AWS Security ChangesHomeSearch

AWS prescriptive-guidance documentation change

Service: prescriptive-guidance · 2026-07-10 · Documentation low

File: prescriptive-guidance/latest/implementing-logging-monitoring-cloudwatch/install-cloudwatch-systems-manager.md

Summary

Updated documentation for installing CloudWatch agent using Systems Manager. Changes include replacing 'CloudFormation' with 'AWS CloudFormation', restructuring content for clarity, adding a note about Amazon Linux 2 end of support, fixing typos, and reorganizing IAM permission instructions.

Security assessment

The changes involve documentation restructuring, terminology updates, and clarification of IAM permissions but lack concrete evidence of addressing a specific security vulnerability. No new security features or vulnerabilities are introduced; updates to IAM policies are routine best practice guidance.

Diff

diff --git a/prescriptive-guidance/latest/implementing-logging-monitoring-cloudwatch/install-cloudwatch-systems-manager.md b/prescriptive-guidance/latest/implementing-logging-monitoring-cloudwatch/install-cloudwatch-systems-manager.md
index 27573766c..d49c11613 100644
--- a//prescriptive-guidance/latest/implementing-logging-monitoring-cloudwatch/install-cloudwatch-systems-manager.md
+++ b//prescriptive-guidance/latest/implementing-logging-monitoring-cloudwatch/install-cloudwatch-systems-manager.md
@@ -5 +5 @@
-[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[Designing and implementing logging and monitoring with Amazon CloudWatch ](welcome.html)
+[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[Designing and implementing logging and monitoring with Amazon CloudWatch](introduction.html)
@@ -7 +7 @@
-Set up State Manager and Distributor for CloudWatch agent deployment and configurationUse Systems Manager Quick Setup and manually update the created Systems Manager resourcesUse CloudFormation instead of Quick SetupCustomized Quick Setup in a single account and Region with an CloudFormation stackCustomized Quick Setup in multiple Regions and multiple accounts with CloudFormation StackSetsConsiderations for configuring on-premises serversConsiderations for ephemeral EC2 instancesUsing an automated solution to deploy the CloudWatch agent
+Set up State Manager and Distributor for CloudWatch agent deployment and configurationUse Systems Manager Quick Setup and manually update the created Systems Manager resourcesUse AWS CloudFormation instead of Quick SetupCustomized Quick Setup in a single account and Region with an AWS CloudFormation stackCustomized Quick Setup in multiple Regions and multiple accounts with AWS CloudFormation StackSetsConsiderations for configuring on-premises serversConsiderations for ephemeral EC2 instancesUsing an automated solution to deploy the CloudWatch agent
@@ -9 +9 @@ Set up State Manager and Distributor for CloudWatch agent deployment and configu
-# Installing the CloudWatch agent using Systems Manager Distributor and State Manager
+# Installing the CloudWatch agent using Systems Manager
@@ -21 +21 @@ Amazon Linux 2 is nearing end of support. For more information, see the [Amazon
-  * An IAM role or credentials that have the [required CloudWatch and Systems Manager permissions](https://docs.aws.amazon.com//AmazonCloudWatch/latest/monitoring/create-iam-roles-for-cloudwatch-agent.html) must be attached to the EC2 instance or defined in the credentials file for an on-premises server. For example, you can create an IAM role that includes the AWS managed policies: `AmazonSSMManagedInstanceCore` for Systems Manager and `CloudWatchAgentServerPolicy` for CloudWatch. You can use the [ssm-cloudwatch-instance-role.yaml](https://github.com/aws-samples/logging-monitoring-apg-guide-examples/blob/main/ssm-cloudwatch-instance-role.yaml) CloudFormation template to deploy an IAM role and instance profile that includes both of these policies. This template can also be modified to include other standard IAM permissions for your EC2 instances. For on-premises servers or VMs, should configure the CloudWatch agent to use the [Systems Manager service role](https://docs.aws.amazon.com//systems-manager/latest/userguide/sysman-service-role.html) that was configured for the on-premises server. For more information about this, see [How can I configure on-premises servers that use Systems Manager Agent and the unified CloudWatch agent to use only temporary credentials?](https://aws.amazon.com//premiumsupport/knowledge-center/cloudwatch-on-premises-temp-credentials/) in the AWS Knowledge Center.
