Amazon Web Services (AWS) Systems Manager (SSM) is a time-saving cloud service that allows server administrators to keep their AWS Elastic Compute Cloud (EC2) and on-prem servers patched. SSM is handy because AWS maintains all the infrastructure; you simply install an agent on your cloud and on-prem servers and manage software patches either from the AWS Management Console or via the command line.

Let's check out how we can set up SSM to scan for and report on installed and missing Windows patches on your Windows Server EC2 instances.

One of the first tasks is to make sure the SSM agent is installed on your Windows Server EC2 instances. Unlike on-prem servers, where you'll need to install the agent yourself, all Windows Server EC2 instances already have the SSM agent installed. Knowing that you have the SSM agent installed, your next step is to begin building out the components you need in AWS. But first, make sure you've already set up SSM access, since I'll assume this is the case throughout the article.

Tagging EC2 instances

At some point, SSM needs to know how to break up your patch targets into groups so it knows which instances to scan and patch. It's a good idea to begin tagging your EC2 instances now. How you tag your instances is up to you, but one way to tag for patching is to define a tag called UpdateGroup. You can then set the value of the tag to the various group names you'll be targeting later. In this example, I'll be tagging my EC2 instances with the UpdateGroup tag and a value of CriticalPatches to indicate the kinds of patches I'd like applied to those instances.

For more information on tagging, check out the AWS documentation.

Maintenance windows

Once you've set up the tags on your instances, you can create a maintenance window. A maintenance window allows you to control when SSM installs patches. To do this, log into your AWS Management Console, head over to the Systems Manager service, and click on Create Maintenance Window. On this screen, you can define the name, how long the maintenance window should last, and how frequently the window should open. In the example below, I'm calling my maintenance window Nightly and opening it for two hours every Sunday at 3:00 a.m.

Creating a maintenance window

Creating a patch baseline

Once you've created a maintenance window, the next step is to create a patch baseline. A patch baseline defines the patches to install on your EC2 instances and offers a lot of options, depending on your internal patching process. For this article, you'll create a baseline only for Windows Server EC2 instances, containing only critical updates, with auto-approval after two days.

The first step is to head to the Patch Manager section of Systems Manager and click on Configure patching. Once you're there, it'll prompt you to select how to target instances (I'll be using tags), the previously created maintenance window, and whether you'd like to only scan for patches or also install them. For this article, I'll just be scanning for patches.

Defining update groups

Once I'm happy with the settings, I'll click on Configure patching to continue with the process. On the next screen, I'll define the baseline name, OS type, and auto-approval settings.

Creating the patch baseline

Running a compliance check

Once you've set up the patch baseline, you can now force a compliance check, which will begin scanning all instances you've targeted. To do this, within the Systems Manager section, click on Run Command under Actions. Once you're there, you'll need to find a command document. You're looking for one called AWS-RunPatchBaseline.

Running a command

Once you've found the AWS-RunPatchBaseline command document, ensure the operation is set to Scan, ensure you've selected the tag name defined earlier, and click Run. This will kick off the compliance scan.

Setting up the Run command

Once it's complete, you can then click on the Command history tab, find the command ID that just ran, click on an instance ID, and then check out the output of the scan.

Command history

Viewing scan results
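The same scan-only run, and a check of what it reports, can be scripted. The following is an added example written for this article using boto3; it is not code from the article or from AWS, and it assumes the UpdateGroup=CriticalPatches tag defined above and an AWS profile that already has SSM access.

```python
"""Kick off an AWS-RunPatchBaseline scan by tag and summarise the result.

Assumes the UpdateGroup=CriticalPatches tag from the article. boto3 is
only needed for the live calls, so the helpers run without credentials.
"""
try:
    import boto3  # used only by run_scan() and the __main__ block
except ImportError:
    boto3 = None

DOCUMENT = "AWS-RunPatchBaseline"


def build_scan_request(tag_key="UpdateGroup", tag_value="CriticalPatches"):
    """Parameters for ssm.send_command matching the console's Run Command
    screen: Operation=Scan (no install), targeted by tag, not instance ID."""
    return {
        "DocumentName": DOCUMENT,
        "Targets": [{"Key": f"tag:{tag_key}", "Values": [tag_value]}],
        "Parameters": {"Operation": ["Scan"]},
        "MaxConcurrency": "50%",  # limit how many instances scan at once
        "MaxErrors": "0",         # stop dispatching on the first failure
        "Comment": f"Compliance scan for {tag_key}={tag_value}",
    }


def summarize_patch_states(states):
    """Reduce DescribeInstancePatchStates items to the instances that still
    have missing or failed patches against their baseline."""
    non_compliant = {}
    for s in states:
        missing = s.get("MissingCount", 0)
        failed = s.get("FailedCount", 0)
        if missing or failed:
            non_compliant[s["InstanceId"]] = {
                "missing": missing,
                "failed": failed,
                "critical": s.get("CriticalNonCompliantCount", 0),
            }
    return non_compliant


def run_scan(ssm, tag_key="UpdateGroup", tag_value="CriticalPatches"):
    """Live path: send the scan and return the command ID you would otherwise
    look up under Run Command > Command history in the console."""
    resp = ssm.send_command(**build_scan_request(tag_key, tag_value))
    return resp["Command"]["CommandId"]


if __name__ == "__main__" and boto3 is not None:
    print("scan command id:", run_scan(boto3.client("ssm")))
```

After the command finishes, feed the `InstancePatchStates` list from `ssm.describe_instance_patch_states(InstanceIds=[...])` into `summarize_patch_states` to get the instances still missing patches.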


Summary

At this point, you should have an understanding of what it takes to get AWS Systems Manager's Patch Manager service set up for one or more EC2 instances. There's a lot more to SSM Patch Manager, so if you'd like to learn more, I encourage you to look at this informative AWS blog article, which also covers using the command-line interface (CLI).



© 4sysops 2006 - 2022
