Enables a maintenance window task to run on managed instances, even if you haven't registered those instances as targets. If enabled, then you must specify the unregistered instances (by instance ID) when you register a task with the maintenance window.
If you don't enable this option, then you must specify previously-registered targets when you register a task with the maintenance window.
" + "documentation":"Enables a maintenance window task to run on managed nodes, even if you haven't registered those nodes as targets. If enabled, then you must specify the unregistered managed nodes (by node ID) when you register a task with the maintenance window.
If you don't enable this option, then you must specify previously-registered targets when you register a task with the maintenance window.
" }, "ClientToken":{ "shape":"ClientToken", @@ -4700,7 +4700,7 @@ }, "ApprovedPatchesEnableNonSecurity":{ "shape":"Boolean", - "documentation":"Indicates whether the list of approved patches includes non-security updates that should be applied to the instances. The default value is false. Applies to Linux instances only.
Indicates whether the list of approved patches includes non-security updates that should be applied to the managed nodes. The default value is false. Applies to Linux managed nodes only.
Information about the patches to use to update the instances, including target operating systems and source repositories. Applies to Linux instances only.
" + "documentation":"Information about the patches to use to update the managed nodes, including target operating systems and source repositories. Applies to Linux managed nodes only.
" }, "ClientToken":{ "shape":"ClientToken", @@ -4807,7 +4807,7 @@ }, "InstanceId":{ "shape":"InstanceId", - "documentation":"The instance ID.
InstanceId has been deprecated. To specify an instance ID for an association, use the Targets parameter. Requests that include the parameter InstanceID with Systems Manager documents (SSM documents) that use schema version 2.0 or later will fail. In addition, if you use the parameter InstanceId, you can't use the parameters AssociationName, DocumentVersion, MaxErrors, MaxConcurrency, OutputLocation, or ScheduleExpression. To use these parameters, you must use the Targets parameter.
The managed node ID.
InstanceId has been deprecated. To specify a managed node ID for an association, use the Targets parameter. Requests that include the parameter InstanceID with Systems Manager documents (SSM documents) that use schema version 2.0 or later will fail. In addition, if you use the parameter InstanceId, you can't use the parameters AssociationName, DocumentVersion, MaxErrors, MaxConcurrency, OutputLocation, or ScheduleExpression. To use these parameters, you must use the Targets parameter.
The ID assigned to the managed instance when you registered it using the activation process.
" + "documentation":"The ID assigned to the managed node when you registered it using the activation process.
" } } }, @@ -5253,7 +5253,7 @@ }, "InstanceId":{ "shape":"InstanceId", - "documentation":"The instance ID.
" + "documentation":"The managed node ID.
" }, "AssociationId":{ "shape":"AssociationId", @@ -5261,7 +5261,7 @@ }, "AssociationVersion":{ "shape":"AssociationVersion", - "documentation":"Specify the association version to retrieve. To view the latest version, either specify $LATEST for this parameter, or omit this parameter. To view a list of all associations for an instance, use ListAssociations. To get a list of versions for a specific association, use ListAssociationVersions.
Specify the association version to retrieve. To view the latest version, either specify $LATEST for this parameter, or omit this parameter. To view a list of all associations for a managed node, use ListAssociations. To get a list of versions for a specific association, use ListAssociationVersions.
Each element in the array is a structure containing a key-value pair.
Windows Server
Supported keys for Windows Server instance patches include the following:
PATCH_SET
Sample values: OS | APPLICATION
PRODUCT
Sample values: WindowsServer2012 | Office 2010 | MicrosoftDefenderAntivirus
PRODUCT_FAMILY
Sample values: Windows | Office
MSRC_SEVERITY
Sample values: ServicePacks | Important | Moderate
CLASSIFICATION
Sample values: ServicePacks | SecurityUpdates | DefinitionUpdates
PATCH_ID
Sample values: KB123456 | KB4516046
Linux
When specifying filters for Linux patches, you must specify a key-pair for PRODUCT. For example, using the Command Line Interface (CLI), the following command fails:
aws ssm describe-available-patches --filters Key=CVE_ID,Values=CVE-2018-3615
However, the following command succeeds:
aws ssm describe-available-patches --filters Key=PRODUCT,Values=AmazonLinux2018.03 Key=CVE_ID,Values=CVE-2018-3615
Supported keys for Linux instance patches include the following:
PRODUCT
Sample values: AmazonLinux2018.03 | AmazonLinux2.0
NAME
Sample values: kernel-headers | samba-python | php
SEVERITY
Sample values: Critical | Important | Medium | Low
EPOCH
Sample values: 0 | 1
VERSION
Sample values: 78.6.1 | 4.10.16
RELEASE
Sample values: 9.56.amzn1 | 1.amzn2
ARCH
Sample values: i686 | x86_64
REPOSITORY
Sample values: Core | Updates
ADVISORY_ID
Sample values: ALAS-2018-1058 | ALAS2-2021-1594
CVE_ID
Sample values: CVE-2018-3615 | CVE-2020-1472
BUGZILLA_ID
Sample values: 1463241
Each element in the array is a structure containing a key-value pair.
Windows Server
Supported keys for Windows Server managed node patches include the following:
PATCH_SET
Sample values: OS | APPLICATION
PRODUCT
Sample values: WindowsServer2012 | Office 2010 | MicrosoftDefenderAntivirus
PRODUCT_FAMILY
Sample values: Windows | Office
MSRC_SEVERITY
Sample values: ServicePacks | Important | Moderate
CLASSIFICATION
Sample values: ServicePacks | SecurityUpdates | DefinitionUpdates
PATCH_ID
Sample values: KB123456 | KB4516046
Linux
When specifying filters for Linux patches, you must specify a key-pair for PRODUCT. For example, using the Command Line Interface (CLI), the following command fails:
aws ssm describe-available-patches --filters Key=CVE_ID,Values=CVE-2018-3615
However, the following command succeeds:
aws ssm describe-available-patches --filters Key=PRODUCT,Values=AmazonLinux2018.03 Key=CVE_ID,Values=CVE-2018-3615
Supported keys for Linux managed node patches include the following:
PRODUCT
Sample values: AmazonLinux2018.03 | AmazonLinux2.0
NAME
Sample values: kernel-headers | samba-python | php
SEVERITY
Sample values: Critical | Important | Medium | Low
EPOCH
Sample values: 0 | 1
VERSION
Sample values: 78.6.1 | 4.10.16
RELEASE
Sample values: 9.56.amzn1 | 1.amzn2
ARCH
Sample values: i686 | x86_64
REPOSITORY
Sample values: Core | Updates
ADVISORY_ID
Sample values: ALAS-2018-1058 | ALAS2-2021-1594
CVE_ID
Sample values: CVE-2018-3615 | CVE-2020-1472
BUGZILLA_ID
Sample values: 1463241
The instance ID for which you want to view all associations.
" + "documentation":"The managed node ID for which you want to view all associations.
" }, "MaxResults":{ "shape":"EffectiveInstanceAssociationMaxResults", @@ -5471,7 +5471,7 @@ "members":{ "Associations":{ "shape":"InstanceAssociationList", - "documentation":"The associations for the requested instance.
" + "documentation":"The associations for the requested managed node.
" }, "NextToken":{ "shape":"NextToken", @@ -5517,7 +5517,7 @@ "members":{ "InstanceId":{ "shape":"InstanceId", - "documentation":"The instance IDs for which you want association status information.
" + "documentation":"The managed node IDs for which you want association status information.
" }, "MaxResults":{ "shape":"MaxResults", @@ -5548,11 +5548,11 @@ "members":{ "InstanceInformationFilterList":{ "shape":"InstanceInformationFilterList", - "documentation":"This is a legacy method. We recommend that you don't use this method. Instead, use the Filters data type. Filters enables you to return instance information by filtering based on tags applied to managed instances.
Attempting to use InstanceInformationFilterList and Filters leads to an exception error.
This is a legacy method. We recommend that you don't use this method. Instead, use the Filters data type. Filters enables you to return node information by filtering based on tags applied to managed nodes.
Attempting to use InstanceInformationFilterList and Filters leads to an exception error.
One or more filters. Use a filter to return a more specific list of instances. You can filter based on tags applied to EC2 instances. Use this Filters data type instead of InstanceInformationFilterList, which is deprecated.
One or more filters. Use a filter to return a more specific list of managed nodes. You can filter based on tags applied to EC2 instances. Use this Filters data type instead of InstanceInformationFilterList, which is deprecated.
The instance information list.
" + "documentation":"The managed node information list.
" }, "NextToken":{ "shape":"NextToken", @@ -5606,7 +5606,7 @@ "members":{ "InstancePatchStates":{ "shape":"InstancePatchStatesList", - "documentation":"The high-level patch state for the requested instances.
" + "documentation":"The high-level patch state for the requested managed nodes.
" }, "NextToken":{ "shape":"NextToken", @@ -5620,7 +5620,7 @@ "members":{ "InstanceIds":{ "shape":"InstanceIdList", - "documentation":"The ID of the instance for which patch state information should be retrieved.
" + "documentation":"The ID of the managed node for which patch state information should be retrieved.
" }, "NextToken":{ "shape":"NextToken", @@ -5628,7 +5628,7 @@ }, "MaxResults":{ "shape":"PatchComplianceMaxResults", - "documentation":"The maximum number of instances to return (per page).
", + "documentation":"The maximum number of managed nodes to return (per page).
", "box":true } } @@ -5638,7 +5638,7 @@ "members":{ "InstancePatchStates":{ "shape":"InstancePatchStateList", - "documentation":"The high-level patch state for the requested instances.
" + "documentation":"The high-level patch state for the requested managed nodes.
" }, "NextToken":{ "shape":"NextToken", @@ -5652,7 +5652,7 @@ "members":{ "InstanceId":{ "shape":"InstanceId", - "documentation":"The ID of the instance whose patch state information should be retrieved.
" + "documentation":"The ID of the managed node whose patch state information should be retrieved.
" }, "Filters":{ "shape":"PatchOrchestratorFilterList", @@ -5837,7 +5837,7 @@ }, "Targets":{ "shape":"Targets", - "documentation":"The instance ID or key-value pair to retrieve information about.
" + "documentation":"The managed node ID or key-value pair to retrieve information about.
" }, "ResourceType":{ "shape":"MaintenanceWindowResourceType", @@ -5952,7 +5952,7 @@ "members":{ "Targets":{ "shape":"Targets", - "documentation":"The instance ID or key-value pair to retrieve information about.
