How do I better manage notifications for patching in Systems Manager?


I want to use Amazon Simple Notification Service (Amazon SNS) to create notifications for patching in AWS Systems Manager.

Short Description

You can create customizable notifications by integrating Amazon SNS with Patch Manager, a capability of AWS Systems Manager, for Patch Manager maintenance windows.

Important: To create customizable notifications, configure a maintenance window for patching.

To create notifications for your maintenance window patching operations using Systems Manager, complete the following steps:

  1. Create and subscribe to an Amazon SNS topic for patching notifications.
  2. Create an AWS Identity and Access Management (IAM) policy and IAM role for Systems Manager to publish to the SNS topic.
  3. Specify the SNS topic in your Run Command, a capability of AWS Systems Manager.

Resolution

Create an SNS topic for patching notifications

First, create an SNS topic:

  1. Open the Amazon SNS console.
  2. Choose the AWS Region that you're patching.
  3. In the navigation pane, choose Topics.
  4. Choose Create Topic.
  5. Choose FIFO or Standard. Choose Standard unless you have a specific reason to use FIFO: FIFO topics deliver only to Amazon SQS queues, so an email subscription requires a Standard topic.
  6. Enter a name for the topic.
  7. (Optional) Configure the remaining settings to meet your use case.
  8. Choose Create topic. Note the topic ARN to use in the following sections.

Then, subscribe to the topic using your preferred contact method (for example, an email address), and confirm the subscription.

Set up the required IAM policy and role for Systems Manager to publish to the SNS topic

First, set up the required IAM policy:

1.    Open the IAM console.

2.    In the navigation pane, choose Policies, and then choose Create Policy.

3.    Choose the JSON tab.

4.     Replace the default JSON content with the following:

Note: Replace the REGION with the Region you're using and replace ACCOUNT-ID with your AWS account ID. Replace SNS-TOPIC-NAME with the name of your SNS topic.

{  
    "Version": "2012-10-17",  
    "Statement": [
    {  
            "Effect": "Allow",  
            "Action": ["sns:Publish"],  
            "Resource": "arn:aws:sns:{REGION}:{ACCOUNT-ID}:{SNS-TOPIC-NAME}"
    }  
    ]  
}

Note: You can find the specific resource ARN for your topic in the SNS topics page under ARN.

5.    Choose Next: Tags.

6.    (Optional) Add one or more tag-key value pairs to organize, track, or control access for this policy. Then, choose Next: Review.

7.    Enter a name for the policy.

8.    (Optional) Enter a description for the policy.

9.    Choose Create policy.

Then, set up the required IAM role:

1.    Open the IAM console.

2.    In the navigation pane, choose Roles, and then choose Create role.

3.    Choose the AWS service role type, and then choose Systems Manager. Choose the Systems Manager use case.

4.    On the Attach permissions policies page, search for the policy that you created in the previous section. Then, select the name of the custom policy.

5.    (Optional) Set a permissions boundary. For more information, see Permissions boundaries for IAM entities.

6.    Choose Next.

7.    Enter a role name and description for the role.

8.    Choose Edit in the Step 1: Select trusted entities or Step 2: Select permissions sections to edit the use cases and permissions for the role.

9.    Review the role, and then choose Create role. Note the IAM role name for the following section.

To use this role in a maintenance window, you must also allow the maintenance window service role to pass the newly created role (iam:PassRole). For the resource, specify the ARN of the role that you created rather than "*", so that the service role can pass only this role. For more information, see Use the console to configure permissions for maintenance windows.

To complete the IAM role setup, create a new policy, or update the inline policy of the maintenance window service role, with the following values:

Note: Replace ACCOUNT-ID with your account ID and SNS-TOPIC-ROLE with the name of the IAM role that you created in the previous section.

{  
    "Version": "2012-10-17",  
    "Statement": [  
        {               
            "Effect": "Allow",  
            "Action": "iam:PassRole",  
            "Resource": "arn:aws:iam::{ACCOUNT-ID}:role/{SNS-TOPIC-ROLE}"             
        }  
    ]  
}
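The three IAM documents above (the sns:Publish policy, the trust policy that the Systems Manager use case gives the role, and the iam:PassRole statement for the maintenance window service role) are easy to get wrong by leaving a placeholder unfilled or by widening a resource to "*". The following script is an added example and is not code from this article or from AWS: it fills in the placeholders, checks that every statement stays scoped to one resource, and prints the documents ready to pass to aws iam create-policy or aws iam create-role with file://. The iam:PassedToService condition is an optional tightening that the article itself does not show, and the region, account ID, topic name, and role name are placeholder values.

```python
"""Build and sanity-check the IAM documents used for patch notifications.

Added example, not code from the AWS article. Standard library only; no AWS
call is made. Values passed in are placeholders; substitute your own.
"""
import json
import re

# Shapes of the two resource ARNs the policies must name.
SNS_TOPIC_ARN = re.compile(r"^arn:aws:sns:[a-z0-9-]+:\d{12}:[A-Za-z0-9_-]+(\.fifo)?$")
IAM_ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def sns_publish_policy(region, account_id, topic_name):
    """Permissions policy for the notification role: publish to exactly one topic."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["sns:Publish"],
            "Resource": f"arn:aws:sns:{region}:{account_id}:{topic_name}",
        }],
    }


def ssm_trust_policy():
    """Trust policy the Systems Manager use case gives the role: only SSM may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ssm.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def pass_role_policy(account_id, role_name, restrict_to_ssm=True):
    """Statement for the maintenance window service role: pass only the notification role.

    The iam:PassedToService condition is an optional tightening not shown in the
    article; it prevents the service role from passing this role to any service
    other than Systems Manager.
    """
    statement = {
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": f"arn:aws:iam::{account_id}:role/{role_name}",
    }
    if restrict_to_ssm:
        statement["Condition"] = {"StringEquals": {"iam:PassedToService": "ssm.amazonaws.com"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def check_policy(doc):
    """Return least-privilege findings for a policy document; [] means it is scoped."""
    findings = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        actions = _as_list(stmt.get("Action"))
        if "Principal" in stmt:  # trust policy statement: check who may assume the role
            principal = stmt["Principal"]
            if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
                findings.append(f"statement {i}: trust policy allows any principal")
            continue
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action in {actions}")
        for res in _as_list(stmt.get("Resource")):
            if res == "*":
                findings.append(f"statement {i}: Resource is '*'")
            elif "{" in res or "}" in res:
                findings.append(f"statement {i}: unfilled placeholder in {res}")
            elif "sns:Publish" in actions and not SNS_TOPIC_ARN.match(res):
                findings.append(f"statement {i}: {res} is not an SNS topic ARN")
            elif "iam:PassRole" in actions and not IAM_ROLE_ARN.match(res):
                findings.append(f"statement {i}: {res} is not an IAM role ARN")
    return findings


def build_documents(region, account_id, topic_name, role_name):
    """Return the three documents as JSON strings, failing fast if any is under-scoped."""
    docs = {
        "sns-publish-policy.json": sns_publish_policy(region, account_id, topic_name),
        "ssm-trust-policy.json": ssm_trust_policy(),
        "pass-role-policy.json": pass_role_policy(account_id, role_name),
    }
    problems = {name: check_policy(doc) for name, doc in docs.items() if check_policy(doc)}
    if problems:
        raise ValueError(f"under-scoped policy documents: {problems}")
    return {name: json.dumps(doc, indent=4) for name, doc in docs.items()}


if __name__ == "__main__":
    # Placeholder values, as in the article; substitute your own.
    documents = build_documents("us-east-1", "123456789012", "patch-notifications", "PatchNotificationRole")
    for name, body in documents.items():
        print(f"--- {name}\n{body}")
```

Write each document to the file named in the dictionary, then create the resources with aws iam create-policy --policy-document file://sns-publish-policy.json, aws iam create-role --assume-role-policy-document file://ssm-trust-policy.json, and attach the PassRole document to the maintenance window service role. Because build_documents raises on any finding, a document with an unfilled {REGION} or a "*" resource never reaches IAM.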

Specify the SNS topic in your Run Command

Specify the SNS topic in your Run Command:

  1. Open the AWS Systems Manager console.
  2. In the navigation pane, choose Maintenance Windows.
  3. Select the maintenance window that performs patching.
  4. For Tasks, choose the AWS-RunPatchBaseline Run Command task or another Run Command task that you want to be notified for, and then choose Edit.
  5. For SNS notifications, choose Enable SNS notifications.
  6. Enter the IAM role that you created in the preceding section.
  7. Enter the SNS topic ARN that you created in the preceding section.
  8. (Optional) For the event type, choose the event types that you want to be notified for. For example, Timed out and Failed attempts.
  9. Choose Save changes.

SNS notifications are now set up for the commands and the event type that you selected for your patching maintenance window.

The following is an example email notification:

{"commandId":"abcdef12-1234-1234-1234-abcdef123456",  
"documentName":"AWS-RunPatchBaseline",  
"instanceId":"i-abcdefg1234567",  
"requestedDateTime":"2023-01-01T00:00:00.000Z",  
"status":"Failed",  
"detailedStatus":"Failed",  
"eventTime":"2023-01-01T00:02:00.000Z"}
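An email is fine for a handful of instances, but a subscriber that has to act on these messages needs to parse them. The script below is an added example and is not code from this article or from AWS: it reads notifications in the shape of the example above, whether they arrive as the raw JSON body or wrapped in the event envelope an AWS Lambda subscriber receives from SNS, rejects messages missing the fields the handler relies on, and groups the instances whose patching did not complete by command ID. The sample messages are constructed, with placeholder command and instance IDs.

```python
"""Triage Run Command notifications delivered by the patching SNS topic.

Added example, not code from the AWS article. The sample messages below are
constructed in the shape of the article's example notification.
"""
import json
from datetime import datetime, timezone

# Run Command status values that mean patching did not complete on the instance.
ALERT_STATUSES = {"Failed", "TimedOut", "Cancelled"}
REQUIRED_FIELDS = ("commandId", "documentName", "instanceId", "status",
                   "requestedDateTime", "eventTime")

# Constructed sample notifications (placeholder IDs), one per instance.
SAMPLE_MESSAGES = [
    '{"commandId":"abcdef12-1234-1234-1234-abcdef123456","documentName":"AWS-RunPatchBaseline",'
    '"instanceId":"i-0123456789abcdef0","requestedDateTime":"2023-01-01T00:00:00.000Z",'
    '"status":"Failed","detailedStatus":"Failed","eventTime":"2023-01-01T00:02:00.000Z"}',
    '{"commandId":"abcdef12-1234-1234-1234-abcdef123456","documentName":"AWS-RunPatchBaseline",'
    '"instanceId":"i-0123456789abcdef1","requestedDateTime":"2023-01-01T00:00:00.000Z",'
    '"status":"Success","detailedStatus":"Success","eventTime":"2023-01-01T00:05:00.000Z"}',
    '{"commandId":"abcdef12-1234-1234-1234-abcdef123456","documentName":"AWS-RunPatchBaseline",'
    '"instanceId":"i-0123456789abcdef2","requestedDateTime":"2023-01-01T00:00:00.000Z",'
    '"status":"TimedOut","detailedStatus":"DeliveryTimedOut","eventTime":"2023-01-01T01:00:00.000Z"}',
    # A non-patching Run Command task on the same topic; ignored by the patch filter.
    '{"commandId":"00000000-0000-0000-0000-000000000000","documentName":"AWS-RunShellScript",'
    '"instanceId":"i-0123456789abcdef3","requestedDateTime":"2023-01-01T00:00:00.000Z",'
    '"status":"Failed","detailedStatus":"Failed","eventTime":"2023-01-01T00:01:00.000Z"}',
]


def parse_timestamp(value):
    """Parse the ISO-8601 UTC timestamps (millisecond precision) used in the notification."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def unwrap_message(raw):
    """Return the notification dict from either a raw JSON body or an SNS Lambda event."""
    payload = json.loads(raw) if isinstance(raw, str) else raw
    if "Records" in payload:  # SNS-to-Lambda envelope: the body is a JSON string inside it
        payload = json.loads(payload["Records"][0]["Sns"]["Message"])
    missing = [field for field in REQUIRED_FIELDS if field not in payload]
    if missing:
        raise ValueError(f"notification missing fields: {missing}")
    return payload


def needs_follow_up(msg, document_name="AWS-RunPatchBaseline"):
    """True when a patching invocation ended in a state an operator must look at."""
    return msg["documentName"] == document_name and msg["status"] in ALERT_STATUSES


def triage(raw_messages):
    """Group unfinished patch invocations: {commandId: [(instanceId, status, minutes)]}."""
    by_command = {}
    for raw in raw_messages:
        msg = unwrap_message(raw)
        if not needs_follow_up(msg):
            continue
        elapsed = parse_timestamp(msg["eventTime"]) - parse_timestamp(msg["requestedDateTime"])
        by_command.setdefault(msg["commandId"], []).append(
            (msg["instanceId"], msg["status"], int(elapsed.total_seconds() // 60))
        )
    return by_command


if __name__ == "__main__":
    for command_id, instances in triage(SAMPLE_MESSAGES).items():
        print(f"command {command_id}: {len(instances)} instance(s) need follow-up")
        for instance_id, status, minutes in instances:
            print(f"  {instance_id}: {status} after {minutes} min")
```

The filter keys on documentName as well as status because the same topic may carry notifications for other Run Command tasks in the maintenance window; if you subscribe to only the Timed out and Failed event types in the console, the status check is redundant but harmless.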
AWS OFFICIAL
Updated 10 months ago
2 Comments

This document is outdated; as per the latest AWS console, I cannot find the option to add an SNS topic to the AWS Linux patch line.

replied 3 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 2 months ago