In this hands-on lab, we’ll be using Patch Manager to patch different SSM-supported OSes. We’ll create a patch baseline and see firsthand how it can help maintain and patch a multi-platform infrastructure. We’ll also observe how SSM inventory can keep us more aware about metadata on managed instances and allow us to make more informed decisions regarding software policies.
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Log in to the AWS Management Console and verify the already provisioned managed SSM instances
Log in to the AWS Management Console with the credentials provided once the lab starts.
On the AWS SSM console, go to Managed Instances and ensure you see two managed EC2 instances: AmazonLinux-Instance and Windows-Instance.
Please note that it can take up to 10 minutes for the Windows-Instance to spin up and show under SSM Managed Instances.
If either of the instances is not showing up under SSM Managed Instances, go to the EC2 console, "Reboot" that instance, wait for a bit, and check SSM Managed Instances again.
- Apply tags to the SSM managed instances for use with Patch Manager
Head over to the EC2 service console on the AWS GUI and look for Running Instances: AmazonLinux-Instance and Windows-Instance.
Repeat the following steps to apply Patch Group tags to both of these EC2 instances.
- Select either of the two instances and click on the Tags tab in the details which show up at the bottom.
- Click on Add/Edit Tags to add a new tag to the instance.
- In the new pop-up window which opens up, click on Create Tag, which should add a new row. Enter Patch Group in the Key field and Linux Prod or Windows Prod in the Value field, depending on the system that you are tagging.
- Repeat these steps for the other instance.
- Configure Patching
Head over to the Patch Manager page on the Systems Manager console.
Click on View predefined patch baselines.
- Click on the search bar, which should give you a drop-down. Select Operating System and choose Amazon Linux 2 or Windows, depending on which EC2 instance you're creating the baseline for. If the search result offers a list of options for patch baselines, select the one which is the Default baseline. There should be a green tick under the Default baseline column.
- Create two patch baselines: one for the Amazon Linux 2 EC2 instance and the other for the Windows EC2 instance.
- After creating the patch baselines, head back to the Patch Manager page, click on the search bar, click on Name prefix, and type in the name you gave to the patch baseline. Alternatively, you can filter by Owner -> Self.
- Select your patch baseline and click on the Action drop-down button. Then click Modify Patch Groups. On the new page, in the Patch Group input area, enter either Linux Prod or Windows Prod, depending on the instance. Repeat this step for both patch baselines that you have created.
- Head back to either one of your created patch baselines, select it, and click Configure Patching. Select the radio button for Select a patch group and select the patch group for this baseline from the drop-down menu. Be sure to select the appropriate patch group here: selecting the Linux patch group for a Windows patch baseline will simply skip the patching.
- For Windows, select the option to Scan for required updates so it only reports back on required patching.
- For Linux, select Scan and Install.
- After configuring patching, SSM will run one-time Run Commands to carry out these actions.
- Head over to the Run Command page to track the patching run commands.
- Set Up Inventory
- On the Inventory page of the SSM console, click Set up inventory for both managed instances. Give it about 10 minutes (it takes about this much time on average).
- Back on the Inventory page, scroll to the bottom of the page, and select the managed instance you want to have a look at to see its inventory.
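The same flow scripted with boto3, as an added example that is not part of the lab: tag each managed instance with its Patch Group, register that group with the AWS-owned default baseline for its OS (the green tick in the console), run AWS-RunPatchBaseline with Scan on Windows and Install on Linux, and gather inventory. The PLAN table, the us-east-1 region and reusing the predefined default baseline instead of creating a copy are assumptions; the helper functions are pure and can be checked without AWS credentials.

```python
"""Script the lab's Patch Manager flow with boto3 (added example, not part of the lab)."""
from typing import Dict

# Constructed plan mirroring the lab: tag value, baseline OS and Run Command operation per platform.
PLAN: Dict[str, Dict[str, str]] = {
    "Linux": {"patch_group": "Linux Prod", "baseline_os": "AMAZON_LINUX_2", "operation": "Install"},
    "Windows": {"patch_group": "Windows Prod", "baseline_os": "WINDOWS", "operation": "Scan"},
}

def baseline_matches_platform(platform_type: str, baseline_os: str) -> bool:
    """The lab's caveat: a patch group whose baseline OS differs from the instance OS is skipped."""
    plan = PLAN.get(platform_type)
    return plan is not None and plan["baseline_os"] == baseline_os

def run_patch_baseline_request(platform_type: str) -> Dict:
    """Build the AWS-RunPatchBaseline send_command request targeted by the Patch Group tag."""
    plan = PLAN[platform_type]
    return {
        "DocumentName": "AWS-RunPatchBaseline",
        "Targets": [{"Key": "tag:Patch Group", "Values": [plan["patch_group"]]}],
        # Windows only reports (Scan); Linux scans and installs, rebooting if a patch requires it.
        "Parameters": {"Operation": [plan["operation"]], "RebootOption": ["RebootIfNeeded"]},
    }

def default_aws_baseline_id(ssm, baseline_os: str) -> str:
    """Find the AWS-owned default baseline for an OS (the Default baseline column in the console)."""
    resp = ssm.describe_patch_baselines(
        Filters=[{"Key": "OWNER", "Values": ["AWS"]},
                 {"Key": "OPERATING_SYSTEM", "Values": [baseline_os]}])
    for ident in resp["BaselineIdentities"]:
        if ident.get("DefaultBaseline") and ident["OperatingSystem"] == baseline_os:
            return ident["BaselineId"]
    raise LookupError(f"no AWS default baseline for {baseline_os}")

def apply(region: str = "us-east-1") -> None:
    """Tag, register, patch and inventory every managed instance; needs AWS credentials."""
    import boto3  # imported here so the pure helpers above stay importable without boto3
    ec2, ssm = boto3.client("ec2", region_name=region), boto3.client("ssm", region_name=region)
    for info in ssm.describe_instance_information()["InstanceInformationList"]:
        platform, instance_id = info["PlatformType"], info["InstanceId"]
        plan = PLAN[platform]  # the lab has one Linux and one Windows instance
        baseline_id = default_aws_baseline_id(ssm, plan["baseline_os"])
        ec2.create_tags(Resources=[instance_id], Tags=[{"Key": "Patch Group", "Value": plan["patch_group"]}])
        ssm.register_patch_baseline_for_patch_group(BaselineId=baseline_id, PatchGroup=plan["patch_group"])
        ssm.send_command(**run_patch_baseline_request(platform))
    # Inventory: what "Set up inventory" does, as an association over all managed instances.
    ssm.create_association(Name="AWS-GatherSoftwareInventory",
                           Targets=[{"Key": "InstanceIds", "Values": ["*"]}],
                           ScheduleExpression="rate(30 minutes)")
```

Call apply() with credentials for the lab account to run it end to end; the Run Command page then shows the two one-time AWS-RunPatchBaseline invocations.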