How do I troubleshoot a failed Patch Manager command on my Amazon EC2 Linux instance?


I want to use the AWSSupport-TroubleshootPatchManagerLinux runbook to troubleshoot a failed Patch Manager command on an Amazon Elastic Compute Cloud (Amazon EC2) Linux instance.

Short description

Use the AWSSupport-TroubleshootPatchManagerLinux AWS Systems Manager automation runbook to analyze Patch Manager issues on your Amazon EC2 Linux instance. The runbook analyzes patching logs to detect the root cause of failed commands. Then, it suggests remediation steps.

Before you start the AWSSupport-TroubleshootPatchManagerLinux runbook, make sure that your environment meets the following requirements:

  • The operating system is one of the following:
    Amazon Linux 2 or 2023
    Red Hat Enterprise Linux 8 or 9
    CentOS 8 or 9
    Ubuntu 18.04, 20.04, or 22.04
    SUSE Linux Enterprise Server 15
  • AWS Systems Manager Agent (SSM Agent) manages the EC2 Linux instance.
  • One of the following packages must be available on the instance: Python 3.7.0 or later, GNU Wget, curl, or unzip.
  • The instance can reach Amazon Simple Storage Service (Amazon S3) endpoints to download code from the AWS-owned bucket with the following ARN: arn:aws:s3:::aws-ssm-document-attachments-region/*.
  • The AWS Identity and Access Management (IAM) user or role must have the permissions listed in the Required IAM permissions section of AWSSupport-TroubleshootPatchManagerLinux.
To launch the runbook, complete the following steps:

  1. Navigate to the AWSSupport-TroubleshootPatchManagerLinux document in the Systems Manager console.
  2. Choose Execute automation.
    Note: For more information about the runbook's steps, see the document steps of AWSSupport-TroubleshootPatchManagerLinux.
  3. Enter the following values for the input parameters:
    InstanceId (required): The ID of the EC2 Linux instance on which the patch command failed. Use the interactive instance picker or enter the instance ID manually.
    AutomationAssumeRole (optional): The ARN of the IAM role that allows Automation to perform actions. If you don't specify a role, then the automation uses the permissions of the user that starts the runbook.
    RunCommandId (optional): The failed run command ID for the AWS-RunPatchBaseline document. If you don't provide the command ID, then the runbook reviews the instance for the latest failed patch commands from the last 30 days.
  4. Choose Execute.
  5. After the automation completes, review the detailed results in the Outputs section. This section lists the identified issues with supporting details and suggests actionable solutions. To resolve your patch issues, implement the recommendations and then rerun the Patch Manager command.
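The prerequisite checks above and the console steps can be scripted. The following helper is an added example, not part of the runbook or of this article: it verifies the supported OS list, the download-tool requirement and the SSM Agent state on the instance, then starts the runbook with the AWS CLI equivalent of Execute automation. The function names, the use of /etc/os-release and the systemd unit names are assumptions of this example.

```shell
#!/bin/sh
# Hypothetical helper (not part of the runbook): checks the prerequisites
# listed above on the instance, then starts the runbook from the AWS CLI.
# os_supported [FILE]: return 0 if ID/VERSION_ID in an os-release file
# (default /etc/os-release) is on the runbook's supported OS list.
os_supported() {
    file="${1:-/etc/os-release}"
    [ -r "$file" ] || return 1
    id=$(sed -n 's/^ID=//p' "$file" | tr -d '"')
    ver=$(sed -n 's/^VERSION_ID=//p' "$file" | tr -d '"')
    case "$id:$ver" in
        amzn:2|amzn:2023|rhel:8*|rhel:9*|centos:8*|centos:9*) return 0 ;;
        ubuntu:18.04|ubuntu:20.04|ubuntu:22.04|sles:15*) return 0 ;;
        *) return 1 ;;
    esac
}
# has_download_tool: return 0 if Python >= 3.7, wget, curl or unzip exists.
has_download_tool() {
    python3 -c 'import sys; sys.exit(sys.version_info < (3, 7))' 2>/dev/null && return 0
    for tool in wget curl unzip; do
        command -v "$tool" >/dev/null 2>&1 && return 0
    done
    return 1
}
# ssm_agent_running: SSM Agent is a systemd unit on most distributions and a snap on Ubuntu.
ssm_agent_running() {
    systemctl is-active --quiet amazon-ssm-agent 2>/dev/null ||
        systemctl is-active --quiet snap.amazon-ssm-agent.amazon-ssm-agent 2>/dev/null
}
# runbook_params INSTANCE_ID [RUN_COMMAND_ID]: build the --parameters value;
# RunCommandId is omitted so the runbook scans the last 30 days of failures.
runbook_params() {
    params="InstanceId=$1"
    [ -n "${2:-}" ] && params="$params,RunCommandId=$2"
    echo "$params"
}
# main INSTANCE_ID [RUN_COMMAND_ID]: run the checks, then start the automation.
main() {
    os_supported || { echo "unsupported OS for this runbook" >&2; exit 1; }
    has_download_tool || { echo "need python3>=3.7, wget, curl or unzip" >&2; exit 1; }
    ssm_agent_running || echo "warning: SSM Agent does not look active" >&2
    aws ssm start-automation-execution \
        --document-name AWSSupport-TroubleshootPatchManagerLinux \
        --parameters "$(runbook_params "$@")" \
        --query AutomationExecutionId --output text
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it on the instance as `sh check_and_run.sh i-0123456789abcdef0 [run-command-id]` with credentials that carry the permissions from the Required IAM permissions section; the printed value is the automation execution ID to look up in the console.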

Related information

AWS Support Automation Workflows (SAW)

Setting up Automation

Running automations

AWS OFFICIAL. Updated 2 months ago.