Creating a patching configuration (console) - AWS Systems Manager

Creating a patching configuration (console)

A patching configuration defines a unique patching operation. The configuration specifies the managed nodes for patching, which patch baseline is to be applied, the schedule for patching, and typically, the maintenance window that the configuration is to be associated with.

In a patching configuration, you associate a patching configuration with an existing maintenance window, create a new maintenance window for the configuration, or run a one-time manual patching operation on a set of managed nodes.

Note

Many patching use cases benefit from patching managed nodes on a schedule with a maintenance window, but you can also run a one-time patching operation manually without a maintenance window. For more information, see Patching managed nodes on demand (console).

To minimize the impact on your server availability, we recommend that you configure a maintenance window to run patching during times that won't interrupt your business operations. For more information about maintenance windows, see AWS Systems Manager Maintenance Windows.

If you plan to add the patching configuration to a maintenance window, you must first configure roles and permissions for Maintenance Windows, a capability of AWS Systems Manager, before beginning this procedure. For more information, see Setting up Maintenance Windows.

To create a patching configuration (console)

  1. Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.

  2. In the navigation pane, choose Patch Manager.

    -or-

    If the AWS Systems Manager home page opens first, choose the menu icon ( ) to open the navigation pane, and then choose Patch Manager.

  3. Choose Configure patching.

  4. In the Instances to patch section, choose one of the following:

    • Enter instance tags: Enter a tag key and optional tag value to specify the tagged managed node to patch. Select Add to include additional tagged managed nodes.

    • Select a patch group: Choose the name of an existing patch group that includes the managed nodes you want to patch.

      Note

      The Select a patch group list displays only those patch groups that are attached to, or registered with, a patch baseline. You can register a patch group with a patch baseline in one of two ways. You can use the register-patch-baseline-for-patch-group AWS Command Line Interface (AWS CLI) command, or you can view a patch baseline in the Systems Manager console and select Modify patch groups from the Actions menu.

      Alternatively, to specify an existing patch group that isn't registered with the patch baseline, choose Enter instance tag, enter Patch Group as the tag key and the patch group's name as the tag value.

    • Select instances manually: Select the check box next to the name of each managed node you want to patch.

      Note

      If a managed node you expect to see isn't listed, see Troubleshooting managed node availability for troubleshooting tips.

  5. In the Patching schedule section, choose one of the following:

    • Select an existing maintenance window: From the list, select a maintenance window you have already created, and then continue to Step 7.

    • Schedule in a new maintenance window: Create a new maintenance window to associate with this patching configuration.

    • Skip scheduling and patch now: Run a one-time manual patching operation without a schedule or maintenance window. Continue to Step 7.

  6. If you chose Schedule in a new maintenance window in Step 5, then under How do you want to specify a patching schedule?, do the following:

    • Under How do you want to specify a maintenance window schedule?, choose a schedule builder or expression option.

    • Under maintenance window run frequency, specify how frequently the maintenance window runs. If you're specifying a CRON/Rate expression, see Reference: Cron and rate expressions for Systems Manager for more information.

    • For Maintenance window duration, specify the number of hours the maintenance window is permitted to run before timing out.

    • For Maintenance window name, enter a name to identify the maintenance window.

  7. In the Patching operation area, choose whether to scan managed nodes for missing patches and apply them as needed, or to scan only and generate a list of missing patches.

  8. (Optional) In the Additional settings area, if any target managed nodes you selected belong to a patch group, you can change the patch baseline that is associated with the patch group. To do so, follow these steps:

    1. Choose the button next to the name of the associated patch baseline.

    2. Choose Change patch baseline registration.

    3. Choose the patch baselines you want to specify for this configuration by clearing and selecting check boxes next to the patch baseline names.

    4. Choose Close.

    Note

    For any target managed nodes you selected that aren't part of a patch group, Patch Manager instead uses the default patch baseline for the operating system type of the managed node.

  9. Choose Configure patching.

If you created a new maintenance window for this patching configuration, you can add to it or make patching configuration changes in the Maintenance Windows area of Systems Manager. For more information, see Updating or deleting maintenance window resources (console).