How do I troubleshoot a failed Patch Manager command on my Amazon EC2 Linux instance?

3 minute read

I want to use the AWSSupport-TroubleshootPatchManagerLinux runbook to troubleshoot a failed Patch Manager command on an Amazon Elastic Compute Cloud (Amazon EC2) Linux instance.

Short description

Use the AWSSupport-TroubleshootPatchManagerLinux AWS Systems Manager automation runbook to analyze Patch Manager issues on your Amazon EC2 Linux instance. The runbook analyzes patching logs to detect the root cause of failed commands. Then, it suggests remediation steps.

Before you start the AWSSupport-TroubleshootPatchManagerLinux runbook, make sure that your environment meets the following requirements:

The operating system is one of the following:
Amazon Linux 2 or 2023
Red Hat Enterprise Linux 8 or 9
CentOS 8 or 9
Ubuntu 18.04, 20.04, or 22.04
SUSE Linux Enterprise Server 15
AWS Systems Manager Agent (SSM Agent) manages the EC2 Linux instance.
One of the following packages must be available on the instance: Python 3.7.0 or later, GNU Wget, curl, or unzip.
The instance connects to Amazon Simple Storage Service (Amazon S3) endpoints to download code from the AWS owned bucket with the following ARN: arn:aws:s3:::aws-ssm-document-attachments-region/*.
The AWS Identity and Access Management (IAM) user or role must have the permissions listed in the Required IAM permissions section of AWSSupport-TroubleshootPatchManagerLinux.

Resolution

To launch the runbook, complete the following steps:

Navigate to the AWSSupport-TroubleshootPatchManagerLinux document in the Systems Manager console.
Choose Execute automation.
Note: For more information about the runbook's steps, see the document steps of AWSSupport-TroubleshootPatchManagerLinux.
Enter the following values for the input parameters:
InstanceId (required): The EC2 instance ID that the patch command failed against. Use the interactive instance picker or manually enter the EC2 Linux instance ID.
AutomationAssumeRole (optional): The ARN of the IAM role that allows Automation to perform actions. If you don't specify a role, then the automation uses the permissions of the user that starts the runbook.
RunCommandId (optional): The failed run command ID for the AWS-RunPatchBaseline document. If you don't provide the command ID, then the runbook reviews the instance for the latest failed patch commands from the last 30 days.
Choose Execute.
After the automation completes, review the detailed results in the Outputs section. This section displays identified issues with additional details, and suggests actionable solutions. To address your patch issues, implement the recommendations and rerun the Patch Manager command.

Related information

AWS Support Automation Workflows (SAW)

Setting up Automation

Running automations

Topics

Compute End User Computing

Relevant content

AWS System Manager Patch Manager Scan operation failed
arup
asked 2 years ago
Patch manager doesn't work on Rocky Linux
ricardobarbosams
asked a year ago
AWS Patching activity failed on Linux
Sid
asked 9 months ago
Do I need to be in the Managerment account to use System Manager / Patch Manager to patch instances across an Organization
larryjkl
asked a year ago
AWS Patch Manager Patching Task failing
Richard Dell
asked 2 years ago
How do I automate Linux updates on my EC2 instance using Systems Manager Patch Manager patch policies?
AWS OFFICIALUpdated 10 months ago
How do I troubleshoot patching issues related to Amazon EC2 Windows instance when I use the Patch Manager AWS-RunPatchBaseline document?
AWS OFFICIALUpdated 10 months ago
How do I troubleshoot a missing KB patch after a successful patching operation on EC2 Windows instances through Patch Manager?
AWS OFFICIALUpdated a year ago
How do I troubleshoot a failed Patch Manager (Linux) operation?
AWS OFFICIALUpdated 3 months ago
Support Automation Workflow (SAW) Runbook: Troubleshoot AWS Systems Manager Session Manager
EXPERT
Maya Karalic
published a year ago