AWS System Manager Patch Manager Scan operation failed

0

Hi All, I have been doing patching for SUSE Linux systems through Patch Manager. Out of 5, one EC2 instance scan (Patch operation) is failing, showing operation not permitted.

PermissionError: [Errno 1] Operation not permitted: '/var/log/amazon/ssm/patch-baseline-operations/common_startup_entrance.py'
06/02/2022 07:52:09 root [ERROR]: [Errno 1] Operation not permitted: '/var/log/amazon/ssm/patch-baseline-operations/common_startup_entrance.py'

====================

I have checked the AWS documentation for troubleshooting Patch Manager and checked the /var mount point for no-exec; all looks okay. What could be the reason?

arup
Asked 2 years ago, 1685 views
1 Answer
0

Hello,

Thank you for reaching out with the issue.

The error is very specific: the targeted instance does not allow execution of the downloaded script entrance.py on path /var/log/amazon/ssm/patch-baseline-operations by SSM agent.

Background

During patching, SSM agent downloads the scripts to /var/lib/amazon/ssm and runs them. Patch Manager extracts the payload to /var/log/amazon/ssm/patch-baseline-operations, then executes entrance.py.

In order to fix the issue, you need to have exclusive partitions to /var/log/amazon and /var/lib/amazon and they need to be mounted with exec permissions.

Reviewing the no exec on Instance

To display details about block devices mounted, run the commands below on the instance terminal:

#### list all the block devices including empty blocks
lsblk -a

#### Show mode of the blocks
lsblk -m


#### Preview the fstab

cat /etc/fstab

Note that sample output like this on the fstab means no exec is on:

UUID=62daa1e8-f86b-4379-914a-c228a5fxxxxxx /var/log ext4 defaults,noexec 0 0

For more information, see 'Permission denied / failed to run commands' error

If the issue persists and is not figured out, get and review the logs on the instance paths:

/var/log/amazon/ssm/amazon-ssm-agent.log
/var/lib/amazon/ssm/InstanceID/document/orchestration/CommandID

Note: Patch Manager doesn't provide patches. Instead, Patch Manager orchestrates patching by using the appropriate built-in mechanism for each operating system (OS) to install updates on an instance. For example, Patch Manager relies on yum for instances running Amazon Linux 2.

Should you need further clarification and assistance, reach out to AWS Premium Support and Contact Us

Answered 2 years ago
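
To see which mount actually governs the two directories named in the answer above, this added example (not part of the original answer or of AWS tooling) does a longest-prefix match over a /proc/mounts-style table and flags noexec. The function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example: find which mount holds each SSM path and flag noexec.

# Constructed sample in /proc/mounts layout: device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/xvda1 / ext4 rw,relatime 0 0
/dev/xvdb1 /var ext4 rw,relatime 0 0
/dev/xvdc1 /var/log ext4 rw,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0'

# mount_for PATH: read a mount table on stdin, print "mountpoint options"
# for the longest mount point that contains PATH (last entry wins on ties).
mount_for() {
  awk -v p="$1" '
    BEGIN { best_len = 0 }
    $2 == "/" || p == $2 || index(p, $2 "/") == 1 {
      if (length($2) >= best_len) { best_len = length($2); best = $2 " " $4 }
    }
    END { if (best != "") print best }'
}

# is_noexec PATH: mount table on stdin; succeeds when the owning mount has noexec.
is_noexec() {
  case ",$(mount_for "$1" | cut -d" " -f2)," in
    *,noexec,*) return 0 ;;
    *) return 1 ;;
  esac
}

# report_ssm_mounts: mount table on stdin; one line per directory named in the answer.
report_ssm_mounts() {
  table=$(cat)
  for dir in /var/log/amazon/ssm/patch-baseline-operations /var/lib/amazon/ssm; do
    info=$(printf '%s\n' "$table" | mount_for "$dir")
    if printf '%s\n' "$table" | is_noexec "$dir"; then
      echo "NOEXEC $dir (mount: $info)"
    else
      echo "exec-ok $dir (mount: $info)"
    fi
  done
}

# Demo on the constructed sample; on an instance run: report_ssm_mounts < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | report_ssm_mounts
```

Reading /proc/mounts rather than /etc/fstab shows the options currently in effect, which can differ from fstab after a remount.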
