Systems Manager and event-driven automation: managing resources for SOA-C03
Automating the management of existing resources means running day-two operations — patching, configuration enforcement, ad hoc commands, and remediation — through AWS Systems Manager and event-driven services instead of SSH sessions and hand-run scripts. It is one of two tasks in Domain 3 (Deployment, Provisioning, and Automation), worth 22% of your scored SOA-C03 content, and it supplies some of the exam's most reliable one-liners: shell access without SSH means Session Manager, continuously enforced configuration means State Manager, patch compliance means Patch Manager, and an instance missing from Systems Manager means the agent, the IAM role, or the network path. This lesson covers the managed-instance prerequisites, each Systems Manager capability and when to choose it, an end-to-end automated patching campaign, and event-driven automation with EventBridge, S3 Event Notifications, and Lambda.
On this page8 sections
- Managed instances: the three prerequisites Systems Manager needs
- Session Manager and Run Command: interactive access and commands at scale
- Automation runbooks: multi-step operational workflows
- Patch Manager and maintenance windows: an automated patching campaign
- State Manager, Inventory, and Parameter Store: continuous configuration
- Choosing the right Systems Manager capability
- Event-driven automation: EventBridge, S3 events, and Lambda
- Automating processes end to end: patterns and trade-offs
- Diagnose why an instance is missing from Systems Manager by checking the SSM Agent, the instance profile, and the network path
- Operate a fleet with Session Manager, Run Command, Automation runbooks, and maintenance windows
- Design an automated patching campaign with patch baselines, patch groups, maintenance windows, and compliance reporting
- Enforce configuration continuously with State Manager associations and track fleet state with Inventory
- Build event-driven automation with EventBridge rules, S3 Event Notifications, and Lambda
- Choose between runbooks, Lambda, and State Manager for the least operational overhead
Managed instances: the three prerequisites Systems Manager needs
Systems Manager can only operate on instances it can see, and visibility rests on three prerequisites. First, the SSM Agent must be installed and running on the instance — it comes preinstalled on many AWS-provided AMIs, but a custom or minimal image may lack it, and a stopped or crashed agent makes the instance invisible. Second, the instance needs an IAM instance profile that lets the agent talk to the service — the managed policy AmazonSSMManagedInstanceCore is the standard grant. Third, the agent needs a network path to the Systems Manager endpoints (the ssm, ssmmessages, and ec2messages services): the agent makes outbound HTTPS connections, so it needs internet egress through an internet or NAT gateway, or — for private subnets with no internet access — interface VPC endpoints for those services.
The classic exam scenario: an instance does not appear in the managed-instance list, so Run Command, Session Manager, and Patch Manager all ignore it. Diagnose in exactly those three directions. Is the agent installed and running? Restart it and check its logs. Does the instance profile include AmazonSSMManagedInstanceCore? Attaching a role after launch works, but the agent has to pick up the new credentials. Can the instance reach the endpoints? The sneaky variant is an instance in a private subnet with no NAT gateway and no VPC endpoints — the agent simply cannot connect, and the security groups on interface endpoints must also allow inbound HTTPS from the instances. When a question says an instance is missing from Systems Manager, the answer is one of these three; nothing else in the scenario matters.
Session Manager and Run Command: interactive access and commands at scale
Session Manager gives you an interactive shell on a managed instance without SSH keys, bastion hosts, or any open inbound ports. The SSM Agent maintains an outbound connection to the service and sessions are brokered over it — so security groups can block all inbound traffic and you still get a shell from the console or CLI. Access is controlled by IAM policies rather than distributed keys, and sessions can be logged to CloudWatch Logs or S3 for a full audit trail of who connected and what they ran. Any scenario asking you to eliminate bastions, stop managing SSH keys, close port 22, or audit interactive access is a Session Manager answer.
Run Command is for commands, not conversations: execute a Systems Manager document — AWS-RunShellScript on Linux, AWS-RunPowerShellScript on Windows — across one instance or thousands, targeting by tags or resource groups instead of maintaining instance lists. Rate controls set how many instances run the command concurrently and how many errors stop the rollout, so one bad command cannot take down a whole fleet at once, and output can be shipped to S3 for review. Run Command is the ad hoc, imperative tool: restart a service everywhere, collect a log file, apply an urgent one-time fix. If the same command needs to run continuously to keep instances in a desired state, that is no longer Run Command's job — that is State Manager, covered below.
