• The AWS Systems Manager CloudWatch Dashboard will no longer be available after April 30, 2026. Customers can continue to use Amazon CloudWatch console to view, create, and manage their Amazon CloudWatch dashboards, just as they do today. For more information, see [Amazon CloudWatch Dashboard documentation](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Dashboards.html). # Create and manage maintenance windows using the console This section describes how to create, configure, update, and delete maintenance windows using the AWS Systems Manager console. This section also provides information about managing the targets and tasks of a maintenance window. **Important** We recommend that you initially create and configure maintenance windows in a test environment. **Before you begin** Before you create a maintenance window, you must configure access to Maintenance Windows, a tool in AWS Systems Manager. For more information, see [Setting up Maintenance Windows](setting-up-maintenance-windows.md). **Topics** + [ # Create a maintenance window using the console ](sysman-maintenance-create-mw.md) + [ # Assign targets to a maintenance window using the console ](sysman-maintenance-assign-targets.md) + [ # Assign tasks to a maintenance window using the console ](sysman-maintenance-assign-tasks.md) + [ # Disable or enable a maintenance window using the console ](sysman-maintenance-disable.md) + [ # Update or delete maintenance window resources using the console ](sysman-maintenance-update.md) # Create a maintenance window using the console Create a maintenance window In this procedure, you create a maintenance window in Maintenance Windows, a tool in AWS Systems Manager. You can specify its basic options, such as name, schedule, and duration. In later steps, you choose the targets, or resources, that it updates and the tasks that run when the maintenance window runs. **Note** For an explanation of how the various schedule-related options for maintenance windows relate to one another, see [Maintenance window scheduling and active period options](maintenance-windows-schedule-options.md). For more information about working with the `--schedule` option, see [Reference: Cron and rate expressions for Systems Manager](reference-cron-and-rate-expressions.md). **To create a maintenance window using the console** 1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/). 1. In the navigation pane, choose **Maintenance Windows**. 1. Choose **Create maintenance window**. 1. For **Name**, enter a descriptive name to help you identify this maintenance window. 1. (Optional) For **Description**, enter a description to identify how this maintenance window will be used. 1. (Optional) If you want to allow a maintenance window task to run on managed nodes, even if you haven't registered those nodes as targets, choose **Allow unregistered targets**. If you choose this option, then you can choose the unregistered nodes (by node ID) when you register a task with the maintenance window. If you don't choose this option, then you must choose previously registered targets when you register a task with the maintenance window. 1. Specify a schedule for the maintenance window by using one of the three scheduling options. For information about building cron/rate expressions, see [Reference: Cron and rate expressions for Systems Manager](reference-cron-and-rate-expressions.md). 1. For **Duration**, enter the number of hours the maintenance window will run. The value you specify determines the specific end time for the maintenance window based on the time it begins. No maintenance window tasks are permitted to start after the resulting endtime minus the number of hours you specify for **Stop initiating tasks** in the next step. For example, if the maintenance window starts at 3 PM, the duration is three hours, and the **Stop initiating tasks** value is one hour, no maintenance window tasks can start after 5 PM. 1. For **Stop initiating tasks**, enter the number of hours before the end of the maintenance window that the system should stop scheduling new tasks to run. 1. (Optional) For **Window start date**, specify a date and time, in ISO-8601 Extended format, for when you want the maintenance window to become active. This allows you to delay activation of the maintenance window until the specified future date. **Note** You can't specify a start date and time that occurs in the past. 1. (Optional) For **Window end date**, specify a date and time, in ISO-8601 Extended format, for when you want the maintenance window to become inactive. This allows you to set a date and time in the future after which the maintenance window no longer runs. 1. (Optional) For **Schedule timezone**, specify the time zone to use as the basis for when scheduled maintenance windows run, in Internet Assigned Numbers Authority (IANA) format. For example: "America/Los\$1Angeles", "etc/UTC", or "Asia/Seoul". For more information about valid formats, see the [Time Zone Database](https://www.iana.org/time-zones) on the IANA website. 