+  * An IAM role or credentials that have the [required CloudWatch and Systems Manager permissions ](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/create-iam-roles-for-cloudwatch-agent.html)must be attached to the EC2 instance or defined in the credentials file for an on-premises server. For example, you can create an IAM role that includes the AWS managed policies: AmazonSSMManagedInstanceCore for Systems Manager and CloudWatchAgentServerPolicy for CloudWatch. 
@@ -25,0 +26,2 @@ Amazon Linux 2 is nearing end of support. For more information, see the [Amazon
+You can use the [ssm-cloudwatch-instance-role.yaml](https://github.com/aws-samples/logging-monitoring-apg-guide-examples/blob/main/ssm-cloudwatch-instance-role.yaml) AWS CloudFormation template to deploy an IAM role and instance profile that includes both of these policies. This template can also be modified to include other standard IAM permissions for your EC2 instances. For on-premises servers or VMs, should configure the CloudWatch agent to use the [Systems Manager service role](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-service-role.html) that was configured for the on-premises server. For more information about this, see [How can I configure on-premises servers that use Systems Manager Agent and the unified CloudWatch agent to use only temporary credentials?](https://aws.amazon.com/premiumsupport/knowledge-center/cloudwatch-on-premises-temp-credentials/) in the AWS Knowledge Center.
+
@@ -28 +30 @@ The following list provides several advantages for using the Systems Manager Dis
-  * **Automated installation for multiple OSs** – You don’t need to write and maintain a script for each OS to download and install the CloudWatch agent.
+  * **Automated installation for multiple OSs** – You don't need to write and maintain a script for each OS to download and install the CloudWatch agent.
@@ -52 +54 @@ However, you should also consider the following three areas before you choose th
-You can use [Systems Manager Quick Setup](https://docs.aws.amazon.com//systems-manager/latest/userguide/systems-manager-quick-setup.html) to quickly configure Systems Manager features, including automatically installing and updating the CloudWatch agent on your EC2 instances. The Quick Setup deploys an CloudFormation stack that deploys and configures Systems Manager resources based on your choices. 
+You can use [Systems Manager Quick Setup](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-quick-setup.html) to quickly configure Systems Manager features, including automatically installing and updating the CloudWatch agent on your EC2 instances. The Quick Setup deploys an AWS CloudFormation stack that deploys and configures Systems Manager resources based on your choices.
@@ -58 +60 @@ The following list provides two important actions that are performed by Quick Se
-     * `CreateAndAttachIAMToInstance` – Creates the `AmazonSSMRoleForInstancesQuickSetup` role and instance profile if they don’t exist and attaches the `AmazonSSMManagedInstanceCore` policy to the role. This doesn’t include the required `CloudWatchAgentServerPolicy` IAM policy. You must update this policy and update this Systems Manager document to include this policy as described in the following section.
+     * CreateAndAttachIAMToInstance – Creates the AmazonSSMRoleForInstancesQuickSetup role and instance profile if they don't exist and attaches the AmazonSSMManagedInstanceCore policy to the role. This doesn't include the required CloudWatchAgentServerPolicy IAM policy. You must update this policy and update this Systems Manager document to include this policy as described in the following section.
@@ -60 +62 @@ The following list provides two important actions that are performed by Quick Se
-     * `InstallAndManageCloudWatchDocument` – Installs the CloudWatch agent with Distributor and configures each EC2 instance one time with a default CloudWatch agent configuration using the `AWS-ConfigureAWSPackage` Systems Manager document.
+     * InstallAndManageCloudWatchDocument – Installs the CloudWatch agent with Distributor and configures each EC2 instance one time with a default CloudWatch agent configuration using the AWS-ConfigureAWSPackage Systems Manager document.
@@ -62 +64 @@ The following list provides two important actions that are performed by Quick Se
-     * `UpdateCloudWatchDocument` – Updates the CloudWatch agent by installing the latest CloudWatch agent using the `AWS-ConfigureAWSPackage` Systems Manager document. Updating or uninstalling the agent doesn’t remove the existing CloudWatch configuration files from the EC2 instance.
+     * UpdateCloudWatchDocument – Updates the CloudWatch agent by installing the latest CloudWatch agent using the AWS-ConfigureAWSPackage Systems Manager document. Updating or uninstalling the agent doesn't remove the existing CloudWatch configuration files from the EC2 instance.
