AWS Systems Manager Patch Manager
AWS Systems Manager Patch Manager (often shortened to SSM Patch Manager) is an Amazon Web Services (AWS) capability for managing and automating operating-system patching of managed nodes: EC2 instances, on-premises servers, and virtual machines registered with Systems Manager. It is one capability of AWS Systems Manager, the broader service for automating operational tasks across AWS resources. Patch Manager installs both security-related updates and, where the baseline allows it, other update classes such as bug fixes.
Patch Manager patches fleets of Amazon EC2 instances, on-premises servers and VMs by operating system type. Supported operating systems include Windows Server, Amazon Linux, Amazon Linux 2, CentOS, Debian Server, Oracle Linux, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server (SLES), and Ubuntu Server. A patching operation can either scan nodes and report only the missing patches, or scan and then install every missing patch. Targets can be individual nodes or large groups selected by resource tags or Resource Groups. Because on-premises and other-cloud machines can be registered as hybrid managed nodes, the same workflow covers hybrid and multi-cloud environments.
The main purpose of Patch Manager is to keep managed nodes current with security patches and other approved updates with as little manual work as possible. It does this through patch baselines, which define the rules for which patches are approved for installation. Users can build custom baselines or use the predefined baselines AWS provides for each supported operating system (for example, AWS-AmazonLinux2DefaultPatchBaseline).
The SSM Agent (AWS Systems Manager Agent) is Amazon software that is installed and configured on an Amazon Elastic Compute Cloud (Amazon EC2) instance, an on-premises server, or a VM. The agent makes it possible for Systems Manager to update, manage, and configure the resource it runs on. It polls Systems Manager for requests and runs them as specified; when an operation completes, it sends status and execution details back to Systems Manager. A node only becomes a managed node, and therefore patchable, when the agent is running and the node has an IAM role (an instance profile on EC2, or a hybrid activation role for on-premises machines) that grants it Systems Manager permissions.
Kernel Live Patching for Amazon Linux 2 applies security vulnerability and critical bug fixes to a running Linux kernel without a reboot or disruption to running applications, improving service availability while keeping the kernel up to date. It is supported on Amazon EC2 instances, AWS IoT Greengrass core devices, and on-premises virtual machines running Amazon Linux 2. Live patches are not a permanent substitute for kernel updates: AWS provides live patches for a given kernel version only for a limited period after that version's release (about three months), after which the node must move to a newer kernel, which does require a reboot.
Patch Baselines
Patch Manager uses patch baselines, which contain rules for auto-approving patches a set number of days after their release, plus optional lists of explicitly approved and rejected patches. When a patching operation runs, Patch Manager compares the patches currently installed on a managed node with those the baseline rules say should be installed. You can choose to have Patch Manager only report the missing patches (a Scan operation), or to install every patch it finds missing (a Scan and install operation, Operation=Install in the AWS-RunPatchBaseline document). An Install operation may reboot the node to complete patching unless the document's RebootOption parameter is set to NoReboot, so schedule installs in a maintenance window and scans wherever they are harmless.
Compliance Reporting
After a Scan operation, the Systems Manager console shows which managed nodes are out of patch compliance and which patches each of those nodes is missing. You can also generate patch compliance reports in .csv format that are delivered to an Amazon Simple Storage Service (Amazon S3) bucket of your choice, either once or on a recurring schedule. A report for a single managed node lists every patch for that node; a report across all managed nodes gives only a per-node summary of how many patches are missing. Once a report is generated, a tool such as Amazon QuickSight can import and analyze the data.
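The baseline rules from the Patch Baselines section and the per-node summary described above fit together as follows. This is an added example, not AWS code: the baseline dictionary follows the shape of the CreatePatchBaseline API request, but the evaluation is a simplified offline model of a Scan (it handles classification and severity filters, ApproveAfterDays, and the approved and rejected lists, and ignores product filters and reboot states). All patch names, release dates, and instance IDs are constructed for illustration.

```python
"""Offline model of how a patch baseline is evaluated during a Scan and
summarised per node. Added example; constructed data, not AWS code."""
import csv
import io
from datetime import date, timedelta

TODAY = date(2024, 3, 20)  # fixed so the approval arithmetic is reproducible

# Baseline in the shape CreatePatchBaseline expects for Amazon Linux 2.
BASELINE = {
    "Name": "al2-security-7d",
    "OperatingSystem": "AMAZON_LINUX_2",
    "ApprovalRules": {
        "PatchRules": [
            {   # security patches rated Critical or Important, 7 days after release
                "PatchFilterGroup": {"PatchFilters": [
                    {"Key": "CLASSIFICATION", "Values": ["Security"]},
                    {"Key": "SEVERITY", "Values": ["Critical", "Important"]},
                ]},
                "ApproveAfterDays": 7,
                "ComplianceLevel": "CRITICAL",
            },
            {   # bug fixes, 14 days after release
                "PatchFilterGroup": {"PatchFilters": [
                    {"Key": "CLASSIFICATION", "Values": ["Bugfix"]},
                ]},
                "ApproveAfterDays": 14,
                "ComplianceLevel": "MEDIUM",
            },
        ]
    },
    "ApprovedPatches": ["sudo-1.9.15-1"],       # constructed: always approved
    "ApprovedPatchesComplianceLevel": "HIGH",
    "RejectedPatches": ["glibc-2.26-64"],       # constructed: never installed
    "RejectedPatchesAction": "BLOCK",
}

# Constructed repository view: what Patch Manager would see as available.
AVAILABLE = [
    {"Id": "openssl-1.0.2k-24", "CLASSIFICATION": "Security", "SEVERITY": "Critical", "ReleaseDate": date(2024, 3, 1)},
    {"Id": "kernel-4.14.355", "CLASSIFICATION": "Security", "SEVERITY": "Important", "ReleaseDate": date(2024, 3, 10)},
    {"Id": "curl-8.5.0-1", "CLASSIFICATION": "Security", "SEVERITY": "Important", "ReleaseDate": date(2024, 3, 16)},
    {"Id": "bash-4.2.46-35", "CLASSIFICATION": "Bugfix", "SEVERITY": "None", "ReleaseDate": date(2024, 2, 1)},
    {"Id": "tzdata-2024a-1", "CLASSIFICATION": "Enhancement", "SEVERITY": "None", "ReleaseDate": date(2024, 1, 1)},
    {"Id": "sudo-1.9.15-1", "CLASSIFICATION": "Security", "SEVERITY": "Moderate", "ReleaseDate": date(2024, 1, 15)},
    {"Id": "glibc-2.26-64", "CLASSIFICATION": "Security", "SEVERITY": "Critical", "ReleaseDate": date(2024, 2, 20)},
]

# Constructed nodes (hypothetical instance IDs) and what each has installed.
NODES = {
    "i-0web": {"openssl-1.0.2k-24", "bash-4.2.46-35", "tzdata-2024a-1"},
    "i-0db": {"openssl-1.0.2k-24", "kernel-4.14.355", "curl-8.5.0-1",
              "bash-4.2.46-35", "sudo-1.9.15-1", "glibc-2.26-64"},
}


def _matches(rule, patch):
    """A rule matches only when every filter accepts the patch's attribute."""
    return all(patch[f["Key"]] in f["Values"]
               for f in rule["PatchFilterGroup"]["PatchFilters"])


def approval(baseline, patch, today):
    """Compliance level a patch is approved at, or None if it is not approved.
    Precedence: rejected list, then approved list, then the approval rules."""
    if patch["Id"] in baseline["RejectedPatches"] and baseline["RejectedPatchesAction"] == "BLOCK":
        return None
    if patch["Id"] in baseline["ApprovedPatches"]:
        return baseline["ApprovedPatchesComplianceLevel"]
    for rule in baseline["ApprovalRules"]["PatchRules"]:
        cutoff = patch["ReleaseDate"] + timedelta(days=rule["ApproveAfterDays"])
        if _matches(rule, patch) and cutoff <= today:
            return rule["ComplianceLevel"]
    return None


def scan(baseline, available, installed, today):
    """Classify each patch for one node using Patch Manager's state names.
    Unapproved patches that are not installed are simply not reported."""
    result = {}
    blocked = set(baseline["RejectedPatches"]) if baseline["RejectedPatchesAction"] == "BLOCK" else set()
    for patch in available:
        pid, level = patch["Id"], approval(baseline, patch, today)
        if pid in installed and pid in blocked:
            result[pid] = ("INSTALLED_REJECTED", None)   # installed but rejected: non-compliant
        elif level is None:
            if pid in installed:
                result[pid] = ("INSTALLED_OTHER", None)  # installed outside the baseline: compliant
        elif pid in installed:
            result[pid] = ("INSTALLED", level)
        else:
            result[pid] = ("MISSING", level)
    return result


def summarize(baseline, available, nodes, today):
    """One row per node, in the spirit of the all-nodes summary report."""
    rows = []
    for node_id, installed in nodes.items():
        counts = {s: 0 for s in ("INSTALLED", "INSTALLED_OTHER", "INSTALLED_REJECTED", "MISSING")}
        missing_critical = 0
        for state, level in scan(baseline, available, installed, today).values():
            counts[state] += 1
            missing_critical += state == "MISSING" and level == "CRITICAL"
        compliant = counts["MISSING"] == 0 and counts["INSTALLED_REJECTED"] == 0
        rows.append({"InstanceId": node_id, **counts, "MissingCritical": missing_critical,
                     "Compliance": "COMPLIANT" if compliant else "NON_COMPLIANT"})
    return rows


def to_csv(rows):
    """Render the summary as the kind of .csv a report would deliver to S3."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(summarize(BASELINE, AVAILABLE, NODES, TODAY)))
```

Two details are worth noticing in the output. The curl patch is four days old, so the seven-day rule has not approved it yet: on the web node it is not reported at all, while on the database node, where someone installed it by hand, it shows as INSTALLED_OTHER and does not affect compliance. The database node is nevertheless non-compliant with zero missing patches, because a rejected patch is installed on it; a dashboard that only counts "missing" would miss that.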
Integrations
Patch Manager integrates with the following AWS services:
AWS IAM
Use AWS Identity and Access Management (IAM) to control which users, groups, and roles can perform Patch Manager operations such as creating baselines or starting patching runs.
AWS CloudTrail
Use CloudTrail to keep an auditable record of the Patch Manager API calls made by IAM users and roles, including who started each patching operation and when.
AWS Security Hub
Patch compliance data from Patch Manager can be sent to AWS Security Hub, which provides a consolidated view of high-priority security alerts and compliance status and lets you track the patching status of the whole fleet alongside other findings.
AWS Config
Turn on recording in AWS Config so that Amazon EC2 instance management data appears in the Patch Manager dashboard.