Patching of Windows and Linux EC2 Instances using AWS SSM

Santosh Garole, Globant
Mar 29, 2022

Introduction:

In this article, we will learn how to patch an AWS EC2 fleet using SSM, the native patching solution on the AWS cloud platform. SSM can automate tasks, collect system inventory, apply OS patches and execute scripts without logging in to the instances (Linux or Windows). Usually an admin maintains a bastion instance to log in to other servers, and also manages the keys and passwords used to log in to those instances. With SSM we don’t need a bastion instance to reach other servers (a bastion-free environment), which removes one exposed entry point and gives additional security to all instances.

You may want to read: https://medium.com/globant/secure-rdp-to-ec2-private-instance-using-aws-ssm-d0a1cadd9d6

Below points are covered in this article:

  1. Prerequisites
  2. Abbreviations
  3. AWS Patch Manager
  4. SSM Agent
  5. Block Diagram for Patching
  6. Create an IAM role for EC2
  7. AWS Maintenance windows
  8. Patch Baselines creation
  9. Patching the Instance
  10. Conclusion
  11. References

1. Prerequisites

AWS Cloud Account.

Linux and Windows EC2 instances created and managed via SSM.

2. Abbreviations:

  1. SSM → AWS Systems Manager
  2. IAM → Identity and Access Management
  3. EC2 → Elastic Compute Cloud
  4. SSH → Secure Shell
  5. VM → Virtual Machine

3. AWS Patch Manager

Patch Manager, a capability of AWS Systems Manager, automates the process of patching managed instances with both security-related and other types of updates. You can use Patch Manager to apply patches for both Windows and Linux operating systems. (On Windows Server, application support is limited to updates for applications released by Microsoft.) You can use Patch Manager to install Service Packs on Windows instances and perform minor version upgrades on Linux instances. You can patch fleets of Amazon Elastic Compute Cloud (Amazon EC2) instances or your on-premises servers and virtual machines (VMs) by operating system type. This includes supported versions of Amazon Linux, Amazon Linux 2, CentOS, Debian Server, macOS, Oracle Linux, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server (SLES), Ubuntu Server, and Windows Server. You can scan instances to get only a report of missing patches, or you can scan and automatically install all missing patches.

NOTE: Patch Manager doesn’t support upgrading major versions of operating systems, such as Windows Server 2016 to Windows Server 2019, or SUSE Linux Enterprise Server (SLES) 12.0 to SLES 15.0.

4. SSM Agent

SSM Agent is Amazon software that can be installed and configured on an EC2 instance, an on-premises server, or a VM. SSM Agent makes it possible for Systems Manager to update, manage, and configure these resources. SSM Agent then sends status and execution information back to the Systems Manager service by using the Amazon Message Delivery Service (service prefix: ec2messages). By default, the SSM Agent is preinstalled on the instances created from the following Amazon Machine Images (AMIs):

  • Amazon Linux 1 & Amazon Linux 2
  • Amazon Linux 2 ECS-Optimized Base AMIs
  • macOS 10.14.x (Mojave), 10.15.x (Catalina), and 11.x (Big Sur)
  • Ubuntu Server 16.04, 18.04, and 20.04
  • Windows Server 2008–2012 R2 AMIs published in November 2016 or later
  • Windows Server 2016 and 2019

5. Block Diagram for Patching

Block Diagram

6. Create an IAM Role for EC2

Search for IAM in the AWS console. Once you open IAM you will see the window below:

IAM Dashboard

Click on Roles → Create Role

Creation of IAM

Create the IAM role and attach the AmazonEC2RoleforSSM managed policy as shown below:

Policy Selection

7. AWS Maintenance Windows

A maintenance window is used to define a schedule for when to perform disruptive actions on your instances, such as patching the OS or upgrading drivers. Each maintenance window has a schedule, a duration, and a set of registered targets. Ideally, you want to apply your patches at a time when it has the least effect on your organization. Now that you have successfully set up a role and registered your Amazon EC2 instance with your patch baseline, you will define a maintenance window so that you can control when your Amazon EC2 instances will receive patches. We can avoid all the instances rebooting at the same time by creating multiple maintenance windows and assigning them to different patch groups.

Create a maintenance window as per your requirements:

  1. Use the following command to define a maintenance window. In this example command, the maintenance window will start every Saturday at 10:00 P.M. UTC. It will have a duration of 4 hours and will not start any new tasks 1 hour before the end of the maintenance window.
$ aws ssm create-maintenance-window --name SaturdayNight --schedule "cron(0 22 ? * SAT *)" --duration 4 --cutoff 1 --allow-unassociated-targets

For more information about defining a cron-based schedule for maintenance windows, see Cron and Rate Expressions for Maintenance Windows.

  2. After defining the maintenance window, you must register the Amazon EC2 instance with the maintenance window so that Systems Manager knows which Amazon EC2 instance it should patch in this maintenance window. You can register the instance by using the same Patch Group tag you used to associate the Amazon EC2 instance with the AWS-provided patch baseline, as shown in the following command (the second line is the command's output).

$ aws ssm register-target-with-maintenance-window --window-id YourMaintenanceWindowId --resource-type INSTANCE --targets "Key=tag:Patch Group,Values=Linux Servers"
{"WindowTargetId": "YourWindowTargetId"}

  3. Assign a task to the maintenance window that will install the operating system patches on your Amazon EC2 instance. The following command includes the following options.

  • name is the name of your task and is optional. I named mine Patching.
  • task-arn is the name of the task document you want to run.
  • max-concurrency allows you to specify how many of your Amazon EC2 instances Systems Manager should patch at the same time.
  • max-errors determines when Systems Manager should abort the task. For patching, this number should not be too low, because you do not want your entire patch task to stop on all instances if one instance fails. You can set this, for example, to 20%.
  • service-role-arn is the Amazon Resource Name (ARN) of the AmazonSSMMaintenanceWindowRole role you created earlier in this blog post.
  • task-invocation-parameters defines the parameters that are specific to the AWS-RunPatchBaseline task document and tells Systems Manager that you want to install patches with a timeout of 600 seconds (10 minutes).

$ aws ssm register-task-with-maintenance-window --name "Patching" \
    --window-id "YourMaintenanceWindowId" \
    --targets "Key=WindowTargetIds,Values=YourWindowTargetId" \
    --task-arn AWS-RunPatchBaseline \
    --service-role-arn "arn:aws:iam::123456789012:role/MaintenanceWindowRole" \
    --task-type "RUN_COMMAND" \
    --task-invocation-parameters "RunCommand={Comment=,TimeoutSeconds=600,Parameters={SnapshotId=[''],Operation=[Install]}}" \
    --max-concurrency "500" --max-errors "20%"
{"WindowTaskId": "YourWindowTaskId"}
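The three CLI steps above chained in one script, as an added example that is not part of the original article: it creates the window, registers the Patch Group tag as its target and attaches the AWS-RunPatchBaseline Install task, passing each returned id into the next call instead of copying it by hand. It assumes a boto3 SSM client (or any object exposing the same three methods); the function name is hypothetical.

```python
# Hypothetical helper written for this article's section 7 (not AWS code).
PATCH_DOCUMENT = "AWS-RunPatchBaseline"


def schedule_patch_window(ssm, name, cron, duration_hours, cutoff_hours,
                          patch_group, service_role_arn,
                          max_concurrency="500", max_errors="20%",
                          timeout_seconds=600):
    """Create a maintenance window, register the Patch Group tag as its
    target and attach an AWS-RunPatchBaseline Install task.
    Returns the three ids so they can be recorded with the change record."""
    if cutoff_hours >= duration_hours:
        raise ValueError("cutoff must leave time inside the window for tasks")
    window = ssm.create_maintenance_window(
        Name=name, Schedule=cron, Duration=duration_hours,
        Cutoff=cutoff_hours,
        AllowUnassociatedTargets=True)  # same flag as the article's command
    window_id = window["WindowId"]
    # Target by tag so newly tagged instances fall into the window automatically.
    target = ssm.register_target_with_maintenance_window(
        WindowId=window_id, ResourceType="INSTANCE",
        Targets=[{"Key": "tag:Patch Group", "Values": [patch_group]}])
    target_id = target["WindowTargetId"]
    task = ssm.register_task_with_maintenance_window(
        Name="Patching", WindowId=window_id,
        Targets=[{"Key": "WindowTargetIds", "Values": [target_id]}],
        TaskArn=PATCH_DOCUMENT, ServiceRoleArn=service_role_arn,
        TaskType="RUN_COMMAND",
        TaskInvocationParameters={"RunCommand": {
            "Comment": f"Install patches for {patch_group}",
            "TimeoutSeconds": timeout_seconds,
            "Parameters": {"Operation": ["Install"]}}},
        MaxConcurrency=max_concurrency, MaxErrors=max_errors)
    return {"window_id": window_id, "target_id": target_id,
            "task_id": task["WindowTaskId"]}


if __name__ == "__main__":
    import boto3  # only needed for a real run against an account
    ids = schedule_patch_window(
        boto3.client("ssm"), "SaturdayNight", "cron(0 22 ? * SAT *)", 4, 1,
        "Linux Servers",
        "arn:aws:iam::123456789012:role/MaintenanceWindowRole")
    print(ids)
```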

8. Patch Baseline creation

Creating a custom patch baseline is optional: if you want to follow your own standard rules you can create one, otherwise use the AWS-provided baseline.

If you create your own patch baseline, you can choose which patches to auto-approve by using the following categories.

  • Operating system: Windows, Amazon Linux, Ubuntu Server, and so on.
  • Product name (for operating systems): For example, RHEL 6.5, Amazon Linux 2014.09, Windows Server 2012, Windows Server 2012 R2, and so on.
  • Product name (for applications released by Microsoft on Windows Server only): For example, Word 2016, BizTalk Server, and so on.
  • Classification: For example, critical updates, security updates, and so on.
  • Severity: For example, critical, important, and so on.

For each approval rule that you create, you can choose to specify an auto-approval delay or specify a patch approval cutoff date.
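A custom baseline built from the categories above, as an added example that is not part of the original article: one approval rule filtered on classification and severity with an auto-approval delay, then bound to a Patch Group. It assumes a boto3 SSM client; the function names and the two-OS filter table are hypothetical and cover only Windows and Amazon Linux 2, whose filter keys differ.

```python
# Hypothetical helper for this article's section 8 (not from AWS or the article).
# Filter keys differ by OS family: Windows keeps severity under MSRC_SEVERITY
# and uses Windows Update classification names; Amazon Linux 2 uses SEVERITY.
_OS_FILTERS = {
    "WINDOWS": ("MSRC_SEVERITY", ["SecurityUpdates", "CriticalUpdates"]),
    "AMAZON_LINUX_2": ("SEVERITY", ["Security"]),
}


def build_security_baseline(os_name, name, approve_after_days=7,
                            severities=("Critical", "Important")):
    """Return the create_patch_baseline request for a baseline that
    auto-approves security patches of the given severities after a delay."""
    if os_name not in _OS_FILTERS:
        raise ValueError(f"no filter mapping defined for {os_name}")
    if not 0 <= approve_after_days <= 360:  # documented ApproveAfterDays range
        raise ValueError("approve_after_days must be between 0 and 360")
    severity_key, classifications = _OS_FILTERS[os_name]
    return {
        "Name": name,
        "OperatingSystem": os_name,
        "Description": f"Auto-approve {os_name} security patches after "
                       f"{approve_after_days} days",
        "ApprovalRules": {"PatchRules": [{
            "PatchFilterGroup": {"PatchFilters": [
                {"Key": "CLASSIFICATION", "Values": classifications},
                {"Key": severity_key, "Values": list(severities)},
            ]},
            "ApproveAfterDays": approve_after_days,
            # A missing patch approved by this rule is reported as CRITICAL
            # non-compliance in scan results, so it is hard to overlook.
            "ComplianceLevel": "CRITICAL",
            "EnableNonSecurity": False,
        }]},
    }


def create_and_attach_baseline(ssm, os_name, name, patch_group, **rule_kwargs):
    """Create the baseline and bind it to a Patch Group tag value so instances
    carrying that tag are evaluated against it instead of the AWS default."""
    request = build_security_baseline(os_name, name, **rule_kwargs)
    baseline_id = ssm.create_patch_baseline(**request)["BaselineId"]
    ssm.register_patch_baseline_for_patch_group(
        BaselineId=baseline_id, PatchGroup=patch_group)
    return baseline_id


if __name__ == "__main__":
    import boto3  # only needed for a real run against an account
    print(create_and_attach_baseline(boto3.client("ssm"), "AMAZON_LINUX_2",
                                     "LinuxSecurityBaseline", "Linux Servers"))
```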

9. Patching the instance

To verify patch compliance, a system scan has to be performed:

  • Go To EC2->Run Command and click “Run Command”

Below is the result of scanned EC2 instances:
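The same scan and result check done outside the console, as an added example that is not part of the original article: it runs AWS-RunPatchBaseline with Operation=Scan against a Patch Group and reduces the per-instance patch state records to a compliance verdict. It assumes a boto3 SSM client (or an object with the same three methods); the function names and the sample records are constructed.

```python
# Hypothetical helper for this article's section 9 (not from AWS or the article).
PATCH_DOCUMENT = "AWS-RunPatchBaseline"


def start_patch_scan(ssm, patch_group):
    """Operation=Scan reports missing patches without installing anything,
    so it is safe to run outside a maintenance window."""
    resp = ssm.send_command(
        DocumentName=PATCH_DOCUMENT,
        Targets=[{"Key": "tag:Patch Group", "Values": [patch_group]}],
        Parameters={"Operation": ["Scan"]},
        Comment=f"Compliance scan for {patch_group}")
    return resp["Command"]["CommandId"]


def patch_states(ssm, patch_group):
    """Page through the per-instance patch state records for the group."""
    kwargs = {"PatchGroup": patch_group}
    while True:
        page = ssm.describe_instance_patch_states_for_patch_group(**kwargs)
        yield from page.get("InstancePatchStates", [])
        token = page.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token


def compliance_report(states):
    """Classify each instance. Patches installed but pending a reboot are
    not yet effective: the unpatched code is still what is running."""
    report = {}
    for s in states:
        missing = s.get("MissingCount", 0)
        failed = s.get("FailedCount", 0)
        pending = s.get("InstalledPendingRebootCount", 0)
        if failed:
            status = "FAILED"
        elif missing:
            status = "MISSING"
        elif pending:
            status = "PENDING_REBOOT"
        else:
            status = "COMPLIANT"
        report[s["InstanceId"]] = {"status": status, "missing": missing,
                                   "failed": failed, "pending_reboot": pending}
    return report


if __name__ == "__main__":
    import boto3  # only needed for a real run against an account
    client = boto3.client("ssm")
    print(start_patch_scan(client, "Linux Servers"))
    print(compliance_report(patch_states(client, "Linux Servers")))
```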

10. Conclusion

In this article, I covered a simple scenario of setting up the AWS Systems Manager (SSM) Patch Manager service to install patches to a Windows server on a regular basis. We performed all the configurations via PowerShell, but you can also use the AWS CLI and the console to perform these tasks. This may seem a daunting process at first, due to all the various objects we had to configure, but I encourage you to copy the code described here and create your own scripts from it. You’ll see that once you have the base code working, you’ll be able to configure it much more easily later.

11. References

  1. https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-patch.html
  2. https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-walk-patch-linux-ami-console.html
  3. https://aws.amazon.com/blogs/security/how-to-patch-linux-workloads-on-aws/
