The Cloud Infrastructure Management using AWS SSM

Crishantha Nanayakkara
4 min read · Nov 12, 2020


[Part 02 — Patch Manager and Inventory]

This is the second part of my AWS Systems Manager (SSM) blog series. The first blog primarily talked about how we can use the RUN command and how to create an SSM Managed Instance.

This blog will focus on another capability of SSM, the Patch Manager.


AWS Patch Manager automates the process of patching your managed instances with both security and other types of updates.

It enables you to scan instances for missing patches and apply missing patches individually or to a patch group.

For security patches, Patch Manager uses patch baselines that include rules for auto-approving patches within days of their release, as well as a list of approved and rejected patches.

You can use Patch Manager to apply patches for both operating systems and applications running on them.

The Patching Process

There are five main steps to follow in the Patch Manager patching process (see Figure 1):

  1. Define a Default Patch Baseline
  2. Create Patch Groups
  3. Create a Maintenance Window
  4. Execute the Patch RUN Command
  5. Compliance Check

Figure 1 — Patch Manager Patching Process

Step 1 — Define a Default Patch Baseline

Patch Manager uses Patch Baselines to define what gets installed. These baselines include rules for auto-approving patches within a given number of days of their release, as well as a list of explicitly approved and rejected patches.

Patch Baselines depend on the Operating System (OS); each OS has its own default patch baseline. If an OS has multiple distributions (as Linux does), there is a separate default patch baseline for each distribution, mainly because each distribution has its own software repositories. For example:

AWS-AmazonLinux2DefaultPatchBaseline — For Amazon Linux 2 distribution

AWS-UbuntuDefaultPatchBaseline — For Ubuntu Linux distribution

AWS-DefaultPatchBaseline — For Windows

AWS-PredefinedDefaultPatchBaseline — For Windows (Same as above)

AWS-PredefinedDefaultPatchBaseline-OS-Applications — For Windows and MS applications

Step 2 — Create Patch Groups

This defines groups of resources, which act as the targets for patching tasks.

Step 3 — Create a Maintenance Window

The maintenance window defines a schedule, a duration, the targets and the tasks to run. It acts as the main coordinator for the whole patching process.

Step 4 — Execute the Patch RUN Command

Execute the AWS-RunPatchBaseline command (the built-in RUN command) against the given target(s), using the patch baseline assigned to them. This step orchestrates the whole patching process for the defined targets.

Step 5 — The Compliance Check

Once the patches have been applied, the target groups are checked for any compliance issues. This is essentially managed by the AWS SSM Inventory feature.

The Patching Process — Sample Demo

Go to SSM -> Select Patch Manager -> Click Configure Patching

Figure 2

Select instances manually (See Figure 3).

Figure 3 — Selecting a Managed Instance (ubuntu-1) to apply patches

For the Patching Schedule, select Skip scheduling and patch instances now.

Use Scan and Install as the Patching Operation (See Figure 4).

Figure 4

Click the Configure Patching button.

Click the View Details button that appears at the top of the page. If the patching process went well, you will see a page like the one below (see Figure 5).

Figure 5

Go to SSM -> Select Command History -> Select the latest Command that was processed.

Figure 6

As an alternative, you may go to SSM -> Managed Instances -> Select the Managed Instance to which you applied the patches.

You can see the multiple patches applied to the selected managed instance (see Figure 7).

Figure 7

Now set up the Inventory to check patching compliance.

Targets: Manually selected resources.

Keep the rest of the fields at their defaults and finally click Setup Inventory.

Figure 8 — Selecting instances to start the inventory process

Go to SSM -> Inventory -> Select the instance for which you started the inventory process.

Figure 9

Now, from the list above (see Figure 9), select the managed instance for which you started the inventory process.

Click the Inventory tab to see the inventory data for the given managed instance. You can also select the Associations and Patch tabs to see all associations and patches (see Figure 10).

Figure 10

Finally, click the Configuration Compliance tab to see the patch compliance (see Figure 11).

Figure 11

It seems the patching has not been applied as expected. You can now investigate further to find the root cause of this issue.
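The Configuration Compliance tab in Step 5 is driven by the same per-instance patch state that the CLI exposes through `aws ssm describe-instance-patch-states`. The script below is an added example (not from the original post) that parses that JSON output and explains, per instance, why it is non-compliant: approved patches still missing after a Scan-only run, failed installs, or patches installed but waiting for a reboot. The instance ids, baseline id, counts and timestamps in the sample are constructed; the field names follow the DescribeInstancePatchStates API. This is one way to start the root-cause investigation mentioned above, not the author's method.

```python
"""Summarise SSM Patch Manager compliance from describe-instance-patch-states output.

Added example, not part of the original post. It reads the JSON returned by
`aws ssm describe-instance-patch-states --instance-ids ...` and flags the
instances that fail the Step 5 compliance check, with the reason.
"""
import json

# Constructed sample: the shape follows the DescribeInstancePatchStates API,
# but every id, count and timestamp here is made up for the example.
SAMPLE_PATCH_STATES = json.dumps({
    "InstancePatchStates": [
        {   # fully patched after an Install run
            "InstanceId": "i-0aaa111example", "PatchGroup": "ubuntu-web",
            "BaselineId": "pb-0bbb222example", "Operation": "Install",
            "OperationEndTime": "2020-11-12T08:14:02+00:00",
            "InstalledCount": 42, "InstalledOtherCount": 310,
            "InstalledPendingRebootCount": 0, "InstalledRejectedCount": 0,
            "MissingCount": 0, "FailedCount": 0, "RebootOption": "RebootIfNeeded",
        },
        {   # Scan-only run: missing patches were detected but nothing installed
            "InstanceId": "i-0ccc333example", "PatchGroup": "ubuntu-web",
            "BaselineId": "pb-0bbb222example", "Operation": "Scan",
            "OperationEndTime": "2020-11-12T08:16:45+00:00",
            "InstalledCount": 30, "InstalledOtherCount": 298,
            "InstalledPendingRebootCount": 0, "InstalledRejectedCount": 0,
            "MissingCount": 7, "FailedCount": 0, "RebootOption": "RebootIfNeeded",
        },
        {   # Install run with one failure and patches waiting on a reboot
            "InstanceId": "i-0ddd444example", "PatchGroup": "ubuntu-web",
            "BaselineId": "pb-0bbb222example", "Operation": "Install",
            "OperationEndTime": "2020-11-12T08:20:10+00:00",
            "InstalledCount": 41, "InstalledOtherCount": 305,
            "InstalledPendingRebootCount": 3, "InstalledRejectedCount": 0,
            "MissingCount": 0, "FailedCount": 1, "RebootOption": "NoReboot",
        },
    ]
})


def assess_instance(state):
    """Return (compliant, reasons) for one InstancePatchState entry.

    Patch Manager counts Missing, Failed, InstalledRejected and
    InstalledPendingReboot patches as non-compliant, so any of those
    counts being non-zero fails the instance.
    """
    reasons = []
    missing = state.get("MissingCount", 0)
    failed = state.get("FailedCount", 0)
    rejected = state.get("InstalledRejectedCount", 0)
    pending = state.get("InstalledPendingRebootCount", 0)
    if missing:
        reasons.append(f"{missing} approved patch(es) missing")
        # A Scan operation only reports what is missing; it installs nothing.
        if state.get("Operation") == "Scan":
            reasons.append("last operation was Scan, not Install")
    if failed:
        reasons.append(f"{failed} patch(es) failed to install")
    if rejected:
        reasons.append(f"{rejected} installed patch(es) are on the baseline's rejected list")
    if pending:
        reasons.append(f"{pending} patch(es) installed but waiting for a reboot")
        # With NoReboot the instance stays in this state until someone reboots it.
        if state.get("RebootOption") == "NoReboot":
            reasons.append("RebootOption=NoReboot, so the instance will not reboot itself")
    return (not reasons, reasons)


def compliance_report(raw_json):
    """Map each InstanceId in the CLI output to its (compliant, reasons) pair."""
    data = json.loads(raw_json)
    return {s["InstanceId"]: assess_instance(s) for s in data.get("InstancePatchStates", [])}


def noncompliant_instances(raw_json):
    """Sorted ids of the instances that fail the compliance check."""
    return sorted(i for i, (ok, _) in compliance_report(raw_json).items() if not ok)


if __name__ == "__main__":
    for instance_id, (ok, reasons) in compliance_report(SAMPLE_PATCH_STATES).items():
        print(f"{instance_id}: {'COMPLIANT' if ok else 'NON_COMPLIANT'}")
        for reason in reasons:
            print(f"    - {reason}")
```

To run it against a real account, pipe the CLI output into the script instead of the constructed sample, for example by replacing `SAMPLE_PATCH_STATES` with `sys.stdin.read()`. Scoping the query to one patch group (`--filters Key=PatchGroup,...` is not part of this command; use `describe-instance-patch-states-for-patch-group` for that) keeps the report aligned with the Step 2 grouping.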

I hope this blog gave you some insight into how patching can be done and how SSM can help you on this journey.




Written by Crishantha Nanayakkara

Enterprise Architect @ FAO (UN) | Former CTO, ICTA Sri Lanka
