AWS Systems Manager Patch Manager automates the process of patching managed instances with security-related updates.
For Linux-based instances, you can also install patches for non-security updates.
You can patch fleets of Amazon EC2 instances or your on-premises servers and virtual machines (VMs) by operating system type. This includes supported versions of Windows, Ubuntu Server, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server (SLES), and Amazon Linux. You can scan instances to see only a report of missing patches, or you can scan and automatically install all missing patches. You can target instances individually or in large groups by using Amazon EC2 tags.
Warning

* AWS does not test patches for Windows or Linux before making them available in Patch Manager.
* If any updates are installed by Patch Manager, the patched instance is rebooted.
* Always test patches thoroughly before deploying to production environments.
Patch Manager uses patch baselines, which include rules for auto-approving patches within days of their release, as well as a list of approved and rejected patches. Later in this lab we will schedule patching to occur on a regular basis using a Systems Manager Maintenance Window task. Patch Manager integrates with AWS Identity and Access Management (IAM), AWS CloudTrail, and Amazon CloudWatch Events to provide a secure patching experience that includes event notifications and the ability to audit usage.
The operating systems supported by Patch Manager may vary from those supported by the SSM Agent.
a. Enter a Name for your custom patch baseline, such as
b. Optionally enter a description, such as
Windows patch baseline including security and non-security patches.
c. Select Windows from the list.
a. Examine the options in the lists but leave Product, Classification, and Severity at their default of All.
b. Leave the Auto approval delay at its default of 0 days.
c. Change the value of Compliance level - optional to Critical.
d. Choose Add another rule.
e. In the new rule, change the value of Compliance level - optional to Medium.
f. Check the box under Include non-security updates to include all Windows updates when patching.
If an approved patch is reported as missing, the option you choose in Compliance level, such as
Medium, determines the severity of the compliance violation reported in Systems Manager Compliance.
A patch group is an optional method to organize instances for patching. For example, you can create patch groups for different operating systems (Linux or Windows), different environments (Development, Test, and Production), or different server functions (web servers, file servers, databases). Patch groups can help you avoid deploying patches to the wrong set of instances. They can also help you avoid deploying patches before they have been adequately tested.
You create a patch group by using Amazon EC2 tags. Unlike other tagging scenarios across Systems Manager, a patch group must be defined with the tag key:
Patch Group (tag keys are case sensitive). You can specify any value (for example,
web servers) but the key must be
An instance can only be in one patch group.
After you create a patch group and tag instances, you can register the patch group with a patch baseline. By registering the patch group with a patch baseline, you ensure that the correct patches are installed during the patching execution. When the system applies a patch baseline to an instance, the service checks if a patch group is defined for the instance.

* If the instance is assigned to a patch group, the system checks to see which patch baseline is registered to that group.
* If a patch baseline is found for that group, the system applies that patch baseline.
* If an instance isn’t assigned to a patch group, the system automatically uses the currently configured default patch baseline.
Critical, choose Add, and then choose Close to be returned to the Patch Baseline details screen.
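The same baseline and patch-group registration performed above in the console, expressed with the AWS CLI as an added example (not part of the lab): the baseline name, the patch group value and the `SSM_LAB_APPLY` guard are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the lab): create the lab's custom Windows baseline with
# its two approval rules and register it to a patch group using the AWS CLI.
# Assumptions: AWS CLI v2 is configured; the names below are constructed.
set -eu

BASELINE_NAME="WindowsLabBaseline"   # constructed baseline name
PATCH_GROUP="WebServers"             # constructed "Patch Group" tag value

# Approval rules as configured in the console steps: Product, Classification and
# Severity left at All ("*"), 0-day auto-approval delay, one rule per compliance level.
approval_rules_json() {
  cat <<'EOF'
{"PatchRules":[
 {"PatchFilterGroup":{"PatchFilters":[{"Key":"PRODUCT","Values":["*"]},
   {"Key":"CLASSIFICATION","Values":["*"]},{"Key":"MSRC_SEVERITY","Values":["*"]}]},
  "ComplianceLevel":"CRITICAL","ApproveAfterDays":0},
 {"PatchFilterGroup":{"PatchFilters":[{"Key":"PRODUCT","Values":["*"]},
   {"Key":"CLASSIFICATION","Values":["*"]},{"Key":"MSRC_SEVERITY","Values":["*"]}]},
  "ComplianceLevel":"MEDIUM","ApproveAfterDays":0}
]}
EOF
}

# Patch Manager only recognises the tag key "Patch Group", and tag keys are
# case sensitive: returns 0 for the exact key, 1 for anything else.
valid_patch_group_key() {
  [ "$1" = "Patch Group" ]
}

# Create the baseline, then register the patch group to it so instances tagged
# Patch Group=$PATCH_GROUP are evaluated against these rules, not the default.
create_and_register() {
  baseline_id=$(aws ssm create-patch-baseline \
    --name "$BASELINE_NAME" \
    --description "Windows patch baseline including security and non-security patches." \
    --operating-system WINDOWS \
    --approval-rules "$(approval_rules_json)" \
    --query BaselineId --output text)
  aws ssm register-patch-baseline-for-patch-group \
    --baseline-id "$baseline_id" --patch-group "$PATCH_GROUP"
  echo "$baseline_id"
}

# Call AWS only when explicitly requested; otherwise print the rules for review.
if [ "${SSM_LAB_APPLY:-0}" = "1" ]; then
  create_and_register
else
  approval_rules_json
fi
```

Run with `SSM_LAB_APPLY=1` to create and register the baseline; without it the script only prints the approval rules it would submit.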
AWS-RunPatchBaseline is a command document that enables you to control patch approvals using patch baselines. It reports patch compliance information that you can view using the Systems Manager Compliance tools. For example, you can view which instances are missing patches and what those patches are.
For Linux operating systems, compliance information is provided for patches from both the default source repository configured on an instance and from any alternative source repositories you specify in a custom patch baseline. AWS-RunPatchBaseline supports both Windows and Linux operating systems.
All AWS provided Automation and Run Command documents can be viewed in AWS Systems Manager Documents. You can create your own documents or launch existing scripts using provided documents to implement custom operations as code activities.
To examine AWS-RunPatchBaseline in Documents:
AWS-Run into the text field and press Enter on your keyboard to start the search.
AWS Systems Manager Run Command lets you remotely and securely manage the configuration of your managed instances. Run Command enables you to automate common administrative tasks and perform ad hoc configuration changes at scale. You can use Run Command from the AWS Management Console, the AWS Command Line Interface, AWS Tools for Windows PowerShell, or the AWS SDKs.
The remaining Run Command features enable you to:
* Specify Rate control, limiting Concurrency to a specific number of targets or a calculated percentage of systems, or to specify an Error threshold by count or percentage of systems after which the command execution will end.
* Specify Output options to record the entire output to a preconfigured S3 bucket and optional S3 key prefix.
Only the last 2500 characters of a command document’s output are displayed in the console.

* Specify SNS notifications to a specified SNS Topic on all events or on a specific event type for either the entire command or on a per-instance basis. This requires Amazon SNS to be preconfigured.
* View the command as it would appear if executed within the AWS Command Line Interface.
a. Choose the search icon, select
Platform, and then choose
Windows to display all the available commands that can be applied to Windows instances.
b. Choose AWS-RunPatchBaseline in the list.
a. Under Specify targets by, choose Specifying a tag to reveal the Tags sub-section.
b. Under Enter a tag key, enter
Workload and under Enter a tag value enter
> Note: You could have chosen Manually selecting instances and used the check box at the top of the list to select all instances displayed, or selected them individually.
Note there are multiple pages of instances. If manually selecting instances, individual selections must be made on each page.
a. For Concurrency, leave the default targets selected and specify
Limiting concurrency staggers the application of patches and the reboot cycle. However, to ensure that your instances do not reboot at the same time, create separate tags to define target groups and schedule the application of patches at separate times.
b. For Error threshold, leave the default errors selected and specify
Remember, if any updates are installed by Patch Manager, the patched instance is rebooted.
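The Run Command configuration described above (tag targeting, rate control, S3 output), issued from the AWS CLI as an added example rather than the lab's own steps: the `Workload` tag value, the bucket name, the concurrency and error-threshold values and the `SSM_LAB_APPLY` guard are assumptions made here. It scans first so Compliance shows what is missing before any instance is rebooted by an Install.

```shell
#!/bin/sh
# Added example (not from the lab): run AWS-RunPatchBaseline against instances
# tagged Workload=<value> with the rate controls and S3 output the lab configures.
# Assumptions: AWS CLI v2 is configured; tag value, bucket, concurrency and
# error-threshold values are constructed here, not the lab's.
set -eu

TAG_VALUE="${WORKLOAD_TAG:-Lab}"                        # constructed tag value
OUTPUT_BUCKET="${PATCH_LOG_BUCKET:-example-patch-logs}" # constructed bucket

# Build the send-command call; Scan only reports, Install patches and reboots.
# Without SSM_LAB_APPLY=1 the call is printed for review instead of executed.
send_patch_command() {
  op="$1"; concurrency="$2"; max_errors="$3"
  case "$op" in Scan|Install) ;; *) echo "unknown operation: $op" >&2; return 1 ;; esac
  set -- --document-name AWS-RunPatchBaseline \
    --targets "Key=tag:Workload,Values=$TAG_VALUE" \
    --parameters "Operation=$op" \
    --max-concurrency "$concurrency" --max-errors "$max_errors" \
    --output-s3-bucket-name "$OUTPUT_BUCKET" --output-s3-key-prefix "patch/$op" \
    --query Command.CommandId --output text
  if [ "${SSM_LAB_APPLY:-0}" = "1" ]; then
    aws ssm send-command "$@"          # prints the CommandId
  else
    echo "aws ssm send-command $*"
  fi
}

# Poll until the command leaves Pending/InProgress, then list per-instance status.
wait_for_command() {
  cmd_id="$1"
  while :; do
    status=$(aws ssm list-commands --command-id "$cmd_id" \
      --query 'Commands[0].Status' --output text)
    case "$status" in Pending|InProgress) sleep 15 ;; *) break ;; esac
  done
  aws ssm list-command-invocations --command-id "$cmd_id" \
    --query 'CommandInvocations[].[InstanceId,Status]' --output text
}

if [ "${SSM_LAB_APPLY:-0}" = "1" ]; then
  # Scan first so Compliance shows what is missing before anything reboots.
  wait_for_command "$(send_patch_command Scan 5 1)"
  # Install one instance at a time and stop at the first failure.
  wait_for_command "$(send_patch_command Install 1 1)"
else
  send_patch_command Scan 5 1
  send_patch_command Install 1 1
fi
```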
Patch. The Compliance Summary will now show that there are 4 systems that have satisfied critical severity patch compliance.
In the optional Scheduling Automated Operations Activities section of this lab you can set up Systems Manager Maintenance Windows and schedule the automated application of patches.
In a traditional environment, you would have had to set up the systems and software to perform these activities. You would require a server to execute your scripts. You would need to manage authentication credentials across all of your systems.
Operations as code reduces the resources, time, risk, and complexity of performing operations tasks and ensures consistent execution. You can take operations as code and automate operations activities by using scheduling and event triggers. Through integration at the infrastructure level you avoid “swivel chair” processes that require multiple interfaces and systems to complete a single operations activity.