" + "documentation":"The managed node ID or key-value pair to retrieve information about.
" }, "ResourceType":{ "shape":"MaintenanceWindowResourceType", @@ -5974,7 +5974,7 @@ "members":{ "WindowIdentities":{ "shape":"MaintenanceWindowsForTargetList", - "documentation":"Information about the maintenance window targets and tasks an instance is associated with.
" + "documentation":"Information about the maintenance window targets and tasks a managed node is associated with.
" }, "NextToken":{ "shape":"NextToken", @@ -6124,56 +6124,56 @@ "members":{ "Instances":{ "shape":"Integer", - "documentation":"The number of instances in the patch group.
" + "documentation":"The number of managed nodes in the patch group.
" }, "InstancesWithInstalledPatches":{ "shape":"Integer", - "documentation":"The number of instances with installed patches.
" + "documentation":"The number of managed nodes with installed patches.
" }, "InstancesWithInstalledOtherPatches":{ "shape":"Integer", - "documentation":"The number of instances with patches installed that aren't defined in the patch baseline.
" + "documentation":"The number of managed nodes with patches installed that aren't defined in the patch baseline.
" }, "InstancesWithInstalledPendingRebootPatches":{ "shape":"InstancesCount", - "documentation":"The number of instances with patches installed by Patch Manager that haven't been rebooted after the patch installation. The status of these instances is NON_COMPLIANT.
The number of managed nodes with patches installed by Patch Manager that haven't been rebooted after the patch installation. The status of these managed nodes is NON_COMPLIANT.
The number of instances with patches installed that are specified in a RejectedPatches list. Patches with a status of INSTALLED_REJECTED were typically installed before they were added to a RejectedPatches list.
If ALLOW_AS_DEPENDENCY is the specified option for RejectedPatchesAction, the value of InstancesWithInstalledRejectedPatches will always be 0 (zero).
The number of managed nodes with patches installed that are specified in a RejectedPatches list. Patches with a status of INSTALLED_REJECTED were typically installed before they were added to a RejectedPatches list.
If ALLOW_AS_DEPENDENCY is the specified option for RejectedPatchesAction, the value of InstancesWithInstalledRejectedPatches will always be 0 (zero).
The number of instances with missing patches from the patch baseline.
" + "documentation":"The number of managed nodes with missing patches from the patch baseline.
" }, "InstancesWithFailedPatches":{ "shape":"Integer", - "documentation":"The number of instances with patches from the patch baseline that failed to install.
" + "documentation":"The number of managed nodes with patches from the patch baseline that failed to install.
" }, "InstancesWithNotApplicablePatches":{ "shape":"Integer", - "documentation":"The number of instances with patches that aren't applicable.
" + "documentation":"The number of managed nodes with patches that aren't applicable.
" }, "InstancesWithUnreportedNotApplicablePatches":{ "shape":"Integer", - "documentation":"The number of instances with NotApplicable patches beyond the supported limit, which aren't reported by name to Inventory. Inventory is a capability of Amazon Web Services Systems Manager.
The number of managed nodes with NotApplicable patches beyond the supported limit, which aren't reported by name to Inventory. Inventory is a capability of Amazon Web Services Systems Manager.
The number of instances where patches that are specified as Critical for compliance reporting in the patch baseline aren't installed. These patches might be missing, have failed installation, were rejected, or were installed but awaiting a required instance reboot. The status of these instances is NON_COMPLIANT.
The number of managed nodes where patches that are specified as Critical for compliance reporting in the patch baseline aren't installed. These patches might be missing, have failed installation, were rejected, or were installed but awaiting a required managed node reboot. The status of these managed nodes is NON_COMPLIANT.
The number of instances where patches that are specified as Security in a patch advisory aren't installed. These patches might be missing, have failed installation, were rejected, or were installed but awaiting a required instance reboot. The status of these instances is NON_COMPLIANT.
The number of managed nodes where patches that are specified as Security in a patch advisory aren't installed. These patches might be missing, have failed installation, were rejected, or were installed but awaiting a required managed node reboot. The status of these managed nodes is NON_COMPLIANT.
The number of instances with patches installed that are specified as other than Critical or Security but aren't compliant with the patch baseline. The status of these instances is NON_COMPLIANT.
The number of managed nodes with patches installed that are specified as other than Critical or Security but aren't compliant with the patch baseline. The status of these managed nodes is NON_COMPLIANT.
You can't specify an instance ID in more than one association.
", + "documentation":"You can't specify a managed node ID in more than one association.
", "exception":true }, "EffectiveInstanceAssociationMaxResults":{ @@ -7106,7 +7106,7 @@ }, "InstanceId":{ "shape":"InstanceId", - "documentation":"(Required) The ID of the managed instance targeted by the command. A managed instance can be an Amazon Elastic Compute Cloud (Amazon EC2) instance or an instance in your hybrid environment that is configured for Amazon Web Services Systems Manager.
" + "documentation":"(Required) The ID of the managed node targeted by the command. A managed node can be an Amazon Elastic Compute Cloud (Amazon EC2) instance, edge device, and on-premises server or VM in your hybrid environment that is configured for Amazon Web Services Systems Manager.
" }, "PluginName":{ "shape":"CommandPluginName", @@ -7123,7 +7123,7 @@ }, "InstanceId":{ "shape":"InstanceId", - "documentation":"The ID of the managed instance targeted by the command. A managed instance can be an EC2 instance or an instance in your hybrid environment that is configured for Systems Manager.
" + "documentation":"The ID of the managed node targeted by the command. A managed node can be an Amazon Elastic Compute Cloud (Amazon EC2) instance, edge device, or on-premises server or VM in your hybrid environment that is configured for Amazon Web Services Systems Manager.
" }, "Comment":{ "shape":"Comment", @@ -7143,7 +7143,7 @@ }, "ResponseCode":{ "shape":"ResponseCode", - "documentation":"The error level response code for the plugin script. If the response code is -1, then the command hasn't started running on the instance, or it wasn't received by the instance.
The error level response code for the plugin script. If the response code is -1, then the command hasn't started running on the managed node, or it wasn't received by the node.
A detailed status of the command execution for an invocation. StatusDetails includes more information than Status because it includes states resulting from error and concurrency control parameters. StatusDetails can show different results than Status. For more information about these statuses, see Understanding command statuses in the Amazon Web Services Systems Manager User Guide. StatusDetails can be one of the following values:
Pending: The command hasn't been sent to the instance.
In Progress: The command has been sent to the instance but hasn't reached a terminal state.
Delayed: The system attempted to send the command to the target, but the target wasn't available. The instance might not be available because of network issues, because the instance was stopped, or for similar reasons. The system will try to send the command again.
Success: The command or plugin ran successfully. This is a terminal state.
Delivery Timed Out: The command wasn't delivered to the instance before the delivery timeout expired. Delivery timeouts don't count against the parent command's MaxErrors limit, but they do contribute to whether the parent command status is Success or Incomplete. This is a terminal state.
Execution Timed Out: The command started to run on the instance, but the execution wasn't complete before the timeout expired. Execution timeouts count against the MaxErrors limit of the parent command. This is a terminal state.
Failed: The command wasn't run successfully on the instance. For a plugin, this indicates that the result code wasn't zero. For a command invocation, this indicates that the result code for one or more plugins wasn't zero. Invocation failures count against the MaxErrors limit of the parent command. This is a terminal state.
Canceled: The command was terminated before it was completed. This is a terminal state.
Undeliverable: The command can't be delivered to the instance. The instance might not exist or might not be responding. Undeliverable invocations don't count against the parent command's MaxErrors limit and don't contribute to whether the parent command status is Success or Incomplete. This is a terminal state.
Terminated: The parent command exceeded its MaxErrors limit and subsequent command invocations were canceled by the system. This is a terminal state.
A detailed status of the command execution for an invocation. StatusDetails includes more information than Status because it includes states resulting from error and concurrency control parameters. StatusDetails can show different results than Status. For more information about these statuses, see Understanding command statuses in the Amazon Web Services Systems Manager User Guide. StatusDetails can be one of the following values:
Pending: The command hasn't been sent to the managed node.
In Progress: The command has been sent to the managed node but hasn't reached a terminal state.
Delayed: The system attempted to send the command to the target, but the target wasn't available. The managed node might not be available because of network issues, because the node was stopped, or for similar reasons. The system will try to send the command again.
Success: The command or plugin ran successfully. This is a terminal state.
Delivery Timed Out: The command wasn't delivered to the managed node before the delivery timeout expired. Delivery timeouts don't count against the parent command's MaxErrors limit, but they do contribute to whether the parent command status is Success or Incomplete. This is a terminal state.
Execution Timed Out: The command started to run on the managed node, but the execution wasn't complete before the timeout expired. Execution timeouts count against the MaxErrors limit of the parent command. This is a terminal state.
Failed: The command wasn't run successfully on the managed node. For a plugin, this indicates that the result code wasn't zero. For a command invocation, this indicates that the result code for one or more plugins wasn't zero. Invocation failures count against the MaxErrors limit of the parent command. This is a terminal state.
Canceled: The command was terminated before it was completed. This is a terminal state.
Undeliverable: The command can't be delivered to the managed node. The node might not exist or might not be responding. Undeliverable invocations don't count against the parent command's MaxErrors limit and don't contribute to whether the parent command status is Success or Incomplete. This is a terminal state.
Terminated: The parent command exceeded its MaxErrors limit and subsequent command invocations were canceled by the system. This is a terminal state.
The instance ID.
" + "documentation":"The managed node ID.
" } } }, @@ -7202,11 +7202,11 @@ "members":{ "Target":{ "shape":"SessionTarget", - "documentation":"The ID of the instance to check connection status.
" + "documentation":"The ID of the managed node to check connection status.
" }, "Status":{ "shape":"ConnectionStatus", - "documentation":"The status of the connection to the instance. For example, 'Connected' or 'Not Connected'.
" + "documentation":"The status of the connection to the managed node. For example, 'Connected' or 'Not Connected'.
" } } }, @@ -7241,7 +7241,7 @@ "members":{ "InstanceId":{ "shape":"InstanceId", - "documentation":"The ID of the instance for which the appropriate patch snapshot should be retrieved.
" + "documentation":"The ID of the managed node for which the appropriate patch snapshot should be retrieved.
