Module Smaws_Client_SSM.Types

The reason code for the invalid request.

The new value to specify for the service setting. The following list specifies the available values for each setting.

• For /ssm/appmanager/appmanager-enabled, enter True or False.
• For /ssm/automation/customer-script-log-destination, enter CloudWatch.
• For /ssm/automation/customer-script-log-group-name, enter the name of an Amazon CloudWatch Logs log group.
• For /ssm/documents/console/public-sharing-permission, enter Enable or Disable.
• For /ssm/managed-instance/activation-tier, enter standard or advanced.
• For /ssm/managed-instance/default-ec2-instance-management-role, enter the name of an IAM role.
• For /ssm/opsinsights/opscenter, enter Enabled or Disabled.
• For /ssm/parameter-store/default-parameter-tier, enter Standard, Advanced, or Intelligent-Tiering
• For /ssm/parameter-store/high-throughput-enabled, enter true or false.

The Amazon Resource Name (ARN) of the service setting to update. For example, arn:aws:ssm:us-east-1:111122223333:servicesetting/ssm/parameter-store/high-throughput-enabled. The setting ID can be one of the following.

• /ssm/appmanager/appmanager-enabled
• /ssm/automation/customer-script-log-destination
• /ssm/automation/customer-script-log-group-name
• /ssm/automation/enable-adaptive-concurrency
• /ssm/documents/console/public-sharing-permission
• /ssm/managed-instance/activation-tier
• /ssm/managed-instance/default-ec2-instance-management-role
• /ssm/opsinsights/opscenter
• /ssm/parameter-store/default-parameter-tier
• /ssm/parameter-store/high-throughput-enabled

Permissions to update the /ssm/managed-instance/default-ec2-instance-management-role setting should only be provided to administrators. Implement least privilege access when allowing individuals to configure or modify the Default Host Management Configuration.

The Organizations unit ID data source for the sync.

The Organizations organization units included in the sync.

If an Amazon Web Services organization is present, this is either OrganizationalUnits or EntireOrganization. For OrganizationalUnits, the data is aggregated from a set of organization units. For EntireOrganization, the data is aggregated from the entire Amazon Web Services organization.

When you create a resource data sync, if you choose one of the Organizations options, then Systems Manager automatically enables all OpsData sources in the selected Amazon Web Services Regions for all Amazon Web Services accounts in your organization (or in the selected organization units). For more information, see Setting up Systems Manager Explorer to display data from multiple accounts and Regions in the Amazon Web Services Systems Manager User Guide.

Whether to automatically synchronize and aggregate data from new Amazon Web Services Regions when those Regions come online.

The SyncSource Amazon Web Services Regions included in the resource data sync.

Information about the AwsOrganizationsSource resource data sync source. A sync source of this type can synchronize data from Organizations.

The type of data source for the resource data sync. SourceType is either AwsOrganizations (if an organization is present in Organizations) or SingleAccountMultiRegions.

Specify information about the data sources to synchronize.

The type of resource data sync. The supported SyncType is SyncFromSource.

The name of the resource data sync you want to update.

The value for the filter key.

Run the DescribePatchProperties command to view lists of valid values for each key based on operating system type.

The key for the filter.

Run the DescribePatchProperties command to view lists of valid keys for each operating system type.

The set of patch filters that make up the group.

For managed nodes identified by the approval rule filters, enables a patch baseline to apply non-security updates available in the specified repository. The default value is false. Applies to Linux managed nodes only.

The cutoff date for auto approval of released patches. Any patches released on or before this date are installed automatically.

Enter dates in the format YYYY-MM-DD. For example, 2024-12-31.

This parameter is marked as Required: No, but your request must include a value for either ApproveUntilDate or ApproveAfterDays.

Not supported for Debian Server or Ubuntu Server.

Use caution when setting this value for Windows Server patch baselines. Because patch updates that are replaced by later updates are removed, setting too broad a value for this parameter can result in crucial patches not being installed. For more information, see the Windows Server tab in the topic How security patches are selected in the Amazon Web Services Systems Manager User Guide.

The number of days after the release date of each patch matched by the rule that the patch is marked as approved in the patch baseline. For example, a value of 7 means that patches are approved seven days after they are released.

This parameter is marked as Required: No, but your request must include a value for either ApproveAfterDays or ApproveUntilDate.

Not supported for Debian Server or Ubuntu Server.

Use caution when setting this value for Windows Server patch baselines. Because patch updates that are replaced by later updates are removed, setting too broad a value for this parameter can result in crucial patches not being installed. For more information, see the Windows Server tab in the topic How security patches are selected in the Amazon Web Services Systems Manager User Guide.

A compliance severity level for all approved patches in a patch baseline.

The patch filter group that defines the criteria for the rule.

The rules that make up the rule group.

The value of the yum repo configuration. For example:

[main]

name=MyCustomRepository

baseurl=https://my-custom-repository

enabled=1

For information about other options available for your yum repository configuration, see dnf.conf(5).

The specific operating system versions a patch repository applies to, such as "Ubuntu16.04", "AmazonLinux2016.09", "RedhatEnterpriseLinux7.2" or "Suse12.7". For lists of supported product values, see PatchFilter.

