Say you’re given a scenario where you have 10 instances, all running Linux AMI’s and you need to run patch updates on each instance.
Of course, you can log in to each instance and list the patches in the inventory, and select the patches that need to be installed on the instances. But, with companies running hundreds of different systems, applications, and extensions, one overlooked vulnerability can open the door to the entire network. Once a vulnerability is discovered, the risk of it being exploited due to a slow or manual patching process can result in customers leaving, lawsuits, denied cyber-insurance claims, and loss of employment for IT professionals.
If you’re hosted on AWS and you’d like to automate this process, you can use AWS System Manager. System Manager is a service that enables you to automate without logging directly into an EC2 Instance. AWS Systems Manager lets you view and control your infrastructure on AWS. Using the Systems Manager console, you can view operational data from multiple AWS services and automate operational tasks across your AWS resources. Systems Manager helps you maintain security and compliance by scanning your managed instances and reporting on (or taking corrective action on) any policy violations it detects.One of the features of System Manager is Patch Manager, which will be needed to carry out this automation setup.
AWS Patch Manager
Patch Manager automates the process of patching Windows and Linux managed instances. Use this feature of AWS Systems Manager to scan your instances for missing patches or scan and install missing patches. You can install patches individually or to large groups of instances by using Amazon EC2 tags.
Let’s take a quick look at this Block Diagram from AWS for a bit more clarity.
Patch Manager uses patch baselines, which include rules for auto-approving patches within days of their release, as well as a list of approved and rejected patches. You can install patches on a regular basis by scheduling patching to run as a Systems Manager maintenance window task. You can also install patches individually or to large groups of instances by using Amazon EC2 tags.
Now, let’s get into setting up our automated patching!
Configure Systems Manager
Establish the IAM role for the Systems Manager so that it can perform patch operations.
Associate a patch baseline for the Systems Manager with your instance to define which patches the Systems Manager will refer to.
Establish a maintenance window to make sure the System Manager patches your instance when you tell it to do so.
Monitor patch compliance to verify the patch state of your instances.
Create an IAM Role, attach the AmazonEC2RoleforSSM Managed policy.
Install the SSM Agent on required instances.
Create a custom patch baseline.
Set the patch group for the custom patch baseline.
Create a maintenance window.
Register targets for the maintenance window.
Verify the patch compliance report.
Please Note: I decided to skip steps 1 & 2, details for SSM agent installation can be found here.
Create a Custom patch baseline
You can opt to create a patch baseline for the patches that need to be installed to your instances. Alternatively, AWS provides us with multiple predefined patch baselines for different types of operating systems. For this tutorial, we will use the AWS Patch Baselines.
Click Create patch baseline > fill the required details > Create
You can use a patch group to associate instances with a specific patch baseline. Patch groups help ensure that you are deploying the appropriate patches, based on the associated patch baseline rules, to the correct set of instances. Patch groups can also help you avoid deploying patches before they have been adequately tested. For example, you can create patch groups for different environments (such as Development, Staging, and Production) and register each patch group to an appropriate patch baseline.
Click Baseline ID > Actions > Modify Patch groups
If you haven’t created a Patch Group before, the instructions can be found here.
Next, you will need to establish a Maintenance window. This is used to define a schedule for when to perform actions on your instances. Each Maintenance Window will have a schedule, duration, and a set of registered targets. In order to minimize downtime, it would be best to apply your patches at a time when it has the least impact on your organization.
Now that you’ve created everything you’ll need to run a patch, you’ll want to see the overall patch compliance of all EC2 instances that were specified in the patch group after applying the patch. You’ll find this by selecting Compliance in the System Manager Console tab of the Instances & Nodes.
AWS System Manager > Managed Instance > Select the instance ID > Configuration Compliance
Boom! You’ve just set up automated patching with AWS System Manager! Creating a schedule of patches will not only secure the application and its systems, but also improves your organization’s overall security posture. If you were to leave instances unpatched, you will more than likely fall susceptible to cyber-attacks. This is due to attackers exploiting the known vulnerability that had not patched, which can result in potential data breaches.