" }, "SnapshotId":{ "shape":"SnapshotId", @@ -7258,7 +7258,7 @@ "members":{ "InstanceId":{ "shape":"InstanceId", - "documentation":"The instance ID.
" + "documentation":"The managed node ID.
" }, "SnapshotId":{ "shape":"SnapshotId", @@ -7270,7 +7270,7 @@ }, "Product":{ "shape":"Product", - "documentation":"Returns the specific operating system (for example Windows Server 2012 or Amazon Linux 2015.09) on the instance for the specified patch snapshot.
" + "documentation":"Returns the specific operating system (for example Windows Server 2012 or Amazon Linux 2015.09) on the managed node for the specified patch snapshot.
" } } }, @@ -7362,7 +7362,7 @@ }, "Aggregators":{ "shape":"InventoryAggregatorList", - "documentation":"Returns counts of inventory types based on one or more expressions. For example, if you aggregate by using an expression that uses the AWS:InstanceInformation.PlatformType type, you can see a count of how many Windows and Linux instances exist in your inventoried fleet.
Returns counts of inventory types based on one or more expressions. For example, if you aggregate by using an expression that uses the AWS:InstanceInformation.PlatformType type, you can see a count of how many Windows and Linux managed nodes exist in your inventoried fleet.
Collection of inventory entities such as a collection of instance inventory.
" + "documentation":"Collection of inventory entities such as a collection of managed node inventory.
" }, "NextToken":{ "shape":"NextToken", @@ -8101,7 +8101,7 @@ }, "ApprovedPatchesEnableNonSecurity":{ "shape":"Boolean", - "documentation":"Indicates whether the list of approved patches includes non-security updates that should be applied to the instances. The default value is false. Applies to Linux instances only.
Indicates whether the list of approved patches includes non-security updates that should be applied to the managed nodes. The default value is false. Applies to Linux managed nodes only.
Information about the patches to use to update the instances, including target operating systems and source repositories. Applies to Linux instances only.
" + "documentation":"Information about the patches to use to update the managed nodes, including target operating systems and source repositories. Applies to Linux managed nodes only.
" } } }, @@ -8224,7 +8224,7 @@ }, "InstanceAssociationStatusAggregatedCount":{ "shape":"InstanceAssociationStatusAggregatedCount", - "documentation":"The number of associations for the instance(s).
" + "documentation":"The number of associations for the managed node(s).
" } }, "documentation":"Status information about the aggregated associations.
" @@ -8238,18 +8238,18 @@ }, "InstanceId":{ "shape":"InstanceId", - "documentation":"The instance ID.
" + "documentation":"The managed node ID.
" }, "Content":{ "shape":"DocumentContent", - "documentation":"The content of the association document for the instance(s).
" + "documentation":"The content of the association document for the managed node(s).
" }, "AssociationVersion":{ "shape":"AssociationVersion", - "documentation":"Version information for the association on the instance.
" + "documentation":"Version information for the association on the managed node.
" } }, - "documentation":"One or more association documents on the instance.
" + "documentation":"One or more association documents on the managed node.
" }, "InstanceAssociationExecutionSummary":{ "type":"string", @@ -8302,23 +8302,23 @@ }, "AssociationVersion":{ "shape":"AssociationVersion", - "documentation":"The version of the association applied to the instance.
" + "documentation":"The version of the association applied to the managed node.
" }, "InstanceId":{ "shape":"InstanceId", - "documentation":"The instance ID where the association was created.
" + "documentation":"The managed node ID where the association was created.
" }, "ExecutionDate":{ "shape":"DateTime", - "documentation":"The date the instance association ran.
" + "documentation":"The date the association ran.
" }, "Status":{ "shape":"StatusName", - "documentation":"Status information about the instance association.
" + "documentation":"Status information about the association.
" }, "DetailedStatus":{ "shape":"StatusName", - "documentation":"Detailed status information about the instance association.
" + "documentation":"Detailed status information about the association.
" }, "ExecutionSummary":{ "shape":"InstanceAssociationExecutionSummary", @@ -8334,10 +8334,10 @@ }, "AssociationName":{ "shape":"AssociationName", - "documentation":"The name of the association applied to the instance.
" + "documentation":"The name of the association applied to the managed node.
" } }, - "documentation":"Status information about the instance association.
" + "documentation":"Status information about the association.
" }, "InstanceAssociationStatusInfos":{ "type":"list", @@ -8359,7 +8359,7 @@ "members":{ "InstanceId":{ "shape":"InstanceId", - "documentation":"The instance ID.
" + "documentation":"The managed node ID.
" }, "PingStatus":{ "shape":"PingStatus", @@ -8372,11 +8372,11 @@ }, "AgentVersion":{ "shape":"Version", - "documentation":"The version of SSM Agent running on your Linux instance.
" + "documentation":"The version of SSM Agent running on your Linux managed node.
" }, "IsLatestVersion":{ "shape":"Boolean", - "documentation":"Indicates whether the latest version of SSM Agent is running on your Linux Managed Instance. This field doesn't indicate whether or not the latest version is installed on Windows managed instances, because some older versions of Windows Server use the EC2Config service to process Systems Manager requests.
", + "documentation":"Indicates whether the latest version of SSM Agent is running on your Linux managed node. This field doesn't indicate whether or not the latest version is installed on Windows managed nodes, because some older versions of Windows Server use the EC2Config service to process Systems Manager requests.
", "box":true }, "PlatformType":{ @@ -8385,11 +8385,11 @@ }, "PlatformName":{ "shape":"String", - "documentation":"The name of the operating system platform running on your instance.
" + "documentation":"The name of the operating system platform running on your managed node.
" }, "PlatformVersion":{ "shape":"String", - "documentation":"The version of the OS platform running on your instance.
" + "documentation":"The version of the OS platform running on your managed node.
" }, "ActivationId":{ "shape":"ActivationId", @@ -8397,11 +8397,11 @@ }, "IamRole":{ "shape":"IamRole", - "documentation":"The Identity and Access Management (IAM) role assigned to the on-premises Systems Manager managed instance. This call doesn't return the IAM role for Amazon Elastic Compute Cloud (Amazon EC2) instances. To retrieve the IAM role for an EC2 instance, use the Amazon EC2 DescribeInstances operation. For information, see DescribeInstances in the Amazon EC2 API Reference or describe-instances in the Amazon Web Services CLI Command Reference.
The Identity and Access Management (IAM) role assigned to the on-premises Systems Manager managed node. This call doesn't return the IAM role for Amazon Elastic Compute Cloud (Amazon EC2) instances. To retrieve the IAM role for an EC2 instance, use the Amazon EC2 DescribeInstances operation. For information, see DescribeInstances in the Amazon EC2 API Reference or describe-instances in the Amazon Web Services CLI Command Reference.
The date the server or VM was registered with Amazon Web Services as a managed instance.
", + "documentation":"The date the server or VM was registered with Amazon Web Services as a managed node.
", "box":true }, "ResourceType":{ @@ -8410,15 +8410,15 @@ }, "Name":{ "shape":"String", - "documentation":"The name assigned to an on-premises server or virtual machine (VM) when it is activated as a Systems Manager managed instance. The name is specified as the DefaultInstanceName property using the CreateActivation command. It is applied to the managed instance by specifying the Activation Code and Activation ID when you install SSM Agent on the instance, as explained in Install SSM Agent for a hybrid environment (Linux) and Install SSM Agent for a hybrid environment (Windows). To retrieve the Name tag of an EC2 instance, use the Amazon EC2 DescribeInstances operation. For information, see DescribeInstances in the Amazon EC2 API Reference or describe-instances in the Amazon Web Services CLI Command Reference.
The name assigned to an on-premises server, edge device, or virtual machine (VM) when it is activated as a Systems Manager managed node. The name is specified as the DefaultInstanceName property using the CreateActivation command. It is applied to the managed node by specifying the Activation Code and Activation ID when you install SSM Agent on the node, as explained in Install SSM Agent for a hybrid environment (Linux) and Install SSM Agent for a hybrid environment (Windows). To retrieve the Name tag of an EC2 instance, use the Amazon EC2 DescribeInstances operation. For information, see DescribeInstances in the Amazon EC2 API Reference or describe-instances in the Amazon Web Services CLI Command Reference.
The IP address of the managed instance.
" + "documentation":"The IP address of the managed node.
" }, "ComputerName":{ "shape":"ComputerName", - "documentation":"The fully qualified host name of the managed instance.
" + "documentation":"The fully qualified host name of the managed node.
" }, "AssociationStatus":{ "shape":"StatusName", @@ -8435,9 +8435,17 @@ "AssociationOverview":{ "shape":"InstanceAggregatedAssociationOverview", "documentation":"Information about the association.
" + }, + "SourceId":{ + "shape":"SourceId", + "documentation":"The ID of the source resource. For IoT Greengrass devices, SourceId is the Thing name.
The type of the source resource. For IoT Greengrass devices, SourceType is AWS::IoT::Thing.
Describes a filter for a specific list of instances.
" + "documentation":"Describes a filter for a specific list of managed nodes.
" }, "InstanceInformationFilter":{ "type":"structure", @@ -8455,7 +8463,7 @@ "documentation":"The filter values.
" } }, - "documentation":"Describes a filter for a specific list of instances. You can filter instances information by using tags. You specify tags by using a key-value mapping.
Use this operation instead of the DescribeInstanceInformationRequest$InstanceInformationFilterList method. The InstanceInformationFilterList method is a legacy method and doesn't support tags.
Describes a filter for a specific list of managed nodes. You can filter node information by using tags. You specify tags by using a key-value mapping.
Use this operation instead of the DescribeInstanceInformationRequest$InstanceInformationFilterList method. The InstanceInformationFilterList method is a legacy method and doesn't support tags.
The filter key name to describe your instances. For example:
\"InstanceIds\"|\"AgentVersion\"|\"PingStatus\"|\"PlatformTypes\"|\"ActivationIds\"|\"IamRole\"|\"ResourceType\"|\"AssociationStatus\"|\"Tag Key\"
Tag key isn't a valid filter. You must specify either tag-key or tag:keyname and a string. Here are some valid examples: tag-key, tag:123, tag:al!, tag:Windows. Here are some invalid examples: tag-keys, Tag Key, tag:, tagKey, abc:keyname.