The name specified to identify the patch source.

Indicates the compliance status of managed nodes for which security-related patches are available but were not approved. This preference is specified when the CreatePatchBaseline or UpdatePatchBaseline commands are run.

Applies to Windows Server managed nodes only.

Information about the patches to use to update the managed nodes, including target operating systems and source repositories. Applies to Linux managed nodes only.

A description of the patch baseline.

The date when the patch baseline was last modified.

The date when the patch baseline was created.

The action specified to take on patches included in the RejectedPatches list. A patch can be allowed only if it is a dependency of another package, or blocked entirely along with packages that include it as a dependency.

A list of explicitly rejected patches for the baseline.

Indicates whether the list of approved patches includes non-security updates that should be applied to the managed nodes. The default value is false. Applies to Linux managed nodes only.

The compliance severity level assigned to the patch baseline after the update completed.

A list of explicitly approved patches for the baseline.

A set of rules used to include patches in the baseline.

A set of global filters used to exclude patches from the baseline.

The operating system rule used by the updated patch baseline.

The name of the patch baseline.

The ID of the deleted patch baseline.

If True, then all fields that are required by the CreatePatchBaseline operation are also required for this API request. Optional fields that aren't specified are set to null.

Indicates the status to be assigned to security patches that are available but not approved because they don't meet the installation criteria specified in the patch baseline.

Example scenario: Security patches that you might want installed can be skipped if you have specified a long period to wait after a patch is released before installation. If an update to the patch is released during your specified waiting period, the waiting period for installing the patch starts over. If the waiting period is too long, multiple versions of the patch could be released but never installed.

Supported for Windows Server managed nodes only.

Information about the patches to use to update the managed nodes, including target operating systems and source repositories. Applies to Linux managed nodes only.

A description of the patch baseline.

The action for Patch Manager to take on patches included in the RejectedPackages list.

ALLOW_AS_DEPENDENCY Linux and macOS: A package in the rejected patches list is installed only if it is a dependency of another package. It is considered compliant with the patch baseline, and its status is reported as INSTALLED_OTHER. This is the default action if no option is specified.

Windows Server: Windows Server doesn't support the concept of package dependencies. If a package in the rejected patches list and already installed on the node, its status is reported as INSTALLED_OTHER. Any package not already installed on the node is skipped. This is the default action if no option is specified.

BLOCK All OSs: Packages in the rejected patches list, and packages that include them as dependencies, aren't installed by Patch Manager under any circumstances. If a package was installed before it was added to the rejected patches list, or is installed outside of Patch Manager afterward, it's considered noncompliant with the patch baseline and its status is reported as INSTALLED_REJECTED.

A list of explicitly rejected patches for the baseline.

For information about accepted formats for lists of approved patches and rejected patches, see Package name formats for approved and rejected patch lists in the Amazon Web Services Systems Manager User Guide.

Indicates whether the list of approved patches includes non-security updates that should be applied to the managed nodes. The default value is false. Applies to Linux managed nodes only.

Assigns a new compliance severity level to an existing patch baseline.

A list of explicitly approved patches for the baseline.

For information about accepted formats for lists of approved patches and rejected patches, see Package name formats for approved and rejected patch lists in the Amazon Web Services Systems Manager User Guide.

A set of rules used to include patches in the baseline.

A set of global filters used to include patches in the baseline.

The GlobalFilters parameter can be configured only by using the CLI or an Amazon Web Services SDK. It can't be configured from the Patch Manager console, and its value isn't displayed in the console.

The name of the patch baseline.

The ID of the patch baseline to update.

The Amazon Resource Name (ARN) of the OpsMetadata Object that was updated.

Metadata value to assign to an Application Manager application.

The metadata keys to delete from the OpsMetadata object.

Metadata to add to an OpsMetadata object.

The Amazon Resource Name (ARN) of the OpsMetadata Object to update.

The type of key-value pair. Valid types include SearchableString and String.

The value of the OperationalData key.

The Amazon Resource Name (ARN) of an Amazon Simple Notification Service (Amazon SNS) topic where notifications are sent when this OpsItem is edited or changed.

The ID of an OpsItem related to the current OpsItem.

The OpsItem Amazon Resource Name (ARN).

The time specified in a change request for a runbook workflow to end. Currently supported only for the OpsItem type /aws/changerequest.

The time specified in a change request for a runbook workflow to start. Currently supported only for the OpsItem type /aws/changerequest.

The time a runbook workflow ended. Currently reported only for the OpsItem type /aws/changerequest.

The time a runbook workflow started. Currently reported only for the OpsItem type /aws/changerequest.

Specify a new severity for an OpsItem.

Specify a new category for an OpsItem.

A short heading that describes the nature of the OpsItem and the impacted resource.

The ID of the OpsItem.

The OpsItem status. For more information, see Editing OpsItem details in the Amazon Web Services Systems Manager User Guide.

One or more OpsItems that share something in common with the current OpsItems. For example, related OpsItems can include OpsItems with similar error messages, impacted resources, or statuses for the impacted resource.

The importance of this OpsItem in relation to other OpsItems in the system.

