Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0
The SRA Patch Manager Solution is a comprehensive AWS-based design to streamline the patch management process across multiple AWS accounts. The solution assumes a role in each member account to enable or disable the Patch Manager functionality, ensuring seamless management and control. It creates three distinct Maintenance Windows - one for updating the AWS Systems Manager (SSM) Agents on all Managed Instances, one for scanning and installing critical and important security patches and bug fixes on Windows-tagged instances, and another for the same on Linux-tagged instances. The solution also configures the Default Host Configuration feature, detecting the creation of new AWS accounts and automatically deploying the solution to those accounts. Additionally, the Patch Manager can be disabled across all accounts and regions through a parameter and CloudFormation update event, providing flexibility and control over the patch management process.
Key solution features:
- Assumes a role in each member account to enable/disable the Patch Manager Solution.
- Creates 3 Maintenance Windows:
  - One updates the SSM Agents on all Managed Instances.
  - One scans for, or installs, missing Security patches rated Critical or Important and Bugfixes on Managed Instances tagged as Windows.
  - One scans for, or installs, missing Security patches rated Critical or Important and Bugfixes on Managed Instances tagged as Linux.
- Configures the Default Host Configuration feature.
- Detects the creation of new AWS Accounts and deploys the solution into the account automatically.
- Ability to disable Patch Manager within all accounts and regions via a parameter and CloudFormation update event.
The Patch Manager solution requires:
- SSM Agent 3.0.502 or later to be installed on the managed node
- Internet connectivity from the managed node to the source patch repositories
- Supported OS
- A tag is applied to the Managed Instance. Key: InstanceOS Value: Linux or Windows
- All resources are deployed via AWS CloudFormation as a `StackSet` and `Stack Instance` within the management account or a CloudFormation `Stack` within a specific account.
- The Customizations for AWS Control Tower solution deploys all templates as a CloudFormation `StackSet`.
- For parameter details, review the AWS CloudFormation templates.
- The `Lambda IAM Role` is used by the Lambda function in the management account to enable the Patch Manager in the management account.
- The `Patch Management IAM Role` is assumed by the Lambda function in each of the member accounts to configure Patch Manager.
- The `SSM Automation Role` is used by the Maintenance Window to execute the task.
- The `DefaultHostConfig Role` is used to enable the Default Host Configuration setting.
- The `Patch Mgr EC2 Profile` is used if there are issues with the Default Host Configuration setting.
- The Lambda function includes the logic to enable and configure Patch Manager.
- The Python boto3 SDK Lambda layer gives the Lambda function the capability to enable all elements of the Patch Manager Solution.
- The layer is downloaded during the deployment process and packaged into a layer that is used by the Lambda function in this solution.
- All the `AWS Lambda Function` logs are sent to a CloudWatch Log Group `/aws/lambda/<LambdaFunctionName>` to help with debugging and traceability of the actions performed.
- By default the `AWS Lambda Function` will create the CloudWatch Log Group and logs are encrypted with a CloudWatch Logs service managed encryption key.
- The `AWS Control Tower Lifecycle Event Rule` triggers the `AWS Lambda Function` when a new AWS Account is provisioned through AWS Control Tower.
- The `Organization Compliance Scheduled Event Rule` triggers the `AWS Lambda Function` to capture AWS Account status updates (e.g. suspended to active).
  - A parameter is provided to set the schedule frequency.
- The `AWS Organizations Event Rule` triggers the `AWS Lambda Function` when updates are made to accounts within the organization:
  - When AWS Accounts are added to the AWS Organization outside of the AWS Control Tower Account Factory (e.g. account created via AWS Organizations console, account invited from another AWS Organization).
  - When tags are added or updated on AWS Accounts.
- SQS dead letter queue used for retaining any failed Lambda events.
- SNS Topic used to notify subscribers when messages hit the DLQ.
- Patch Manager is enabled for each existing active account and region during the initial setup.
- If the `Home Region` is different from the `Global Region` (e.g. us-east-1), then global event rules are created within the `Global Region` to forward events to the `Home Region` default Event Bus.
- The `AWS Organizations Event Rule` forwards AWS Organization account update events.
In each existing and future member account of the organization:
- All resources are deployed via AWS CloudFormation as a `StackSet` and `Stack Instance` within the management account or a CloudFormation `Stack` within a specific account.
- The Customizations for AWS Control Tower solution deploys all templates as a CloudFormation `StackSet`.
- For parameter details, review the AWS CloudFormation templates.
- The `Patch Management IAM Role` is assumed by the Lambda function in each of the member accounts to configure Patch Manager.
- The `SSM Automation Role` is used by the Maintenance Window to execute the task.
- The `DefaultHostConfig Role` is used to enable the Default Host Configuration setting.
- The `Patch Mgr EC2 Profile` is used if there are issues with the Default Host Configuration setting.
- 74 popular IANA timezones from across the US and Europe are available to choose from. The default timezone is America/New_York (US Eastern Time, which follows daylight-saving changes).
Three Maintenance Windows are created:
- `sra_ssm_agent_update`: updates SSM Agent on all Managed Instances.
- `sra_windows_maintenance`: scans for missing patches on all Managed Instances tagged as Windows.
- `sra_linux_maintenance`: scans for missing patches on all Managed Instances tagged as Linux.
Three tasks are created and registered, one with each of the Maintenance Windows:
- `sra_ssm_agent_update`: runs an SSM Agent update on all Managed Instances.
- `sra_windows_maintenance`: runs a scan or install task on all Managed Instances tagged as Windows.
- `sra_linux_maintenance`: runs a scan or install task on all Managed Instances tagged as Linux.
Three target groups are created and registered, one with each of the Maintenance Windows:
- `sra_ssm_agent_update`: includes all instances with the tag InstanceOS:Windows or InstanceOS:Linux.
- `sra_windows_maintenance`: includes all instances with the tag InstanceOS:Windows.
- `sra_linux_maintenance`: includes all instances with the tag InstanceOS:Linux.
These AWS Managed SSM Documents are used by the tasks:
- `AWS-UpdateSSMAgent`
- `AWS-RunPatchBaseline`
NOTE: The document hashes are fetched dynamically, so any change AWS makes to these managed documents is picked up by the solution and it stays up to date.
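An instance is only patched if it meets every requirement above at once: it carries the `InstanceOS` tag with exactly the value `Linux` or `Windows` (that is what the three target groups filter on), it is registered with SSM (which is what makes it show up in Fleet Manager), and its SSM Agent is at least 3.0.502. A mis-tagged or unregistered instance is silently left out of every maintenance window, which is the kind of gap a pre-flight audit catches. The following script is an added example and is not part of the SRA solution: it applies those checks to data shaped like the output of `ec2:DescribeInstances` and `ssm:DescribeInstanceInformation`, and reports which windows each running instance falls into. The sample data is constructed inline so the script runs offline; in practice you would feed it the paginated results of those two boto3 calls, which are assumed here rather than imported.

```python
"""Pre-flight audit of Patch Manager coverage under the SRA tag scheme.

Added example, not part of the SRA solution. It checks the requirements the
README lists (InstanceOS tag = Linux|Windows, SSM Agent >= 3.0.502, instance
registered with SSM) and reports which maintenance window each instance falls
into. Input shapes mirror ec2:DescribeInstances and
ssm:DescribeInstanceInformation; the data below is constructed so the script
runs offline. Replace it with boto3 paginator output to run it for real.
"""

TAG_KEY = "InstanceOS"                 # tag the SRA target groups filter on
VALID_OS = ("Linux", "Windows")        # exact values the target groups match
MIN_AGENT = (3, 0, 502)                # minimum SSM Agent version per the README
WINDOW_FOR_OS = {"Linux": "sra_linux_maintenance", "Windows": "sra_windows_maintenance"}
AGENT_WINDOW = "sra_ssm_agent_update"  # targets InstanceOS:Linux or InstanceOS:Windows


def parse_version(version: str) -> tuple:
    """Turn '3.2.1798.0' into (3, 2, 1798, 0) so versions compare numerically."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def agent_too_old(version: str) -> bool:
    return parse_version(version) < MIN_AGENT


def windows_for(tags: dict) -> list:
    """Maintenance windows whose target group will pick up an instance with these tags."""
    os_value = tags.get(TAG_KEY)
    if os_value not in VALID_OS:
        return []                      # untagged or mis-tagged: no window targets it at all
    return [AGENT_WINDOW, WINDOW_FOR_OS[os_value]]


def audit(reservations: list, instance_information: list) -> dict:
    """Return {instance_id: {"windows": [...], "issues": [...]}} for running instances."""
    managed = {info["InstanceId"]: info for info in instance_information}
    report = {}
    for reservation in reservations:
        for inst in reservation["Instances"]:
            if inst.get("State", {}).get("Name") != "running":
                continue               # stopped/terminated instances cannot be patched anyway
            iid = inst["InstanceId"]
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            issues = []
            os_value = tags.get(TAG_KEY)
            if os_value is None:
                issues.append("missing InstanceOS tag: no maintenance window targets this instance")
            elif os_value not in VALID_OS:
                # EC2 tag values are case-sensitive, so 'linux' never matches the target group.
                hint = " (tag values are case-sensitive)" if os_value.title() in VALID_OS else ""
                issues.append(f"InstanceOS={os_value!r} is not Linux or Windows{hint}")
            info = managed.get(iid)
            if info is None:
                issues.append("not registered with SSM (absent from Fleet Manager): "
                              "check the instance profile / Default Host Management Configuration")
            else:
                if info.get("PingStatus") != "Online":
                    issues.append(f"SSM PingStatus is {info.get('PingStatus')!r}")
                if agent_too_old(info.get("AgentVersion", "0")):
                    issues.append(f"SSM Agent {info['AgentVersion']} is older than 3.0.502")
            report[iid] = {"windows": windows_for(tags), "issues": issues}
    return report


# Constructed sample data (not real account output).
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "State": {"Name": "running"},
     "Tags": [{"Key": "InstanceOS", "Value": "Linux"}]},
    {"InstanceId": "i-0bbbbbbbbbbbbbbb2", "State": {"Name": "running"},
     "Tags": [{"Key": "Name", "Value": "web-1"}]},
    {"InstanceId": "i-0ccccccccccccccc3", "State": {"Name": "running"},
     "Tags": [{"Key": "InstanceOS", "Value": "linux"}]},
    {"InstanceId": "i-0ddddddddddddddd4", "State": {"Name": "running"},
     "Tags": [{"Key": "InstanceOS", "Value": "Windows"}]},
    {"InstanceId": "i-0eeeeeeeeeeeeeee5", "State": {"Name": "stopped"},
     "Tags": [{"Key": "InstanceOS", "Value": "Linux"}]},
]}]
SAMPLE_INSTANCE_INFORMATION = [
    {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "PingStatus": "Online", "AgentVersion": "3.2.1798.0"},
    {"InstanceId": "i-0bbbbbbbbbbbbbbb2", "PingStatus": "Online", "AgentVersion": "3.1.1188.0"},
    {"InstanceId": "i-0ccccccccccccccc3", "PingStatus": "Online", "AgentVersion": "2.3.1644.0"},
    # i-0ddddddddddddddd4 is deliberately absent: it never registered with SSM
]

if __name__ == "__main__":
    for iid, result in audit(SAMPLE_RESERVATIONS, SAMPLE_INSTANCE_INFORMATION).items():
        status = "OK" if not result["issues"] else "ISSUE"
        print(f"{iid} [{status}] windows={result['windows'] or 'none'}")
        for issue in result["issues"]:
            print(f"    - {issue}")
```

Run it per account and region before enabling the solution, or after the first scheduled run if the Compliance Reporting tab shows fewer instances than you expect. An instance flagged "not registered with SSM" is the case the FAQ at the end of this page addresses (attach the Patch Mgr EC2 Profile); one flagged for a lower-case or missing `InstanceOS` tag will never be scanned no matter how healthy its agent is.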
- Download and Stage the SRA Solutions. Note: This only needs to be done once for all the solutions.
- Verify that the SRA Prerequisites Solution has been deployed.
Choose a Deployment Method. For example, deploying the main template with the AWS CLI from the management account:
```bash
aws cloudformation deploy --template-file $PWD/aws-sra-examples/aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/templates/sra-patch_mgmt-org-main-ssm.yaml --stack-name sra-patch-org-main-ssm --capabilities CAPABILITY_NAMED_IAM
```
Refer to the AWS SRA Easy Setup Guide to pick the best installation type for you.
Choose to deploy the Patch Manager solution from within the chosen deployment type.
- Log into the `management account` and navigate to the Systems Manager page.
- Select Maintenance Windows.
- Verify that there are now maintenance windows with registered tasks and targets.
- Log into a member account and verify the maintenance windows also exist there.
- Download and Stage the SRA Solutions. Note: Get the latest code and run the staging script.
- Update the existing CloudFormation Stack or CFCT configuration. Note: Make sure to update the `SRA Solution Version` parameter and any newly added parameters.
The delete workflows are:
To remove the solution but leave the Maintenance Windows in place:
- In the management account (home region), delete the AWS CloudFormation Stack (sra-patch-mgmt-main-ssm).
To remove the solution and the Maintenance Windows it created:
- Update "Disable Patch Management Solution" to 'true' to delete Maintenance Windows and Default Host Management Configuration in all accounts and regions. Wait for this stack update to complete: the Lambda function in the stack performs the deletions.
- In the management account (home region), delete the AWS CloudFormation Stack (sra-patch-mgmt-main-ssm).
- Delete the host management role: in the management account run this CLI command:
```bash
aws cloudformation delete-stack-instances --stack-set-name sra-patchmgmt-default-host-mgmt-role --no-retain-stacks --deployment-targets OrganizationalUnitIds=<ORGANIZATIONAL_UNITS> --regions <HOME_REGION>
```
Navigate to Systems Manager then Patch Manager. From the Dashboard select the Compliance Reporting tab. This will show you all your managed instances, the Compliance Status, and the Non-Compliant Count of patches.
Selecting the link on Non-Compliant Count will show you the missing patches for that Managed Instance. Selecting Patch Now at the top right of the window will allow you to plan the installation of the patches.
Q: It's been more than 24 hours and the instances are still not appearing in Fleet Manager (and therefore are not being scanned).
A: Attach the patch-mgr-ec2-profile to the EC2 instances.