This chapter covers AWS Systems Manager Change Manager and Change Calendar, two critical services for implementing change management in AWS environments. For the SOA-C02 exam, these topics fall under Domain 3: Deployment, Objective 3.2: Automate manual processes. Expect 2-4 questions related to Change Manager and Change Calendar, focusing on how they enforce change freezes, approve/reject changes, and integrate with other Systems Manager capabilities. Understanding the underlying mechanism—especially how Change Calendar defines allowed windows and how Change Manager evaluates approval processes—is essential to avoid common trick answers.
Jump to a section
Imagine a large construction company managing dozens of simultaneous projects. Each project requires specific permits (e.g., electrical, plumbing, structural) before work can begin. The company has a central permit office that maintains a calendar of approved work windows. For each project, the office checks the calendar: if the permit is valid and the current date falls within the approved window, work is allowed; otherwise, the office rejects the request. The permit office also integrates with the project scheduling system: when a permit expires, the scheduling system automatically blocks any new work orders for that project. Now, suppose a project manager tries to start demolition without a permit. The office denies the request and logs the attempt. Similarly, if the permit is valid but the work window hasn't opened yet, the request is queued until the window opens. The permit office also supports recurring permits (e.g., monthly maintenance) and can override a permit for emergencies (e.g., a burst pipe). This is exactly how AWS Systems Manager Change Calendar works: it defines 'permit' (allowed) and 'not allowed' time periods, and Change Manager checks this calendar before approving or rejecting change requests. The calendar integrates with Change Manager to automatically enforce change freezes during critical business periods (e.g., Black Friday), preventing unauthorized changes. Just as the permit office logs every attempt, Change Calendar records all evaluations for audit trails. The calendar can also be shared across accounts via AWS Organizations, allowing centralized control similar to a corporate permit office managing permits for multiple branch offices.
What is AWS Systems Manager Change Manager?
AWS Systems Manager Change Manager is a service that provides a standardized, automated change management process for AWS resources. It allows organizations to create, review, approve, and implement changes in a controlled manner. Change Manager integrates with other Systems Manager capabilities, such as Run Command, Automation, and Maintenance Windows, to execute approved changes. It also integrates with Change Calendar to enforce change freezes during critical periods.
Why Change Manager Exists
In traditional IT, change management is often manual, error-prone, and lacks auditability. Change Manager automates the change request lifecycle, ensuring that all changes follow a predefined approval workflow. It provides a central dashboard to track changes, enforce policies (e.g., required approvals, change windows), and generate audit logs. This helps organizations meet compliance requirements (e.g., SOC 2, PCI DSS) and reduce the risk of unauthorized or untested changes.
How Change Manager Works Internally
Change Manager operates through a change request template. A template defines: - Change type: e.g., automation runbook, run command, or maintenance window. - Approval workflow: e.g., single approver, multi-level approval, or self-service. - Scheduling: when the change should be executed. - Risk level: low, medium, high, or custom. - Change Calendar association: optional, to enforce change freezes.
When a user submits a change request, Change Manager: 1. Validates the request against the template. 2. Checks the associated Change Calendar (if any) to see if the requested time falls within an allowed window. 3. If the calendar denies the change, the request is rejected immediately. 4. If allowed, the request enters the approval workflow. 5. Once approved, the change is scheduled for execution (either immediately or at a specified time). 6. After execution, Change Manager logs the outcome and provides a detailed report.
Key Components, Values, Defaults, and Timers
Change Request Template: Defines the change process. Default templates are provided for common scenarios (e.g., patch management, AMI updates). Custom templates can be created.
Approval Workflow: Supports up to 5 approval levels. Each level can have one or more approvers (IAM users or groups). Default: single approver.
Risk Levels: Low, Medium, High, Custom. The risk level can influence the approval workflow (e.g., high-risk changes require more approvals).
Change Calendar: Defines time windows when changes are allowed or not allowed. Calendars can be shared across accounts using AWS Organizations.
Change Freeze: A period during which changes are blocked. Change Calendar can mark a time range as 'not allowed' to enforce freezes.
