Automate Windows and Linux patching using AWS Systems Manager (SSM)

In this blog post, we will show you how to use AWS Systems Manager (SSM) to patch your managed instances across multiple AWS accounts and Regions.

In the manual scenario, each time patches are due we have to log in to every instance, list the available patches in its inventory and select the ones to install on that instance.

This is slow and entirely manual. It creates a real risk of missing patches on some of the instances, leaving them vulnerable, and we may end up opening port 22 on every instance just so that someone can log in and install the patches.

AWS Systems Manager (SSM) is the right solution for this scenario. Systems Manager is a service that lets you automate work on your instances without logging in to them: collecting system inventory, applying OS patches and running scripts on Linux and Windows instances, all through the SSM Agent.

Usually, an admin maintains a bastion instance to log in to the other servers, and manages the SSH keys and passwords for all of them. With SSM we do not need a bastion instance to reach other servers (a bastion-free environment), and there is no need to open inbound ports, which adds a layer of security to every instance.

AWS Systems Manager

Amazon EC2 Systems Manager lets you automatically apply OS patches within customized maintenance windows, collect software inventory, and configure Windows and Linux operating systems. One of its features is Patch Manager, which automates the patching process for managed instances at scale. With Patch Manager, you can scan instances for missing patches, or scan and install missing patches on individual instances or on large groups of instances selected by EC2 tags. Patch Manager also integrates with Systems Manager Maintenance Windows, so you can create a schedule within a customized maintenance window to run patch operations on your instances.

Patching the Linux instances with AWS SSM Patch Manager

Patch Manager automates the patching process for managed instances with security-related updates; for Linux instances it can install non-security updates too. It supports Windows, Ubuntu Server, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server (SLES) and Amazon Linux. We can either scan instances to get only a report of missing patches, or scan and install all missing patches automatically.

Block diagram from AWS

Patch Manager uses patch baselines, which contain rules for auto-approving patches a given number of days after their release, together with lists of explicitly approved and rejected patches. By scheduling patching to run as a Systems Manager Maintenance Window task we can install patches on a regular basis.

Configure Systems Manager

  • Establish the IAM role for Systems Manager so that it can perform patch operations.
  • Associate a patch baseline with your instances to define which patches Systems Manager will apply.
  • Establish a maintenance window to make sure Systems Manager patches your instances only when you tell it to.
  • Monitor patch compliance to verify the patch state of your instances.


  1. Create an IAM role and attach the AmazonEC2RoleforSSM managed policy.
  2. Install the SSM Agent on the required instances.
  3. Create a custom patch baseline.
  4. Set the patch group for the custom patch baseline.
  5. Create a maintenance window.
  6. Register targets for the maintenance window.
  7. Verify the patch compliance report.

Note: Steps 1 and 2 are skipped here, as they are the basic installation of the SSM Agent. Check here

Create a Custom patch baseline

We need to create a patch baseline that defines which patches should be installed on your instances. Patch Manager provides a predefined default patch baseline for each supported OS. We may use the predefined baseline, or create our own baseline to meet our patch requirements.

Click Create patch baseline > fill in the required details > Create

Below are the sample details that I filled in, after which the baseline is created. Build your own according to your requirements and specifications.



For the auto-approval rule, an auto-approval delay must be specified. This delay is the number of days to wait after a patch is released before it is automatically approved for installation.

Patch Group

Patch groups are used to segregate different environments such as Dev, QA and Prod. We can also build groups based on server function, such as web servers or DB servers. This primarily helps us avoid deploying patches to the wrong set of instances.

Click Baseline ID > Actions > Modify Patch groups

Maintenance Window

A maintenance window defines a schedule for performing disruptive actions on your instances, such as patching the OS and upgrading drivers. Each maintenance window has a schedule, a duration and a set of registered targets. Usually, you want to apply patches at a time when it has the least effect on your organization.

Patch Compliance

We can see the overall patch compliance of all EC2 instances in the patch groups by selecting Compliance under Instances & Nodes in the Systems Manager console.

AWS Systems Manager > Managed Instances > select the instance ID > Configuration Compliance
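Steps 3 to 7 above driven from the AWS CLI instead of the console, as an added example that is not code from the original post. It assumes an AWS CLI v2 profile with Systems Manager permissions, Amazon Linux 2 instances carrying the tag key Patch Group (the tag Patch Manager uses to map an instance to its patch group) with the value Prod, and the resource names (Prod-security-baseline, Prod-patching) are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post: steps 3-7 via the AWS CLI.
# Assumptions: Amazon Linux 2 instances tagged "Patch Group=$PATCH_GROUP" and
# an AWS CLI v2 profile with ssm permissions in the target account.
set -eu
PATCH_GROUP="${PATCH_GROUP:-Prod}"       # tag value that selects instances
PATCH_OS="${PATCH_OS:-AMAZON_LINUX_2}"
# Step 3: baseline that auto-approves Critical/Important security patches 7 days after release.
create_baseline() {
  aws ssm create-patch-baseline --operating-system "$PATCH_OS" \
    --name "${PATCH_GROUP}-security-baseline" \
    --approval-rules 'PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=CLASSIFICATION,Values=[Security]},{Key=SEVERITY,Values=[Critical,Important]}]},ApproveAfterDays=7,ComplianceLevel=CRITICAL}]' \
    --query BaselineId --output text
}
# Step 4: bind the baseline to the patch group so only tagged instances use it.
attach_patch_group() {   # $1 = baseline id
  aws ssm register-patch-baseline-for-patch-group \
    --baseline-id "$1" --patch-group "$PATCH_GROUP" >/dev/null
}
# Step 5: 3-hour window every Sunday 02:00 UTC; no new tasks start in the final hour.
create_window() {
  aws ssm create-maintenance-window --name "${PATCH_GROUP}-patching" \
    --schedule "cron(0 2 ? * SUN *)" --schedule-timezone UTC \
    --duration 3 --cutoff 1 --no-allow-unassociated-targets \
    --query WindowId --output text
}
# Step 6: register the tagged instances, then the AWS-RunPatchBaseline Install task.
register_targets() {     # $1 = window id
  aws ssm register-target-with-maintenance-window --window-id "$1" \
    --resource-type INSTANCE --targets "Key=tag:Patch Group,Values=$PATCH_GROUP" \
    --query WindowTargetId --output text
}
register_patch_task() {  # $1 = window id, $2 = window target id
  aws ssm register-task-with-maintenance-window --window-id "$1" \
    --targets "Key=WindowTargetIds,Values=$2" --task-arn AWS-RunPatchBaseline \
    --task-type RUN_COMMAND --max-concurrency 2 --max-errors 1 --priority 1 \
    --task-invocation-parameters '{"RunCommand":{"Parameters":{"Operation":["Install"],"RebootOption":["RebootIfNeeded"]}}}' \
    --query WindowTaskId --output text
}
# Step 7: an instance is compliant only when Patch Manager reports zero missing patches.
missing_patch_count() {  # $1 = instance id; prints MissingCount from the patch state
  aws ssm describe-instance-patch-states --instance-ids "$1" \
    --query 'InstancePatchStates[0].MissingCount' --output text
}
check_compliance() { [ "$(missing_patch_count "$1")" = "0" ]; }
if [ "${1:-}" = "apply" ]; then         # run as: sh patch-setup.sh apply
  bl=$(create_baseline); attach_patch_group "$bl"; mw=$(create_window)
  tgt=$(register_targets "$mw"); register_patch_task "$mw" "$tgt" >/dev/null
  echo "baseline=$bl window=$mw target=$tgt"
fi
```

After the first window run, `check_compliance i-xxxxxxxx` gives a non-zero exit status for any instance that still has missing patches, which is the same state the Configuration Compliance view shows.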


Patches not only secure applications and their systems; patching is also one of the core activities involved in keeping an organization secure. Unpatched systems are vulnerable to cyber-attacks, with the key risk being attackers exploiting a known vulnerability that has not been patched, resulting in a data breach. Inadequate patch management is one of the common causes of data breaches.

We hope this guide gets you through the initial patching configuration for your EC2 instances in AWS.

Get in touch with us if you need further assistance with the configuration above.

Written by Mahavishnu Govindaraj  & Umashankar N