Automation runbooks: multi-step operational workflows
Automation runbooks are Systems Manager's multi-step workflows: a runbook defines a sequence of steps that call AWS APIs, run scripts, invoke Run Command on instances, or wait for conditions, with each step's output available to later steps. AWS ships predefined runbooks for common operations — AWS-RestartEC2Instance, AWS-StopEC2Instance, AWS-CreateImage — and you author custom runbooks when the procedure is your own. Runbooks are how you turn a wiki page of manual steps ('snapshot the volume, stop the instance, resize it, start it, verify') into a single executable, repeatable operation that behaves the same at 3am as it does in a change window.
Two features matter at exam depth. Approval steps pause the workflow until designated approvers sign off, so a runbook can automate a risky procedure while keeping a human decision in the loop — automation with a brake. And rate controls let a runbook target many resources with bounded concurrency and error thresholds, the same safety valves Run Command offers.
Runbooks are also the standard target of other automation: a maintenance window can run one on a schedule, and an EventBridge rule can invoke one in response to an event — which is how detection (an alarm, a finding, a state change) becomes remediation without a human in the chain. When a question describes a multi-step operational procedure that should be standardized, repeatable, and optionally gated by an approval, the answer is an Automation runbook.
Patch Manager and maintenance windows: an automated patching campaign
Patch Manager is the exam's patching answer, and it is worth walking a real campaign end to end. Say you run 200 Linux instances across three environments and must patch on a schedule with evidence for auditors.
First, the patch baseline defines what patched means: which patch classifications and severities are approved, any explicitly approved or rejected patches, and an auto-approval delay — for example, approving security patches several days after release so early regressions surface elsewhere first. AWS provides default baselines per operating system; custom baselines encode your own policy. Instances map to baselines through patch groups, assigned by a tag on the instances.
Second, a maintenance window defines when disruptive work may happen: a schedule, a duration, and a cutoff after which no new tasks start. Register the patch task — the AWS-RunPatchBaseline document — as a window task with rate controls: limited concurrency, and an error threshold that halts a rollout gone bad. AWS-RunPatchBaseline runs in two operations: Scan reports missing patches without changing anything, and Install applies approved patches, rebooting as configured. A common pattern is scanning daily for visibility and installing inside the weekly or monthly window.
Third, compliance reporting closes the loop: Patch Manager records per-instance patch compliance, so you can see which instances are missing which approved patches and export the evidence. Keep the framing operational here — this data answers whether the fleet is patched; wider security posture aggregation is a different domain's concern.
The pattern to lock in: baseline defines what, the patch-group tag defines which instances, the maintenance window defines when, AWS-RunPatchBaseline Scan or Install defines how, and compliance provides the proof.
State Manager, Inventory, and Parameter Store: continuous configuration
State Manager is the desired-state half of Systems Manager: an association binds a document to a set of targets on a schedule, and Systems Manager reapplies it continuously — correcting configuration drift rather than merely detecting it. Where Run Command fires once, an association keeps being enforced: keep the CloudWatch agent installed and running on every instance carrying a tag, keep the SSM Agent itself current with AWS-UpdateSSMAgent, keep a required configuration applied to every new instance that matches the target. When a question says configuration must stay enforced — including on instances launched later — the answer is a State Manager association, not a script.
Inventory collects what is actually on the fleet: installed applications and versions, agent versions, OS details, network configuration. Paired with Compliance, which reports association and patch status, it answers what is installed where, and whether it matches policy, without connecting to a single instance.
Parameter Store holds operational configuration in a hierarchical, versioned store: AMI IDs, endpoint URLs, feature flags, and — as SecureString parameters encrypted with KMS — values that should never sit in plain text. Runbooks, Run Command, State Manager documents, and CloudFormation templates can all resolve parameters at execution time, so a value lives in one place and every automation reads the current version. Operationally this is the difference between a hard-coded AMI ID in five scripts and one parameter that your pipeline updates whenever a new golden image ships — every downstream automation follows automatically.
