Automating AWS Systems Manager Patch Management: A Step-by-Step Guide with AWS CLI

This guide explains the parameters of each AWS CLI command and shows how to use them in one scenario: Ubuntu instances in a development environment that are patched on a weekly schedule from their own patch baseline.

Step 1: Tag Each Instance Based on Its Environment and OS:

Use the aws ec2 create-tags command to tag each EC2 instance based on its environment and OS. The parameters are:

  • --resources: The ID of the instance you want to tag (several IDs can be given in one call).
  • --tags: The tags to add, as Key=...,Value=... pairs (several tags can be given in one call).

# Tag instances with their environment
aws ec2 create-tags --resources i-0123456789abcdef0 --tags Key=Environment,Value=Development

# Tag instances with their OS type (e.g., Ubuntu)
aws ec2 create-tags --resources i-0123456789abcdef1 --tags Key=OS,Value=Ubuntu

Replace i-0123456789abcdef0 and i-0123456789abcdef1 with your actual instance IDs, and set appropriate values for the Environment and OS tags. Patch Manager itself does not read these two tags; they are what you use in Step 3 to decide which Patch Group an instance belongs to.

Step 2: Create a Patch Baseline in AWS Systems Manager Patch Manager for Each Environment:

Use the aws ssm create-patch-baseline command to create a patch baseline for each environment. The parameters are:

  • --name: The name for the patch baseline.
  • --operating-system: The operating system the baseline applies to (for example UBUNTU). A baseline covers exactly one operating system, so you need one per OS as well as one per environment.
  • --approval-rules: The approval rules, as a PatchRules list. Each rule must contain a PatchFilterGroup (the patch filters, such as PRODUCT or PRIORITY) and can set ApproveAfterDays and ComplianceLevel.

# Create a patch baseline for the development environment
aws ssm create-patch-baseline \
  --name DevelopmentBaseline \
  --operating-system UBUNTU \
  --approval-rules '{"PatchRules":[{"PatchFilterGroup":{"PatchFilters":[{"Key":"PRODUCT","Values":["*"]}]},"ApproveAfterDays":1,"ComplianceLevel":"CRITICAL"}]}' \
  --query BaselineId --output text

The command prints the baseline ID (pb-...), which Step 3 needs. Replace DevelopmentBaseline with the desired baseline name, and adjust the approval rules as per your requirements; for instance, narrow PRODUCT to a single release such as Ubuntu22.04, or add a PRIORITY filter so that only Required and Important packages are approved.

Step 3: Categorize EC2 Instances Based on Their Tags Using Patch Groups:

Patch Groups are not created with a dedicated command. An instance belongs to the Patch Group named by its Patch Group tag (the key is the two words Patch Group, with a space), and the aws ssm register-patch-baseline-for-patch-group command binds a patch baseline to that group. The parameters are:

  • --patch-group: The name of the Patch Group; it comes into existence when the first baseline is registered for it.
  • --baseline-id: The ID of the patch baseline (from Step 2) that instances in this group should use.

# Put the development Ubuntu instances into the Patch Group
aws ec2 create-tags --resources i-0123456789abcdef0 i-0123456789abcdef1 --tags "Key=Patch Group,Value=DevelopmentGroup"

# Bind the development baseline to that Patch Group
aws ssm register-patch-baseline-for-patch-group \
  --baseline-id pb-0123456789abcdef0 \
  --patch-group DevelopmentGroup

Replace DevelopmentGroup with the desired Patch Group name and pb-0123456789abcdef0 with the baseline ID returned in Step 2. This is where the Environment and OS tags from Step 1 are used: an instance with Environment=Development and OS=Ubuntu gets the Patch Group that is bound to the Ubuntu development baseline. An instance can carry only one Patch Group tag, and a Patch Group can have only one baseline registered per operating system.

Step 4: Apply Patches Specified in the Corresponding Patch Baseline to Each Patch Group:

Use the aws ssm create-association command to apply patches to instances in each Patch Group. The association runs the AWS-RunPatchBaseline document, which looks up the baseline registered for each instance's Patch Group. The parameters are:

  • --name: The name of the SSM document to run, AWS-RunPatchBaseline (not the patch baseline; the baseline is chosen through the Patch Group tag).
  • --targets: The targets for the association. Here it is every instance carrying the Patch Group tag, written as the key tag:Patch Group.
  • --parameters: The document's parameters. Operation=Install installs missing approved patches; Operation=Scan only reports compliance.
  • --schedule-expression: A cron or rate expression that defines when the association runs.

# Apply patches from the Patch Group's registered baseline on a schedule
aws ssm create-association \
  --name AWS-RunPatchBaseline \
  --targets "Key=tag:Patch Group,Values=DevelopmentGroup" \
  --parameters '{"Operation":["Install"]}' \
  --schedule-expression "cron(0 0 ? * SAT *)"

Replace DevelopmentGroup with the Patch Group name you defined. Adjust the schedule expression to meet your patching schedule; the example runs every Saturday at 00:00 UTC. Systems Manager cron expressions have six fields, and one of day-of-month or day-of-week must be ?.

By following these steps, you can tag instances, create patch baselines, categorize instances into Patch Groups, and schedule patching for different environments while considering their specific requirements.
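The four steps wired together as one script, as an added example that is not from the original post. It uses the real Systems Manager CLI surface (create-tags, create-patch-baseline, register-patch-baseline-for-patch-group, create-association with AWS-RunPatchBaseline, and describe-instance-patch-states for the follow-up compliance check); the instance IDs, names and schedule are placeholders set through environment variables, and the approval_rules_json and valid_ssm_cron helpers are this example's own. By default it only prints the commands it would run; APPLY=1 executes them.

```shell
#!/bin/sh
# Added example (not from the original post): the four patching steps as one
# plan-then-apply script. Names, IDs and the schedule below are placeholders;
# override them through the environment. Nothing calls aws unless APPLY=1.
set -eu

ENVIRONMENT="${ENVIRONMENT:-Development}"
OS_TAG="${OS_TAG:-Ubuntu}"
PATCH_GROUP="${PATCH_GROUP:-DevelopmentGroup}"
BASELINE_NAME="${BASELINE_NAME:-DevelopmentBaseline}"
SCHEDULE="${SCHEDULE:-cron(0 0 ? * SAT *)}"
APPLY="${APPLY:-0}"

# Print a command on stderr (one quoted token per argument); run it only when APPLY=1.
run() {
  { printf '+'; for arg in "$@"; do printf " '%s'" "$arg"; done; printf '\n'; } >&2
  if [ "$APPLY" = 1 ]; then "$@"; fi
}

# Build the JSON for --approval-rules. Every PatchRule needs a PatchFilterGroup;
# PRODUCT=* covers all Ubuntu releases and PRIORITY limits it to the important pool.
# $1 = ApproveAfterDays, $2 = ComplianceLevel.
approval_rules_json() {
  printf '{"PatchRules":[{"PatchFilterGroup":{"PatchFilters":[{"Key":"PRODUCT","Values":["*"]},{"Key":"PRIORITY","Values":["Required","Important"]}]},"ApproveAfterDays":%s,"ComplianceLevel":"%s"}]}' "$1" "$2"
}

# Validate a Systems Manager schedule before creating the association: cron(...)
# with six fields, and either day-of-month (field 3) or day-of-week (field 5) is '?'.
valid_ssm_cron() {
  case "$1" in "cron("*")") ;; *) return 1 ;; esac
  inner="${1#"cron("}"; inner="${inner%")"}"
  printf '%s\n' "$inner" | awk 'NF == 6 && ($3 == "?" || $5 == "?") { ok = 1 } END { if (ok) exit 0; exit 1 }'
}

# Step 1 + Step 3 tagging: Environment and OS describe the instance; the
# "Patch Group" tag (key with a space) is what Patch Manager uses to pick the baseline.
tag_instances() {
  for id in "$@"; do
    run aws ec2 create-tags --resources "$id" \
      --tags "Key=Environment,Value=$ENVIRONMENT" "Key=OS,Value=$OS_TAG" \
             "Key=Patch Group,Value=$PATCH_GROUP"
  done
}

# Step 2: create the baseline and return its BaselineId (pb-...) on stdout.
# In plan mode a placeholder ID is returned so the rest of the plan can print.
create_baseline() {
  run aws ssm create-patch-baseline --name "$BASELINE_NAME" --operating-system UBUNTU \
    --approval-rules "$(approval_rules_json 1 CRITICAL)" --query BaselineId --output text
  [ "$APPLY" = 1 ] || echo "pb-PLACEHOLDER"
}

# Step 3: bind the baseline to the Patch Group (the group exists once a baseline is registered).
register_group() {
  run aws ssm register-patch-baseline-for-patch-group --baseline-id "$1" --patch-group "$PATCH_GROUP"
}

# Step 4: the association runs the AWS-RunPatchBaseline document (--name is the
# document, not the baseline); targeting by the Patch Group tag makes each
# instance resolve the baseline registered for its own group.
create_association() {
  run aws ssm create-association --name AWS-RunPatchBaseline \
    --association-name "${PATCH_GROUP}-Install" \
    --targets "Key=tag:Patch Group,Values=$PATCH_GROUP" \
    --parameters '{"Operation":["Install"],"RebootOption":["RebootIfNeeded"]}' \
    --schedule-expression "$SCHEDULE" --compliance-severity CRITICAL
}

# Follow-up check after the first run: missing/failed counts per instance are
# the numbers worth alerting on.
report() {
  run aws ssm describe-instance-patch-states --instance-ids "$@" \
    --query 'InstancePatchStates[].[InstanceId,PatchGroup,MissingCount,FailedCount,InstalledRejectedCount]' \
    --output table
}

main() {
  valid_ssm_cron "$SCHEDULE" || { echo "invalid SSM cron expression: $SCHEDULE" >&2; return 1; }
  tag_instances "$@"
  baseline_id=$(create_baseline)
  register_group "$baseline_id"
  create_association
  report "$@"
}

if [ "$#" -gt 0 ]; then
  main "$@"
else
  echo "usage: $0 <instance-id> [instance-id ...]   (set APPLY=1 to execute)" >&2
fi
```

Run it as `sh patch.sh i-0123456789abcdef0 i-0123456789abcdef1` to see the plan, then again with `APPLY=1` once the printed commands look right. The schedule is validated before anything is created because a malformed cron expression is only rejected when the association is created, after the tags and baseline already exist.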
