Automating Windows Patch Management on AWS EC2 Instances with Non-overlapping Maintenance Windows

This solution involves creating two patch groups, associating them with different maintenance windows, registering targets with specific maintenance windows using Patch Group tags, and assigning the AWS-RunPatchBaseline document as a task within each maintenance window. Here are the detailed steps:

Step 1: Create two Patch Groups

# A patch group is not a separate resource: it exists as soon as an instance carries the tag key
# "Patch Group" (the key contains a space). Tag the instances that belong to the first group;
# i-xxxxxxxxxxxxxxxxx is a placeholder for your instance IDs.
aws ec2 create-tags --resources i-xxxxxxxxxxxxxxxxx --tags "Key=Patch Group,Value=PatchGroup1"

# Tag the instances that belong to the second patch group
aws ec2 create-tags --resources i-yyyyyyyyyyyyyyyyy --tags "Key=Patch Group,Value=PatchGroup2"

Step 2: Associate the AWS-DefaultPatchBaseline baseline with both patch groups

# Look up the ID of the predefined AWS-DefaultPatchBaseline (the Windows default); the command
# below expects the BaselineId value from this output, not the baseline name
aws ssm describe-patch-baselines --filters "Key=NAME_PREFIX,Values=AWS-DefaultPatchBaseline" --query "BaselineIdentities[].[BaselineName,BaselineId]" --output text

# Associate the baseline with PatchGroup1 (replace pb-xxxxxxxxxxxxxxxxx with the BaselineId returned above)
aws ssm register-patch-baseline-for-patch-group --baseline-id "pb-xxxxxxxxxxxxxxxxx" --patch-group "PatchGroup1"

# Associate the same baseline with PatchGroup2 (a baseline may serve several patch groups)
aws ssm register-patch-baseline-for-patch-group --baseline-id "pb-xxxxxxxxxxxxxxxxx" --patch-group "PatchGroup2"

Step 3: Set up two non-overlapping maintenance windows

You can create maintenance windows in the AWS Systems Manager Console or use the CLI. Here’s how you can create them using the CLI:

# Create the first maintenance window. --duration (hours the window stays open) and --cutoff (hours
# before the end after which no new tasks start) are required; 3 and 1 are example values.
# Note the WindowId (mw-...) in the output, it is needed in Steps 4 and 5.
aws ssm create-maintenance-window --name "MaintenanceWindow1" --schedule "CRON expression for the desired start time" --duration 3 --cutoff 1 --no-allow-unassociated-targets

# Create the second maintenance window; its start must lie outside the first window's start-plus-duration
# span (and vice versa) so the two never run at the same time
aws ssm create-maintenance-window --name "MaintenanceWindow2" --schedule "CRON expression for the desired start time" --duration 3 --cutoff 1 --no-allow-unassociated-targets

Make sure to replace "CRON expression for the desired start time" with the desired CRON expression, in the Systems Manager cron(...) form, for each maintenance window, and keep the two windows apart by at least the duration you chose.

Step 4: Register targets with specific maintenance windows using Patch Group tags

# Register the PatchGroup1 instances as targets of MaintenanceWindow1. --window-id takes the mw-... ID
# returned in Step 3, not the window name; --resource-type is required; the tag key is "Patch Group"
# with a space. Note the WindowTargetId in the output, it is needed in Step 5.
aws ssm register-targets-for-maintenance-window --window-id "mw-xxxxxxxxxxxxxxxxx" --resource-type INSTANCE --targets "Key=tag:Patch Group,Values=PatchGroup1"

# Register the PatchGroup2 instances as targets of MaintenanceWindow2
aws ssm register-targets-for-maintenance-window --window-id "mw-yyyyyyyyyyyyyyyyy" --resource-type INSTANCE --targets "Key=tag:Patch Group,Values=PatchGroup2"

Step 5: Assign the AWS-RunPatchBaseline document as a task within each maintenance window

# Register AWS-RunPatchBaseline as a Run Command task in MaintenanceWindow1 (create-association is a
# State Manager command and does not attach a task to a window). The mw-... ID comes from Step 3 and
# the WindowTargetId from Step 4. Operation=Install applies missing patches; Scan would only report them.
aws ssm register-task-with-maintenance-window --window-id "mw-xxxxxxxxxxxxxxxxx" --targets "Key=WindowTargetIds,Values=<WindowTargetId from Step 4>" --task-arn "AWS-RunPatchBaseline" --task-type RUN_COMMAND --task-invocation-parameters '{"RunCommand":{"Parameters":{"Operation":["Install"]}}}' --max-concurrency 2 --max-errors 1 --priority 1 --name "PatchTask1"

# Register the same task in MaintenanceWindow2 with that window's ID and target ID
aws ssm register-task-with-maintenance-window --window-id "mw-yyyyyyyyyyyyyyyyy" --targets "Key=WindowTargetIds,Values=<WindowTargetId from Step 4>" --task-arn "AWS-RunPatchBaseline" --task-type RUN_COMMAND --task-invocation-parameters '{"RunCommand":{"Parameters":{"Operation":["Install"]}}}' --max-concurrency 2 --max-errors 1 --priority 1 --name "PatchTask2"

Make sure to replace the mw-... values and the window target IDs with the actual IDs returned when you created the maintenance windows (Step 3) and registered their targets (Step 4).

This set of AWS CLI commands should help you implement the described solution for managing patches on your Windows-based Amazon EC2 instances with non-overlapping maintenance windows.
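Because the whole point of the setup is that the two windows never run at the same time, it helps to check the chosen schedules before creating them. The script below is an added example, not part of the original post or of any AWS tooling: it takes two weekly schedules in the Systems Manager cron(MIN HOUR ? * DAY *) form together with each window's --duration in hours and reports whether the resulting spans overlap, including a window that runs past Saturday midnight into Sunday. It assumes a single three-letter day-of-week per expression.

```shell
#!/bin/sh
# Added example: overlap check for two weekly maintenance-window schedules.
# Schedules use the Systems Manager form cron(MIN HOUR ? * DAY *) with one
# three-letter day-of-week; durations are the --duration values in hours.

# Map a day-of-week abbreviation to 0..6 (Sunday = 0); fails on anything else.
dow_index() {
  case "$1" in
    SUN) echo 0 ;; MON) echo 1 ;; TUE) echo 2 ;; WED) echo 3 ;;
    THU) echo 4 ;; FRI) echo 5 ;; SAT) echo 6 ;;
    *) echo "unsupported day-of-week field: $1" >&2; return 1 ;;
  esac
}

# window_span EXPR HOURS -> prints "START END" as minutes since Sunday 00:00.
# Example: window_span "cron(0 2 ? * SUN *)" 3 prints "120 300".
window_span() {
  hours=$2
  fields=${1#"cron("}; fields=${fields%")"}
  set -f                        # no globbing: the '?' and '*' fields are literal
  set -- $fields                # split into the six cron fields
  set +f
  min=${1#0}; min=${min:-0}     # drop a leading zero so "05" is not read as octal
  hour=${2#0}; hour=${hour:-0}
  day=$(dow_index "$5") || return 1
  start=$(( day * 1440 + hour * 60 + min ))
  echo "$start $(( start + hours * 60 ))"
}

# windows_overlap EXPR1 HOURS1 EXPR2 HOURS2 -> returns 0 if the two windows
# overlap, 1 if they are disjoint, 2 on a malformed expression. A window that
# runs past Saturday midnight wraps into Sunday, so the first span is also
# compared shifted backwards and forwards by one week (10080 minutes).
windows_overlap() {
  span1=$(window_span "$1" "$2") || return 2
  span2=$(window_span "$3" "$4") || return 2
  s1=${span1% *}; e1=${span1#* }
  s2=${span2% *}; e2=${span2#* }
  for off in -10080 0 10080; do
    if [ $(( s1 + off )) -lt "$e2" ] && [ "$s2" -lt $(( e1 + off )) ]; then
      return 0
    fi
  done
  return 1
}

# Usage: Sunday 02:00 for 3 h against Wednesday 02:00 for 3 h (constructed sample schedules).
windows_overlap "cron(0 2 ? * SUN *)" 3 "cron(0 2 ? * WED *)" 3 && echo "windows overlap"
```

Run it with the two cron expressions and durations you intend to pass to create-maintenance-window; a non-zero exit with no message means the windows are disjoint.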
