Patch Manager prerequisites - AWS Systems Manager

Patch Manager prerequisites

Make sure that you have met the required prerequisites before using Patch Manager, a capability of AWS Systems Manager.

SSM Agent version

Version 2.0.834.0 or later of SSM Agent is running on the managed node you want to manage with Patch Manager.

Note

An updated version of SSM Agent is released whenever new capabilities are added to Systems Manager or updates are made to existing capabilities. Failing to use the latest version of the agent can prevent your managed node from using various Systems Manager capabilities and features. For that reason, we recommend that you automate the process of keeping SSM Agent up to date on your machines. For information, see Automating updates to SSM Agent. Subscribe to the SSM Agent Release Notes page on GitHub to get notifications about SSM Agent updates.

Python version

For macOS and most Linux operating systems (OSs), Patch Manager currently supports Python versions 2.6 - 3.10. The AlmaLinux, Debian Server, Raspberry Pi OS, and Ubuntu Server OSs require a supported version of Python 3 (3.0 - 3.10).

Connectivity to the patch source

If your managed nodes don't have a direct connection to the Internet and you're using an Amazon Virtual Private Cloud (Amazon VPC) with a VPC endpoint, you must ensure that the nodes have access to the source patch repositories (repos). On Linux nodes, patch updates are typically downloaded from the remote repos configured on the node. Therefore, the node must be able to connect to the repos so the patching can be performed. For more information, see How security patches are selected.

Windows Server managed nodes must be able to connect to the Windows Update Catalog or Windows Server Update Services (WSUS). Confirm that your nodes have connectivity to the Microsoft Update Catalog through an internet gateway, NAT gateway, or NAT instance. If you are using WSUS, confirm that the node has connectivity to the WSUS server in your environment. For more information, see Issue: managed node doesn't have access to Windows Update Catalog or WSUS.

S3 endpoint access

Whether your managed nodes operate in a private or public network, without access to the required AWS managed Amazon Simple Storage Service (Amazon S3) buckets, patching operations fail. For information about the S3 buckets your managed nodes must be able to access, see SSM Agent communications with AWS managed S3 buckets and Step 2: Create VPC endpoints.

Supported operating systems for Patch Manager

The Patch Manager capability doesn't support all the same operating systems versions that are supported by other Systems Manager capabilities. For example, Patch Manager doesn't support CentOS 6.3 or Raspberry Pi OS 8 (Jessie). (For the full list of Systems Manager-supported operating systems, see Supported operating systems for Systems Manager.) Therefore, ensure that the managed nodes you want to use with Patch Manager are running one of the operating systems listed in the following table.

Operating system Details

Linux

  • AlmaLinux 8.3–8.7, 9.0–9.2

  • Amazon Linux 2012.03–2018.03

  • Amazon Linux 2 version 2.0 and all later versions

  • Amazon Linux 2022

  • Amazon Linux 2023

  • CentOS 6.5–7.9, 8.0–8.5

  • CentOS Stream 8

  • Debian Server 8.x, 9.x, 10.x, 11.x, and 12.x

  • Oracle Linux 7.5–8.7, 9.0 - 9.2

  • Raspberry Pi OS (formerly Raspbian) 9 (Stretch)

  • Red Hat Enterprise Linux (RHEL) 6.5–8.8, 9.0–9.2

  • Rocky Linux 8.4–8.7, 9.0–9.2

  • SUSE Linux Enterprise Server (SLES) 12.0 and later 12.x versions; 15.0 - 15.5

  • Ubuntu Server 14.04 LTS, 16.04 LTS, 18.04 LTS, 20.04 LTS, 20.10 STR, 22.04 LTS, and 23.04

Note

Managed nodes created from an Amazon Linux 1 AMI that use a proxy must run a current version of the Python requests module to support Patch Manager operations. For more information, see Upgrading the Python requests module on Amazon Linux 1 instances that use a proxy server.

macOS

11.3.1; 11.4–11.7 (Big Sur)

12.0–12.6 (Monterey)

13.0–13.5 (Ventura)

14.0 (Sonoma)

macOS OS updates

Patch Manager doesn't support operating system (OS) updates or upgrades for macOS, such as from 12.x to 13.x or 13.1 to 13.2. To perform OS version updates on macOS, we recommend using Apple's built-in OS upgrade mechanisms. For more information, see Device Management on the Apple Developer Documentation website.

Homebrew support

The Homebrew open-source software package management system has discontinued support for macOS 10.14.x (Mojave) and 10.15.x (Catalina). As a result, patching operations on these versions are not currently supported.

Region support

macOS is not supported in all AWS Regions. For more information about Amazon EC2 support for macOS, see Amazon EC2 Mac instances in the Amazon EC2 User Guide for Linux Instances.

macOS edge devices

SSM Agent for AWS IoT Greengrass core devices is not supported on macOS. You can't use Patch Manager to patch macOS edge devices.

Windows

Windows Server 2008 through Windows Server 2022, including R2 versions.

Note

SSM Agent for AWS IoT Greengrass core devices is not supported on Windows 10. You can't use Patch Manager to patch Windows 10 edge devices.

As of January 14, 2020, Windows Server 2008 is no longer supported for feature or security updates from Microsoft. Legacy Amazon Machine Images (AMIs) for Windows Server 2008 and 2008 R2 still include version 2 of SSM Agent preinstalled, but Systems Manager no longer officially supports 2008 versions and no longer updates the agent for these versions of Windows Server. In addition, SSM Agent version 3 might not be compatible with all operations on Windows Server 2008 and 2008 R2. The final officially supported version of SSM Agent for Windows Server 2008 versions is 2.3.1644.0.