AWS Systems Manager
User Guide


Simplify AMI Patching Using Automation, Lambda, and Parameter Store

The following example expands on how to update a Windows AMI, as described in Patch a Windows AMI. This example uses the model where an organization maintains and periodically patches their own, proprietary AMIs rather than building from Amazon EC2 AMIs.

The following procedure shows how to automatically apply operating system (OS) patches to a Windows AMI that is already considered to be the most up-to-date, or latest, AMI. In the example, the default value of the Automation parameter sourceAMIid is defined by a Systems Manager Parameter Store parameter called latestAmi. The value of latestAmi is updated by an AWS Lambda function invoked at the end of the Automation workflow. As a result, the time and effort spent patching AMIs is minimized because patching is always applied to the most up-to-date AMI. Note that latestAmi is the trust anchor of this pipeline: the workflow reads it at run time to decide which image to patch and writes the new image ID back to it, so whoever can write the parameter (or invoke the Lambda function that writes it) decides which AMI your fleet launches from. Restrict write access to the parameter and invoke access to the function accordingly.

Before You Begin

Configure Automation roles and, optionally, CloudWatch Events for Automation. For more information, see Getting Started with Automation.

Task 1: Create a Parameter in Systems Manager Parameter Store

Create a string parameter in Parameter Store that uses the following information:

  • Name: latestAmi.

  • Value: a Windows AMI ID. For example: ami-188d6e0e.

For information about how to create a Parameter Store string parameter, see Creating Systems Manager Parameters.

Task 2: Create an IAM Role for AWS Lambda

Use the following procedure to create an IAM service role for AWS Lambda. As written, the role includes the AWSLambdaExecute and AmazonSSMFullAccess managed policies, which give the Lambda function permission to update the value of the latestAmi parameter through Systems Manager. Both policies grant far more than that step needs: AmazonSSMFullAccess lets the function read and write every Systems Manager parameter in the account, and AWSLambdaExecute adds Amazon S3 access the function never uses. For anything beyond a demo, replace them with a policy that allows ssm:DescribeParameters plus ssm:PutParameter on the latestAmi parameter only, and AWSLambdaBasicExecutionRole for CloudWatch Logs.

To create an IAM service role for Lambda

  1. Open the IAM console at

  2. In the navigation pane, choose Roles, and then choose Create New Role.

  3. For Role name, type a role name that can help you identify the purpose of this role, for example, lambda-ssm-role. Role names must be unique within your AWS account. After you type the name, choose Next Step at the bottom of the page.


    Because various entities might reference the role, you cannot change the name of the role after it has been created.

  4. On the Select Role Type page, choose the AWS Service Roles section, and then choose AWS Lambda.

  5. On the Attach Policy page, choose AWSLambdaExecute and AmazonSSMFullAccess, and then choose Next Step.

  6. Choose Create Role.
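    The following least-privilege policy is an added example, not part of the original procedure, and can be attached as an inline or customer managed policy in place of AmazonSSMFullAccess. The region (us-east-1) and account ID (111122223333) are placeholders. ssm:DescribeParameters does not support resource-level permissions, so that statement must use Resource "*"; ssm:PutParameter does, so it is scoped to the latestAmi parameter ARN. Attach the AWS managed policy AWSLambdaBasicExecutionRole alongside it so the function can write its logs.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListParameterMetadata",
      "Effect": "Allow",
      "Action": "ssm:DescribeParameters",
      "Resource": "*"
    },
    {
      "Sid": "WriteLatestAmiOnly",
      "Effect": "Allow",
      "Action": "ssm:PutParameter",
      "Resource": "arn:aws:ssm:us-east-1:111122223333:parameter/latestAmi"
    }
  ]
}
```

    With this policy in place, a compromised or mis-invoked function can at most overwrite latestAmi; it cannot read or alter any other parameter.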

Task 3: Create an AWS Lambda Function

Use the following procedure to create a Lambda function that automatically updates the value of the latestAmi parameter.

To create a Lambda function

  1. Sign in to the AWS Management Console and open the AWS Lambda console at

  2. Choose Create a Lambda function.

  3. On the Create function page, choose Author from scratch.

  4. For Function name, type Automation-UpdateSsmParam.

  5. In the Runtime list, choose a Python 3 runtime. (This example was originally written for the Python 2.7 runtime, which Lambda has since deprecated; the code sample below runs unchanged on Python 3.)

  6. In the Permissions section, choose Use an existing role and choose the service role for Lambda that you created in Task 2.

  7. Choose Create function.

  8. In the Lambda function code section, delete the pre-populated code in the field, and then paste the following code sample.

    from __future__ import print_function

    import json
    import boto3

    print('Loading function')

    # Updates an SSM parameter
    # Expects parameterName, parameterValue
    def lambda_handler(event, context):
        print("Received event: " + json.dumps(event, indent=2))

        # get SSM client
        client = boto3.client('ssm')

        # confirm parameter exists before updating it
        response = client.describe_parameters(
            Filters=[
                {
                    'Key': 'Name',
                    'Values': [
                        event['parameterName']
                    ]
                },
            ]
        )

        if not response['Parameters']:
            print('No such parameter')
            return 'SSM parameter not found.'

        # if parameter has a Description field, update it PLUS the Value
        if 'Description' in response['Parameters'][0]:
            description = response['Parameters'][0]['Description']
            response = client.put_parameter(
                Name=event['parameterName'],
                Value=event['parameterValue'],
                Description=description,
                Type='String',
                Overwrite=True
            )
        # otherwise just update Value
        else:
            response = client.put_parameter(
                Name=event['parameterName'],
                Value=event['parameterValue'],
                Type='String',
                Overwrite=True
            )

        responseString = 'Updated parameter %s with value %s.' % (event['parameterName'], event['parameterValue'])
        return responseString
  9. Choose Save.

  10. To test the Lambda function, from the Select a test event menu, choose Configure test events.

  11. For Event name, enter a name for the test event, such as MyTestEvent.

  12. Replace the existing text with the following JSON.

    {
      "parameterName":"latestAmi",
      "parameterValue":"your AMI ID"
    }
  13. Choose Create.

  14. Select Test to test the function. The output should state that the parameter was successfully updated and include details about the update. For example, “Updated parameter latestAmi with value ami-123456”.
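    The handler above writes whatever parameterName and parameterValue it receives, so any principal with lambda:InvokeFunction on Automation-UpdateSsmParam gets a general Parameter Store write primitive. The following hardened variant is an added example, not the page's or AWS's code: it only accepts parameter names on an explicit allow-list (assumed here to be just latestAmi), rejects values that are not well-formed AMI IDs, refuses to overwrite a parameter whose type is not String, looks the parameter up with an exact-match ParameterFilters query, and takes the SSM client as an argument so the logic can be exercised offline against the FakeSsm stub defined in the block (a constructed stand-in for the two boto3 calls, not the real SDK).

```python
"""Hardened Automation-UpdateSsmParam handler: allow-listed parameter name,
AMI ID format validation, and an injectable SSM client for offline testing."""
import json
import re

# Assumption: this function may only ever update the latestAmi parameter.
ALLOWED_PARAMETERS = {"latestAmi"}
# EC2 image IDs are "ami-" followed by 8 (legacy) or 17 lowercase hex characters.
AMI_ID_PATTERN = re.compile(r"^ami-(?:[0-9a-f]{8}|[0-9a-f]{17})$")


class ValidationError(ValueError):
    """Raised when the event would write something other than an AMI ID to latestAmi."""


def validate_event(event):
    """Return (name, value) or raise ValidationError; nothing is written on failure."""
    name = event.get("parameterName")
    value = event.get("parameterValue")
    if name not in ALLOWED_PARAMETERS:
        raise ValidationError("parameter %r is not on the allow-list" % (name,))
    if not isinstance(value, str) or not AMI_ID_PATTERN.match(value):
        raise ValidationError("value %r is not a well-formed AMI ID" % (value,))
    return name, value


def update_parameter(ssm, name, value):
    """Overwrite an existing String parameter, keeping its Description if it has one."""
    response = ssm.describe_parameters(
        ParameterFilters=[{"Key": "Name", "Option": "Equals", "Values": [name]}]
    )
    found = response.get("Parameters", [])
    if not found:
        return "SSM parameter not found."
    current = found[0]
    if current.get("Type") != "String":
        raise ValidationError("parameter %s is %s, expected String" % (name, current.get("Type")))
    kwargs = {"Name": name, "Value": value, "Type": "String", "Overwrite": True}
    if "Description" in current:
        kwargs["Description"] = current["Description"]
    ssm.put_parameter(**kwargs)
    return "Updated parameter %s with value %s." % (name, value)


def lambda_handler(event, context, ssm=None):
    """Lambda entry point. Automation passes {"parameterName": ..., "parameterValue": ...}."""
    print("Received event: " + json.dumps(event))
    name, value = validate_event(event)
    if ssm is None:
        import boto3  # imported lazily so the offline stub below needs no AWS SDK
        ssm = boto3.client("ssm")
    return update_parameter(ssm, name, value)


class FakeSsm:
    """Constructed in-memory stand-in for the two SSM calls the handler makes."""

    def __init__(self, parameters):
        # name -> {"Type": ..., "Value": ..., "Description": ...}
        self.parameters = {k: dict(v) for k, v in parameters.items()}
        self.writes = []

    def describe_parameters(self, ParameterFilters):
        wanted = ParameterFilters[0]["Values"]
        metadata = []
        for name in wanted:
            if name in self.parameters:
                entry = {k: v for k, v in self.parameters[name].items() if k != "Value"}
                entry["Name"] = name
                metadata.append(entry)
        return {"Parameters": metadata}

    def put_parameter(self, **kwargs):
        self.writes.append(kwargs)
        self.parameters[kwargs["Name"]]["Value"] = kwargs["Value"]
        return {"Version": 2}
```

    Deployed as-is, the handler still needs the IAM permissions from Task 2; the allow-list and the policy scope to the same parameter, so the code and the role each back the other up if one is misconfigured.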

Task 4: Create an Automation Document and Patch the AMI

Use the following procedure to create and run an Automation document that patches the AMI you specified for the latestAmi parameter. After the Automation workflow completes, the value of latestAmi is updated with the ID of the newly-patched AMI. Subsequent executions use the AMI created by the previous execution.

To create an Automation document and patch an AMI

  1. Open the AWS Systems Manager console at

  2. In the navigation pane, choose Documents.


    If the AWS Systems Manager home page opens first, choose the menu icon ( ) to open the navigation pane, and then choose Documents in the navigation pane.

  3. Choose Create document.

  4. In the Name field, type UpdateMyLatestWindowsAmi.

  5. In the Document type list, choose Automation document.

  6. Delete the brackets in the Content field, and then paste the following JSON sample document.


    You must replace the values of assumeRole and IamInstanceProfileName in this sample with the service role ARN and the instance profile name you created when Getting Started with Automation. Note also that the installMissingWindowsUpdates step has onFailure set to Continue, so if the update run fails the workflow still images the unpatched instance and promotes that image ID into latestAmi. If a failed patch run should stop the pipeline instead, set that step's onFailure to Abort; in that case the launched instance is not terminated by the workflow and must be cleaned up separately.

    {
      "description":"Systems Manager Automation Demo – Patch AMI and Update SSM Param",
      "schemaVersion":"0.3",
      "assumeRole":"the role ARN you created",
      "parameters":{
        "sourceAMIid":{
          "type":"String",
          "description":"AMI to patch",
          "default":"{{ssm:latestAmi}}"
        },
        "targetAMIname":{
          "type":"String",
          "description":"Name of new AMI",
          "default":"patchedAMI-{{global:DATE_TIME}}"
        }
      },
      "mainSteps":[
        {
          "name":"startInstances",
          "action":"aws:runInstances",
          "timeoutSeconds":1200,
          "maxAttempts":1,
          "onFailure":"Abort",
          "inputs":{
            "ImageId":"{{ sourceAMIid }}",
            "InstanceType":"m3.large",
            "MinInstanceCount":1,
            "MaxInstanceCount":1,
            "IamInstanceProfileName":"the name of the IAM role you created"
          }
        },
        {
          "name":"installMissingWindowsUpdates",
          "action":"aws:runCommand",
          "maxAttempts":1,
          "onFailure":"Continue",
          "inputs":{
            "DocumentName":"AWS-InstallWindowsUpdates",
            "InstanceIds":[
              "{{ startInstances.InstanceIds }}"
            ],
            "Parameters":{
              "UpdateLevel":"Important"
            }
          }
        },
        {
          "name":"stopInstance",
          "action":"aws:changeInstanceState",
          "maxAttempts":1,
          "onFailure":"Continue",
          "inputs":{
            "InstanceIds":[
              "{{ startInstances.InstanceIds }}"
            ],
            "DesiredState":"stopped"
          }
        },
        {
          "name":"createImage",
          "action":"aws:createImage",
          "maxAttempts":1,
          "onFailure":"Continue",
          "inputs":{
            "InstanceId":"{{ startInstances.InstanceIds }}",
            "ImageName":"{{ targetAMIname }}",
            "NoReboot":true,
            "ImageDescription":"AMI created by EC2 Automation"
          }
        },
        {
          "name":"terminateInstance",
          "action":"aws:changeInstanceState",
          "maxAttempts":1,
          "onFailure":"Continue",
          "inputs":{
            "InstanceIds":[
              "{{ startInstances.InstanceIds }}"
            ],
            "DesiredState":"terminated"
          }
        },
        {
          "name":"updateSsmParam",
          "action":"aws:invokeLambdaFunction",
          "timeoutSeconds":1200,
          "maxAttempts":1,
          "onFailure":"Abort",
          "inputs":{
            "FunctionName":"Automation-UpdateSsmParam",
            "Payload":"{\"parameterName\":\"latestAmi\", \"parameterValue\":\"{{createImage.ImageId}}\"}"
          }
        }
      ],
      "outputs":[
        "createImage.ImageId"
      ]
    }
  7. Choose Create document to save the document.

  8. In the navigation pane, choose Automations, and then choose Execute automation.

  9. In the Automation document list, choose UpdateMyLatestWindowsAmi.

  10. In the Document details section, verify that Document version is set to 1.

  11. In the Execution mode section, choose Execute the entire automation at once.

  12. Leave the Targets and Rate Control option disabled.

  13. After execution completes, choose Parameter Store in the navigation pane and confirm that the new value for latestAmi matches the value returned by the Automation workflow. You can also verify the new AMI ID matches the Automation output in the AMIs section of the EC2 console.
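    Before running a document like the one in Task 4 against a real account, it is worth checking it for the three mistakes that turn this pipeline into a way of promoting a bad image: placeholder values left in assumeRole or IamInstanceProfileName, a step that reads another step's output before that step has run, and a patch step whose onFailure is Continue ahead of createImage. The following lint and its companion fix-up helper are an added example, not part of the page or of Systems Manager. SAMPLE_DOC is a constructed, trimmed copy of the page's document with its placeholders still in place; the role ARN and instance profile name passed to harden() are placeholders too. The lint only understands {{ step.Output }} references, not {{ parameter }} or {{ ssm:name }} ones, and it treats Abort as the fix for the patch step, which leaves the launched instance to be cleaned up separately.

```python
"""Pre-flight lint for a schema 0.3 Automation document such as
UpdateMyLatestWindowsAmi, plus a helper that applies the fixes it recommends."""
import json
import re

ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
PROFILE_NAME = re.compile(r"^[\w+=,.@-]+$")          # IAM names never contain spaces
STEP_REF = re.compile(r"\{\{\s*(\w+)\.(\w+)\s*\}\}")  # {{ step.Output }} only

# Constructed, trimmed copy of the page's document with its placeholders left in.
SAMPLE_DOC = {
    "schemaVersion": "0.3",
    "assumeRole": "the role ARN you created",
    "mainSteps": [
        {"name": "startInstances", "action": "aws:runInstances", "onFailure": "Abort",
         "inputs": {"ImageId": "{{ sourceAMIid }}",
                    "IamInstanceProfileName": "the name of the IAM role you created"}},
        {"name": "installMissingWindowsUpdates", "action": "aws:runCommand", "onFailure": "Continue",
         "inputs": {"DocumentName": "AWS-InstallWindowsUpdates",
                    "InstanceIds": ["{{ startInstances.InstanceIds }}"]}},
        {"name": "createImage", "action": "aws:createImage", "onFailure": "Continue",
         "inputs": {"InstanceId": "{{ startInstances.InstanceIds }}"}},
        {"name": "terminateInstance", "action": "aws:changeInstanceState", "onFailure": "Continue",
         "inputs": {"InstanceIds": ["{{ startInstances.InstanceIds }}"], "DesiredState": "terminated"}},
        {"name": "updateSsmParam", "action": "aws:invokeLambdaFunction", "onFailure": "Abort",
         "inputs": {"FunctionName": "Automation-UpdateSsmParam",
                    "Payload": "{\"parameterName\":\"latestAmi\", \"parameterValue\":\"{{createImage.ImageId}}\"}"}},
    ],
}


def lint_automation_document(doc):
    """Return a list of findings; an empty list means the document passed every check."""
    findings = []
    if not ROLE_ARN.match(doc.get("assumeRole", "")):
        findings.append("assumeRole: not an IAM role ARN (placeholder still present?)")
    steps = doc.get("mainSteps", [])
    seen = set()
    for index, step in enumerate(steps):
        name = step["name"]
        # Every {{ step.Output }} in this step's inputs must name a step that already ran.
        for ref_step, _output in STEP_REF.findall(json.dumps(step.get("inputs", {}))):
            if ref_step not in seen:
                findings.append("%s: references output of %s, which has not run yet" % (name, ref_step))
        if step.get("action") == "aws:runInstances":
            profile = step["inputs"].get("IamInstanceProfileName", "")
            if not profile or not PROFILE_NAME.match(profile):
                findings.append("%s: IamInstanceProfileName is missing or still a placeholder" % name)
        # A patch step allowed to fail silently before createImage promotes an unpatched image.
        if step.get("action") == "aws:runCommand" and step.get("onFailure") == "Continue":
            if any(s.get("action") == "aws:createImage" for s in steps[index + 1:]):
                findings.append("%s: onFailure=Continue lets a failed patch run still be imaged and promoted" % name)
        seen.add(name)
    return findings


def harden(doc, role_arn, instance_profile):
    """Return a copy of doc with the placeholders filled and the patch step set to Abort."""
    fixed = json.loads(json.dumps(doc))  # deep copy; the caller's document is untouched
    fixed["assumeRole"] = role_arn
    for step in fixed["mainSteps"]:
        if step.get("action") == "aws:runInstances":
            step["inputs"]["IamInstanceProfileName"] = instance_profile
        if step.get("action") == "aws:runCommand":
            step["onFailure"] = "Abort"
    return fixed


if __name__ == "__main__":
    for finding in lint_automation_document(SAMPLE_DOC):
        print("FINDING:", finding)
    fixed_doc = harden(SAMPLE_DOC, "arn:aws:iam::111122223333:role/AutomationServiceRole",
                       "AutomationInstanceProfile")
    print("after harden():", lint_automation_document(fixed_doc) or "clean")
```

    Run the lint on the JSON you are about to paste into the Content field; the step-ordering check is the one that catches a document edited by hand, since Automation resolves {{ step.Output }} at run time and a forward reference only fails once an instance is already running.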