The filter key name to describe your managed nodes. For example:
\"InstanceIds\"|\"AgentVersion\"|\"PingStatus\"|\"PlatformTypes\"|\"ActivationIds\"|\"IamRole\"|\"ResourceType\"|\"AssociationStatus\"|\"Tag Key\"
Tag key isn't a valid filter. You must specify either tag-key or tag:keyname and a string. Here are some valid examples: tag-key, tag:123, tag:al!, tag:Windows. Here are some invalid examples: tag-keys, Tag Key, tag:, tagKey, abc:keyname.
The filter values.
" } }, - "documentation":"The filters to describe or get information about your managed instances.
" + "documentation":"The filters to describe or get information about your managed nodes.
" }, "InstanceInformationStringFilterKey":{ "type":"string", @@ -8529,15 +8537,15 @@ "members":{ "InstanceId":{ "shape":"InstanceId", - "documentation":"The ID of the managed instance the high-level patch compliance information was collected for.
" + "documentation":"The ID of the managed node the high-level patch compliance information was collected for.
" }, "PatchGroup":{ "shape":"PatchGroup", - "documentation":"The name of the patch group the managed instance belongs to.
" + "documentation":"The name of the patch group the managed node belongs to.
" }, "BaselineId":{ "shape":"BaselineId", - "documentation":"The ID of the patch baseline used to patch the instance.
" + "documentation":"The ID of the patch baseline used to patch the managed node.
" }, "SnapshotId":{ "shape":"SnapshotId", @@ -8553,25 +8561,25 @@ }, "InstalledCount":{ "shape":"PatchInstalledCount", - "documentation":"The number of patches from the patch baseline that are installed on the instance.
" + "documentation":"The number of patches from the patch baseline that are installed on the managed node.
" }, "InstalledOtherCount":{ "shape":"PatchInstalledOtherCount", - "documentation":"The number of patches not specified in the patch baseline that are installed on the instance.
" + "documentation":"The number of patches not specified in the patch baseline that are installed on the managed node.
" }, "InstalledPendingRebootCount":{ "shape":"PatchInstalledPendingRebootCount", - "documentation":"The number of patches installed by Patch Manager since the last time the instance was rebooted.
", + "documentation":"The number of patches installed by Patch Manager since the last time the managed node was rebooted.
", "box":true }, "InstalledRejectedCount":{ "shape":"PatchInstalledRejectedCount", - "documentation":"The number of patches installed on an instance that are specified in a RejectedPatches list. Patches with a status of InstalledRejected were typically installed before they were added to a RejectedPatches list.
If ALLOW_AS_DEPENDENCY is the specified option for RejectedPatchesAction, the value of InstalledRejectedCount will always be 0 (zero).
The number of patches installed on a managed node that are specified in a RejectedPatches list. Patches with a status of InstalledRejected were typically installed before they were added to a RejectedPatches list.
If ALLOW_AS_DEPENDENCY is the specified option for RejectedPatchesAction, the value of InstalledRejectedCount will always be 0 (zero).
The number of patches from the patch baseline that are applicable for the instance but aren't currently installed.
" + "documentation":"The number of patches from the patch baseline that are applicable for the managed node but aren't currently installed.
" }, "FailedCount":{ "shape":"PatchFailedCount", @@ -8584,15 +8592,15 @@ }, "NotApplicableCount":{ "shape":"PatchNotApplicableCount", - "documentation":"The number of patches from the patch baseline that aren't applicable for the instance and therefore aren't installed on the instance. This number may be truncated if the list of patch names is very large. The number of patches beyond this limit are reported in UnreportedNotApplicableCount.
The number of patches from the patch baseline that aren't applicable for the managed node and therefore aren't installed on the node. This number may be truncated if the list of patch names is very large. The number of patches beyond this limit are reported in UnreportedNotApplicableCount.
The time the most recent patching operation was started on the instance.
" + "documentation":"The time the most recent patching operation was started on the managed node.
" }, "OperationEndTime":{ "shape":"DateTime", - "documentation":"The time the most recent patching operation completed on the instance.
" + "documentation":"The time the most recent patching operation completed on the managed node.
" }, "Operation":{ "shape":"PatchOperationType", @@ -8600,29 +8608,29 @@ }, "LastNoRebootInstallOperationTime":{ "shape":"DateTime", - "documentation":"The time of the last attempt to patch the instance with NoReboot specified as the reboot option.
The time of the last attempt to patch the managed node with NoReboot specified as the reboot option.
Indicates the reboot option specified in the patch baseline.
Reboot options apply to Install operations only. Reboots aren't attempted for Patch Manager Scan operations.
RebootIfNeeded: Patch Manager tries to reboot the instance if it installed any patches, or if any patches are detected with a status of InstalledPendingReboot.
NoReboot: Patch Manager attempts to install missing packages without trying to reboot the system. Patches installed with this option are assigned a status of InstalledPendingReboot. These patches might not be in effect until a reboot is performed.
Indicates the reboot option specified in the patch baseline.
Reboot options apply to Install operations only. Reboots aren't attempted for Patch Manager Scan operations.
RebootIfNeeded: Patch Manager tries to reboot the managed node if it installed any patches, or if any patches are detected with a status of InstalledPendingReboot.
NoReboot: Patch Manager attempts to install missing packages without trying to reboot the system. Patches installed with this option are assigned a status of InstalledPendingReboot. These patches might not be in effect until a reboot is performed.
The number of instances where patches that are specified as Critical for compliance reporting in the patch baseline aren't installed. These patches might be missing, have failed installation, were rejected, or were installed but awaiting a required instance reboot. The status of these instances is NON_COMPLIANT.
The number of managed nodes where patches that are specified as Critical for compliance reporting in the patch baseline aren't installed. These patches might be missing, have failed installation, were rejected, or were installed but awaiting a required managed node reboot. The status of these managed nodes is NON_COMPLIANT.
The number of instances where patches that are specified as Security in a patch advisory aren't installed. These patches might be missing, have failed installation, were rejected, or were installed but awaiting a required instance reboot. The status of these instances is NON_COMPLIANT.
The number of managed nodes where patches that are specified as Security in a patch advisory aren't installed. These patches might be missing, have failed installation, were rejected, or were installed but awaiting a required managed node reboot. The status of these managed nodes is NON_COMPLIANT.
The number of instances with patches installed that are specified as other than Critical or Security but aren't compliant with the patch baseline. The status of these instances is NON_COMPLIANT.
The number of managed nodes with patches installed that are specified as other than Critical or Security but aren't compliant with the patch baseline. The status of these managed nodes is NON_COMPLIANT.
Defines the high-level patch compliance state for a managed instance, providing information about the number of installed, missing, not applicable, and failed patches along with metadata about the operation when this information was gathered for the instance.
" + "documentation":"Defines the high-level patch compliance state for a managed node, providing information about the number of installed, missing, not applicable, and failed patches along with metadata about the operation when this information was gathered for the managed node.
" }, "InstancePatchStateFilter":{ "type":"structure", @@ -8645,7 +8653,7 @@ "documentation":"The type of comparison that should be performed for the value.
" } }, - "documentation":"Defines a filter used in DescribeInstancePatchStatesForPatchGroup to scope down the information returned by the API.
Example: To filter for all instances in a patch group having more than three patches with a FailedCount status, use the following for the filter:
Value for Key: FailedCount
Value for Type: GreaterThan
Value for Values: 3
Defines a filter used in DescribeInstancePatchStatesForPatchGroup to scope down the information returned by the API.
Example: To filter for all managed nodes in a patch group having more than three patches with a FailedCount status, use the following for the filter:
Value for Key: FailedCount
Value for Type: GreaterThan
Value for Values: 3
The following problems can cause this exception:
You don't have permission to access the instance.
Amazon Web Services Systems Manager Agent(SSM Agent) isn't running. Verify that SSM Agent is running.
SSM Agent isn't registered with the SSM endpoint. Try reinstalling SSM Agent.
The instance isn't in valid state. Valid states are: Running, Pending, Stopped, and Stopping. Invalid states are: Shutting-down and Terminated.
The following problems can cause this exception:
You don't have permission to access the managed node.
Amazon Web Services Systems Manager Agent(SSM Agent) isn't running. Verify that SSM Agent is running.
SSM Agent isn't registered with the SSM endpoint. Try reinstalling SSM Agent.
The managed node isn't in valid state. Valid states are: Running, Pending, Stopped, and Stopping. Invalid states are: Shutting-down and Terminated.
The resource type isn't valid. For example, if you are attempting to tag an instance, the instance must be a registered, managed instance.
", + "documentation":"The resource type isn't valid. For example, if you are attempting to tag an EC2 instance, the instance must be a registered managed node.
", "exception":true }, "InvalidResultAttributeException":{ @@ -9218,7 +9226,7 @@ }, "Values":{ "shape":"InventoryFilterValueList", - "documentation":"Inventory filter values. Example: inventory filter where instance IDs are specified as values Key=AWS:InstanceInformation.InstanceId,Values= i-a12b3c4d5e6g, i-1a2b3c4d5e6,Type=Equal.
Inventory filter values. Example: inventory filter where managed node IDs are specified as values Key=AWS:InstanceInformation.InstanceId,Values= i-a12b3c4d5e6g, i-1a2b3c4d5e6,Type=Equal.
A map of associated properties for a specified inventory type. For example, with this attribute, you can specify the ExecutionId, ExecutionType, ComplianceType properties of the AWS:ComplianceItem type.
Information collected from managed instances based on your inventory policy document
" + "documentation":"Information collected from managed nodes based on your inventory policy document
" }, "InventoryItemAttribute":{ "type":"structure", @@ -9429,7 +9437,7 @@ "members":{ "Id":{ "shape":"InventoryResultEntityId", - "documentation":"ID of the inventory result entity. For example, for managed instance inventory the result will be the managed instance ID. For EC2 instance inventory, the result will be the instance ID.
" + "documentation":"ID of the inventory result entity. For example, for managed node inventory the result will be the managed node ID. For EC2 instance inventory, the result will be the instance ID.
" }, "Data":{ "shape":"InventoryResultItemMap", @@ -9492,7 +9500,7 @@ "type":"structure", "members":{ }, - "documentation":"The command ID and instance ID you specified didn't match any invocations. Verify the command ID and the instance ID and try again.
", + "documentation":"The command ID and managed node ID you specified didn't match any invocations. Verify the command ID and the managed node ID and try again.
", "exception":true }, "InvocationTraceOutput":{ @@ -9605,7 +9613,7 @@ "members":{ "AssociationFilterList":{ "shape":"AssociationFilterList", - "documentation":"One or more filters. Use a filter to return a more specific list of results.
