Patch Windows EC2 Instances Using Systems Manager
In this blog post, we will learn to patch Windows EC2 instances using Systems Manager.
In my previous blog post, I explained how you can patch Linux EC2 instances using Systems Manager.
As a best practice to help prevent malware and vulnerabilities from affecting the instances, we should apply operating system patches and actively monitor for missing patches.
In order to manage and apply patches for EC2 instances through Systems Manager, we need to meet the requirements below.
Prerequisites
- Create an IAM role with Systems Manager permissions
- Attach the IAM role to the EC2 instance
Creating IAM Role
The EC2 instances must have the necessary permissions attached for Systems Manager to be able to manage them.
Let's go ahead and create an IAM role.
Log in to the IAM console. In the navigation pane, choose Roles.
Click Create role.
For Select type of trusted entity, choose AWS service.
For Choose a use case, select EC2 and click Next: Permissions.
Search for SSM and then choose AmazonEC2RoleforSSM.
Click Next: Tags; you can tag the role here.
Click Next: Review, provide a name for the IAM role and then click Create role.
Attaching IAM Role With EC2 Instance
Once the IAM role with the required permissions is created, we need to attach it to the EC2 instances.
Log in to the EC2 management console.
In the navigation pane, choose Instances.
Select the instance; under Actions, hover over Instance Settings and then select Attach/Replace IAM Role.
For IAM role*, choose the IAM role you created from the drop-down, and then click Apply.
Verifying EC2 Instances Under Systems Manager
We have now completed the minimum requirements for Systems Manager to be able to manage the EC2 instances.
To verify that, log in to the Systems Manager console.
In the navigation pane, under Instances & Nodes, click Managed Instances.
You should see the EC2 instance listed here; these instances can be managed by Systems Manager.
Let's go ahead and start patching the Windows EC2 instances.
Tagging EC2 Instances
To patch multiple instances through Systems Manager by environment or by usage, we need to group our EC2 instances.
We do that by adding a tag to the EC2 instances with a key-value pair, where the key must be Patch Group.
For Systems Manager to patch the group of instances, use Key as Patch Group and Value as Production. Note: the value can be anything as per your requirement.
To do this, log in to the EC2 management console.
Select the instance and then click Tags.
To add a tag, click Add/Edit Tags, then click Create Tag.
Add the key-value pair and then click Save.
If you have many instances, you can easily tag all of them in one shot.
From the EC2 management console, in the navigation pane, choose Tags.
Click Manage Tags.
From the instances, choose the list of instances that should be grouped under a particular group.
For Add Tag, provide the key-value pair and click Add Tag.
All the selected instances will be tagged with this key-value pair.
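The onboarding steps above (IAM role, attaching it to the instance, verifying it under Managed Instances and tagging it into a patch group) as an added AWS CLI script; this is not code from the original post, and the role name SSMPatchRole, the instance ID and the patch group value are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: the IAM role, instance
# profile, attachment, verification and "Patch Group" tag from the steps
# above, done with the AWS CLI. Role name and instance ID are assumptions.
set -eu
AWS="${AWS:-aws}"             # set AWS=echo for a dry run that only prints the calls
ROLE="${ROLE:-SSMPatchRole}"  # hypothetical role and instance-profile name

# Trust policy behind the "AWS service / EC2" choice in the console.
trust_policy() {
  printf '%s' '{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
  printf '%s' '"Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
}

# Create the role with the managed policy used in the post. The narrower
# AmazonSSMManagedInstanceCore policy is the one AWS recommends today.
create_role() {
  "$AWS" iam create-role --role-name "$ROLE" \
    --assume-role-policy-document "$(trust_policy)"
  "$AWS" iam attach-role-policy --role-name "$ROLE" \
    --policy-arn arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM
  # The console creates an instance profile implicitly; the CLI needs it spelled out.
  "$AWS" iam create-instance-profile --instance-profile-name "$ROLE"
  "$AWS" iam add-role-to-instance-profile --instance-profile-name "$ROLE" --role-name "$ROLE"
}

# Attach the profile to one instance and tag it into a patch group.
onboard_instance() {          # $1 = instance ID, $2 = patch group value
  "$AWS" ec2 associate-iam-instance-profile --instance-id "$1" \
    --iam-instance-profile "Name=$ROLE"
  # The key must be exactly "Patch Group" (case-sensitive); the value is your own grouping.
  "$AWS" ec2 create-tags --resources "$1" --tags "Key=Patch Group,Value=$2"
}

# Same check as the Managed Instances page: the instance should show
# PingStatus Online once SSM Agent has picked up the new role.
check_managed() {             # $1 = instance ID
  "$AWS" ssm describe-instance-information \
    --filters "Key=InstanceIds,Values=$1" \
    --query 'InstanceInformationList[].[InstanceId,PingStatus,PlatformName]' \
    --output table
}

# Usage: sh onboard.sh --apply i-0123456789abcdef0 Production
if [ "${1:-}" = "--apply" ]; then
  create_role
  onboard_instance "${2:?instance ID required}" "${3:-Production}"
  check_managed "$2"
fi
```

Run it once with AWS=echo to review the exact calls before letting it touch the account.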
Patching Windows Instances
For patching the Windows EC2 instances, we can use the default patch baselines or create custom patch baselines and use them for patching the instances.
Let's start patching the instances using the default patch baselines.
Log in to the Systems Manager console. In the navigation pane, under Instances & Nodes, choose Patch Manager.
To view all the default patch baselines, click View predefined patch baselines.
You will find the list of default patch baselines for each operating system.
A patch baseline defines which patches are approved for installation on the instances. For this we can either use the default patch baselines or create custom patch baselines and use them for patching.
From the above image, we can see the patch baseline for Windows, which patches all supported Windows operating systems.
Let's select a Windows patch baseline and then add a patch group to it.
After selecting the patch baseline, under Actions, choose Modify patch groups.
Here you have to provide the value used while tagging the EC2 instances, and then click Add. The patch group is now added to this patch baseline. Click Close.
Each patch baseline has approval rules.
Approval rules specify certain types of patches, such as critical updates, that should be automatically approved and installed.
To configure patching for the patch groups, select the patch baseline and then click Configure patching.
Under Configure patching, for Instances to patch, choose Select a patch group.
From the drop-down, choose the patch group that you created.
For Patching schedule, choose Schedule in a new Maintenance Window.
We can specify a maintenance window for patching using the CRON schedule builder or the rate schedule builder, or we can enter a CRON/rate expression.
Let's choose the CRON schedule builder and set the maintenance window run frequency as per your requirements, that is, how often to run the maintenance window.
For example: every day at 02:00 AM.
Provide a maintenance window duration; the allowed range is between 1 and 24 hours.
Provide a name for the maintenance window.
For Patching operation, we can find two options.
Choose Scan only to just scan the instances for missing patches with the help of the default patch baseline. Later we can review the scan report and apply the patches accordingly.
Choose Scan and install to scan each instance for missing patches and install all the approved patches on the instances using the patch baseline.
Then click Configure patching.
To Patch Windows Instances On Demand
If you want to patch instances immediately instead of waiting until the next maintenance window:
Select the patch baseline and then click Configure patching.
For Instances to patch, choose Select a patch group and pick the patch group from the drop-down.
For Patching schedule, as we need to patch the instances immediately, choose Skip scheduling and patch instances now.
For Patching operation, choose Scan and install and then click Configure patching.
Patch Manager uses Run Command to patch the instances.
You will get the following response; click View details.
You can check the status of the patching.
After some time, you can see that the patching has completed successfully without any errors.
Under Targets and outputs, select the instance ID to check the logs.
You will find that there are two commands, one PatchWindows and one PatchLinux.
If the instance is a Windows machine, the Linux command will be skipped, and vice versa.
You can't see the complete logs, as Systems Manager truncates output longer than 2500 characters.
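The Patch Manager configuration above, both the scheduled maintenance window and the on-demand run, as an added AWS CLI script (not code from the original post); the S3 bucket name, the window name and the patch group value are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: the Patch Manager steps
# above (bind the patch group to the default Windows baseline, schedule a
# maintenance window, patch on demand, read results) via the AWS CLI.
# Bucket name, window name and patch group value are assumptions.
set -eu
AWS="${AWS:-aws}"                        # set AWS=echo for a dry run
BUCKET="${BUCKET:-example-patch-logs}"   # hypothetical bucket for full Run Command output
# Run Command target expression for every instance tagged Patch Group=$1.
targets_json() { printf '[{"Key":"tag:Patch Group","Values":["%s"]}]' "$1"; }

# "Modify patch groups": bind the group to the default Windows baseline.
register_patch_group() {                 # $1 = patch group value
  baseline=$("$AWS" ssm get-default-patch-baseline --operating-system WINDOWS \
    --query BaselineId --output text)
  "$AWS" ssm register-patch-baseline-for-patch-group --baseline-id "$baseline" --patch-group "$1"
}

# "Schedule in a new Maintenance Window": every day at 02:00, 4 h long, no new
# work started in the last hour, target = the patch group, task = AWS-RunPatchBaseline.
schedule_window() {                      # $1 = patch group value, $2 = Scan | Install
  wid=$("$AWS" ssm create-maintenance-window --name "patch-$1" \
    --schedule "cron(0 2 * * ? *)" --duration 4 --cutoff 1 \
    --no-allow-unassociated-targets --query WindowId --output text)
  tid=$("$AWS" ssm register-target-with-maintenance-window --window-id "$wid" \
    --resource-type INSTANCE --targets "$(targets_json "$1")" \
    --query WindowTargetId --output text)
  "$AWS" ssm register-task-with-maintenance-window --window-id "$wid" \
    --task-type RUN_COMMAND --task-arn AWS-RunPatchBaseline \
    --targets "Key=WindowTargetIds,Values=$tid" --priority 1 --max-concurrency 1 --max-errors 0 \
    --task-invocation-parameters "{\"RunCommand\":{\"Parameters\":{\"Operation\":[\"$2\"]},\"OutputS3BucketName\":\"$BUCKET\"}}"
}

# "Skip scheduling and patch instances now": one Run Command invocation.
# Sending output to S3 sidesteps the truncated console log the post mentions.
patch_now() {                            # $1 = patch group value, $2 = Scan | Install
  "$AWS" ssm send-command --document-name AWS-RunPatchBaseline \
    --targets "$(targets_json "$1")" --parameters "{\"Operation\":[\"$2\"]}" \
    --output-s3-bucket-name "$BUCKET" --query Command.CommandId --output text
}

# Status and output of the PatchWindows plugin (PatchLinux is skipped on
# Windows), then the installed / missing / failed patch counts.
show_results() {                         # $1 = command ID, $2 = instance ID
  "$AWS" ssm get-command-invocation --command-id "$1" --instance-id "$2" \
    --plugin-name PatchWindows --query '[Status,StandardOutputContent]' --output text
  "$AWS" ssm describe-instance-patch-states --instance-ids "$2" \
    --query 'InstancePatchStates[].[Operation,InstalledCount,MissingCount,FailedCount]' --output table
}
```

A Scan run first (patch_now Production Scan) gives the missing-patch counts without changing anything, which is the same review step the Scan only option offers in the console.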

Creating Custom Patch Baselines
To create a custom patch baseline, click Create patch baseline.
Provide a name for the patch baseline and then choose the operating system for patching.
If you want to set this as the default patch baseline for the operating system you have chosen, check Default patch baseline.
You can specify auto-approval rules to automatically apply those patches on the specified operating systems.
For Product, choose the operating system.
For Severity, choose the patches by severity.
Choose the patches by Classification.
Enter the auto-approval days. After the specified number of days, the approved patches will be automatically installed on the target Windows EC2 instances.
For Patch exceptions, you can also add patch exceptions to automatically approve or reject individual patches if required.
Once done, click Create patch baseline.
You can use this custom patch baseline to patch the Windows EC2 instances.
This way we can patch our Windows EC2 instances periodically to have a secure and malware-free environment.
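The custom baseline above (product, severity, classification, auto-approval days and patch exceptions) as an added AWS CLI script, not code from the original post; the baseline name and the KB identifiers passed in are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: the custom Windows patch
# baseline from the steps above (product, severity, classification,
# auto-approval days, exceptions) created with the AWS CLI. Names and the
# KB numbers passed in are assumptions / placeholders.
set -eu
AWS="${AWS:-aws}"      # set AWS=echo for a dry run

# Approval rule = the Product / Severity / Classification filters plus the
# auto-approval delay: a matching patch becomes approved $1 days after
# Microsoft releases it and is then installed at the next Install run.
approval_rules() {     # $1 = auto-approval days
  printf '%s' '{"PatchRules":[{"PatchFilterGroup":{"PatchFilters":['
  printf '%s' '{"Key":"PRODUCT","Values":["WindowsServer2016","WindowsServer2019"]},'
  printf '%s' '{"Key":"CLASSIFICATION","Values":["CriticalUpdates","SecurityUpdates"]},'
  printf '%s' '{"Key":"MSRC_SEVERITY","Values":["Critical","Important"]}]},'
  printf '"ApproveAfterDays":%s,"ComplianceLevel":"CRITICAL"}]}' "$1"
}

# Create the baseline. Exceptions: explicitly approved KBs skip the delay,
# rejected KBs are blocked even when a rule would approve them. $3 and $4
# are deliberately unquoted so several space-separated KBs can be passed.
create_windows_baseline() {   # $1 = name, $2 = days, $3 = approved KBs, $4 = rejected KBs
  "$AWS" ssm create-patch-baseline --name "$1" --operating-system WINDOWS \
    --description "Custom Windows baseline (added example)" \
    --approval-rules "$(approval_rules "$2")" \
    --approved-patches $3 --rejected-patches $4 --rejected-patches-action BLOCK \
    --query BaselineId --output text
}

# Optional: make it the account default for Windows ("Default patch baseline"
# checkbox) and bind a patch group to it so those instances use it.
use_baseline() {             # $1 = baseline ID, $2 = patch group value
  "$AWS" ssm register-default-patch-baseline --baseline-id "$1"
  "$AWS" ssm register-patch-baseline-for-patch-group --baseline-id "$1" --patch-group "$2"
}

# Usage: sh baseline.sh --apply   (KB0000001/KB0000002 are placeholders)
if [ "${1:-}" = "--apply" ]; then
  id=$(create_windows_baseline "Windows-Prod-Custom" 7 "KB0000001" "KB0000002")
  use_baseline "$id" Production
fi
```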
Conclusion
I hope this guide helps you to patch your Windows EC2 instances.
Thanks for reading. Don't forget to check out the other articles.