Get started with AWS SSM Automation

AWS Systems Manager (SSM) Automation allows you to automate common and repetitive IT operations and management tasks across AWS resources. With SSM Automation, you can create automation workflows using pre-defined "automation documents" or you can create your own custom workflows.

Automation documents define the sequence of actions to perform on managed instances and other AWS resources. The actions include running shell commands or scripts, making API calls, executing AWS Lambda functions, and more.

AWS SSM Automation can be triggered manually, scheduled, or started in response to changes in system states or AWS CloudWatch events. It can be used for a variety of use-cases such as patch management, deployment tasks, resource provisioning, etc.

Workshop: Stop the EC2 Instances with a custom Automation document

In this workshop exercise, you'll create an EC2 instance and then use AWS SSM Automation to stop the instance automatically.


  • An AWS Account with proper permissions to create EC2 instances and use Systems Manager

  • AWS CLI installed and configured


1. Create an EC2 instance

Navigate to the EC2 console and launch a new instance with Amazon Linux 2.

To launch the EC2 instance use the following guide: How to launch a single EC2 instance via AWS CLI

2. Install SSM Agent on EC2

If you chose Amazon Linux, the SSM agent should be pre-installed. Otherwise, you'll need to install it.

3. Create an IAM Role for EC2

  1. Go to the IAM console.

  2. Create a new Role.

  3. Attach the AmazonEC2RoleforSSM policy.

  4. Attach the role to the EC2 instance you created.

4. Create Automation Document

  1. Go to the Systems Manager Console.

  2. Navigate to Automation and choose Execute automation.

  3. Choose Create automation then go to Editor and paste the following JSON definition (If you prefer you can also define SSM Documents in YAML format):

  "description": "Stop an EC2 instance",
  "schemaVersion": "0.3",
  "description": "This automation stops an EC2 instance",
  "parameters": {
    "InstanceId": {
      "type": "String",
      "description": "(Required) The ID of the EC2 instance to stop."
  "mainSteps": [
      "name": "stopInstance",
      "action": "aws:changeInstanceState",
      "inputs": {
        "InstanceIds": [
        "DesiredState": "stopped"
  1. Give your document a name and save it.

5. Execute Automation

  1. In the Systems Manager Console, navigate to Automation and choose Execute automation.

  2. Select the automation document you created.

  3. Provide the InstanceId parameter (ID of the EC2 instance you created).

  4. Execute the automation.

Your EC2 instance should now be stopped. You can verify this in the EC2 console.


  1. Terminate the EC2 instance to avoid ongoing charges.

  2. Delete any resources you created as part of this workshop.

This workshop provides a basic introduction to AWS SSM Automation. For more complex workflows, you can use features like branching, error handling, and invoking other automation documents or Lambda functions.

Workshop: Applying Security Patches Using AWS Managed Pre-Defined Automation Runbook

In this exercise, you'll use a predefined AWS Systems Manager (SSM) Automation runbook to apply security patches to an EC2 instance running Amazon Linux 2. This helps simulate a typical patch management operation, using AWS's managed resources to make the process easier and more scalable.


  • An AWS account with permissions to create and manage EC2 instances and SSM Automations.

  • An EC2 instance running Amazon Linux 2. Ensure that this instance has the AmazonEC2RoleforSSM and AmazonSSMAutomationRole IAM roles attached to it so SSM can manage the instance.

Create AmazonSSMAutomationRole for SSM service

  1. Choose Systems Manager service

  2. Attach AmazonSSMAutomationRole :

  3. Give proper naming for the role:


Step 1: Navigate to Systems Manager

  1. Open the AWS Management Console in your web browser.

  2. Navigate to AWS Systems Manager from the list of all services.

Step 2: Choose Runbook

  1. In the left-hand navigation pane, click on Automation.

  2. Click on the Execute automation button.

  3. In the "Automation document" section, toggle from "Owned by me" to "Owned by Amazon"

  4. Search for AWS-UpdateLinuxAmi and select it. This is a pre-defined AWS runbook to update a Linux AMI.

Step 3: Specify Parameters

AWS-UpdateLinuxAmi will create a new AMI after updating the source AMI you specify. You'll need the ID of an existing Amazon Linux 2 AMI for this.

  1. For SourceAmiId, provide the ID of the Amazon Linux 2 AMI. AMI ID for Amazon Linux 2 t2.micro in us-east-1: ami-0f34c5ae932e6f0e4

  2. For IamInstanceProfileName, and AutomationAssumeRole use the roles that you've attached to your EC2 instance (or a role with similar permissions).

  3. Fill in any additional parameters as required for your setup.

Step 4: Execute Automation

  1. Review your parameters and click on the Execute button to start the automation.

The Automation execution will launch a temporary instance with the given source AMI, apply patches, create a new AMI, and terminate the temporary instance.

Step 5: Monitor Execution

  1. After you execute the automation, you'll be redirected to the Executions page.

  2. Click on the Execution ID to view the progress and details.

  3. Once the status changes to Success, the automation has completed successfully, and a new AMI with the patches applied is now available.

Step 6: Verify the New AMI

  1. Navigate to the EC2 Dashboard.

  2. Under Images, click AMIs.

  3. Search for the new AMI created by the automation process. You should see this AMI listed.

  4. (Optional) You may launch a new EC2 instance with this patched AMI to verify that the patches have been applied successfully.


  1. Deregister the new AMI if you do not plan to use it.

  2. Delete the associated snapshot.

  3. Terminate any temporary EC2 instances that were created during this exercise.

This exercise demonstrates how to utilize AWS Managed pre-defined Automation runbooks for common administrative tasks like patch management. It saves time and ensures that you're following AWS-recommended best practices.


  1. AWS Systems Manager Automation

  2. Automation document Schemas, features, and examples

  3. Using Markdown in the Console

  4. AWS-UpdateLinuxAmi