Execution: Changes can be executed immediately after approval, or scheduled for a specific time. Scheduling uses cron expressions (e.g., cron(0 2 * * ? *) for 2 AM daily).
Retention: Change request records are retained for 90 days by default (configurable up to 3 years).
Integration: Change Manager integrates with AWS Config, CloudTrail, and Amazon EventBridge for audit and event-driven actions.
Configuration and Verification Commands
To create a Change Calendar:
aws ssm create-document --name "MyChangeCalendar" --content file://calendar.json --document-type ChangeCalendarThe calendar JSON defines allowed and blocked windows:
{
"schemaVersion": "1.0",
"description": "Change Calendar for Black Friday freeze",
"calendarEvents": [
{
"name": "BlackFridayFreeze",
"type": "NOT_ALLOWED",
"startTime": "2024-11-28T00:00:00Z",
"endTime": "2024-11-30T23:59:59Z"
}
]
}To associate a calendar with a change request template:
aws ssm update-document --name "MyChangeTemplate" --content file://template.jsonIn the template, include:
"changeCalendar": {
"type": "ChangeCalendar",
"documentName": "MyChangeCalendar"
}To submit a change request:
aws ssm start-change-request-execution --document-name "MyChangeTemplate" --parameters "{}"To view change requests:
aws ssm list-change-requestsTo get details:
aws ssm describe-change-request --change-request-id "cr-1234567890"How Change Manager Interacts with Related Technologies
AWS Systems Manager Automation: Change Manager can trigger automation runbooks as the change action. For example, a change request to update an AMI can invoke an automation that creates a new AMI and updates an Auto Scaling group.
AWS Systems Manager Maintenance Windows: Change Manager can execute changes within a maintenance window. The change request must be scheduled to occur during the window.
AWS Config: Change Manager can be integrated with AWS Config rules to enforce compliance before and after a change.
Amazon EventBridge: Change Manager emits events (e.g., change request submitted, approved, completed) that can trigger other actions.
AWS Organizations: Change Calendar can be shared across accounts in an organization, allowing a central change freeze policy.
Change Calendar Deep Dive
Change Calendar is a document of type ChangeCalendar that defines time-based rules for when changes are allowed or not allowed. It supports two event types:
- ALLOWED: Changes are permitted during this window.
- NOT_ALLOWED: Changes are blocked during this window.
You can create recurring events (e.g., monthly maintenance windows) or one-time events (e.g., holiday freezes). The calendar can be shared across accounts via AWS Organizations, meaning a parent account can define a calendar and share it with child accounts. When a change request is submitted, Change Manager evaluates the calendar at the scheduled execution time. If the calendar says NOT_ALLOWED, the change request is rejected. If ALLOWED, the request proceeds.
Exam-Relevant Details
Default Change Calendar: There is no default calendar; you must create one and associate it with a template.
Calendar Evaluation: The calendar is evaluated at the time of submission, not at execution. However, if the execution time falls outside the allowed window, the change will fail at execution.
Multiple Calendars: A change request template can only be associated with one calendar. However, a single calendar can contain multiple events.
Sharing Calendars: Calendars can be shared across accounts using AWS Organizations. The shared calendar appears as a document in the recipient account.
Permissions: To use a shared calendar, the recipient account must have permission to read the document. The sharing account must grant access via resource-based policies.
Change Freeze: A common exam scenario: during a change freeze, all changes are blocked. The calendar defines the freeze period as NOT_ALLOWED. Any change request submitted during that period is rejected.
Step-by-Step Mechanism of a Change Request with Calendar Enforcement
User submits a change request with a scheduled execution time.
Change Manager validates the request against the template.
Change Manager checks the associated Change Calendar for the scheduled time.
If the calendar indicates NOT_ALLOWED, the request is rejected immediately with a reason.
If ALLOWED, the request enters the approval workflow.
After approval, the change is executed at the scheduled time.
Execution result is logged and available via CloudTrail.
Common Misconfigurations
Missing Calendar Association: A template without a calendar association will not enforce any change freeze, which might be unexpected.
