AWS Patch Management using Systems Manager

anuj varma — Mon, 03 Nov 2025 16:02:57 +0000

AWS Systems Manager (SSM) – Patch Management Overview

AWS Systems Manager (SSM) for Patch Management

Centralized, automated scanning, installation, and compliance reporting for EC2 and on-premises servers.

Diagram

AWS Systems Manager Patch Management workflow.

Overview

AWS Systems Manager (SSM) provides native, agent-based patch management across EC2 instances and on-premises servers (via hybrid activations). The Patch Manager capability automates:

Scanning for missing patches
Approving/denying updates via patch baselines
Installing patches during defined maintenance windows
Recording compliance in a central dashboard and integrated services

Key Components & Workflow

1) SSM Agent

Lightweight agent on each managed instance.
Communicates over HTTPS (443) to SSM endpoints; no inbound SSH/RDP required.
Executes patch commands and reports results.
Supported OS: Amazon Linux, RHEL, Ubuntu, SUSE, Windows Server; also on-prem nodes via hybrid activation.

2) Patch Baselines

Define which patches are approved/denied.
Use AWS-provided defaults or create custom baselines.
Rules by classification (Security/Critical), severity, product family (e.g., Windows Server 2019), and auto-approval delays (e.g., 7 days after release).

3) Patch Groups

Tag-based logical groupings (e.g., PatchGroup=Production).
Associate different baselines per environment/workload.

4) Maintenance Windows

Define when patching runs (e.g., Sun 02:00–04:00).
Register tasks that run SSM documents (e.g., AWS-RunPatchBaseline).

5) Patch Manager Operations

Scan

Detects missing patches per the instance’s baseline; publishes findings to Compliance.

Install

Applies approved patches; can control reboots and failure thresholds; reports outcomes.

6) Compliance Reporting

Instance status: Compliant, Non-Compliant, or Unknown relative to its baseline.
Visible in SSM Compliance dashboard; also integrates with AWS Config, Security Hub, and EventBridge/SNS for alerts.

Example: Automated Patch Flow

Tag instances with PatchGroup=Prod.
Associate a custom baseline (e.g., only Security and Critical updates; 7-day auto-approval delay).
Create a maintenance window: Sundays 02:00–04:00.
Register a task using AWS-RunPatchBaseline to Scan then Install.
SSM Agent downloads and installs approved patches, optionally reboots, then reports to Compliance.

Integrations

AWS Config – Tracks drift & state changes.
AWS Security Hub – Aggregates patch findings.
AWS Organizations – Manage patching at scale across accounts.
Amazon EventBridge / SNS – Alerting on failures/drift.

Advantages

Centralized, agent-based control (no SSH/RDP).
Works for EC2 and on-prem nodes.
Custom baselines, patch groups, and maintenance windows.
Strong compliance visibility and native integrations.

The post AWS Patch Management using Systems Manager appeared first on AWS Security Architect.

patching governance Archives - AWS Security Architect