State Manager


Automating Patch and State Operations with AWS Systems Manager
Manage Instances using the AWS Systems Manager Run Command, Documents, & Parameter Store


This course covers the core learning objective to meet the requirements of the 'Architecting for Management & Governance in AWS - Level 3' skill

Learning Objectives:


  • Analyze how to design a multi-account AWS environment for complex organizations
  • Analyze an effective patch management strategy for your AWS resources
  • Analyze the most effective and appropriate logging and monitoring strategy for multiple resources
  • Evaluate an appropriate AWS offering(s) to enable configuration management automation

State Manager is the secure, scalable configuration management feature of AWS Systems Manager. It lets you control how configurations are applied to your managed instances: firewall settings, ports that must be closed, services that should be disabled because they are unused, and so on. State Manager can enforce enterprise-wide compliance by continuously reapplying a desired state to your managed instances.

You define State Manager configurations using Systems Manager documents (SSM documents). Several predefined documents cover common use cases, so you can ensure a desired state is continuously applied without writing your own. You can configure network settings or bootstrap instances with software modules at startup. State Manager maintains configuration consistency by reapplying the configuration state, and it lets you view the configuration history. To use State Manager you create an association.

The State Manager association is a configuration that is assigned to your managed instances. The configuration defines the state that you want to maintain on those instances.

An association has three parts. First, a document that defines the desired state, that is, what needs to get done, including any optional runtime parameters. Second, the target managed instances to which the desired state is applied. And finally, a schedule that defines when the change takes place. The configuration itself can be expressed as shell scripts, Ruby, or Python.

You can also use your existing configuration management tools, such as Ansible, Salt, or PowerShell, with State Manager. State Manager quickly identifies compliant and noncompliant machines and repairs the noncompliant ones, across multiple accounts if needed. For example, an association for a software component might run once a day: if the software is not installed, State Manager installs it; if the software is installed but its service is not running, State Manager starts the service.
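The three parts of an association (document, targets, schedule) and the daily "install if absent, start if stopped" check described above, as an added example that is not part of the course material or of any AWS-provided document. It builds a schemaVersion 2.2 Command document whose shell step is idempotent, so reapplying it every cycle is safe, and assembles the keyword arguments for boto3's `ssm.create_association()`, checking the schedule expression first. The document name `Custom-EnsureWebService`, the `tag:Role=web` target, the bucket name and the package/service names are constructed placeholders, not real resources; nothing here calls AWS.

```python
import json
import re

# Constructed script for the document's aws:runShellScript step. Placeholders
# such as {{ PackageName }} are substituted by Systems Manager at run time.
# Each step checks current state before acting, so the association can run
# every cycle without side effects on hosts that are already compliant.
ENSURE_PACKAGE_AND_SERVICE = [
    "#!/bin/bash",
    "set -euo pipefail",
    "pkg='{{ PackageName }}'",
    "svc='{{ ServiceName }}'",
    "# install only if absent (rpm- or dpkg-based hosts)",
    "if ! rpm -q \"$pkg\" >/dev/null 2>&1 && ! dpkg -s \"$pkg\" >/dev/null 2>&1; then",
    "  if command -v yum >/dev/null 2>&1; then yum install -y \"$pkg\"; else apt-get install -y \"$pkg\"; fi",
    "fi",
    "# start only if installed but not running",
    "if ! systemctl is-active --quiet \"$svc\"; then",
    "  systemctl enable --now \"$svc\"",
    "fi",
]


def build_command_document(description="Keep a package installed and its service running"):
    """Return a schemaVersion 2.2 Command document as a dict (json.dumps it to register it)."""
    return {
        "schemaVersion": "2.2",
        "description": description,
        "parameters": {
            "PackageName": {"type": "String", "description": "Package to keep installed", "default": "nginx"},
            "ServiceName": {"type": "String", "description": "systemd unit to keep running", "default": "nginx"},
        },
        "mainSteps": [
            {
                "action": "aws:runShellScript",
                "name": "ensurePackageAndService",
                "precondition": {"StringEquals": ["platformType", "Linux"]},
                "inputs": {"timeoutSeconds": "300", "runCommand": ENSURE_PACKAGE_AND_SERVICE},
            }
        ],
    }


_RATE = re.compile(r"^rate\((\d+) (minutes?|hours?|days?)\)$")
_CRON = re.compile(r"^cron\(([^()]+)\)$")
_MINUTES_PER = {"minute": 1, "hour": 60, "day": 1440}


def validate_schedule(expr):
    """Accept State Manager rate()/cron() schedule expressions, reject anything else."""
    m = _RATE.match(expr)
    if m:
        total = int(m.group(1)) * _MINUTES_PER[m.group(2).rstrip("s")]
        if total < 30:
            # State Manager rejects rate expressions shorter than 30 minutes.
            raise ValueError(f"{expr}: State Manager rate expressions must be >= 30 minutes")
        return True
    m = _CRON.match(expr)
    if m:
        # Six-field form (minutes hours day-of-month month day-of-week year),
        # the form shown in the Systems Manager documentation for associations.
        if len(m.group(1).split()) != 6:
            raise ValueError(f"{expr}: expected six cron fields")
        return True
    raise ValueError(f"{expr}: not a rate() or cron() expression")


def build_association_request(document_name, targets, schedule, parameters=None,
                              output_bucket=None, association_name=None):
    """Assemble document, targets and schedule into kwargs for ssm.create_association()."""
    if not document_name:
        raise ValueError("an association needs a document")
    if not targets or any(not t.get("Key") or not t.get("Values") for t in targets):
        raise ValueError("each target needs a Key and a non-empty Values list")
    validate_schedule(schedule)
    request = {
        "Name": document_name,
        "Targets": targets,
        "ScheduleExpression": schedule,
        # Drift on a target shows up in the Systems Manager compliance view at this severity.
        "ComplianceSeverity": "HIGH",
    }
    if association_name:
        request["AssociationName"] = association_name
    if parameters:
        # The API takes a list of strings for every parameter value.
        request["Parameters"] = {k: ([v] if isinstance(v, str) else list(v)) for k, v in parameters.items()}
    if output_bucket:
        # Persist command output to S3; CloudWatch Logs is the other supported destination.
        request["OutputLocation"] = {"S3Location": {"OutputS3BucketName": output_bucket,
                                                     "OutputS3KeyPrefix": "state-manager/"}}
    return request


if __name__ == "__main__":
    # Constructed placeholders: document name, tag and bucket are not real resources.
    print(json.dumps(build_command_document(), indent=2))
    req = build_association_request(
        "Custom-EnsureWebService",
        targets=[{"Key": "tag:Role", "Values": ["web"]}],
        schedule="rate(1 day)",
        parameters={"PackageName": "nginx", "ServiceName": "nginx"},
        output_bucket="example-ssm-output",
        association_name="ensure-nginx-daily",
    )
    print(json.dumps(req, indent=2))
    # With credentials configured: boto3.client("ssm").create_association(**req)
```

Register the document with `ssm.create_document(Content=json.dumps(build_command_document()), Name=..., DocumentType="Command")` before creating the association; the `Parameters` in the request override the document defaults per association, which is how one document serves several package/service pairs.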

State Manager is supported as both an event type and a target type in Amazon EventBridge rules, so you can build event-driven architectures around it. Finally, every API call State Manager handles is automatically recorded in AWS CloudTrail, and the output of commands can be sent to CloudWatch Logs or Amazon S3. Native integration with AWS Identity and Access Management (IAM) lets you define who has access to State Manager and who can run configuration tasks.

About the Author
Jorge Negrón
AWS Content Architect
Learning Paths

Experienced in the architecture and delivery of cloud-based solutions, the development and delivery of technical training, defining requirements and use cases, and validating architectures for results. Excellent leadership, communication, and presentation skills with attention to detail. Hands-on administration and development experience, with the ability to mentor and train on current and emerging technologies (cloud, ML, IoT, microservices, big data and analytics).