@@ -66,3 +68 @@ The following list provides two important actions that are performed by Quick Se
-     * `ManageCloudWatchAgent` – Runs the `InstallAndManageCloudWatchDocument` Systems Manager document one time for each EC2 instance.
-
-     * `UpdateCloudWatchAgent` – Runs the `UpdateCloudWatchDocument` Systems Manager document every 30 days for each EC2 instance.
+     * ManageCloudWatchAgent – Runs the InstallAndManageCloudWatchDocument Systems Manager document one time for each EC2 instance.
@@ -70 +70 @@ The following list provides two important actions that are performed by Quick Se
-     * Runs the `CreateAndAttachIAMToInstance` Systems Manager document one time for each EC2 instance.
+     * UpdateCloudWatchAgent – Runs the UpdateCloudWatchDocument Systems Manager document every 30 days for each EC2 instance.
@@ -71,0 +72 @@ The following list provides two important actions that are performed by Quick Se
+     * Runs the CreateAndAttachIAMToInstance Systems Manager document one time for each EC2 instance.
@@ -75 +75,0 @@ The following list provides two important actions that are performed by Quick Se
-You must augment and customize the completed Quick Setup configuration to include CloudWatch permissions and support custom CloudWatch configurations. In particular, the `CreateAndAttachIAMToInstance` and the `InstallAndManageCloudWatchDocument` document will need to be updated. You can manually update the Systems Manager documents created by Quick Setup. Alternatively, you can use your own CloudFormation template to provision the same resources with the necessary updates as well as configure and deploy other Systems Manager resources and not use Quick Setup.
@@ -77 +77 @@ You must augment and customize the completed Quick Setup configuration to includ
-###### Important
+You must augment and customize the completed Quick Setup configuration to include
@@ -79 +79 @@ You must augment and customize the completed Quick Setup configuration to includ
-Quick Setup creates an CloudFormation stack to deploy and configure Systems Manager resources based on your choices. If you update your Quick Setup choices, you might need to manually re-update the Systems Manager documents.
+CloudWatch permissions and support custom CloudWatch configurations. In particular, the
@@ -81 +81 @@ Quick Setup creates an CloudFormation stack to deploy and configure Systems Mana
-The following sections describe how to manually update the Systems Manager resources created by Quick Setup, as well as use your own CloudFormation template to perform an updated Quick Setup. We recommend that you use your own CloudFormation template to avoid manually updating resources created by Quick Setup and CloudFormation. 
+CreateAndAttachIAMToInstance and the InstallAndManageCloudWatchDocument document will need to be updated. You can manually update the Systems Manager documents created by Quick Setup. Alternatively, you can use your own CloudFormation template to provision the same resources with the necessary updates as well as configure and deploy other Systems Manager resources and not use Quick Setup.
@@ -83 +83 @@ The following sections describe how to manually update the Systems Manager resou
-## Use Systems Manager Quick Setup and manually update the created Systems Manager resources
+### Important: Quick Setup creates an AWS CloudFormation stack to deploy and configure Systems Manager resources based on your choices. If you update your Quick Setup choices, you might need to manually re-update the Systems Manager documents.
@@ -85 +85 @@ The following sections describe how to manually update the Systems Manager resou
-The Systems Manager resources created by the Quick Setup approach must be updated to include the required CloudWatch agent permissions and support multiple CloudWatch configuration files. This section describes how to update the IAM role and Systems Manager documents to use a centralized S3 bucket containing CloudWatch configurations that is accessible from multiple accounts. Creating an S3 bucket to store the CloudWatch configuration files is discussed in the [Managing CloudWatch configurations](./create-store-cloudwatch-configurations.html#store-cloudwatch-configuration-s3) section of this guide.
+The following sections describe how to manually update the Systems Manager resources created by Quick Setup, as well as use your own AWS CloudFormation template to perform an updated Quick Setup. We recommend that you use your own AWS CloudFormation template to avoid manually updating resources created by Quick Setup and AWS CloudFormation.
@@ -87 +87 @@ The Systems Manager resources created by the Quick Setup approach must be update
-### Update the `CreateAndAttachIAMToInstance` Systems Manager document
+## Use Systems Manager Quick Setup and manually update the created Systems Manager resources
@@ -89 +89 @@ The Systems Manager resources created by the Quick Setup approach must be update
-This Systems Manager document created by Quick Setup checks whether an EC2 instance has an existing IAM instance profile attached to it. If it does, it attaches the `AmazonSSMManagedInstanceCore` policy to the existing role. This protects your existing EC2 instances from losing AWS permissions that might be assigned through existing instance profiles. You need to add a step in this document to attach the `CloudWatchAgentServerPolicy` IAM policy to EC2 instances that already have an instance profile attached. The Systems Manager document also creates the IAM role if it doesn’t exist and an EC2 instance doesn’t have an instance profile attached to it. You must update this section of the document to also include the `CloudWatchAgentServerPolicy` IAM policy. 
