Choosing between State Manager and Maintenance Windows - AWS Systems Manager

State Manager and Maintenance Windows, both capabilities of AWS Systems Manager, can perform some similar types of updates on your managed instances. Which one you choose depends on whether you need to automate system compliance or perform high-priority, time-sensitive tasks during periods you specify.

State Manager and Maintenance Windows: Key use cases

State Manager, a capability of AWS Systems Manager, sets and maintains the desired state configuration for managed instances and AWS resources within your AWS account. You can define combinations of configurations and targets as association objects. State Manager is the recommended capability if you want to maintain all managed instances in your account in a consistent state, use Amazon EC2 Auto Scaling to generate new instances, or have strict compliance reporting requirements for the managed instances in your account.

The main use cases for State Manager are as follows:

  • Auto Scaling scenarios: State Manager detects new instances launched in an account, whether they were launched manually or by an Auto Scaling group. If any association in the account targets the new instance (by tag, or because it targets all instances), that association is applied to the instance automatically.

  • Compliance reporting: State Manager can drive compliance reporting of desired states for resources in your account.

  • Supporting all instances: State Manager can target all instances within a given account.

A maintenance window takes one or more actions on AWS resources within a given time window. You can define a single maintenance window with start and end times. You can specify multiple tasks to run within this maintenance window. Use Maintenance Windows, a capability of AWS Systems Manager, if your high priority operations include patching your managed instances, running multiple types of tasks on your instances during an update period, or controlling when update operations can be run on your instances.

The main use cases for Maintenance Windows are as follows:

  • Running multiple documents: Maintenance windows can run multiple tasks. Each task can use a different document type. As a result, you can build complex workflows using different tasks within a single maintenance window.

  • Patching: A maintenance window can patch all managed instances in an account that are identified by a specific tag or resource group. Because patching usually involves taking instances out of service (for example, removing them from a load balancer), patching them, and then post processing (putting them back into production), the whole sequence can be modelled as a series of tasks within a given patch window.

  • Window actions: Maintenance windows start one or more sets of actions within a specific time window. No new actions start outside that window. Actions already started continue until they finish, even if that is after the window closes.

The following table compares the main features of State Manager and Maintenance Windows.

Feature: AWS CloudFormation integration
  State Manager: AWS CloudFormation templates support State Manager associations.
  Maintenance Windows: AWS CloudFormation templates support maintenance windows, window targets, and window tasks.

Feature: Compliance
  State Manager: Every State Manager association reports compliance with respect to the desired state of the targeted resource. You can use the Compliance Dashboard to aggregate and view the reported compliance.
  Maintenance Windows: Not applicable.

Feature: Configuration Management integration
  State Manager: State Manager supports external desired state solutions such as Microsoft PowerShell Desired State Configuration (DSC), Ansible playbooks, and Chef recipes. You can use State Manager associations to test that the Configuration Management solutions work and to apply their configuration changes to your instances when you're ready.
  Maintenance Windows: Not applicable.

Feature: Documents
  State Manager: State Manager configurations can be defined as Policy documents (for gathering inventory information), Automation runbooks (for AWS resources such as Amazon Simple Storage Service (Amazon S3) buckets), or Command documents (SSM documents) for managed instances.
  Maintenance Windows: Maintenance window tasks can be defined with Automation runbooks (multi-step actions with optional approval steps) or Command documents (SSM documents) that run on managed instances.

Feature: Monitoring
  State Manager: State Manager monitors changes in the configuration, association, or state of an instance (for example, new instances coming online). When State Manager detects such a change, it re-applies the association to the instances that association targets.
  Maintenance Windows: Not applicable.

Feature: Priorities within tasks
  State Manager: Not applicable.
  Maintenance Windows: Each task in a maintenance window can be assigned a priority, where 1 is the highest priority. All tasks with the same priority run in parallel. Tasks with a lower priority run only after all tasks with a higher priority have reached a final state. There is no way to run a task conditionally: once the higher-priority tasks reach a final state, the next priority level runs regardless of whether those tasks succeeded or failed.

Feature: Safety controls
  State Manager: State Manager supports two safety controls when deploying configurations across a large fleet. Maximum concurrency defines how many instances or resources (a count or a percentage of targets) can have the configuration applied at the same time. Maximum errors defines how many failures (a count or a percentage) are tolerated before State Manager stops sending the association to additional targets; targets already in progress run to completion.
  Maintenance Windows: Maintenance windows support the same two safety controls, set per task. Maximum concurrency defines how many targets a task runs on at the same time, and maximum errors defines how many failures (a count or a percentage) are tolerated before the task stops being sent to additional targets.

Feature: Scheduling
  State Manager: You can run State Manager associations on demand, on a cron schedule, at a given rate, or once when they're created. This is useful if you want to maintain the desired state of your resources in a consistent and timely manner.
  Maintenance Windows: Maintenance windows support several scheduling options: at expressions (for example, "at(2021-07-07T13:15:30)"), cron and rate expressions, cron with offsets, start and end dates that bound when the window can run, and a cutoff (in hours before the window closes) after which no new tasks are started.

Feature: Targeting
  State Manager: State Manager associations can target one or more instances by instance ID, tag, or resource group. State Manager can also target all managed instances within a given account.
  Maintenance Windows: Maintenance windows can target one or more instances by instance ID, tag, or resource group.

Feature: Tasks within maintenance windows
  State Manager: Not applicable.
  Maintenance Windows: A maintenance window can contain one or more tasks, each running a specific action (a Command document, an Automation runbook, a Lambda function, or a Step Functions state machine). All tasks within a maintenance window run in parallel unless different priorities are set for different tasks. Overall, maintenance windows support four task types:

  • AWS Systems Manager Run Command commands

  • AWS Systems Manager Automation workflows

  • AWS Lambda functions

  • AWS Step Functions tasks
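The following CloudFormation template is an added example, not code from the AWS page, that puts the two capabilities side by side as they are compared above: two State Manager associations (one targeting every managed instance, one targeting a tag, both with maximum concurrency and maximum errors and a compliance severity) and one maintenance window with a tag-based target and two Run Command tasks at different priorities. The AWS-managed documents it uses (AWS-UpdateSSMAgent, AWS-GatherSoftwareInventory, AWS-RunPatchBaseline) are real; the Environment tag, its value, the resource names, and every schedule are assumptions chosen for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example (not part of the AWS page): State Manager associations that keep
  a fleet in a desired state, next to a maintenance window that patches the same
  fleet inside a fixed weekly window. The Environment tag and all schedules are
  assumptions.

Resources:
  # --- State Manager ---------------------------------------------------------
  # Targets every managed instance in the account and Region (InstanceIds: "*"),
  # so instances launched later, including by Auto Scaling, pick it up on their own.
  AgentUpToDateAssociation:
    Type: AWS::SSM::Association
    Properties:
      AssociationName: keep-ssm-agent-current
      Name: AWS-UpdateSSMAgent            # AWS-managed Command document
      Targets:
        - Key: InstanceIds
          Values: ["*"]
      ScheduleExpression: rate(1 day)
      # Safety controls: at most 10% of targets at once; stop sending to new
      # targets after 5 failures (targets already in progress finish).
      MaxConcurrency: "10%"
      MaxErrors: "5"
      ComplianceSeverity: MEDIUM          # severity reported for non-compliant targets

  # Tag-targeted association whose results feed compliance reporting.
  InventoryAssociation:
    Type: AWS::SSM::Association
    Properties:
      AssociationName: gather-inventory-production
      Name: AWS-GatherSoftwareInventory   # AWS-managed Policy document
      Targets:
        - Key: tag:Environment            # assumed tag key
          Values: [production]            # assumed tag value
      ScheduleExpression: cron(0 2 * * ? *)   # daily at 02:00 UTC
      ComplianceSeverity: LOW

  # --- Maintenance Windows ---------------------------------------------------
  PatchWindow:
    Type: AWS::SSM::MaintenanceWindow
    Properties:
      Name: production-patching
      Description: Weekly patch window, Sunday 02:00 to 06:00 UTC
      Schedule: cron(0 2 ? * SUN *)
      ScheduleTimezone: UTC
      Duration: 4        # hours the window stays open
      Cutoff: 1          # hours before close after which no new task starts
      AllowUnassociatedTargets: false   # tasks may only hit registered targets

  PatchTarget:
    Type: AWS::SSM::MaintenanceWindowTarget
    Properties:
      WindowId: !Ref PatchWindow
      ResourceType: INSTANCE
      Targets:
        - Key: tag:Environment
          Values: [production]

  # Priority 1 runs first. No ServiceRoleArn is given, so Systems Manager uses
  # the account's service-linked role for Systems Manager.
  InstallPatchesTask:
    Type: AWS::SSM::MaintenanceWindowTask
    Properties:
      WindowId: !Ref PatchWindow
      Name: install-patches
      TaskType: RUN_COMMAND
      TaskArn: AWS-RunPatchBaseline       # AWS-managed Command document
      Priority: 1
      Targets:
        - Key: WindowTargetIds
          Values: [!Ref PatchTarget]
      MaxConcurrency: "25%"
      MaxErrors: "1"
      CutoffBehavior: CONTINUE_TASK       # in-flight invocations finish past cutoff
      TaskInvocationParameters:
        MaintenanceWindowRunCommandParameters:
          TimeoutSeconds: 3600
          Parameters:
            Operation: [Install]
            RebootOption: [RebootIfNeeded]

  # Priority 2 starts once every priority-1 task reaches a final state, whether
  # or not patching succeeded: a Scan here is a report, not a gate.
  PostPatchScanTask:
    Type: AWS::SSM::MaintenanceWindowTask
    Properties:
      WindowId: !Ref PatchWindow
      Name: post-patch-compliance-scan
      TaskType: RUN_COMMAND
      TaskArn: AWS-RunPatchBaseline
      Priority: 2
      Targets:
        - Key: WindowTargetIds
          Values: [!Ref PatchTarget]
      MaxConcurrency: "50%"
      MaxErrors: "50%"
      TaskInvocationParameters:
        MaintenanceWindowRunCommandParameters:
          TimeoutSeconds: 600
          Parameters:
            Operation: [Scan]
```

Two design points worth noticing when adapting this. First, the association keeps re-applying itself (daily rate, or on instance changes) and reports compliance, whereas the maintenance window only opens on Sunday and its tasks never run outside the window; if a patch run is still in progress at 06:00 it finishes, but nothing new starts after the 05:00 cutoff. Second, because priority 2 runs regardless of how priority 1 ended, any step that must only run after a successful patch (for example, putting an instance back behind a load balancer) belongs inside an Automation runbook with its own error handling rather than in a separate, lower-priority window task.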