Automatic Patching – AWS

In this new blog entry, our colleague Asier Hernández explains in detail the procedure for setting up automatic patching in an AWS environment. The post is divided into three sections: the prerequisites that must be met, the creation of the CloudFormation stack that will be used, and finally how to create the maintenance windows and select the instances they will apply to.



First, check whether the SSM agent is installed on the instance; if it is not, install it. For a Windows instance, first connect to the machine where the agent is to be installed and download the executable from the following link.

Once it has been downloaded, run the file to install the agent. The agent can be started or restarted with the following command in a PowerShell console: Restart-Service AmazonSSMAgent

The installation process is explained in more detail in the following link.

For everything to work properly, the Windows Update service must be active.

In this case, we have chosen that Windows Update never checks for updates, since they will be installed according to the maintenance window that we will configure later.

If the instance is Linux, the procedure differs by distribution. The following link explains how to do it for the different Linux types.

Once the agent is installed, the instance must be granted the appropriate permissions for it to work: the instance needs a role that carries the AmazonEC2RoleforSSM policy. The summary of the policy is the following:

Once these steps are done, we can check that the agent is working by opening Systems Manager in AWS.

Now click on the Managed Instances section.

Once here, all the instances that have the agent configured should appear; if nothing appears, wait about 5 minutes for AWS to update the information.



A CloudFormation stack will be used to create the resources needed for the maintenance windows created later to work properly. First, go to the CloudFormation section.

Once in the CloudFormation menu, select Create Stack and, under it, With new resources (standard).

In the menu that opens, select the option ‘Create template in Designer’ and click on it:

Once in the designer, paste the template into the Template tab. The YAML file can be found in the blog: PatchBaseline

When it is created, it will already be stored in an S3 bucket and you only have to click on Next.

Click on Next, name the stack and fill in the parameters.

By clicking on next, configurations regarding tags, permissions or policies will appear. For this example we’ll leave it as default and continue.

On the next step, tick the acknowledgement box that AWS shows and click on Create stack.


Creating maintenance windows

Now go to the Systems Manager section and, inside it, to Maintenance Windows. In that section we can create maintenance windows that perform the automatic updates of the deployed instances; which instances are affected is determined by defined rules.

Once we are in Create Maintenance Window the first thing to enter is the name and an optional description.

Once this is done, we configure how often the window runs. There are several configuration options; in this case a cron schedule has been used.

The duration sets how long the window remains active, and the ‘Stop initiating tasks’ field sets how long before the end of the window no new tasks are allowed to start. The period can also be defined using specific dates.

Once the window is created, the tasks to be performed are added. The first task creates a backup image of the instance we are going to update; then the document in charge of installing the updates is executed.

Before that, we must register the instances on which the tasks will be performed. We create a new target group and give it a name and a description.

Instances can be selected in several ways; in this case we do it by tag. Any instance carrying the tag with the specified value will be updated.

Now we create the tasks. To create the image, we register an automation task.

The AWS-CreateImage document is chosen and given priority 1, since this task must run first. Then we select the target created previously.

Next come the percentage of machines that may execute this task concurrently and the number of failures that are allowed.

We must also set an appropriate role for the task. In this case, Systems Manager must be allowed to create images of the instances. The required role has already been created by the CloudFormation stack.

This document needs the ID of the target instance as input; entered as shown, the instance associated with the task is used. We can also choose whether the instances are rebooted when the task runs. To have them reboot, we set the value to false.

The second task is a Run Command task, in charge of executing the updates on the instances.

In this case, the selected document is AWS-RunPatchBaseline and we set the priority to 2 so that it is not executed before the instances have been imaged.

Now the options are the same as above.

The important parameters in this document are the operation mode and whether the instance should be rebooted. In this case we choose Install and RebootIfNeeded.
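The maintenance window, the tag-based target and the two ordered tasks described above can be expressed as a single CloudFormation template, so the configuration is reviewable and repeatable instead of clicked together in the console. The template below is an added example, not the PatchBaseline stack from the blog: the tag key `Patch`, the Sunday 03:00 schedule, the window name, the concurrency and error thresholds, and the permissions granted to the service role are assumptions chosen for illustration. `{{RESOURCE_ID}}` is the Systems Manager pseudo parameter that resolves to the instance currently being processed by the window, which is how the AWS-CreateImage task receives its InstanceId.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example: maintenance window that first images tagged instances with
  AWS-CreateImage (priority 1) and then patches them with
  AWS-RunPatchBaseline (priority 2).

Parameters:
  PatchTagKey:
    Type: String
    Default: Patch           # assumed tag key; use the key your instances carry
  PatchTagValue:
    Type: String
    Default: "true"

Resources:
  # Service role assumed by the maintenance window. The blog's own stack
  # creates an equivalent role; the permissions below are an assumption.
  # Scope ec2:CreateImage down with resource ARNs or tag conditions in production.
  MaintenanceWindowRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ssm.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonSSMMaintenanceWindowRole
      Policies:
        - PolicyName: AllowCreateImage
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - ec2:CreateImage
                  - ec2:CreateTags
                  - ec2:DescribeImages
                  - ec2:DescribeInstances
                Resource: "*"

  PatchWindow:
    Type: AWS::SSM::MaintenanceWindow
    Properties:
      Name: weekly-patching
      Description: Image, then patch, all instances carrying the patch tag
      Schedule: cron(0 3 ? * SUN *)    # every Sunday at 03:00 (assumed)
      ScheduleTimezone: Europe/Madrid
      Duration: 4                      # hours the window stays active
      Cutoff: 1                        # "Stop initiating tasks": hours before the end
      AllowUnassociatedTargets: false  # tasks may only touch registered targets

  PatchTargets:
    Type: AWS::SSM::MaintenanceWindowTarget
    Properties:
      WindowId: !Ref PatchWindow
      Name: tagged-instances
      ResourceType: INSTANCE
      Targets:
        - Key: !Sub "tag:${PatchTagKey}"
          Values:
            - !Ref PatchTagValue

  CreateImageTask:
    Type: AWS::SSM::MaintenanceWindowTask
    Properties:
      WindowId: !Ref PatchWindow
      Name: create-image
      TaskType: AUTOMATION
      TaskArn: AWS-CreateImage
      Priority: 1                      # must finish before patching starts
      ServiceRoleArn: !GetAtt MaintenanceWindowRole.Arn
      MaxConcurrency: "50%"            # share of targets imaged at the same time
      MaxErrors: "1"                   # stop scheduling new targets after one failure
      Targets:
        - Key: WindowTargetIds
          Values:
            - !Ref PatchTargets
      TaskInvocationParameters:
        MaintenanceWindowAutomationParameters:
          DocumentVersion: "$DEFAULT"
          Parameters:
            InstanceId:
              - "{{RESOURCE_ID}}"      # the instance the window is processing
            NoReboot:
              - "false"                # false = reboot, giving a consistent image

  PatchTask:
    Type: AWS::SSM::MaintenanceWindowTask
    Properties:
      WindowId: !Ref PatchWindow
      Name: install-patches
      TaskType: RUN_COMMAND
      TaskArn: AWS-RunPatchBaseline
      Priority: 2                      # runs only after the priority 1 task
      ServiceRoleArn: !GetAtt MaintenanceWindowRole.Arn
      MaxConcurrency: "50%"
      MaxErrors: "1"
      Targets:
        - Key: WindowTargetIds
          Values:
            - !Ref PatchTargets
      TaskInvocationParameters:
        MaintenanceWindowRunCommandParameters:
          TimeoutSeconds: 3600
          Parameters:
            Operation:
              - Install
            RebootOption:
              - RebootIfNeeded
```

Deploy it with `aws cloudformation deploy --template-file window.yaml --stack-name patch-window --capabilities CAPABILITY_IAM`; the capability flag is needed because the template creates an IAM role. After the first run, the window's History tab shows both task invocations in priority order, and the AMIs registered by AWS-CreateImage give a rollback point if a patch misbehaves.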

Finally, the window’s description tab shows details such as the next execution time, its duration, its status, and the time zone it is based on.

The order of tasks and their associated documents can be viewed schematically on the task tab.

With this, automatic patching in AWS is configured.
