Automating EC2 Instance Patch Management with AWS Systems Manager and Maintenance Windows using the AWS CLI

  1. Install and configure SSM Agent: Ensure that the SSM Agent is installed and running on your EC2 instances and that each instance has an instance profile that lets it register with Systems Manager. You can use the AWS CLI's create-association command to install and configure the agent on multiple instances. Here's an example command:
     aws ssm create-association --name "AWS-ConfigureAWSPackage" --targets "Key=InstanceIds,Values=i-1234567890abcdef0" --parameters 'action=Install,installationType="Uninstall and reinstall",name=ssm'
     Replace i-1234567890abcdef0 with the instance IDs you want to target. Because an association is applied by the agent itself, it only reaches instances that already appear as managed instances in Systems Manager.
  2. Create an SSM Patch Baseline: Create a patch baseline that defines which patches are approved for your instances, using the create-patch-baseline command. An example:
     aws ssm create-patch-baseline --name "MyPatchBaseline" --operating-system "WINDOWS" --approval-rules "PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=PRODUCT,Values=[WindowsServer2019]},{Key=CLASSIFICATION,Values=[SecurityUpdates]}]},ApproveAfterDays=7}]"
     ApproveAfterDays controls how many days after release a matching patch is auto-approved; 7 is only an example value. Note the BaselineId the command returns: the baseline has to be registered to a patch group (next step) before any instance uses it.
  3. Define Patch Group Tags: Tag your EC2 instances with a patch group tag. This groups instances for patching and determines which baseline applies to them. You can tag instances when launching them or use the create-tags command:
     aws ec2 create-tags --resources "i-1234567890abcdef0" --tags "Key=PatchGroup,Value=MyPatchGroup"
     Replace i-1234567890abcdef0 with your instance ID. Then bind the baseline from step 2 to the group with the register-patch-baseline-for-patch-group command (passing the BaselineId and the patch group name); without this, instances in the group fall back to the default baseline for their operating system.
  4. Create a Maintenance Window: Use the create-maintenance-window command to create a Maintenance Window and specify the schedule on which patches should be applied. For example:
     aws ssm create-maintenance-window --name "PatchWindow" --schedule "CRON expression" --duration 3 --cutoff 1 --allow-unassociated-targets
     Replace "CRON expression" with the schedule you desire, in Maintenance Window cron(...) or rate(...) syntax. --duration is the length of the window in hours and --cutoff the number of hours before its end at which no new tasks are started. --allow-unassociated-targets lets tasks run against instances that were never registered with the window; if the window should touch only registered targets, use --no-allow-unassociated-targets instead.
  5. Create a Maintenance Window Task: First register the instances (for example, by their PatchGroup tag) with the window using the register-target-with-maintenance-window command, which returns a window target ID. Then use the register-task-with-maintenance-window command to create a task that runs the AWS-RunPatchBaseline document against that target; the baseline applied on each instance is the one registered to its patch group.
     aws ssm register-task-with-maintenance-window --window-id "YourWindowId" --targets "Key=WindowTargetIds,Values=YourWindowTargetId" --task-type "RUN_COMMAND" --task-arn "AWS-RunPatchBaseline" --task-invocation-parameters "RunCommand={Parameters={Operation=[Install]}}" --service-role-arn "YourServiceRoleArn" --max-concurrency 1 --max-errors 1
     Replace YourWindowId, YourWindowTargetId, and YourServiceRoleArn with the appropriate values. The service role must trust ssm.amazonaws.com and be allowed to run commands on the targets; --max-concurrency and --max-errors bound how many instances are patched at once and how many failures stop the run.
  6. Run the Maintenance Window: The Maintenance Window runs automatically on the specified schedule. You can wait for it to execute, or run the same patching document immediately against the patch group with the send-command command:
     aws ssm send-command --document-name "AWS-RunPatchBaseline" --targets "Key=tag:PatchGroup,Values=MyPatchGroup" --parameters "Operation=Install"
     Replace MyPatchGroup with your patch group. Use Operation=Scan instead of Install to only report which approved patches are missing, without installing anything.
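The steps above wired into one script, as an added example that is not code from the original post. It creates the baseline, binds it to the patch group, creates the window, registers the tagged instances as its target, registers the AWS-RunPatchBaseline task, and finally lists instances that still have missing or failed patches. The role ARN, account ID, patch group name, schedule and baseline name are placeholders or assumptions; with DRY_RUN=1 every AWS CLI call is printed instead of executed, so the plan can be reviewed before anything is changed.

```shell
#!/bin/sh
# Added example (not code from the original post): the post's steps as one script.
# Placeholders/assumptions: IAM role ARN and account id, patch group name, schedule.
set -eu

DRY_RUN="${DRY_RUN:-0}"                       # 1 = print each AWS CLI call instead of running it
PATCH_GROUP="${PATCH_GROUP:-MyPatchGroup}"    # value of the instances' PatchGroup tag
WINDOW_NAME="${WINDOW_NAME:-PatchWindow}"
SCHEDULE="${SCHEDULE:-cron(0 2 ? * SUN *)}"   # Sundays at 02:00 in the window's time zone
SERVICE_ROLE_ARN="${SERVICE_ROLE_ARN:-arn:aws:iam::123456789012:role/MaintenanceWindowRole}"  # placeholder

# Execute an AWS CLI call; in dry-run mode print it to stderr and return a stand-in id.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'dry-run: %s\n' "$*" >&2
    echo "DRYRUN"
  else
    "$@"
  fi
}

# Steps 2 and 3: a baseline approving Windows Server 2019 security updates 7 days after
# release, then bound to the patch group so the tagged instances pick it up.
create_baseline() {
  run aws ssm create-patch-baseline --name "MyPatchBaseline" --operating-system WINDOWS \
    --approval-rules 'PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=PRODUCT,Values=[WindowsServer2019]},{Key=CLASSIFICATION,Values=[SecurityUpdates]}]},ApproveAfterDays=7}]' \
    --query BaselineId --output text
}
bind_baseline() {   # $1 = baseline id
  run aws ssm register-patch-baseline-for-patch-group --baseline-id "$1" --patch-group "$PATCH_GROUP"
}

# Step 4: a 4-hour window, no new tasks in its last hour, registered targets only.
create_window() {
  run aws ssm create-maintenance-window --name "$WINDOW_NAME" --schedule "$SCHEDULE" \
    --duration 4 --cutoff 1 --no-allow-unassociated-targets \
    --query WindowId --output text
}

# Register every instance carrying the PatchGroup tag as the window's target.
register_target() {   # $1 = window id
  run aws ssm register-target-with-maintenance-window --window-id "$1" --resource-type INSTANCE \
    --targets "Key=tag:PatchGroup,Values=$PATCH_GROUP" \
    --query WindowTargetId --output text
}

# Step 5: a Run Command task that installs approved patches one instance at a time and
# stops the run after the first failure.
register_task() {   # $1 = window id, $2 = window target id
  run aws ssm register-task-with-maintenance-window --window-id "$1" \
    --targets "Key=WindowTargetIds,Values=$2" \
    --task-type RUN_COMMAND --task-arn AWS-RunPatchBaseline \
    --task-invocation-parameters 'RunCommand={Parameters={Operation=[Install]}}' \
    --service-role-arn "$SERVICE_ROLE_ARN" --max-concurrency 1 --max-errors 1 --priority 1 \
    --query WindowTaskId --output text
}

# Reduce "InstanceId MissingCount FailedCount" rows (the --output text form of the query
# in check_compliance) to the ids of instances that are not yet compliant.
noncompliant_instances() {
  awk '($2 + $3) > 0 { print $1 }'
}
check_compliance() {
  run aws ssm describe-instance-patch-states-for-patch-group --patch-group "$PATCH_GROUP" \
    --query 'InstancePatchStates[].[InstanceId,MissingCount,FailedCount]' --output text \
    | noncompliant_instances
}

main() {
  baseline_id=$(create_baseline)
  bind_baseline "$baseline_id" >/dev/null
  window_id=$(create_window)
  target_id=$(register_target "$window_id")
  task_id=$(register_task "$window_id" "$target_id")
  echo "baseline=$baseline_id window=$window_id target=$target_id task=$task_id"
  echo "instances with missing or failed patches:"
  check_compliance
}

if [ "${1:-}" = "apply" ]; then main; fi
```

Run it as `DRY_RUN=1 ./patch-window.sh apply` to review the calls, then without DRY_RUN to apply them. The task is deliberately registered with --max-concurrency 1 and --max-errors 1 so a bad patch surfaces on one instance before the rest of the group is touched; raise both once the baseline has proven itself on a canary group.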

By following these steps with the AWS CLI, you can set up patch management for your EC2 instances using AWS Systems Manager Patch Manager and Maintenance Windows. This automates the process of keeping your instances up to date with security patches based on the defined patch baselines. After a run, the describe-instance-patch-states-for-patch-group command reports, per instance, how many patches were installed, are still missing, or failed, which is the quickest way to confirm the window did what you expected.
