How to Set Up AWS Systems Manager Maintenance Windows

by Hannah Grace Holladay / August 22nd, 2022

Information security regulations and standards often require businesses to perform regular maintenance tasks to ensure compliance. For example, PCI DSS Requirement 6 says merchants must deploy critical patches within a month of release. Failure to complete these tasks on time risks non-compliance. 

Unfortunately, many security-related tasks are disruptive—updating a server operating system can take the server offline. Therefore, businesses prefer to carry out patching and other potentially disruptive activities during scheduled maintenance windows. These typically occur during low traffic periods or when redundant infrastructure is available.

AWS System Manager Maintenance Windows is a cloud service that helps businesses manage and automate maintenance windows. In this article, we’ll explore what AWS Systems Manager Maintenance Windows is and how you can use it to automate compliance tasks. 

What is AWS Systems Manager Maintenance Windows?

AWS Systems Manager Maintenance Windows is a capability of AWS Systems Manager, a cloud service that allows IT administrators to automate repetitive operations and management tasks.  We discussed Systems Manager in-depth in How to Get Started Using AWS Systems Manager, so in this article, we’ll focus exclusively on its Maintenance Windows capability. 

The Maintenance Windows service can schedule actions to be carried out at a specified time on a subset of your AWS infrastructure. It can automate actions on AWS services that include S3, EC2 nodes, Amazon DynoDB, and other services that can be used with AWS Resource Groups and Tag Editor.

Each maintenance window consists of:

• A schedule that determines when to carry out tasks.
• A maximum duration to limit the length of each maintenance window. 
• Registered targets:  the cloud resources that actions will impact. 
• Registered tasks: the actions the system will take within the scheduled period.

What Actions Does Maintenance Windows Support?

Maintenance Windows supports various task types that are part of other Systems Manager capabilities. These include:

• Run Command for executing configuration commands and tasks on managed instances, including EC2 nodes and on-premises servers and VMs.
• Workflows from AWS Systems Manager’s Automation capability. 
• Serverless AWS Lambda functions.
• AWS Step Function tasks. 

Together, these task types can schedule and automate a wide range of compliance activities, including application updating, OS patching, executing shell scripts, launching serverless functions that carry out further compliance tasks, altering node configurations, and much more. 

Setting Up an AWS Maintenance Window

AWS Maintenance Windows is a powerful automation tool with many different options. We can’t cover all of its features here, but to give you an idea of what’s involved in creating a maintenance window, let’s walk through a simple maintenance window set up that updates the SSM Agent installed on an EC2 instance.  

Assuming We assume you have already configured Systems Manager to work with your EC2 instance, as described in the Systems Manager documentation, the set up process would be as follows:. 

1. Navigate to AWS Systems Manager and select Maintenance Windows from the sidebar menu.
2. Click “Create Maintenance Window.” Provide a name and set up a schedule.  Maintenance Window provides an intuitive graphical schedule builder, but you can also use rate expressions and the crontab format. 
3. Once the maintenance window is scheduled, select it from the list. You’ll be presented with a tabbed interface where you can register tasks and designate targets. 
4. On the Tasks tab, select Register tasks and choose Register Run Command task from the dropdown menu. 
5. Select AWS-UpdateSSMAgent from the Command Document section and choose your instance in the Targets section. 
6. Click Register Run Command at the bottom of the page.

As you can see, setting up scheduled automations to take care of repetitive compliance tasks is straightforward. We’ve only scratched the surface of what you can do with Maintenance Windows, so be sure to check out the Guidebook for more information. 

State Manager vs. Maintenance Windows

AWS Systems Manager also has a capability called State Manager. There is some cross-over in the functionality of State Manager and Maintenance Windows. Both can be used to automate some tasks. However, State Manager may be a better choice for compliance tasks where the goal is to maintain managed node configurations in a consistent state and for compliance reporting. Before choosing a compliance automation service, read Choosing between State Manager and Maintenance Windows. 

Learn About AWS Compliance with KirkpatrickPrice

To learn more about AWS compliance, visit our cloud security and compliance resources, which provide expert guidance for cloud audits, regulatory compliance, and information security, or connect with an expert today..