can i use patch manager to patch my ec2 instances which are in no internet environment

Hello, Amazon Linux can be patched without internet. AWS SSM uses internal repo for patches. So you just need to meet the prerequisites: S3, SSM, SSM messages, EC2 messages VPC endpoints to have internal connections. (https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-prerequisites.html)

For other OS versions - yes, unfortunately AWS does not have patches for them internally. I'm guessing that an improvement to AWS could be done by creating DNS records on the backbone network to direct patch mirrors and be accessed from the customer's network via an EC2 endpoint.

But for now as it is not implemented you must setup local repository that will have access to the internet to receive regular updates (https://kc.jetpatch.com/hc/en-us/articles/360052181591-Setting-Up-Local-Repositories-Ubuntu#heading-0) and define it in a new source (https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-alternative-source-repository.html), and customize patches (https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-create-a-patch-baseline-for-linux.html).

Proof:

I have run 2 EC2 instances: Ubuntu (ubuntu-focal-20.04-amd64-server-20231025 ) and AmazonLinux 2 (amazon/amzn2-ami-kernel-5.10-hvm-2.0.20240131.0-x86_64-gp2) in private VPC with S3, SSM, SSM messages and EC2 messages endpoints. Enabled patch policies with default configurations and run it.

According to the execution: Ubuntu failed. AmazonLinux success.

Command outputs:

As expected Ubuntu server could not reach patch server:

AmazonLinux worked fine:

AmazonLinux before patching:

After patching:

Hello.

The following documents contain prerequisites for using Patch Manager.
By default, Patch Manager downloads security patches from the OS's remote repository.
Therefore, if nothing is configured and there is no route to access the remote repository using NAT Gateway etc., patch application will fail.
I think you need to configure it so that it can communicate with S3 (remote repository) using NAT Gateway or VPC endpoint.
https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-prerequisites.html
https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-minimum-s3-permissions.html
https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-installing-patches.html

Your EC2 need access to a repository to download patches. As per https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-prerequisites.html#source-connectivity , you need to setup a remote repo.

This can be WSUS for Windows and Satellite or remote repo for RHEL

If your managed nodes don't have a direct connection to the Internet and you're using an Amazon Virtual Private Cloud (Amazon VPC) with a VPC endpoint, you must ensure that the nodes have access to the source patch repositories (repos). On Linux nodes, patch updates are typically downloaded from the remote repos configured on the node. Therefore, the node must be able to connect to the repos so the patching can be performed. For more information, see How security patches are selected.

Windows Server managed nodes must be able to connect to the Windows Update Catalog or Windows Server Update Services (WSUS). Confirm that your nodes have connectivity to the Microsoft Update Catalog through an internet gateway, NAT gateway, or NAT instance. If you are using WSUS, confirm that the node has connectivity to the WSUS server in your environment. For more information, see Issue: managed node doesn't have access to Windows Update Catalog or WSUS.