Filtering associations using the InstanceID attribute only returns legacy associations created using the InstanceID attribute. Associations targeting the instance that are part of the Target Attributes ResourceGroup or Tags aren't returned.
One or more filters. Use a filter to return a more specific list of results.
Filtering associations using the InstanceID attribute only returns legacy associations created using the InstanceID attribute. Associations targeting the managed node that are part of the Target Attributes ResourceGroup or Tags aren't returned.
(Optional) The command execution details for a specific instance ID.
" + "documentation":"(Optional) The command execution details for a specific managed node ID.
" }, "MaxResults":{ "shape":"CommandMaxResults", @@ -9683,7 +9691,7 @@ }, "InstanceId":{ "shape":"InstanceId", - "documentation":"(Optional) Lists commands issued against this instance ID.
You can't specify an instance ID in the same command that you specify Status = Pending. This is because the command hasn't reached the instance yet.
(Optional) Lists commands issued against this managed node ID.
You can't specify a managed node ID in the same command that you specify Status = Pending. This is because the command hasn't reached the managed node yet.
The instance ID for which you want inventory information.
" + "documentation":"The managed node ID for which you want inventory information.
" }, "TypeName":{ "shape":"InventoryItemTypeName", @@ -9944,19 +9952,19 @@ }, "InstanceId":{ "shape":"InstanceId", - "documentation":"The instance ID targeted by the request to query inventory information.
" + "documentation":"The managed node ID targeted by the request to query inventory information.
" }, "SchemaVersion":{ "shape":"InventoryItemSchemaVersion", - "documentation":"The inventory schema version used by the instance(s).
" + "documentation":"The inventory schema version used by the managed node(s).
" }, "CaptureTime":{ "shape":"InventoryItemCaptureTime", - "documentation":"The time that inventory information was collected for the instance(s).
" + "documentation":"The time that inventory information was collected for the managed node(s).
" }, "Entries":{ "shape":"InventoryItemEntryList", - "documentation":"A list of inventory items on the instance(s).
" + "documentation":"A list of inventory items on the managed node(s).
" }, "NextToken":{ "shape":"NextToken", @@ -10087,7 +10095,7 @@ "members":{ "ResourceComplianceSummaryItems":{ "shape":"ResourceComplianceSummaryItemList", - "documentation":"A summary count for specified or targeted managed instances. Summary count includes information about compliant and non-compliant State Manager associations, patch status, or custom items according to the filter criteria that you specify.
" + "documentation":"A summary count for specified or targeted managed nodes. Summary count includes information about compliant and non-compliant State Manager associations, patch status, or custom items according to the filter criteria that you specify.
" }, "NextToken":{ "shape":"NextToken", @@ -10172,7 +10180,7 @@ "documentation":"The Amazon Web Services Region where the S3 bucket is located.
" } }, - "documentation":"Information about an Amazon Simple Storage Service (Amazon S3) bucket to write instance-level logs to.
LoggingInfo has been deprecated. To specify an Amazon Simple Storage Service (Amazon S3) bucket to contain logs, instead use the OutputS3BucketName and OutputS3KeyPrefix options in the TaskInvocationParameters structure. For information about how Amazon Web Services Systems Manager handles these options for the supported maintenance window task types, see MaintenanceWindowTaskInvocationParameters.
Information about an Amazon Simple Storage Service (Amazon S3) bucket to write managed node-level logs to.
LoggingInfo has been deprecated. To specify an Amazon Simple Storage Service (Amazon S3) bucket to contain logs, instead use the OutputS3BucketName and OutputS3KeyPrefix options in the TaskInvocationParameters structure. For information about how Amazon Web Services Systems Manager handles these options for the supported maintenance window task types, see MaintenanceWindowTaskInvocationParameters.
Configurations for sending notifications about command status changes on a per-instance basis.
" + "documentation":"Configurations for sending notifications about command status changes on a per-managed node basis.
" }, "OutputS3BucketName":{ "shape":"S3BucketName", @@ -10654,7 +10662,7 @@ }, "Targets":{ "shape":"Targets", - "documentation":"The targets, either instances or tags.
Specify instances using the following format:
Key=instanceids,Values=<instanceid1>,<instanceid2>
Tags are specified using the following format:
Key=<tag name>,Values=<tag value>.
The targets, either managed nodes or tags.
Specify managed nodes using the following format:
Key=instanceids,Values=<instanceid1>,<instanceid2>
Tags are specified using the following format:
Key=<tag name>,Values=<tag value>.
The targets (either instances or tags). Instances are specified using Key=instanceids,Values=<instanceid1>,<instanceid2>. Tags are specified using Key=<tag name>,Values=<tag value>.
The targets (either managed nodes or tags). Managed nodes are specified using Key=instanceids,Values=<instanceid1>,<instanceid2>. Tags are specified using Key=<tag name>,Values=<tag value>.
The type of notification.
Command: Receive notification when the status of a command changes.
Invocation: For commands sent to multiple instances, receive notification on a per-instance basis when the status of a command changes.
The type of notification.
Command: Receive notification when the status of a command changes.
Invocation: For commands sent to multiple managed nodes, receive notification on a per-node basis when the status of a command changes.
Configurations for sending notifications.
" @@ -12472,35 +12480,35 @@ }, "AdvisoryIds":{ "shape":"PatchAdvisoryIdList", - "documentation":"The Advisory ID of the patch. For example, RHSA-2020:3779. Applies to Linux-based instances only.
The Advisory ID of the patch. For example, RHSA-2020:3779. Applies to Linux-based managed nodes only.
The Bugzilla ID of the patch. For example, 1600646. Applies to Linux-based instances only.
The Bugzilla ID of the patch. For example, 1600646. Applies to Linux-based managed nodes only.
The Common Vulnerabilities and Exposures (CVE) ID of the patch. For example, CVE-2011-3192. Applies to Linux-based instances only.
The Common Vulnerabilities and Exposures (CVE) ID of the patch. For example, CVE-2011-3192. Applies to Linux-based managed nodes only.
The name of the patch. Applies to Linux-based instances only.
" + "documentation":"The name of the patch. Applies to Linux-based managed nodes only.
" }, "Epoch":{ "shape":"PatchEpoch", - "documentation":"The epoch of the patch. For example in pkg-example-EE-20180914-2.2.amzn1.noarch, the epoch value is 20180914-2. Applies to Linux-based instances only.
The epoch of the patch. For example in pkg-example-EE-20180914-2.2.amzn1.noarch, the epoch value is 20180914-2. Applies to Linux-based managed nodes only.
The version number of the patch. For example, in example-pkg-1.710.10-2.7.abcd.x86_64, the version number is indicated by -1. Applies to Linux-based instances only.
The version number of the patch. For example, in example-pkg-1.710.10-2.7.abcd.x86_64, the version number is indicated by -1. Applies to Linux-based managed nodes only.
The particular release of a patch. For example, in pkg-example-EE-20180914-2.2.amzn1.noarch, the release is 2.amaz1. Applies to Linux-based instances only.
The particular release of a patch. For example, in pkg-example-EE-20180914-2.2.amzn1.noarch, the release is 2.amaz1. Applies to Linux-based managed nodes only.
The architecture of the patch. For example, in example-pkg-0.710.10-2.7.abcd.x86_64, the architecture is indicated by x86_64. Applies to Linux-based instances only.
The architecture of the patch. For example, in example-pkg-0.710.10-2.7.abcd.x86_64, the architecture is indicated by x86_64. Applies to Linux-based managed nodes only.
The source patch repository for the operating system and version, such as trusty-security for Ubuntu Server 14.04 LTE and focal-security for Ubuntu Server 20.04 LTE. Applies to Linux-based instances only.
The source patch repository for the operating system and version, such as trusty-security for Ubuntu Server 14.04 LTE and focal-security for Ubuntu Server 20.04 LTE. Applies to Linux-based managed nodes only.
Represents metadata about a patch.
" @@ -12602,18 +12610,18 @@ }, "State":{ "shape":"PatchComplianceDataState", - "documentation":"The state of the patch on the instance, such as INSTALLED or FAILED.
For descriptions of each patch state, see About patch compliance in the Amazon Web Services Systems Manager User Guide.
" + "documentation":"The state of the patch on the managed node, such as INSTALLED or FAILED.
For descriptions of each patch state, see About patch compliance in the Amazon Web Services Systems Manager User Guide.
" }, "InstalledTime":{ "shape":"DateTime", - "documentation":"The date/time the patch was installed on the instance. Not all operating systems provide this level of information.
" + "documentation":"The date/time the patch was installed on the managed node. Not all operating systems provide this level of information.
" }, "CVEIds":{ "shape":"PatchCVEIds", "documentation":"The IDs of one or more Common Vulnerabilities and Exposure (CVE) issues that are resolved by the patch.
" } }, - "documentation":"Information about the state of a patch on a particular instance as it relates to the patch baseline used to patch the instance.
" + "documentation":"Information about the state of a patch on a particular managed node as it relates to the patch baseline used to patch the node.
" }, "PatchComplianceDataList":{ "type":"list", @@ -12875,7 +12883,7 @@ }, "EnableNonSecurity":{ "shape":"Boolean", - "documentation":"For instances identified by the approval rule filters, enables a patch baseline to apply non-security updates available in the specified repository. The default value is false. Applies to Linux instances only.
For managed nodes identified by the approval rule filters, enables a patch baseline to apply non-security updates available in the specified repository. The default value is false. Applies to Linux managed nodes only.
The value of the yum repo configuration. For example:
[main]
name=MyCustomRepository
baseurl=https://my-custom-repository
enabled=1
For information about other options available for your yum repository configuration, see dnf.conf(5).
Information about the patches to use to update the instances, including target operating systems and source repository. Applies to Linux instances only.
" + "documentation":"Information about the patches to use to update the managed nodes, including target operating systems and source repository. Applies to Linux managed nodes only.
" }, "PatchSourceConfiguration":{ "type":"string", @@ -12996,7 +13004,8 @@ "type":"string", "enum":[ "Windows", - "Linux" + "Linux", + "MacOS" ] }, "PlatformTypeList":{ @@ -13050,7 +13059,7 @@ "members":{ "ResourceId":{ "shape":"ComplianceResourceId", - "documentation":"Specify an ID for this resource. For a managed instance, this is the instance ID.
" + "documentation":"Specify an ID for this resource. For a managed node, this is the node ID.
