Run Command

Remote Command Execution at Scale

What is Run Command?

Run Command allows you to remotely execute commands on multiple EC2 instances and on-premises servers without SSH or RDP access.

No SSH Required: Execute commands without opening ports
At Scale: Run on thousands of instances simultaneously
Fully Audited: CloudTrail logs all command executions

SSM Documents

AWS-Managed

Pre-built documents for common tasks

Custom Documents

Create your own JSON/YAML documents

Shared Documents

Share across accounts and publicly

Shell Scripts

  • AWS-RunShellScript (Linux)
  • AWS-RunPowerShellScript (Windows)
  • Custom bash/PowerShell
  • Script output capture

Configuration

  • AWS-ConfigureAWSPackage
  • AWS-ConfigureDocker
  • AWS-InstallApplication
  • AWS-UpdateSSMAgent

Maintenance

  • AWS-RunPatchBaseline
  • AWS-UpdateLinuxAmi
  • AWS-UpdateWindowsAmi
  • AWS-RestartEC2Instance

Troubleshooting

  • AWS-GatherSoftwareInventory
  • AWS-CollectDiagnosticData
  • AWS-TroubleshootSSH
  • AWS-TroubleshootRDP

Run Command Example

aws ssm send-command \
  --document-name "AWS-RunShellScript" \
  --targets "Key=tag:Environment,Values=Production" \
  --parameters 'commands=["sudo yum update -y","sudo systemctl restart httpd"]' \
  --output-s3-bucket-name "my-command-logs" \
  --cloud-watch-output-config CloudWatchOutputEnabled=true,CloudWatchLogGroupName=/aws/ssm/commands

Targeting Options

Instance IDs: Specify individual instances
Tags: Target by tag key-value pairs
Resource Groups: Target entire resource groups
All Instances: Execute on all managed instances

Rate Control

Concurrency: Number or percentage of targets
Error Threshold: Stop execution after X failures
Timeout: Maximum execution time per instance
Delivery Timeout: Time to wait for command delivery

Security

  • IAM-based access control
  • No inbound ports required
  • CloudTrail audit logging
  • Encrypted communication
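
The CloudTrail audit trail can feed a simple review of who ran what. The sketch below is an added example, not part of the original page or any AWS tooling: it checks SendCommand records for free-form script documents, tag-based targets sent without explicit rate control, and callers outside an allowlist. The sample events are constructed, the role allowlist is hypothetical, and the field names are assumed to match CloudTrail's SendCommand layout.

```python
# Constructed CloudTrail-style records (not real logs). Field names are assumed
# to follow CloudTrail's ssm:SendCommand layout; confirm against your own trail.
def _event(name, role, **request):
    return {"eventSource": "ssm.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": f"arn:aws:sts::111122223333:assumed-role/{role}/session"},
            "requestParameters": request}

SAMPLE_EVENTS = [
    _event("SendCommand", "PatchOps", documentName="AWS-RunPatchBaseline",
           targets=[{"key": "tag:Environment", "values": ["Production"]}],
           maxConcurrency="10%", maxErrors="1"),
    _event("SendCommand", "DevSandbox", documentName="AWS-RunShellScript",
           instanceIds=["i-0123456789abcdef0"]),
    _event("SendCommand", "PatchOps", documentName="AWS-RunShellScript",
           targets=[{"key": "tag:Environment", "values": ["Production"]}]),
    _event("StartSession", "PatchOps", target="i-0123456789abcdef0"),
]

FREE_FORM_DOCS = {"AWS-RunShellScript", "AWS-RunPowerShellScript"}
APPROVED_ROLES = {"PatchOps"}  # hypothetical allowlist of roles expected to use Run Command

def role_name(arn):
    """Return the role from an assumed-role ARN, or None for other identities."""
    parts = arn.split("/")
    return parts[1] if len(parts) >= 3 and parts[0].endswith(":assumed-role") else None

def review_send_command(event):
    """Return a list of findings for a SendCommand record, or None for other events."""
    if (event.get("eventSource"), event.get("eventName")) != ("ssm.amazonaws.com", "SendCommand"):
        return None
    req = event.get("requestParameters") or {}
    findings = []
    if req.get("documentName") in FREE_FORM_DOCS:
        findings.append("free-form-script")  # arbitrary shell, not a fixed task document
    if req.get("targets") and not (req.get("maxConcurrency") and req.get("maxErrors")):
        findings.append("fleet-target-without-rate-control")
    arn = (event.get("userIdentity") or {}).get("arn", "")
    if role_name(arn) not in APPROVED_ROLES:
        findings.append("unapproved-principal")
    return findings

def triage(events):
    """Map event index -> findings for every SendCommand record that needs review."""
    reviewed = ((i, review_send_command(e)) for i, e in enumerate(events))
    return {i: f for i, f in reviewed if f}

if __name__ == "__main__":
    for index, findings in triage(SAMPLE_EVENTS).items():
        print(index, findings)
```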

Monitoring

  • Command status tracking
  • Output to S3 or CloudWatch
  • SNS notifications
  • EventBridge integration

Pricing

  • No additional charge for EC2
  • On-premises: $0.00695 per instance/month
  • Standard S3/CloudWatch charges
  • Free tier available

Exam Strategy Tip

Remember: Run Command requires the SSM Agent to be installed on target instances. Use tags to target multiple instances. Commands are executed via SSM Documents. All executions are logged to CloudTrail for auditing.