The Amazon Resource Name (ARN) of an SNS topic where notifications are sent when this OpsItem is edited or changed.

Keys that you want to remove from the OperationalData map.

Add new keys or edit existing key-value pairs of the OperationalData map in the OpsItem object.

Operational data is custom data that provides useful reference details about the OpsItem. For example, you can specify log files, error strings, license keys, troubleshooting tips, or other relevant data. You enter operational data as key-value pairs. The key has a maximum length of 128 characters. The value has a maximum size of 20 KB.

Operational data keys can't begin with the following: amazon, aws, amzn, ssm, /amazon, /aws, /amzn, /ssm.

You can choose to make the data searchable by other users in the account or you can restrict search access. Searchable data means that all users with access to the OpsItem Overview page (as provided by the DescribeOpsItems API operation) can view and search on the specified data. Operational data that isn't searchable is only viewable by users who have access to the OpsItem (as provided by the GetOpsItem API operation).

Use the /aws/resources key in OperationalData to specify a related resource in the request. Use the /aws/automations key in OperationalData to associate an Automation runbook with the OpsItem. To view Amazon Web Services CLI example commands that use these keys, see Creating OpsItems manually in the Amazon Web Services Systems Manager User Guide.

User-defined text that contains information about the OpsItem, in Markdown format.

The name of the Identity and Access Management (IAM) role that you want to assign to the managed node. This IAM role must provide AssumeRole permissions for the Amazon Web Services Systems Manager service principal ssm.amazonaws.com. For more information, see Create the IAM service role required for Systems Manager in hybrid and multicloud environments in the Amazon Web Services Systems Manager User Guide.

You can't specify an IAM service-linked role for this parameter. You must create a unique role.

The ID of the managed node where you want to update the role.

User-defined criteria that maps to Key. For example, if you specified tag:ServerRole, you could specify value:WebServer to run a command on instances that include EC2 tags of ServerRole,WebServer.

Depending on the type of target, the maximum number of values for a key might be lower than the global maximum of 50.

User-defined criteria for sending commands that target managed nodes that meet the criteria.

This field contains an array of 0 or more strings, each 1 to 255 characters in length.

Enables Systems Manager to send command output to CloudWatch Logs.

The name of the CloudWatch Logs log group where you want to send command output. If you don't specify a group name, Amazon Web Services Systems Manager automatically creates a log group for you. The log group uses the following naming format:

aws/ssm/{i SystemsManagerDocumentName} 

The type of notification.

• Command: Receive notification when the status of a command changes.
• Invocation: For commands sent to multiple managed nodes, receive notification on a per-node basis when the status of a command changes.

The different events for which you can receive notifications. To learn more about these events, see Monitoring Systems Manager status changes using Amazon SNS notifications in the Amazon Web Services Systems Manager User Guide.

An Amazon Resource Name (ARN) for an Amazon Simple Notification Service (Amazon SNS) topic. Run Command pushes notifications about command status changes to this topic.

If this time is reached and the command hasn't already started running, it doesn't run.

The Amazon Resource Name (ARN) of the IAM service role for Amazon Web Services Systems Manager to assume when running a maintenance window task. If you do not specify a service role ARN, Systems Manager uses a service-linked role in your account. If no appropriate service-linked role for Systems Manager exists in your account, it is created when you run RegisterTaskWithMaintenanceWindow.

However, for an improved security posture, we strongly recommend creating a custom policy and custom service role for running your maintenance window tasks. The policy can be crafted to provide only the permissions needed for your particular maintenance window tasks. For more information, see Setting up Maintenance Windows in the in the Amazon Web Services Systems Manager User Guide.

The parameters for the RUN_COMMAND task execution.

The S3 bucket subfolder.

The name of the Amazon Simple Storage Service (Amazon S3) bucket.

Configurations for sending notifications about command status changes on a per-managed node basis.

The Amazon Web Services Systems Manager document (SSM document) version to use in the request. You can specify $DEFAULT, $LATEST, or a specific version number. If you run commands by using the Amazon Web Services CLI, then you must escape the first two options by using a backslash. If you specify a version number, then you don't need to use the backslash. For example:

--document-version "\$DEFAULT"

--document-version "\$LATEST"

--document-version "3"

SHA-256 or SHA-1. SHA-1 hashes have been deprecated.

The SHA-256 or SHA-1 hash created by the system when the document was created. SHA-1 hashes have been deprecated.

Information about the commands to run.

The parameters for the AUTOMATION task.

For information about specifying and updating task parameters, see RegisterTaskWithMaintenanceWindow and UpdateMaintenanceWindowTask.

LoggingInfo has been deprecated. To specify an Amazon Simple Storage Service (Amazon S3) bucket to contain logs, instead use the OutputS3BucketName and OutputS3KeyPrefix options in the TaskInvocationParameters structure. For information about how Amazon Web Services Systems Manager handles these options for the supported maintenance window task types, see MaintenanceWindowTaskInvocationParameters.

TaskParameters has been deprecated. To specify parameters to pass to a task when it runs, instead use the Parameters option in the TaskInvocationParameters structure. For information about how Systems Manager handles these options for the supported maintenance window task types, see MaintenanceWindowTaskInvocationParameters.

