Maintenance Window

The Impact of Operations as Code

In a traditional environment, you would have had to set up the systems and software to perform these activities. You would require a server to execute your scripts. You would need to manage authentication credentials across all of your systems.

Operations as code reduces the resources, time, risk, and complexity of performing operations tasks and ensures consistent execution. You can take operations as code and automate operations activities by using scheduling and event triggers. Through integration at the infrastructure level you avoid “swivel chair” processes that require multiple interfaces and systems to complete a single operations activity.

AWS Systems Manager: Maintenance Windows

AWS Systems Manager Maintenance Windows let you define a schedule for when to perform potentially disruptive actions on your instances such as patching an operating system (OS), updating drivers, or installing software. Each Maintenance Window has a schedule, a duration, a set of registered targets, and a set of registered tasks. With Maintenance Windows, you can perform tasks like the following:

  • Installing applications, updating patches, installing or updating SSM Agent, or executing PowerShell commands and Linux shell scripts by using a Systems Manager Run Command task
  • Building Amazon Machine Images (AMIs), boot-strapping software, and configuring instances by using Systems Manager Automation
  • Executing AWS Lambda functions that trigger additional actions such as scanning your instances for patch updates
  • Running AWS Step Function state machines to perform tasks such as removing an instance from an Elastic Load Balancing environment, patching the instance, and then adding the instance back to the Elastic Load Balancing environment

Note
To register Step Function tasks you must use the AWS CLI.

5.1 Setting up Maintenance Windows

Controlling Access to Maintenance Windows

To run maintenance tasks on your target instances, the Maintenance Windows service must have permission to access and run tasks on your instances. You can provide this permission by specifying either the Systems Manager service-linked role or a custom service role as part of a task configuration.

The type of role you should choose depends on the following factors:

Custom service role: Use a custom service role for maintenance window tasks in these cases:

  • If you want to use a more restrictive set of permissions than those provided by the service-linked role. The service-linked role supports very limited resource-level constraints. For example, say you want to allow maintenance window tasks to run on a limited set of instances, or you want to allow only certain SSM documents run on your target instances. In these cases, you specify stricter permissions in a custom service role.

  • If you need a more permissive or expanded set of permissions than those provided by the service-linked role. Some actions in Automation documents require expanded permissions.

  • For example, some Automation actions work with AWS CloudFormation stacks. Therefore, the permissions cloudformation:CreateStack, cloudformation:DescribeStack, and cloudformation:DeleteStack are required.

  • Another example: the Automation document AWS-CopySnapshot requires permission to create an Amazon Elastic Block Store (Amazon EBS) snapshot, and so the service role needs the permission ec2:CreateSnapshot. This permission isn’t included in the service-linked role for Systems Manager.

  • For information about the role permissions needed by Automation documents, see the document descriptions in Systems Manager Automation document details reference.

Systems Manager service-linked role: We recommend that you use a Systems Manager service-linked role in all other cases.

For more information about the Systems Manager service-linked role, see Using service-linked roles for Systems Manager.

For the purpose of this workshop, we will use the Systems Manager service-linked role as it provides the permissions required to scan and patch our managed instances.

Creating Maintenance Windows

To create a Maintenance Window, you must do the following:

  1. Create the window and define its schedule and duration.
  2. Assign targets for the window.
  3. Assign tasks to run during the window.

After you complete these steps, the Maintenance Window runs according to the schedule you defined and runs the tasks on the targets you specified. After a task is finished, Systems Manager logs the details of the execution.

5.2 Create a Patch Maintenance Window

First, you must create the window and define its schedule and duration:

  1. Open the AWS Systems Manager console.
  2. In the navigation pane, under Actions & Change choose Maintenance Windows and then choose Create maintenance window.
  3. In the Provide maintenance window details section:
    1. In the Name field, type a descriptive name to help you identify this Maintenance Window, such as PatchProdWorkloadWebServers.
    2. (Optional) you may enter a description in the Description field.
    3. Choose Allow unregistered targets if you want to allow a Maintenance Window task to run on managed instances, even if you have not registered those instances as targets. Note If you choose Allow unregistered targets, then you can choose the unregistered instances (by instance ID) when you register a task with the Maintenance Window. If you don’t, then you must choose previously registered targets when you register a task with the Maintenance Window.
    4. Specify a schedule for the Maintenance Window by using one of the scheduling options:
      1. Under Specify with, accept the default Cron schedule builder.
      2. Under Window starts, choose the third option, specify Every Day at, and select a time, such as 02:00.
      3. In the Duration field, type the number of hours the Maintenance Window should run, such as ‘3’ hours.
      4. In the Stop initiating tasks field, type the number of hours before the end of the Maintenance Window that the system should stop scheduling new tasks to run, such as 1 hour before the window closes. Allow enough time for initiate activities to complete before the close of the maintenance window.
  4. (Optionally) to have the maintenance window execute more rapidly while engaged with the lab:
    1. Under Window starts, choose Every 30 minutes to have the tasks execute on every hour and every half hour.
    2. Set the Duration to the minimum 1 hours.
    3. Set the Stop initiation tasks to the minimum 0 hours.
  5. Choose Create maintenance window. The system returns you to the Maintenance Window page. The state of the Maintenance Window you just created is Enabled.

5.3 Assigning Targets to Your Patch Maintenance Window

After you create a Maintenance Window, you assign targets where the tasks will run.

  1. On the Maintenance windows page, choose the Window ID of your maintenance window to enter its Details page.
  2. Choose Actions in the top right of the window and select Register targets.
  3. On the Register target page under Maintenance window target details:
    1. In the Target Name field, enter a name for the targets, such as ProdWebServers.
    2. (Optional) Enter a description in the Description field.
    3. (Optional) Specify a name or work alias in the Owner information field. Note: Owner information is included in any CloudWatch Events that are raised while running tasks for these targets in this Maintenance Window.
  4. In the Targets section, under Target selection:
    1. Choose the default Specify instance tags to target instances by using resource tags that were previously assigned to the instances.
    2. Under Tags, enter Workload as the key and Prod as the value, and choose Add.
    3. Add a second key/value pair using InstanceRole as the key and WebServer as the value, and choose Add.
  5. Choose Register target at the bottom of the page to return to the maintenance window details page.

If you want to assign more targets to this window, choose the Targets tab, and then choose Register targetto register new targets. With this option, you can choose a different means of targeting. For example, if you previously targeted instances by instance ID, you can register new targets and target instances by specifying Amazon EC2 tags or Systems Manager managed instance resource tags.

5.4 Assigning Tasks to Your Patch Maintenance Window

After you assign targets, you assign tasks to perform during the window:

  1. From the details page of your maintenance window, choose Actions in the top right of the window and select Register Run command task.
  2. On the Register Run command task page:
    1. In the Name field, enter a name for the task, such as PatchProdWorkloadWebServers.
    2. (Optional) Enter a description in the Description field.
  3. In the Command document section:
    1. Choose the search icon, select Platform, and then choose Linux to display all the available commands that can be applied to Linux instances.
    2. Choose AWS-RunPatchBaseline in the list.
    3. Leave the Task priority at the default value of 1 (1 is the highest priority).
    4. Tasks in a Maintenance Window are scheduled in priority order, with tasks that have the same priority scheduled in parallel.
  4. In the Targets section:
    1. For Target by, select Selecting registered target groups.
    2. Select the group you created from the list.
  5. In the Rate control section:
    1. For Concurrency, leave the default targets selected and specify 1.
    2. For Error threshold, leave the default errors selected and specify 1.
  6. In the Role section, leave the default selection of Use the service-linked role for Systems Manager.
  7. In Output options, leave Enable writing to S3 and CloudWatch output clear.
  8. In SNS notifications, leave Enable SNS notifications clear.
  9. In the Parameters section, under Operation, select Install.
  10. Choose Register Run command task to complete the task definition and return to the details page.

5.5 Review Maintenance Window Execution

  1. After allowing enough time for your maintenance window to complete:
    1. Navigate to the AWS Systems Manager console.
    2. Choose Maintenance Windows, and then select the Window ID for your new maintenance window.
  2. On the Maintenance window ID details page, choose History.
  3. Select a Windows execution ID and choose View details.
  4. On the Command ID details page, scroll down to the Targets and outputs section, select an Instance ID, and choose View output.
  5. Choose Step 1 - Output and review the output.
  6. Choose Step 2 - Output and review the output.

You have now configured a maintenance window, assigned targets, assigned tasks, and validated successful execution. The same procedures can be used to schedule the execution of any AWS Systems Manager Document.

End of Inventory and Patch Management Exercises

Thank you for using this lab.