Get started with AWS SSM Patch Manager

Patch Manager, a capability of AWS Systems Manager, automates the process of patching managed nodes with both security-related updates and other types of updates.

Beginning December 22, 2022, Systems Manager provides support for patch policies, which are the new and recommended method for configuring your patching operations. Using a single patch policy configuration, you can define patching for all accounts in all Regions in your organization, for only the accounts and Regions you choose, or for a single account-Region pair. For more information, see Using Quick Setup patch policies.

What is Patch?

A patch, in the context of computing and software, is a piece of software designed to update, fix, or improve a computer program or its supporting data. This includes fixing security vulnerabilities and other bugs, and improving the usability or performance.

Here are some key points about patches:

  1. Bug Fixes: One of the primary purposes of a patch is to fix a known bug or issue in the software. These bugs can range from minor glitches that cause inconvenience to major problems that can crash systems or lead to data loss.

  2. Security Vulnerabilities: Many patches are released to address security vulnerabilities discovered in software. Once a vulnerability is known, it becomes crucial to patch the software to protect systems and data from potential exploits.

  3. Performance Improvements: Some patches are designed to enhance the performance of the software, making it run faster or more efficiently.

  4. Additional Features: Occasionally, patches might add new features to the software or enhance existing ones.

  5. Compatibility: Patches can also ensure compatibility with new hardware or software components.

  6. Format: Patches can be delivered in binary form (where only the changed components are provided) or as source code modifications. Binary patches are usually smaller and quicker to apply, but source code patches can be inspected and modified if necessary.

  7. Installation: Many software systems have built-in mechanisms to automatically check for and install patches, while others require manual installation by users or administrators.

  8. Incremental vs. Cumulative: Some patches are incremental, meaning they only contain the changes made since the last patch. Others are cumulative, meaning they include all previous patches.

  9. Reversibility: Some patching systems allow for the reversal or uninstallation of a patch if issues arise after its application.

  10. Hotpatching: This refers to applying a patch without having to stop or restart the system or software. It's especially valuable in systems that require high availability.

  11. Zero-Day Patch: This is a patch released on the same day that a vulnerability is discovered, often in emergency situations.

It's essential to regularly apply patches to software and operating systems, especially those that address critical security vulnerabilities, to maintain the safety and stability of computer systems.

Patch Manager

You can use Patch Manager to apply patches for both operating systems and applications. (On Windows Server, application support is limited to updates for applications released by Microsoft.) You can use Patch Manager to install Service Packs on Windows nodes and perform minor version upgrades on Linux nodes. You can patch fleets of Amazon Elastic Compute Cloud (Amazon EC2) instances, edge devices, on-premises servers, and virtual machines (VMs) by operating system type. This includes supported versions of several operating systems, as listed in Patch Manager prerequisites. You can scan instances to see only a report of missing patches, or you can scan and automatically install all missing patches. To get started with Patch Manager, open the Systems Manager console. In the navigation pane, choose Patch Manager.

Patch baselines

Patch Manager uses patch baselines, which include rules for auto-approving patches within days of their release, in addition to optional lists of approved and rejected patches. When a patching operation runs, Patch Manager compares the patches currently applied to a managed node to those that should be applied according to the rules set up in the patch baseline. You can choose for Patch Manager to show you only a report of missing patches (a Scan operation), or you can choose for Patch Manager to automatically install all patches it finds are missing from a managed node (a Scan and install operation).

How Patch Manager operations work

AWS Systems Manager Patch Manager operations consist of a series of actions and configurations that work together to scan and apply patches to your managed instances. The fundamental workflow involves setting up a patch baseline, defining a maintenance window (if needed), and then either scanning for or applying updates. Here's a more detailed breakdown of how Patch Manager operations work:

  1. Patch Baseline Configuration:

    • You start by defining a Patch Baseline. This baseline specifies which patches are approved for installation on your instances and which are not.

    • The baseline can include auto-approval rules based on patch categories, severities, and other criteria. For instance, you can automatically approve all critical security patches to be installed as soon as they're available.