For AUTOMATION task types, Amazon Web Services Systems Manager ignores any values specified for these parameters.

The version of an Automation runbook to use during task execution.

The name of the STEP_FUNCTIONS task.

The inputs for the STEP_FUNCTIONS task.

JSON to provide to your Lambda function as input.

(Optional) Specify an Lambda function version or alias name. If you specify a function version, the operation uses the qualified function Amazon Resource Name (ARN) to invoke a specific Lambda function. If you specify an alias name, the operation uses the alias ARN to invoke the Lambda function version to which the alias points.

Pass client-specific information to the Lambda function that you are invoking. You can then process the client information in your Lambda function as you choose through the context variable.

The parameters for a LAMBDA task type.

The parameters for a STEP_FUNCTIONS task type.

The parameters for an AUTOMATION task type.

The parameters for a RUN_COMMAND task type.

The Amazon Web Services Region where the S3 bucket is located.

(Optional) The S3 bucket subfolder.

The name of an S3 bucket where execution logs are stored.

The name of your CloudWatch alarm.

The name of the CloudWatch alarm specified in the configuration.

When this value is true, your automation or command continues to run in cases where we can’t retrieve alarm status information from CloudWatch. In cases where we successfully retrieve an alarm status of OK or INSUFFICIENT_DATA, the automation or command continues to run, regardless of this value. Default is false.

The details for the CloudWatch alarm you applied to your maintenance window task.

The specification for whether tasks should continue to run after the cutoff time specified in the maintenance windows is reached.

The updated task description.

The updated task name.

The updated logging information in Amazon S3.

LoggingInfo has been deprecated. To specify an Amazon Simple Storage Service (Amazon S3) bucket to contain logs, instead use the OutputS3BucketName and OutputS3KeyPrefix options in the TaskInvocationParameters structure. For information about how Amazon Web Services Systems Manager handles these options for the supported maintenance window task types, see MaintenanceWindowTaskInvocationParameters.

The updated MaxErrors value.

The updated MaxConcurrency value.

The updated priority value.

The updated parameter values.

The updated parameter values.

TaskParameters has been deprecated. To specify parameters to pass to a task when it runs, instead use the Parameters option in the TaskInvocationParameters structure. For information about how Systems Manager handles these options for the supported maintenance window task types, see MaintenanceWindowTaskInvocationParameters.

The Amazon Resource Name (ARN) of the IAM service role for Amazon Web Services Systems Manager to assume when running a maintenance window task. If you do not specify a service role ARN, Systems Manager uses a service-linked role in your account. If no appropriate service-linked role for Systems Manager exists in your account, it is created when you run RegisterTaskWithMaintenanceWindow.

However, for an improved security posture, we strongly recommend creating a custom policy and custom service role for running your maintenance window tasks. The policy can be crafted to provide only the permissions needed for your particular maintenance window tasks. For more information, see Setting up Maintenance Windows in the in the Amazon Web Services Systems Manager User Guide.

The updated task ARN value.

The updated target values.

The task ID of the maintenance window that was updated.

The ID of the maintenance window that was updated.

The CloudWatch alarm you want to apply to your maintenance window task.

Indicates whether tasks should continue to run after the cutoff time specified in the maintenance windows is reached.

• CONTINUE_TASK: When the cutoff time is reached, any tasks that are running continue. The default value.

• CANCEL_TASK:

  • For Automation, Lambda, Step Functions tasks: When the cutoff time is reached, any task invocations that are already running continue, but no new task invocations are started.
  • For Run Command tasks: When the cutoff time is reached, the system sends a CancelCommand operation that attempts to cancel the command associated with the task. However, there is no guarantee that the command will be terminated and the underlying process stopped.

  The status for tasks that are not completed is TIMED_OUT.

If True, then all fields that are required by the RegisterTaskWithMaintenanceWindow operation are also required for this API request. Optional fields that aren't specified are set to null.

The new task description to specify.

The new task name to specify.

The new logging location in Amazon S3 to specify.

LoggingInfo has been deprecated. To specify an Amazon Simple Storage Service (Amazon S3) bucket to contain logs, instead use the OutputS3BucketName and OutputS3KeyPrefix options in the TaskInvocationParameters structure. For information about how Amazon Web Services Systems Manager handles these options for the supported maintenance window task types, see MaintenanceWindowTaskInvocationParameters.

The new MaxErrors value to specify. MaxErrors is the maximum number of errors that are allowed before the task stops being scheduled.

Although this element is listed as "Required: No", a value can be omitted only when you are registering or updating a targetless task You must provide a value in all other cases.

For maintenance window tasks without a target specified, you can't supply a value for this option. Instead, the system inserts a placeholder value of 1. This value doesn't affect the running of your task.

The new MaxConcurrency value you want to specify. MaxConcurrency is the number of targets that are allowed to run this task, in parallel.

Although this element is listed as "Required: No", a value can be omitted only when you are registering or updating a targetless task You must provide a value in all other cases.

For maintenance window tasks without a target specified, you can't supply a value for this option. Instead, the system inserts a placeholder value of 1. This value doesn't affect the running of your task.

