SSM Patch Manager Configure Patch Sources for Managed Instances

Question

hello, how to specify patching source for Windows and Linux (RHEL, Amazon Linux2, Ubuntu etc.) instances without granting internet access to these instances? My search results are not returning public repositories for patches for said OS but let's say I have a public repo for patches, https://epel.mirror.digitalpacific.com.au/7/

1. Do I specify the link in Patch Baseline for managed instance?
2. What options does the managed instance have to reach to this repository?
3. Is WSUS in public subnet the only approach for patching Windows instances?

Accepted Answer

Hello.

> 1. Do I specify the link in Patch Baseline for managed instance?

The repository URL is required when creating a custom patch baseline as shown in the document below.  
https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-create-a-patch-baseline-for-linux.html

> 2. What options does the managed instance have to reach to this repository?

A NAT Gateway is required to use public repositories such as the EPEL repository.

> 3. Is WSUS in public subnet the only approach for patching Windows instances?

You can update without using WSUS by creating a NAT Gateway and accessing the Microsoft Update Catalog in the same way as the EPEL repository.

SSM Patch Manager Configure Patch Sources for Managed Instances

관련 콘텐츠