" }, "ResourceType":{ "shape":"ComplianceResourceType", @@ -13094,11 +13103,11 @@ "members":{ "InstanceId":{ "shape":"InstanceId", - "documentation":"An instance ID where you want to add or update inventory items.
" + "documentation":"An managed node ID where you want to add or update inventory items.
" }, "Items":{ "shape":"InventoryItemList", - "documentation":"The inventory items that you want to add or update on instances.
" + "documentation":"The inventory items that you want to add or update on managed nodes.
" } } }, @@ -13259,7 +13268,7 @@ }, "Targets":{ "shape":"Targets", - "documentation":"The targets to register with the maintenance window. In other words, the instances to run commands on when the maintenance window runs.
If a single maintenance window task is registered with multiple targets, its task invocations occur sequentially and not in parallel. If your task must run on multiple targets at the same time, register a task for each target individually and assign each task the same priority level.
You can specify targets using instance IDs, resource group names, or tags that have been applied to instances.
Example 1: Specify instance IDs
Key=InstanceIds,Values=instance-id-1,instance-id-2,instance-id-3
Example 2: Use tag key-pairs applied to instances
Key=tag:my-tag-key,Values=my-tag-value-1,my-tag-value-2
Example 3: Use tag-keys applied to instances
Key=tag-key,Values=my-tag-key-1,my-tag-key-2
Example 4: Use resource group names
Key=resource-groups:Name,Values=resource-group-name
Example 5: Use filters for resource group types
Key=resource-groups:ResourceTypeFilters,Values=resource-type-1,resource-type-2
For Key=resource-groups:ResourceTypeFilters, specify resource types in the following format
Key=resource-groups:ResourceTypeFilters,Values=AWS::EC2::INSTANCE,AWS::EC2::VPC
For more information about these examples formats, including the best use case for each one, see Examples: Register targets with a maintenance window in the Amazon Web Services Systems Manager User Guide.
" + "documentation":"The targets to register with the maintenance window. In other words, the managed nodes to run commands on when the maintenance window runs.
If a single maintenance window task is registered with multiple targets, its task invocations occur sequentially and not in parallel. If your task must run on multiple targets at the same time, register a task for each target individually and assign each task the same priority level.
You can specify targets using managed node IDs, resource group names, or tags that have been applied to managed nodes.
Example 1: Specify managed node IDs
Key=InstanceIds,Values=<instance-id-1>,<instance-id-2>,<instance-id-3>
Example 2: Use tag key-pairs applied to managed nodes
Key=tag:<my-tag-key>,Values=<my-tag-value-1>,<my-tag-value-2>
Example 3: Use tag-keys applied to managed nodes
Key=tag-key,Values=<my-tag-key-1>,<my-tag-key-2>
Example 4: Use resource group names
Key=resource-groups:Name,Values=<resource-group-name>
Example 5: Use filters for resource group types
Key=resource-groups:ResourceTypeFilters,Values=<resource-type-1>,<resource-type-2>
For Key=resource-groups:ResourceTypeFilters, specify resource types in the following format
Key=resource-groups:ResourceTypeFilters,Values=AWS::EC2::INSTANCE,AWS::EC2::VPC
For more information about these examples formats, including the best use case for each one, see Examples: Register targets with a maintenance window in the Amazon Web Services Systems Manager User Guide.
" }, "OwnerInformation":{ "shape":"OwnerInformation", @@ -13303,7 +13312,7 @@ }, "Targets":{ "shape":"Targets", - "documentation":"The targets (either instances or maintenance window targets).
One or more targets must be specified for maintenance window Run Command-type tasks. Depending on the task, targets are optional for other maintenance window task types (Automation, Lambda, and Step Functions). For more information about running tasks that don't specify targets, see Registering maintenance window tasks without targets in the Amazon Web Services Systems Manager User Guide.
Specify instances using the following format:
Key=InstanceIds,Values=<instance-id-1>,<instance-id-2>
Specify maintenance window targets using the following format:
Key=WindowTargetIds,Values=<window-target-id-1>,<window-target-id-2>
The targets (either managed nodes or maintenance window targets).
One or more targets must be specified for maintenance window Run Command-type tasks. Depending on the task, targets are optional for other maintenance window task types (Automation, Lambda, and Step Functions). For more information about running tasks that don't specify targets, see Registering maintenance window tasks without targets in the Amazon Web Services Systems Manager User Guide.
Specify managed nodes using the following format:
Key=InstanceIds,Values=<instance-id-1>,<instance-id-2>
Specify maintenance window targets using the following format:
Key=WindowTargetIds,Values=<window-target-id-1>,<window-target-id-2>
A structure containing information about an Amazon Simple Storage Service (Amazon S3) bucket to write instance-level logs to.
LoggingInfo has been deprecated. To specify an Amazon Simple Storage Service (Amazon S3) bucket to contain logs, instead use the OutputS3BucketName and OutputS3KeyPrefix options in the TaskInvocationParameters structure. For information about how Amazon Web Services Systems Manager handles these options for the supported maintenance window task types, see MaintenanceWindowTaskInvocationParameters.
A structure containing information about an Amazon Simple Storage Service (Amazon S3) bucket to write managed node-level logs to.
LoggingInfo has been deprecated. To specify an Amazon Simple Storage Service (Amazon S3) bucket to contain logs, instead use the OutputS3BucketName and OutputS3KeyPrefix options in the TaskInvocationParameters structure. For information about how Amazon Web Services Systems Manager handles these options for the supported maintenance window task types, see MaintenanceWindowTaskInvocationParameters.
The type of resource from which you want to remove a tag.
The ManagedInstance type for this API operation is only for on-premises managed instances. Specify the name of the managed instance in the following format: mi-ID_number . For example, mi-1a2b3c4d5e6f.
The type of resource from which you want to remove a tag.
The ManagedInstance type for this API operation is only for on-premises managed nodes. Specify the name of the managed node in the following format: mi-ID_number . For example, mi-1a2b3c4d5e6f.
The ID of the resource from which you want to remove tags. For example:
ManagedInstance: mi-012345abcde
MaintenanceWindow: mw-012345abcde
PatchBaseline: pb-012345abcde
OpsMetadata object: ResourceID for tagging is created from the Amazon Resource Name (ARN) for the object. Specifically, ResourceID is created from the strings that come after the word opsmetadata in the ARN. For example, an OpsMetadata object with an ARN of arn:aws:ssm:us-east-2:1234567890:opsmetadata/aws/ssm/MyGroup/appmanager has a ResourceID of either aws/ssm/MyGroup/appmanager or /aws/ssm/MyGroup/appmanager.
For the Document and Parameter values, use the name of the resource.
The ManagedInstance type for this API operation is only for on-premises managed instances. Specify the name of the managed instance in the following format: mi-ID_number. For example, mi-1a2b3c4d5e6f.
The ID of the resource from which you want to remove tags. For example:
ManagedInstance: mi-012345abcde
MaintenanceWindow: mw-012345abcde
PatchBaseline: pb-012345abcde
OpsMetadata object: ResourceID for tagging is created from the Amazon Resource Name (ARN) for the object. Specifically, ResourceID is created from the strings that come after the word opsmetadata in the ARN. For example, an OpsMetadata object with an ARN of arn:aws:ssm:us-east-2:1234567890:opsmetadata/aws/ssm/MyGroup/appmanager has a ResourceID of either aws/ssm/MyGroup/appmanager or /aws/ssm/MyGroup/appmanager.
For the Document and Parameter values, use the name of the resource.
The ManagedInstance type for this API operation is only for on-premises managed nodes. Specify the name of the managed node in the following format: mi-ID_number. For example, mi-1a2b3c4d5e6f.
An encrypted token value containing session and caller information. Used to authenticate the connection to the instance.
" + "documentation":"An encrypted token value containing session and caller information. Used to authenticate the connection to the managed node.
" }, "StreamUrl":{ "shape":"StreamUrl", - "documentation":"A URL back to SSM Agent on the instance that the Session Manager client uses to send commands and receive output from the instance. Format: wss://ssmmessages.region.amazonaws.com/v1/data-channel/session-id?stream=(input|output).
region represents the Region identifier for an Amazon Web Services Region supported by Amazon Web Services Systems Manager, such as us-east-2 for the US East (Ohio) Region. For a list of supported region values, see the Region column in Systems Manager service endpoints in the Amazon Web Services General Reference.
session-id represents the ID of a Session Manager session, such as 1a2b3c4dEXAMPLE.
A URL back to SSM Agent on the managed node that the Session Manager client uses to send commands and receive output from the managed node. Format: wss://ssmmessages.region.amazonaws.com/v1/data-channel/session-id?stream=(input|output).
region represents the Region identifier for an Amazon Web Services Region supported by Amazon Web Services Systems Manager, such as us-east-2 for the US East (Ohio) Region. For a list of supported region values, see the Region column in Systems Manager service endpoints in the Amazon Web Services General Reference.
session-id represents the ID of a Session Manager session, such as 1a2b3c4dEXAMPLE.
The IDs of the instances where the command should run. Specifying instance IDs is most useful when you are targeting a limited number of instances, though you can specify up to 50 IDs.
To target a larger number of instances, or if you prefer not to list individual instance IDs, we recommend using the Targets option instead. Using Targets, which accepts tag key-value pairs to identify the instances to send commands to, you can a send command to tens, hundreds, or thousands of instances at once.
For more information about how to use targets, see Using targets and rate controls to send commands to a fleet in the Amazon Web Services Systems Manager User Guide.
" + "documentation":"The IDs of the managed nodes where the command should run. Specifying managed node IDs is most useful when you are targeting a limited number of managed nodes, though you can specify up to 50 IDs.
To target a larger number of managed nodes, or if you prefer not to list individual node IDs, we recommend using the Targets option instead. Using Targets, which accepts tag key-value pairs to identify the managed nodes to send commands to, you can a send command to tens, hundreds, or thousands of nodes at once.
For more information about how to use targets, see Using targets and rate controls to send commands to a fleet in the Amazon Web Services Systems Manager User Guide.
" }, "Targets":{ "shape":"Targets", - "documentation":"An array of search criteria that targets instances using a Key,Value combination that you specify. Specifying targets is most useful when you want to send a command to a large number of instances at once. Using Targets, which accepts tag key-value pairs to identify instances, you can send a command to tens, hundreds, or thousands of instances at once.
To send a command to a smaller number of instances, you can use the InstanceIds option instead.
