Can aws SSM patch manager patch instances with state "Stopped"?



The question is the same as in the title. Can/does "aws SSM patch manager" patch instances with state "Stopped"? I'm curious, because it seems that sometimes, even though the patch manager is being run every day, I still see that some instances have vulnerabilities.

Thank you.

1 Answer
Accepted Answer

AWS Systems Manager (SSM) Patch Manager does not patch instances that are in a "Stopped" state. Patch Manager can only manage and apply patches to instances that are running.

You can use an Automation document to start instances before the patch window and stop them afterward.

{
  "description": "Starts EC2 instances",
  "schemaVersion": "0.3",
  "assumeRole": "{{ AutomationAssumeRole }}",
  "parameters": {
    "InstanceIds": {
      "type": "StringList",
      "description": "List of EC2 Instance IDs to start"
    },
    "AutomationAssumeRole": {
      "type": "String",
      "description": "ARN of the IAM role that Automation assumes (referenced by assumeRole above)"
    }
  },
  "mainSteps": [
    {
      "action": "aws:changeInstanceState",
      "name": "startInstances",
      "inputs": {
        "InstanceIds": "{{ InstanceIds }}",
        "State": "started"
      }
    }
  ]
}

{
  "description": "Stops EC2 instances",
  "schemaVersion": "0.3",
  "assumeRole": "{{ AutomationAssumeRole }}",
  "parameters": {
    "InstanceIds": {
      "type": "StringList",
      "description": "List of EC2 Instance IDs to stop"
    },
    "AutomationAssumeRole": {
      "type": "String",
      "description": "ARN of the IAM role that Automation assumes (referenced by assumeRole above)"
    }
  },
  "mainSteps": [
    {
      "action": "aws:changeInstanceState",
      "name": "stopInstances",
      "inputs": {
        "InstanceIds": "{{ InstanceIds }}",
        "State": "stopped"
      }
    }
  ]
}

Configure Maintenance Window:

Task 1: Schedule the automation document to start instances.

Task 2: Run the SSM Patch Manager task to patch instances.

Task 3: Schedule the automation document to stop instances.

answered 4 months ago
reviewed 4 months ago
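Added example, not part of the accepted answer above: a Python/boto3 script that wires up the start, patch, stop procedure the answer describes, with the detail the answer leaves implicit: the three maintenance window tasks need distinct priorities, because tasks that share a priority run in parallel and the patch step would race the start and stop steps. It also validates the Automation documents before uploading them (every `{{ ... }}` placeholder must be a declared parameter, or CreateDocument fails) and lists the instances a window would skip because they are not running, which is the list to compare against the nodes that still show findings. The document names (StartInstancesForPatching, StopInstancesAfterPatching), the tag `PatchGroup=nightly`, the role ARNs, the schedule and the DescribeInstances sample are assumptions, and `{{ RESOURCE_ID }}` is assumed to expand to each targeted instance ID as the maintenance window pseudo parameter does.

```python
"""Start -> patch -> stop maintenance window (added example, not the answer's code).
Document names, tag, role ARNs, schedule and sample data below are assumptions."""
import json
import re

# Matches {{ Name }} placeholders inside an Automation document
PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def automation_document(state):
    """Schema 0.3 Automation document moving the given instances to `state`
    ("started" or "stopped") with aws:changeInstanceState. AutomationAssumeRole
    is declared as a parameter because assumeRole references it."""
    verb = {"started": "start", "stopped": "stop"}[state]
    return {
        "description": f"{verb.capitalize()}s EC2 instances",
        "schemaVersion": "0.3",
        "assumeRole": "{{ AutomationAssumeRole }}",
        "parameters": {
            "InstanceIds": {"type": "StringList",
                            "description": f"EC2 instance IDs to {verb}"},
            "AutomationAssumeRole": {"type": "String",
                                     "description": "IAM role ARN Automation assumes"},
        },
        "mainSteps": [{
            "action": "aws:changeInstanceState",
            "name": f"{verb}Instances",
            "inputs": {"InstanceIds": "{{ InstanceIds }}", "State": state},
        }],
    }


def undeclared_parameters(doc):
    """Placeholders referenced anywhere in the document but missing from
    "parameters"; SSM rejects such a document, so check before CreateDocument."""
    referenced = set(PLACEHOLDER.findall(json.dumps(doc)))
    return sorted(referenced - set(doc.get("parameters", {})))


def window_tasks(window_id, target_id, window_role_arn, automation_role_arn):
    """The three RegisterTaskWithMaintenanceWindow payloads. Lower Priority runs
    first and equal priorities run in parallel, so start=1, patch=2, stop=3."""
    common = {
        "WindowId": window_id,
        "Targets": [{"Key": "WindowTargetIds", "Values": [target_id]}],
        "ServiceRoleArn": window_role_arn,
        "MaxConcurrency": "100%",
        "MaxErrors": "0",
    }
    # {{ RESOURCE_ID }}: maintenance window pseudo parameter, one per targeted instance (assumed)
    automation_params = {"InstanceIds": ["{{ RESOURCE_ID }}"],
                         "AutomationAssumeRole": [automation_role_arn]}
    return [
        dict(common, Name="start", Priority=1, TaskType="AUTOMATION",
             TaskArn="StartInstancesForPatching",  # assumed document name
             TaskInvocationParameters={"Automation": {"Parameters": automation_params}}),
        dict(common, Name="patch", Priority=2, TaskType="RUN_COMMAND",
             TaskArn="AWS-RunPatchBaseline",
             TaskInvocationParameters={"RunCommand": {"Parameters": {
                 "Operation": ["Install"], "RebootOption": ["RebootIfNeeded"]}}}),
        dict(common, Name="stop", Priority=3, TaskType="AUTOMATION",
             TaskArn="StopInstancesAfterPatching",  # assumed document name
             TaskInvocationParameters={"Automation": {"Parameters": automation_params}}),
    ]


def skipped_instances(reservations):
    """From DescribeInstances-shaped output, the instance IDs that are not
    running and therefore get no patches if the window runs right now."""
    return sorted(i["InstanceId"] for r in reservations for i in r["Instances"]
                  if i["State"]["Name"] != "running")


# Constructed DescribeInstances sample (not real instances)
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa", "State": {"Name": "running"}},
    {"InstanceId": "i-0bbb", "State": {"Name": "stopped"}},
    {"InstanceId": "i-0ccc", "State": {"Name": "stopping"}},
]}]


def register_everything(ssm, window_role_arn, automation_role_arn):
    """Live wiring through boto3: upload both documents, create the window,
    register the tag target and the three ordered tasks."""
    for name, state in (("StartInstancesForPatching", "started"),
                        ("StopInstancesAfterPatching", "stopped")):
        doc = automation_document(state)
        assert not undeclared_parameters(doc), undeclared_parameters(doc)
        ssm.create_document(Name=name, DocumentType="Automation",
                            DocumentFormat="JSON", Content=json.dumps(doc))
    window_id = ssm.create_maintenance_window(
        Name="nightly-patching", Schedule="cron(0 2 * * ? *)", Duration=3,
        Cutoff=1, AllowUnassociatedTargets=False)["WindowId"]
    target_id = ssm.register_target_with_maintenance_window(
        WindowId=window_id, ResourceType="INSTANCE",
        Targets=[{"Key": "tag:PatchGroup", "Values": ["nightly"]}])["WindowTargetId"]
    for task in window_tasks(window_id, target_id, window_role_arn, automation_role_arn):
        ssm.register_task_with_maintenance_window(**task)


if __name__ == "__main__":
    import boto3
    print("skipped if run now:", skipped_instances(SAMPLE_RESERVATIONS))
    register_everything(boto3.client("ssm"),
                        "arn:aws:iam::123456789012:role/MaintenanceWindowRole",
                        "arn:aws:iam::123456789012:role/AutomationRole")
```

Run `skipped_instances` against a real `describe_instances()` response just before and just after the window to see which nodes were down during the patch step; those are the ones that keep their findings even though the window "ran every day". Keep the window Duration long enough for the start step to bring the SSM agent online before the patch task is dispatched, and size Cutoff so the stop step still runs.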