Incorrect Time Zone: Calendar events are in UTC. If users submit requests in local time, they may be blocked unexpectedly.
Overlapping Events: If two events overlap, the most restrictive (NOT_ALLOWED) takes precedence.
Permissions: If the calendar is shared but the recipient account lacks read permission, the change request will fail.
Create Change Calendar document
First, create a Change Calendar document using AWS Systems Manager. This document defines allowed and blocked time windows. Use the AWS CLI or console to create a document of type `ChangeCalendar`. The document content is a JSON object with a `calendarEvents` array. Each event has a name, type (ALLOWED or NOT_ALLOWED), startTime, and endTime. Times must be in ISO 8601 format (e.g., 2024-12-25T00:00:00Z). You can also specify a schedule for recurring events using cron expressions. The document can be shared across accounts via AWS Organizations by attaching a resource-based policy.
Associate Calendar with Change Template
Next, create or update a change request template to associate the Change Calendar. The template is a Systems Manager document of type `ChangeRequestTemplate`. In the template JSON, include a `changeCalendar` field that references the calendar document by name. Only one calendar can be associated per template. If you need multiple calendars (e.g., separate freezes for different teams), create separate templates. The association ensures that every change request using this template will be evaluated against the calendar.
Submit change request with schedule
A user submits a change request using the template. They specify the desired execution time (immediate or scheduled). The request includes parameters required by the template, such as the automation runbook to execute. The submission triggers an evaluation of the Change Calendar: the system checks whether the scheduled time falls within an ALLOWED or NOT_ALLOWED window. If NOT_ALLOWED, the request is rejected immediately with an error message. If ALLOWED, the request proceeds to the approval workflow.
Approval workflow execution
Once the calendar check passes, the change request enters the approval workflow defined in the template. This can be a simple single approver or a multi-level approval chain. Approvers receive notifications via Amazon SNS or email (configured in the template). Each approver can approve, reject, or request more information. If any approver rejects, the change request is cancelled. If all approvers approve, the change moves to the scheduled execution step.
Execution and logging
At the scheduled time, Change Manager executes the change action (e.g., runs an automation, sends a command). The execution is logged in AWS CloudTrail and in the Change Manager console. The change request status updates to 'Completed' or 'Failed'. If the execution time falls outside the allowed window (e.g., due to a delay), the execution will fail. After completion, a detailed report is available, including the input parameters, outputs, and any errors. The change request record is retained for 90 days by default.
Enterprise Scenario 1: Black Friday Change Freeze
A large e-commerce company uses Change Calendar to enforce a complete change freeze during Black Friday weekend. The operations team creates a calendar with a NOT_ALLOWED event from Thursday 00:00 UTC to Sunday 23:59 UTC. This calendar is shared with all accounts in the organization via AWS Organizations. All change request templates in production accounts are associated with this calendar. During the freeze, any attempt to submit a change request (e.g., patch deployment, configuration update) is automatically rejected. This prevents accidental disruptions during peak traffic. The change freeze is enforced across hundreds of accounts without manual intervention. One common pitfall: if a team creates a new change template without associating the calendar, changes can bypass the freeze. Therefore, the company uses AWS Config rules to enforce that all change templates have the calendar associated.
Enterprise Scenario 2: Monthly Maintenance Windows
A financial services company uses Change Manager to schedule monthly security patches. They create a Change Calendar with recurring ALLOWED events on the first Saturday of each month from 2:00 AM to 6:00 AM UTC. Change request templates are configured to only allow execution during these windows. The approval workflow requires two approvals: one from the security team and one from the application owner. During the month, if a critical patch is needed outside the window, a separate emergency change template is used that has no calendar association (or a separate calendar with broader windows). This ensures that routine changes are confined to maintenance windows while allowing flexibility for emergencies. The company uses CloudTrail to audit all change requests and their calendar evaluation results.
