Reputation: 8374
I am trying to use EC2 Systems Manager with maintenance windows just to apply security patches. I could not find a document that explains this. Has anyone already done this and can provide me a clue?
I know that AWS provides Patch Manager for Windows.
Upvotes: 1
Views: 1377
Reputation: 1356
You can find the official documentation for getting started with patching in EC2 Systems Manager here: http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/systems-manager-patch.html
There's also a walkthrough that covers the complete set of steps to get started available here: http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/sysman-patch-walkthrough.html
I've added some specific examples related to your questions using the AWS CLI and the AWS Toolkit for PowerShell. You can, of course, also do all of these actions in the AWS Console.
To control the patches that should be installed, you use a Patch Baseline. The Patch Baseline consists of a set of rules that define which patches should be approved for deployment and when they should be approved along with an optional set of explicitly approved and rejected patches.
In your case, to apply just security patches, you can create a Patch Baseline like this:
AWS CLI
aws ssm create-patch-baseline \
    --name "Only-Security-Patches" \
    --approval-rules "PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=CLASSIFICATION,Values=SecurityUpdates}]},ApproveAfterDays=3}]" \
    --description "Security updates for all versions of Windows"
AWS PowerShell
$rule = New-Object Amazon.SimpleSystemsManagement.Model.PatchRule
$rule.ApproveAfterDays = 3
$ruleFilters = New-Object Amazon.SimpleSystemsManagement.Model.PatchFilterGroup
$classificationFilter = New-Object Amazon.SimpleSystemsManagement.Model.PatchFilter
$classificationFilter.Key = "CLASSIFICATION"
$classificationFilter.Values.Add( "SecurityUpdates" )
$ruleFilters.PatchFilters.Add($classificationFilter)
$rule.PatchFilterGroup = $ruleFilters
New-SSMPatchBaseline `
    -Name "Only-Security-Patches" `
    -Description "Security updates for all versions of Windows" `
    -ApprovalRules_PatchRule $rule
You control which Patch Baseline you want to use for a particular EC2 instance by tagging the instance with the Patch Group tag, setting the value of the tag to the name of the patch group of your choice. After that you can register the patch group to the Patch Baseline. For the sake of this example you can also define your new Patch Baseline as the default Patch Baseline to use for all instances that aren't tagged with the Patch Group tag:
AWS CLI
aws ssm register-default-patch-baseline --baseline-id <the id of the patch baseline created above>
AWS PowerShell
Register-SSMDefaultPatchBaseline -BaselineId <the id of the patch baseline created above>
Once you have your desired Patch Baseline created and configured, you can use the AWS-ApplyPatchBaseline Command document to patch an instance. If you just want to test patching you can use Run Command to send the command to your instance, but if you want to automate it, Maintenance Windows are there to help.
A Maintenance Window defines:
Registering instances as targets with a Maintenance Window is optional and in the examples below I'm choosing to not require target registration.
For the purposes of this example, let's create a Maintenance Window that runs at 4pm every Tuesday with a 4 hour duration:
AWS CLI
aws ssm create-maintenance-window \
    --name "My-Tuesday-Maintenance-Window" \
    --schedule "cron(0 16 ? * TUE *)" \
    --duration 4 \
    --cutoff 1 \
    --allow-unassociated-targets
AWS PowerShell
New-SSMMaintenanceWindow `
-Name "My-Tuesday-Maintenance-Window" `
-Schedule "cron(0 16 ? * TUE *)" `
-Duration 4 `
-Cutoff 1 `
    -AllowUnassociatedTarget $true
With the Maintenance Window created, you can now register the tasks you want to run in it, in this case we want to run the AWS-ApplyPatchBaseline command.
Please note that the commands below assume that you've performed the steps to define the IAM role (I've named this role MW-Role here) you want to use for your Maintenance Windows as described here: http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/sysman-patch-walkthrough.html
AWS CLI
aws ssm register-task-with-maintenance-window \
    --window-id <the id of your maintenance window> \
    --targets "Key=InstanceIds,Values=<comma-separated list of instance ids>" \
    --task-arn "AWS-ApplyPatchBaseline" \
    --service-role-arn "arn:aws:iam::<your account id>:role/MW-Role" \
    --task-type "RUN_COMMAND" \
    --max-concurrency 2 \
    --max-errors 1 \
    --priority 1 \
    --task-parameters '{"Operation":{"Values":["Install"]}}'
# The single-quoted JSON above is for a POSIX shell; in cmd.exe pass it as "{\"Operation\":{\"Values\":[\"Install\"]}}" instead.
AWS PowerShell
$parameters = @{}
$parameterValues = new-object Amazon.SimpleSystemsManagement.Model.MaintenanceWindowTaskParameterValueExpression
$parameterValues.Values = @("Install")
$parameters.Add("Operation", $parameterValues)
Register-SSMTaskWithMaintenanceWindow `
    -WindowId <the id of your maintenance window> `
    -Target @{ Key="InstanceIds"; Values=@("<instance id>", "<another instance id>") } `
    -TaskArn "AWS-ApplyPatchBaseline" `
    -ServiceRoleArn "arn:aws:iam::<your account id>:role/MW-Role" `
    -TaskType "RUN_COMMAND" `
    -MaxConcurrency 2 `
    -MaxErrors 1 `
    -Priority 1 `
    -TaskParameter $parameters
Now that everything has been configured you can see the history of Maintenance Window executions and the patch compliance state of the instances being patched.
You can use the following commands to drill down into the execution history for your Maintenance Windows:
AWS CLI
AWS PowerShell
Once your instances have been patched you can get patch compliance information for them.
AWS CLI
AWS PowerShell
I hope this helps answer your question, if not please let me know.
Upvotes: 2
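The steps from the answer above, collected into one POSIX shell script. This is an added example, not code from the original answer or from AWS: it strings the create-baseline, register-window and register-task calls together, and adds the two pieces the answer leaves blank, the execution-history drill-down and the patch-compliance queries. The account id, instance id, patch group name, the `AWS_CMD` override and the function names are placeholders or assumptions of mine; the `aws ssm` subcommands and `--query` paths are the standard ones. The first run defaults to `Operation=Scan`, which only reports what the baseline would change, so you can check the result before switching to `Install`.

```shell
#!/bin/sh
# Added example, not the original answer's code. Assumes the aws CLI is configured with
# rights on ssm:*, the MW-Role from the answer exists, and the placeholders below are
# overridden. AWS_CMD can point at a stand-in command to dry-run without credentials.
set -eu

AWS_CMD="${AWS_CMD:-aws}"
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"              # placeholder account id
PATCH_GROUP="${PATCH_GROUP:-web-tier}"                # hypothetical "Patch Group" tag value
INSTANCE_IDS="${INSTANCE_IDS:-i-0123456789abcdef0}"   # placeholder, comma-separated

# Shorthand rule: only patches classified SecurityUpdates, approved 3 days after release.
approval_rules() {
  printf '%s' 'PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=CLASSIFICATION,Values=SecurityUpdates}]},ApproveAfterDays=3}]'
}

# Task parameters for AWS-ApplyPatchBaseline. Scan only reports; Install applies the
# approved patches and may reboot. Plain JSON: the call site single-quotes it.
task_parameters() {
  case "$1" in
    Scan|Install) ;;
    *) echo "Operation must be Scan or Install, got '$1'" >&2; return 1 ;;
  esac
  printf '{"Operation":{"Values":["%s"]}}' "$1"
}

create_security_baseline() {
  "$AWS_CMD" ssm create-patch-baseline \
    --name "Only-Security-Patches" \
    --description "Security updates for all versions of Windows" \
    --approval-rules "$(approval_rules)" \
    --query BaselineId --output text
}

# Bind the baseline to a patch group instead of making it the account-wide default:
# only instances tagged "Patch Group=$PATCH_GROUP" pick it up.
attach_baseline_to_group() {
  "$AWS_CMD" ssm register-patch-baseline-for-patch-group \
    --baseline-id "$1" --patch-group "$2" >/dev/null
}

# Tuesdays 16:00, 4 h long; no new tasks start in the last hour (cutoff).
create_window() {
  "$AWS_CMD" ssm create-maintenance-window \
    --name "My-Tuesday-Maintenance-Window" \
    --schedule "cron(0 16 ? * TUE *)" \
    --duration 4 --cutoff 1 \
    --allow-unassociated-targets \
    --query WindowId --output text
}

# max-concurrency / max-errors cap the blast radius of a bad patch.
register_patch_task() {
  "$AWS_CMD" ssm register-task-with-maintenance-window \
    --window-id "$1" \
    --targets "Key=InstanceIds,Values=$INSTANCE_IDS" \
    --task-arn "AWS-ApplyPatchBaseline" \
    --service-role-arn "arn:aws:iam::${ACCOUNT_ID}:role/MW-Role" \
    --task-type RUN_COMMAND \
    --max-concurrency 2 --max-errors 1 --priority 1 \
    --task-parameters "$(task_parameters "$2")" \
    --query WindowTaskId --output text
}

# Execution history: the window's runs, then the tasks inside one run.
list_window_executions() {
  "$AWS_CMD" ssm describe-maintenance-window-executions --window-id "$1" \
    --query 'WindowExecutions[].[WindowExecutionId,Status,StartTime]' --output table
}
list_execution_tasks() {
  "$AWS_CMD" ssm describe-maintenance-window-execution-tasks --window-execution-id "$1" \
    --query 'WindowExecutionTaskIdentities[].[TaskExecutionId,Status,StatusDetails]' --output table
}

# Compliance: per-instance counts, then the patches still missing on one instance.
instance_patch_states() {
  "$AWS_CMD" ssm describe-instance-patch-states \
    --instance-ids $(printf '%s' "$INSTANCE_IDS" | tr ',' ' ') \
    --query 'InstancePatchStates[].[InstanceId,Operation,InstalledCount,MissingCount,FailedCount]' --output table
}
missing_patches() {
  "$AWS_CMD" ssm describe-instance-patches --instance-id "$1" \
    --filters Key=State,Values=Missing \
    --query 'Patches[].[KBId,Title,Classification]' --output table
}

main() {
  baseline_id=$(create_security_baseline)
  attach_baseline_to_group "$baseline_id" "$PATCH_GROUP"
  window_id=$(create_window)
  task_id=$(register_patch_task "$window_id" "${OPERATION:-Scan}")
  echo "baseline=$baseline_id window=$window_id task=$task_id"
  list_window_executions "$window_id"
  instance_patch_states
}

# Only run the flow when invoked with "run"; sourcing the file just loads the functions.
case "${1:-}" in
  run) main ;;
esac
```

Run it as `OPERATION=Scan sh patch-security-only.sh run` with real values first, look at `MissingCount` in the compliance table and at `missing_patches <instance id>`, and only then re-register the task with `OPERATION=Install`. Binding the baseline to a patch group rather than registering it as the account default keeps untagged instances on whatever baseline they already have.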