The new task priority to specify. The lower the number, the higher the priority. Tasks that have the same priority are scheduled in parallel.

The parameters that the task should use during execution. Populate only the fields that match the task type. All other fields should be empty.

When you update a maintenance window task that has options specified in TaskInvocationParameters, you must provide again all the TaskInvocationParameters values that you want to retain. The values you don't specify again are removed. For example, suppose that when you registered a Run Command task, you specified TaskInvocationParameters values for Comment, NotificationConfig, and OutputS3BucketName. If you update the maintenance window task and specify only a different OutputS3BucketName value, the values for Comment and NotificationConfig are removed.

The parameters to modify.

TaskParameters has been deprecated. To specify parameters to pass to a task when it runs, instead use the Parameters option in the TaskInvocationParameters structure. For information about how Systems Manager handles these options for the supported maintenance window task types, see MaintenanceWindowTaskInvocationParameters.

The map has the following format:

Key: string, between 1 and 255 characters

Value: an array of strings, each string is between 1 and 255 characters

The Amazon Resource Name (ARN) of the IAM service role for Amazon Web Services Systems Manager to assume when running a maintenance window task. If you do not specify a service role ARN, Systems Manager uses a service-linked role in your account. If no appropriate service-linked role for Systems Manager exists in your account, it is created when you run RegisterTaskWithMaintenanceWindow.

However, for an improved security posture, we strongly recommend creating a custom policy and custom service role for running your maintenance window tasks. The policy can be crafted to provide only the permissions needed for your particular maintenance window tasks. For more information, see Setting up Maintenance Windows in the in the Amazon Web Services Systems Manager User Guide.

The task ARN to modify.

The targets (either managed nodes or tags) to modify. Managed nodes are specified using the format Key=instanceids,Values=instanceID_1,instanceID_2. Tags are specified using the format Key=tag_name,Values=tag_value.

One or more targets must be specified for maintenance window Run Command-type tasks. Depending on the task, targets are optional for other maintenance window task types (Automation, Lambda, and Step Functions). For more information about running tasks that don't specify targets, see Registering maintenance window tasks without targets in the Amazon Web Services Systems Manager User Guide.

The task ID to modify.

The maintenance window ID that contains the task to modify.

The updated description.

The updated name.

The updated owner.

The updated targets.

The target ID specified in the update request.

The maintenance window ID specified in the update request.

If True, then all fields that are required by the RegisterTargetWithMaintenanceWindow operation are also required for this API request. Optional fields that aren't specified are set to null.

An optional description for the update.

A name for the update.

User-provided value that will be included in any Amazon CloudWatch Events events raised while running tasks for these targets in this maintenance window.

The targets to add or replace.

The target ID to modify.

The maintenance window ID with which to modify the target.

Whether the maintenance window is enabled.

Whether targets must be registered with the maintenance window before tasks can be defined for those targets.

The number of hours before the end of the maintenance window that Amazon Web Services Systems Manager stops scheduling new tasks for execution.

The duration of the maintenance window in hours.

The number of days to wait to run a maintenance window after the scheduled cron expression date and time.

The time zone that the scheduled maintenance window executions are based on, in Internet Assigned Numbers Authority (IANA) format. For example: "America/Los_Angeles", "UTC", or "Asia/Seoul". For more information, see the Time Zone Database on the IANA website.

The schedule of the maintenance window in the form of a cron or rate expression.

The date and time, in ISO-8601 Extended format, for when the maintenance window is scheduled to become inactive. The maintenance window won't run after this specified time.

The date and time, in ISO-8601 Extended format, for when the maintenance window is scheduled to become active. The maintenance window won't run before this specified time.

An optional description of the update.

The name of the maintenance window.

The ID of the created maintenance window.

If True, then all fields that are required by the CreateMaintenanceWindow operation are also required for this API request. Optional fields that aren't specified are set to null.

Whether the maintenance window is enabled.

Whether targets must be registered with the maintenance window before tasks can be defined for those targets.

The number of hours before the end of the maintenance window that Amazon Web Services Systems Manager stops scheduling new tasks for execution.

The duration of the maintenance window in hours.

The number of days to wait after the date and time specified by a cron expression before running the maintenance window.

For example, the following cron expression schedules a maintenance window to run the third Tuesday of every month at 11:30 PM.

cron(30 23 ? * TUE#3 *)

If the schedule offset is 2, the maintenance window won't run until two days later.

The time zone that the scheduled maintenance window executions are based on, in Internet Assigned Numbers Authority (IANA) format. For example: "America/Los_Angeles", "UTC", or "Asia/Seoul". For more information, see the Time Zone Database on the IANA website.

The schedule of the maintenance window in the form of a cron or rate expression.

The date and time, in ISO-8601 Extended format, for when you want the maintenance window to become inactive. EndDate allows you to set a date and time in the future when the maintenance window will no longer run.

The date and time, in ISO-8601 Extended format, for when you want the maintenance window to become active. StartDate allows you to delay activation of the maintenance window until the specified future date.

When using a rate schedule, if you provide a start date that occurs in the past, the current date and time are used as the start date.

