Patch Windows and Linux Servers Using AWS Systems Manager (SSM)


AWS Cloud, Cloud Patching, AWS SSM, Linux Patching, Windows Patching, AWS Patching Automation

AWS Systems Manager (SSM) offers a powerful and scalable way to automate patch management across both Windows and Linux instances. In this blog, we will walk through how to patch the servers using SSM step-by-step.

What is AWS Systems Manager (SSM)?

AWS Systems Manager allows you to manage your EC2 instances as well as servers located inside your own network (on-premises). It has the following features:

  • Automatic OS patching using Patch Manager
  • Shell access managed through Session Manager
  • Software and resource discovery across managed instances
  • Run Command to execute commands on remote machines

Patch Manager allows us to scan and apply patches for both Windows and Linux systems based on pre-defined rules and schedules.


Prerequisites:

Before you begin, check the following:

  1. SSM Agent is installed and running on all target instances.
  2. An IAM role (for EC2) or IAM managed-instance role (for on-prem) is attached that carries the AmazonSSMManagedInstanceCore and AmazonEC2RoleforSSM permissions.
  3. Instances are registered as managed instances in AWS Systems Manager.
  4. Security groups allow outbound access to the Systems Manager endpoints, or VPC endpoints are configured for private subnets.

Step 1: Add Tags to Your Instances



To keep patching organized, tag your instances. Tags let you target specific environments like "Prod" or "Dev", or a specific OS type.

Example tagging through the AWS CLI (Linux/macOS terminal):

aws ec2 create-tags --resources i-0123456789abcdef0 --tags Key=Environment,Value=Production

Through PowerShell on Windows (quoting the arguments is safe in either shell):

aws ec2 create-tags --resources "i-0123456789abcdef0" --tags "Key=Environment,Value=Production"

The command itself is the same for both Windows and Linux hosts; only the shell quoting differs.

Note: On Linux and macOS, run it directly in the terminal. Make sure the AWS CLI is installed and configured with aws configure.

We can also tag from the EC2 Console under the "Tags" tab.

Step 2: Configure Patch Baselines

AWS provides default patch baselines, "AWS-DefaultPatchBaseline" (Windows) and "AWS-DefaultPatchBaseline-OS" (Linux), but we can create a custom baseline to control approved/rejected patches, auto-approval rules and compliance rules.

To create a custom patch baseline: Open Systems Manager Console → Patch Manager → Create patch baseline. Set a name like Windows-Prod-PatchBaseline and choose OS (e.g., Windows).

Then configure auto-approval rules (e.g., approve Critical patches after 6 days).
Add specific patches if needed, save, and optionally set the baseline as the default for that OS.

Step 3: Create a Patch Group

A Patch Group allows Systems Manager to apply the correct patch baseline to the right instances.

Tag the instances with a key: "Patch Group", and value: "ProdWindowsGroup".

In the patch baseline, associate this value with the baseline. The console path is Systems Manager → Patch Manager → Patch Baselines → Select → Modify Patch Group.

Step 4: Create a Maintenance Window to schedule patching during week-off or off-peak hours

To do that, we need to go to Systems Manager → Maintenance Windows → Create maintenance window.

Give it a name like "Weekly-Prod-Patching" and set the maintenance window (MW) month and time.

Then set the schedule using a cron expression (e.g., every Sunday at 2 AM UTC: cron(0 2 ? * SUN *)).

Enable the window and allow unregistered targets if necessary.

Note: This is optional but recommended if no existing maintenance window is available, especially in a new setup.

Step 5: Register Targets to Maintenance Window

In the maintenance window → Register targets, choose Specify tags and enter the Patch Group tag.

For example, Patch Group = "ProdWindowsGroup".

Step 6: Register Task to Apply Patches

Now attach a task to perform the patching: Register task → choose AWS-RunPatchBaseline.

Specify Task Type: Automation

Document name: AWS-RunPatchBaseline. Set Operation to Install.

Rate control: limit the number of targets and the concurrency.

Set the IAM role: use the default SSM role or a custom role with the required permissions, then save.

Step 7: Manually Scan and Patch (Optional)

We can also run patching manually from the AWS CLI, in a terminal or in PowerShell.

Run this command in one line for Windows:

aws ssm send-command --document-name "AWS-RunPatchBaseline" --targets "Key=tag:Patch Group,Values=ProdWindowsGroup" --parameters "Operation=Install" --comment "Manual Windows patching" --region us-east-1

And run this command in one line for Linux from a terminal:

aws ssm send-command --document-name "AWS-RunPatchBaseline" --targets "Key=tag:Patch Group,Values=ProdLinuxGroup" --parameters "Operation=Install" --comment "Manual Linux patching" --region us-east-1

Step 8: Patching Status Monitoring

After execution, go to Systems Manager → Run Command to view the command status.

To view the patching status using the AWS CLI:

aws ssm list-command-invocations --command-id <command-id> --details

Replace <command-id> with the actual ID returned when you ran the send-command above for Windows or Linux.

If we didn't note down the command-id, we can retrieve it from the most recent commands with this command:

aws ssm list-commands --max-items 5

It shows the status per instance (Success, InProgress, Failed, etc.), the command output (including patch logs), and the execution time and duration.

We can also check the compliance dashboard in Systems Manager → Compliance to view compliant and non-compliant instances.

Or, in the AWS Console → Systems Manager → Run Command → Command history, click on your command. From there we can view the status for each instance, download logs and see the detailed output.
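To make the status check above less manual, here is an added Python example (not from the original post) that parses the JSON returned by "aws ssm list-command-invocations --command-id <command-id> --details --output json", counts instances per status, and lists the instances whose patch run failed along with the last plugin output. The sample JSON inside the script is constructed for this example; the field names follow the SSM API response, while the instance IDs, command ID and outputs are made up.

```python
import json
import sys
from collections import Counter

# Constructed sample of `aws ssm list-command-invocations --details --output json`
# output; field names follow the SSM API, the values are made up for this example.
SAMPLE_INVOCATIONS = json.dumps({"CommandInvocations": [
    {"CommandId": "00000000-0000-0000-0000-000000000000", "InstanceId": "i-0123456789abcdef0",
     "Status": "Success", "CommandPlugins": [{"Name": "PatchWindows", "Status": "Success",
     "ResponseCode": 0, "Output": "Installed 4 patches, 0 failed"}]},
    {"CommandId": "00000000-0000-0000-0000-000000000000", "InstanceId": "i-0fedcba9876543210",
     "Status": "Failed", "CommandPlugins": [{"Name": "PatchLinux", "Status": "Failed",
     "ResponseCode": 1, "Output": "Unable to download patch metadata"}]},
    {"CommandId": "00000000-0000-0000-0000-000000000000", "InstanceId": "i-0abc0abc0abc0abc0",
     "Status": "InProgress", "CommandPlugins": []},
]})

BAD_STATES = {"Failed", "TimedOut", "Cancelled"}          # terminal, needs attention
PENDING_STATES = {"Pending", "InProgress", "Delayed", "Cancelling"}

def summarize_invocations(raw_json):
    """Return (status_counts, problems) for one command-id: status_counts maps each
    invocation Status to an instance count; problems lists (instance_id, status,
    last plugin output) for every instance whose run ended in a BAD_STATES status."""
    counts = Counter()
    problems = []
    for inv in json.loads(raw_json).get("CommandInvocations", []):
        status = inv.get("Status", "Unknown")
        counts[status] += 1
        if status in BAD_STATES:
            plugins = inv.get("CommandPlugins") or []
            output = plugins[-1].get("Output", "").strip() if plugins else ""
            problems.append((inv["InstanceId"], status, output))
    return dict(counts), problems

def all_done(status_counts):
    """True once no instance is still in a pending state."""
    return not (PENDING_STATES & set(status_counts))

if __name__ == "__main__":
    # Pipe real CLI output in, or run without input to use the sample above.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INVOCATIONS
    counts, problems = summarize_invocations(raw)
    print("Status counts:", counts)
    for instance_id, status, output in problems:
        print(f"{instance_id}: {status} - {output}")
    print("Finished:", all_done(counts), "| failures:", len(problems))
```

Pipe the real CLI output into the script (aws ssm list-command-invocations ... --output json | python3 patch_status.py) to get the same summary for a live command; the failure list is what you would forward to an SNS topic in the automation mentioned later.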

We can review detailed logs via Amazon CloudWatch or S3 if logging is enabled.

We can also automate report generation, or send patching summaries via email or SNS.


Final note: Always test custom patch baselines in a staging environment first.

It is better to use S3 for storing the logs of patching operations.

It is better to set up SNS notifications to get alerts on patching success/failure.
