I just created a few simple Systems Manager State Manager associations, all to accomplish small tasks like running inventory and scanning for patches. I had initially assumed that an association failing on a single instance would lead that instance to be marked as non-compliant, with whatever severity level was configured for the association. In one of the walkthroughs in the SSM documentation, however, I see this:
If the State Manager association fails, no compliance data is reported. For example, if Systems Manager attempts to download a Chef cookbook from an S3 bucket that the node doesn't have permission to access, the association fails, and Systems Manager reports no compliance data.
Is this the case for all association failures, regardless of document? And if it is, under what scenarios would association compliance show anything other than compliant instances?
AWS OFFICIALUpdated a year ago
