The Cloud Infrastructure Management using AWS SSM

[Part 02 — Patch Manager and Inventory]

This is the second part of my AWS Systems Manager (SSM) blog series. The first primarily talked about how we can use RUN command and how to create a SSM Managed instance.

This blog primarily will be focusing on another capability of SSM, which is the Patch Manager.


AWS Patch Manager automates the process of patching your managed instances with both security and other types of updates.

It enables you to scan instances for missing patches and apply missing patches individually or to a patch group.

For security patches, Patch Manager uses patch baselines that include rules for auto-approving patches within days of their release, as well as a list of approved and rejected patches.

You can use Patch Manager to apply patches for both operating systems and applications running on them.

The Patching Process

There are five main steps that is required to follow in the Patch Manager patching process (See Figure 1)

  1. Define a Default Patch Baseline
  2. Create Patch Groups
  3. Create a Maintenance Window
  4. Executing the Patch RUN Command
  5. Compliance Check
Figure 1 — Patch Manager Patching Process

Step 1 — Define a Default Patch Baseline

Patch Manager uses Patch Baselines to define what gets installed. These baselines include rules for auto approving patches within days of their release, as well as a list of approved and rejected patches.

Patch Baselines can depend on the Operating System (OS), which has its own default patch baseline. If an OS has multiple distributions (like in Linux), then you will have multiple default patch baselines for each OS distribution mainly because each distribution has its own software repositories. For example:

AWS-AmazonLinux2DefaultPatchBaseline — For Amazon Linux 2 distribution

AWS-UbuntuDefaultPatchBaseline — For Ubuntu Linux distribution

AWS-DefaultPatchBaseline — For Windows

AWS-PredefinedDefaultPatchBaseline — For Windows (Same as above)

AWS-PredefinedDefaultPatchBaseline-OS-Applications — For Windows and MS applications

Step 2 — Create Patch Groups

This defines groups of resources, which act as targets for parching tasks.

Step 3 — Create a Maintenance Window

The maintenance window defines a schedule, duration, targets and tasks. It works as the main coordinator for the whole patching process.

Step 4 — Executing the Patch RUN Command

Execute the AWS-RunPatchbaseline command (the built in RUN command) with a baseline defined to a given target(s). This process orchestrate the whole patching process with defined targets.

Step 5 — The Compliance Check

Once patches are executed, target groups are being checked for any compliance issues. This is basically being managed by AWS SSM Inventory feature.

The Patching Process — Sample Demo

Go to SSM -> Select Patch Manager -> Click Configure Patching

Figure 2

Select instances manually (See Figure 3).

Figure 3 — Selecting an Managed Instance (ubuntu-1) to apply patches

Select Patching Schedule as Skip scheduling and patch instances now.

Use Scan and Install as the Patching Operation (See Figure 4).

Figure 4

Click Configure Patching button.

Click View Details button which appears on top of the page. You will get a page like below if the patching process went well (See Figure 5).

Figure 5

Go to SSM -> Select Command History -> Select the latest Command it had processed.

Figure 6

As an alternative, you may Go to SSM -> Managed Instances -> Select the Managed Instance, where you have applied.

You can see multiple patches applied to the selected managed instance (See Figure 7).

Figure 7

Now start setting up the Inventory to check patching compliance.

Targets: Manually selected resources.

Keep the rest of the field attributes as default and finally click Setup Inventory.

Figure 8 — Selecting instances to start the inventory process

Go to SSM -> Inventory -> Select the instance, that your started the inventory process.

Figure 9

Now, from the above list (See Figure 9), select the managed instance that you have started the inventory process.

Click the Inventory tab to see the inventory data for the given managed instance. You can select Associations and Patch tabs as well to see all associations and patches (See Figure 10).

Figure 10

Finally, click the Configuration Compliance tab to see the patch compliance (See Figure 11).

Figure 11

Seems patching has not applied as expected. Now you can further investigate to find the root cause of this issue.

Hope this blog gave you some insights about how patching can be done and how SSM can help you on this journey.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store