1. (Optional) For **Schedule offset**, enter the number of days to wait after the date and time specified by a cron or rate expression before running the maintenance window. You can specify between one and six days. **Note** This option is available only if you specified a schedule by entering a cron or rate expression manually. 1. (Optional) In the **Manage tags** area, apply one or more tag key name/value pairs to the maintenance window. Tags are optional metadata that you assign to a resource. Tags allow you to categorize a resource in different ways, such as by purpose, owner, or environment. For example, you might want to tag a maintenance window to identify the type of tasks it runs, the types of targets, and the environment it runs in. In this case, you could specify the following key name/value pairs: + `Key=TaskType,Value=AgentUpdate` + `Key=OS,Value=Windows` + `Key=Environment,Value=Production` 1. Choose **Create maintenance window**. The system returns you to the maintenance window page. The state of the maintenance window you just created is **Enabled**. # Assign targets to a maintenance window using the console Assign targets to a maintenance window In this procedure, you register a target with a maintenance window. In other words, you specify which resources the maintenance window performs actions on. **Note** If a single maintenance window task is registered with multiple targets, its task invocations occur sequentially and not in parallel. If your task must run on multiple targets at the same time, register a task for each target individually and assign each task the same priority level. **To assign targets to a maintenance window using the console** 1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/). 1. In the navigation pane, choose **Maintenance Windows**. 1. In the list of maintenance windows, choose the maintenance window to add targets to. 1. Choose **Actions**, and then choose **Register targets**. 1. (Optional) For **Target name**, enter a name for the targets. 1. (Optional) For **Description**, enter a description. 1. (Optional) For **Owner information**, specify information to include in any Amazon EventBridge event raised while running tasks for these targets in this maintenance window. For information about using EventBridge to monitor Systems Manager events, see [Monitoring Systems Manager events with Amazon EventBridge](monitoring-eventbridge-events.md). 1. In the **Targets** area, choose one of the options described in the following table. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-maintenance-assign-targets.html) 1. Choose **Register target**. If you want to assign more targets to this maintenance window, choose the **Targets** tab, and then choose **Register target**. With this option, you can choose a different means of targeting. For example, if you previously targeted nodes by node ID, you can register new targets and target nodes by specifying tags applied to managed nodes or choosing resource types from a resource group. # Assign tasks to a maintenance window using the console Assign tasks to a maintenance window In this procedure, you add a task to a maintenance window. Tasks are the actions performed when a maintenance window runs. The following four types of tasks can be added to a maintenance window: + AWS Systems Manager Run Command commands + Systems Manager Automation workflows + AWS Step Functions tasks + AWS Lambda functions **Important** The IAM policy for Maintenance Windows requires that you add the prefix `SSM` to Lambda function (or alias) names. Before you proceed to register this type of task, update its name in AWS Lambda to include `SSM`. For example, if your Lambda function name is `MyLambdaFunction`, change it to `SSMMyLambdaFunction`. **To assign tasks to a maintenance window** 1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/). 1. In the navigation pane, choose **Maintenance Windows**. 1. In the list of maintenance windows, choose a maintenance window. 1. Choose **Actions**, and then choose the option for the type of task you want to register with the maintenance window. + **Register Run command task** + **Register Automation task** + **Register Lambda task** + **Register Step Functions task** **Note** Maintenance window tasks support Step Functions Standard state machine workflows only. They don't support Express state machine workflows. For information about state machine workflow types, see [Standard vs. Express Workflows](https://docs.aws.amazon.com/step-functions/latest/dg/concepts-standard-vs-express.html) in the *AWS Step Functions Developer Guide*. 1. (Optional) For **Name**, enter a name for the task. 1. (Optional) For **Description**, enter a description. 1. For **New task invocation cutoff**, if you don't want any new task invocations to start after the maintenance window cutoff time is reached, choose **Enabled**. When this option is *not* enabled, the task continues running when the cutoff time is reached and starts new task invocations until completion. **Note** The status for tasks that are not completed when you enable this option is `TIMED_OUT`. 