About State Manager - AWS Systems Manager

About State Manager

State Manager, a capability of AWS Systems Manager, is a secure and scalable service that automates the process of keeping your Amazon Elastic Compute Cloud (Amazon EC2) and hybrid infrastructure in a state that you define.

Here's how State Manager works:

1. Determine the state you want to apply to your managed instances.

Do you want to guarantee that your managed instance are configured with specific applications, such as antivirus or malware applications? Do you want to automate the process of updating the SSM Agent or other AWS packages such as AWSPVDriver? Do you need to guarantee that specific ports are closed or open? To get started with State Manager, determine the state that you want to apply to your managed instances. The state that you want to apply determines which SSM document you use to create a State Manager association.

A State Manager association is a configuration that is assigned to your managed instances. The configuration defines the state that you want to maintain on your instances. For example, an association can specify that antivirus software must be installed and running on your instances, or that certain ports must be closed. The association specifies a schedule for when the configuration is applied once or reapplied at specified times. The association also specifies actions to take when applying the configuration. For example, an association for antivirus software might run once a day. If the software isn't installed, then State Manager installs it. If the software is installed, but the service isn't running, then the association might instruct State Manager to start the service.

2. Determine if a preconfigured SSM document can help you create the State Manager association.

State Manager uses SSM documents to create an association. Systems Manager includes dozens of preconfigured SSM documents that you can use to create an association. Preconfigured documents are ready to perform common tasks like installing applications, configuring Amazon CloudWatch, running AWS Systems Manager automations, running PowerShell and Shell scripts, and joining a Directory Service domain for Active Directory. Specify the name of the document and information for the required parameters and then run the command to create the association.

You can view all SSM documents in the Systems Manager console. Choose the name of a document to learn more about each one. Here are two examples: AWS-ConfigureAWSPackage and AWS-InstallApplication.

3. Create the association.

You can create the association by using the Systems Manager console, the AWS Command Line Interface (AWS CLI), AWS Tools for Windows PowerShell (Tools for Windows PowerShell), or the Systems Manager API. When you create the association, you specify the following information:

  • The parameters for the SSM document (for example, the path to the application to install or the script to run on the instances).

  • Targets for the association. You can target managed instances by specifying Amazon EC2 tags, by choosing individual instance IDs, or by choosing a group in AWS Resource Groups. You can also target all managed instances in the current AWS Region and AWS account.

  • A schedule for when or how often to apply the state. You can specify a cron or rate expression. For more information about creating schedules by using cron and rate expressions, see Cron and rate expressions for associations.

When you run the command to create the association, Systems Manager binds the information you specified (schedule, targets, SSM document, and parameters) to the managed instances. The status of the association initially shows "Pending" as the system attempts to reach all targets and immediately apply the state specified in the association.


If you create a new association that is scheduled to run while an earlier association is still running, the earlier association times out and the new association runs.

Systems Manager reports the status of the request to create associations on the managed instances. You can view status details in the console or by using the DescribeInstanceAssociationsStatus API operation. If you choose to write the output of the command to Amazon Simple Storage Service (Amazon S3) when you create an association, you can also view the output in the Amazon S3 bucket you specify.

For more information, see Creating associations.

4. Monitor and update.

After you create the association, State Manager reapplies the configuration according to the schedule that you defined in the association. You can view the status of your associations on the State Manager page in the console or by directly calling the association ID generated by Systems Manager when you created the association. For more information, see Viewing association histories. You can update your association documents and reapply them as necessary. You can also create multiple versions of an association. For more information, see Editing and creating a new version of an association.