An optional description for the update request.

The name of the maintenance window.

The ID of the maintenance window to update.

If specified, the default values for the parameters. Parameters without a default value are required. Parameters with a default value are optional.

A description of what the parameter does, how to use it, the default value, and whether or not the parameter is optional.

The type of parameter. The type can be either String or StringList.

The name of the parameter.

The value of the tag.

The name of the tag.

The name of the attachment.

An optional field specifying the version of the artifact associated with the document. For example, 12.6. This value is unique across all versions of a document, and can't be changed.

The document type of the required SSM document.

The document version required by the current document.

The name of the required SSM document. The name can be an Amazon Resource Name (ARN).

The reviewer assigned to take action on the document review request.

The current status of the document review request.

The time that the reviewer took action on the document review request.

The value that identifies a document's category.

The classification of a document to help you identify and categorize its use.

The current status of the review.

The version of the document that is currently under review.

The version of the document currently approved for use in the organization.

Details about the review of a document.

The user in your organization who created the document.

A list of SSM documents required by a document. For example, an ApplicationConfiguration document requires an ApplicationConfigurationSchema document.

Details about the document attachments, including names, locations, sizes, and so on.

The tags, or metadata, that have been applied to the document.

The target type which defines the kinds of resources the document can run on. For example, /AWS::EC2::Instance. For a list of valid resource types, see Amazon Web Services resource and property types reference in the CloudFormation User Guide.

The document format, either JSON or YAML.

The default version.

The latest version of the document.

The schema version.

The type of document.

The list of operating system (OS) platforms compatible with this SSM document.

A description of the parameters for a document.

A description of the document.

The document version.

A message returned by Amazon Web Services Systems Manager that explains the Status value. For example, a Failed status might be explained by the StatusInformation message, "The specified S3 bucket doesn't exist. Verify that the URL of the S3 bucket is correct."

The status of the SSM document.

The date when the document was created.

The Amazon Web Services user that created the document.

The version of the artifact associated with the document.

The friendly name of the SSM document. This value can differ for each version of the document. If you want to update this value, see UpdateDocument.

The name of the SSM document.

The hash type of the document. Valid values include Sha256 or Sha1.

Sha1 hashes have been deprecated.

The Sha256 or Sha1 hash created by the system when the document was created.

Sha1 hashes have been deprecated.

The SHA1 hash of the document, which you can use for verification.

A description of the document that was updated.

The name of the document attachment file.

The value of a key-value pair that identifies the location of an attachment to a document. The format for Value depends on the type of key you specify.

• For the key SourceUrl, the value is an S3 bucket location. For example:

  "Values": [ "s3://amzn-s3-demo-bucket/my-prefix" ]

• For the key S3FileUrl, the value is a file in an S3 bucket. For example:

  "Values": [ "s3://amzn-s3-demo-bucket/my-prefix/my-file.py" ]

• For the key AttachmentReference, the value is constructed from the name of another SSM document in your account, a version number of that document, and a file attached to that document version that you want to reuse. For example:

  "Values": [ "MyOtherDocument/3/my-other-file.py" ]

  However, if the SSM document is shared with you from another account, the full SSM document ARN must be specified instead of the document name only. For example:

  "Values": [ "arn:aws:ssm:us-east-2:111122223333:document/OtherAccountDocument/3/their-file.py" ]

The key of a key-value pair that identifies the location of an attachment to a document.

Specify a new target type for the document.

Specify the document format for the new document version. Systems Manager supports JSON and YAML documents. JSON is the default format.

The version of the document that you want to update. Currently, Systems Manager supports updating only the latest version of the document. You can specify the version number of the latest version or use the $LATEST variable.

If you change a document version for a State Manager association, Systems Manager immediately runs the association unless you previously specifed the apply-only-at-cron-interval parameter.

An optional field specifying the version of the artifact you are updating with the document. For example, 12.6. This value is unique across all versions of a document, and can't be changed.

The friendly name of the SSM document that you want to update. This value can differ for each version of the document. If you don't specify a value for this parameter in your request, the existing value is applied to the new document version.

The name of the SSM document that you want to update.

A list of key-value pairs that describe attachments to a version of a document.

A valid JSON or YAML string.

The content of a comment entered by a user who requests a review of a new document version, or who reviews the new version.

The type of information added to a review request. Currently, only the value Comment is supported.

A comment entered by a user in your organization about the document review request.

The action to take on a document approval review request.

The change template review details to update.

The version of a change template in which to update approval metadata.

The name of the change template for which a version's metadata is to be updated.

The SSM document doesn't exist or the document isn't available to the user. This exception can be issued by various API operations.

The default version of the artifact associated with the document.

The default version of the document.

The name of the document.

The description of a custom document that you want to set as the default version.

The version of a custom document that you want to set as the default version.

The name of a custom document that you want to set as the default version.

A description of the validation error.

A user-defined string.

The reason for the status.

The status.

The date when the status changed.

Returns the number of targets for the association status. For example, if you created an association with two managed nodes, and one of them was successful, this would return the count of managed nodes by status.

A detailed status of the association.

The status of the association. Status can be: Pending, Success, or Failed.