1. For this step, choose the tab for your selected task type. ------ #### [ Run Command ] 1. In the **Command document** list, choose the Systems Manager Command document (SSM document) that defines the tasks to run. 1. For **Document version**, choose the document version to use. 1. For **Task priority**, specify a priority for this task. Zero (`0`) is the highest priority. Tasks in a maintenance window are scheduled in priority order with tasks that have the same priority scheduled in parallel. ------ #### [ Automation ] 1. In the **Automation document** list, choose the Automation runbook that defines the tasks to run. 1. For **Document version**, choose the runbook version to use. 1. For **Task priority**, specify a priority for this task. Zero (`0`) is the highest priority. Tasks in a maintenance window are scheduled in priority order with tasks that have the same priority scheduled in parallel. ------ #### [ Lambda ] 1. In the **Lambda parameters** area, choose a Lambda function from the list. 1. (Optional) Provide any content for **Payload**, **Client Context**, or **Qualifier** that you want to include. **Note** In some cases, you can use a *pseudo parameter* as part of your `Payload` value. Then when the maintenance window task runs, it passes the correct values instead of the pseudo parameter placeholders. For information, see [Using pseudo parameters when registering maintenance window tasks](maintenance-window-tasks-pseudo-parameters.md). 1. For **Task priority**, specify a priority for this task. Zero (`0`) is the highest priority. Tasks in a maintenance window are scheduled in priority order with tasks that have the same priority scheduled in parallel. ------ #### [ Step Functions ] 1. In the **Step Functions parameters** area, choose a state machine from the list. 1. (Optional) Provide a name for the state machine execution and any content for **Input** that you want to include. **Note** In some cases, you can use a *pseudo parameter* as part of your `Input` value. Then when the maintenance window task runs, it passes the correct values instead of the pseudo parameter placeholders. For information, see [Using pseudo parameters when registering maintenance window tasks](maintenance-window-tasks-pseudo-parameters.md). 1. For **Task priority**, specify a priority for this task. Zero (`0`) is the highest priority. Tasks in a maintenance window are scheduled in priority order with tasks that have the same priority scheduled in parallel. ------ 1. In the **Targets** area, choose one of the following: + **Selecting registered target groups**: Select one or more maintenance window targets you have registered with the current maintenance window. + **Selecting unregistered targets**: Choose available resources one by one as targets for the task. If a managed node you expect to see isn't listed, see [Troubleshooting managed node availability](fleet-manager-troubleshooting-managed-nodes.md) for troubleshooting tips. + **Task target not required**: Targets for the task might already be specified in other functions for all but Run Command-type tasks. Specify one or more targets for maintenance window Run Command-type tasks. Depending on the task, targets are optional for other maintenance window task types (Automation, AWS Lambda, and AWS Step Functions). For more information about running tasks that don't specify targets, see [Registering maintenance window tasks without targets](maintenance-windows-targetless-tasks.md). **Note** In many cases, you don't need to explicitly specify a target for an automation task. For example, say that you're creating an Automation-type task to update an Amazon Machine Image (AMI) for Linux using the `AWS-UpdateLinuxAmi` runbook. When the task runs, the AMI is updated with the latest available Linux distribution packages and Amazon software. New instances created from the AMI already have these updates installed. Because the ID of the AMI to be updated is specified in the input parameters for the runbook, there is no need to specify a target again in the maintenance window task. 1. *Automation tasks only:* In the **Input parameters** area, provide values for any required or optional parameters needed to run your task. **Note** In some cases, you can use a *pseudo parameter* for certain input parameter values. Then when the maintenance window task runs, it passes the correct values instead of the pseudo parameter placeholders. For information, see [Using pseudo parameters when registering maintenance window tasks](maintenance-window-tasks-pseudo-parameters.md). 