Menu
Amazon EC2 Systems Manager
User Guide

Automation Console Walkthrough: Patch a Linux AMI

This Systems Manager Automation walkthrough shows you how to use the Amazon EC2 console and the Systems Manager AWS-UpdateLinuxAmi document to automatically patch a Linux AMI. You can update any of the following Linux versions using this walkthrough: Ubuntu, CentOS, RHEL, or Amazon Linux AMIs. The AWS-UpdateLinuxAmi document also automates the installation of additional site-specific packages and configurations.

The walkthrough shows you how to specify parameters for the AWS-UpdateLinuxAmi document at runtime. If you want to add steps to your automation or specify default values, you can use the AWS-UpdateLinuxAmi document as a template.

For more information about working with Systems Manager documents, see Systems Manager Documents. For information about actions you can add to a document, see Systems Manager Automation Actions.

When you run the AWS-UpdateLinuxAmi document, Automation performs the following tasks.

  1. Launches a temporary Amazon EC2 instance from a Linux AMI. The instance is configured with a User Data script that installs the SSM Agent. The SSM Agent executes scripts sent remotely from Systems Manager Run Command.

  2. Updates the Instance by performing the following actions:

    1. Invokes a user-provided pre-update script on the instance.

    2. Updates AWS tools on the instance, if any tools are present.

    3. Updates distribution packages on the instance by using the native package manager.

    4. Invokes a user-provided post-update script on the instance.

  3. Stops the temporary instance.

  4. Creates a new AMI from the stopped instance.

  5. Terminates the instance.

After Automation successfully completes this workflow, the new AMI is available in the Amazon EC2 console on the AMIs page.

Important

If you use Automation to create an AMI from an instance, be aware that credentials, passwords, data, or other confidential information on the instance are recorded on the new image. Use caution when creating an AMI from an instance.

As you get started with Automation, note the following restrictions.

  • Automation does not perform resource clean-up. In the event your workflow stops before reaching the final instance-termination step in the example workflow, you might need to stop instances manually or disable services that were started during the Automation workflow.

  • If you use userdata with Automation, the userdata must be base-64 encoded.

  • Automation retains execution records for 30 days.

  • Systems Manager and Automation have the following service limits.

Before you begin

Create an AWS Identity and Access Management (IAM) instance profile role and Automation service role (or assume role). For more information about these roles and how to quickly create them from an AWS CloudFormation template, see Method 1: Using AWS CloudFormation to Configure Roles for Automation.

We recommend that you also collect the following information before you begin.

  • The source ID of the AMI to update.

  • (Optional) The URL of a script to run before updates are applied.

  • (Optional) The URL of a script to run after updates are applied.

  • (Optional) The names of specific packages to update. By default, Automation updates all packages.

  • (Optional) The names of specific packages to exclude from updating.

To create a patched AMI using Automation

  1. Open the Amazon EC2 console, expand Systems Manager Services in the navigation pane, and then choose Automations.

  2. Choose Run automation.

  3. In the Document name list, choose AWS-UpdateLinuxAmi.

  4. In the Version list, choose 1.

  5. In the Input parameters section, enter the information you collected in the Before You Begin section.

  6. Choose Run automation. The system displays an automation execution ID. Choose OK.

  7. In the execution list, choose the execution you just ran and then choose the Steps tab. This tab shows you the status of the workflow actions. The update process can take 30 minutes or more to complete.

After the workflow finishes, launch a test instance from the updated AMI to verify changes.

Note

If any step in the workflow fails, information about the failure is listed on the Automation Executions page. The workflow is designed to terminate the temporary instance after successfully completing all tasks. If a step fails, the system might not terminate the instance. So if a step fails, manually terminate the temporary instance.