Systems Manager Run Command To Patch Linux EC2 Instances

In my previous blog posts, I explained how to patch Linux and Windows EC2 instances using Systems Manager's Patch Manager.

In this blog post, we will patch Linux EC2 instances using Systems Manager's Run Command, which also lets us keep the complete patching output.

What Is Systems Manager?

Systems Manager is an automation service in Amazon Web Services. It lets you execute commands on remote servers, both EC2 instances and on-premises servers, once the SSM Agent (the ssm-agent package) is installed on them and they are registered as managed instances.

It automates OS patching, image creation and configuration changes for Windows and Linux operating systems.

You manage the servers by defining tasks (Systems Manager documents) and running them against target instances that are registered in the Systems Manager console.


For Run Command to be able to patch the Linux EC2 instances, the following requirements must be met:

  • Create an IAM role with Systems Manager permissions
  • Attach the IAM role (its instance profile) to the EC2 instance

The SSM Agent must also be installed and running on the instance (it is preinstalled on the Amazon Linux, Amazon Linux 2 and Ubuntu Server AMIs provided by AWS), and the instance needs outbound HTTPS access to the Systems Manager endpoints, either through the internet or through VPC endpoints.

Creating IAM Role

The EC2 instances must have the necessary permissions attached for Systems Manager to be able to manage them.

Let's go ahead and create an IAM role.

Log in to the IAM console. In the navigation pane, choose Roles.


Click Create role.

For Select type of trusted entity, choose AWS service.


For Choose a use case, select EC2 and click Next: Permissions.


Search for SSM and choose AmazonEC2RoleforSSM. Note that AWS has since deprecated this policy in favour of AmazonSSMManagedInstanceCore, which grants only what the agent needs for core Systems Manager functionality; AmazonEC2RoleforSSM additionally grants broad S3 and CloudWatch Logs access. On new roles, prefer AmazonSSMManagedInstanceCore and add a separate, scoped policy for the CloudWatch log group (logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents) or the S3 bucket you send Run Command output to, since the core policy does not cover those.


Click Next: Tags; you can optionally tag the role.

Click Next: Review, provide a name for the IAM role and click Create role. Creating a role for the EC2 use case in the console also creates an instance profile with the same name, which is what actually gets attached to the instance.


Attaching the IAM Role to the EC2 Instance

Once the IAM role with the required permissions has been created, we need to attach it to the EC2 instances.

Log in to the EC2 management console.

In the navigation pane, choose Instances.

Select the instance. Under Actions, hover over Instance Settings and select Attach/Replace IAM Role.


For IAM role, choose the role you created from the drop-down and click Apply.

Verifying EC2 Instances Under Systems Manager

We have now met the minimum requirements for Systems Manager to be able to manage the EC2 instances.

To verify that, log in to the Systems Manager console.

In the navigation pane, under Instances & Nodes, click Managed Instances.


You should see the EC2 instance listed here with a ping status of Online; these instances can be managed by Systems Manager. If an instance is missing, the usual causes are the SSM Agent not running (it may need a restart to pick up the newly attached role's credentials), the role not being attached, or no outbound route to the Systems Manager endpoints.

Let's go ahead and start patching the Linux EC2 instances.
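The Managed Instances view only lists instances whose agent has checked in, so it does not tell you why a given instance is absent. The script below is an added example, not code from the original post: it joins the EC2 instance list with the Systems Manager instance information and classifies each instance as managed, registered but not reporting, attached to a profile but never registered, or lacking an instance profile entirely. It assumes boto3 and credentials with ec2:DescribeInstances and ssm:DescribeInstanceInformation; the instance IDs and profile ARN in the sample data are constructed.

```python
"""Check which EC2 instances are actually manageable by Systems Manager.

Added example (not from the original post). classify() is pure and works on
constructed data; fetch_live_state() needs boto3 and AWS credentials.
"""


def classify(instances, ssm_info):
    """Return {instance_id: state} for each EC2 instance.

    instances: dicts shaped like the Instances entries from ec2.describe_instances
               (only InstanceId and IamInstanceProfile are read).
    ssm_info:  dicts shaped like InstanceInformationList entries from
               ssm.describe_instance_information (InstanceId and PingStatus are read).
    """
    ping = {i["InstanceId"]: i.get("PingStatus") for i in ssm_info}
    result = {}
    for inst in instances:
        iid = inst["InstanceId"]
        status = ping.get(iid)
        if status == "Online":
            result[iid] = "managed"
        elif status is not None:
            # Registered at some point but now ConnectionLost/Inactive: agent stopped or lost its route.
            result[iid] = "agent-not-reporting"
        elif "IamInstanceProfile" in inst:
            # Has a profile but never registered: agent missing/not restarted, or no path to SSM endpoints.
            result[iid] = "profile-but-unregistered"
        else:
            result[iid] = "no-instance-profile"
    return result


def fetch_live_state(region):
    """Pull the real data from AWS and classify it (network required)."""
    import boto3  # imported lazily so classify() runs without boto3 installed

    ec2 = boto3.client("ec2", region_name=region)
    ssm = boto3.client("ssm", region_name=region)
    instances = []
    for page in ec2.get_paginator("describe_instances").paginate(
        Filters=[{"Name": "instance-state-name", "Values": ["running"]}]
    ):
        for reservation in page["Reservations"]:
            instances.extend(reservation["Instances"])
    ssm_info = []
    for page in ssm.get_paginator("describe_instance_information").paginate():
        ssm_info.extend(page["InstanceInformationList"])
    return classify(instances, ssm_info)


# Constructed sample data mirroring the API shapes; IDs and the account number are made up.
SAMPLE_PROFILE = {"Arn": "arn:aws:iam::123456789012:instance-profile/ssm-patching-role"}
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa", "IamInstanceProfile": SAMPLE_PROFILE},
    {"InstanceId": "i-0bbb", "IamInstanceProfile": SAMPLE_PROFILE},
    {"InstanceId": "i-0ccc"},
]
SAMPLE_SSM_INFO = [
    {"InstanceId": "i-0aaa", "PingStatus": "Online", "PlatformType": "Linux"},
]

if __name__ == "__main__":
    import sys

    # With a region argument the live account is checked; otherwise the sample data is used.
    states = fetch_live_state(sys.argv[1]) if len(sys.argv) > 1 else classify(SAMPLE_INSTANCES, SAMPLE_SSM_INFO)
    for iid, state in sorted(states.items()):
        print(f"{iid}: {state}")
```

Run it with a region name (for example `python check_ssm.py us-east-1`) to check a real account; anything other than "managed" will not appear under Managed Instances and will be silently skipped by a tag-targeted Run Command, which is why the check belongs before the first patch run.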

Run Command – Patching Linux Instances

When patching Linux instances with Systems Manager's Patch Manager, we do not get the complete output or a summary of the patching.

To be able to review the complete output and summary, we use Systems Manager's Run Command with the same patch baseline document.

When patching with Run Command, we can send the output to CloudWatch Logs and review it later in the CloudWatch console.

From the Systems Manager console, in the navigation pane, under Instances & Nodes, choose Run Command.

Click Run command. You will see the list of Run Command documents; choose AWS-RunPatchBaseline, which works for both Linux and Windows.

Once the document is selected, leave the Document version at the default.

Under Command parameters, for Operation, choose either Scan or Install.

Scan – scans each target instance and reports the list of missing patches for review, without changing the instance.

Install – scans and then installs the missing patches on the target instances.

For Reboot Option, choose RebootIfNeeded (the default: the instance is rebooted after the patch operation if any installed patch requires it) or NoReboot (patches are installed but the reboot is left to you; patches that need one are reported as installed pending reboot until then).

For Targets, if you have tagged the EC2 instances you can select them by tag; otherwise you can choose them manually.

Under Other parameters, you can add a comment and set a timeout for the command in seconds. The default is 600 seconds (10 minutes).

For Rate control, if you are patching a group of instances at once, specify the concurrency (the number or percentage of targets to patch at a time) and the error threshold (the number or percentage of failed targets after which the command stops being sent to further targets).

For Output options, as mentioned above, we can log the output of the patching, whether it is a Scan or an Install.

This helps us review the result or troubleshoot before and after patching.

There are two destinations for the output: an S3 bucket, CloudWatch Logs, or both.

I will choose CloudWatch output, so we can review it immediately after the patching is completed.

Then provide a name for the log group to be created in CloudWatch Logs.

For SNS notifications, you can optionally use an SNS topic to be notified of the command status.

Finally, click Run, which starts patching right away.

You can check the status of the command; each command you execute has a Command ID.

Once the command execution is completed, you will get the response below.

Under Targets and outputs, click the instance ID. You will find two steps, one for Linux and one for Windows.

If the operating system is Linux, the Windows step is skipped, and vice versa.

Click Step – Output to check the output of the command.

As mentioned in the earlier posts, the console displays at most 2500 characters of command output; anything beyond that is truncated.

To check the complete logs, log in to the CloudWatch console.

In the navigation pane, under Logs, choose Log groups.

Search for the log group name you provided when configuring the Run Command output.

Click the log group name. You will find the log streams, one per target instance and step.

Click a log stream to see the complete, untruncated output of the Run Command.

You can expand each log event and review it.
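The console steps above (document, Operation, Reboot Option, targets, timeout, rate control, CloudWatch output, SNS) map one-to-one onto the SendCommand API, and the log review maps onto a CloudWatch Logs query by command ID. The following is an added example, not code from the original post, that builds and validates that request, sends it, waits for completion and pulls the full output back from the log group. Tag key/value, log group name, SNS ARNs and the instance ID are placeholders; the parameter names are the real SendCommand and AWS-RunPatchBaseline parameters. It assumes boto3 and credentials for ssm:SendCommand, ssm:ListCommands, ssm:ListCommandInvocations and logs:FilterLogEvents.

```python
"""Build, validate and (optionally) send the AWS-RunPatchBaseline request the
console steps produce, then collect its full output from CloudWatch Logs.

Added example, not code from the original post. build_patch_command() is pure
and checkable offline; run_and_collect() needs boto3, credentials and real targets.
"""
import re

DOCUMENT = "AWS-RunPatchBaseline"
VALID_OPERATIONS = {"Scan", "Install"}
VALID_REBOOT = {"RebootIfNeeded", "NoReboot"}
FINISHED = {"Success", "Failed", "Cancelled", "TimedOut"}   # terminal command statuses


def _check_rate(value, name, allow_zero):
    """MaxConcurrency/MaxErrors accept a count ("10") or a percentage ("25%")."""
    m = re.fullmatch(r"(\d+)(%?)", value)
    n = int(m.group(1)) if m else -1
    if m is None or (n == 0 and not allow_zero) or (m.group(2) and n > 100):
        raise ValueError(f"{name}={value!r} must be a count or a percentage up to 100%")


def build_patch_command(operation, reboot_option="RebootIfNeeded", tag_key=None,
                        tag_value=None, instance_ids=None, log_group="ssm-patching",
                        timeout_seconds=600, max_concurrency="1", max_errors="0",
                        sns_topic_arn=None, sns_role_arn=None):
    """Return the keyword arguments for ssm.send_command."""
    if operation not in VALID_OPERATIONS:
        raise ValueError(f"Operation must be one of {sorted(VALID_OPERATIONS)}")
    if reboot_option not in VALID_REBOOT:
        raise ValueError(f"RebootOption must be one of {sorted(VALID_REBOOT)}")
    _check_rate(max_concurrency, "MaxConcurrency", allow_zero=False)
    _check_rate(max_errors, "MaxErrors", allow_zero=True)
    if not 30 <= timeout_seconds <= 2592000:
        raise ValueError("TimeoutSeconds must be between 30 and 2592000")
    if tag_key and tag_value:                       # tag-based targeting, as in the console
        targets = [{"Key": f"tag:{tag_key}", "Values": [tag_value]}]
    elif instance_ids:                              # or an explicit list of instances
        targets = [{"Key": "InstanceIds", "Values": list(instance_ids)}]
    else:
        raise ValueError("give a tag key/value or instance_ids")
    request = {
        "DocumentName": DOCUMENT,
        "DocumentVersion": "$DEFAULT",
        "Targets": targets,
        "Parameters": {"Operation": [operation], "RebootOption": [reboot_option]},
        "TimeoutSeconds": timeout_seconds,
        "MaxConcurrency": max_concurrency,
        "MaxErrors": max_errors,
        # Full stdout/stderr goes to CloudWatch Logs; the console view is truncated.
        "CloudWatchOutputConfig": {"CloudWatchLogGroupName": log_group,
                                   "CloudWatchOutputEnabled": True},
        "Comment": f"{DOCUMENT} {operation} ({reboot_option})",
    }
    if sns_topic_arn and sns_role_arn:              # optional status notifications
        request["NotificationConfig"] = {"NotificationArn": sns_topic_arn,
                                         "NotificationEvents": ["Success", "Failed", "TimedOut"],
                                         "NotificationType": "Command"}
        request["ServiceRoleArn"] = sns_role_arn    # role Systems Manager assumes to publish
    return request


def run_and_collect(region, request, poll_seconds=15):
    """Send the command, wait for it to finish, return (command id, per-instance status, log text)."""
    import time
    import boto3

    ssm = boto3.client("ssm", region_name=region)
    logs = boto3.client("logs", region_name=region)
    command_id = ssm.send_command(**request)["Command"]["CommandId"]
    while ssm.list_commands(CommandId=command_id)["Commands"][0]["Status"] not in FINISHED:
        time.sleep(poll_seconds)
    status = {i["InstanceId"]: i["Status"]
              for i in ssm.list_command_invocations(CommandId=command_id)["CommandInvocations"]}
    # Log streams are named <command-id>/<instance-id>/<plugin>/stdout|stderr, so the
    # command ID prefix selects every stream this run produced, without the 2500-char cut.
    pages = logs.get_paginator("filter_log_events").paginate(
        logGroupName=request["CloudWatchOutputConfig"]["CloudWatchLogGroupName"],
        logStreamNamePrefix=command_id)
    messages = [e["message"] for page in pages for e in page["events"]]
    return command_id, status, "\n".join(messages)


if __name__ == "__main__":
    req = build_patch_command("Scan", "NoReboot", tag_key="PatchGroup", tag_value="linux-web")
    cid, status, output = run_and_collect("us-east-1", req)
    print(cid, status)
    print(output)
```

Start with Operation=Scan and a small concurrency and error threshold; a Scan is read-only, and MaxErrors="0" stops the rollout at the first failing target rather than pushing a bad run across the fleet. Switch to Install only after the scan output in the log group looks as expected.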

We have used Run Command to patch the Linux EC2 instances.

Now suppose you want to run the same procedure on a schedule, for example every Tuesday.

Let's go ahead and schedule the Run Command.

Maintenance Windows – Run Command – Linux Patching

We need to create a maintenance window, which will execute the Run Command task on the schedule we configure.

To create a maintenance window, from the Systems Manager console, in the navigation pane, under Actions & Change, choose Maintenance Windows.

Click Create maintenance window.

Here we need to provide the maintenance window details.

Provide a name for the maintenance window.

For Schedule, we can choose one of the following: Cron schedule builder, Rate schedule builder, or CRON/rate expression.

Let's choose Cron schedule builder. For Window starts, you can set the maintenance window to run every N minutes, hours or days, or on particular days of the week.

Let's choose every Tuesday at 02:00 AM. Note that the schedule is interpreted in UTC unless you set a schedule time zone.

Provide a duration (in hours) for the maintenance window, and a cutoff: how many hours before the window ends Systems Manager should stop starting new tasks, so that patch runs already in progress can finish inside the window.

Click Create maintenance window

After the maintenance window is created, click the window ID. You will see the following sections.

First we need to register the target instances with the maintenance window, and then register the Run Command task. The task is applied to each registered target when the window opens.

To add targets, click Targets, then Register target.

Optionally, provide a name for the targets.

For Targets, you can choose the instances by tag or select them manually.

Then click Register target.

Let's go ahead and add the task. Click Tasks, choose Register tasks, and select Register Run command task.

For Command document, choose AWS-RunPatchBaseline.

Let's choose the Default document version.

For Targets, choose the targets already registered with the maintenance window.

For Rate control, specify the number or percentage of targets on which to execute the task at a time, and the error threshold at which to stop.

For IAM service role, choose Use the service-linked role for Systems Manager; this role is sufficient for Run Command tasks and avoids creating a custom role.

For Output options, choose CloudWatch and provide a name for the log group.

For Parameters, for Operation, choose either Scan or Install, as before.

Scan – scans each target instance and reports the list of missing patches for review.

Install – scans and then installs the missing patches on the target instances.

Then click Register Run command task.

Now, on the maintenance window schedule, the Run Command patch document is executed on the target EC2 instances and the logs are stored in CloudWatch Logs.
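The same schedule can be created with the API, which makes it reviewable and repeatable across accounts. The following is an added example, not code from the original post: it builds the cron expression for "every Tuesday at 02:00", the maintenance window with its duration and cutoff, the tag-based target registration, and the AWS-RunPatchBaseline task that relies on the service-linked role (no ServiceRoleArn) and writes to CloudWatch Logs, then optionally submits them with boto3. Window name, tag key/value, log group and the window ID in the test data are placeholders.

```python
"""Schedule AWS-RunPatchBaseline through a Systems Manager maintenance window.

Added example, not code from the original post. The request builders are pure;
create_schedule() needs boto3 and credentials for ssm:CreateMaintenanceWindow,
ssm:RegisterTargetWithMaintenanceWindow and ssm:RegisterTaskWithMaintenanceWindow.
"""

DAYS = ("SUN", "MON", "TUE", "WED", "THU", "FRI", "SAT")


def weekly_cron(day, hour, minute=0):
    """Cron expression for 'every <day> at hh:mm' in the window's ScheduleTimezone."""
    day = day.upper()[:3]
    if day not in DAYS:
        raise ValueError(f"day must be one of {DAYS}")
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError("hour/minute out of range")
    # Fields: minutes hours day-of-month month day-of-week year; '?' = any day-of-month.
    return f"cron({minute} {hour} ? * {day} *)"


def window_request(name, schedule, duration_hours=3, cutoff_hours=1, timezone="UTC"):
    """Arguments for ssm.create_maintenance_window."""
    if not 1 <= duration_hours <= 24:
        raise ValueError("Duration must be 1-24 hours")
    if not 0 <= cutoff_hours < duration_hours:
        raise ValueError("Cutoff must be shorter than Duration")
    return {
        "Name": name,
        "Schedule": schedule,
        "ScheduleTimezone": timezone,
        "Duration": duration_hours,
        "Cutoff": cutoff_hours,             # stop launching tasks this many hours before the end
        "AllowUnassociatedTargets": False,  # tasks may only hit registered targets
    }


def target_request(window_id, tag_key, tag_value, name="linux-patch-targets"):
    """Arguments for ssm.register_target_with_maintenance_window (tag-based)."""
    return {
        "WindowId": window_id,
        "ResourceType": "INSTANCE",
        "Targets": [{"Key": f"tag:{tag_key}", "Values": [tag_value]}],
        "Name": name,
    }


def task_request(window_id, window_target_id, operation, log_group,
                 reboot_option="RebootIfNeeded", max_concurrency="10%", max_errors="1"):
    """Arguments for ssm.register_task_with_maintenance_window (Run Command task)."""
    if operation not in ("Scan", "Install"):
        raise ValueError("operation must be Scan or Install")
    if reboot_option not in ("RebootIfNeeded", "NoReboot"):
        raise ValueError("reboot_option must be RebootIfNeeded or NoReboot")
    return {
        "WindowId": window_id,
        "Targets": [{"Key": "WindowTargetIds", "Values": [window_target_id]}],
        "TaskArn": "AWS-RunPatchBaseline",
        "TaskType": "RUN_COMMAND",
        "Priority": 1,
        "MaxConcurrency": max_concurrency,
        "MaxErrors": max_errors,
        # No ServiceRoleArn: Systems Manager uses its service-linked role, as in the console.
        "TaskInvocationParameters": {
            "RunCommand": {
                "DocumentVersion": "$DEFAULT",
                "Parameters": {"Operation": [operation], "RebootOption": [reboot_option]},
                "TimeoutSeconds": 600,
                "CloudWatchOutputConfig": {"CloudWatchLogGroupName": log_group,
                                           "CloudWatchOutputEnabled": True},
            }
        },
        "Name": f"patch-{operation.lower()}",
    }


def create_schedule(region, tag_key, tag_value, operation="Install", log_group="ssm-patching"):
    """Create the window, register the targets and the task (network required)."""
    import boto3

    ssm = boto3.client("ssm", region_name=region)
    window_id = ssm.create_maintenance_window(
        **window_request("linux-patching", weekly_cron("TUE", 2)))["WindowId"]
    target_id = ssm.register_target_with_maintenance_window(
        **target_request(window_id, tag_key, tag_value))["WindowTargetId"]
    task_id = ssm.register_task_with_maintenance_window(
        **task_request(window_id, target_id, operation, log_group))["WindowTaskId"]
    return window_id, target_id, task_id


if __name__ == "__main__":
    print(create_schedule("us-east-1", "PatchGroup", "linux-web"))
```

Keeping AllowUnassociatedTargets false and targeting by tag means a new instance joins the patch schedule only when it is tagged, and nobody can point the window at an arbitrary instance ID; the cutoff of one hour in a three-hour window leaves Install runs that are already in flight time to finish and reboot before the window closes.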

That's all. Thanks for reading this article.

I hope you found it helpful. Don't forget to check out the other blogs.