Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.2.3.6. Maintaining Software Compliance (Systems Manager)

Software compliance means ensuring every managed instance meets organizational standards for patches, packages, and configurations.

SSM Compliance aggregates data from multiple sources:

  • Patch compliance: missing critical patches (from Patch Manager)
  • Association compliance: failed State Manager associations
  • Custom compliance: your own compliance types published via the PutComplianceItems API

Compliance reporting workflow:

  1. SSM collects compliance data from all managed instances
  2. Resource Data Sync streams the data to S3 for long-term storage
  3. Athena queries answer questions such as "Show all instances missing critical patches"
  4. QuickSight dashboards present the results for executive reporting

  # Query patch compliance for a specific instance
  aws ssm list-compliance-items \
    --resource-ids "i-1234567890abcdef0" \
    --resource-types "ManagedInstance" \
    --filters "Key=ComplianceType,Values=Patch,Type=EQUAL"
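To show the custom compliance type and the "missing critical patches" question in code, here is an added Python example (it is not part of the MindMesh course material). It assumes a constructed, trimmed sample of what list-compliance-items returns, placeholder instance IDs, and the real boto3 put_compliance_items call for the request it builds.

```python
"""Summarize SSM compliance items and build a custom compliance request.

Added example, not course code. SAMPLE_ITEMS is a constructed, trimmed
version of the ComplianceItems array returned by list-compliance-items.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample items; instance IDs are placeholders.
SAMPLE_ITEMS = [
    {"ComplianceType": "Patch", "ResourceId": "i-1234567890abcdef0", "Id": "KB5000001",
     "Title": "Security Update", "Status": "NON_COMPLIANT", "Severity": "CRITICAL"},
    {"ComplianceType": "Patch", "ResourceId": "i-1234567890abcdef0", "Id": "KB5000002",
     "Title": "Cumulative Update", "Status": "COMPLIANT", "Severity": "MEDIUM"},
    {"ComplianceType": "Patch", "ResourceId": "i-0fedcba0987654321", "Id": "KB5000001",
     "Title": "Security Update", "Status": "COMPLIANT", "Severity": "CRITICAL"},
    {"ComplianceType": "Association", "ResourceId": "i-0fedcba0987654321", "Id": "ab12cd34",
     "Title": "CIS-Hardening", "Status": "NON_COMPLIANT", "Severity": "HIGH"},
]


def missing_critical_patches(items):
    """Map instance ID -> IDs of CRITICAL patches reported NON_COMPLIANT."""
    missing = defaultdict(list)
    for item in items:
        if (item["ComplianceType"] == "Patch" and item["Status"] == "NON_COMPLIANT"
                and item["Severity"] == "CRITICAL"):
            missing[item["ResourceId"]].append(item["Id"])
    return dict(missing)


def build_custom_compliance_request(instance_id, compliance_type, checks, now=None):
    """Build the PutComplianceItems request body for a custom compliance type.

    checks maps a check name to True (passed) or False (failed). The returned
    dict can be passed as boto3.client("ssm").put_compliance_items(**request).
    """
    if not compliance_type.startswith("Custom:"):
        raise ValueError("custom compliance types must be prefixed 'Custom:'")
    return {
        "ResourceId": instance_id,
        "ResourceType": "ManagedInstance",
        "ComplianceType": compliance_type,
        "ExecutionSummary": {"ExecutionTime": now or datetime.now(timezone.utc)},
        "Items": [
            {"Id": name, "Title": name, "Severity": "HIGH",
             "Status": "COMPLIANT" if ok else "NON_COMPLIANT"}
            for name, ok in sorted(checks.items())
        ],
    }
```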

Resource Data Sync streams SSM inventory and compliance data to S3 continuously. For cross-account reporting, each account syncs to a central bucket and Athena queries span all accounts.

Integration with AWS Config: SSM compliance data feeds into Config's dashboard, providing a unified view of infrastructure configuration compliance (Config rules) and software compliance (SSM). Security Hub aggregates both into security findings.

Exam Trap: SSM compliance data shows only current state — no historical trends natively. To track compliance over time, use Resource Data Sync to S3 and query historical snapshots with Athena.

Written by Alvin Varughese, Founder, 15 professional certifications