Lab 1: Auditing Your AWS Resources with AWS Systems Manager and AWS Config

© 2026 Amazon Web Services, Inc. or its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited. All trademarks are the property of their owners.

Note: Do not include any personal, identifying, or confidential information into the lab environment. Information entered may be visible to others.

Corrections, feedback, or other questions? Contact us at AWS Training and Certification.

Lab overview

You are a newly hired AWS Cloud Operations Administrator. You are assisting your company’s transition to the cloud. As part of the transition, the company wants you to employ AWS Systems Manager to aid in the management of AWS Cloud resources. You have been asked to verify that Session Manager sessions started from AWS Systems Manager Fleet Manager can interact with managed Amazon EC2 instances. Next, you need to use AWS Config to create an automated system that audits for any Amazon EC2 instances that are not managed by AWS Systems Manager. Finally, you need to explore the use of AWS Systems Manager as a centralized way to view the inventory of any managed Amazon EC2 instance.

In this lab, you perform the initial setup of both AWS Config and AWS Systems Manager Inventory in an AWS environment that contains Amazon Elastic Compute Cloud (Amazon EC2) instances. AWS Config and Systems Manager are services that help a CloudOps engineer monitor compliance and remediate findings.

AWS Systems Manager is a collection of capabilities for configuring and managing your Amazon EC2 instances, on-premises servers, virtual machines, and other Amazon Web Services (AWS) resources at scale. AWS Systems Manager Inventory is a component service of Systems Manager that provides visibility into your AWS computing environment. You can use Inventory to collect metadata from all of your managed nodes.

With AWS Config, you can streamline compliance auditing, security analysis, change management, and operational troubleshooting of your AWS resources. AWS Config continuously monitors and records your AWS resource configurations and automatically evaluates the recorded configurations against your desired configuration. With AWS Config you can: review changes in configurations, dive into detailed resource configuration histories, review relationships between AWS resources, and determine your overall compliance with your defined configurations and internal guidelines.

Objectives

By the end of this lab, you should be able to do the following:

Technical knowledge prerequisites

This lab requires the following prerequisites:

Icon key

Various icons are used throughout this lab to call attention to different types of instructions and notes. The following list explains the purpose for each icon:

Start lab

  1. To launch the lab, at the top of the page, choose Start Lab.

    Caution: You must wait for the provisioned AWS services to be ready before you can continue.

  2. To open the lab, choose Open Console.

    You are automatically signed in to the AWS Management Console in a new web browser tab.

    Warning: Do not change the Region unless instructed.

Common sign-in errors

Error: You must first sign out

Log out error

If you see the message, You must first log out before logging into a different AWS account:

Error: Choosing Start Lab has no effect

In some cases, certain pop-up or script blocker web browser extensions might prevent the Start Lab button from working as intended. If you experience an issue starting the lab:


Lab environment

When you start the lab, the environment contains the resources shown in the following diagram:

Note: The numbers represent the logical workflow of the architecture in this lab.

The architecture diagram of the lab 1 environment.

Image description: The preceding diagram depicts the architecture for the lab, in which you set up both AWS Systems Manager components and the AWS Config service in the lab AWS environment.

The AWS Systems Manager service is used to:

The AWS Config service is used to create compliance rules at the account or organization level. A common use case is to combine AWS Config and AWS Systems Manager to automate remediation actions for resources that violate those rules. In this lab, however, it is used only to audit specific resources in the lab environment.

AWS services not used in this lab

AWS service capabilities used in this lab are limited to what the lab requires. Expect errors when accessing other services or performing actions beyond those provided in this lab guide.


Task 1: Set up Systems Manager Inventory

As a newly hired CloudOps Administrator, your first priority is gaining visibility into the company’s EC2 fleet. AWS Systems Manager Inventory collects metadata from your managed instances, such as installed applications, OS details, and network configurations, giving your team a centralized view of what’s running across the environment. Next, you will configure Inventory to begin collecting this data from the lab’s EC2 instances, which you will review later in Task 7.

AWS Systems Manager gives you visibility and control of your infrastructure on AWS. It provides a unified user interface so you can view operational data from multiple AWS services. Systems Manager simplifies resource and application management, shortens the time to detect and resolve operational problems, and lets you manage your infrastructure securely at scale.

  1. At the top of the AWS Management Console, in the search bar, search for and choose Systems Manager.

  2. In the left navigation pane, under Node Tools, choose Inventory.

    The Inventory page loads.

    Note: On the Dashboard, the Managed instances with inventory enabled card shows all instances as Disabled.

  3. On the top-right of the Inventory page, choose Setup Inventory.

  4. On the Targets card, select Manually selecting instances.

    A selection of preconfigured nodes appears.

  5. Select both Web Server and App Server in the expanded menu.

  6. Leave the default values for the remainder of the options.

  7. Scroll down and choose Setup Inventory.

  8. Refresh: After a minute or two, refresh the browser to see Managed instances with inventory enabled show a status of Enabled.

Task complete: You configured Systems Manager Inventory to collect metadata from your EC2 instances, giving your team centralized visibility into the software and configurations running across the fleet.


Task 2: Log into an Amazon EC2 instance with the AWS Systems Manager Session Manager tool

Your company requires a secure way to access EC2 instances without exposing SSH ports or managing key pairs. Systems Manager Session Manager provides exactly this, allowing you to connect to instances through the console while AWS CloudTrail records who started and ended each session. Next, you will use Fleet Manager to review your managed instances and start a terminal session to verify connectivity and gather instance information.

Note: Other ways to start a session with a managed Amazon EC2 instance include the AWS Command Line Interface (AWS CLI) command aws ssm start-session, which requires the Session Manager plugin to be installed locally, and the Connect option in the Amazon EC2 console.

For correctly configured Amazon EC2 instances (SSM Agent running, an instance profile that grants the Systems Manager permissions, and network reachability to the Systems Manager endpoints), you can use the Session Manager tool to connect to a terminal on individual Amazon EC2 instances without having to configure Secure Shell (SSH). Session Manager is more secure because the SSH port (22) does not need to be opened in security groups; access is controlled instead by IAM permissions on the ssm:StartSession action. Additional benefits of connecting to instances with Session Manager are that key pairs no longer need to be managed, cross-platform access is streamlined for users, and an audit trail of who started and terminated each session is recorded in AWS CloudTrail. Note that CloudTrail records the API calls only; to capture the commands typed during a session, enable session logging to Amazon S3 or Amazon CloudWatch Logs in the Session Manager preferences.

  1. On the AWS Systems Manager page, in the left navigation pane, under Node Tools, choose Fleet Manager.

    Fleet Manager helps you remotely manage your nodes running on AWS or on premises. It allows you to perform common troubleshooting and management tasks from the console, including connecting to Windows instances using the Remote Desktop Protocol (RDP) and connecting to Linux instances through Session Manager.

  2. Choose the Node ID link for the instance named Web Server.

  3. At the top-right of the Web Server page, choose Node actions, then Connect, and then Start terminal session.

    A terminal for the Amazon EC2 instance is displayed in a new browser tab. The instance ID of the Amazon EC2 instance you are connected to is displayed on the top banner.

  4. Command: Enter the following command at the command prompt of the terminal.

    netstat -a | grep http

    Expected output:

    A list of sockets is displayed, including a LISTEN entry for the http service. Because netstat is run without -n, it resolves port 80 to the service name http from /etc/services, which is what the grep matches. If netstat is not installed on the instance, ss -tln from iproute2 lists the same listening sockets by port number.

  5. Command: Run the following commands in the session window. They request an IMDSv2 token, derive the Region from the instance's Availability Zone, and then call the AWS CLI using the credentials of the instance profile role attached to the instance.

    # Request an IMDSv2 session token (the PUT is mandatory when the instance enforces IMDSv2)
    TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

    # Get the Region: read the Availability Zone and drop its trailing zone letter
    AZ=$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placement/availability-zone)
    export AWS_DEFAULT_REGION=${AZ%?}

    # Show which identity the CLI is using: the instance profile role, not your console user
    aws sts get-caller-identity

    # List information about EC2 instances
    aws ec2 describe-instances

    Expected output: get-caller-identity returns the ARN of the role assumed through the instance profile, not your AWSLabsUser console identity. describe-instances returns a JSON response describing the EC2 instances in your account, including details such as instance IDs, instance types, state, and network configuration. You should see entries for both the App Server and Web Server instances. The instance can list your EC2 instances only because its instance profile grants that permission; anyone who obtains a shell on the instance inherits the same permissions, which is why instance roles should be scoped to least privilege.

    Once you have reviewed the returned information, you can safely end the session to the Amazon EC2 instance.

  6. Choose Terminate.

  7. On the Terminate session pop-up window, choose Terminate.

Task complete: You used Fleet Manager and Session Manager to securely connect to a managed EC2 instance without SSH, verifying that your team can access instances while CloudTrail records who started the session.


Task 3: Enable AWS Config

With Systems Manager now managing your company’s EC2 instances, your next responsibility is to set up an automated compliance auditing system. AWS Config continuously monitors and records your resource configurations, helping you verify that your infrastructure meets organizational standards. Next, you will enable AWS Config and prepare it to evaluate resources in your environment.

  1. At the top of the AWS Management Console, in the search bar, search for and choose AWS Config.

  2. Choose Get started.

    The Settings page of the AWS Config setup is displayed.

  3. In the Recording method section, under Recording strategy, select All resource types with customizable overrides.

  4. In the Default settings section, for Recording frequency, select Continuous recording.

  5. In the Override settings section, choose Remove to remove the override.

  6. In the Data governance section, for IAM role for AWS Config, select Choose a role from your account.

    Under Existing roles, AWSServiceRoleForConfig should be selected automatically.

  7. Scroll down and choose Next.

  8. On the Rules page, choose Next.

    The Review page of the AWS Config setup is displayed.

  9. Choose Confirm.

    AWS Config finishes the setup process and, if there is no error, the AWS Config Dashboard page is displayed.

    Note: If you see a Rate Exceeded error, ignore it and proceed with the next task anyway.

Task complete: You enabled AWS Config to continuously monitor and record resource configurations, establishing the foundation for automated compliance auditing in your environment.


Task 4: Make sure the recorder is on

Before creating compliance rules, you need to confirm that the AWS Config recorder is actively tracking resource changes. Next, you will verify the recorder status and enable it if necessary.

  1. On the AWS Config page, in the left navigation pane, choose Settings.

  2. If the Recorder card says Recording is on, skip to Task 5. Otherwise, continue with the remaining steps in this task.

  3. In the Recorder section, choose Edit.

  4. On the Edit customer managed recorder settings page:

    • In the Recorder section, choose Enable recording.
    • In the Recording method section, under Recording strategy, select All resource types with customizable overrides.
    • In the Default settings section, under Recording frequency, select Continuous recording.
    • In the Data governance section, for IAM role for AWS Config, select Use an existing AWS Config service-linked role.

  5. Choose Save.

Task complete: You verified that the AWS Config recorder is actively tracking resource changes, ensuring that compliance rules you create will have current configuration data to evaluate against.


Task 5: Create a rule to check Amazon EC2 instance compliance

Your company needs assurance that all EC2 instances remain under Systems Manager management. If an instance falls out of SSM management, it becomes a blind spot for operations and security. Next, you will create an AWS Config rule that automatically flags any EC2 instance not managed by Systems Manager.

  1. At the top of the AWS Management Console, in the search bar, search for and choose AWS Config.

  2. On the AWS Config page, in the left navigation pane, choose Rules. Do not choose the Rules under Aggregator.

  3. Choose Add rule.

    The Specify rule type page is displayed.

  4. Ensure Add AWS managed rule is selected.

  5. Enter ec2-instance-managed-by-systems-manager into the rule search bar, and select the ec2-instance-managed-by-systems-manager rule returned in the search results.

  6. Choose Next.

  7. On the Configure rule page, keep all default settings, and choose Next.

  8. On the Review and create page, choose Save.

    You have added a new AWS Config rule that evaluates every EC2 instance in the account and reports NON_COMPLIANT for any instance that is not managed by Systems Manager, for example because SSM Agent is not installed or running, the instance profile does not grant the Systems Manager permissions, or the instance cannot reach the Systems Manager endpoints.

    Note: It takes several minutes for AWS Config to synchronize with AWS Systems Manager about the compliance status of managed Amazon EC2 instances. However, the compliance status of any one Config rule in this lab is not critically important and does not block you from completing all other tasks in the lab. You may proceed to the next task.

Task complete: You created a Config rule that automatically flags any EC2 instance not managed by Systems Manager, helping your team detect operational blind spots before they become security risks.


Task 6: Create an AWS Config rule to audit user IAM permissions

As part of your company’s security posture, you need to verify that no IAM users have policies attached directly to them, whether inline or managed. Permissions granted directly to individual users are harder to manage and audit at scale than permissions inherited through IAM groups or roles, and inline policies in particular cannot be reused or reviewed centrally. Next, you will create a Config rule that flags IAM users with directly attached policies and examine the compliance results.

  1. On the AWS Config Rules page, choose Add rule.

    The Specify rule type page is displayed.

  2. Ensure Add AWS managed rule is selected.

  3. Enter iam-user-no-policies-check into the rule search bar.

  4. Select the iam-user-no-policies-check rule.

  5. Choose the Next button.

  6. On the Configure rule page, keep all default settings, and choose Next.

  7. On the Review and create page, choose Save.

    You have added a new AWS Config rule that scans for IAM users with policies attached directly to them (inline or managed). The newly added Config rule immediately begins a scan to evaluate the compliance of IAM resources.

    Note: In this case you should not expect these resources to become compliant. If you choose a resource in the scope of this rule and view its Configuration Item, you will see that it has policies attached. You do not need to remediate any non-compliant resource in this lab; the task in this scenario was to use an AWS Config rule to find out whether any company user has IAM policies attached directly.

    You have now set up more than one rule for AWS Config using the console. In your own AWS environment, the creation of Config rules can be automated with CloudFormation (the AWS::Config::ConfigRule resource) or one of the AWS SDKs.

Task complete: You created a Config rule that audits IAM users for directly attached policies (inline or managed), enabling your team to continuously enforce the company’s standard of granting user permissions through groups and roles.
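The two managed rules created in Task 5 and Task 6 are evaluated by AWS; the following is an added Python example (not part of this lab and not AWS's rule code) that reproduces their documented outcomes over constructed sample data, so you can see what each rule is actually comparing and the shape of the evaluations a custom Config rule would return through PutEvaluations. The instance IDs, user names, and policy names are invented for the illustration, and treating a registered node whose SSM ping status is not Online as unmanaged is this example's assumption, following the note in Task 5.

```python
"""Config-style evaluations for the two managed rules used in this lab,
computed over constructed data so that the logic runs offline.

Added example: this is not AWS's implementation of the managed rules. It
mirrors their documented outcome (an EC2 instance not managed by Systems
Manager is NON_COMPLIANT; an IAM user with any directly attached policy is
NON_COMPLIANT) in the Evaluations shape that a custom Config rule Lambda
returns through config:PutEvaluations. Treating a registered node whose SSM
ping status is not "Online" as unmanaged is an assumption of this example.
"""
from datetime import datetime, timezone

# Constructed sample data (instance IDs, names, users and policies are
# invented), flattened to the fields this example needs.

# From ec2 describe-instances
EC2_INSTANCES = [
    {"InstanceId": "i-0123456789abcdef0", "Name": "Web Server"},
    {"InstanceId": "i-0fedcba9876543210", "Name": "App Server"},
    {"InstanceId": "i-0a0a0a0a0a0a0a0a0", "Name": "Legacy Box"},  # never registered with SSM
    {"InstanceId": "i-0b0b0b0b0b0b0b0b0", "Name": "Batch Node"},  # registered, agent stopped checking in
]

# From ssm describe-instance-information: only nodes that have registered
# with Systems Manager appear here at all.
SSM_INSTANCE_INFORMATION = [
    {"InstanceId": "i-0123456789abcdef0", "PingStatus": "Online"},
    {"InstanceId": "i-0fedcba9876543210", "PingStatus": "Online"},
    {"InstanceId": "i-0b0b0b0b0b0b0b0b0", "PingStatus": "ConnectionLost"},
]

# From iam list-users, then list-attached-user-policies and list-user-policies per user
IAM_USERS = [
    {"UserName": "alice", "AttachedManagedPolicies": [], "InlinePolicyNames": []},
    {"UserName": "bob", "AttachedManagedPolicies": ["ReadOnlyAccess"], "InlinePolicyNames": []},
    {"UserName": "carol", "AttachedManagedPolicies": [], "InlinePolicyNames": ["s3-bucket-access"]},
]


def evaluation(resource_type, resource_id, compliant, annotation):
    """One entry of the Evaluations list passed to config:PutEvaluations."""
    return {
        "ComplianceResourceType": resource_type,
        "ComplianceResourceId": resource_id,
        "ComplianceType": "COMPLIANT" if compliant else "NON_COMPLIANT",
        "Annotation": annotation,
        "OrderingTimestamp": datetime.now(timezone.utc),
    }


def evaluate_ec2_managed_by_ssm(instances, ssm_info):
    """Outcome of ec2-instance-managed-by-systems-manager for each instance."""
    ping_by_id = {node["InstanceId"]: node["PingStatus"] for node in ssm_info}
    results = []
    for inst in instances:
        ping = ping_by_id.get(inst["InstanceId"])
        if ping is None:
            note = ("not registered with Systems Manager: check that SSM Agent is running, "
                    "the instance profile grants the Systems Manager permissions, and the "
                    "Systems Manager endpoints are reachable")
        elif ping != "Online":
            note = f"registered but SSM ping status is {ping}"
        else:
            note = "managed by Systems Manager"
        results.append(evaluation("AWS::EC2::Instance", inst["InstanceId"], ping == "Online", note))
    return results


def evaluate_iam_user_no_policies(users):
    """Outcome of iam-user-no-policies-check: any policy attached directly to
    the user, managed or inline, makes the user NON_COMPLIANT."""
    results = []
    for user in users:
        attached = [f"managed:{p}" for p in user["AttachedManagedPolicies"]]
        attached += [f"inline:{p}" for p in user["InlinePolicyNames"]]
        if attached:
            note = "directly attached: " + ", ".join(attached)
        else:
            note = "no directly attached policies; permissions come from groups or roles"
        results.append(evaluation("AWS::IAM::User", user["UserName"], not attached, note))
    return results


def non_compliant_ids(evaluations):
    """Resource IDs flagged NON_COMPLIANT, sorted for stable reporting."""
    return sorted(e["ComplianceResourceId"] for e in evaluations
                  if e["ComplianceType"] == "NON_COMPLIANT")


if __name__ == "__main__":
    evaluations = (evaluate_ec2_managed_by_ssm(EC2_INSTANCES, SSM_INSTANCE_INFORMATION)
                   + evaluate_iam_user_no_policies(IAM_USERS))
    for ev in evaluations:
        print(f'{ev["ComplianceType"]:<14} {ev["ComplianceResourceType"]:<18} '
              f'{ev["ComplianceResourceId"]:<20} {ev["Annotation"]}')
```

The annotation on each NON_COMPLIANT evaluation is what shows up in the Config console next to the resource, so it is the place to record why the resource failed; for the EC2 rule the three causes listed are the ones to check first when an instance you expected to be managed is flagged.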


Task 7: Explore inventory collected by Systems Manager

Earlier in the lab you configured Systems Manager Inventory to collect metadata from your managed instances. Now that the collection has had time to run, you can review what was gathered. Next, you will explore the inventory dashboard to see installed applications, instance details, and other metadata that helps your team maintain visibility across the fleet.

  1. At the top of the AWS Management Console, in the search bar, search for and choose Systems Manager.

  2. In the left navigation pane, under Node Tools, choose Inventory.

    The Inventory dashboard is displayed.

  3. Locate the Top 5 Applications section on the dashboard. What are the top 5 applications installed on the managed Amazon EC2 instances and what versions are they?

  4. Scroll down to the Corresponding managed instances section.

    Consider: Both the Web Server and App Server appear here as managed instances. This confirms that Systems Manager Inventory has successfully associated with these nodes. This section links the top five application data you just reviewed to each managed node. Next, you will navigate to Fleet Manager to drill into the details of a single node.

  5. In the left navigation pane, under Node Tools, choose Fleet Manager.

  6. In the Managed nodes section, select one of the nodes.

  7. Choose Node actions and select Node overview.

  8. In the General section, what is the IP address of this Amazon EC2 instance? What SSH key is associated with it? What type of Amazon EC2 instance is this node?

  9. In the left navigation pane, choose Tags. Which tags are associated with this Amazon EC2 instance?

  10. Select the Inventory link in the Properties pane.

  11. Enter bind-utils into the filter search box, and then choose the bind-utils result that appears. Which version of the package is installed on this Amazon EC2 instance? What architecture is it for?

  12. Select the Associations link in the Properties pane. When was the last SSM document run on this Amazon EC2 instance? What was the name of that SSM document?

  13. Select the Patches link in the Properties pane. If no patches are found, why might that be? Hint: you will learn about Systems Manager Command documents in later labs, which address actions such as patching and configuration changes across an entire fleet of managed instances. If you did find patches applied to an instance, the information in this section answers the following questions: How many patches have been applied to this Amazon EC2 instance since it was launched? Did any of the patches encounter an error while updating? Is any further patching currently needed?

  14. Select the Configuration compliance link in the Properties pane. Is this Amazon EC2 instance out of compliance with any of the patches?

Task complete: You explored the inventory collected by Systems Manager, gaining insight into the installed applications, configurations, and compliance posture of your managed EC2 instances.
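Steps 10 and 11 read a single package's version from one node's inventory in the console. The following added Python example (not part of the lab) shows the same data put to fleet-wide use: it reads constructed AWS:Application inventory entries, shaped like the per-node output of ssm list-inventory-entries, finds a package on every node, and reports the nodes below a minimum version, which is the typical vulnerability-exposure question you would answer with Inventory. The instance IDs and package versions are invented, and the version comparison is a simplified rpm-style ordering written for this example, not rpm's own.

```python
"""Fleet-wide package audit over Systems Manager Inventory data.

Added example, not part of the lab. The entries are constructed to follow the
attribute names of the AWS:Application inventory type (Name, Version, Release,
Architecture, Publisher) as returned per node by ssm list-inventory-entries;
the instance IDs and package versions are invented. The version ordering below
is a simplified rpm-style comparison written for this example, not rpm's own.
"""
import re

# Constructed: one trimmed list-inventory-entries result per managed node.
INVENTORY = {
    "i-0123456789abcdef0": [  # Web Server
        {"Name": "bind-utils", "Version": "9.16.23", "Release": "1.amzn2023.0.5",
         "Architecture": "x86_64", "Publisher": "Amazon Linux"},
        {"Name": "openssl", "Version": "3.0.8", "Release": "1.amzn2023.0.8",
         "Architecture": "x86_64", "Publisher": "Amazon Linux"},
        {"Name": "httpd", "Version": "2.4.58", "Release": "1.amzn2023.0.1",
         "Architecture": "x86_64", "Publisher": "Amazon Linux"},
    ],
    "i-0fedcba9876543210": [  # App Server
        {"Name": "bind-utils", "Version": "9.16.9", "Release": "1.amzn2023.0.2",
         "Architecture": "x86_64", "Publisher": "Amazon Linux"},
        {"Name": "openssl", "Version": "3.0.8", "Release": "1.amzn2023.0.8",
         "Architecture": "x86_64", "Publisher": "Amazon Linux"},
    ],
}


def version_key(version):
    """Sort key for rpm-style versions: numeric runs compare as integers and
    alphabetic runs as strings, so "9.16.23" sorts after "9.16.9" (a plain
    string comparison would get that backwards)."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[A-Za-z]+", version))


def find_package(inventory, name):
    """Map instance ID -> inventory entry for every node that reports `name`."""
    return {iid: entry for iid, entries in inventory.items()
            for entry in entries if entry["Name"] == name}


def audit_minimum_version(inventory, name, minimum):
    """Return (outdated, missing): nodes whose installed `name` is older than
    `minimum`, and nodes that do not report the package at all. The two are
    kept apart because "not installed" and "vulnerable version" call for
    different follow-up."""
    installed = find_package(inventory, name)
    outdated = sorted(iid for iid, entry in installed.items()
                      if version_key(entry["Version"]) < version_key(minimum))
    missing = sorted(set(inventory) - set(installed))
    return outdated, missing


if __name__ == "__main__":
    for iid, entry in find_package(INVENTORY, "bind-utils").items():
        print(f'{iid}: bind-utils {entry["Version"]}-{entry["Release"]} ({entry["Architecture"]})')
    outdated, missing = audit_minimum_version(INVENTORY, "bind-utils", "9.16.23")
    print("below minimum:", outdated)
    print("not installed:", missing)
```

Inventory data is only as fresh as the last collection run on each node, so a node that dropped out of Systems Manager management (the condition the Task 5 rule flags) silently keeps its last reported versions; cross-check the audit against the Config rule's NON_COMPLIANT list before trusting a clean result.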


Conclusion

You have successfully done the following:

End lab

Follow these steps to close the console and end your lab.

  1. Return to the AWS Management Console.

  2. At the upper-right corner of the page, choose AWSLabsUser, and then choose Sign out.

  3. Choose End Lab and then confirm that you want to end your lab.

For more information about AWS Training and Certification, see https://aws.amazon.com/training/.

Your feedback is welcome and appreciated.
If you would like to share any feedback, suggestions, or corrections, please provide the details in our AWS Training and Certification Contact Form.


Additional resources