Patching instances on demand (console) - AWS Systems Manager

Patching instances on demand (console)

Using the Patch now option in Patch Manager, a capability of AWS Systems Manager, you can run on-demand patching operations from the Systems Manager console. This means you don’t have to create a schedule in order to update the compliance status of your instances or to install patches on noncompliant instances. You also don’t need to switch the Systems Manager console between Patch Manager and Maintenance Windows, a capability of AWS Systems Manager, in order to set up or modify a scheduled patching window.

Patch now is especially useful when you must apply zero-day updates or install other critical patches on your managed instances as soon as possible.

How 'Patch now' works

To run Patch now, you specify just two required options:

  • Whether to scan for missing patches only, or to scan and install patches on your instances

  • Which instances to run the operation on

Other options include choosing when, or whether, to reboot instances after patching, specifying an Amazon Simple Storage Service (Amazon S3) bucket to store log data for the patching operation, and running Systems Manager documents (SSM documents) as lifecycle hooks during patching.

When the Patch now operation runs, it uses the patch baseline that is currently set as the default for the operating system type of your instances. (This can be a predefined baseline, or the custom baseline you have set as the default.) In addition, the concurrency and error threshold options are handled by Patch Manager. You don't need to specify how many instances to patch at once, nor how many errors are permitted before the operation fails. Patch Manager applies the concurrency and error threshold settings described in the following tables when you patch on demand.

Total number of instances in the Patch now operation Number of instances scanned or patched at a time
Fewer than 25 1
25-100 5%
101 to 1,000 8%
More than 1,000 10%
Error threshold
Total number of instances in the Patch now operation Number of errors permitted before the operation fails
Fewer than 25 1
25-100 5
101 to 1,000 10
More than 1,000 10

Running 'Patch now'

Use the following procedure to patch your instances on demand.

To run 'Patch now'

  1. Open the AWS Systems Manager console at

  2. In the navigation pane, choose Patch Manager.

  3. On either the AWS Systems Manager Patch Manager page or the Patch baselines page, depending on which one opens, choose Patch now.

  4. For Patching operation, choose one of the following:

    • Scan: Patch Manager finds which patches are missing from your instances but doesn't install them. You can view the results in the Compliance dashboard or in other tools you use for viewing patch compliance.

    • Scan and install: Patch Manager finds which patches are missing from your instances and installs them.

  5. Use this step only if you chose Scan and install in the previous step. For Reboot option, choose one of the following:

    • Reboot if needed: After installation, Patch Manager reboots instances only if needed to complete a patch installation.

    • Don't reboot my instances: After installation, Patch Manager doesn't reboot instances. You can reboot instances manually when you choose or manage reboots outside of Patch Manager.

    • Schedule a reboot time: Specify the date, time, and UTC time zone for Patch Manager to reboot your instances. If you want to run a Systems Manager Command document (SSM document) after the reboot, select it from Post-reboot lifecycle hook.

  6. For Instances to patch, choose one of the following:

    • Patch all instances: Patch Manager runs the specified operation on all managed instances in your AWS account in the current AWS Region.

    • Patch only the target instances I specify: You specify which instances to target in the next step.

  7. Use this step only if you chose Patch only the target instances I specify in the previous step. In the Target selection section, identify the instances on which you want to run this operation by specifying tags, selecting instances manually, or specifying a resource group.


    If an Amazon EC2 instance you expect to see isn't listed, see Troubleshooting Amazon EC2 managed instance availability for troubleshooting tips.

    If you choose to target a resource group, note that resource groups that are based on an AWS CloudFormation stack must still be tagged with the default aws:cloudformation:stack-id tag. If it has been removed, Patch Manager might be unable to determine which instances belong to the resource group.

  8. (Optional) For Patching log storage, if you want to create and save logs from this patching operation, select the S3 bucket for storing the logs.

  9. (Optional) If you want to run SSM documents as lifecycle hooks during specific points of the patching operation, do the following:

    • Choose Use lifecycle hooks.

    • For each available hook, select the SSM document to run at the specified point of the operation:

      • Before installation

      • After installation

      • On exit


      The default document, AWS-Noop, runs no operations.

  10. Choose Patch now.

    The Association execution summary page opens. (Patch now uses associations in State Manager, a capability of AWS Systems Manager, for its operations.) In the Operation summary area, you can monitor the status of scanning or patching on the instances you specified.