Choosing between State Manager and Maintenance Windows
State Manager and Maintenance Windows, both capabilities of Amazon Systems Manager, can perform some similar types of updates on your managed nodes. Which one you choose depends on whether you need to automate system compliance or perform high-priority, time-sensitive tasks during periods you specify.
State Manager and Maintenance Windows: Key use cases
State Manager, a capability of Amazon Systems Manager, sets and maintains the targeted state configuration for managed nodes and Amazon resources within your Amazon Web Services account. You can define combinations of configurations and targets as association objects. State Manager is the recommended capability if you want to maintain all managed nodes in your account in a consistent state, use Amazon EC2 Auto Scaling to generate new nodes, or have strict compliance reporting requirements for the managed nodes in your account.
The main use cases for State Manager are as follows:
-
Auto Scaling scenarios: State Manager can monitor all new nodes launched within an account either manually or through Auto Scaling groups. If there are any associations in the account targeting that new node (through tags or all nodes), then that particular association is automatically applied to the new node.
-
Compliance reporting: State Manager can drive compliance reporting of required states for resources in your account.
-
Supporting all nodes: State Manager can target all nodes within a given account.
A maintenance window takes one or more actions on Amazon resources within a given time window. You can define a single maintenance window with start and end times. You can specify multiple tasks to run within this maintenance window. Use Maintenance Windows, a capability of Amazon Systems Manager, if your high priority operations include patching your managed nodes, running multiple types of tasks on your nodes during an update period, or controlling when update operations can be run on your nodes.
The main use cases for Maintenance Windows are as follows:
-
Running multiple documents: Maintenance windows can run multiple tasks. Each task can use a different document type. As a result, you can build complex workflows using different tasks within a single maintenance window.
-
Patching: A maintenance window can provide patching support for all managed nodes in a single Region that are tagged with a specific tag or resource group. Because patching usually involves bringing down nodes (for example, removing nodes from a load balancer), patching, and post processing (putting nodes back into production), patching can be achieved as a series of tasks within a given patch time window.
Note
Using a maintenance window, your patching operation is limited to a single Region in a single account. Using a patch policy created in Quick Setup, a capability of Systems Manager, you can instead configure patching for some or all accounts and Regions in an organization created in Amazon Organizations. For more information, see Using Quick Setup patch policies.
-
Window actions: Maintenance windows can make one or more sets of actions start within a specific time window. Maintenance windows won't start outside of that window. Actions already started continue until finished, even if they finish outside of the time window.
The following table compares the main features of State Manager and Maintenance Windows.
| Feature | State Manager | Maintenance Windows |
|---|---|---|
|
Amazon CloudFormation integration |
Amazon CloudFormation templates support State Manager associations. |
Amazon CloudFormation templates support maintenance windows, window targets, and window tasks. |
|
Compliance |
Every State Manager association reports compliance with respect to the required state of the targeted resource. You can use the Compliance Dashboard to aggregate and view the reported compliance. |
Not applicable. |
|
Configuration Management integration |
State Manager supports external targeted state solutions such as Microsoft PowerShell Desired State Configuration (DSC), Ansible playbooks, and Chef recipes. You can use State Manager associations to test that the Configuration Management solutions work and to apply their configuration changes to your nodes when you're ready. |
Not applicable. |
|
Documents |
State Manager configurations can be defined as Policy documents (for gathering inventory information), Automation runbooks, for Amazon resources such as Amazon Simple Storage Service (Amazon S3) buckets, or Systems Manager Command documents (SSM documents) for managed nodes. |
Maintenance Windows configurations can be defined as automation documents (multi-step actions with optional approval workflows) or SSM documents (required state for managed nodes). |
| Monitoring |
State Manager monitors changes in the configuration, association, or state of a node (for example, new nodes coming online). When State Manager detects these changes, the given association is re-applied to the nodes originally targeted with that association. |
Not applicable. |
|
Priorities within tasks |
Not applicable. |
Tasks within a maintenance window can be assigned a priority. All tasks with the same priority are run in parallel. Tasks with lower priorities are run after tasks with higher priorities reach a final state. There is no way to conditionally run tasks. After a higher priority task reaches its final state, the next priority task runs, regardless of the state of the previous task. |
|
Safety controls |
State Manager supports two safety controls when deploying configurations across a large fleet. You can use maximum concurrency to define how many concurrent nodes or resources should have the configuration applied. You can define a maximum error rate which can be used to pause the State Manager association if a certain number or percentage of errors occur across the fleet. |
Maintenance windows support two safety controls when deploying configurations across a large fleet. You can use maximum concurrency to define how many concurrent nodes or resources should have the configuration applied. You can define a maximum error rate which can be used to pause the actions in a maintenance window if a certain number or percentage of errors occur across the fleet. |
| Scheduling |
You can run State Manager associations on demand, at a particular cron interval, at a given rate, or after they're created. This is useful if you want to maintain the required state of your resources in a consistent and timely manner. ImportantCron expressions for State Manager associations do not support the
months field, such as |
Maintenance windows support several scheduling options including
|
|
Targeting |
State Manager associations can target one or more nodes by using node ID, tag, or resource group. State Manager can target all managed nodes within a given account. |
Maintenance windows can target one or more nodes using node IDs, tags, or resource groups. |
|
Tasks within maintenance windows |
Not applicable. |
Maintenance windows can support one or more tasks where each task targets a specific Automation runbook or Command document action. All tasks within a maintenance window run in parallel unless different priorities are set for different tasks. Overall, maintenance windows support four task types:
|