Get Hands-on with Amazon EKS - Workshop Event Series

Whether you're taking your first steps with Kubernetes or you're an experienced practitioner looking to sharpen your skills, our Amazon EKS workshop series delivers practical, real-world experience that moves you forward. Learn directly from AWS solutions architects and EKS specialists through hands-on sessions designed to build your confidence with Kubernetes. Register now and start building with Amazon EKS!

How do I manage patch notifications for Systems Manager?

3 minute read

I want to use Amazon Simple Notification Service (Amazon SNS) to create patch notifications for AWS Systems Manager.

Resolution

To create customizable notifications, integrate Amazon SNS with Patch Manager, a capability of AWS Systems Manager, and use Run command when you patch. You can also use this feature when you add patching as a Run command task in a maintenance window.

Note: You can't use Amazon SNS notifications when you use Patch now (on-demand patching) or Patch policy.

Create an SNS topic for patch notifications

Create an SNS topic, and note the topic ARN. Then, use your preferred contact method to subscribe to the topic.

Note: To create customizable notifications, configure a maintenance window for patching.

Set up the required IAM policy and role

Create an AWS Identity and Access Management (IAM) policy and IAM role for Systems Manager to publish to the SNS topic. If you don't want use the maintainance window for patch notifications, then proceed to Specify the SNS topic in your Run command.

To use the role in the maintenance window, you must edit the maintenance window service role to allow it to pass the new IAM role. Under Resource, specify the ARN of the role that you created. For more information, see Control access to maintenance windows using the console. You can create a new policy, or update the inline policy of the maintenance window with the required permissions.

Example permissions:

{      "Version": "2012-10-17",  
    "Statement": [  
        {               
            "Effect": "Allow",  
            "Action": "iam:PassRole",  
            "Resource": "arn:aws:iam::ACCOUNT_ID:role/SNS-TOPIC-ROLE"             
        }  
    ]  
}

Note: Replace arn:aws:iam::ACCOUNT_ID:role/SNS-TOPIC-ROLE with your IAM role ARN.

Specify the SNS topic in your Run command

Complete the following steps:

Open the Systems Manager console.
In the navigation pane, choose Run command.
Choose AWS-RunPatchBaseline.
Configure the AWS-RunPatchBaseline parameters.
For SNS notifications, select Enable SNS notifications.
For IAM role, enter the new IAM role.
For SNS topic, enter the SNS topic ARN .
(Optional) For Event type, select the event types that you want to be notified about, such as Timed out or Failed attempts.
Choose Save changes.

(Optional) Specify the SNS topic in your maintenance window

If you use a maintenance window, then complete the following steps:

Open the Systems Manager console.
In the navigation pane, choose Maintenance windows.
Select the maintenance window that performs patches.
For Tasks, choose AWS-RunPatchBaseline, and then choose Edit.
For SNS notifications, select Enable SNS notifications.
For IAM role, enter the new IAM role.
For SNS topic, enter the SNS topic ARN .
(Optional) For Event type, select the event types that you want to be notified about.
Choose Save changes.

Example patch maintenance email notification:

{"commandId":"abcdef12-1234-1234-1234-abcdef123456",  "documentName":"AWS-RunPatchBaseline",  
"instanceId":"i-abcdefg1234567",  
"requestedDateTime":"2023-01-01T00:00:00.000Z",  
"status":"Failed",  
"detailedStatus":"Failed",  
"eventTime":"2023-01-1T00:02:00.00Z"}