Patch Manager


This course covers the core learning objective to meet the requirements of the 'Architecting for Management & Governance in AWS - Level 3' skill

Learning Objectives:

  • Analyze how to design a multi-account AWS environment for complex organizations
  • Analyze an effective patch management strategy for your AWS resources
  • Analyze the most effective and appropriate logging and monitoring strategy for multiple resources
  • Evaluate an appropriate AWS offering(s) to enable configuration management automation

Patch Manager is the secure and scalable management feature of Systems Manager that lets you automate the patching of managed instances with both security and reliability patches. You can use Patch Manager to apply updates to both the operating system and the applications running on managed instances, and you can patch fleets of managed instances by operating system type, including Amazon Linux, Amazon Linux 2, Ubuntu Server, and Windows Server, among others.

Managed instances can be scanned to report missing patches, or they can be scanned and have the missing patches installed automatically. You can also generate patch compliance reports. Patch Manager integrates with AWS CloudTrail, Amazon EventBridge, Amazon S3, AWS Config, and AWS Identity and Access Management, which lets you gather patch data and send it to other AWS services when necessary.

So where are these patches defined? Patch Manager uses what are called patch baselines. AWS Systems Manager provides predefined patch baselines for each operating system it supports. You can use these baselines as-is, or you can create your own custom patch baselines. Custom patch baselines give you greater control and flexibility in managing your fleet's patch strategy. The predefined patch baselines usually include vendor patches classified as Security or Bugfix with a severity of Critical or Important.

Consider a large fleet of instances that need patching. There are a few important details to keep in mind for patch deployment. You can use a patch group to designate groups of instances that are to be patched with a specific baseline. Patch groups help you organize your patch deployment strategy across environments, such as development and production, or across application tiers, such as web servers, application servers, or data servers. You create a patch group using resource tags.

A patch group resource tag must be defined using the tag key Patch Group. This is a specific key: two words, Patch with a capital P and Group with a capital G, separated by one space. The key is case sensitive and it is required. You can assign any value, such as web servers or app servers, to the Patch Group key. There are five Systems Manager documents available to help patch your instances with the latest security-related updates. They provide a full range of patching options for Windows updates and Linux patch baselines.

Last but not least, keep in mind that you can also define maintenance windows for your patches, so that they are only applied during preset times. Patch Manager ensures that your software is up to date and meets your compliance policies. The five SSM documents are AWS-ConfigureWindowsUpdate, AWS-InstallWindowsUpdates, AWS-RunPatchBaseline, AWS-RunPatchBaselineAssociation, and AWS-RunPatchBaselineWithHooks.
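As an added example (not part of the course), the following Python ties the lecture's steps together: it builds the request body for a custom baseline matching the predefined Security/Bugfix, Critical/Important rules, builds a scan-only AWS-RunPatchBaseline run targeted by the Patch Group tag, and audits a fleet's tags first so instances with a mis-cased key are caught before the maintenance window. It makes no AWS calls; the instance IDs and tag values are constructed, and the dicts are the JSON shapes accepted by `aws ssm create-patch-baseline` and `aws ssm send-command` via `--cli-input-json`.

```python
from collections import defaultdict

# Patch Manager matches this tag key exactly: two words, capital P and G, one space.
PATCH_GROUP_KEY = "Patch Group"

def baseline_request(name: str, approve_after_days: int = 7) -> dict:
    """Custom Amazon Linux 2 baseline mirroring the predefined rules the lecture
    describes (Security/Bugfix classification, Critical/Important severity)."""
    filters = [
        {"Key": "CLASSIFICATION", "Values": ["Security", "Bugfix"]},
        {"Key": "SEVERITY", "Values": ["Critical", "Important"]},
    ]
    rule = {
        "PatchFilterGroup": {"PatchFilters": filters},
        "ApproveAfterDays": approve_after_days,  # wait before auto-approving
        "ComplianceLevel": "CRITICAL",           # missing patch => CRITICAL non-compliance
    }
    return {"Name": name, "OperatingSystem": "AMAZON_LINUX_2",
            "ApprovalRules": {"PatchRules": [rule]}}

def scan_request(patch_group: str) -> dict:
    """AWS-RunPatchBaseline in Scan mode (report missing patches, install
    nothing) against every instance carrying the given patch group tag."""
    return {
        "DocumentName": "AWS-RunPatchBaseline",
        "Targets": [{"Key": "tag:" + PATCH_GROUP_KEY, "Values": [patch_group]}],
        "Parameters": {"Operation": ["Scan"]},
    }

def audit_patch_group_tags(instances: list) -> tuple:
    """Group instance IDs by patch group value and list instances whose key will
    not match (wrong case/spacing): those silently get the OS default baseline."""
    groups, unmatched = defaultdict(list), []
    for inst in instances:
        value = inst["Tags"].get(PATCH_GROUP_KEY)
        if value is None:
            unmatched.append(inst["InstanceId"])
        else:
            groups[value].append(inst["InstanceId"])
    return dict(groups), unmatched

# Constructed sample fleet; instance IDs and tags are made up for this example.
FLEET = [
    {"InstanceId": "i-0aaa", "Tags": {"Patch Group": "WebServers"}},
    {"InstanceId": "i-0bbb", "Tags": {"Patch Group": "WebServers"}},
    {"InstanceId": "i-0ccc", "Tags": {"Patch Group": "AppServers"}},
    {"InstanceId": "i-0ddd", "Tags": {"patch group": "WebServers"}},  # lower case
    {"InstanceId": "i-0eee", "Tags": {"PatchGroup": "AppServers"}},   # no space
]
```

Running `audit_patch_group_tags(FLEET)` reports i-0ddd and i-0eee as unmatched, which is exactly the silent fallback to the default baseline that the case-sensitive key causes.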

About the Author
Jorge Negrón
AWS Content Architect

Experienced in the architecture and delivery of cloud-based solutions, the development and delivery of technical training, defining requirements and use cases, and validating architectures for results. Excellent leadership, communication, and presentation skills with attention to detail. Hands-on administration and development experience with the ability to mentor and train in current and emerging technologies (Cloud, ML, IoT, Microservices, Big Data & Analytics).