- Install and Configure SSM Agent: Ensure that the SSM Agent is installed and running on your EC2 instances, that each instance has an IAM instance profile with the `AmazonSSMManagedInstanceCore` policy attached, and that it can reach the Systems Manager endpoints (via the internet or VPC endpoints). The agent is preinstalled on most AWS-provided AMIs (Amazon Linux, Ubuntu Server, Windows Server); you can list the instances that are actually managed with `aws ssm describe-instance-information`. Keep the agent current on multiple instances at once with a State Manager association that runs the `AWS-UpdateSSMAgent` document, created with the AWS CLI's `create-association` command. Here's an example command:

```bash
aws ssm create-association --name "AWS-UpdateSSMAgent" --targets "Key=InstanceIds,Values=i-1234567890abcdef0"
```

Replace "i-1234567890abcdef0" with the instance IDs you want to target. An association can only reach instances whose agent is already running and registered, so an instance that is not yet managed must get the agent through user data or a manual install first.
- Create an SSM Patch Baseline: Create an SSM Patch Baseline that defines which patches are automatically approved for your instances. Use the `create-patch-baseline` command. Approval rules are a list of `PatchRules`, each with a `PatchFilterGroup` of filters and an `ApproveAfterDays` delay after the vendor releases a patch. An example for Windows Server 2019 that approves security updates seven days after release:

```bash
aws ssm create-patch-baseline --name "MyPatchBaseline" --operating-system "WINDOWS" --approval-rules "PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=PRODUCT,Values=[WindowsServer2019]},{Key=CLASSIFICATION,Values=[SecurityUpdates]}]},ApproveAfterDays=7}]"
```

Note the `BaselineId` (`pb-...`) in the response; you need it in the next step. Patch Manager only applies this baseline to instances whose patch group is registered with it; otherwise the AWS-managed default baseline for the operating system is used.
- Define Patch Group Tags: Tag your EC2 instances with a patch group tag and register that patch group with your baseline. This is how Patch Manager decides which baseline applies to an instance. You can tag instances when launching them or use the `create-tags` command, then bind the group to the baseline with `register-patch-baseline-for-patch-group`:

```bash
aws ec2 create-tags --resources "i-1234567890abcdef0" --tags "Key=PatchGroup,Value=MyPatchGroup"
aws ssm register-patch-baseline-for-patch-group --baseline-id "YourBaselineId" --patch-group "MyPatchGroup"
```

Replace "i-1234567890abcdef0" with your instance ID and "YourBaselineId" with the `BaselineId` returned by `create-patch-baseline`. Patch Manager accepts either `PatchGroup` or `Patch Group` (with a space) as the tag key, and a patch group can be registered with only one baseline per operating system.
- Create a Maintenance Window: Use the `create-maintenance-window` command to create a Maintenance Window. Specify the schedule for when patches should be applied (cron or rate syntax), the length of the window in hours (`--duration`), and the cutoff in hours before the end of the window after which no new task invocations start (`--cutoff`). For example, every Sunday at 02:00 UTC:

```bash
aws ssm create-maintenance-window --name "PatchWindow" --schedule "cron(0 2 ? * SUN *)" --schedule-timezone "Etc/UTC" --duration 3 --cutoff 1 --no-allow-unassociated-targets
```

Replace the cron expression with the schedule you desire, and note the `WindowId` (`mw-...`) in the response. `--no-allow-unassociated-targets` restricts tasks to targets you explicitly register with the window; pass `--allow-unassociated-targets` only if you intend to name instances directly in a task instead.
- Create a Maintenance Window Task: First register the patch group as a target of the window with `register-target-with-maintenance-window`, then use `register-task-with-maintenance-window` to create a Run Command task that executes the `AWS-RunPatchBaseline` document against that target. The task ARN is the name of the SSM document, not the patch baseline; each instance's patch group determines which baseline `AWS-RunPatchBaseline` applies.

```bash
aws ssm register-target-with-maintenance-window --window-id "YourWindowId" --resource-type "INSTANCE" --targets "Key=tag:PatchGroup,Values=MyPatchGroup"
aws ssm register-task-with-maintenance-window --window-id "YourWindowId" --targets "Key=WindowTargetIds,Values=YourWindowTargetId" --task-arn "AWS-RunPatchBaseline" --task-type "RUN_COMMAND" --task-invocation-parameters '{"RunCommand":{"Parameters":{"Operation":["Install"],"RebootOption":["RebootIfNeeded"]}}}' --max-concurrency "25%" --max-errors "10%" --priority 1 --service-role-arn "YourServiceRoleArn"
```

Replace "YourWindowId" with the `WindowId` from the previous step, "YourWindowTargetId" with the `WindowTargetId` returned by the first command, and "YourServiceRoleArn" with the ARN of a role that `ssm.amazonaws.com` is allowed to assume (omit `--service-role-arn` to use the Systems Manager service-linked role). Targeting the tag rather than instance IDs means newly launched instances in the patch group are picked up automatically. `--max-concurrency` and `--max-errors` bound how many instances patch at once and when the task stops, so a bad patch cannot take down the whole group in a single window.
- Run the Maintenance Window: The Maintenance Window runs automatically on the specified schedule; `aws ssm describe-maintenance-window-executions --window-id "YourWindowId"` shows past runs and their status. The CLI has no command to start a window outside its schedule, but you can run the same patch operation immediately with `send-command` and the `AWS-RunPatchBaseline` document (`AWS-ApplyPatchBaseline` is the legacy, Windows-only document and should not be used for new setups):

```bash
aws ssm send-command --document-name "AWS-RunPatchBaseline" --targets "Key=tag:PatchGroup,Values=MyPatchGroup" --parameters '{"Operation":["Scan"]}'
```

Use `Scan` first to report missing patches without installing anything, then `Install` when you are ready. Check the outcome per instance with `aws ssm describe-instance-patch-states-for-patch-group --patch-group "MyPatchGroup"`: a `MissingCount` or `FailedCount` above zero means the instance is not yet compliant, and `InstalledPendingRebootCount` above zero means patches are installed but a reboot is still required.
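The steps above chained into one script, as an added example that is not part of the original page or of any AWS tooling. It wraps every AWS call in `aws_cli` so that `DRY_RUN=1` prints each command and returns canned IDs, which lets the whole flow be exercised offline; the baseline name, schedule, `PatchGroup` tag value, `MW_ROLE_ARN` variable and the `aws_cli`, `setup_patching`, `noncompliant_instances` and `report_compliance` function names are this example's own assumptions. The compliance check parses the tab-separated output that `describe-instance-patch-states-for-patch-group` produces with the `--query` shown, so it needs no JSON tooling on the box.

```bash
#!/usr/bin/env bash
# Added example: Patch Manager + Maintenance Window setup, plus a compliance check.
# DRY_RUN=1 prints each AWS CLI command to stderr instead of calling AWS (assumed
# wrapper; not an AWS feature). Names, schedule and tag value are assumptions.
set -eu

REGION="${AWS_REGION:-us-east-1}"
PATCH_GROUP="${PATCH_GROUP:-MyPatchGroup}"        # value of the PatchGroup tag on the instances
BASELINE_NAME="${BASELINE_NAME:-MyPatchBaseline}"
WINDOW_NAME="${WINDOW_NAME:-PatchWindow}"
SCHEDULE="${SCHEDULE:-cron(0 2 ? * SUN *)}"       # Sundays 02:00 in SCHEDULE_TZ
SCHEDULE_TZ="${SCHEDULE_TZ:-Etc/UTC}"
MW_ROLE_ARN="${MW_ROLE_ARN:-}"                    # empty: use the SSM service-linked role

# Wrapper around the AWS CLI. In dry-run mode it fakes the ID the real call would
# print with --query/--output text, so the later steps still chain together.
aws_cli() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'aws %s\n' "$*" >&2
    case "$1 $2" in
      "ssm create-patch-baseline")                   echo "pb-DRYRUN" ;;
      "ssm create-maintenance-window")               echo "mw-DRYRUN" ;;
      "ssm register-target-with-maintenance-window") echo "tgt-DRYRUN" ;;
      "ssm register-task-with-maintenance-window")   echo "task-DRYRUN" ;;
      *)                                             echo "" ;;
    esac
  else
    aws --region "$REGION" "$@"
  fi
}

create_baseline() {        # prints the BaselineId
  aws_cli ssm create-patch-baseline --name "$BASELINE_NAME" --operating-system WINDOWS \
    --approval-rules 'PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=PRODUCT,Values=[WindowsServer2019]},{Key=CLASSIFICATION,Values=[SecurityUpdates]}]},ApproveAfterDays=7}]' \
    --query BaselineId --output text
}

register_patch_group() {   # $1 = baseline id; binds the PatchGroup tag value to that baseline
  aws_cli ssm register-patch-baseline-for-patch-group --baseline-id "$1" --patch-group "$PATCH_GROUP" >/dev/null
}

create_window() {          # prints the WindowId; only registered targets may be patched
  aws_cli ssm create-maintenance-window --name "$WINDOW_NAME" --schedule "$SCHEDULE" \
    --schedule-timezone "$SCHEDULE_TZ" --duration 3 --cutoff 1 --no-allow-unassociated-targets \
    --query WindowId --output text
}

register_target() {        # $1 = window id; targeting the tag picks up new instances automatically
  aws_cli ssm register-target-with-maintenance-window --window-id "$1" --resource-type INSTANCE \
    --targets "Key=tag:PatchGroup,Values=$PATCH_GROUP" --query WindowTargetId --output text
}

register_task() {          # $1 = window id, $2 = window target id; prints the WindowTaskId
  local window_id="$1" target_id="$2"
  set -- ssm register-task-with-maintenance-window --window-id "$window_id" \
    --targets "Key=WindowTargetIds,Values=$target_id" \
    --task-arn AWS-RunPatchBaseline --task-type RUN_COMMAND \
    --task-invocation-parameters '{"RunCommand":{"Parameters":{"Operation":["Install"],"RebootOption":["RebootIfNeeded"]}}}' \
    --max-concurrency 25% --max-errors 10% --priority 1 \
    --query WindowTaskId --output text
  if [ -n "$MW_ROLE_ARN" ]; then set -- "$@" --service-role-arn "$MW_ROLE_ARN"; fi
  aws_cli "$@"
}

setup_patching() {         # the full procedure; prints the IDs it created
  local baseline_id window_id target_id task_id
  baseline_id=$(create_baseline)
  register_patch_group "$baseline_id"
  window_id=$(create_window)
  target_id=$(register_target "$window_id")
  task_id=$(register_task "$window_id" "$target_id")
  printf 'baseline=%s window=%s target=%s task=%s\n' "$baseline_id" "$window_id" "$target_id" "$task_id"
}

scan_now() {               # on-demand Scan (no installs) across the patch group; prints the CommandId
  aws_cli ssm send-command --document-name AWS-RunPatchBaseline \
    --targets "Key=tag:PatchGroup,Values=$PATCH_GROUP" \
    --parameters '{"Operation":["Scan"]}' --query Command.CommandId --output text
}

# Reads "InstanceId<TAB>MissingCount<TAB>FailedCount<TAB>InstalledPendingRebootCount" lines on
# stdin (the shape report_compliance's --query yields) and prints one line per instance that
# still has missing or failed patches or is waiting for a reboot.
noncompliant_instances() {
  local tab id missing failed pending
  tab=$(printf '\t')
  while IFS="$tab" read -r id missing failed pending; do
    [ -z "$id" ] && continue
    if [ "$missing" -gt 0 ] || [ "$failed" -gt 0 ] || [ "$pending" -gt 0 ]; then
      printf '%s missing=%s failed=%s pending_reboot=%s\n' "$id" "$missing" "$failed" "$pending"
    fi
  done
}

report_compliance() {      # non-empty output means the patch group is not yet compliant
  aws_cli ssm describe-instance-patch-states-for-patch-group --patch-group "$PATCH_GROUP" \
    --query 'InstancePatchStates[].[InstanceId,MissingCount,FailedCount,InstalledPendingRebootCount]' \
    --output text | noncompliant_instances
}

# Usage: RUN_SETUP=1 ./patch-setup.sh   (add DRY_RUN=1 to preview the commands first)
if [ "${RUN_SETUP:-0}" = "1" ]; then setup_patching; fi
```

Run it once with `DRY_RUN=1 RUN_SETUP=1` to review every command before it touches the account, then without `DRY_RUN`. `scan_now` followed by `report_compliance` gives a quick pre-window picture of what the Install task will change; an instance listed with `pending_reboot` has its patches installed but is not protected until it restarts.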
By following these steps with the AWS CLI, you can set up patch management for your EC2 instances using AWS Systems Manager Patch Manager and Maintenance Windows. This automates the process of keeping your instances up to date with security patches based on the defined patch baselines.