Tutorial: Patch a server environment using the AWS CLI
The following procedure describes how to patch a server environment by using a custom patch baseline, patch groups, and a maintenance window.
Before you begin
- Install or update the SSM Agent on your managed nodes. To patch Linux managed nodes, your nodes must be running SSM Agent version 2.0.834.0 or later. For more information, see Updating the SSM Agent using Run Command.
- Configure roles and permissions for Maintenance Windows, a capability of AWS Systems Manager. For more information, see Setting up Maintenance Windows.
- Install and configure the AWS Command Line Interface (AWS CLI), if you haven't already. For information, see Installing or updating the latest version of the AWS CLI.
To configure Patch Manager and patch managed nodes (command line)
- Run the following command to create a patch baseline for Windows named Production-Baseline. This patch baseline approves patches for a production environment 7 days after they're released or last updated. In addition, the patch baseline is tagged to indicate that it's for a production environment.
Note
The OperatingSystem parameter and PatchFilters vary depending on the operating system of the target managed nodes the patch baseline applies to. For more information, see OperatingSystem and PatchFilter.
The system returns information like the following.
{ "BaselineId":"pb-0c10e65780EXAMPLE" }
- Run the following commands to register the "Production-Baseline" patch baseline for two patch groups. The groups are named "Database Servers" and "Front-End Servers".
The system returns information like the following.
{ "PatchGroup":"Database Servers", "BaselineId":"pb-0c10e65780EXAMPLE" }
The system returns information like the following.
{ "PatchGroup":"Front-End Servers", "BaselineId":"pb-0c10e65780EXAMPLE" }
- Run the following commands to create two maintenance windows for the production servers. The first window runs every Tuesday at 10 PM. The second window runs every Saturday at 10 PM. In addition, each maintenance window is tagged to indicate that it's for a production environment.
The system returns information like the following.
{ "WindowId":"mw-0c50858d01EXAMPLE" }
The system returns information like the following.
{ "WindowId":"mw-9a8b7c6d5eEXAMPLE" }
- Run the following commands to register the Database and Front-End servers patch groups with their respective maintenance windows.
The system returns information like the following.
{ "WindowTargetId":"e32eecb2-646c-4f4b-8ed1-205fbEXAMPLE" }
The system returns information like the following.
{ "WindowTargetId":"faa01c41-1d57-496c-ba77-ff9caEXAMPLE" }
- Run the following commands to register a patch task that installs missing updates on the Database and Front-End servers during their respective maintenance windows.
The system returns information like the following.
{ "WindowTaskId":"4f7ca192-7e9a-40fe-9192-5cb15EXAMPLE" }
The system returns information like the following.
{ "WindowTaskId":"8a5c4629-31b0-4edd-8aea-33698EXAMPLE" }
- Run the following command to get the high-level patch compliance summary for a patch group. The high-level patch compliance summary includes the number of managed nodes with patches in the respective patch states.
Note
It's expected to see zeroes for the number of managed nodes in the summary until the patch task runs during the first maintenance window.
The system returns information like the following.
{
    "Instances": number,
    "InstancesWithFailedPatches": number,
    "InstancesWithInstalledOtherPatches": number,
    "InstancesWithInstalledPatches": number,
    "InstancesWithInstalledPendingRebootPatches": number,
    "InstancesWithInstalledRejectedPatches": number,
    "InstancesWithMissingPatches": number,
    "InstancesWithNotApplicablePatches": number,
    "InstancesWithUnreportedNotApplicablePatches": number
}
- Run the following command to get patch summary states per managed node for a patch group. The per-node summary includes the number of patches in each patch state for every managed node in the patch group.
The system returns information like the following.
{
    "InstancePatchStates": [
        {
            "BaselineId": "string",
            "FailedCount": number,
            "InstalledCount": number,
            "InstalledOtherCount": number,
            "InstalledPendingRebootCount": number,
            "InstalledRejectedCount": number,
            "InstallOverrideList": "string",
            "InstanceId": "string",
            "LastNoRebootInstallOperationTime": number,
            "MissingCount": number,
            "NotApplicableCount": number,
            "Operation": "string",
            "OperationEndTime": number,
            "OperationStartTime": number,
            "OwnerInformation": "string",
            "PatchGroup": "string",
            "RebootOption": "string",
            "SnapshotId": "string",
            "UnreportedNotApplicableCount": number
        }
    ]
}
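The per-node output above is what you would feed into a compliance check after a maintenance window has run. The following is an added example, not part of the AWS documentation or the AWS CLI: it evaluates a constructed sample in the shape of that output (instance IDs, counts and timestamps are made up) and flags nodes that still have failed, missing, pending-reboot or rejected patches, nodes whose last operation was not an install, and nodes whose last operation is older than the weekly window cadence. The fixed NOW value is an assumption that keeps the example deterministic.

```python
import json
from datetime import datetime, timedelta, timezone

# Fixed "now" keeps the example deterministic; a real check would use datetime.now(timezone.utc).
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)

def _epoch(days_ago):
    return (NOW - timedelta(days=days_ago)).timestamp()

# Constructed sample shaped like `aws ssm describe-instance-patch-states-for-patch-group`
# output for the "Database Servers" group; instance IDs and counts are made up.
SAMPLE_OUTPUT = json.dumps({"InstancePatchStates": [
    {"InstanceId": "i-0db0000000EXAMPLE", "PatchGroup": "Database Servers",
     "BaselineId": "pb-0c10e65780EXAMPLE", "Operation": "Install", "FailedCount": 0,
     "MissingCount": 0, "InstalledPendingRebootCount": 0, "InstalledRejectedCount": 0,
     "OperationEndTime": _epoch(2)},   # patched in the last Tuesday window
    {"InstanceId": "i-0db0000001EXAMPLE", "PatchGroup": "Database Servers",
     "BaselineId": "pb-0c10e65780EXAMPLE", "Operation": "Install", "FailedCount": 1,
     "MissingCount": 3, "InstalledPendingRebootCount": 2, "InstalledRejectedCount": 0,
     "OperationEndTime": _epoch(2)},   # ran on time, but left patches missing/failed
    {"InstanceId": "i-0db0000002EXAMPLE", "PatchGroup": "Database Servers",
     "BaselineId": "pb-0c10e65780EXAMPLE", "Operation": "Scan", "FailedCount": 0,
     "MissingCount": 0, "InstalledPendingRebootCount": 0, "InstalledRejectedCount": 1,
     "OperationEndTime": _epoch(10)},  # last run predates the weekly window
]})

def evaluate_patch_states(output_json, now=NOW, max_age=timedelta(days=7)):
    """Return {InstanceId: [findings]} for nodes needing attention; {} means compliant."""
    findings = {}
    for state in json.loads(output_json)["InstancePatchStates"]:
        issues = []
        if state.get("FailedCount", 0) > 0:
            issues.append("failed patches")
        if state.get("MissingCount", 0) > 0:
            issues.append("missing approved patches")
        if state.get("InstalledPendingRebootCount", 0) > 0:
            issues.append("reboot required to finish install")
        if state.get("InstalledRejectedCount", 0) > 0:
            issues.append("rejected patch is installed")
        if state.get("Operation") != "Install":
            issues.append("last operation was not an install")
        # OperationEndTime is epoch seconds; a stale value means the node missed its window.
        last_run = datetime.fromtimestamp(state["OperationEndTime"], tz=timezone.utc)
        if now - last_run > max_age:
            issues.append("no patch operation within the weekly window cadence")
        if issues:
            findings[state["InstanceId"]] = issues
    return findings
```

Calling evaluate_patch_states(SAMPLE_OUTPUT) flags the second and third instances and returns an empty dict for a fully compliant group, which makes it easy to fail a pipeline step or raise an alert when a window leaves nodes behind.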
For examples of other AWS CLI commands you can use for your Patch Manager configuration tasks, see Working with Patch Manager resources using the AWS CLI.