+This Systems Manager document created by Quick Setup checks whether an EC2 instance has an existing IAM instance profile attached to it. If it does, it attaches the AmazonSSMManagedInstanceCore policy to the existing role. This protects your existing EC2 instances from losing AWS permissions that might be assigned through existing instance profiles. You need to add a step in this document to attach the CloudWatchAgentServerPolicy IAM policy to EC2 instances that already have an instance profile attached. The Systems Manager document also creates the IAM role if it doesn't exist and an EC2 instance doesn't have an instance profile attached to it. You must update this section of the document to also include the CloudWatchAgentServerPolicy IAM policy.
@@ -93 +93 @@ Review the completed [CreateAndAttachIAMToInstance.yaml](https://github.com/aws-
-### Update the `InstallAndManageCloudWatchDocument` Systems Manager document
+### Update the InstallAndManageCloudWatchDocument Systems Manager document
@@ -99 +99 @@ Review the completed [InstallAndManageCloudWatchDocument.yaml](https://github.co
-## Use CloudFormation instead of Quick Setup
+## Use AWS CloudFormation instead of Quick Setup
@@ -101 +101 @@ Review the completed [InstallAndManageCloudWatchDocument.yaml](https://github.co
-Instead of using Quick Setup, you can use CloudFormation to configure Systems Manager. This approach allows you to customize your Systems Manager configuration according to your specific requirements. This approach also avoids manual updates to the configured Systems Manager resources created by Quick Setup to support custom CloudWatch configurations. 
+Instead of using Quick Setup, you can use AWS CloudFormation to configure Systems Manager. This approach allows you to customize your Systems Manager configuration according to your specific requirements. This approach also avoids manual updates to the configured Systems Manager resources created by Quick Setup to support custom CloudWatch configurations.
@@ -103 +103 @@ Instead of using Quick Setup, you can use CloudFormation to configure Systems Ma
-The Quick Setup feature also uses CloudFormation and creates a CloudFormation stack set to deploy and configure Systems Manager resources based on your choices. Before you can use CloudFormation stack sets, you must create the IAM roles used by CloudFormation StackSets to support deployments across multiple accounts or Regions. Quick Setup creates the roles it requires to support multi-Region or multi-account deployments with CloudFormation StackSets. You must complete the prerequisites for CloudFormation StackSets if you want to configure and deploy Systems Manager resources in multiple Regions or multiple accounts from a single account and Region. For more information about this, see [Prerequisites for stack set operations](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/stacksets-prereqs.html) in the CloudFormation documentation.
+The Quick Setup feature also uses AWS CloudFormation and creates a AWS CloudFormation stack set to deploy and configure Systems Manager resources based on your choices. Before you can use AWS CloudFormation stack sets, you must create the IAM roles used by AWS CloudFormation StackSets to support deployments across multiple accounts or Regions. Quick Setup creates the roles it requires to support multi-Region or multi-account deployments with AWS CloudFormation StackSets. You must complete the prerequisites for AWS CloudFormation StackSets if you want to configure and deploy Systems Manager resources in multiple Regions or multiple accounts from a single account and Region. For more information about this, see [Prerequisites for stack set operations](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-prereqs.html) in the AWS CloudFormation documentation.
@@ -105 +105 @@ The Quick Setup feature also uses CloudFormation and creates a CloudFormation st
-Review the [AWS-QuickSetup-SSMHostMgmt.yaml](https://github.com/aws-samples/logging-monitoring-apg-guide-examples/tree/main/custom_ssm_setup) CloudFormation template for customized Quick Setup. 
+Review the [AWS-QuickSetup-SSMHostMgmt.yaml](https://github.com/aws-samples/logging-monitoring-apg-guide-examples/tree/main/custom_ssm_setup) AWS CloudFormation template for customized Quick Setup.