1. For **Rate control**: + For **Concurrency**, specify either a number or a percentage of managed nodes on which to run the command at the same time. **Note** If you selected targets by specifying tags applied to managed nodes or by specifying AWS resource groups, and you aren't certain how many managed nodes are targeted, then restrict the number of targets that can run the document at the same time by specifying a percentage. + For **Error threshold**, specify when to stop running the command on other managed nodes after it fails on either a number or a percentage of nodes. For example, if you specify three errors, then Systems Manager stops sending the command when the fourth error is received. Managed nodes still processing the command might also send errors. 1. (Optional) For **IAM service role**, choose a role to provide permissions for Systems Manager to assume when running a maintenance window task. If you don't specify a service role ARN, Systems Manager uses a service-linked role in your account. This role is not listed in the drop-down menu. If no appropriate service-linked role for Systems Manager exists in your account, it's created when the task is registered successfully. **Note** For an improved security posture, we strongly recommend creating a custom policy and custom service role for running your maintenance window tasks. The policy can be crafted to provide only the permissions needed for your particular maintenance window tasks. For more information, see [Setting up Maintenance Windows](setting-up-maintenance-windows.md). 1. *Run Command tasks only:* (Optional) For **Output options**, do the following: + Select the **Enable writing to S3** check box to save the command output to a file. Enter the bucket and prefix (folder) names in the boxes. + Select the **CloudWatch output** check box to write complete output to Amazon CloudWatch Logs. Enter the name of a CloudWatch Logs log group. **Note** The permissions that grant the ability to write data to an S3 bucket or CloudWatch Logs are those of the instance profile assigned to the node, not those of the IAM user performing this task. For more information, see [Configure instance permissions required for Systems Manager](setup-instance-permissions.md). In addition, if the specified S3 bucket or log group is in a different AWS account, verify that the instance profile associated with the node has the necessary permissions to write to that bucket. 1. *Run Command tasks only:* In the **SNS notifications** section, if you want notifications sent about the status of the command execution, select the **Enable SNS notifications** check box. For more information about configuring Amazon SNS notifications for Run Command, see [Monitoring Systems Manager status changes using Amazon SNS notifications](monitoring-sns-notifications.md). 1. *Run Command tasks only:* In the **Parameters** area, specify parameters for the document. **Note** In some cases, you can use a *pseudo parameter* for certain input parameter values. Then when the maintenance window task runs, it passes the correct values instead of the pseudo parameter placeholders. For information, see [Using pseudo parameters when registering maintenance window tasks](maintenance-window-tasks-pseudo-parameters.md). 1. * Run Command and Automation tasks only:* (Optional) In the **CloudWatch alarm** area, for **Alarm name**, choose an existing CloudWatch alarm to apply to your task for monitoring. If the alarm activates, the task is stopped. **Note** To attach a CloudWatch alarm to your task, the IAM principal that runs the task must have permission for the `iam:createServiceLinkedRole` action. For more information about CloudWatch alarms, see [Using Amazon CloudWatch alarms](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html). 1. Depending on your task type, choose one of the following: + **Register Run command task** + **Register Automation task** + **Register Lambda task** + **Register Step Functions task** # Disable or enable a maintenance window using the console Disable or enable a maintenance window You can disable or enable a maintenance window in Maintenance Windows, a tool in AWS Systems Manager. You can choose one maintenance window at a time to either disable or enable the maintenance window from running. You can also select multiple or all maintenance windows to enable and disable. This section describes how to disable or enable a maintenance window by using the Systems Manager console. For examples of how to do this by using the AWS Command Line Interface (AWS CLI), see [Tutorial: Update a maintenance window using the AWS CLI](maintenance-windows-cli-tutorials-update.md). **Topics** + [ ## Disable a maintenance window using the console ](#sysman-maintenance-disable-mw) + [ ## Enable a maintenance window using the console ](#sysman-maintenance-enable-mw) ## Disable a maintenance window using the console You can disable a maintenance window to pause a task for a specified period, and it will remain available to enable again later. **To disable a maintenance window** 1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/). 1. In the navigation pane, choose **Maintenance Windows**. 