Choosing the right Systems Manager capability
Choosing the right Systems Manager capability is its own exam skill — scenarios are engineered so exactly one fits. The discriminators are cadence (once versus continuous), shape (single command versus multi-step workflow), and domain (general operations versus patching).
| Capability | Shape | Cadence | Reach for it when |
|---|---|---|---|
| Run Command | One document, many instances | One-off | Ad hoc fix or query across the fleet, targeted by tags |
| Automation runbook | Multi-step workflow, optional approval steps | On demand, scheduled, or event-invoked | Standardized operational procedure with multiple steps |
| State Manager | Association: document + targets + schedule | Continuous | Configuration must stay enforced and self-correct |
| Patch Manager | Baselines + AWS-RunPatchBaseline | Scheduled via maintenance window | OS patching with approval rules and compliance reporting |
Two boundary reminders keep answers clean. Session Manager is interactive access, not automation — it never competes in these questions. And a maintenance window is less a capability of its own than the scheduler that coordinates disruptive work: it can run Run Command tasks and Automation runbooks alike inside an agreed operational window, which is why patching and other risky jobs anchor to it. If a scenario stresses that work must only happen during an approved window, the maintenance window is part of the answer regardless of which capability does the work.
Event-driven automation: EventBridge, S3 events, and Lambda
Event-driven automation reacts to what just happened instead of polling for it, and EventBridge is the router. The default event bus receives events from AWS services automatically; a rule matches either an event pattern (react when something happens) or a schedule (run at a cadence), and delivers matches to targets: Lambda functions, Systems Manager Automation runbooks, Run Command, SQS queues, SNS topics, Step Functions state machines. The operational vocabulary is pattern plus target: an EC2 instance changes state → invoke a runbook that tags or remediates it; a Health event lands → notify the on-call topic; a Config compliance change appears → trigger remediation; a GuardDuty finding arrives → invoke a runbook that isolates the instance. In each case the detection plumbing already exists — your job in this task is consuming the event and wiring the response.
S3 Event Notifications are the bucket-level original: object-created and object-removed events delivered to Lambda, SQS, or SNS, with prefix and suffix filters (only a given folder, only .csv keys). For richer filtering and a wider target list, enable EventBridge on the bucket and write EventBridge rules against S3 events instead — the better fit when multiple consumers or complex matching are involved.
Lambda is the glue for logic AWS does not ship: parse the event, decide, call APIs. For multi-step flows with branching and retries beyond one function, Step Functions orchestrates — know it at mention level here.
AWS DevOps Agent
The exam guide names AWS DevOps Agent — newly in scope for SOA-C03 — as an example service for event-driven automation and automated remediation, alongside Lambda and EventBridge. Know it at exactly that level: an agentic AI tool AWS positions for operational automation, recognizable as a plausible option in a question. The guide does not go deeper, so do not memorize feature details.
Automating processes end to end: patterns and trade-offs
End-to-end automation chains these pieces, and the exam rewards recognizing whole patterns. Scheduled stop/start for cost: an EventBridge schedule rule invokes AWS-StopEC2Instance against tagged development instances every evening and AWS-StartEC2Instance every morning — no custom code, because predefined runbooks already do the work. A patching campaign is baselines, patch-group tags, a maintenance window, and compliance reporting, as walked through above. An AMI refresh chain keeps golden images current: a scheduled rebuild produces a new AMI, the new AMI ID lands in a Parameter Store parameter, and downstream launch templates and automations read that parameter — the running fleet then picks it up through its normal rollout mechanism.
When several answers would technically work, apply the selection rule the exam repeats across services: prefer managed and declarative over custom code. If a predefined runbook, a State Manager association, or Patch Manager covers the requirement, choosing Lambda means writing, patching, and monitoring code for an already-solved problem — the phrase 'least operational overhead' points at the managed option. Choose Lambda when the logic is genuinely custom: parse this event, apply business rules, call several APIs in a particular order. Choose a runbook when the procedure is multi-step and operational, especially when it needs an approval gate. Choose State Manager when the requirement is a state to maintain rather than an action to perform. Read the verbs in the question — run once, keep enforced, on a schedule, when X happens — and each maps to a different tool you now know.
