Patch management - AWS Cloud Adoption Framework: Operations Perspective

Patch management

Systematically distribute and apply software updates.

Patch management is the process of distributing and applying updates to software. A systematic approach to patch management will ensure that you benefit from the latest updates while minimizing risks to production environments.

If you are involved in application or infrastructure operations, you understand the importance of an OS patching solution that is flexible and scalable enough to meet the varied requirements from your application teams. In a typical organization, some application teams use an architecture that involves immutable instances, whereas others deploy their applications on mutable instances.

Immutable instance patching involves applying the patches to the AMIs that are used to provision the immutable EC2 application instances. Mutable instance patching involves an in-place patch deployment to running instances during a scheduled maintenance window.

Start

To get started with patch management on AWS, you first need to ensure that your Amazon EC2 instances are set up to register with AWS Systems Manager. Additionally, you can register hybrid environment resources, such as on-premises servers, edge devices, and virtual machines (VMs) with AWS Systems Manager, including VMs in other cloud environments. By registering your hybrid environment resources with Systems Manager, you can use a single tool to automate patching and other remote operations across your environment.

AWS Systems Manager Patch Manager uses patch baselines, which include rules for auto-approving patches within a set number of days of their release, in addition to lists of explicitly approved and rejected patches. Patch Manager provides predefined patch baselines for each operating system it supports. You can use these baselines as they are (they can't be customized), or you can create your own custom patch baselines. Custom patch baselines give you greater control over which patches are approved or rejected for your environment. After the appropriate approval rules have been identified, deploy the custom patch baselines across accounts and AWS Regions so that the patch criteria for managed nodes are consistent and in line with your security standards.
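The approval-rule semantics described above, as an added example that is not AWS code or code from this page: a custom baseline written in the shape of a CreatePatchBaseline request (the same dict could be passed to boto3's `create_patch_baseline`), plus a simplified local model of how its rules and lists decide each patch, run offline against constructed patch metadata. The baseline name and the package names are assumptions.

```python
from datetime import date
# Custom baseline in the shape of a CreatePatchBaseline request: Security patches
# rated Critical/Important auto-approve 7 days after release; one package is
# explicitly approved and one rejected (all package names are constructed).
BASELINE = {
    "Name": "prod-al2-security",            # assumed baseline name
    "OperatingSystem": "AMAZON_LINUX_2",
    "ApprovalRules": {"PatchRules": [{
        "PatchFilterGroup": {"PatchFilters": [
            {"Key": "CLASSIFICATION", "Values": ["Security"]},
            {"Key": "SEVERITY", "Values": ["Critical", "Important"]},
        ]},
        "ApproveAfterDays": 7,
        "ComplianceLevel": "CRITICAL",
    }]},
    "ApprovedPatches": ["kernel-5.10.184-175.749.amzn2"],
    "RejectedPatches": ["openssl-1.0.2k-24.amzn2"],
    "RejectedPatchesAction": "BLOCK",       # never install, not even as a dependency
}
def rule_matches(rule, patch):
    # A rule applies only if every filter in its group matches the patch.
    return all(patch.get(f["Key"]) in f["Values"]
               for f in rule["PatchFilterGroup"]["PatchFilters"])

def evaluate(baseline, patch, today):
    """Simplified local model of baseline evaluation for one patch record."""
    if patch["ID"] in baseline.get("RejectedPatches", []):
        return "REJECTED"                   # explicit reject wins over any rule
    if patch["ID"] in baseline.get("ApprovedPatches", []):
        return "APPROVED"                   # explicit approve, no waiting period
    for rule in baseline["ApprovalRules"]["PatchRules"]:
        if rule_matches(rule, patch):
            age_days = (today - patch["RELEASE_DATE"]).days
            return "APPROVED" if age_days >= rule["ApproveAfterDays"] else "PENDING"
    return "NOT_APPROVED"                   # matches no rule and no list

def approved_ids(baseline, patches, today):
    return [p["ID"] for p in patches if evaluate(baseline, p, today) == "APPROVED"]
# Constructed sample patch metadata and reference date for an offline run.
TODAY = date(2024, 3, 15)
def record(pid, cls, sev, released):
    return {"ID": pid, "CLASSIFICATION": cls, "SEVERITY": sev, "RELEASE_DATE": released}
SAMPLE_PATCHES = [
    record("glibc-2.26-64.amzn2", "Security", "Critical", date(2024, 3, 1)),     # 14 days old
    record("curl-8.3.0-1.amzn2", "Security", "Important", date(2024, 3, 12)),   # 3 days old
    record("vim-9.0-1.amzn2", "Bugfix", "Low", date(2024, 1, 1)),               # no rule
    record("openssl-1.0.2k-24.amzn2", "Security", "Critical", date(2024, 1, 1)),  # rejected
    record("kernel-5.10.184-175.749.amzn2", "Security", "Important", date(2024, 3, 14)),
]
```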

Ensure all managed nodes are performing patch scans on a scheduled basis. To quickly enable daily patch scans across your AWS Organization, use the Quick Setup Host Management configuration. Establish standard patch installation periods during well-defined maintenance windows. You can enable Systems Manager Explorer to aggregate patch compliance states, in addition to other operational data sources, and display data across multiple accounts and Regions.

Advance

Update your machine images using EC2 Image Builder, and include components to update and test patches before rolling out to production for your immutable resources.

For mutable resources, notify users in advance with the details of the upcoming updates, and allow them to defer patches when other mitigating controls are available. Establish standard processes for remediating zero-day vulnerabilities or installing specific patches by using an install override list.

Schedule centralized multi-account and multi-Region patch scan or install operations using AWS Systems Manager Automation. Deploy resource data syncs in each account and Region where managed instances are registered to aggregate patch compliance, association compliance, and inventory metadata details to a single S3 bucket.

You can deploy Systems Manager resource data syncs across your accounts and Regions to send inventory metadata, association compliance, and patch compliance data collected from all of your managed nodes to a single Amazon S3 bucket. Resource data sync then automatically updates the centralized data when new inventory data is collected. With all inventory data stored in a target Amazon S3 bucket, you can use services such as Amazon Athena and Amazon QuickSight to query and analyze the aggregated data.

To retain patch compliance data for the long term, or for audit and regulatory requirements, record it with AWS Config and evaluate patch compliance using AWS Config rules. AWS Config provides a detailed view of the configuration of the AWS resources in your AWS account, including how the resources are related to one another and how they were configured in the past, so you can see how configurations and relationships change over time.

Excel

To automate vulnerability management, enable Amazon Inspector. Amazon Inspector is a vulnerability management service that continuously scans your AWS workloads for vulnerabilities. Amazon Inspector automatically discovers and scans Amazon EC2 instances and container images residing in Amazon Elastic Container Registry (Amazon ECR) for software vulnerabilities and unintended network exposure. If your AWS environment has multiple accounts, you can centrally manage your environment through a single account by using AWS Organizations and designating an account as the delegated administrator account for Amazon Inspector. You can resolve Inspector findings using patch install operations or install override lists.

For application workloads that require custom multi-step patch processes, use Patch Manager lifecycle hooks. Patch lifecycle hooks provide pre-patching and post-patching hooks that allow custom, customer-specified steps to be run at different phases of the patching workflow. For example, consider a customer with a custom-built application that requires a procedure to start and stop the application. The customer can use patch lifecycle hooks to run a pre-patching custom script that safely shuts down the application before the patching process runs. After patching is complete and the server has been rebooted, a post-patching custom script can start the application and perform validation testing to ensure it is operating as expected before signaling success of the overall patching process.