@@ -107 +107 @@ Review the [AWS-QuickSetup-SSMHostMgmt.yaml](https://github.com/aws-samples/logg
-You should review the resources and capabilities in the CloudFormation template and make adjustments according to your requirements. You should version control the CloudFormation template that you use and incrementally test changes to confirm the required result. Additionally, you should perform cloud security reviews to determine if there are any policy adjustments that are required based on your organization's requirements.
+You should review the resources and capabilities in the AWS CloudFormation template and make adjustments according to your requirements. You should version control the AWS CloudFormation template that you use and incrementally test changes to confirm the required result. Additionally, you should perform cloud security reviews to determine if there are any policy adjustments that are required based on your organization's requirements.
@@ -109 +109 @@ You should review the resources and capabilities in the CloudFormation template
-You should deploy the CloudFormation stack in a single test account and Region, and perform any necessary test cases to customize and confirm the desired result. You can then graduate your deployment to multiple Regions in a single account, and then to multiple accounts and multiple regions.
+You should deploy the AWS CloudFormation stack in a single test account and Region, and perform any necessary test cases to customize and confirm the desired result. You can then graduate your deployment to multiple Regions in a single account, and then to multiple accounts and multiple regions.
@@ -111 +111 @@ You should deploy the CloudFormation stack in a single test account and Region,
-## Customized Quick Setup in a single account and Region with an CloudFormation stack
+## Customized Quick Setup in a single account and Region with an AWS CloudFormation stack
@@ -113 +113 @@ You should deploy the CloudFormation stack in a single test account and Region,
-If you are only use a single account and Region, you can deploy the complete example as a CloudFormation stack instead of an CloudFormation stack set. However if possible, we recommend that you use the multi-account, multi-Region stack set approach even if only use a single account and Region. Using CloudFormation StackSets makes it easier to expand to additional accounts and Regions in the future. 
+If you are only use a single account and Region, you can deploy the complete example as a AWS CloudFormation stack instead of an AWS CloudFormation stack set. However if possible, we recommend that you use the multi-account, multi-Region stack set approach even if only use a single account and Region. Using AWS CloudFormation StackSets makes it easier to expand to additional accounts and Regions in the future.
@@ -115 +115 @@ If you are only use a single account and Region, you can deploy the complete exa
-Use the following steps to deploy the [AWS-QuickSetup-SSMHostMgmt.yaml](https://github.com/aws-samples/logging-monitoring-apg-guide-examples/tree/main/custom_ssm_setup) CloudFormation template as an CloudFormation stack in a single account and AWS Region:
+Use the following steps to deploy the [AWS-QuickSetup-SSMHostMgmt.yaml](https://github.com/aws-samples/logging-monitoring-apg-guide-examples/tree/main/custom_ssm_setup) AWS CloudFormation template as an AWS CloudFormation stack in a single account and Region:
@@ -119 +119 @@ Use the following steps to deploy the [AWS-QuickSetup-SSMHostMgmt.yaml](https://
-  2. Customize the default CloudFormation parameter values based on your organization’s requirements.
+  2. Customize the default AWS CloudFormation parameter values based on your organization's requirements.
@@ -123 +123,4 @@ Use the following steps to deploy the [AWS-QuickSetup-SSMHostMgmt.yaml](https://
-  4. Customize the Systems Manager document with the `InstallAndManageCloudWatchDocument` logical ID. Confirm that the S3 bucket prefixes align to the prefixes for the S3 bucket containing your CloudWatch configuration.
+  4. Customize the Systems Manager document with the InstallAndManageCloudWatchDocument
+
+
+
@@ -125 +128 @@ Use the following steps to deploy the [AWS-QuickSetup-SSMHostMgmt.yaml](https://
-  5. Retrieve and record the Amazon Resource Name (ARN) for the S3 bucket containing your CloudWatch configurations. For more information about this, see the [Managing CloudWatch configurations](./create-store-cloudwatch-configurations.html#store-cloudwatch-configuration-s3) section of this guide. A sample [cloudwatch-config-s3-bucket.yaml](https://github.com/aws-samples/logging-monitoring-apg-guide-examples/blob/main/cloudwatch-config-s3-bucket.yaml) CloudFormation template is available that includes a bucket policy to provide read access to AWS Organizations accounts. 
+logical ID. Confirm that the S3 bucket prefixes align to the prefixes for the S3 bucket containing your CloudWatch configuration.
