Good question!
From AWS's Patch Manager Documentation: https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-prerequisites.html
The managed nodes must have access to the source patch repositories. On Linux, these are typically from the remote repos configured on the node unless an alternative patch source repo is specified.
As for who kicks off the patches, patch baselines include rules for auto-approving patches. Otherwise, you could either schedule patches in a maintenance window or use tags.
Additionally, the instance needs access to the S3 buckets that SSM uses. More information here: https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-minimum-s3-permissions.html
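A preflight check for the two prerequisites named above (added example code, not from this thread or from AWS): it reads the repo definitions the way yum/dnf does, skips disabled repos, and tests TCP reachability of every repo host plus the regional S3 endpoint the SSM agent downloads from. The repo file contents and hostnames are constructed placeholders.

```python
import configparser
import socket
from urllib.parse import urlparse

# Constructed sample of a /etc/yum.repos.d/*.repo file; hostnames are placeholders.
SAMPLE_REPO = """
[internal-satellite]
name=Internal Red Hat Satellite
baseurl=https://satellite.example.internal/pulp/repos/rhel9
enabled=1
[epel-mirror]
name=EPEL via mirrorlist
mirrorlist=http://mirrors.example.internal/epel/9?arch=x86_64
enabled=1
[stale]
name=Disabled repos are never contacted, so the check skips them
baseurl=https://unused.example.internal/repo
enabled=0
"""

def repo_urls(repo_text: str) -> list[str]:
    """baseurl/mirrorlist URLs from every enabled repo section."""
    cfg = configparser.ConfigParser(interpolation=None)  # repo files use $releasever, not %
    cfg.read_string(repo_text)
    urls = []
    for section in cfg.sections():
        if cfg.get(section, "enabled", fallback="1") != "1":
            continue
        for key in ("baseurl", "mirrorlist"):
            urls.extend(cfg.get(section, key, fallback="").split())  # baseurl may list several
    return urls

def endpoints(repo_text: str, region: str) -> list[tuple[str, int]]:
    """(host, port) pairs the node must reach: its repos plus the regional S3 endpoint."""
    urls = repo_urls(repo_text) + [f"https://s3.{region}.amazonaws.com"]
    return [(u.hostname, u.port or (443 if u.scheme == "https" else 80))
            for u in map(urlparse, urls)]

def reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Plain TCP connect; False on DNS failure, timeout or refusal (no proxy awareness)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    for host, port in endpoints(SAMPLE_REPO, "us-east-1"):
        print(f"{host}:{port} -> {'ok' if reachable(host, port) else 'UNREACHABLE'}")
```

On a real node, replace SAMPLE_REPO with the concatenated contents of /etc/yum.repos.d/*.repo; a gateway VPC endpoint for S3 still resolves the same hostname, so the check stays valid there, but an HTTP proxy is not modelled.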
In this case, the private instances must have access to your private repos (ex: private WSUS server or internal Red Hat Satellite server). SSM patching in the end will call the "Windows Update" or "yum update" commands as usual - and they should be working.
The instance must be able to connect to the source patch repositories when patching through SSM.
https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-prerequisites.html