Enterprise Scenario 3: Multi-Team Change Coordination
A SaaS provider has multiple engineering teams that share the same AWS accounts. To prevent conflicting changes, they use Change Calendar to define team-specific allowed windows. For example, Team A can deploy changes on Mondays and Wednesdays, Team B on Tuesdays and Thursdays. Each team has its own change template associated with a dedicated calendar. The calendars are created centrally by the change advisory board (CAB) and shared to all accounts. This prevents overlapping changes that could cause service degradation. The CAB monitors change requests and can override a calendar for emergency changes by temporarily updating the calendar to allow changes. This approach scales to dozens of teams and hundreds of changes per week. The key challenge is managing calendar updates and ensuring teams do not accidentally use the wrong template.
What SOA-C02 Tests on This Topic
SOA-C02 Objective 3.2: Automate manual processes. Specifically, you need to know how to use Change Manager and Change Calendar to enforce change management policies. The exam focuses on:
How Change Calendar defines allowed/blocked windows.
How Change Manager evaluates calendars during change request submission.
Integration with AWS Organizations for cross-account calendar sharing.
The difference between Change Calendar and Maintenance Windows (Maintenance Windows schedule execution, Change Calendar restricts when changes can be submitted/executed).
Common Wrong Answers and Why Candidates Choose Them
1. Wrong Answer: 'Change Calendar can be used to automatically execute changes during allowed windows.' - Why wrong: Change Calendar only defines allowed/blocked windows; it does not execute changes. Execution is handled by Change Manager or other SSM capabilities. - Why candidates choose it: They confuse Change Calendar with Maintenance Windows, which can automatically start executions.
2. Wrong Answer: 'Change Calendar events are evaluated at the time of execution, not submission.' - Why wrong: Evaluation occurs at submission time. If the execution time falls outside the allowed window, the change will fail at execution, but the request is not rejected at submission. - Why candidates choose it: They think the calendar is checked only when the change is about to run.
3. Wrong Answer: 'A change request template can be associated with multiple Change Calendars.' - Why wrong: Only one calendar per template. - Why candidates choose it: They assume you can combine multiple calendars (e.g., one for freeze, one for maintenance).
4. Wrong Answer: 'Change Calendar supports both ALLOWED and NOT_ALLOWED events, and if both overlap, ALLOWED takes precedence.' - Why wrong: NOT_ALLOWED takes precedence. - Why candidates choose it: They think 'allow' overrides 'deny'.
Specific Numbers, Values, and Terms
Calendar event types: ALLOWED and NOT_ALLOWED.
Document type: ChangeCalendar.
Template document type: ChangeRequestTemplate.
Default retention: 90 days for change request records.
Maximum approval levels: 5.
Sharing: Via AWS Organizations using resource-based policies.
Time format: ISO 8601 UTC.
Edge Cases and Exceptions
Overlapping events: If an ALLOWED and NOT_ALLOWED event overlap, NOT_ALLOWED wins.
Calendar with no events: If a calendar has no events, all times are considered ALLOWED by default? Actually, the default behavior is that if no events match, the time is considered ALLOWED. But the exam might test that an empty calendar allows all changes.
Shared calendar permissions: If the shared calendar document is deleted in the source account, the calendar becomes unavailable in all recipient accounts, causing change requests to fail.
Time zone confusion: All times are UTC. If a user submits a change request for 10:00 AM local time but the calendar uses UTC, the evaluation might block the request unexpectedly.
How to Eliminate Wrong Answers
If the question mentions 'enforcing a change freeze', look for Change Calendar.
If the question mentions 'scheduling recurring changes', look for Maintenance Windows.
If the question mentions 'approval workflow', look for Change Manager.
Remember: Change Calendar does not execute changes; it only blocks/allows.
The calendar is checked at submission, not execution.
Only one calendar per template.
NOT_ALLOWED overrides ALLOWED.
Change Calendar is a Systems Manager document of type ChangeCalendar that defines ALLOWED and NOT_ALLOWED time windows.
Change Calendar is associated with a Change Request Template to enforce change freezes.
Only one Change Calendar can be associated per template.
NOT_ALLOWED events take precedence over ALLOWED events when overlapping.
Calendar evaluation occurs at change request submission time, not at execution.
Change Calendar can be shared across accounts using AWS Organizations.