Tip. Task 3.2 questions hand you an operational requirement and make you pick the automation primitive. The trigger phrases are unusually clean: 'shell access without SSH or bastion hosts' → Session Manager; 'keep configuration enforced' or 'correct drift automatically' → State Manager; 'patch on a schedule with compliance reporting' → Patch Manager with a maintenance window; 'instance missing from Systems Manager' → agent, IAM role, or network path; 'when X happens, do Y' → an EventBridge rule targeting Lambda or a runbook. Expect at least one 'least operational overhead' discriminator where a predefined runbook or managed capability beats custom Lambda code.
- A managed instance needs three things: a running SSM Agent, an instance profile with AmazonSSMManagedInstanceCore, and a network path to the Systems Manager endpoints.
- Shell access without SSH keys, bastion hosts, or open inbound ports → Session Manager, with sessions logged to CloudWatch Logs or S3.
- Configuration that must stay enforced and self-correct → a State Manager association, not a one-off script.
- OS patching with approval rules, maintenance windows, and compliance reporting → Patch Manager running AWS-RunPatchBaseline (Scan reports, Install applies).
- EventBridge rules are the automation router: match an event pattern or a schedule, then invoke Lambda, runbooks, or queues.
- S3 Event Notifications deliver to Lambda, SQS, or SNS; enable EventBridge on the bucket when you need richer filtering or more targets.
- Prefer managed, declarative automation over custom Lambda code whenever the question asks for the least operational overhead.
Frequently asked questions
Why is my EC2 instance not showing up in Systems Manager?
One of three prerequisites is missing. Either the SSM Agent is not installed or not running on the instance, the instance profile lacks the permissions in the AmazonSSMManagedInstanceCore managed policy, or the agent has no network path to the Systems Manager endpoints — typically an instance in a private subnet with no NAT gateway and no interface VPC endpoints for ssm, ssmmessages, and ec2messages. Check those three things in order; nothing else causes the symptom.
How does Session Manager work without SSH?
The SSM Agent on the instance opens an outbound HTTPS connection to the Systems Manager service, and your shell session is brokered over that connection. Because nothing connects inbound, you need no SSH keys, no bastion host, and no open inbound ports — security groups can deny all inbound traffic. Access is granted through IAM policies, and sessions can be logged to CloudWatch Logs or S3 for auditing.
What is the difference between Run Command, Automation runbooks, and State Manager?
Run Command executes a single document across many instances once — the ad hoc tool for a fleet-wide fix or query. Automation runbooks are multi-step workflows that call AWS APIs and can include approval steps — the tool for standardized operational procedures. State Manager creates associations that reapply a document on a schedule, continuously enforcing configuration and correcting drift. Cadence and shape decide it: once versus continuous, single command versus workflow.
How do I automate patching for hundreds of EC2 instances?
Use Patch Manager. Define a patch baseline with your approval rules and an auto-approval delay, map instances to baselines with patch-group tags, and register the AWS-RunPatchBaseline document as a maintenance window task so installs happen only during approved hours, with concurrency and error-threshold rate controls. Run Scan operations for visibility between windows and Install inside them, then use the compliance reports as evidence of which instances are fully patched.
When should I use EventBridge instead of S3 Event Notifications?
S3 Event Notifications work well for a simple bucket-to-consumer flow: object-created events to a single Lambda function, SQS queue, or SNS topic, filtered by key prefix or suffix. Enable EventBridge on the bucket when you need richer, content-based filtering, multiple independent consumers of the same events, or targets beyond those three — EventBridge rules can route S3 events to many targets, including Systems Manager Automation runbooks and Step Functions.
What is AWS DevOps Agent on the SOA-C03 exam?
AWS DevOps Agent is an agentic AI tool that the SOA-C03 exam guide (version 1.1) added to the in-scope list and names as an example service for event-driven automation and automated remediation, alongside Lambda, S3 Event Notifications, and EventBridge. The guide treats it as a named example only, so know what it is and where it fits rather than memorizing feature specifics.
Sign up free to mark lessons complete, bookmark topics and track your exam readiness.