AWS Patch Manager

Maintaining a secure and up-to-date IT infrastructure is crucial for every organization in today’s fast-paced digital world. However, scanning for vulnerabilities and applying patches is a time-consuming job, and that is where AWS Patch Manager comes into play. In this blog post, we will explore the capabilities of AWS Patch Manager, its features, and its use cases in simplifying patch management for AWS users.

Understanding AWS Patch Manager:

AWS Patch Manager is a fully AWS-managed service that automates patching of Amazon EC2 instances, on-premises servers, edge devices, and virtual machines (VMs). It provides a unified solution for managing patches across different platforms, making it easier to maintain the security and compliance of your infrastructure. It supports both Linux and Windows Server, and you can keep Linux and Windows patching separate by targeting each group with AWS tags.

Patch Manager prerequisites:

A few prerequisites need to be completed before using Patch Manager (a running SSM Agent, an IAM instance role, and tags on the instances); the steps below walk through them.

Key Features of AWS Patch Manager:

  • Automated Patching: AWS Patch Manager automates the patching process for your EC2 instances, on-premises servers, and VMs. This removes the need for manual intervention, saving time and reducing the risk of human error; you only need to monitor the status. It can also send a report to your configured email address through an SNS topic.
  • Centralized Patch Management: With Patch Manager, patching is managed from an AWS Patch Manager console. This allows you to maintain a consistent patching strategy across your entire infrastructure and ensures that critical updates are deployed in a consistent and timely manner.
  • Patch Compliance Monitoring: The service provides comprehensive visibility into the patch compliance status of your managed instances. You can easily track in the dashboard which instances are missing patches, identify vulnerabilities, and take necessary actions to remediate them efficiently.
  • Flexible Scheduling using Maintenance Windows: AWS Patch Manager lets you create maintenance windows and specify the preferred time for patch installations. This ensures minimal disruption to your production environment and lets you align patching activities with your organization’s operational requirements: schedule the automated patching outside business hours and simply track the status.


Let's get started with a practical demonstration of AWS Patch Manager. Here we cover how to get started with AWS Patch Manager and how to automate patching using different methods.

Steps to Follow

  • Create two EC2 instances with the latest Amazon Linux AMI. You can follow our step-by-step guide to creating an EC2 instance. Skip this step if you already have EC2 instances in your account. Wait a few minutes until the instances are running.

  • Connect to your instances using EC2 Instance Connect, or use your SSH key pair. Check the status of the AWS SSM Agent and start the service if it is not running.

sudo systemctl status amazon-ssm-agent    # check the agent status
sudo systemctl start amazon-ssm-agent     # start the service if it is not running


  • Create an IAM role for EC2 that grants access to the SSM service

Choose Trusted entity type: AWS service; Use case: EC2; then choose Next.

Under Add permissions, type SSM in the search box and select AmazonSSMFullAccess and AmazonSSMManagedInstanceCore. After your initial testing, tighten this to fine-grained access by removing AmazonSSMFullAccess.

On the same page, after selecting the SSM-related permissions, search for S3 and choose AmazonS3FullAccess. Note that you should replace this with fine-grained access after your initial testing: create a specific bucket to store your SSM patching output and grant access to that bucket only.

Provide a role name and description of your choice, review the permissions, and choose Create role.


  • Attach the IAM role to EC2

We have now created an IAM role that gives EC2 access to SSM and S3. This role needs to be attached to the running EC2 instance.

Go back to the EC2 page, select the instance, and choose Actions -> Security -> Modify IAM role.

From the dropdown menu, select the role you just created and choose Update IAM role.

This step needs to be completed on all EC2 instances.

  • Add Patching Tag

Select the instance and choose Tags -> Manage tags.

Click Add new tag and add a tag with key Patching and value yes. Choose Save.

You can review the tag in the Tags tab.

Repeat this step on the other EC2 instances as well.
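The IAM role, role attachment and Patching=yes tag steps above as AWS CLI calls, added here as an example (not code from the original post): it attaches AmazonSSMManagedInstanceCore and replaces AmazonS3FullAccess with the bucket-scoped policy the post says to apply after testing. The role name and bucket name are placeholders, and the S3 actions chosen are my assumption of the minimum the agent needs.

```shell
# Added example, not from the original post: the IAM role, role attachment and
# Patching=yes tag steps above as AWS CLI calls, with AmazonS3FullAccess replaced
# by a bucket-scoped policy as the post advises. Names below are placeholders.
set -eu
ROLE_NAME="EC2-SSM-Patching-Role"       # placeholder
OUTPUT_BUCKET="my-patch-output-bucket"  # placeholder: bucket for patch output

# Trust policy: only the EC2 service may assume this role.
ec2_trust_policy() {
  cat <<'EOF'
{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}
EOF
}
# Scoped replacement for AmazonS3FullAccess: only the S3 actions the SSM agent
# needs to write command output (assumed set), and only on the one bucket.
s3_output_policy() {
  cat <<EOF
{"Version":"2012-10-17","Statement":[
 {"Effect":"Allow","Action":["s3:PutObject","s3:PutObjectAcl"],
  "Resource":"arn:aws:s3:::$1/*"},
 {"Effect":"Allow","Action":"s3:GetEncryptionConfiguration",
  "Resource":"arn:aws:s3:::$1"}]}
EOF
}
create_patching_role() {
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(ec2_trust_policy)" >/dev/null
  aws iam attach-role-policy --role-name "$ROLE_NAME" \
    --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name PatchOutputToS3 \
    --policy-document "$(s3_output_policy "$OUTPUT_BUCKET")"
  # EC2 attaches a role through an instance profile; give it the same name.
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME" >/dev/null
  aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
}
# Attach the profile to every instance already tagged Patching=yes.
attach_to_tagged_instances() {
  for id in $(aws ec2 describe-instances --filters Name=tag:Patching,Values=yes \
      --query 'Reservations[].Instances[].InstanceId' --output text); do
    aws ec2 associate-iam-instance-profile --instance-id "$id" \
      --iam-instance-profile "Name=$ROLE_NAME"
  done
}
if [ "${1:-}" = "apply" ]; then   # run bare, the file only defines the functions
  create_patching_role
  attach_to_tagged_instances
fi
```

Run it with the single argument apply after filling in the placeholders; IAM is eventually consistent, so the association step may need a retry a few seconds after the profile is created.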

  • Search for AWS Systems Manager in the AWS console and select Fleet Manager from the left side of the screen. All your instances appear in that console; it might take a few minutes for them to show up in Systems Manager.

AWS Patch Manager Using Patch Policy

Select Patch Manager from the left side of the screen and choose Create patch policy.

Choose the Region and click Get started.

Under Create patch policy, set the Configuration name to LinuxPatching.

Under Scanning and installation, set Patch operation to Scan and install.

Set Scanning schedule to Custom scanning schedule.

Choose Cron expression and enter cron(45 17 * * ? *); adjust the time to your requirement. The times are in UTC. Use a cron expression for both the scan and the install schedules.

Select Reboot if needed.

Under Patch baseline, use the recommended defaults.

Under Patching log storage, select Write output to S3 bucket and pick a bucket if you have one, or skip this.

Under Targets, choose Current Region. AWS now also lets you include instances from other Regions, which saves time and configuration in each Region and lets you manage everything from a central Region.

Under Rate control, set Concurrency (the number or percentage of nodes on which the patch policy runs at the same time) and Error threshold (the number or percentage of nodes allowed to fail before the patch policy fails).

Instance profile options: select the checkbox.

Check the summary and choose Create.

After creating the Policy you can review it and edit it if required.

You can check the Status and Settings.

Under Settings you can review the patching and scanning times, the reboot action, the concurrency, and the nodes on which automated patching will run.

Note that the times in the cron expressions are in UTC. Check the status of your patching against UTC time; otherwise it can create confusion.

This is a new method that AWS introduced in December 2022.
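Once a scan or install has run, the compliance view described above can be checked from the CLI as well. This is an added example, not code from the original post: it filters the text output of describe-instance-patch-states for instances that still have missing or failed patches. The sample rows are constructed, and the script assumes the AWS CLI is configured for the Region the policy targets.

```shell
# Added example, not from the original post: after a scan or install run, list
# the instances that are still missing patches or had failures, from the text
# output of describe-instance-patch-states. The sample rows are constructed.
set -eu

# One tab-separated row per instance: InstanceId MissingCount FailedCount Operation EndTime
fetch_patch_states() {
  aws ssm describe-instance-patch-states --instance-ids "$@" \
    --query 'InstancePatchStates[].[InstanceId,MissingCount,FailedCount,Operation,OperationEndTime]' \
    --output text
}

# Print only non-compliant rows; exit 1 when any were found so the function
# can gate a pipeline step or raise an alert.
report_noncompliant() {
  awk -F'\t' '$2 > 0 || $3 > 0 {
      printf "%s missing=%s failed=%s (%s at %s)\n", $1, $2, $3, $4, $5; bad++ }
    END { exit bad > 0 }'
}

# Constructed sample standing in for fetch_patch_states output (times follow
# the 17:45 UTC scan configured in the policy above).
SAMPLE_STATES=$(printf '%s\t%s\t%s\t%s\t%s\n' \
  i-0aaa111 0 0 Install 2024-01-15T17:52:00Z \
  i-0bbb222 3 0 Scan    2024-01-15T17:46:00Z \
  i-0ccc333 0 1 Install 2024-01-15T17:55:00Z)

noncompliant_count() {   # number of non-compliant rows in the text given as $1
  printf '%s\n' "$1" | report_noncompliant | wc -l | tr -d ' '
}

if [ "${1:-}" = "live" ]; then   # live <instance-id>...: query the real account
  shift; fetch_patch_states "$@" | report_noncompliant
else
  printf '%s\n' "$SAMPLE_STATES" | report_noncompliant || echo "non-compliant instances found"
fi
```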

AWS Patch Manager Using Patch Now

This is the good old way to patch AWS EC2 instances. Go to Patch Manager -> Patch baselines.

Here you can create your own custom Patch Baseline or you can use AWS Provided default Patch Baseline.

Patch baselines are operating-system specific; the baseline is selected automatically according to the OS of your EC2 instance.

On the Patch Manager page, click the Patch now button.

Under Patch instances now, set Patching operation to Scan and install.

Reboot option -> Reboot if needed

Instances to patch -> Patch all instances. This selects all managed instances.

Click Patch now.

Use maintenance windows if you want to schedule patching after business hours or during the weekend.

Choose Maintenance Windows -> Create maintenance window

Provide a name and description -> LinuxPatchMW

Unregistered targets -> Allow unregistered targets

Schedule -> CRON/Rate expression -> cron(09 19 * * ? *). Choose this according to your requirement; the time is in UTC.

Duration -> 1 hour. Choose this according to the time needed to complete patching on your EC2 instances; Windows EC2 instances typically take longer to install patches than Linux ones.

Choose Create maintenance window.

Open the maintenance window, choose Tasks, then Register tasks.

Choose Register Run command task and provide a name for the task.

Select AWS-RunPatchBaseline as the command document.

Under Targets, select unregistered targets. You can also select registered target groups, chosen by patch group, instance tags, or manually.

Under Rate control, set Concurrency and Error threshold as needed.

Choose the IAM service role.

Output options -> Write to S3 if you want to store the output in S3.

SNS notifications -> enable them if you want email or another form of notification through SNS.

Under Parameters -> Operation -> Install

Reboot option -> RebootIfNeeded

Choose Register Run command task.

If you run into an issue with the IAM role, create another role for Systems Manager that has access to EC2, Systems Manager, and S3.

Click the window execution ID and choose View details.

You can check the output or error message (if any) for every single EC2 instance.

You can now edit your maintenance window schedule for your next patching cycle.
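The maintenance window steps above as AWS CLI calls, added here as an example (not code from the original post), together with a small helper that turns a local time into the UTC cron expression the window expects, since the UTC requirement is the usual source of confusion. It assumes the Patching=yes tag from the earlier steps; the bucket name, service role ARN and the IST example offset are placeholders and assumptions.

```shell
# Added example, not from the original post: the maintenance-window steps above
# as AWS CLI calls, plus a helper for the UTC cron times the post warns about.
# Assumes the Patching=yes tag from earlier; bucket and role ARN are placeholders.
set -eu
REGION="${AWS_REGION:-us-east-1}"
OUTPUT_BUCKET="my-patch-output-bucket"                                  # placeholder
MW_ROLE_ARN="arn:aws:iam::123456789012:role/SSMMaintenanceWindowRole"   # placeholder

# Maintenance windows take cron() in UTC. Convert a local HH:MM plus the local
# offset from UTC in minutes (IST = 330, EDT = -240) into the daily cron string.
local_to_utc_cron() {
  local h="${1%%:*}" m="${1##*:}" total
  total=$(( 10#$h * 60 + 10#$m - $2 ))
  total=$(( (total % 1440 + 1440) % 1440 ))        # wrap across midnight
  printf 'cron(%d %d * * ? *)\n' $(( total % 60 )) $(( total / 60 ))
}

create_patch_window() {
  local schedule="$1" window_id target_id
  window_id=$(aws ssm create-maintenance-window --region "$REGION" \
    --name LinuxPatchMW --description "Linux patching after business hours" \
    --schedule "$schedule" --duration 1 --cutoff 0 --allow-unassociated-targets \
    --query WindowId --output text)
  # Register every instance tagged Patching=yes as the window's target group.
  target_id=$(aws ssm register-target-with-maintenance-window --region "$REGION" \
    --window-id "$window_id" --resource-type INSTANCE \
    --targets Key=tag:Patching,Values=yes --query WindowTargetId --output text)
  # AWS-RunPatchBaseline with Operation=Install and RebootIfNeeded, as in the console.
  aws ssm register-task-with-maintenance-window --region "$REGION" \
    --window-id "$window_id" --task-type RUN_COMMAND --task-arn AWS-RunPatchBaseline \
    --name InstallPatches --targets "Key=WindowTargetIds,Values=$target_id" \
    --service-role-arn "$MW_ROLE_ARN" --max-concurrency 50% --max-errors 10% \
    --priority 1 --task-invocation-parameters "{\"RunCommand\":{\"Parameters\":
      {\"Operation\":[\"Install\"],\"RebootOption\":[\"RebootIfNeeded\"]},
      \"OutputS3BucketName\":\"$OUTPUT_BUCKET\",\"OutputS3KeyPrefix\":\"patching\"}}" \
    --query WindowTaskId --output text
}

if [ "${1:-}" = "apply" ]; then   # run bare, the file only defines the helpers
  create_patch_window "$(local_to_utc_cron 19:09 330)"   # 19:09 IST = 13:39 UTC
fi
```

Run it with the single argument apply once the placeholders are filled in; the concurrency and error threshold values are the ones to tune for your fleet size.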

Conclusion

AWS Patch Manager offers a robust solution for patch management best practices across your infrastructure, enabling you to maintain a secure and compliant environment. Automated patching enhances security, optimizes resource utilization, and reduces the risk of security breaches. Embracing AWS Patch Manager empowers organizations to stay one step ahead in the constantly evolving cybersecurity landscape. Use this AWS Systems Manager capability to simplify your patch management journey and focus on driving your business forward with confidence.
Hope this helps you in your patching automation process. Please check our website for valuable knowledge and trending information about the latest technologies.
