AWS Systems Manager (SSM) – Patch Management Overview


AWS Systems Manager (SSM) for Patch Management

Centralized, automated scanning, installation, and compliance reporting for EC2 and on-premises servers.

Diagram

AWS SSM Patch Management workflow diagram showing Patch Baselines & Patch Groups feeding Patch Manager during a Maintenance Window; SSM Agent applies patches on EC2/on-prem, results flow to Compliance, AWS Config, and Security Hub.
AWS Systems Manager Patch Management workflow.

Overview

AWS Systems Manager (SSM) provides native, agent-based patch management across EC2 instances and on-premises servers (via hybrid activations). The Patch Manager capability automates:

  • Scanning for missing patches
  • Approving/denying updates via patch baselines
  • Installing patches during defined maintenance windows
  • Recording compliance in a central dashboard and integrated services

Key Components & Workflow

1) SSM Agent

  • Lightweight agent on each managed instance.
  • Communicates over HTTPS (443) to SSM endpoints; no inbound SSH/RDP required.
  • Executes patch commands and reports results.
  • Supported OS: Amazon Linux, RHEL, Ubuntu, SUSE, Windows Server; also on-prem nodes via hybrid activation.

2) Patch Baselines

  • Define which patches are approved/denied.
  • Use AWS-provided defaults or create custom baselines.
  • Rules by classification (Security/Critical), severity, product family (e.g., Windows Server 2019), and auto-approval delays (e.g., 7 days after release).

3) Patch Groups

  • Tag-based logical groupings (e.g., PatchGroup=Production).
  • Associate different baselines per environment/workload.

4) Maintenance Windows

  • Define when patching runs (e.g., Sun 02:00–04:00).
  • Register tasks that run SSM documents (e.g., AWS-RunPatchBaseline).

5) Patch Manager Operations

Scan

Detects missing patches per the instance’s baseline; publishes findings to Compliance.

Install

Applies approved patches; can control reboots and failure thresholds; reports outcomes.

6) Compliance Reporting

  • Instance status: Compliant, Non-Compliant, or Unknown relative to its baseline.
  • Visible in SSM Compliance dashboard; also integrates with AWS Config, Security Hub, and EventBridge/SNS for alerts.

Example: Automated Patch Flow

  1. Tag instances with PatchGroup=Prod.
  2. Associate a custom baseline (e.g., only Security and Critical updates; 7-day auto-approval delay).
  3. Create a maintenance window: Sundays 02:00–04:00.
  4. Register a task using AWS-RunPatchBaseline to Scan then Install.
  5. SSM Agent downloads and installs approved patches, optionally reboots, then reports to Compliance.

Integrations

  • AWS Config – Tracks drift & state changes.
  • AWS Security Hub – Aggregates patch findings.
  • AWS Organizations – Manage patching at scale across accounts.
  • Amazon EventBridge / SNS – Alerting on failures/drift.

Advantages

  • Centralized, agent-based control (no SSH/RDP).
  • Works for EC2 and on-prem nodes.
  • Custom baselines, patch groups, and maintenance windows.
  • Strong compliance visibility and native integrations.