For more information about how to use targets, see Sending commands to a fleet in the Amazon Web Services Systems Manager User Guide.
" + "documentation":"An array of search criteria that targets managed nodes using a Key,Value combination that you specify. Specifying targets is most useful when you want to send a command to a large number of managed nodes at once. Using Targets, which accepts tag key-value pairs to identify managed nodes, you can send a command to tens, hundreds, or thousands of nodes at once.
To send a command to a smaller number of managed nodes, you can use the InstanceIds option instead.
For more information about how to use targets, see Sending commands to a fleet in the Amazon Web Services Systems Manager User Guide.
" }, "DocumentName":{ "shape":"DocumentARN", @@ -14158,7 +14167,7 @@ }, "MaxConcurrency":{ "shape":"MaxConcurrency", - "documentation":"(Optional) The maximum number of instances that are allowed to run the command at the same time. You can specify a number such as 10 or a percentage such as 10%. The default value is 50. For more information about how to use MaxConcurrency, see Using concurrency controls in the Amazon Web Services Systems Manager User Guide.
(Optional) The maximum number of managed nodes that are allowed to run the command at the same time. You can specify a number such as 10 or a percentage such as 10%. The default value is 50. For more information about how to use MaxConcurrency, see Using concurrency controls in the Amazon Web Services Systems Manager User Guide.
The instance that the Session Manager session connected to.
" + "documentation":"The managed node that the Session Manager session connected to.
" }, "Status":{ "shape":"SessionStatus", @@ -14284,7 +14293,7 @@ "documentation":"The maximum duration of a session before it terminates.
" } }, - "documentation":"Information about a Session Manager connection to an instance.
" + "documentation":"Information about a Session Manager connection to a managed node.
" }, "SessionDetails":{ "type":"string", @@ -14304,7 +14313,7 @@ }, "value":{ "shape":"SessionFilterValue", - "documentation":"The filter value. Valid values for each filter key are as follows:
InvokedAfter: Specify a timestamp to limit your results. For example, specify 2018-08-29T00:00:00Z to see sessions that started August 29, 2018, and later.
InvokedBefore: Specify a timestamp to limit your results. For example, specify 2018-08-29T00:00:00Z to see sessions that started before August 29, 2018.
Target: Specify an instance to which session connections have been made.
Owner: Specify an Amazon Web Services user account to see a list of sessions started by that user.
Status: Specify a valid session status to see a list of all sessions with that status. Status values you can specify include:
Connected
Connecting
Disconnected
Terminated
Terminating
Failed
SessionId: Specify a session ID to return details about the session.
The filter value. Valid values for each filter key are as follows:
InvokedAfter: Specify a timestamp to limit your results. For example, specify 2018-08-29T00:00:00Z to see sessions that started August 29, 2018, and later.
InvokedBefore: Specify a timestamp to limit your results. For example, specify 2018-08-29T00:00:00Z to see sessions that started before August 29, 2018.
Target: Specify a managed node to which session connections have been made.
Owner: Specify an Amazon Web Services user account to see a list of sessions started by that user.
Status: Specify a valid session status to see a list of all sessions with that status. Status values you can specify include:
Connected
Connecting
Disconnected
Terminated
Terminating
Failed
SessionId: Specify a session ID to return details about the session.
Describes a filter for Session Manager information.
" @@ -14450,7 +14459,7 @@ "documentation":"The total number of resources or compliance items that have a severity level of unspecified. Unspecified severity is determined by the organization that published the compliance items.
" } }, - "documentation":"The number of managed instances found for each patch severity level defined in the request filter.
" + "documentation":"The number of managed nodes found for each patch severity level defined in the request filter.
" }, "SharedDocumentVersion":{ "type":"string", @@ -14475,6 +14484,20 @@ "min":36, "pattern":"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$" }, + "SourceId":{ + "type":"string", + "max":128, + "min":0, + "pattern":"^[a-zA-Z0-9:_-]*$" + }, + "SourceType":{ + "type":"string", + "enum":[ + "AWS::EC2::Instance", + "AWS::IoT::Thing", + "AWS::SSM::ManagedInstance" + ] + }, "StandardErrorContent":{ "type":"string", "max":8000 @@ -14632,11 +14655,11 @@ "members":{ "Target":{ "shape":"SessionTarget", - "documentation":"The instance to connect to for the session.
" + "documentation":"The managed node to connect to for the session.
" }, "DocumentName":{ "shape":"DocumentARN", - "documentation":"The name of the SSM document to define the parameters and plugin settings for the session. For example, SSM-SessionManagerRunShell. You can call the GetDocument API to verify the document exists before attempting to start a session. If no document name is provided, a shell to the instance is launched by default.
The name of the SSM document to define the parameters and plugin settings for the session. For example, SSM-SessionManagerRunShell. You can call the GetDocument API to verify the document exists before attempting to start a session. If no document name is provided, a shell to the managed node is launched by default.
An encrypted token value containing session and caller information. Used to authenticate the connection to the instance.
" + "documentation":"An encrypted token value containing session and caller information. Used to authenticate the connection to the managed node.
" }, "StreamUrl":{ "shape":"StreamUrl", - "documentation":"A URL back to SSM Agent on the instance that the Session Manager client uses to send commands and receive output from the instance. Format: wss://ssmmessages.region.amazonaws.com/v1/data-channel/session-id?stream=(input|output)
region represents the Region identifier for an Amazon Web Services Region supported by Amazon Web Services Systems Manager, such as us-east-2 for the US East (Ohio) Region. For a list of supported region values, see the Region column in Systems Manager service endpoints in the Amazon Web Services General Reference.
session-id represents the ID of a Session Manager session, such as 1a2b3c4dEXAMPLE.
A URL back to SSM Agent on the managed node that the Session Manager client uses to send commands and receive output from the node. Format: wss://ssmmessages.region.amazonaws.com/v1/data-channel/session-id?stream=(input|output)
region represents the Region identifier for an Amazon Web Services Region supported by Amazon Web Services Systems Manager, such as us-east-2 for the US East (Ohio) Region. For a list of supported region values, see the Region column in Systems Manager service endpoints in the Amazon Web Services General Reference.
session-id represents the ID of a Session Manager session, such as 1a2b3c4dEXAMPLE.
The value of the tag.
" } }, - "documentation":"Metadata that you assign to your Amazon Web Services resources. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment. In Amazon Web Services Systems Manager, you can apply tags to Systems Manager documents (SSM documents), managed instances, maintenance windows, parameters, patch baselines, OpsItems, and OpsMetadata.
" + "documentation":"Metadata that you assign to your Amazon Web Services resources. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment. In Amazon Web Services Systems Manager, you can apply tags to Systems Manager documents (SSM documents), managed nodes, maintenance windows, parameters, patch baselines, OpsItems, and OpsMetadata.
" }, "TagKey":{ "type":"string", @@ -14922,14 +14945,14 @@ "members":{ "Key":{ "shape":"TargetKey", - "documentation":"User-defined criteria for sending commands that target instances that meet the criteria.
" + "documentation":"User-defined criteria for sending commands that target managed nodes that meet the criteria.
" }, "Values":{ "shape":"TargetValues", "documentation":"User-defined criteria that maps to Key. For example, if you specified tag:ServerRole, you could specify value:WebServer to run a command on instances that include EC2 tags of ServerRole,WebServer.
Depending on the type of target, the maximum number of values for a key might be lower than the global maximum of 50.
" } }, - "documentation":"An array of search criteria that targets instances using a key-value pair that you specify.
One or more targets must be specified for maintenance window Run Command-type tasks. Depending on the task, targets are optional for other maintenance window task types (Automation, Lambda, and Step Functions). For more information about running tasks that don't specify targets, see Registering maintenance window tasks without targets in the Amazon Web Services Systems Manager User Guide.
Supported formats include the following.
Key=InstanceIds,Values=instance-id-1,instance-id-2,instance-id-3
Key=tag:my-tag-key,Values=my-tag-value-1,my-tag-value-2
Key=tag-key,Values=my-tag-key-1,my-tag-key-2
Run Command and Maintenance window targets only: Key=resource-groups:Name,Values=resource-group-name
Maintenance window targets only: Key=resource-groups:ResourceTypeFilters,Values=resource-type-1,resource-type-2
Automation targets only: Key=ResourceGroup;Values=resource-group-name
For example:
Key=InstanceIds,Values=i-02573cafcfEXAMPLE,i-0471e04240EXAMPLE,i-07782c72faEXAMPLE
Key=tag:CostCenter,Values=CostCenter1,CostCenter2,CostCenter3
Key=tag-key,Values=Name,Instance-Type,CostCenter
Run Command and Maintenance window targets only: Key=resource-groups:Name,Values=ProductionResourceGroup
This example demonstrates how to target all resources in the resource group ProductionResourceGroup in your maintenance window.
Maintenance window targets only: Key=resource-groups:ResourceTypeFilters,Values=AWS::EC2::INSTANCE,AWS::EC2::VPC
This example demonstrates how to target only Amazon Elastic Compute Cloud (Amazon EC2) instances and VPCs in your maintenance window.
Automation targets only: Key=ResourceGroup,Values=MyResourceGroup
State Manager association targets only: Key=InstanceIds,Values=*
This example demonstrates how to target all managed instances in the Amazon Web Services Region where the association was created.
For more information about how to send commands that target instances using Key,Value parameters, see Targeting multiple instances in the Amazon Web Services Systems Manager User Guide.
An array of search criteria that targets managed nodes using a key-value pair that you specify.
One or more targets must be specified for maintenance window Run Command-type tasks. Depending on the task, targets are optional for other maintenance window task types (Automation, Lambda, and Step Functions). For more information about running tasks that don't specify targets, see Registering maintenance window tasks without targets in the Amazon Web Services Systems Manager User Guide.
Supported formats include the following.
Key=InstanceIds,Values=<instance-id-1>,<instance-id-2>,<instance-id-3>
Key=tag:<my-tag-key>,Values=<my-tag-value-1>,<my-tag-value-2>
Key=tag-key,Values=<my-tag-key-1>,<my-tag-key-2>
Run Command and Maintenance window targets only: Key=resource-groups:Name,Values=<resource-group-name>
Maintenance window targets only: Key=resource-groups:ResourceTypeFilters,Values=<resource-type-1>,<resource-type-2>
Automation targets only: Key=ResourceGroup;Values=<resource-group-name>
For example:
Key=InstanceIds,Values=i-02573cafcfEXAMPLE,i-0471e04240EXAMPLE,i-07782c72faEXAMPLE
Key=tag:CostCenter,Values=CostCenter1,CostCenter2,CostCenter3
Key=tag-key,Values=Name,Instance-Type,CostCenter
Run Command and Maintenance window targets only: Key=resource-groups:Name,Values=ProductionResourceGroup
This example demonstrates how to target all resources in the resource group ProductionResourceGroup in your maintenance window.
