Patch Manager

Patch Manager uses patch baselines, which include rules for auto-approving patches within days of their release, as well as a list of approved and rejected patches. Later in this lab we will schedule patching to occur on a regular basis using a Systems Manager Maintenance Window task. Patch Manager integrates with AWS Identity and Access Management (IAM), AWS CloudTrail, and Amazon EventBridge to provide a secure patching experience that includes event notifications and the ability to audit usage.

AWS does not test patches for Windows Server or Linux before making them available in Patch Manager. Also, Patch Manager doesn’t support upgrading major versions of operating systems, such as Windows Server 2016 to Windows Server 2019, or SUSE Linux Enterprise Server (SLES) 12.0 to SLES 15.0. Always test patches thoroughly before deploying to production environments. This is a customer-owned responsibility.

In this lab we will create Patch Baselines and Patch Groups. These will be used to decide which patches to apply to our instances and which instances to target.

High-level Objectives

  • Create a custom patch baseline

  • Create a patch group to associate managed instances with the custom patch baseline

Create Patch Baseline

  1. Under Node Management in the AWS Systems Manager navigation bar, select Patch Manager.

  2. Select the View predefined patch baselines link under the Configure patching button on the upper right.

  3. Select Create patch baseline.

  4. On the Create patch baseline page in the Provide patch baseline details section:

    • Enter a Name for your custom patch baseline, such as: AmazonLinux2SecAndNonSecBaseline.
    • Optionally enter a description, such as: Amazon Linux 2 patch baseline including security and non-security patches.
    • Select Amazon Linux 2 from the list.
  5. In the Approval rules section:

    • Examine the options in the lists and ensure that Product, Classification, and Severity have values of All.
    • Leave the Auto approval delay at its default of 0 days.
    • Change the value of Compliance reporting - optional to Critical.
    • Select Add another rule.
    • In the new rule, change the value of Compliance reporting - optional to Medium.
    • Check the box under Include non-security updates to include all Amazon Linux 2 updates when patching.
    • Note: If an approved patch is reported as missing, the option you select in Compliance reporting, such as Critical or Medium, determines the severity of the compliance violation reported in Systems Manager Compliance.

  6. In the Patch exceptions section:

    • In the Rejected patches - optional text box, enter system-release.
    • In the Rejected patches action - optional section, select Block from the drop-down menu.
    • This rejects patches that would move an instance to a new Amazon Linux release, which could advance it beyond the operating systems Patch Manager supports before you have tested the new release.

  7. For Linux operating systems, you can optionally define an alternative patch source repository.

  8. Select Create patch baseline and you will go to the Patch Baselines page where the AWS provided default patch baselines are displayed. Your custom baseline can be found on the second page.
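The baseline configured in steps 1 to 8, expressed as the equivalent ssm:CreatePatchBaseline request (an added example, not the lab's own code; the SSM client is injected so the request can be inspected without AWS access, and both rules are assumed to include non-security updates):

```python
"""Build the lab's custom Amazon Linux 2 patch baseline as a boto3 request.

Added example, not the lab's own code: the ssm:CreatePatchBaseline parameters
are real, but the client is injected so the request can be inspected offline.
"""
from typing import Any, Dict

BASELINE_NAME = "AmazonLinux2SecAndNonSecBaseline"


def approval_rule(compliance: str, include_non_security: bool) -> Dict[str, Any]:
    """One approval rule: Product/Classification/Severity = All, 0-day delay."""
    return {
        "PatchFilterGroup": {
            "PatchFilters": [
                {"Key": key, "Values": ["*"]}  # "*" is the console's "All"
                for key in ("PRODUCT", "CLASSIFICATION", "SEVERITY")
            ]
        },
        "ComplianceLevel": compliance,  # severity reported when a patch is missing
        "ApproveAfterDays": 0,  # lab default: no auto-approval delay
        "EnableNonSecurity": include_non_security,
    }


def baseline_request() -> Dict[str, Any]:
    """Parameters for ssm.create_patch_baseline matching the lab's console steps."""
    return {
        "OperatingSystem": "AMAZON_LINUX_2",
        "Name": BASELINE_NAME,
        "Description": "Amazon Linux 2 patch baseline including security and non-security patches",
        "ApprovalRules": {
            "PatchRules": [approval_rule("CRITICAL", True), approval_rule("MEDIUM", True)]
        },
        # Reject the package that moves a host to a newer Amazon Linux release.
        "RejectedPatches": ["system-release"],
        "RejectedPatchesAction": "BLOCK",
    }


def blocks_release_upgrade(request: Dict[str, Any]) -> bool:
    """True only if system-release is rejected AND the action is BLOCK."""
    return ("system-release" in request.get("RejectedPatches", [])
            and request.get("RejectedPatchesAction") == "BLOCK")


def create_baseline(ssm_client) -> str:
    """Create the baseline through an injected boto3 SSM client; returns BaselineId."""
    return ssm_client.create_patch_baseline(**baseline_request())["BaselineId"]
```

To run it for real, pass `boto3.client("ssm")` to `create_baseline`; `blocks_release_upgrade` is the check to keep in a pipeline so a later edit cannot silently drop the system-release guard.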

Create and Assign a Patch Group

A patch group is an optional method to organize instances for patching. For example, you can create patch groups for different operating systems (Linux or Windows), different environments (Development, Test, and Production), or different server functions (web servers, file servers, databases) and register each patch group to an appropriate patch baseline. Patch groups help ensure that you are deploying the appropriate patches, based on the associated patch baseline rules, to the correct set of instances. Patch groups can also help you avoid deploying patches before they have been adequately tested.

You create a patch group by using resource tags. Unlike other tagging scenarios across Systems Manager, a patch group must be defined with the tag key: Patch Group (tag keys are case sensitive). You can specify any value (for example, web-servers) but the key must be Patch Group.

Note: A patch group can be registered with only one patch baseline for each operating system type. Additionally, an instance can only be in one patch group.

  1. Navigate to the EC2 Console

  2. Go to Tags on the left navigation panel

  3. Select Manage Tags

  4. Select instances with Name App1 and App2

  5. Add Tag

    • Key: Patch Group

    • Value: App

  6. Select instances with Name Web1 and Web2

  7. Add Tag

    • Key: Patch Group

    • Value: Web

  8. Navigate back to Systems Manager > Patch Manager > Patch Baselines

  9. Select the second page of results and then select the Baseline you created in the previous part (AmazonLinux2SecAndNonSecBaseline)

  10. Go to Actions and Modify Patch Group

  11. Type in App and Add the Patch Group to the Baseline
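The tagging and registration in steps 1 to 11, plus an audit for the case-sensitive tag key the note above warns about (an added example, not the lab's own code; the EC2 and SSM clients are injected so it runs offline, and every instance and baseline id is a placeholder):

```python
"""Tag instances into patch groups and register a group with the custom baseline.
Added example, not the lab's code: real ec2:CreateTags / ssm:RegisterPatchBaselineForPatchGroup
parameters, injected clients so it runs offline, placeholder ids throughout."""
from typing import Dict, List

PATCH_GROUP_KEY = "Patch Group"  # exact, case-sensitive key Patch Manager reads


def tag_patch_group(ec2_client, instance_ids: List[str], group: str) -> None:
    """Apply the Patch Group tag (value App or Web in the lab) to instances."""
    ec2_client.create_tags(Resources=instance_ids,
                           Tags=[{"Key": PATCH_GROUP_KEY, "Value": group}])


def register_group(ssm_client, baseline_id: str, group: str) -> str:
    """Bind one patch group to the baseline; returns the BaselineId echoed back."""
    resp = ssm_client.register_patch_baseline_for_patch_group(
        BaselineId=baseline_id, PatchGroup=group)
    return resp["BaselineId"]


def audit_patch_group_tags(instances: List[Dict]) -> Dict[str, List[str]]:
    """Report instances Patch Manager will not place in a patch group.
    Items mirror ec2:DescribeInstances records reduced to InstanceId and Tags;
    a key differing only in case/spacing ("patch group") is silently ignored."""
    missing, wrong_case = [], []
    wanted = PATCH_GROUP_KEY.replace(" ", "").lower()
    for inst in instances:
        keys = [t["Key"] for t in inst.get("Tags", [])]
        if PATCH_GROUP_KEY in keys:
            continue
        if any(k.replace(" ", "").lower() == wanted for k in keys):
            wrong_case.append(inst["InstanceId"])
        else:
            missing.append(inst["InstanceId"])
    return {"missing": missing, "wrong_case": wrong_case}


# Constructed sample: App1 tagged correctly, Web1 mis-cased key, Web2 untagged.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-app1-placeholder",
     "Tags": [{"Key": "Name", "Value": "App1"}, {"Key": "Patch Group", "Value": "App"}]},
    {"InstanceId": "i-web1-placeholder",
     "Tags": [{"Key": "Name", "Value": "Web1"}, {"Key": "patch group", "Value": "Web"}]},
    {"InstanceId": "i-web2-placeholder", "Tags": [{"Key": "Name", "Value": "Web2"}]},
]
```

Running `audit_patch_group_tags` over the output of `describe_instances` before a maintenance window fires is a cheap way to catch hosts that will be skipped by a patch group target.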

From here you could use the predefined AWS-RunPatchBaseline document to scan or patch your instances. Instead, we are going to chain the capabilities together and use a Maintenance Window to execute the Run Command task with the document mentioned above.

You can also select Configure Patching and link the Patch Baseline to the Maintenance Window. This registers the run task with the maintenance window and also registers the Patch Group as the target. It uses the existing service-linked role AWSServiceRoleForAmazonSSM.