@@ -127 +130 @@ Use the following steps to deploy the [AWS-QuickSetup-SSMHostMgmt.yaml](https://
-  6. Deploy the customized Quick Setup CloudFormation template to the same account as your S3 bucket:
+  1. Retrieve and record the Amazon Resource Name (ARN) for the S3 bucket containing your CloudWatch configurations. For more information about this, see the Storing CloudWatch configuration files in an S3 bucket (p. 9) section of this guide. A sample [cloudwatch-config-s3-bucket.yaml](https://github.com/aws-samples/logging-monitoring-apg-guide-examples/blob/main/cloudwatch-config-s3-bucket.yaml) AWS CloudFormation template is available that includes a bucket policy to provide read access to AWS Organizations accounts.
@@ -129 +132,3 @@ Use the following steps to deploy the [AWS-QuickSetup-SSMHostMgmt.yaml](https://
-     * For the `CloudWatchConfigBucketARN` parameter, enter the S3 bucket's ARN.
+  2. Deploy the customized Quick Setup AWS CloudFormation template to the same account as your S3 bucket:
+
+     * For the CloudWatchConfigBucketARN parameter, enter the S3 bucket's ARN.
@@ -132,0 +138 @@ Use the following steps to deploy the [AWS-QuickSetup-SSMHostMgmt.yaml](https://
+  3. Deploy a test EC2 instance with and without an IAM role to confirm that the EC2 instance works withCloudWatch.
@@ -136 +141,0 @@ Use the following steps to deploy the [AWS-QuickSetup-SSMHostMgmt.yaml](https://
-7\. Deploy a test EC2 instance with and without an IAM role to confirm that the EC2 instance works with CloudWatch.
@@ -138 +143 @@ Use the following steps to deploy the [AWS-QuickSetup-SSMHostMgmt.yaml](https://
-  * Apply the `AttachIAMToInstance` State Manager association. This is a Systems Manager runbook that is configured to run on a schedule. State Manager associations that use runbooks are not automatically applied to new EC2 instances and can be configured to run on a scheduled basis. For more information, see [Running automations with triggers using State Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-sm-target.html) in the Systems Manager documentation.
+  * Apply the AttachIAMToInstance State Manager association. This is a Systems Manager runbook that is configured to run on a schedule. State Manager associations that use runbooks are not automatically applied to new EC2 instances and can be configured to run on a scheduled basis. For more information, see [Running automations with triggers using State Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-sm-target.html) in the Systems Manager documentation.
@@ -149 +154 @@ Use the following steps to deploy the [AWS-QuickSetup-SSMHostMgmt.yaml](https://
-## Customized Quick Setup in multiple Regions and multiple accounts with CloudFormation StackSets
+## Customized Quick Setup in multiple Regions and multiple accounts with AWS CloudFormation StackSets
@@ -151 +156 @@ Use the following steps to deploy the [AWS-QuickSetup-SSMHostMgmt.yaml](https://
-If you are using multiple accounts and Regions, then you can deploy the [AWS-QuickSetup-SSMHostMgmt.yaml](https://github.com/aws-samples/logging-monitoring-apg-guide-examples/tree/main/custom_ssm_setup) CloudFormation template as a stack set. You must complete the [CloudFormation StackSet prerequisites](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/stacksets-prereqs.html) before using stack sets. The requirements vary depending on whether you are deploying stack sets with [**self-managed** or **service-managed** permissions](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/stacksets-prereqs.html). 
+If you are using multiple accounts and Regions, then you can deploy the [AWS-QuickSetupSSMHostMgmt.yaml](https://github.com/aws-samples/logging-monitoring-apg-guide-examples/tree/main/custom_ssm_setup) AWS CloudFormation template as a stack set. You must complete the [AWS CloudFormation StackSet prerequisites](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-prereqs.html) before using stack sets. The requirements vary depending on whether you are deploying stack sets with [**self-managed** or **service-managed** permissions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-prereqs.html).
@@ -155 +160 @@ We recommend that you deploy stack sets with service-managed permissions so that
-  1. Complete steps 1 to 5 from the Customized Quick Setup in a single account and Region with an CloudFormation stack section of this guide.
+  1. Complete steps 1 to 5 from the Customized Quick Setup in a single account and Region with an AWS CloudFormation stack section of this guide.