Change Manager provides approval workflows with up to 5 approval levels.
Change request records are retained for 90 days by default (configurable).
Change Calendar does not execute changes; it only blocks or allows them.
Common exam scenario: Black Friday freeze using a NOT_ALLOWED event.
These come up on the exam all the time. Here's how to tell them apart.
Change Calendar
Defines allowed/blocked time windows for changes.
Does not execute any actions; only evaluates whether a change is permitted.
Used to enforce change freezes or restrict changes to specific periods.
Evaluated at change request submission time.
Integrated with Change Manager for approval workflows.
Maintenance Windows
Defines a schedule for executing maintenance tasks (e.g., patching).
Automatically runs tasks (e.g., Run Command, Automation) during the window.
Used to schedule recurring operational tasks.
Executes tasks at the scheduled time regardless of change requests.
Can be used independently of Change Manager.
Mistake
Change Calendar automatically executes changes during allowed windows.
Correct
Change Calendar only defines time windows; it does not execute changes. Execution is handled by Change Manager or other SSM services like Maintenance Windows.
Mistake
A change request template can be associated with multiple Change Calendars.
Correct
Only one Change Calendar can be associated per template. To use multiple calendars, create separate templates.
Mistake
Change Calendar events are evaluated at the time of execution, not submission.
Correct
Evaluation occurs at submission time. If the execution time falls outside the allowed window, the change will fail at execution, but the request is not rejected at submission.
Mistake
If an ALLOWED and NOT_ALLOWED event overlap, ALLOWED takes precedence.
Correct
NOT_ALLOWED takes precedence. The most restrictive rule applies.
Mistake
Change Calendar can be used without Change Manager.
Correct
Change Calendar is primarily used with Change Manager to enforce change freezes. It can also be used independently with other SSM capabilities, but the exam focuses on its integration with Change Manager.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
You create a Change Calendar by creating a Systems Manager document of type ChangeCalendar. Use the AWS CLI command `aws ssm create-document --name "MyCalendar" --content file://calendar.json --document-type ChangeCalendar`. The JSON content includes a `calendarEvents` array with events that have a name, type (ALLOWED or NOT_ALLOWED), startTime, and endTime in ISO 8601 UTC format. You can also specify recurring events using a schedule expression. Once created, the calendar can be associated with a change request template.
Yes, Change Calendar can be used independently with other Systems Manager capabilities, such as Run Command or Automation, by checking the calendar status via the `GetCalendarState` API. However, on the SOA-C02 exam, the primary use case is with Change Manager to enforce change freezes. The exam focuses on the integration: you create a calendar, associate it with a change request template, and then Change Manager evaluates the calendar when a change request is submitted.
The change request is rejected immediately at submission. The user receives an error message indicating that the change is not allowed due to the calendar. The request does not proceed to the approval workflow. This is a key exam point: the calendar is checked at submission, not at execution.
Change Calendar can be shared across accounts using AWS Organizations. The calendar document must have a resource-based policy that grants access to other accounts or organizational units. The recipient account can then view and use the shared calendar. The shared calendar appears as a document in the recipient account's Systems Manager. This allows a central team to enforce change freezes across the entire organization.
Change Calendar defines time periods when changes are allowed or blocked; it is a policy enforcement tool. Maintenance Windows define a schedule for executing specific tasks (e.g., patching, automation); they are an execution scheduling tool. They can be used together: you can schedule a maintenance window during an ALLOWED calendar window to ensure changes only happen during permitted times.
No, a change request template can only be associated with one Change Calendar. If you need to enforce multiple calendars (e.g., separate freezes for different teams), you must create separate templates, each associated with its own calendar.
The change request will fail at execution time. The calendar evaluation at submission only checks if the scheduled time is allowed at that moment. If the execution time later falls outside the window (e.g., due to a calendar update), the execution will fail. This is a rare edge case but could appear on the exam.
You've just covered SSM Change Manager and Change Calendar — now see how well it sticks with free SOA-C02 practice questions. Full explanations included, no account needed.
Done with this chapter?