AWS Patch Manager Setup

I am trying to set up Patch Manager, and Systems Manager as a whole, for the first time. I have not been able to set up automatic patch scanning or installing despite my best efforts.

I will explain what I did and where I'm at in hopes someone can point out what I am missing or what else I can try.

First I went to Quick Setup and ran through the Patch Manager setup with all the default options for scan and install. Here are the settings:

- Patch policy name: Baseline Patching
- Scan for missing patches daily at 1:00 AM UTC
- Install missing patches weekly at 2:00 AM UTC on Sunday
- Reboot after installation if necessary
- Update nodes based on default patch baselines
- Store patch operation logs in s3://*****
- Target: Entire organization
- Regions: us-east-1, us-east-2, us-west-1, us-west-2, sa-east-1, eu-central-1, eu-west-1, eu-west-2, eu-west-3, eu-north-1, ca-central-1, ap-south-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-northeast-1
- Nodes: All managed nodes
- The number or percentage of nodes to run the patch policy on at the same time: 10%
- The number or percentage of nodes to permit errors on before the patch policy fails: 2%
- Deploy IAM roles required for instance management and patching using Systems Manager

At the same time I got started with fleet manager and was able to get that going after adding the AmazonSSMManagedInstanceCore permission to the IAM role.

Fleet manager appears to be working but the automatic patch scanning never triggered. I decided to try to run a scan manually and that did work.

Trying to figure out what was wrong I went through multiple articles and eventually set up Systems Manager itself under Settings (in the upper left area under Diagnose and Remediate). I couldn't figure out what Account ID was needed in setup for a while but I eventually figured out that I need to create another account, under AWS Organizations, and use that account ID. Once I did that I thought everything would start working as the Quick Setup Configuration Associate count went up.

Alas, still no automatic patch scanning has taken place and I am at a loss on what to do next.

Any help would be greatly appreciated!

1 Answer
Thank you for providing such a detailed explanation of your setup process. It seems you've taken many of the correct steps to set up AWS Patch Manager, but there are a few things we can check to help resolve the issue of automatic patch scanning not triggering.

  1. Verify Patch Policy: First, ensure that your patch policy is correctly configured and active. You can do this by checking the Quick Setup dashboard in the Systems Manager console. Look for your "Baseline Patching" policy and verify its status.

  2. Check Managed Nodes: Confirm that your EC2 instances are properly set up as managed nodes. They should have the SSM Agent installed and be able to communicate with Systems Manager. You can verify this in the Fleet Manager.

  3. IAM Roles and Permissions: While you've added the AmazonSSMManagedInstanceCore permission to the IAM role, make sure that the role is actually attached to your EC2 instances. Also, verify that the role has the necessary permissions to access the S3 bucket where you're storing patch operation logs.

  4. VPC Endpoints: If you're using VPC endpoints to connect to Systems Manager, ensure that the VPC endpoint policy for S3 allows access to the Quick Setup patch policy S3 bucket.

  5. Time Zone: The scanning schedule you've set is based on UTC. Make sure you're accounting for the time difference when expecting the scans to occur.

  6. Wait Period: Sometimes, it may take some time for the patch policy to propagate and take effect, especially when targeting an entire organization. Consider waiting for 24-48 hours to see if the automatic scanning starts.

  7. Manual Patch Policy Run: If the automatic scanning still doesn't trigger, you can try to manually run the patch policy from the Quick Setup console to see if it executes successfully.

  8. CloudWatch Logs: Check CloudWatch Logs for any error messages or issues related to the patch policy execution.

If after checking these points, you're still experiencing issues, you may want to consider using the "Patch now" feature as a temporary solution. This allows you to run on-demand patching without waiting for the scheduled scan.

Remember, setting up patching across an entire organization can be complex, and it may take some time to fully propagate and take effect. If problems persist, don't hesitate to contact AWS Support for further assistance.
Sources
Working with Patch Manager resources and compliance using the console - AWS Systems Manager
Configure patching for instances in an organization using Quick Setup - AWS Systems Manager
Patching managed nodes on demand - AWS Systems Manager
Patch policy configurations in Quick Setup - AWS Systems Manager

answered 8 months ago