The S3 bucket subfolder.

The name of the S3 bucket.

The Amazon Web Services Region of the S3 bucket.

An S3 bucket where you want to store the results of this request.

The maximum number of errors that are allowed before the system stops running the automation on additional targets. This TargetsMaxErrors parameter takes precedence over the StartAutomationExecution:MaxErrors parameter if both are supplied.

The maximum number of targets allowed to run this task in parallel. This TargetsMaxConcurrency takes precedence over the StartAutomationExecution:MaxConcurrency parameter if both are supplied.

A list of key-value mappings to target resources. If you specify values for this data type, you must also specify a value for TargetParameterName.

This Targets parameter takes precedence over the StartAutomationExecution:Targets parameter if both are supplied.

Amazon Web Services accounts or organizational units to exclude as expanded targets.

Indicates whether to include child organizational units (OUs) that are children of the targeted OUs. The default is false.

The Automation execution role used by the currently running Automation. If not specified, the default value is AWS-SystemsManager-AutomationExecutionRole.

The maximum number of errors allowed before the system stops queueing additional Automation executions for the currently running Automation.

The maximum number of Amazon Web Services Regions and Amazon Web Services accounts allowed to run the Automation concurrently.

The Amazon Web Services Regions targeted by the current Automation execution.

The Amazon Web Services accounts targeted by the current Automation execution.

The state of your CloudWatch alarm.

The name of your CloudWatch alarm.

The CloudWatch alarm that was invoked during the association.

A key-value mapping of document parameters to target resources. Both Targets and TargetMaps can't be specified together.

The number of hours that an association can run on specified targets. After the resulting cutoff time passes, associations that are currently running are cancelled, and no pending executions are started on remaining targets.

Number of days to wait after the scheduled day to run an association.

The combination of Amazon Web Services Regions and Amazon Web Services accounts where you want to run the association.

The names or Amazon Resource Names (ARNs) of the Change Calendar type documents your associations are gated under. The associations only run when that change calendar is open. For more information, see Amazon Web Services Systems Manager Change Calendar in the Amazon Web Services Systems Manager User Guide.

By default, when you create a new associations, the system runs it immediately after it is created and then according to the schedule you specified. Specify this option if you don't want an association to run immediately after you create it. This parameter isn't supported for rate expressions.

The mode for generating association compliance. You can specify AUTO or MANUAL. In AUTO mode, the system uses the status of the association execution to determine the compliance status. If the association execution runs successfully, then the association is COMPLIANT. If the association execution doesn't run successfully, the association is NON-COMPLIANT.

In MANUAL mode, you must specify the AssociationId as a parameter for the PutComplianceItems API operation. In this case, compliance data isn't managed by State Manager, a tool in Amazon Web Services Systems Manager. It is managed by your direct call to the PutComplianceItems API operation.

By default, all associations use AUTO mode.

The severity level that is assigned to the association.

The maximum number of targets allowed to run the association at the same time. You can specify a number, for example 10, or a percentage of the target set, for example 10%. The default value is 100%, which means all targets run the association at the same time.

If a new managed node starts and attempts to run an association while Systems Manager is running MaxConcurrency associations, the association is allowed to run. During the next association interval, the new managed node will process its association within the limit specified for MaxConcurrency.

The number of errors that are allowed before the system stops sending requests to run the association on additional targets. You can specify either an absolute number of errors, for example 10, or a percentage of the target set, for example 10%. If you specify 3, for example, the system stops sending requests when the fourth error is received. If you specify 0, then the system stops sending requests after the first error is returned. If you run an association on 50 managed nodes and set MaxError to 10%, then the system stops sending the request when the sixth error is received.

Executions that are already running an association when MaxErrors is reached are allowed to complete, but some of these executions may fail as well. If you need to ensure that there won't be more than max-errors failed executions, set MaxConcurrency to 1 so that executions proceed one at a time.

The association name.

The last date on which the association was successfully run.

The date on which the association was last run.

An S3 bucket where you want to store the output details of the request.

A cron expression that specifies a schedule when the association runs.

The managed nodes targeted by the request.

The association ID.

A description of the parameters for a document.

Choose the parameter that will define how your automation will branch out. This target is required for associations that use an Automation runbook and target resources by using rate controls. Automation is a tool in Amazon Web Services Systems Manager.

The document version.

Information about the association.

The association status.

The date when the association was last updated.

The date when the association was made.

The association version.

The managed node ID.

The name of the SSM document.

Information about the association.

The association status.

The managed node ID.

The name of the SSM document.

The description of the association that was updated.

A key-value mapping of document parameters to target resources. Both Targets and TargetMaps can't be specified together.

The number of hours the association can run before it is canceled. Duration applies to associations that are currently running, and any pending and in progress commands on all targets. If a target was taken offline for the association to run, it is made available again immediately, without a reboot.

The Duration parameter applies only when both these conditions are true:

• The association for which you specify a duration is cancelable according to the parameters of the SSM command document or Automation runbook associated with this execution.

• The command specifies the

   {{:https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_UpdateAssociation.html#systemsmanager-UpdateAssociation-request-ApplyOnlyAtCronInterval}ApplyOnlyAtCronInterval} 

  parameter, which means that the association doesn't run immediately after it is updated, but only according to the specified schedule.

