Working with Patch Manager resources and compliance using the console

To use Patch Manager, a tool in AWS Systems Manager, complete the following tasks. These tasks are described in more detail in this section.

1. Verify that the AWS predefined patch baseline for each operating system type that you use meets your needs. If it doesn't, create a patch baseline that defines a standard set of patches for that managed node type and set it as the default instead.

2. Organize managed nodes into patch groups by using Amazon Elastic Compute Cloud (Amazon EC2) tags (optional, but recommended).

3. Do one of the following:

   • (Recommended) Configure a patch policy in Quick Setup, a tool in Systems Manager, that lets you install missing patches on a schedule for an entire organization, a subset of organizational units, or a single AWS account. For more information, see Configure patching for instances in an organization using a Quick Setup patch policy.

   • Create a maintenance window that uses the Systems Manager document (SSM document) AWS-RunPatchBaseline in a Run Command task type. For more information, see Tutorial: Create a maintenance window for patching using the console.

   • Manually run AWS-RunPatchBaseline in a Run Command operation. For more information, see Running commands from the console.

   • Manually patch nodes on demand using the Patch now feature. For more information, see Patching managed nodes on demand.

4. Monitor patching to verify compliance and investigate failures.

Topics

• Creating a patch policy

• Viewing patch Dashboard summaries

• Working with patch compliance reports

• Patching managed nodes on demand

• Working with patch baselines

• Viewing available patches

• Creating and managing patch groups

• Integrating Patch Manager with AWS Security Hub