How do I configure maintenance windows for patching Amazon EC2 and hybrid nodes in multiple environments using Systems Manager?
I want to configure and keep maintenance windows for multiple environments in AWS Systems Manager.
Short description
To configure and maintain patching Windows, use Patch Manager, a capability of AWS Systems Manager.
Note: For Windows, to patch applications released by Microsoft on virtual machines (VMs) and on-premises instances, turn on the advanced-instances tier.
Resolution
Prerequisites
The following prerequisites are for Amazon Elastic Compute Cloud (Amazon EC2) and hybrid instances:
- Check that Patch Manager supports your Operating System (OS).
- Amazon EC2 instances or hybrid instances must be managed by Systems Manager. This means that the instance must be listed under Managed instances, and the SSM Agent ping status must be Online.
- Make sure that the latest version of the AWS Systems Manager Agent (SSM Agent) is installed. For more information, see Automating updates to SSM Agent.
- Make sure that the instance can reach the source of the patches for Windows Server Update Services (WSUS), Microsoft Update servers, or Linux repositories.
The targeted instances must connect to the following endpoints:
- Systems Manager endpoint
- ec2messages endpoint
- S3 endpoint
For more information, see Step 2: Create VPC endpoints
Configuring patching operation methods
For an overview of the available patching operation methods, see AWS Systems Manager Patch Manager and review Patching operation methods.
Working with Patch Manager
First, verify that the AWS predefined patch baseline for each OS type that you use meets your requirements. If the predefined patch baseline doesn't meet your requirements, then create a custom patch baseline. Use a patch baseline that defines a standard set of patches for your managed node type, and set it as the default.
Note: It's a best practice to use Amazon EC2 tags to organize managed nodes into patch groups.
Then, complete one of the following steps:
Configure a patch policy in Quick Setup, a capability of Systems Manager. Use Quick Setup to install missing patches on a schedule for an entire organization, a subset of organizational units (OUs), or a single AWS account.
-or-
Create a maintenance window that uses the Systems Manager document (SSM document) AWS-RunPatchBaseline in a Run Command, a capability of AWS Systems Manager, task type. To use a maintenance window to patch, complete the following steps in the Systems Manager console:
- Create a maintenance window.
- Assign targets to the maintenance window.
- Assign tasks (AWS-RunPatchBaseline) to the maintenance window.
- Manually run the AWS-RunPatchBasline in a Run Command operation.
- Use the Patch now option to manually patch nodes on demand.
Be sure to monitor patching to verify compliance and investigate failures.
Related information
Centralized multi-account and multi-Region patching with AWS Systems Manager Automation
Scheduling centralized multi-account and multi-Region patching with AWS Systems Manager Automation
Patching your Windows EC2 instances using AWS Systems Manager Patch Manager
Why does my instance appear as non-compliant in the Systems Manager Compliance dashboard?
Relevant content
- asked 3 months ago
- Accepted Answerasked 7 months ago
- asked a year ago
- Accepted Answer
- AWS OFFICIALUpdated 10 months ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 8 months ago
