AWS Systems Manager Maintenance Windows let you define a schedule for when to perform potentially disruptive actions on your instances such as patching an operating system, updating drivers, or installing software or patches. Maintenance Windows also lets you schedule actions on numerous other AWS resource types, such as Amazon Simple Storage Service (Amazon S3) buckets, Amazon Simple Queue Service (Amazon SQS) queues, AWS Key Management Service (AWS KMS) keys, and many more. For a full list of supported resource types that you can include in a maintenance window target, see Supported Resources for AWS Resource Groups in the AWS Resource Groups User Guide.
Each maintenance window has a schedule, a maximum duration, a set of registered targets (the instances or other AWS resources that are acted upon), and a set of registered tasks. You can add tags to your maintenance windows when you create or update them. (Tags are keys that help identify and sort your resources within your organization.) You can also specify dates that a maintenance window should not run before or after, and you can specify the international time zone on which to base the maintenance window schedule.
In this lab we will create a Maintenance Window to be used within Patch Manager. We will be using the default service-linked role for Systems Manager. A custom role can instead be created to restrict the actions the service may perform within a Maintenance Window, and is selected when the task is registered with the Maintenance Window.
First, you must create the window and define its schedule and duration:
Open the AWS Systems Manager console.
In the navigation pane, select Maintenance Windows and then select Create a Maintenance Window.
In the Provide maintenance window details section:
For Name, enter Patch-amznlin2-app.
For Duration, enter 2 hours.
For Stop initiating tasks, enter 1 hour before the window closes. Allow enough time for initiated activities to complete before the close of the maintenance window.
Select Create maintenance window. The system returns you to the Maintenance Windows page. The state of the Maintenance Window you just created is Enabled.
After you create a Maintenance Window, you assign targets that the tasks will run against. In this case, we will utilize the Patch Group we created previously containing the two app servers.
On the Maintenance windows page, select the Window ID of your maintenance window to enter its Details page.
Select Actions in the top right of the window and select Register targets.
On the Register target page, under Maintenance window target details, enter App as the Target name.
In the Targets section, under Target selection, choose to target instances by tag and enter Patch Group as the key and App as the value. The option to add an additional tag key/value pair will appear.
Select Register target at the bottom of the page to return to the maintenance window details page.
If you want to assign more targets to this window, select the Targets tab, and then select Register target to register new targets. With this option, you can select a different means of targeting. For example, if you previously targeted instances by instance ID, you can register new targets and target instances by specifying resource tags.
This part is critical to ensure that the IAM role is set up properly for Maintenance Window use. After you assign targets, you assign tasks to perform during the window:
From the details page of your maintenance window, select Actions in the top right of the window and select Register Run command task.
On the Register Run command task page, enter PatchTestAppServers as the Name.
In the Command document section, select the patching command document and set Task priority to 1 (1 is the highest priority).
In the Targets section, select the target group (App) registered above.
In the Rate control section, set Concurrency to 1 and Error threshold to 1, so that one instance is patched at a time and no further invocations are sent after the first error.
In the Role section, use the default Service-linked role for Systems Manager.
In Output options, leave Enable writing to S3 unchecked.
In SNS notifications, leave Enable SNS notifications unchecked.
In the Parameters section, under Operation, select Install.
You can also choose whether a reboot is triggered after installation or deferred to another time (NoReboot).
Select Register Run command task to complete the task definition and return to the details page.
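The three console procedures above (create the window, register the tag-based target, register the Run Command task) as an added AWS CLI example that is not part of the lab. It assumes a configured AWS CLI profile and region, uses a placeholder schedule because the lab text gives none, and assumes AWS-RunPatchBaseline as the command document behind the Operation parameter; --service-role-arn is where a custom restricted role would replace the service-linked role.

```shell
#!/bin/sh
# Added example (not from the lab): the console steps as AWS CLI calls.
# Assumptions: AWS CLI configured; schedule below is a placeholder (lab gives none);
# AWS-RunPatchBaseline is the document implied by the Operation=Install parameter.
set -eu
AWS="${AWS:-aws}"   # set AWS=echo to print the calls instead of executing them

# Step 1: the window. Duration 2 h; stop initiating new tasks 1 h before close.
# Unregistered targets are not allowed, so only the registered tag group is in scope.
mw_create() {   # $1 = window name, $2 = cron/rate schedule expression
  "$AWS" ssm create-maintenance-window \
    --name "$1" --schedule "$2" --duration 2 --cutoff 1 \
    --no-allow-unassociated-targets \
    --query WindowId --output text
}

# Step 2: target instances by the Patch Group tag rather than by instance ID.
mw_register_target() {   # $1 = window id, $2 = target name, $3 = Patch Group value
  "$AWS" ssm register-target-with-maintenance-window \
    --window-id "$1" --name "$2" --resource-type INSTANCE \
    --targets "Key=tag:Patch Group,Values=$3" \
    --query WindowTargetId --output text
}

# Step 3: the patch task. Concurrency 1 / error threshold 1 = one instance at a time,
# stop after the first failure. Add --service-role-arn <role> to use a custom role.
mw_register_task() {   # $1 = window id, $2 = window target id, $3 = RebootIfNeeded|NoReboot
  "$AWS" ssm register-task-with-maintenance-window \
    --window-id "$1" --name PatchTestAppServers --priority 1 \
    --task-type RUN_COMMAND --task-arn AWS-RunPatchBaseline \
    --targets "Key=WindowTargetIds,Values=$2" \
    --max-concurrency 1 --max-errors 1 \
    --task-invocation-parameters \
    "{\"RunCommand\":{\"Parameters\":{\"Operation\":[\"Install\"],\"RebootOption\":[\"$3\"]}}}" \
    --query WindowTaskId --output text
}

# Wire the steps together; runs only when invoked as: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
  WINDOW_ID=$(mw_create Patch-amznlin2-app "cron(0 2 ? * SUN *)")   # placeholder schedule
  TARGET_ID=$(mw_register_target "$WINDOW_ID" App App)
  mw_register_task "$WINDOW_ID" "$TARGET_ID" RebootIfNeeded
fi
```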
This section will show you how to check the status of the Run command using the Management Console.
After allowing enough time for your maintenance window to complete:
On the Maintenance window ID details page, select History.
Select a Window execution ID and select View details.
This section will cover how to view current compliance data about the patching operations.
In the AWS Systems Manager navigation pane, select Compliance.
On the Compliance page, in the Compliance resources summary, you will now see that 2 systems are listed as Compliant resources. In the Resources list, you will see the individual compliance status and details.
You can also sort by Patch Group or Resource Group.