Patch Windows and Linux Servers Using AWS Systems Manager (SSM)

 


What is AWS Systems Manager (SSM)?

AWS Systems Manager is the AWS service for viewing, managing and operating your servers (which it calls "nodes") from one place, whether they run in AWS, in your on-premises data center or at another cloud provider. It presents a single dashboard that brings together the tools you need to manage nodes across multiple AWS accounts and Regions.

To be managed by Systems Manager, a server must be a "managed node": it needs a current SSM Agent installed and must be able to reach the Systems Manager service endpoints. If a server does not show up as managed, Systems Manager offers a one-click troubleshooting feature that checks for common problems such as network connectivity, can run remediation on a schedule you choose, and provides suggestions and ready-to-use scripts to fix the issue.

The dashboard gives a quick overview of all your nodes in one place. You can see, for example, which ones are running out-of-date operating systems, and you can filter the view by operating system version, AWS Region, AWS account or SSM Agent version, so it is easy to find the information you need for a specific account, an application or the whole organization.

In this article, we walk through how to set up Systems Manager and patch your servers with it, step by step.

Set up patching in AWS Systems Manager

AWS Systems Manager keeps Windows and Linux machines up to date through automated patching. You can schedule patch jobs, apply updates at scale, and control the blast radius of a patch run across many servers.

SSM manages both EC2 instances in AWS and servers inside your own network.

Key features include:

  • Automatic OS patching with Patch Manager – Keeps your servers up to date without manual effort.
  • Session Manager – Securely access a server’s shell without needing SSH or RDP.
  • Software inventory & discovery tools – See what software is installed and gather system details.
  • Run Command – Run scripts or commands on remote servers without logging in.

Patch Manager lets you scan for and install patches on both Windows and Linux systems according to pre-defined approval rules and schedules. It drives the operating system's own update mechanism (Windows Update on Windows, the distribution's package manager on Linux), so the patches themselves come from the OS vendor, not from AWS.

Prerequisites:

Before proceeding, check the following:

  1. SSM Agent is installed and running on all target instances.
  2. An IAM instance profile (for EC2) or the hybrid activation service role (for on-premises servers) is attached with the AmazonSSMManagedInstanceCore managed policy. The older AmazonEC2RoleforSSM policy is deprecated and is not needed when AmazonSSMManagedInstanceCore is present.
  3. The instances appear as managed nodes in AWS Systems Manager (Fleet Manager shows them with ping status Online).
  4. Security groups allow outbound HTTPS (port 443) to the ssm, ssmmessages and ec2messages endpoints, or VPC interface endpoints for those three services are configured for instances in private subnets.
  5. The instances can reach their patch source: Windows Update (or your WSUS server) for Windows, and the distribution repositories for Linux. Patch Manager downloads nothing from AWS on the instance's behalf.

Step 1: Add Tags to Your Instances

 
To keep patching organized, tag your instances. Tags let you target specific environments such as "Prod" or "Dev", or a particular OS type, instead of maintaining lists of instance IDs.

Example, tagging through the AWS CLI. The command is the same on Linux, macOS and Windows, whether you run it in a terminal or in PowerShell:

aws ec2 create-tags --resources i-0123456789abcdef0 --tags Key=Environment,Value=Production

Note: make sure the AWS CLI is installed and configured (run aws configure first). You can also tag from the EC2 console under the "Tags" tab.
 

Step 2: Configure Patch Baselines

AWS provides a default patch baseline for every supported operating system: AWS-DefaultPatchBaseline for Windows, and one per Linux distribution (for example AWS-AmazonLinux2DefaultPatchBaseline). The defaults only auto-approve operating-system updates, so if you want control over approved and rejected patches, auto-approval rules or compliance levels, create a custom baseline.

To create a custom patch baseline: open the Systems Manager console → Patch Manager → Create patch baseline. Set a name such as Windows-Prod-PatchBaseline and choose the operating system (e.g. Windows).

  • Configure auto-approval rules (e.g. approve Critical and Important security updates 6 days after they are released) and the compliance level to report when such a patch is missing. The delay gives you time to catch a bad patch before it reaches production, but every day of delay is a day the vulnerability stays open, so keep it short for critical updates.
  • Optionally list explicitly approved or rejected patches (for rejected patches, choose whether to block them outright or only report them as non-compliant), save, and optionally set the baseline as the default for that OS.

Step 3: Create a Patch Group

A patch group tells Systems Manager which patch baseline applies to which instances. Tag the instances with the key Patch Group (with a space; the key PatchGroup without a space is also accepted) and a value such as ProdWindowsGroup.

Then associate that value with the baseline: Systems Manager → Patch Manager → Patch baselines → select the baseline → Actions → Modify patch groups. Each patch group can be associated with only one baseline per operating system, and instances without a Patch Group tag receive the default baseline for their OS.
 

Step 4: Create a Maintenance Window to schedule patching during off-peak hours

Go to Systems Manager → Maintenance Windows → Create maintenance window.
Give it a name such as Weekly-Prod-Patching and a description.
Set the schedule with a cron expression (e.g. every Sunday at 2 AM UTC: cron(0 2 ? * SUN *)), the time zone, the duration (how many hours the window stays open) and the cutoff (how many hours before the end of the window Systems Manager stops starting new tasks, so that a patch run is not cut off half-way through a reboot).
Enable "Allow unregistered targets" only if you intend to run tasks against instances that are not registered as targets of the window.
Note: a maintenance window is optional, because you can run AWS-RunPatchBaseline on demand, but it is recommended in a new setup so that installs and the reboots they trigger happen at a predictable time.

Step 5: Register Targets to the Maintenance Window

In the maintenance window → Register targets, choose "Specify instance tags" and enter the Patch Group tag.
For example, Patch Group = "ProdWindowsGroup".
 

Step 6: Register a Task to Apply Patches

Now attach a task that performs the patching: Register task → Run Command task (AWS-RunPatchBaseline is a Run Command document, not an Automation runbook).
Document name: AWS-RunPatchBaseline. Set Operation to Install (Scan only reports missing patches and installs nothing) and RebootOption to RebootIfNeeded so that patches that require a reboot are completed inside the window.
Targets: the window target registered in Step 5.
Rate control: limit concurrency (how many instances are patched at the same time) and the error threshold after which the task stops, so a bad patch does not take down the whole fleet at once.
IAM service role: keep the default so that Systems Manager uses its service-linked role, or choose a custom role with the required permissions. Optionally write the output to an S3 bucket or CloudWatch Logs, then Save.
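The whole procedure from Step 2 to Step 6 as a single AWS CLI script, added here as an example; it is not code from the original article. It assumes the region us-east-1 (overridable through AWS_REGION), a patch group name and operating system passed on the command line, that the tagged instances are already managed nodes, and that the caller has the ssm:* permissions for these calls. The script name, the ProdWindowsGroup value, the 6-day approval delay and the 25%/10% rate controls are illustrative choices, not values from the article.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Hypothetical usage:
#   ./setup-prod-patching.sh --apply ProdWindowsGroup WINDOWS
#   ./setup-prod-patching.sh --apply ProdLinuxGroup AMAZON_LINUX_2
# Without --apply the script only defines the helper functions.
set -euo pipefail

REGION="${AWS_REGION:-us-east-1}"   # assumed region

# Target expression selecting every managed node that carries the patch group tag.
patch_group_target() {
  printf 'Key=tag:Patch Group,Values=%s\n' "$1"
}

# Maintenance window schedule: every <day-of-week> at <hour>:00, e.g. weekly_cron SUN 2.
weekly_cron() {
  printf 'cron(0 %s ? * %s *)\n' "$2" "$1"
}

# Auto-approval rule in AWS CLI shorthand syntax. The patch filter keys differ
# per OS: Windows rates patches by MSRC_SEVERITY, Amazon Linux 2 by SEVERITY.
approval_rules() {
  local os="$1" days="$2"
  case "$os" in
    WINDOWS)
      printf 'PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=CLASSIFICATION,Values=[CriticalUpdates,SecurityUpdates]},{Key=MSRC_SEVERITY,Values=[Critical,Important]}]},ApproveAfterDays=%s,ComplianceLevel=CRITICAL}]\n' "$days" ;;
    AMAZON_LINUX_2)
      printf 'PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=CLASSIFICATION,Values=[Security]},{Key=SEVERITY,Values=[Critical,Important]}]},ApproveAfterDays=%s,ComplianceLevel=CRITICAL}]\n' "$days" ;;
    *) echo "unsupported OS: $os" >&2; return 1 ;;
  esac
}

# Pre-flight for the prerequisites: print every tagged instance whose agent is
# not Online. Patch Manager cannot reach those, so the run would silently skip them.
check_managed_nodes() {
  aws ssm describe-instance-information --region "$REGION" \
    --filters "$(patch_group_target "$1")" \
    --query 'InstanceInformationList[?PingStatus!=`Online`].InstanceId' --output text
}

main() {
  local group="$2" os="$3" offline baseline_id window_id target_id
  offline="$(check_managed_nodes "$group")"
  if [ -n "$offline" ]; then echo "not managed/online: $offline" >&2; exit 1; fi

  # Step 2: custom baseline; critical security patches auto-approved after 6 days,
  # explicitly rejected patches are blocked rather than pulled in as dependencies.
  baseline_id="$(aws ssm create-patch-baseline --region "$REGION" --name "${group}-PatchBaseline" \
    --operating-system "$os" --approval-rules "$(approval_rules "$os" 6)" \
    --rejected-patches-action BLOCK --query BaselineId --output text)"

  # Step 3: bind the baseline to the patch group (one baseline per OS per group).
  aws ssm register-patch-baseline-for-patch-group --region "$REGION" \
    --baseline-id "$baseline_id" --patch-group "$group" >/dev/null

  # Step 4: weekly window, Sunday 02:00 UTC, open 4 h, no new tasks in the last hour.
  window_id="$(aws ssm create-maintenance-window --region "$REGION" \
    --name "Weekly-${group}-Patching" --schedule "$(weekly_cron SUN 2)" \
    --schedule-timezone UTC --duration 4 --cutoff 1 --no-allow-unassociated-targets \
    --query WindowId --output text)"

  # Step 5: the patch group tag becomes the window target.
  target_id="$(aws ssm register-target-with-maintenance-window --region "$REGION" \
    --window-id "$window_id" --resource-type INSTANCE \
    --targets "$(patch_group_target "$group")" --query WindowTargetId --output text)"

  # Step 6: a Run Command task (not Automation) running AWS-RunPatchBaseline with
  # Install + RebootIfNeeded, 25% of the nodes at a time, stop after 10% failures.
  # No --service-role-arn: Systems Manager then uses its service-linked role.
  aws ssm register-task-with-maintenance-window --region "$REGION" \
    --window-id "$window_id" --task-type RUN_COMMAND --task-arn AWS-RunPatchBaseline \
    --targets "Key=WindowTargetIds,Values=${target_id}" \
    --max-concurrency 25% --max-errors 10% --priority 1 \
    --task-invocation-parameters '{"RunCommand":{"Parameters":{"Operation":["Install"],"RebootOption":["RebootIfNeeded"]},"TimeoutSeconds":3600}}' \
    --query WindowTaskId --output text
}

if [ "${1:-}" = "--apply" ]; then main "$@"; fi
```

The pre-flight check is the part most often skipped by hand: an instance that is tagged but not Online never appears in the window's results, so it looks like a clean run while the instance stays unpatched. The rate controls and the BLOCK action for rejected patches are the two settings that keep a bad patch from reaching the whole group in one window.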
 

Step 7: Manually Scan and Patch (Optional)

You can also run patching on demand from the AWS CLI, in a terminal or in PowerShell. Run this command on one line for Windows:
aws ssm send-command --document-name "AWS-RunPatchBaseline" --targets "Key=tag:Patch Group,Values=ProdWindowsGroup" --parameters "Operation=Install" --comment "Manual Windows patching" --region us-east-1
And this one for Linux:
aws ssm send-command --document-name "AWS-RunPatchBaseline" --targets "Key=tag:Patch Group,Values=ProdLinuxGroup" --parameters "Operation=Install" --comment "Manual Linux patching" --region us-east-1
To see what is missing without changing anything, use Operation=Scan instead of Install. Note the CommandId in the response; you will need it to check the result.
 

Step 8: Patching Status Monitoring

After the command has run, go to Systems Manager → Run Command to view its status.
To view the status from the AWS CLI:
aws ssm list-command-invocations --command-id <command-id> --details
Replace <command-id> with the CommandId returned by the send-command calls above.

If you did not note the command ID, retrieve it from the most recent commands:

aws ssm list-commands --max-items 5
The invocation listing shows the status per instance (Success, InProgress, Failed, etc.), the command output (including the patch log), and the execution time and duration.

You can also check the compliance dashboard at Systems Manager → Compliance, which lists compliant and non-compliant instances per patch baseline. Compliance data is only refreshed when AWS-RunPatchBaseline runs (Scan or Install), so an instance that has not been scanned since a patch was released will still show as compliant; schedule regular Scan runs if you rely on this view.

Alternatively, in the AWS console go to Systems Manager → Run Command → Command history and click your command to see the status for each instance, view the detailed output and download the logs.

The output shown in the console is truncated, so for complete patch logs enable output to Amazon S3 or CloudWatch Logs on the task. You can also automate report generation and send patching summaries by email through SNS.

Note: always test custom patch baselines in a staging environment before applying them to production, store the logs of patching operations in S3, and set up SNS notifications so you are alerted on patching success or failure.
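A small status report for the checks in this step, added here as an example; it is not code from the original article. It reads the per-instance patch state that Patch Manager records (the same data behind the Compliance dashboard) and the per-instance Run Command result, and reduces both to a pass/fail a cron job or an SNS notification can act on. It assumes the region us-east-1 (overridable through AWS_REGION) and a patch group name or command ID passed on the command line; the embedded sample rows are constructed, not real output.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Hypothetical usage:
#   ./patch-status.sh ProdWindowsGroup          # live report for a patch group
#   ./patch-status.sh                           # runs on the constructed sample rows
set -euo pipefail

REGION="${AWS_REGION:-us-east-1}"   # assumed region

# One tab-separated row per instance in the patch group:
# InstanceId, Operation, MissingCount, FailedCount, InstalledPendingRebootCount, RebootOption
fetch_patch_states() {
  aws ssm describe-instance-patch-states-for-patch-group --region "$REGION" \
    --patch-group "$1" \
    --query 'InstancePatchStates[].[InstanceId,Operation,MissingCount,FailedCount,InstalledPendingRebootCount,RebootOption]' \
    --output text
}

# Per-instance Run Command results for one command ID, only the ones that did
# not succeed (the --details flag from the article is what adds the output text).
failed_invocations() {
  aws ssm list-command-invocations --region "$REGION" --command-id "$1" \
    --query 'CommandInvocations[?Status!=`Success`].[InstanceId,Status]' --output text
}

# Classify rows read from stdin. Any missing or failed patch is NON_COMPLIANT.
# Patches that are installed but wait for a reboot are PENDING_REBOOT: the
# package is on disk but the vulnerable code is still running, which is what a
# NoReboot run leaves behind. Everything else is COMPLIANT.
classify_patch_states() {
  awk -F'\t' '
    {
      id = $1; missing = $3 + 0; failed = $4 + 0; pending = $5 + 0
      if (missing > 0 || failed > 0) status = "NON_COMPLIANT"
      else if (pending > 0)          status = "PENDING_REBOOT"
      else                           status = "COMPLIANT"
      print id, status
    }'
}

# Exit 0 only when every instance is COMPLIANT, so the script can gate an alert.
all_compliant() {
  classify_patch_states | awk '$2 != "COMPLIANT" { bad = 1 } END { exit bad + 0 }'
}

# Constructed sample in the --output text format: one clean node, one with two
# missing patches, one patched with NoReboot and still waiting for its reboot.
SAMPLE_PATCH_STATES="$(printf 'i-0aaa\tInstall\t0\t0\t0\tRebootIfNeeded\ni-0bbb\tInstall\t2\t0\t0\tRebootIfNeeded\ni-0ccc\tInstall\t0\t0\t3\tNoReboot\n')"

if [ $# -gt 0 ]; then
  fetch_patch_states "$1" | classify_patch_states
else
  printf '%s\n' "$SAMPLE_PATCH_STATES" | classify_patch_states
fi
```

Both the Run Command status and the patch state are needed: a Success status only means the document ran, not that the instance is fully patched, and a patch state of zero missing is stale until the next Scan or Install refreshes it.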
 

Final Thoughts

AWS Systems Manager Patch Manager makes automated patching simple, secure and scalable for AWS, on-premises and hybrid servers. By keeping systems updated and compliant it saves a lot of time, reduces risk, and maintains a consistent security posture across environments.
 
For more detail, see the official AWS Systems Manager documentation.