1. Using the check box next to the maintenance window that you want to disable, select one or more maintenance windows. 1. Choose **Disable maintenance window** in the **Actions** menu. The system prompts you to confirm your actions. ## Enable a maintenance window using the console You can enable a maintenance window to resume a task. **Note** If the maintenance window uses a rate schedule and the start date is currently set to a past date and time, the current date and time is used as the start date for the maintenance window. You can change the start date of the maintenance window before or after enabling it. For information, see [Update or delete maintenance window resources using the console](sysman-maintenance-update.md). **To enable a maintenance window** 1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/). 1. In the navigation pane, choose **Maintenance Windows**. 1. Select the check box next to the maintenance window to enable. 1. Choose **Actions, Enable maintenance window**. The system prompts you to confirm your actions. # Update or delete maintenance window resources using the console Update or delete maintenance window resources You can update or delete a maintenance window in Maintenance Windows, a tool in AWS Systems Manager. You can also update or delete the targets or tasks of a maintenance window. If you edit the details of a maintenance window, you can change the schedule, targets, and tasks. You can also specify names and descriptions for windows, targets, and tasks, which helps you better understand their purpose, and makes it easier to manage your queue of windows. This section describes how to update or delete a maintenance window, targets, and tasks by using the Systems Manager console. For examples of how to do this by using the AWS Command Line Interface (AWS CLI), see [Tutorial: Update a maintenance window using the AWS CLI](maintenance-windows-cli-tutorials-update.md). **Topics** + [ ## Updating or deleting a maintenance window using the console ](#sysman-maintenance-update-mw) + [ ## Updating or deregistering maintenance window targets using the console ](#sysman-maintenance-update-target) + [ ## Updating or deregistering maintenance window tasks using the console ](#sysman-maintenance-update-tasks) ## Updating or deleting a maintenance window using the console You can update a maintenance window to change its name, description, and schedule, and whether the maintenance window should allow unregistered targets. **To update or delete a maintenance window** 1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/). 1. In the navigation pane, choose **Maintenance Windows**. 1. Select the button next to the maintenance window that you want to update or delete, and then do one of the following: + Choose **Delete**. The system prompts you to confirm your actions. + Choose **Edit**. On the **Edit maintenance window** page, change the values and options that you want, and then choose **Save changes**. For information about the configuration choices you can make, see [Create a maintenance window using the console](sysman-maintenance-create-mw.md). ## Updating or deregistering maintenance window targets using the console You can update or deregister the targets of a maintenance window. If you choose to update a maintenance window target you can specify a new target name, description, and owner. You can also choose different targets. **To update or delete the targets of a maintenance window** 1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/). 1. In the navigation pane, choose **Maintenance Windows**. 1. Choose the name of the maintenance window that you want to update, choose the **Targets** tab, and then do one of the following: + To update targets, select the button next to the target to update, and then choose **Edit**. + To deregister targets, select the button next to the target to deregister, and then choose **Deregister target**. In the **Deregister maintenance windows target** dialog box, choose **Deregister**. ## Updating or deregistering maintenance window tasks using the console You can update or deregister the tasks of a maintenance window. If you choose to update, you can specify a new task name, description, and owner. For Run Command and Automation tasks, you can choose a different SSM document for the tasks. You can't, however, edit a task to change its type. For example, if you created an Automation task, you can't edit that task and change it to a Run Command task. **To update or delete the tasks of a maintenance window using the console** 1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/). 1. In the navigation pane, choose **Maintenance Windows**. 1. Choose the name of the maintenance window that you want to update. 1. Choose the **Tasks** tab, and then select the button next to the task to update. 1. Do one of the following: + To deregister a task, choose **Deregister task**. + To edit the task, choose **Edit**. Change the values and options that you want, and then choose **Edit task**.