Author: Dean Suzuki, Siavash Irani, Barret Newman (Last Updated: 8/12/20)
When you manage a fleet of servers, a common task is applying the latest security patches to them. AWS provides a suite of tools to help keep your servers patched. In this step, you will get hands-on experience with the following AWS Systems Manager capabilities:
Patch Manager: Automates the process of patching managed instances
Inventory: Collect metadata from your managed instances
Compliance: Scan your fleet of managed instances for patch compliance and configuration inconsistencies
Maintenance Windows: Define a schedule for when to perform potentially disruptive actions on your instances
Before you can use this lab, the lab environment must be set up.
If the lab was set up by the AWS team, then the CloudFormation template should already have been deployed as part of that setup.
You can check whether the lab was set up by looking at the EC2 instances. If instances named WEB01 and WEB02 are present, then the lab was set up.
If the lab wasn’t set up, then you can set up the environment yourself using CloudFormation. Here is the template: CloudFormation-Template.
NOTE: Both the Remote Management using Session Manager and Run Command and Patching Windows Server and Microsoft Workloads at Scale on AWS utilize the same base CloudFormation Template. This CloudFormation template only needs to be deployed once, and can be used across both lab modules without having to be deleted or re-created.
AWS Systems Manager Patch Manager automates the process of patching managed instances with both security related and other types of updates. You can use Patch Manager to apply patches for both operating systems and applications. (On Windows Server, application support is limited to updates for Microsoft applications.) You can patch fleets of Amazon EC2 instances or your on-premises servers and virtual machines (VMs) by operating system type. This includes supported versions of Windows Server, Ubuntu Server, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server (SLES), CentOS, Amazon Linux, and Amazon Linux 2. You can scan instances to see only a report of missing patches, or you can scan and automatically install all missing patches.
In addition to Patch Manager, we will also be making use of the Maintenance Windows capability in AWS Systems Manager for this portion of the lab.
AWS Systems Manager Maintenance Windows let you define a schedule for when to perform potentially disruptive actions on your instances such as patching an operating system, updating drivers, or installing software or patches. Maintenance Windows also lets you schedule actions on numerous other AWS resource types, such as Amazon Simple Storage Service (Amazon S3) buckets, Amazon Simple Queue Service (Amazon SQS) queues, AWS Key Management Service (AWS KMS) keys, and many more.
Open Systems Manager and choose Patch Manager from the left navigation.
Click the Configure patching button
Enter “OperatingSystem” as the tag key and “Windows” as the tag value
Click the Add button
Scroll to the Patching schedule and choose Schedule in a new Maintenance Window
Review the fields available for setting a Maintenance Window. This is where you would define a Maintenance Window to run the patching on a schedule.
Go back to the Patching Schedule and select Skip scheduling and patch instances now. Since this is a lab, we are going to force the patching to occur right now.
Scroll to the bottom and click Configure patching.
Right-click on Run Command in the left navigation and open in a new tab. In Run Command, you can see the command running.
Once the command finishes, you can select the Command History tab to see the results of the patching.
NOTE: In real-world use you would likely not patch immediately. For example, you could schedule patching for 2AM on the weekend. To do this, you would create a Maintenance Window for the patching to occur at that time.
When a patching operation is performed on a Windows instance, the instance requests a snapshot of the appropriate patch baseline from Systems Manager. This snapshot contains the list of all updates available in the patch baseline that have been approved for deployment. This list of updates is sent to the Windows Update API, which determines which of the updates are applicable to the instance and installs them as needed. If any updates are installed, the instance is rebooted afterwards, as many times as necessary to complete all necessary patching. See the Patch Manager documentation for more information.
Please note that the patching may take some time to complete depending upon how many Microsoft patches have been released. Continue with the next section while it runs.
AWS Systems Manager Inventory provides visibility into your Amazon EC2 and on-premises computing environment. You can use Inventory to collect metadata from your managed instances. You can store this metadata in a central Amazon Simple Storage Service (Amazon S3) bucket, and then use built-in tools to query the data and quickly determine which instances are running the software and configurations required by your software policy, and which instances need to be updated. You can configure Inventory on all of your managed instances by using a one-click procedure. You can also configure and view inventory data from multiple AWS Regions and accounts.
NOTE: It will take a few minutes to collect Inventory information from the instances.
AWS Systems Manager Configuration Compliance can be used to scan your fleet of managed instances for patch compliance and configuration inconsistencies. You can collect and aggregate data from multiple AWS accounts and Regions, and then drill down into specific resources that aren’t compliant.
NOTE: It will take a few minutes to collect Compliance information from the instances. If a page opens with more information on how to set up Compliance, wait 2-5 minutes and retry accessing Compliance from the left navigation.
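As an added illustration of the two pieces described above, the patch-baseline snapshot and applicability check from the Patch Manager section and the per-patch compliance states that the Compliance section reports, the following Python models a baseline approval rule producing the approved snapshot, the applicability decision against one instance, and the resulting compliance states. This is example code written for this page, not code from the lab or from AWS: the real evaluation runs inside SSM Agent and the Windows Update API, and the KB numbers, release dates, product names and the WEB01 installed set below are constructed sample data.

```python
"""Simplified model of a Patch Manager run on one Windows instance.

Added example for this lab page; it is not AWS code and calls no AWS API.
It models the steps the text describes:
  1. the baseline snapshot: updates a baseline rule has approved for deployment,
  2. the applicability decision made against the instance,
  3. the per-patch compliance state that Compliance reports afterwards.
All KB numbers, products and dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Update:
    kb: str
    classification: str  # e.g. "SecurityUpdates", "CriticalUpdates", "Updates"
    severity: str        # MSRC severity, e.g. "Critical", "Important"
    released: date
    product: str         # e.g. "WindowsServer2019"


@dataclass(frozen=True)
class ApprovalRule:
    """Shape of a baseline approval rule: filters plus an approve-after delay."""
    classifications: frozenset
    severities: frozenset
    approve_after_days: int


def approved_snapshot(catalog, rule, today):
    """Step 1: updates the baseline has approved as of `today`.

    An update is approved only if it matches the rule's filters and has been
    public for at least approve_after_days (time to catch a bad patch).
    """
    cutoff = today - timedelta(days=rule.approve_after_days)
    return [u for u in catalog
            if u.classification in rule.classifications
            and u.severity in rule.severities
            and u.released <= cutoff]


def compliance_report(catalog, approved, instance_product, installed_kbs):
    """Steps 2 and 3: classify updates for one instance, as a Scan would.

    States used (a subset of Patch Manager's):
      INSTALLED        approved by the baseline and present on the instance
      MISSING          approved and applicable but absent; Install would apply it
      INSTALLED_OTHER  present although the baseline did not approve it
      NOT_APPLICABLE   approved, but not for this instance's product
    Updates that are neither approved nor installed are not reported.
    """
    approved_kbs = {u.kb for u in approved}
    report = {}
    for u in catalog:
        if u.kb in installed_kbs:
            report[u.kb] = "INSTALLED" if u.kb in approved_kbs else "INSTALLED_OTHER"
        elif u.kb in approved_kbs:
            report[u.kb] = "MISSING" if u.product == instance_product else "NOT_APPLICABLE"
    return report


def install_plan(report):
    """What an Install would do: KBs to install, and whether a reboot follows."""
    missing = sorted(kb for kb, state in report.items() if state == "MISSING")
    return missing, bool(missing)


def is_compliant(report):
    """Compliant when nothing approved and applicable is missing."""
    return all(state != "MISSING" for state in report.values())


# Constructed sample data (not real Microsoft KB identifiers).
TODAY = date(2020, 8, 12)
CATALOG = [
    Update("KB900001", "SecurityUpdates", "Critical",  date(2020, 7, 14), "WindowsServer2019"),
    Update("KB900002", "SecurityUpdates", "Important", date(2020, 8, 11), "WindowsServer2019"),  # too recent
    Update("KB900003", "Updates",         "Moderate",  date(2020, 6, 9),  "WindowsServer2019"),  # not a security class
    Update("KB900004", "CriticalUpdates", "Critical",  date(2020, 5, 12), "WindowsServer2019"),
    Update("KB900005", "SecurityUpdates", "Critical",  date(2020, 7, 14), "WindowsServer2016"),  # other product
]
RULE = ApprovalRule(frozenset({"SecurityUpdates", "CriticalUpdates"}),
                    frozenset({"Critical", "Important"}), approve_after_days=7)
WEB01_PRODUCT = "WindowsServer2019"
WEB01_INSTALLED = frozenset({"KB900003", "KB900004"})


def scan_web01():
    """Scan WEB01 against the baseline and return its compliance report."""
    approved = approved_snapshot(CATALOG, RULE, TODAY)
    return compliance_report(CATALOG, approved, WEB01_PRODUCT, WEB01_INSTALLED)


def install_web01():
    """Run Install on WEB01 and return the report after the simulated reboot."""
    to_install, _reboot = install_plan(scan_web01())
    approved = approved_snapshot(CATALOG, RULE, TODAY)
    return compliance_report(CATALOG, approved, WEB01_PRODUCT,
                             WEB01_INSTALLED | set(to_install))


if __name__ == "__main__":
    before = scan_web01()
    print("scan:", before, "compliant:", is_compliant(before))
    print("install plan:", install_plan(before))
    after = install_web01()
    print("after install:", after, "compliant:", is_compliant(after))
```

In the sample, the approve-after delay keeps KB900002 out of the snapshot even though it is a security update, which is the behaviour the "Skip scheduling and patch instances now" step inherits from the default baseline; the scan reports WEB01 as non-compliant only for KB900001, and after the simulated Install the same report shows it compliant.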