Step 2: Automated Patching

Author: Dean Suzuki, Siavash Irani (Last Updated: 4/1/20)

Abstract

When you manage a fleet of servers, a common operation is the need to patch them with the latest security patches. AWS provides a suite of tools to help you with keeping your servers patched. In this step, you will be getting experience with:

  • Systems Manager Patch Manger

  • Systems Manager Inventory

  • Systems Manager Compliance

  • Systems Manager Maintenance Windows

Use Systems Manager Patch Manager to configure patching

AWS Systems Manager Patch Manager automates the process of patching managed instances with both security related and other types of updates. You can use Patch Manager to apply patches for both operating systems and applications. (On Windows Server, application support is limited to updates for Microsoft applications.) You can patch fleets of Amazon EC2 instances or your on-premises servers and virtual machines (VMs) by operating system type. This includes supported versions of Windows Server, Ubuntu Server, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server (SLES), CentOS, Amazon Linux, and Amazon Linux 2. You can scan instances to see only a report of missing patches, or you can scan and automatically install all missing patches.

  1. Open Systems Manager and choose Patch Manager from the left navigation.
  2. Click Configure patching button
  3. Enter “OperatingSystem” as the tag key and “Windows” as the tag value
  4. Click the Add button
  5. Scroll to the Patching schedule and choose Schedule in a new Maintenance Window
  6. Review the fields available to set a Maintenance Window. You can use Maintenance Windows to define a Maintenance Window to do the patching.
  7. Go back to the Patching Schedule and select Skip scheduling and patch instances now. Since this is a lab, we are going to force the patching to occur right now.
  8. Scroll to the bottom and click the Configure Patching.
  9. Right-click on Run Command in the left navigation and open in a new tab. In Run Command, you can see the command running.
  10. Once the command finishes, you can select the Command History tab to see the results of the patching.

    NOTE: In the real-world application you would likely not patch immediately. For example, you could schedule patching for 2AM on the weekend. To perform this operation, you could create a Maintenance Window for the patching to occur at that time.

When a patching operation is performed on a Windows instance, the instance requests a snapshot of the appropriate patch baseline from Systems Manager. This snapshot contains the list of all updates available in the patch baseline that have been approved for deployment. This list of updates is sent to the Windows Update API, which determines which of the updates are applicable to the instance and installs them as needed. If any updates are installed, the instance is rebooted afterwards, as many times as necessary to complete all necessary patching. See the Patch Manager documentation for more information.

Please note that the patching may take some time to complete depending upon how many Microsoft patches has been released. Please continue forward with the next section.

Use Systems Manager Inventory to configure inventory

AWS Systems Manager Inventory provides visibility into your Amazon EC2 and on-premises computing environment. You can use Inventory to collect metadata from your managed instances. You can store this metadata in a central Amazon Simple Storage Service (Amazon S3) bucket, and then use built-in tools to query the data and quickly determine which instances are running the software and configurations required by your software policy, and which instances need to be updated. You can configure Inventory on all of your managed instances by using a one-click procedure. You can also configure and view inventory data from multiple AWS Regions and accounts.

  1. Choose Inventory from the left navigation. NOTE: you may see a red error at the top of this page. This will not impact your ability to configure inventory.
  2. Click Setup Inventory button.
  3. Scroll down to Targets and choose Specifying a tag
  4. Enter “OperatingSystem” as the tag key and “Windows” as the tag value
  5. Scroll to the bottom and click the Setup Inventory

Explore the Results

NOTE: It will take a few minutes to collect Inventory information from the instances.

  1. Choose Managed Instances from the left navigation. Managed Instances are instances that have the System Manager agent and have been configured for AWS System Manager. These machines could be EC2 instances or on-premises machines in a hybrid environment (see here for more information).
  2. Click the link in the Instance ID column of either instance
  3. Choose the Inventory tab at the top of the page to view inventory
  4. Use the Inventory Type dropdown to explore the information collected
  5. Choose the Patch tab at the top of the page to view patching status
  6. Explore the patches that have been applied to the instance
  7. Choose the Configuration Compliance tab at the top of the page
  8. From here you track the compliance with your patching and other policies
  9. Optionally return to the Inventory page to see an aggregate view across many instances

Check Compliance

You can use AWS Systems Manager Configuration Compliance to scan your fleet of managed instances for patch compliance and configuration inconsistencies. You can collect and aggregate data from multiple AWS accounts and Regions, and then drill down into specific resources that aren’t compliant. See here for more information.

  1. Choose Compliance from the left navigation.
  2. Notice the Compliance resource summary dashboard.
  3. With Patch Manager, you can define different compliance levels (e.g. Critical) for different types of patches. If a system is missing these patches, then they will show up on the compliance dashboard. This dashboard makes it easy for you to identify which systems are missing critical patches. A State Manager association is a configuration associated to your managed instance. See here for more information.