@@ -157 +162 @@ We recommend that you deploy stack sets with service-managed permissions so that
-  2. Sign in to the AWS Management Console, open the CloudFormation consoler and choose **Create StackSet** :
+  2. Sign in to the AWS Management Console, open the AWS CloudFormation consoler and choose **Create StackSet** :
@@ -159 +164 @@ We recommend that you deploy stack sets with service-managed permissions so that
-     * Choose **Template is ready** and **Upload a template file**. Upload the CloudFormation template that you customized to your requirements.
+     * Choose **Template is ready** and **Upload a template file**. Upload the AWS CloudFormation template that you customized to your requirements.
@@ -163 +168 @@ We recommend that you deploy stack sets with service-managed permissions so that
-       * Enter a stack set name, for example, `StackSet-SSM-QuickSetup`.
+     * Enter a stack set name, for example, StackSet-SSM-QuickSetup.
@@ -167 +172 @@ We recommend that you deploy stack sets with service-managed permissions so that
-       * For the `CloudWatchConfigBucketARN` parameter, enter the ARN for your CloudWatch configuration's S3 bucket. 
+     * For the CloudWatchConfigBucketARN parameter, enter the ARN for your CloudWatch configuration's S3 bucket.
@@ -171 +176,8 @@ We recommend that you deploy stack sets with service-managed permissions so that
-         * If you choose self-managed permissions, enter the **AWSCloudFormationStackSetAdministrationRole** and **AWSCloudFormationStackSetExecutionRole** IAM role details. The administrator role must exist in the account and the execution role must exist in each target account
+     * If you choose self-managed permissions, enter the
+
+
+
+
+**AWSCloudFormationStackSetAdministrationRole** and
+
+**AWSCloudFormationStackSetExecutionRole** IAM role details. The administrator role must exist in the account and the execution role must exist in each target account
@@ -181 +193 @@ We recommend that you deploy stack sets with service-managed permissions so that
-       * Confirm that the deployment is successful by viewing the status in the **Operations** **and****Stack instances** tab for the stack set.
+  * Confirm that the deployment is successful by viewing the status in the **Operations** **and Stack instances** tab for the stack set.
@@ -183 +195 @@ We recommend that you deploy stack sets with service-managed permissions so that
-       * Test that Systems Manager and CloudWatch are correctly working in the deployed accounts by following step 7 from the Customized Quick Setup in a single account and Region with an CloudFormation stack section of this guide.
+  * Test that Systems Manager and CloudWatch are correctly working in the deployed accounts by following step 7 from the Customized Quick Setup in a single account and Region with an AWS CloudFormation stack (p. 23) section of this guide.
@@ -192 +204 @@ The CloudWatch agent for on-premises servers and VMs is installed and configured
-**Point the CloudWatch agent to the same temporary credentials used for Systems Manager.** |  When you set up Systems Manager in a hybrid environment that includes on-premises servers, you can activate Systems Manager with an IAM role. You should use the role created for your EC2 instances that includes the `CloudWatchAgentServerPolicy` and `AmazonSSMManagedInstanceCore` policies. This results in the Systems Manager agent retrieving and writing temporary credentials to a local credentials file. You can point your CloudWatch agent configuration to the same file. You can use the process from [Configure on-premises servers that use Systems Manager agent and the unified CloudWatch agent to use only temporary credentials](https://aws.amazon.com//premiumsupport/knowledge-center/cloudwatch-on-premises-temp-credentials/) in the AWS Knowledge Center.  You can also automate this process by defining a separate Systems Manager Automation runbook and State Manager association, and targeting your on-premises instances with tags. When you create an [Systems Manager activation](https://docs.aws.amazon.com/systems-manager/latest/userguide/hybrid-activation-managed-nodes.html) for your on-premises instances, you should include a tag that identifies the instances as on-premises instances.   
+Point the CloudWatch agent to the same temporary credentials used for Systems Manager.| When you set up Systems Manager in a hybrid environment that includes on-premises servers, you can activate Systems Manager with an IAM role. You should use the role created for your EC2 instances that includes the CloudWatchAgentServerPolicy and AmazonSSMManagedInstanceCore policies.This results in the Systems Manager agent retrieving and writing temporary credentials  
@@ -194 +206,2 @@ The CloudWatch agent for on-premises servers and VMs is installed and configured
-**Consider using accounts and Regions that have VPN or Direct Connect access and AWS PrivateLink.** | You can use AWS Direct Connect or AWS Virtual Private Network (Site-to-Site VPN) to establish private connections between on-premises networks and your virtual private cloud (VPC). AWS PrivateLink establishes a private connection to CloudWatch Logs with an interface VPC endpoint. This approach is useful if you have restrictions that prevent data being sent over the public internet to a public service endpoint.  
