Patch Windows EC2 Instances Using Systems Manager

In this blog post, we will learn how to patch Windows EC2 instances using Systems Manager.

In my previous blog post, I explained how you can patch Linux EC2 instances using Systems Manager.

As a best practice to help prevent malware and vulnerabilities from affecting the instances, we should apply operating system patches and actively monitor for missing patches.

To manage and apply patches to EC2 instances through Systems Manager, we need to meet the requirements below.

  • Create an IAM role with Systems Manager permissions
  • Attach the IAM role to the EC2 instance

Creating IAM Role

The EC2 instances must have the necessary permissions attached for Systems Manager to be able to manage them.

Let's go ahead and create an IAM role.

Log in to the IAM console. In the navigation pane, choose Roles.

Click Create role.

For Select type of trusted entity, choose AWS service.

For Choose a use case, select EC2 and click Next: Permissions.

Search for SSM and then choose AmazonEC2RoleforSSM.

Click Next: Tags. You can optionally tag the role.

Click Next: Review, provide a name for the IAM role, and then click Create role.

Attaching the IAM Role to the EC2 Instance

Once the IAM role with the required permissions is created, we need to attach it to the EC2 instances.

Log in to the EC2 management console.

In the navigation pane, choose Instances.

Select the instance. Under Actions, hover over Instance Settings and then select Attach/Replace IAM Role.

For IAM role, choose the role you created from the drop-down, and then click Apply.
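The same role creation and attachment can be scripted. The following is an added example (not code from the original post), written against the boto3 client methods for IAM and EC2; the role name and instance id are supplied by the caller, and the managed-policy ARN is assumed to be the standard service-role path for the AmazonEC2RoleforSSM policy the post selects. The trust-policy check is there so the role can only be assumed by the EC2 service and never by an account principal.

```python
"""Create the Systems Manager IAM role and attach it to an EC2 instance.

Added example: builds the trust policy and issues the API requests that the
console steps above perform. Clients are passed in so the builders and the
trust-policy check can be exercised without touching AWS.
"""
import json

# Managed policy chosen in the console steps (name from the post; ARN assumed
# to be the standard service-role path).
SSM_POLICY_ARN = "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"


def ec2_trust_policy() -> dict:
    """Trust policy that lets only the EC2 service assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def trusts_only_ec2(policy: dict) -> bool:
    """True if no principal other than ec2.amazonaws.com may assume the role."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # A wildcard, an account/user ARN or a federated identity is too broad
        # for an instance role.
        if not isinstance(principal, dict) or "AWS" in principal or "Federated" in principal:
            return False
        services = principal.get("Service", [])
        if isinstance(services, str):
            services = [services]
        if any(s != "ec2.amazonaws.com" for s in services):
            return False
    return True


def create_ssm_role(iam, role_name: str) -> str:
    """Create role + instance profile, attach AmazonEC2RoleforSSM; return profile ARN."""
    policy = ec2_trust_policy()
    if not trusts_only_ec2(policy):
        raise ValueError("trust policy must only allow ec2.amazonaws.com")
    iam.create_role(RoleName=role_name, AssumeRolePolicyDocument=json.dumps(policy))
    iam.attach_role_policy(RoleName=role_name, PolicyArn=SSM_POLICY_ARN)
    # EC2 consumes roles through an instance profile; the console creates one
    # with the same name implicitly, the API does not.
    profile = iam.create_instance_profile(InstanceProfileName=role_name)
    iam.add_role_to_instance_profile(InstanceProfileName=role_name, RoleName=role_name)
    return profile["InstanceProfile"]["Arn"]


def attach_profile(ec2, instance_id: str, profile_arn: str) -> None:
    """Equivalent of Actions > Instance Settings > Attach/Replace IAM Role."""
    ec2.associate_iam_instance_profile(
        IamInstanceProfile={"Arn": profile_arn}, InstanceId=instance_id)


if __name__ == "__main__":
    import sys
    import boto3  # only needed when run against a real account

    # usage: python ssm_role.py <role-name> <instance-id>
    role, instance = sys.argv[1], sys.argv[2]
    arn = create_ssm_role(boto3.client("iam"), role)
    attach_profile(boto3.client("ec2"), instance, arn)
    print("attached", arn, "to", instance)
```

IAM is eventually consistent, so a freshly created instance profile can take a few seconds before `associate_iam_instance_profile` accepts it; retrying that single call is enough. Instances that already have a profile need `replace_iam_instance_profile_association` instead, which is what the console's "Replace" path does.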

Verifying EC2 Instances Under Systems Manager

We have now completed the minimum requirements for Systems Manager to be able to manage the EC2 instances.

To verify that, log in to the Systems Manager console.

In the navigation pane, under Instances & Nodes, click Managed Instances.

You should see the EC2 instance listed here; these instances can be managed by Systems Manager.

Let's go ahead and start patching the Windows EC2 instances.

Tagging EC2 Instances

We need to group our EC2 instances in order to patch multiple instances by environment or by their usage through Systems Manager.

We need to use the tag key Patch Group.

We can simply add a tag to the EC2 instances as a key-value pair.

For Systems Manager to patch the group of instances, we should use Key as Patch Group and Value as Production. Note: the value can be anything as per your requirement.

To do this, log in to the EC2 management console.

Select the instance and then click Tags.

To add a tag, click Add/Edit Tags, then click Create Tag.

Add the key-value pair and then click Save.

If you have many instances, you can easily tag all of them in one shot.

From the EC2 management console, in the navigation pane, choose Tags.

Click Manage Tags.

From the instances, choose the list of instances that should be grouped under a particular group.

For Add Tag, provide the key-value pair and click Add Tag.

All the selected instances will be tagged with this key-value pair.
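Bulk tagging is a single `create_tags` call, and the useful check afterwards is which instances still lack the tag, because an instance without an exact `Patch Group` key is simply never selected by Patch Manager. The following added example (not from the post) uses the same key and value the post uses; the instance records are a constructed sample in the shape `describe_instances` returns, with made-up instance ids.

```python
"""Tag instances with Patch Group in one call and find instances without it.

Added example, not code from the post. PATCH_GROUP_KEY is the exact key
Patch Manager matches on; tag keys are case sensitive, so "patch group"
does not count.
"""
from collections import defaultdict

PATCH_GROUP_KEY = "Patch Group"


def tag_patch_group(ec2, instance_ids, group: str) -> None:
    """The console's Tags > Manage Tags step: tag many instances at once."""
    ec2.create_tags(Resources=list(instance_ids),
                    Tags=[{"Key": PATCH_GROUP_KEY, "Value": group}])


def group_instances(reservations) -> dict:
    """Map patch-group value -> instance ids; instances with no tag go under None.

    `reservations` is the Reservations list from ec2.describe_instances().
    """
    groups = defaultdict(list)
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            groups[tags.get(PATCH_GROUP_KEY)].append(inst["InstanceId"])
    return dict(groups)


def untagged(reservations) -> list:
    """Instances that no patch group will ever pick up."""
    return group_instances(reservations).get(None, [])


# Constructed sample in describe_instances() shape; ids are not real instances.
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa", "Tags": [{"Key": PATCH_GROUP_KEY, "Value": "Production"}]},
    {"InstanceId": "i-0bbb", "Tags": [{"Key": "Name", "Value": "web-2"}]},
    # wrong case: looks tagged in the console but Patch Manager ignores it
    {"InstanceId": "i-0ccc", "Tags": [{"Key": "patch group", "Value": "Production"}]},
]}]


if __name__ == "__main__":
    import boto3  # only needed against a real account

    ec2 = boto3.client("ec2")
    reservations = ec2.describe_instances(
        Filters=[{"Name": "instance-state-name", "Values": ["running"]}])["Reservations"]
    print("instances with no Patch Group tag:", untagged(reservations))
```

Running the untagged check on a schedule (or as a Config rule) is a cheap way to catch instances launched outside the tagging process, which would otherwise silently miss every maintenance window.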

Patching Windows Instances

For patching the Windows EC2 instances, we can use the default patch baselines or create custom patch baselines and use them for patching the instances.

Let's start patching the instances using the default patch baselines.

Log in to the Systems Manager console. In the navigation pane, under Instances & Nodes, choose Patch Manager.

To view all the default patch baselines, click View predefined patch baselines.

You will find the list of default patch baselines for each operating system.

A patch baseline defines which patches are approved for installation on the instances. For this we can either use the default patch baselines or create custom patch baselines and use them for patching.

From the image above, we can see the patch baseline for Windows, which patches all supported Windows operating systems.

Let's select a Windows patch baseline and then add a patch group to it.

After selecting the patch baseline, under Actions, choose Modify patch groups.

Here you have to provide the value you used when tagging the EC2 instances.

Then click Add. The patch group is now added to this patch baseline. Click Close.

Each patch baseline has approval rules.

Approval rules specify certain types of patches, such as critical updates, that should be automatically approved and installed.

To configure patching for the patch group, select the patch baseline and then click Configure patching.

Under Configure patching, for Instances to patch, select a patch group.

From the drop-down, choose the patch group that you created.

For Patching schedule, choose Schedule in a new Maintenance Window.

We can specify a maintenance window for patching using the CRON schedule builder or the rate schedule builder, or we can enter a CRON/rate expression directly.

Let's choose the CRON schedule builder and set how often the maintenance window should run, as per your requirements.

For example: every day at 02:00 AM.

Provide a maintenance window duration; the allowed range is between 1 and 24 hours.

Provide a name for the Maintenance window.

For Patching operation, there are two options.

Choose Scan only to just scan the instances for missing patches against the default patch baseline. Later we can review the scan report and apply the patches accordingly.

Choose Scan and install to scan each instance for missing patches and install all the approved patches on the instances using the patch baseline.

Then click Configure patching.
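The "Configure patching" dialog is a wrapper around four API calls: register the patch group with the baseline, create the maintenance window with a cron expression, register the tag-based target, and register an `AWS-RunPatchBaseline` task whose `Operation` parameter is `Scan` (Scan only) or `Install` (Scan and install). The following added example (not from the post) builds those requests with the boto3 SSM client; the baseline id, window name and cutoff value are caller-supplied, the daily 02:00 schedule mirrors the post's example, and the concurrency and error limits are assumptions for a production group.

```python
"""Register a patch group with a baseline and schedule AWS-RunPatchBaseline
in a maintenance window.

Added example, not code from the post. Request builders are pure functions so
the limits the console enforces (1-24 hour duration, cutoff shorter than the
window, Scan/Install operation) can be checked without an AWS account.
"""
PATCH_DOCUMENT = "AWS-RunPatchBaseline"


def daily_cron(hour: int, minute: int = 0) -> str:
    """Six-field maintenance-window cron for 'every day at HH:MM'.

    Times are UTC unless ScheduleTimezone is also passed to create_maintenance_window.
    """
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError("hour/minute out of range")
    return f"cron({minute} {hour} * * ? *)"


def maintenance_window_request(name: str, schedule: str,
                               duration_hours: int, cutoff_hours: int) -> dict:
    """create_maintenance_window arguments with the console's validation."""
    if not 1 <= duration_hours <= 24:
        raise ValueError("duration must be between 1 and 24 hours")
    if not 0 <= cutoff_hours < duration_hours:
        raise ValueError("cutoff must be shorter than the duration")
    return {
        "Name": name,
        "Schedule": schedule,
        "Duration": duration_hours,
        # Stop starting new patch tasks this many hours before the window closes,
        # so a long Windows update does not overrun the window.
        "Cutoff": cutoff_hours,
        # Only tagged/registered targets may be patched by this window.
        "AllowUnassociatedTargets": False,
    }


def patch_task_parameters(operation: str) -> dict:
    """Map 'Scan only' / 'Scan and install' to the document's Operation parameter."""
    if operation not in ("Scan", "Install"):
        raise ValueError("operation must be 'Scan' or 'Install'")
    return {"RunCommand": {"Parameters": {"Operation": [operation]}}}


def configure_patching(ssm, baseline_id: str, patch_group: str, window_name: str,
                       hour: int, duration_hours: int, cutoff_hours: int,
                       operation: str) -> str:
    """Perform the whole 'Configure patching' flow; return the window id."""
    ssm.register_patch_baseline_for_patch_group(BaselineId=baseline_id, PatchGroup=patch_group)
    window = ssm.create_maintenance_window(**maintenance_window_request(
        window_name, daily_cron(hour), duration_hours, cutoff_hours))
    window_id = window["WindowId"]
    target = ssm.register_target_with_maintenance_window(
        WindowId=window_id, ResourceType="INSTANCE",
        Targets=[{"Key": "tag:Patch Group", "Values": [patch_group]}])
    ssm.register_task_with_maintenance_window(
        WindowId=window_id,
        Targets=[{"Key": "WindowTargetIds", "Values": [target["WindowTargetId"]]}],
        TaskType="RUN_COMMAND", TaskArn=PATCH_DOCUMENT,
        TaskInvocationParameters=patch_task_parameters(operation),
        MaxConcurrency="25%",  # assumption: patch a quarter of the group at a time
        MaxErrors="0",         # assumption: stop on the first failed instance
        Priority=1)
    return window_id


if __name__ == "__main__":
    import boto3  # only needed against a real account

    # usage: replace BASELINE_ID_PLACEHOLDER with the id shown in Patch Manager
    wid = configure_patching(boto3.client("ssm"), "BASELINE_ID_PLACEHOLDER", "Production",
                             "prod-windows-patching", hour=2, duration_hours=4,
                             cutoff_hours=1, operation="Install")
    print("maintenance window", wid)
```

Starting with `operation="Scan"` and reviewing the compliance report before switching the task to `Install` is the safe rollout order; the task can be changed later with `update_maintenance_window_task` rather than recreating the window.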

Patching Windows Instances On Demand

If you want to patch instances immediately instead of waiting for the next maintenance window, select the patch baseline and then click Configure patching.

For Instances to patch, select a patch group, and from the drop-down choose the patch group.

For Patching schedule, as we need to patch the instances immediately, choose Skip scheduling and patch instances now.

For Patching operation, choose Scan and install and then click Configure patching.

Patch Manager uses Run Command to patch the instances.

You will get the following response; click View details.

You can check the status of the patching.

After some time, you can see that the patching completed successfully without any errors.

Under Targets and outputs, select the instance ID to check the logs.

You will find there are two commands: one to PatchWindows and one to PatchLinux.

If the instance is a Windows machine, the Linux command is skipped, and vice versa.

You can't see the complete logs in the console, as Systems Manager truncates output longer than 2500 characters.
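"Skip scheduling and patch instances now" is a `send_command` of `AWS-RunPatchBaseline` against the tag target, and the 2500-character truncation is avoided by sending the full output to S3 with the command. The per-instance result is better read from the patch state counters than from the log text, since that is where missing, failed and reboot-pending patches are recorded. The following added example (not from the post) builds the command request and classifies instances from constructed sample patch states; the bucket name is a placeholder.

```python
"""Patch a patch group immediately with Run Command and summarize the result.

Added example, not code from the post. `patch_command_request` is what
"Skip scheduling and patch instances now" sends; `summarize_patch_states`
classifies the InstancePatchStates records Patch Manager keeps per instance.
"""
from typing import Optional

PATCH_DOCUMENT = "AWS-RunPatchBaseline"


def patch_command_request(patch_group: str, operation: str = "Install",
                          log_bucket: Optional[str] = None) -> dict:
    """send_command arguments for an on-demand Scan or Install of a patch group."""
    if operation not in ("Scan", "Install"):
        raise ValueError("operation must be 'Scan' or 'Install'")
    request = {
        "DocumentName": PATCH_DOCUMENT,
        "Targets": [{"Key": "tag:Patch Group", "Values": [patch_group]}],
        "Parameters": {"Operation": [operation]},
    }
    if log_bucket:
        # The console truncates command output; S3 keeps the full
        # PatchWindows/PatchLinux logs for every invocation.
        request["OutputS3BucketName"] = log_bucket
        request["OutputS3KeyPrefix"] = f"patch-logs/{patch_group}"
    return request


def run_patch_now(ssm, patch_group: str, operation: str = "Install",
                  log_bucket: Optional[str] = None) -> str:
    """Send the command and return its CommandId for later status checks."""
    return ssm.send_command(**patch_command_request(patch_group, operation, log_bucket))["Command"]["CommandId"]


def summarize_patch_states(states) -> dict:
    """Classify instances from describe_instance_patch_states* output.

    An instance is non-compliant if any approved patch is missing or failed;
    reboot_pending lists instances whose installed patches still need a reboot.
    """
    summary = {"compliant": [], "non_compliant": [], "reboot_pending": []}
    for state in states:
        iid = state["InstanceId"]
        if state.get("MissingCount", 0) or state.get("FailedCount", 0):
            summary["non_compliant"].append(iid)
        else:
            summary["compliant"].append(iid)
        if state.get("InstalledPendingRebootCount", 0):
            summary["reboot_pending"].append(iid)
    return summary


# Constructed sample in InstancePatchStates shape; ids are not real instances.
SAMPLE_STATES = [
    {"InstanceId": "i-0aaa", "Operation": "Install", "MissingCount": 0,
     "FailedCount": 0, "InstalledPendingRebootCount": 2},
    {"InstanceId": "i-0bbb", "Operation": "Scan", "MissingCount": 3,
     "FailedCount": 0, "InstalledPendingRebootCount": 0},
    {"InstanceId": "i-0ccc", "Operation": "Install", "MissingCount": 0,
     "FailedCount": 1, "InstalledPendingRebootCount": 0},
]


if __name__ == "__main__":
    import boto3  # only needed against a real account

    ssm = boto3.client("ssm")
    command_id = run_patch_now(ssm, "Production", "Install", "LOG_BUCKET_PLACEHOLDER")
    print("command", command_id)
    states = ssm.describe_instance_patch_states_for_patch_group(
        PatchGroup="Production")["InstancePatchStates"]
    print(summarize_patch_states(states))
```

`describe_instance_patch_states_for_patch_group` reflects the last completed operation, so poll `list_command_invocations` for the command id until every invocation has left the InProgress status before trusting the summary; a reboot_pending instance is not protected until it is actually restarted.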

Creating Custom Patch Baselines

To create a custom patch baseline, click Create patch baseline.

Provide a name for the patch baseline and then choose the operating system for patching.

If you want to set this as the default patch baseline for the operating system you have chosen, check Default patch baseline.

You can specify auto-approval rules to automatically approve patches for the specified operating systems.

For Product, choose the operating system.

For Severity, choose the patches by severity.

For Classification, choose the patches by classification.

Enter the auto-approval days. After the specified number of days, the approved patches will be automatically installed on the target Windows EC2 instances.

For Patch exceptions, you can also add exceptions to automatically approve or reject individual patches if required.

Once done, click Create patch baseline.

You can use this custom patch baseline to patch the Windows EC2 instances.
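The Product, Severity, Classification and auto-approval-days fields map directly onto one `PatchRule` in the `create_patch_baseline` request, and the patch exceptions onto `ApprovedPatches`/`RejectedPatches`. The following added example (not from the post) builds and validates that request for a Windows baseline; the allowed classification and MSRC severity values are the ones documented for Windows baselines (an assumption stated here, not taken from the post), the product name is a sample, and the KB identifiers in the usage are placeholders, not real patches.

```python
"""Build and create a custom Windows patch baseline.

Added example, not code from the post. The validator rejects values the
Patch Manager API would reject, so a typo in a classification or severity
fails here rather than after the baseline has silently matched nothing.
"""
# Assumption: documented filter values for Windows baselines.
WINDOWS_CLASSIFICATIONS = {
    "CriticalUpdates", "SecurityUpdates", "DefinitionUpdates", "Drivers",
    "FeaturePacks", "ServicePacks", "Tools", "UpdateRollups", "Updates", "Upgrades",
}
MSRC_SEVERITIES = {"Critical", "Important", "Moderate", "Low", "Unspecified"}


def windows_baseline_request(name: str, products, classifications, severities,
                             approve_after_days: int, approved_patches=(),
                             rejected_patches=(), description: str = "") -> dict:
    """create_patch_baseline arguments for a single auto-approval rule."""
    unknown = set(classifications) - WINDOWS_CLASSIFICATIONS
    if unknown:
        raise ValueError(f"unknown classification(s): {sorted(unknown)}")
    unknown = set(severities) - MSRC_SEVERITIES
    if unknown:
        raise ValueError(f"unknown severity(ies): {sorted(unknown)}")
    if not 0 <= approve_after_days <= 360:
        raise ValueError("approve_after_days must be between 0 and 360")
    filters = [
        {"Key": "PRODUCT", "Values": list(products)},
        {"Key": "CLASSIFICATION", "Values": list(classifications)},
        {"Key": "MSRC_SEVERITY", "Values": list(severities)},
    ]
    request = {
        "Name": name,
        "OperatingSystem": "WINDOWS",
        "ApprovalRules": {"PatchRules": [{
            "PatchFilterGroup": {"PatchFilters": filters},
            # Missing patches matched by this rule count as CRITICAL non-compliance.
            "ComplianceLevel": "CRITICAL",
            "ApproveAfterDays": approve_after_days,
        }]},
    }
    if description:
        request["Description"] = description
    if approved_patches:
        request["ApprovedPatches"] = list(approved_patches)
    if rejected_patches:
        request["RejectedPatches"] = list(rejected_patches)
        # BLOCK keeps a rejected patch out even if another patch depends on it.
        request["RejectedPatchesAction"] = "BLOCK"
    return request


def create_windows_baseline(ssm, request: dict, make_default: bool = False) -> str:
    """Create the baseline; optionally make it the default for WINDOWS."""
    baseline_id = ssm.create_patch_baseline(**request)["BaselineId"]
    if make_default:
        ssm.register_default_patch_baseline(BaselineId=baseline_id)
    return baseline_id


if __name__ == "__main__":
    import boto3  # only needed against a real account

    req = windows_baseline_request(
        "win2019-prod", ["WindowsServer2019"],
        ["SecurityUpdates", "CriticalUpdates"], ["Critical", "Important"],
        approve_after_days=7,
        rejected_patches=["KB0000000"],  # placeholder KB id, not a real patch
        description="Security and critical updates, 7-day soak")
    print(create_windows_baseline(boto3.client("ssm"), req))
```

A seven-day `ApproveAfterDays` gives a soak period after Microsoft's release before Install operations pick a patch up; keep it at 0 only for baselines dedicated to emergency out-of-band fixes.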

This way we can patch our Windows EC2 instances periodically to maintain a secure and malware-free environment.

Hope this guide helps you to patch Windows EC2 instances.

Thanks for reading. Don't forget to check out the other articles.