Tracking Node Inventory and OS Patching Using SSM Patch Manager

1 hour
  • 4 Learning Objectives

About this Hands-on Lab

In this hands-on lab, we’ll be using Patch Manager to patch different SSM-supported OSes. We’ll create a patch baseline and see firsthand how it can help maintain and patch a multi-platform infrastructure. We’ll also observe how SSM Inventory can keep us more aware of the metadata on managed instances and allow us to make more informed decisions regarding software policies.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Log in to AWS Management Console and verify the already provisioned managed SSM instances

Log in to the AWS Management Console with the credentials provided once the lab starts.

On the AWS SSM console, go to Managed Instances and ensure you see two managed EC2 instances: AmazonLinux-Instance and Windows-Instance.
Note that it can take up to 10 minutes for the Windows-Instance to spin up and appear under SSM Managed Instances.
If either instance is not showing up under SSM Managed Instances, go to the EC2 console, "Reboot" that instance, wait a bit, and check SSM Managed Instances again.

Apply tags to SSM managed instance for using with Patch Manager

Head over to the EC2 service console in the AWS GUI and look for the running instances AmazonLinux-Instance and Windows-Instance.
Repeat the following steps to apply Patch Group tags to both of these EC2 instances.

  1. Select either of the two instances and click on the Tags tab in the details which show up at the bottom.
  2. Click on the Add/Edit Tags to add a new tag to the instance.
  3. In the new pop-up window which opens up, click on Create Tag which should add a new row. Enter Patch Group in the Key value and Linux Prod or Windows Prod in the Value field depending on the system that you are tagging.
  4. Repeat these steps for the other instance.

Configure Patching

Head over to the Patch Manager page on the Systems Manager console.
Click on View predefined patch baselines.

  1. Click on the search bar, which should give you a drop-down. Select Operating System and choose Amazon Linux 2 or Windows depending on which EC2 instance you’re creating the baseline for. If the search result offers several patch baselines, select the one marked as the default patch baseline: there should be a green tick under the Default baseline column.
  2. Create two patch baselines: one for the Amazon Linux 2 EC2 instance and the other for the Windows EC2 instance.
  3. After creating the Patch baseline, head back to the Patch Manager page, click on the search bar, click on Name prefix, and type in the name you gave to the Patch baseline. Alternatively, you can filter by Owner -> Self.
  4. Select your patch baseline and click on the Action drop-down button. Then click Modify Patch Groups. On the new page, in the Patch Group input area, enter either Linux Prod or Windows Prod depending on the instance. Repeat this step for both Patch Baselines that you have created.
  5. Head back to either one of your created patch baselines, select it, and click Configure Patching. Select the radio button for Select a patch group and select the patch group for this baseline from the drop-down menu. Be sure to select the appropriate patch group here, as selecting the Linux patch group for a Windows patch baseline will simply skip the patching.
  6. For Windows, select the option to Scan for required updates so it only reports back on required patching.
  7. For Linux, select Scan and Install.
  8. After configuring patching, SSM will run one-time Run Commands to carry out actions.
  9. Head over to the Run Command page to track the patching run commands.

Set Up Inventory
  1. On the Inventory page of the SSM console, click Set up inventory for both managed instances. Give it about 10 minutes (this is roughly the average time it takes).
  2. Back on the Inventory page, scroll to the bottom of the page, and select the managed instance you want to have a look at to see its inventory.
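The same three procedures (tagging the instances with a Patch Group, creating and attaching the patch baselines and running them, and setting up Inventory) can be driven from the AWS CLI instead of the console. The script below is an added example and is not part of the lab; it assumes AWS CLI v2 is configured for the lab account, that the two managed instances already exist, and that the instance IDs (constructed placeholders here) are replaced with the real ones. Nothing is sent to the account unless the script is run with an explicit `apply` argument, which makes the pure helper functions easy to check on their own.

```shell
#!/bin/sh
# Added example, not part of the lab: the console steps driven with the AWS CLI.
# Assumes AWS CLI v2 is installed and configured for the lab account and that the
# two managed instances exist. The instance IDs below are constructed placeholders.
set -eu

LINUX_INSTANCE="${LINUX_INSTANCE:-i-0123456789abcdef0}"    # placeholder: Amazon Linux 2
WINDOWS_INSTANCE="${WINDOWS_INSTANCE:-i-0fedcba9876543210}"  # placeholder: Windows

# Per-OS values for the baseline filters: Windows rates patches by MSRC severity,
# Amazon Linux 2 by SEVERITY, and the security classification is spelled differently.
severity_key_for_os() {
  case "$1" in
    WINDOWS) echo MSRC_SEVERITY ;;
    AMAZON_LINUX_2) echo SEVERITY ;;
    *) echo "unsupported OS: $1" >&2; return 1 ;;
  esac
}
classification_for_os() {
  case "$1" in
    WINDOWS) echo SecurityUpdates ;;
    AMAZON_LINUX_2) echo Security ;;
    *) echo "unsupported OS: $1" >&2; return 1 ;;
  esac
}
# As in the lab: Windows only scans (reports required patches), Linux scans and installs.
operation_for_os() {
  case "$1" in
    WINDOWS) echo Scan ;;
    AMAZON_LINUX_2) echo Install ;;
    *) echo "unsupported OS: $1" >&2; return 1 ;;
  esac
}

# Approval rule: Critical/Important security patches, auto-approved 7 days after release.
approval_rules_json() {   # $1 = classification value, $2 = severity filter key
  printf '{"PatchRules":[{"PatchFilterGroup":{"PatchFilters":[{"Key":"CLASSIFICATION","Values":["%s"]},{"Key":"%s","Values":["Critical","Important"]}]},"ApproveAfterDays":7,"ComplianceLevel":"CRITICAL"}]}' "$1" "$2"
}

# Target expression that selects instances by their Patch Group tag.
patch_targets() {   # $1 = patch group name
  printf 'Key=tag:Patch Group,Values=%s' "$1"
}

# Tag, baseline, patch-group registration, one patch run and inventory for one platform.
onboard_platform() {   # $1 = instance id, $2 = OS (WINDOWS|AMAZON_LINUX_2), $3 = patch group
  instance="$1"; os="$2"; group="$3"

  # Tag the instance so Patch Manager can map it to a baseline.
  aws ec2 create-tags --resources "$instance" --tags "Key=Patch Group,Value=$group"

  # Create a custom baseline for this OS and attach it to the patch group.
  baseline_id=$(aws ssm create-patch-baseline \
      --name "Lab-$os-Baseline" \
      --operating-system "$os" \
      --approval-rules "$(approval_rules_json "$(classification_for_os "$os")" "$(severity_key_for_os "$os")")" \
      --query BaselineId --output text)
  aws ssm register-patch-baseline-for-patch-group --baseline-id "$baseline_id" --patch-group "$group"

  # One-time AWS-RunPatchBaseline run; the Run Command page tracks its progress.
  aws ssm send-command \
      --document-name AWS-RunPatchBaseline \
      --targets "$(patch_targets "$group")" \
      --parameters "Operation=$(operation_for_os "$os")" \
      --comment "Lab patch run for $group"

  # Inventory: the same association the console's "Set up inventory" creates (30-minute rate).
  aws ssm create-association \
      --name AWS-GatherSoftwareInventory \
      --targets "$(patch_targets "$group")" \
      --schedule-expression "rate(30 minutes)" \
      --parameters "applications=Enabled,awsComponents=Enabled,networkConfig=Enabled,windowsUpdates=Enabled,instanceDetailedInformation=Enabled"
}

# Compliance check: per-instance counts from the last patch operation.
show_patch_state() {   # $@ = instance ids
  aws ssm describe-instance-patch-states --instance-ids "$@" \
      --query 'InstancePatchStates[].[InstanceId,Operation,InstalledCount,MissingCount,FailedCount]' \
      --output table
}

# Only an explicit "apply" argument touches the account.
if [ "${1:-}" = "apply" ]; then
  onboard_platform "$LINUX_INSTANCE" AMAZON_LINUX_2 "Linux Prod"
  onboard_platform "$WINDOWS_INSTANCE" WINDOWS "Windows Prod"
  show_patch_state "$LINUX_INSTANCE" "$WINDOWS_INSTANCE"
fi
```

Run it as `sh ssm_patch_lab.sh apply` after exporting the real instance IDs. The `show_patch_state` query is the CLI equivalent of the compliance view in the console: a non-zero MissingCount on the Windows instance after a Scan is expected, since that baseline only reports.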

Additional Resources

You've been put in charge of patching your Linux and Windows server fleets on AWS. Previously, you did so by logging in to each node and patching it manually. However, you've heard of SSM Patch Manager and want to try it out on a couple of EC2 instances in your organization to test its features and see how it can make life easier.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.