+| to a local credentials file. You can point your CloudWatch agent configuration to the same file. You can use the process from [Configure onpremises servers that use Systems Manager agent and the unified CloudWatch agent to use only temporary credentials](https://aws.amazon.com/premiumsupport/knowledge-center/cloudwatch-on-premises-temp-credentials/) in the AWS Knowledge Center.You can also automate this process by defining a separate Systems Manager Automation runbook and State Manager association, and targeting your on-premises instances with tags. When you create an [Systems Manager activation](https://docs.aws.amazon.com/systems-manager/latest/userguide/hybrid-activation-managed-nodes.html) for your on-premises instances, you should include a tag that identifies the instances as on-premises instances.  
+**Consider using accounts and Regions that have VPN or AWS Direct Connect access and AWS PrivateLink.**|  You can use AWS Direct Connect or AWS Virtual Private Network (AWS VPN) to establish private connections between on-premises networks and your virtual private cloud (VPC). AWS PrivateLink establishes a private connection to CloudWatch Logs with an interface VPC endpoint. This approach is useful if you have restrictions that prevent data being sent over the public internet to a public service endpoint.  
@@ -199 +212 @@ The CloudWatch agent for on-premises servers and VMs is installed and configured
-EC2 instances are temporary, or _ephemeral_ , if they are provisioned by Amazon EC2 Auto Scaling, Amazon EMR, [Amazon EC2 Spot Instances](https://docs.aws.amazon.com//AWSEC2/latest/UserGuide/using-spot-instances.html), or AWS Batch. Ephemeral EC2 instances can cause a very large number of CloudWatch streams under a common log group without additional information on their runtime origin. 
+EC2 instances are temporary, or _ephemeral_ , if they are provisioned by Amazon EC2 Auto Scaling, Amazon EMR, [Amazon EC2 Spot Instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-spot-instances.html), or AWS Batch. Ephemeral EC2 instances can cause a very large number of CloudWatch streams under a common log group without additional information on their runtime origin.
@@ -203 +216 @@ If you use ephemeral EC2 instances, consider adding additional dynamic contextua
-You should also make sure that your metrics and logs are sent by the CloudWatch agent before your ephemeral EC2 instances are terminated. The CloudWatch agent includes a `flush_interval` parameter that can be configured to define the time interval for flushing log and metric buffers. You can lower this value based on your workload and stop the CloudWatch agent and force the buffers to flush before the EC2 instance is terminated.
+You should also make sure that your metrics and logs are sent by the CloudWatch agent before your ephemeral EC2 instances are terminated. The CloudWatch agent includes a flush_interval parameter that can be configured to define the time interval for flushing log and metric buffers. You can lower this value based on your workload and stop the CloudWatch agent and force the buffers to flush before the EC2 instance is terminated.
@@ -209 +222 @@ If you use an automation solution (for example, Ansible or Chef), you can levera
-  * **Validate that the automation covers the OSs and the OS versions that you support.** If the automation script doesn't support all your organization’s OSs, you should define alternative solutions for the unsupported OSs. 
+  * **Validate that the automation covers the OSs and the OS versions that you support.** If the automation script doesn't support all your organization's OSs, you should define alternative solutions for the unsupported OSs.
@@ -213 +226 @@ If you use an automation solution (for example, Ansible or Chef), you can levera
-  * **Validate that you can confirm agent installation and configuration compliance**. Your automation solution should enable you to determine when a system doesn’t have the agent installed or when the agent isn’t working. You can implement a notification or alarm into your automation solution so that failed installations and configurations are tracked.
+  * **Validate that you can confirm agent installation and configuration compliance**. Your automation solution should enable you to determine when a system doesn't have the agent installed or when the agent isn't working. You can implement a notification or alarm into your automation solution so that failed installations and configurations are tracked.
@@ -224 +237 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-CloudWatch agent installation approaches for Amazon EC2 and on-premises servers
+CloudWatch installation for Amazon EC2 and on premises
@@ -226 +239 @@ CloudWatch agent installation approaches for Amazon EC2 and on-premises servers
-Deploying the CloudWatch agent during instance provisioning with the user data script
+Deploying the CloudWatch agent during instance provisioning