Number of days to wait after the scheduled day to run an association. For example, if you specified a cron schedule of cron(0 0 ? * THU#2 *), you could specify an offset of 3 to run the association each Sunday after the second Thursday of the month. For more information about cron schedules for associations, see Reference: Cron and rate expressions for Systems Manager in the Amazon Web Services Systems Manager User Guide.

To use offsets, you must specify the ApplyOnlyAtCronInterval parameter. This option tells the system not to run an association immediately after you create it.

A location is a combination of Amazon Web Services Regions and Amazon Web Services accounts where you want to run the association. Use this action to update an association in multiple Regions and multiple accounts.

The names or Amazon Resource Names (ARNs) of the Change Calendar type documents you want to gate your associations under. The associations only run when that change calendar is open. For more information, see Amazon Web Services Systems Manager Change Calendar in the Amazon Web Services Systems Manager User Guide.

By default, when you update an association, the system runs it immediately after it is updated and then according to the schedule you specified. Specify true for ApplyOnlyAtCronInterval if you want the association to run only according to the schedule you specified.

If you chose this option when you created an association and later you edit that association or you make changes to the Automation runbook or SSM document on which that association is based, State Manager applies the association at the next specified cron interval. For example, if you chose the Latest version of an SSM document when you created an association and you edit the association by choosing a different document version on the Documents page, State Manager applies the association at the next specified cron interval if you previously set ApplyOnlyAtCronInterval to true. If this option wasn't selected, State Manager immediately runs the association.

For more information, see Understanding when associations are applied to resources and About target updates with Automation runbooks in the Amazon Web Services Systems Manager User Guide.

This parameter isn't supported for rate expressions.

You can reset this parameter. To do so, specify the no-apply-only-at-cron-interval parameter when you update the association from the command line. This parameter forces the association to run immediately after updating it and according to the interval specified.

The mode for generating association compliance. You can specify AUTO or MANUAL. In AUTO mode, the system uses the status of the association execution to determine the compliance status. If the association execution runs successfully, then the association is COMPLIANT. If the association execution doesn't run successfully, the association is NON-COMPLIANT.

In MANUAL mode, you must specify the AssociationId as a parameter for the PutComplianceItems API operation. In this case, compliance data isn't managed by State Manager, a tool in Amazon Web Services Systems Manager. It is managed by your direct call to the PutComplianceItems API operation.

By default, all associations use AUTO mode.

The severity level to assign to the association.

The maximum number of targets allowed to run the association at the same time. You can specify a number, for example 10, or a percentage of the target set, for example 10%. The default value is 100%, which means all targets run the association at the same time.

If a new managed node starts and attempts to run an association while Systems Manager is running MaxConcurrency associations, the association is allowed to run. During the next association interval, the new managed node will process its association within the limit specified for MaxConcurrency.

The number of errors that are allowed before the system stops sending requests to run the association on additional targets. You can specify either an absolute number of errors, for example 10, or a percentage of the target set, for example 10%. If you specify 3, for example, the system stops sending requests when the fourth error is received. If you specify 0, then the system stops sending requests after the first error is returned. If you run an association on 50 managed nodes and set MaxError to 10%, then the system stops sending the request when the sixth error is received.

Executions that are already running an association when MaxErrors is reached are allowed to complete, but some of these executions may fail as well. If you need to ensure that there won't be more than max-errors failed executions, set MaxConcurrency to 1 so that executions proceed one at a time.

Choose the parameter that will define how your automation will branch out. This target is required for associations that use an Automation runbook and target resources by using rate controls. Automation is a tool in Amazon Web Services Systems Manager.

This parameter is provided for concurrency control purposes. You must specify the latest association version in the service. If you want to ensure that this request succeeds, either specify $LATEST, or omit this parameter.

The name of the association that you want to update.

The targets of the association.

The name of the SSM Command document or Automation runbook that contains the configuration information for the managed node.

You can specify Amazon Web Services-predefined documents, documents you created, or a document that is shared with you from another account.

For Systems Manager document (SSM document) that are shared with you from other Amazon Web Services accounts, you must specify the complete SSM document ARN, in the following format:

arn:aws:ssm:{i region}:{i account-id}:document/{i document-name} 

For example:

arn:aws:ssm:us-east-2:12345678912:document/My-Shared-Document

For Amazon Web Services-predefined documents and SSM documents you created in your account, you only need to specify the document name. For example, AWS-ApplyPatchBaseline or My-Document.

An S3 bucket where you want to store the results of this request.

The cron expression used to schedule the association that you want to update.

The document version you want update for the association.

State Manager doesn't support running associations that use a new version of a document if that document is shared from another account. State Manager always runs the default version of a document if shared from another account, even though the Systems Manager console shows that a new version was processed. If you want to run an association using a new version of a document shared form another account, you must set the document version to default.

The parameters you want to update for the association. If you create a parameter using Parameter Store, a tool in Amazon Web Services Systems Manager, you can reference the parameter using {{ssm:parameter-name}}.

The ID of the association you want to update.