Author: Dean Suzuki, Siavash Irani (Last Updated: 4/1/20)
When you manage a fleet of servers, a common operation is patching them with the latest security patches. AWS provides a suite of tools to help you keep your servers patched. In this step, you will get experience with:
Systems Manager Patch Manager
Systems Manager Inventory
Systems Manager Compliance
Systems Manager Maintenance Windows
AWS Systems Manager Patch Manager automates the process of patching managed instances with both security-related and other types of updates. You can use Patch Manager to apply patches for both operating systems and applications. (On Windows Server, application support is limited to updates for Microsoft applications.) You can patch fleets of Amazon EC2 instances or your on-premises servers and virtual machines (VMs) by operating system type. This includes supported versions of Windows Server, Ubuntu Server, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server (SLES), CentOS, Amazon Linux, and Amazon Linux 2. You can scan instances to see only a report of missing patches, or you can scan and automatically install all missing patches.
Once the command finishes, you can select the Command History tab to see the results of the patching.
NOTE: In a real-world deployment you would likely not patch immediately. For example, you could schedule patching for 2AM on the weekend. To perform this operation, you could create a Maintenance Window so that the patching occurs at that time.
When a patching operation is performed on a Windows instance, the instance requests a snapshot of the appropriate patch baseline from Systems Manager. This snapshot contains the list of all updates available in the patch baseline that have been approved for deployment. This list of updates is sent to the Windows Update API, which determines which of the updates are applicable to the instance and installs them as needed. If any updates are installed, the instance is rebooted afterwards, as many times as necessary to complete all necessary patching. See the Patch Manager documentation for more information.
Please note that the patching may take some time to complete, depending upon how many Microsoft patches have been released. Please continue forward with the next section.
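The scheduled alternative described in the NOTE above, as an added example that is not part of the original workshop page: the code builds the Systems Manager objects that Patch Manager needs to run inside a Maintenance Window (the window itself, a target selected by the Patch Group tag, and an AWS-RunPatchBaseline task), then optionally creates them with boto3. The tag value WebServers, the 02:00 UTC Sunday schedule, the window duration, and the concurrency and error limits are assumptions chosen for the example; the page does not specify them.

```python
"""Added example (not the workshop's own code): schedule Patch Manager in a
Maintenance Window instead of patching immediately.

Assumptions (not from the page): instances carry the tag Patch Group=WebServers,
a patch baseline is already registered for that patch group, and the window
should open at 02:00 UTC on Sundays.
"""


def weekly_cron(hour: int, day_of_week: str = "SUN") -> str:
    """Systems Manager cron() expression for once a week at ``hour`` UTC.

    The six fields are: minutes hours day-of-month month day-of-week year.
    "?" in day-of-month means "unspecified" because day-of-week is given.
    """
    if not 0 <= hour <= 23:
        raise ValueError("hour must be 0-23")
    days = {"SUN", "MON", "TUE", "WED", "THU", "FRI", "SAT"}
    if day_of_week.upper() not in days:
        raise ValueError(f"unknown day of week: {day_of_week}")
    return f"cron(0 {hour} ? * {day_of_week.upper()} *)"


def maintenance_window_params(name: str, schedule: str, duration_hours: int, cutoff_hours: int) -> dict:
    """Keyword arguments for ssm.create_maintenance_window.

    Cutoff is the number of hours before the window closes after which no new
    task invocations start, so it has to be shorter than the window itself.
    """
    if not 1 <= duration_hours <= 24:
        raise ValueError("duration must be 1-24 hours")
    if not 0 <= cutoff_hours < duration_hours:
        raise ValueError("cutoff must be shorter than the window duration")
    return {
        "Name": name,
        "Schedule": schedule,
        "ScheduleTimezone": "UTC",
        "Duration": duration_hours,
        "Cutoff": cutoff_hours,
        # Only instances explicitly registered as window targets are touched.
        "AllowUnassociatedTargets": False,
    }


def patch_group_target(window_id: str, patch_group: str) -> dict:
    """Keyword arguments for ssm.register_target_with_maintenance_window.

    Selecting by the Patch Group tag keeps the window aligned with the patch
    baseline that Patch Manager picks for the same tag.
    """
    return {
        "WindowId": window_id,
        "ResourceType": "INSTANCE",
        "Targets": [{"Key": "tag:Patch Group", "Values": [patch_group]}],
    }


def patch_task(window_id: str, window_target_id: str,
               operation: str = "Install", reboot: str = "RebootIfNeeded") -> dict:
    """Keyword arguments for ssm.register_task_with_maintenance_window.

    Operation=Scan only reports missing patches; Operation=Install applies the
    approved ones. RebootOption=NoReboot leaves installed patches pending until
    the next reboot, which Patch Manager reports as InstalledPendingRebootCount.
    """
    if operation not in ("Scan", "Install"):
        raise ValueError("operation must be Scan or Install")
    if reboot not in ("RebootIfNeeded", "NoReboot"):
        raise ValueError("reboot must be RebootIfNeeded or NoReboot")
    return {
        "WindowId": window_id,
        "TaskArn": "AWS-RunPatchBaseline",
        "TaskType": "RUN_COMMAND",
        "Targets": [{"Key": "WindowTargetIds", "Values": [window_target_id]}],
        "Priority": 1,
        # Patch a fifth of the fleet at a time and stop if a tenth fails, so a
        # bad patch cannot take every server down in one pass (assumed limits).
        "MaxConcurrency": "20%",
        "MaxErrors": "10%",
        "TaskInvocationParameters": {
            "RunCommand": {"Parameters": {"Operation": [operation], "RebootOption": [reboot]}}
        },
    }


def apply(patch_group: str = "WebServers") -> dict:
    """Create the window, target and task with boto3 (needs AWS credentials)."""
    import boto3  # imported here so the builders above work without boto3 installed
    ssm = boto3.client("ssm")
    window = maintenance_window_params(f"patch-{patch_group}", weekly_cron(2),
                                       duration_hours=4, cutoff_hours=1)
    window_id = ssm.create_maintenance_window(**window)["WindowId"]
    target = ssm.register_target_with_maintenance_window(**patch_group_target(window_id, patch_group))
    task = ssm.register_task_with_maintenance_window(**patch_task(window_id, target["WindowTargetId"]))
    return {"WindowId": window_id, "WindowTargetId": target["WindowTargetId"],
            "WindowTaskId": task["WindowTaskId"]}


if __name__ == "__main__":
    print(apply())
```

Running the module calls the real API; importing it lets you inspect or unit-test the parameter builders first, which is where the Cutoff, RebootOption and MaxErrors choices are made and where a mistake would otherwise only show up at 2AM.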
AWS Systems Manager Inventory provides visibility into your Amazon EC2 and on-premises computing environment. You can use Inventory to collect metadata from your managed instances. You can store this metadata in a central Amazon Simple Storage Service (Amazon S3) bucket, and then use built-in tools to query the data and quickly determine which instances are running the software and configurations required by your software policy, and which instances need to be updated. You can configure Inventory on all of your managed instances by using a one-click procedure. You can also configure and view inventory data from multiple AWS Regions and accounts.
NOTE: It will take a few minutes to collect Inventory information from the instances.
You can use AWS Systems Manager Configuration Compliance to scan your fleet of managed instances for patch compliance and configuration inconsistencies. You can collect and aggregate data from multiple AWS accounts and Regions, and then drill down into specific resources that aren’t compliant. See here for more information.
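The drill-down this section describes, as an added example that is not code from the original page: the script takes the kind of data Compliance aggregates for patching (the shape of ssm.describe_instance_patch_states() and ssm.list_compliance_items() responses) and ranks instances that still need attention, separating missing patches, failed installs, and patches that are installed but waiting for a reboot. The instance IDs, patch IDs and counts are constructed sample values, not a real fleet, and the Patch Group name WebServers is an assumption.

```python
"""Added example (not the workshop's own code): triage Patch Manager
compliance results after a Scan or Install run.

PATCH_STATES mimics ssm.describe_instance_patch_states()["InstancePatchStates"]
and COMPLIANCE_ITEMS mimics ssm.list_compliance_items()["ComplianceItems"];
every value below is constructed sample data.
"""
from collections import defaultdict

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1,
                 "INFORMATIONAL": 0, "UNSPECIFIED": 0}

# Constructed sample: per-instance summary counts as reported by Patch Manager.
PATCH_STATES = [
    {"InstanceId": "i-0aaa", "PatchGroup": "WebServers", "Operation": "Install",
     "InstalledCount": 120, "MissingCount": 0, "FailedCount": 0, "InstalledPendingRebootCount": 3},
    {"InstanceId": "i-0bbb", "PatchGroup": "WebServers", "Operation": "Scan",
     "InstalledCount": 98, "MissingCount": 4, "FailedCount": 0, "InstalledPendingRebootCount": 0},
    {"InstanceId": "i-0ccc", "PatchGroup": "WebServers", "Operation": "Install",
     "InstalledCount": 100, "MissingCount": 1, "FailedCount": 2, "InstalledPendingRebootCount": 0},
    {"InstanceId": "i-0ddd", "PatchGroup": "WebServers", "Operation": "Install",
     "InstalledCount": 125, "MissingCount": 0, "FailedCount": 0, "InstalledPendingRebootCount": 0},
]

# Constructed sample: one compliance item per patch per instance.
def _item(iid, pid, status, sev, state):
    return {"ResourceId": iid, "ComplianceType": "Patch", "Id": pid, "Status": status,
            "Severity": sev, "Details": {"PatchState": state}}

COMPLIANCE_ITEMS = [
    _item("i-0bbb", "KB5001", "NON_COMPLIANT", "CRITICAL", "Missing"),
    _item("i-0bbb", "KB5002", "NON_COMPLIANT", "MEDIUM", "Missing"),
    _item("i-0bbb", "KB5003", "NON_COMPLIANT", "LOW", "Missing"),
    _item("i-0bbb", "KB5004", "NON_COMPLIANT", "HIGH", "Missing"),
    _item("i-0ccc", "KB5005", "NON_COMPLIANT", "HIGH", "Failed"),
    _item("i-0ccc", "KB5006", "NON_COMPLIANT", "LOW", "Failed"),
    _item("i-0ccc", "KB5007", "NON_COMPLIANT", "MEDIUM", "Missing"),
    _item("i-0aaa", "KB5008", "COMPLIANT", "CRITICAL", "InstalledPendingReboot"),
]


def triage(patch_states, compliance_items):
    """Return one finding per instance that needs attention, worst first.

    Missing or failed patches are the obvious cases; an instance whose patches
    are installed but pending a reboot is also listed, because the fix is not
    in effect until the reboot happens.
    """
    worst = defaultdict(int)          # instance -> highest severity still outstanding
    outstanding = defaultdict(list)   # instance -> patch ids still Missing/Failed
    for item in compliance_items:
        if item["ComplianceType"] != "Patch" or item["Status"] != "NON_COMPLIANT":
            continue
        iid = item["ResourceId"]
        outstanding[iid].append(item["Id"])
        worst[iid] = max(worst[iid], SEVERITY_RANK.get(item["Severity"], 0))

    findings = []
    for state in patch_states:
        iid = state["InstanceId"]
        reasons = []
        if state["MissingCount"]:
            reasons.append(f"{state['MissingCount']} missing")
        if state["FailedCount"]:
            reasons.append(f"{state['FailedCount']} failed")
        if state["InstalledPendingRebootCount"]:
            reasons.append(f"{state['InstalledPendingRebootCount']} pending reboot")
        if state["Operation"] == "Scan" and state["MissingCount"]:
            reasons.append("scan only, nothing installed yet")
        if reasons:
            findings.append({"InstanceId": iid, "PatchGroup": state["PatchGroup"],
                             "WorstSeverity": worst[iid],
                             "Outstanding": sorted(outstanding[iid]), "Reasons": reasons})
    # Highest severity first, then the most outstanding patches, then by id.
    findings.sort(key=lambda f: (-f["WorstSeverity"], -len(f["Outstanding"]), f["InstanceId"]))
    return findings


def compliant_instances(patch_states, compliance_items):
    """Instances with nothing missing, failed or pending reboot."""
    flagged = {f["InstanceId"] for f in triage(patch_states, compliance_items)}
    return sorted(s["InstanceId"] for s in patch_states if s["InstanceId"] not in flagged)


if __name__ == "__main__":
    for f in triage(PATCH_STATES, COMPLIANCE_ITEMS):
        print(f["InstanceId"], f["Reasons"], "outstanding:", f["Outstanding"])
    print("compliant:", compliant_instances(PATCH_STATES, COMPLIANCE_ITEMS))
```

The ordering is the point: the instance that only ran a Scan and is missing a CRITICAL patch comes out first, the one with failed installs next, and the one whose patches are installed but not yet active because of a pending reboot is still reported rather than being counted as done.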