Maintenance window targets only: Key=resource-groups:ResourceTypeFilters,Values=AWS::EC2::INSTANCE,AWS::EC2::VPC
This example demonstrates how to target only Amazon Elastic Compute Cloud (Amazon EC2) instances and VPCs in your maintenance window.
Automation targets only: Key=ResourceGroup,Values=MyResourceGroup
State Manager association targets only: Key=InstanceIds,Values=*
This example demonstrates how to target all managed instances in the Amazon Web Services Region where the association was created.
For more information about how to send commands that target managed nodes using Key,Value parameters, see Targeting multiple instances in the Amazon Web Services Systems Manager User Guide.
The specified target instance for the session isn't fully configured for use with Session Manager. For more information, see Getting started with Session Manager in the Amazon Web Services Systems Manager User Guide. This error is also returned if you attempt to start a session on an instance that is located in a different account or Region
", + "documentation":"The specified target managed node for the session isn't fully configured for use with Session Manager. For more information, see Getting started with Session Manager in the Amazon Web Services Systems Manager User Guide. This error is also returned if you attempt to start a session on a managed node that is located in a different account or Region
", "exception":true }, "TargetParameterList":{ @@ -15187,7 +15210,7 @@ "members":{ "Message":{"shape":"String"} }, - "documentation":"The document doesn't support the platform type of the given instance ID(s). For example, you sent an document for a Windows instance to a Linux instance.
", + "documentation":"The document doesn't support the platform type of the given managed node ID(s). For example, you sent an document for a Windows managed node to a Linux node.
", "exception":true }, "UpdateAssociationRequest":{ @@ -15216,7 +15239,7 @@ }, "Name":{ "shape":"DocumentARN", - "documentation":"The name of the SSM Command document or Automation runbook that contains the configuration information for the instance.
You can specify Amazon Web Services-predefined documents, documents you created, or a document that is shared with you from another account.
For Systems Manager document (SSM document) that are shared with you from other Amazon Web Services accounts, you must specify the complete SSM document ARN, in the following format:
arn:aws:ssm:region:account-id:document/document-name
For example:
arn:aws:ssm:us-east-2:12345678912:document/My-Shared-Document
For Amazon Web Services-predefined documents and SSM documents you created in your account, you only need to specify the document name. For example, AWS-ApplyPatchBaseline or My-Document.
The name of the SSM Command document or Automation runbook that contains the configuration information for the managed node.
You can specify Amazon Web Services-predefined documents, documents you created, or a document that is shared with you from another account.
For Systems Manager document (SSM document) that are shared with you from other Amazon Web Services accounts, you must specify the complete SSM document ARN, in the following format:
arn:aws:ssm:region:account-id:document/document-name
For example:
arn:aws:ssm:us-east-2:12345678912:document/My-Shared-Document
For Amazon Web Services-predefined documents and SSM documents you created in your account, you only need to specify the document name. For example, AWS-ApplyPatchBaseline or My-Document.
The number of errors that are allowed before the system stops sending requests to run the association on additional targets. You can specify either an absolute number of errors, for example 10, or a percentage of the target set, for example 10%. If you specify 3, for example, the system stops sending requests when the fourth error is received. If you specify 0, then the system stops sending requests after the first error is returned. If you run an association on 50 instances and set MaxError to 10%, then the system stops sending the request when the sixth error is received.
Executions that are already running an association when MaxErrors is reached are allowed to complete, but some of these executions may fail as well. If you need to ensure that there won't be more than max-errors failed executions, set MaxConcurrency to 1 so that executions proceed one at a time.
The number of errors that are allowed before the system stops sending requests to run the association on additional targets. You can specify either an absolute number of errors, for example 10, or a percentage of the target set, for example 10%. If you specify 3, for example, the system stops sending requests when the fourth error is received. If you specify 0, then the system stops sending requests after the first error is returned. If you run an association on 50 managed nodes and set MaxError to 10%, then the system stops sending the request when the sixth error is received.
Executions that are already running an association when MaxErrors is reached are allowed to complete, but some of these executions may fail as well. If you need to ensure that there won't be more than max-errors failed executions, set MaxConcurrency to 1 so that executions proceed one at a time.
The maximum number of targets allowed to run the association at the same time. You can specify a number, for example 10, or a percentage of the target set, for example 10%. The default value is 100%, which means all targets run the association at the same time.
If a new instance starts and attempts to run an association while Systems Manager is running MaxConcurrency associations, the association is allowed to run. During the next association interval, the new instance will process its association within the limit specified for MaxConcurrency.
The maximum number of targets allowed to run the association at the same time. You can specify a number, for example 10, or a percentage of the target set, for example 10%. The default value is 100%, which means all targets run the association at the same time.
If a new managed node starts and attempts to run an association while Systems Manager is running MaxConcurrency associations, the association is allowed to run. During the next association interval, the new managed node will process its association within the limit specified for MaxConcurrency.
The instance ID.
" + "documentation":"The managed node ID.
" }, "AssociationStatus":{ "shape":"AssociationStatus", @@ -15608,7 +15631,7 @@ }, "Targets":{ "shape":"Targets", - "documentation":"The targets (either instances or tags) to modify. Instances are specified using the format Key=instanceids,Values=instanceID_1,instanceID_2. Tags are specified using the format Key=tag_name,Values=tag_value.
One or more targets must be specified for maintenance window Run Command-type tasks. Depending on the task, targets are optional for other maintenance window task types (Automation, Lambda, and Step Functions). For more information about running tasks that don't specify targets, see Registering maintenance window tasks without targets in the Amazon Web Services Systems Manager User Guide.
The targets (either managed nodes or tags) to modify. Managed nodes are specified using the format Key=instanceids,Values=instanceID_1,instanceID_2. Tags are specified using the format Key=tag_name,Values=tag_value.
One or more targets must be specified for maintenance window Run Command-type tasks. Depending on the task, targets are optional for other maintenance window task types (Automation, Lambda, and Step Functions). For more information about running tasks that don't specify targets, see Registering maintenance window tasks without targets in the Amazon Web Services Systems Manager User Guide.
The ID of the managed instance where you want to update the role.
" + "documentation":"The ID of the managed node where you want to update the role.
" }, "IamRole":{ "shape":"IamRole", @@ -15875,7 +15898,7 @@ }, "ApprovedPatchesEnableNonSecurity":{ "shape":"Boolean", - "documentation":"Indicates whether the list of approved patches includes non-security updates that should be applied to the instances. The default value is false. Applies to Linux instances only.
Indicates whether the list of approved patches includes non-security updates that should be applied to the managed nodes. The default value is false. Applies to Linux managed nodes only.
Information about the patches to use to update the instances, including target operating systems and source repositories. Applies to Linux instances only.
" + "documentation":"Information about the patches to use to update the managed nodes, including target operating systems and source repositories. Applies to Linux managed nodes only.
" }, "Replace":{ "shape":"Boolean", @@ -15934,7 +15957,7 @@ }, "ApprovedPatchesEnableNonSecurity":{ "shape":"Boolean", - "documentation":"Indicates whether the list of approved patches includes non-security updates that should be applied to the instances. The default value is false. Applies to Linux instances only.
Indicates whether the list of approved patches includes non-security updates that should be applied to the managed nodes. The default value is false. Applies to Linux managed nodes only.
Information about the patches to use to update the instances, including target operating systems and source repositories. Applies to Linux instances only.
" + "documentation":"Information about the patches to use to update the managed nodes, including target operating systems and source repositories. Applies to Linux managed nodes only.
" } } }, @@ -16029,5 +16052,5 @@ "pattern":"^[0-9]{1,6}(\\.[0-9]{1,6}){2,3}$" } }, - "documentation":"Amazon Web Services Systems Manager is a collection of capabilities that helps you automate management tasks such as collecting system inventory, applying operating system (OS) patches, automating the creation of Amazon Machine Images (AMIs), and configuring operating systems (OSs) and applications at scale. Systems Manager lets you remotely and securely manage the configuration of your managed instances. A managed instance is any Amazon Elastic Compute Cloud instance (EC2 instance), or any on-premises server or virtual machine (VM) in your hybrid environment that has been configured for Systems Manager.
This reference is intended to be used with the Amazon Web Services Systems Manager User Guide.
To get started, verify prerequisites and configure managed instances. For more information, see Setting up Amazon Web Services Systems Manager in the Amazon Web Services Systems Manager User Guide.
Related resources
For information about how to use a Query API, see Making API requests.
For information about other API operations you can perform on EC2 instances, see the Amazon EC2 API Reference.
For information about AppConfig, a capability of Systems Manager, see the AppConfig User Guide and the AppConfig API Reference.
For information about Incident Manager, a capability of Systems Manager, see the Incident Manager User Guide and the Incident Manager API Reference.
Amazon Web Services Systems Manager is a collection of capabilities that helps you automate management tasks such as collecting system inventory, applying operating system (OS) patches, automating the creation of Amazon Machine Images (AMIs), and configuring operating systems (OSs) and applications at scale. Systems Manager lets you remotely and securely manage the configuration of your managed nodes. A managed node is any Amazon Elastic Compute Cloud (Amazon EC2) instance, edge device, or on-premises server or virtual machine (VM) that has been configured for Systems Manager.
With support for IoT Greengrass Version 2 devices, the phrase managed instance has been changed to managed node in most of the Systems Manager documentation. The Systems Manager console, API calls, error messages, and SSM documents still use the term instance.
This reference is intended to be used with the Amazon Web Services Systems Manager User Guide.
To get started, verify prerequisites and configure managed nodes. For more information, see Setting up Amazon Web Services Systems Manager in the Amazon Web Services Systems Manager User Guide.
Related resources
For information about how to use a Query API, see Making API requests.
For information about other API operations you can perform on EC2 instances, see the Amazon EC2 API Reference.
For information about AppConfig, a capability of Systems Manager, see the AppConfig User Guide and the AppConfig API Reference.
For information about Incident Manager, a capability of Systems Manager, see the Incident Manager User Guide and the Incident Manager API Reference.