In this blog post, we will learn to patch Linux EC2 instances using AWS Systems Manager.

As a best practice, to help prevent malware and known vulnerabilities from affecting the instances, we should apply operating system patches regularly and actively monitor for missing patches.

For Systems Manager to manage and patch EC2 instances, the following requirements must be met.

Prerequisites

  • Create an IAM Role with Systems Manager permission
  • Attach the IAM role to the EC2 instance

Creating IAM Role

The EC2 instances must have the necessary permissions attached for Systems Manager to be able to manage them.

Let's go ahead and create an IAM role.

Log in to the IAM console. In the navigation pane, choose Roles.

Click Create role.

For Select type of trusted entity, choose AWS service.

For Choose a use case, select EC2 and click Next: Permissions.

Search for SSM and then choose AmazonEC2RoleforSSM.

Click Next: Tags. You can optionally tag the role.

Click Next: Review, provide a name for the IAM role and then click Create role.

Attaching IAM Role with EC2 Instance

Once the IAM role with the required permissions has been created, we need to attach it to the EC2 instances.

Log in to the EC2 management console.

In the navigation pane, choose Instances.

Select the instance. Under Actions, hover over Instance Settings and then select Attach/Replace IAM Role.

For IAM role, choose the IAM role you created from the drop-down and then click Apply.

Verifying EC2 Instances under Systems Manager

We have now completed the minimum requirements for Systems Manager to be able to manage the EC2 instances.

To verify this, log in to the Systems Manager console.

In the navigation pane, under Instances & Nodes, click Managed Instances.

You should see the EC2 instance listed here; the instances shown on this page are the ones Systems Manager can manage.
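The same role creation, role attachment and Managed Instances check as a script (example code added here, not part of the original post). It assumes a configured AWS CLI with IAM and EC2 permissions; the role name and instance ID are placeholders, and setting AWS=echo prints the calls instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post: the IAM role, instance profile
# and managed-instance check from the sections above, done with the AWS CLI.
# Every AWS call goes through $AWS so the script can be dry-run with AWS=echo.
: "${AWS:=aws}"

# Trust policy letting EC2 assume the role (the trusted entity chosen above).
EC2_TRUST_POLICY='{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}'

# Create the role and attach a managed policy. The default is the policy the
# post uses; arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore is AWS's
# narrower, current replacement for it and can be passed as $2 instead.
create_ssm_role() {
    role="$1"
    policy="${2:-arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM}"
    "$AWS" iam create-role --role-name "$role" \
        --assume-role-policy-document "$EC2_TRUST_POLICY"
    "$AWS" iam attach-role-policy --role-name "$role" --policy-arn "$policy"
    # EC2 attaches a role via an instance profile; the console creates it implicitly.
    "$AWS" iam create-instance-profile --instance-profile-name "$role"
    "$AWS" iam add-role-to-instance-profile --instance-profile-name "$role" --role-name "$role"
}

# "Attach/Replace IAM Role" step. Use ec2 replace-iam-instance-profile-association
# instead if the instance already has a profile attached.
attach_ssm_role() {
    "$AWS" ec2 associate-iam-instance-profile --instance-id "$1" \
        --iam-instance-profile "Name=$2"
}

# "Managed Instances" check: prints the agent ping status of one instance.
# No result usually means a missing role, no outbound path to the SSM
# endpoints, or an SSM Agent that is not running.
managed_instance_status() {
    "$AWS" ssm describe-instance-information \
        --filters "Key=InstanceIds,Values=$1" \
        --query 'InstanceInformationList[0].PingStatus' --output text
}

# Usage with hypothetical names:
#   create_ssm_role EC2-SSM-Patching
#   attach_ssm_role i-0123456789abcdef0 EC2-SSM-Patching
#   managed_instance_status i-0123456789abcdef0   # expect "Online"
```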

Let's go ahead and start patching the Linux EC2 instances.

Tagging EC2 Instances

To patch multiple instances through Systems Manager, we need to group the EC2 instances, for example by environment or by their usage.

We do this by tagging the instances, and the tag key must be Patch Group.

We simply add a tag to the EC2 instances as a key-value pair.

For Systems Manager to patch this group of instances, we use the key Patch Group with the value Production. Note: the value can be anything that suits your requirements.

To do this, log in to the EC2 management console.

Select the instance and then click Tags.

To add a tag, click Add/Edit Tags and then click Create Tag.

Add the key-value pair and then click Save.

If you have many instances, you can easily tag all of them in one go.

From the EC2 management console, in the navigation pane, choose Tags.

Click Manage Tags.

From the list of instances, choose the instances that should belong to the same group.

For Add Tag, provide the key-value pair and click Add Tag.

All the selected instances will be tagged with this key-value pair.

Patching Linux Instances

To patch the Linux EC2 instances we can use the default patch baselines, or we can create custom patch baselines and use those instead.

Let's start patching the instances using the default patch baselines.

Log in to the Systems Manager console. In the navigation pane, under Instances & Nodes, choose Patch Manager.

To view all the default patch baselines, click View predefined patch baselines.

You will find the list of default patch baselines, one for each operating system.

A patch baseline defines which patches are approved for installation on the instances. We can either use the default patch baselines or create custom patch baselines and use them for patching.

From the list of predefined baselines, we can see that the patch baseline to apply depends on the Linux distribution the instance runs.

The patching process itself is the same across distributions.

Let's select a patch baseline and then add a patch group to it.

After selecting the patch baseline, under Actions, choose Modify patch groups.

Here you have to provide the tag value you used while tagging the EC2 instances (Production in our case).

Then click Add. The patch group is now added to this patch baseline. Click Close.
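The bulk tagging from the previous section and the Modify patch groups step, done with the AWS CLI (example code added here, not part of the original post). Instance and baseline IDs are placeholders; setting AWS=echo prints the calls instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post: the "Patch Group" tagging and the
# "Modify patch groups" step done with the AWS CLI. Calls go through $AWS (AWS=echo to dry-run).
: "${AWS:=aws}"

# Tag one or many instances in a single call. The key must be exactly "Patch Group";
# it is the only tag key Patch Manager consults when matching an instance to a baseline.
tag_patch_group() {
    group="$1"; shift
    "$AWS" ec2 create-tags --resources "$@" --tags "Key=Patch Group,Value=$group"
}

# Baseline ID currently marked as default for an operating system
# (AMAZON_LINUX_2, UBUNTU, REDHAT_ENTERPRISE_LINUX, ...).
default_baseline_id() {
    "$AWS" ssm get-default-patch-baseline --operating-system "$1" \
        --query BaselineId --output text
}

# Bind the patch group to a baseline (the "Modify patch groups" action). A group can
# be registered with one baseline per operating system; instances in the group that run
# a different OS fall back to that OS's default baseline.
register_patch_group() {
    "$AWS" ssm register-patch-baseline-for-patch-group \
        --baseline-id "$1" --patch-group "$2"
}

# Instances in the group that actually report to Systems Manager. Compare this with
# the EC2 tag list: a tagged instance absent here will be skipped silently.
managed_instances_in_group() {
    "$AWS" ssm describe-instance-information \
        --filters "Key=tag:Patch Group,Values=$1" \
        --query 'InstanceInformationList[].[InstanceId,PlatformName,PingStatus]' \
        --output text
}

# Usage with hypothetical instance IDs:
#   tag_patch_group Production i-0123456789abcdef0 i-0fedcba9876543210
#   register_patch_group "$(default_baseline_id AMAZON_LINUX_2)" Production
#   managed_instances_in_group Production
```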

Each patch baseline has approval rules.

Approval rules specify which types of patches, such as critical updates, are automatically approved and installed.

To configure patching for the patch group, select the patch baseline and then click Configure patching.

Under Configure patching, for Instances to patch, select a patch group.

From the drop-down, choose the patch group that you created.

For Patching schedule, choose Schedule in a new Maintenance Window.

We can define the maintenance window for patching using the CRON schedule builder, the rate schedule builder, or by entering a CRON/rate expression directly.

Let's choose the CRON schedule builder and set how often the maintenance window should run, as per your requirements. For example: every day at 02:00 AM.

Provide a maintenance window duration; the allowed range is between 1 and 24 hours.

Provide a name for the maintenance window.

For Patching operation, there are two options.

Scan only just scans the instances for missing patches against the patch baseline; we can later review the scan report and apply the patches accordingly.

Scan and install scans each instance for missing patches and installs all patches approved by the patch baseline.

Choose one of them and then click Configure patching.
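What the Configure patching wizard creates behind the scenes, as AWS CLI calls (example code added here, not part of the original post). Window and target names are placeholders, the schedule shown is the post's "every day at 02:00", and AWS=echo prints the calls instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post: the "Configure patching" wizard as CLI calls.
# It creates the same three objects the console does (a maintenance window, a target
# and a Run Command task). Calls go through $AWS (AWS=echo to dry-run).
: "${AWS:=aws}"

# Create the window. The schedule is a Systems Manager cron/rate expression, evaluated in
# UTC unless --schedule-timezone is added; "cron(0 2 * * ? *)" is the post's "every day
# at 02:00". Duration is in hours (1-24); cutoff stops new tasks starting that many
# hours before the window closes so a long install cannot overrun it.
create_patch_window() {
    "$AWS" ssm create-maintenance-window --name "$1" --schedule "$2" \
        --duration "$3" --cutoff 1 --no-allow-unassociated-targets \
        --query WindowId --output text
}

# Target every managed instance carrying the given Patch Group tag value.
register_patch_window_target() {
    "$AWS" ssm register-target-with-maintenance-window --window-id "$1" \
        --resource-type INSTANCE --targets "Key=tag:Patch Group,Values=$2" \
        --query WindowTargetId --output text
}

# Run AWS-RunPatchBaseline (the document Patch Manager itself uses) against that target.
# Operation is Scan (report only) or Install (install approved patches, reboot if needed).
# Concurrency and error limits keep a bad patch from taking the whole group down at once.
register_patch_window_task() {
    window="$1"; target="$2"; operation="$3"
    "$AWS" ssm register-task-with-maintenance-window --window-id "$window" \
        --targets "Key=WindowTargetIds,Values=$target" \
        --task-type RUN_COMMAND --task-arn AWS-RunPatchBaseline \
        --task-invocation-parameters "{\"RunCommand\":{\"Parameters\":{\"Operation\":[\"$operation\"]}}}" \
        --max-concurrency "10%" --max-errors 1 --priority 1 --name "patch-$operation"
}

# Usage with hypothetical names:
#   win=$(create_patch_window nightly-linux-patching "cron(0 2 * * ? *)" 2)
#   tgt=$(register_patch_window_target "$win" Production)
#   register_patch_window_task "$win" "$tgt" Install
```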

To Patch EC2 Instances On Demand

If you want to patch instances immediately instead of waiting for the next maintenance window:

Select the patch baseline and then click Configure patching.

For Instances to patch, select a patch group and choose the patch group from the drop-down.

For Patching schedule, as we need to patch the instances immediately, choose Skip scheduling and patch instances now.

For Patching operation, choose Scan and install and then click Configure patching.

Patch Manager uses Run Command to patch the instances.

You will get the following response; click View details.

You can check the status of the patching.

After some time, you can see that the patching has completed successfully without any errors.

Under Targets and outputs, select the instance ID to check the logs.

You will find two steps in the output, one named PatchWindows and one named PatchLinux.

If the instance is a Windows machine, the Linux step is skipped, and vice versa.

You can't see the complete logs here because Systems Manager truncates command output longer than 2500 characters.
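The on-demand run and the follow-up checks as AWS CLI calls (example code added here, not part of the original post). Instead of reading the truncated command output, it reads the patch state Systems Manager records per instance, which is complete whatever the log size; instance and command IDs are placeholders, and AWS=echo prints the calls instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post: the "patch instances now" path via the same
# Run Command document Patch Manager uses, and the checks to run afterwards. Because the
# console truncates command output at 2500 characters, results are read from the instance
# patch state, which is complete regardless of log size. Calls go through $AWS (AWS=echo).
: "${AWS:=aws}"

# Start AWS-RunPatchBaseline on every managed instance in the patch group; prints the command
# ID. Operation: Scan (report only) or Install. Add --output-s3-bucket-name <bucket> if you
# want the full, untruncated logs kept.
patch_now() {
    "$AWS" ssm send-command --document-name AWS-RunPatchBaseline \
        --targets "Key=tag:Patch Group,Values=$1" \
        --parameters "{\"Operation\":[\"$2\"]}" \
        --max-concurrency "10%" --max-errors 1 \
        --query Command.CommandId --output text
}

# Per-instance status of a command (the "Targets and outputs" table in the console).
command_status() {
    "$AWS" ssm list-command-invocations --command-id "$1" \
        --query 'CommandInvocations[].[InstanceId,Status]' --output text
}

# Counts recorded by the PatchLinux step. MissingCount or FailedCount above zero after an
# Install run is the condition worth alerting on.
patch_state() {
    "$AWS" ssm describe-instance-patch-states --instance-ids "$1" \
        --query 'InstancePatchStates[0].[Operation,InstalledCount,MissingCount,FailedCount,OperationEndTime]' \
        --output text
}

# Individual patches still missing, for the review step that follows a Scan-only run.
missing_patches() {
    "$AWS" ssm describe-instance-patches --instance-id "$1" \
        --filters Key=State,Values=Missing \
        --query 'Patches[].[Title,Severity,Classification]' --output text
}

# Usage with hypothetical values:
#   cmd=$(patch_now Production Scan); command_status "$cmd"
#   patch_state i-0123456789abcdef0; missing_patches i-0123456789abcdef0
```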

Creating Custom Patch Baselines

To create a custom patch baseline, click Create patch baseline.

Provide a name for the patch baseline and then choose the operating system to patch.

If you want to set this as the default patch baseline for the operating system you have chosen, check Default patch baseline.

You can specify auto-approval rules so that matching patches are automatically approved for the selected operating system.

For Product, choose the product matching your instances.

For Severity, select the patch severities to approve.

For Classification, select the patch classifications to approve.

For Patch exceptions, you can also add individual patches to be automatically approved or rejected, if required.

Once done, click Create patch baseline.

You can now use this custom patch baseline to patch the Linux EC2 instances.
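The same custom baseline built with the AWS CLI, for Amazon Linux 2 as a concrete case (example code added here, not part of the original post). The baseline name, the approval window of 7 days and the openssl/kernel exception packages are placeholders, and AWS=echo prints the calls instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post: a custom Amazon Linux 2 baseline built with the
# CLI, covering the approval rule (product, severity, classification), the default-baseline
# flag and the patch exceptions from the screens above. Calls go through $AWS (AWS=echo).
: "${AWS:=aws}"

# One approval rule as the API expects it: security patches rated Critical or Important
# are approved $1 days after release and reported at CRITICAL compliance level.
# PRODUCT, CLASSIFICATION and SEVERITY are the filter keys valid for Linux baselines.
approval_rules() {
    printf '{"PatchRules":[{"PatchFilterGroup":{"PatchFilters":[{"Key":"PRODUCT","Values":["AmazonLinux2"]},{"Key":"CLASSIFICATION","Values":["Security"]},{"Key":"SEVERITY","Values":["Critical","Important"]}]},"ApproveAfterDays":%s,"ComplianceLevel":"CRITICAL","EnableNonSecurity":false}]}' "$1"
}

# Create the baseline and print its ID. The OS value must match the PRODUCT filter above.
create_custom_baseline() {
    "$AWS" ssm create-patch-baseline --name "$1" --operating-system "$2" \
        --approval-rules "$(approval_rules "$3")" \
        --description "Security patches only, auto-approved after $3 days" \
        --query BaselineId --output text
}

# Patch exceptions on an existing baseline: $2 is approved regardless of the rules, $3 is
# rejected. BLOCK means a rejected package is never installed, even as a dependency.
add_patch_exceptions() {
    "$AWS" ssm update-patch-baseline --baseline-id "$1" \
        --approved-patches "$2" --rejected-patches "$3" --rejected-patches-action BLOCK
}

# The "default patch baseline" checkbox: instances of that OS with no patch group
# registration, or whose group has no baseline for the OS, will use it from now on.
set_default_baseline() {
    "$AWS" ssm register-default-patch-baseline --baseline-id "$1"
}

# Usage with hypothetical values:
#   bl=$(create_custom_baseline linux-security-only AMAZON_LINUX_2 7)
#   add_patch_exceptions "$bl" openssl kernel
#   set_default_baseline "$bl"
```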

This way we can patch our Linux EC2 instances periodically and keep the environment secure and free of malware.

Conclusion

I hope this guide helps you patch your Linux EC2 instances.

Thanks for reading. Don't forget to check out the other articles.