AWS Systems Manager Patch Manager automates the process of patching managed instances. In the previous article, we saw how to use the predefined baselines to patch Windows and Linux instances with the “Patch now” method. In this article, we see how to group instances and schedule patching based on the patch group. AWS SSM can patch fleets of Amazon EC2 instances or your on-premises servers and virtual machines (VMs) by operating system type. This includes supported versions of Windows, Amazon Linux, Amazon Linux 2, CentOS, Debian Server, Oracle Linux, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server (SLES), and Ubuntu Server. You can scan instances to see only a report of missing patches, or you can scan and automatically install all missing patches. You can target instances individually or in large groups by using resource tags or Resource Groups.
RESOURCE GROUPS
You can use resource groups to organize your AWS resources. Resource groups make it easier to manage, monitor, and automate tasks on large numbers of resources at one time. AWS Resource Groups provides two general methods for defining a resource group. Both methods involve using a query to identify the members of a group. The first method relies on tags applied to AWS resources to add resources to a group. Using this method, you apply the same tag key-value pairs to resources of various types in your account and then use the AWS Resource Groups service to create a group based on that tag pair or multiple pairs.
1. Create a new resource group.
2. Select tag-based resources. In most environments, instances are classified by environment type (DEV, QA, PROD). Here I fetched the instances that carry the tag “Patch Group: DEV” and added them to the patch group.
Note: each EC2 / SSM managed instance must carry the tag “Patch Group: DEV”.
3. Enter the new resource group name to group the resources.
AWS Systems Manager – Set Patch Baselines.
To associate a specific patch baseline with your managed nodes, you must add the patch group value to the patch baseline. By registering the patch group with a patch baseline, you can ensure that the correct patches are installed during a patching operation.
1. Navigate to AWS Systems Manager -> Patch Manager. For Windows, click on the highlighted default patch baseline provided by AWS. Select the patch baseline.
2. Click on Actions -> Modify patch groups.
3. Enter the tag value you added to your managed nodes in the previous section, then choose Add.
Configure patching and set up the maintenance window
1. In SSM, go to Patch Manager -> Dashboard -> Configure patching. Choose “Select a patch group” and pick the patch group from the drop-down.
2. Select the CRON scheduler and enter a maintenance window name for future use. Select the patching operation “Scan and install”.
Click Configure patching to set up weekly patching for all the DEV instances. Every Saturday at 12 AM, the selected instances will be patched within the defined maintenance window.
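The console steps in the three sections above (resource group, patch group registration, maintenance window) have a direct AWS CLI equivalent. The script below is an added example and is not code from the original article: it creates the tag-based resource group, registers the patch group with a baseline, and builds the Saturday 12 AM maintenance window with an AWS-RunPatchBaseline install task targeting that resource group. Every call goes through $AWS_CMD, so setting AWS_CMD=dry_run_aws prints the commands instead of executing them; the function names, the default region, the window duration/cutoff values and the baseline ID in the usage line are my own placeholders, not values from the article.

```shell
#!/bin/sh
# Added example (not the article's own code): AWS CLI equivalent of the console
# steps for patch-group scheduling. Set AWS_CMD=dry_run_aws to preview the calls.
set -eu

AWS_CMD="${AWS_CMD:-aws}"
REGION="${AWS_REGION:-us-east-1}"      # assumption: adjust to your region
TAG_KEY="Patch Group"                  # the tag key Patch Manager evaluates

# Prints the command instead of running it, for previews and offline testing.
dry_run_aws() { printf '%s\n' "$*"; }

# Escape a JSON document so it can be embedded as a JSON string value.
json_escape() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# Step 1 (Resource Groups): tag-based group of EC2 instances with "Patch Group: <value>".
# TAG_FILTERS_1_0 carries the filter as a JSON string nested inside the query JSON.
create_patch_group_resource_group() {
    group_name="$1"; tag_value="$2"
    query="{\"ResourceTypeFilters\":[\"AWS::EC2::Instance\"],\"TagFilters\":[{\"Key\":\"$TAG_KEY\",\"Values\":[\"$tag_value\"]}]}"
    $AWS_CMD resource-groups create-group --region "$REGION" \
        --name "$group_name" \
        --resource-query "{\"Type\":\"TAG_FILTERS_1_0\",\"Query\":\"$(json_escape "$query")\"}"
}

# Step 2 (Patch Manager): register the patch group with a baseline. A patch group
# can be registered with only one baseline per operating system.
register_patch_group() {
    baseline_id="$1"; patch_group="$2"
    $AWS_CMD ssm register-patch-baseline-for-patch-group --region "$REGION" \
        --baseline-id "$baseline_id" --patch-group "$patch_group"
}

# Maintenance-window cron has six fields: minute hour day-of-month month day-of-week year.
weekly_cron() {
    day="$1"; hour="$2"     # e.g. SAT 0 -> every Saturday at 12 AM
    printf 'cron(0 %s ? * %s *)' "$hour" "$day"
}

# Step 3 (Maintenance Windows): the window, its target (the resource group) and the patch task.
create_weekly_window() {
    name="$1"
    $AWS_CMD ssm create-maintenance-window --region "$REGION" --name "$name" \
        --schedule "$(weekly_cron SAT 0)" --schedule-timezone UTC \
        --duration 3 --cutoff 1 --no-allow-unassociated-targets \
        --query WindowId --output text
}

register_window_target() {
    window_id="$1"; group_name="$2"
    $AWS_CMD ssm register-target-with-maintenance-window --region "$REGION" \
        --window-id "$window_id" --resource-type INSTANCE \
        --targets "Key=resource-groups:Name,Values=$group_name" \
        --query WindowTargetId --output text
}

register_patch_task() {
    window_id="$1"; target_id="$2"; operation="$3"    # Scan or Install
    $AWS_CMD ssm register-task-with-maintenance-window --region "$REGION" \
        --window-id "$window_id" --targets "Key=WindowTargetIds,Values=$target_id" \
        --task-type RUN_COMMAND --task-arn AWS-RunPatchBaseline --priority 1 \
        --max-concurrency 25% --max-errors 10% \
        --task-invocation-parameters "{\"RunCommand\":{\"Parameters\":{\"Operation\":[\"$operation\"],\"RebootOption\":[\"RebootIfNeeded\"]}}}"
}

# End to end: group -> baseline registration -> weekly install window for one patch group.
schedule_patch_group() {
    patch_group="$1"; baseline_id="$2"
    group_name="${patch_group}-patch-group"
    create_patch_group_resource_group "$group_name" "$patch_group" >/dev/null
    register_patch_group "$baseline_id" "$patch_group" >/dev/null
    window_id=$(create_weekly_window "${patch_group}-weekly-patching")
    target_id=$(register_window_target "$window_id" "$group_name")
    register_patch_task "$window_id" "$target_id" Install
}

# Usage: ./patch_schedule.sh apply DEV pb-0123456789abcdef0   (placeholder baseline ID)
if [ "${1:-}" = "apply" ]; then
    schedule_patch_group "$2" "$3"
fi
```

The window is created with --no-allow-unassociated-targets so a task can only run against targets you registered explicitly, and the task uses percentage concurrency and error limits so a bad patch stops the run early instead of rolling across the whole DEV fleet.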
Is it possible to create a custom patch baseline?
Yes. You can also configure a custom patch baseline based on your organization’s needs rather than using the default patch baselines provided by AWS. To create a custom patch baseline:
1. Navigate to AWS SSM Patch Manager -> Patch baselines -> Create patch baseline. Enter the name and select the operating system.
2. Define the approval rules for the operating system.
3. If you need to exclude any patches as exceptions, you can configure them here.
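The same custom baseline can be created from the AWS CLI. This is an added example, not the article's own code: the approval rule auto-approves Critical and Important Windows security and critical updates after a configurable number of days (the API accepts 0 to 360, which the helper enforces), the rejected-patch list with BLOCK is the CLI form of the patch exceptions in step 3, and the last function re-points a patch group at the new baseline, which has to deregister it from its current baseline first because a patch group can hold only one baseline per operating system. The function names, the default region, the baseline IDs and the KB number in the usage line are my own placeholders.

```shell
#!/bin/sh
# Added example (not the article's own code): create a custom Windows patch
# baseline from the CLI and point a patch group at it. AWS_CMD=dry_run_aws previews.
set -eu

AWS_CMD="${AWS_CMD:-aws}"
REGION="${AWS_REGION:-us-east-1}"      # assumption: adjust to your region
dry_run_aws() { printf '%s\n' "$*"; }

# Approval rule JSON: Critical/Important security and critical updates, approved
# ApproveAfterDays after release. The API allows 0-360 days; refuse anything else.
build_approval_rules() {
    days="$1"
    case "$days" in
        ''|*[!0-9]*) echo "ApproveAfterDays must be an integer" >&2; return 1 ;;
    esac
    [ "$days" -le 360 ] || { echo "ApproveAfterDays must be <= 360" >&2; return 1; }
    filters='{"Key":"MSRC_SEVERITY","Values":["Critical","Important"]},{"Key":"CLASSIFICATION","Values":["SecurityUpdates","CriticalUpdates"]}'
    printf '{"PatchRules":[{"PatchFilterGroup":{"PatchFilters":[%s]},"ApproveAfterDays":%s,"ComplianceLevel":"CRITICAL"}]}' "$filters" "$days"
}

# Steps 1-3 in one call. Any extra arguments are patches to reject (KB numbers);
# with --rejected-patches-action BLOCK they are never installed, even if a rule approves them.
create_windows_baseline() {
    name="$1"; days="$2"; shift 2
    rules=$(build_approval_rules "$days")
    rejected="$*"
    # shellcheck disable=SC2086  # the KB list is intentionally word-split
    $AWS_CMD ssm create-patch-baseline --region "$REGION" \
        --name "$name" --operating-system WINDOWS \
        --description "Custom baseline: security/critical updates after $days days" \
        --approval-rules "$rules" \
        --rejected-patches-action BLOCK ${rejected:+--rejected-patches $rejected} \
        --query BaselineId --output text
}

# Which baseline a patch group currently resolves to (check before and after the move).
current_baseline_for() {
    patch_group="$1"
    $AWS_CMD ssm get-patch-baseline-for-patch-group --region "$REGION" \
        --patch-group "$patch_group" --operating-system WINDOWS \
        --query BaselineId --output text
}

# A patch group can be registered with only one baseline per OS, so re-pointing it
# at the custom baseline means deregistering it from the current one first.
move_patch_group() {
    patch_group="$1"; old_baseline="$2"; new_baseline="$3"
    $AWS_CMD ssm deregister-patch-baseline-for-patch-group --region "$REGION" \
        --baseline-id "$old_baseline" --patch-group "$patch_group"
    $AWS_CMD ssm register-patch-baseline-for-patch-group --region "$REGION" \
        --baseline-id "$new_baseline" --patch-group "$patch_group"
}

# Usage: ./custom_baseline.sh apply DEV pb-OLD-PLACEHOLDER   (KB0000000 is a placeholder)
if [ "${1:-}" = "apply" ]; then
    new_id=$(create_windows_baseline "${2}-windows-custom" 7 KB0000000)
    move_patch_group "$2" "$3" "$new_id"
fi
```

Run current_baseline_for DEV before and after the move; until the group is re-registered, instances tagged Patch Group: DEV keep being evaluated against the old baseline no matter how the new one is configured.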
AWS SSM Patch manager can be configured based on our requirements.
Hope this article is informative to you.