    • Additionally, you can manually whitelist (approve) or blacklist (reject) specific patches.

  2. Associating Patch Baseline:

    • Once you've defined a patch baseline, you associate it with one or more managed instances. This tells Patch Manager which rules to follow when patching those instances.

    • You can have multiple baselines, but each instance will have only one baseline associated with it at any given time.

  3. Maintenance Windows:

    • While it's not strictly necessary, you can define a Maintenance Window. This is a scheduled time period when Patch Manager is allowed to take action.

    • Using maintenance windows ensures that patching occurs during periods of low activity or during times when potential service disruptions are acceptable.

  4. Operation Execution:

    • With the baseline and (optionally) maintenance window in place, you execute patching operations.

    • You can initiate two primary types of operations:

      • Scan: Patch Manager will check your instances against the patch baseline to see if any patches are missing or if any non-approved patches are installed. After scanning, you get a compliance report detailing the patching status of your instances.

      • Scan and Install: Patch Manager will actually apply the patches based on the rules in the patch baseline. If you've defined a maintenance window, the patches will be applied during that window.

  5. Reporting & Monitoring:

    • After running patching operations, you can use Systems Manager to review detailed patch compliance data. This shows you which instances are in compliance with your baseline and which are not.

    • Patch Manager integrates with other AWS services like Amazon CloudWatch, allowing you to create alarms or notifications based on patching activity and compliance data.

  6. Role-based Access and Permissions:

    • Using AWS Identity and Access Management (IAM), you can control who can initiate patch operations, create or modify patch baselines, and view patch compliance data.

  7. Logging:

    • Integration with AWS CloudTrail lets you log and audit patching operations for security and compliance purposes.

To sum it up, Patch Manager operations in AWS Systems Manager provide a structured and automated way to maintain patch compliance across a fleet of instances. By defining patch baselines, optionally setting maintenance windows, and initiating patching operations, you can ensure that your EC2 instances and on-premises servers remain up-to-date and secure.

The following five SSM documents are recommended for use in your managed node patching operations.

About predefined and custom patch baselines

Patch Manager, a capability of AWS Systems Manager, provides predefined patch baselines for each of the operating systems supported by Patch Manager. You can use these baselines as they are currently configured (you can't customize them) or you can create your own custom patch baselines. Custom patch baselines allow you greater control over which patches are approved or rejected for your environment. Also, the predefined baselines assign a compliance level of Unspecified to all patches installed using those baselines. For compliance values to be assigned, you can create a copy of a predefined baseline and specify the compliance values you want to assign to patches. For more information, see About custom baselines and Working with custom patch baselines (console).

About custom baselines

If you create your own patch baseline, you can choose which patches to auto-approve by using the following categories.

  • Operating system: Windows Server, Amazon Linux, Ubuntu Server, and so on.

  • Product name (for operating systems): For example, RHEL 6.5, Amazon Linux 2014.09, Windows Server 2012, Windows Server 2012 R2, and so on.

  • Product name (for applications released by Microsoft on Windows Server only): For example, Word 2016, BizTalk Server, and so on.

  • Classification: For example, critical updates, security updates, and so on.

  • Severity: For example, critical, important, and so on.

Keep the following in mind when you create a patch baseline:

  • Patch Manager provides one predefined patch baseline for each supported operating system. These predefined patch baselines are used as the default patch baselines for each operating system type unless you create your own patch baseline and designate it as the default for the corresponding operating system type.

  • For on-premises servers and virtual machines (VMs), Patch Manager attempts to use your custom default patch baseline. If no custom default patch baseline exists, the system uses the predefined patch baseline for the corresponding operating system.

  • If a patch is listed as both approved and rejected in the same patch baseline, the patch is rejected.

  • A managed node can have only one patch baseline defined for it.

  • The formats of package names you can add to lists of approved patches and rejected patches for a patch baseline depend on the type of operating system you're patching.

    For information about accepted formats for lists of approved patches and rejected patches, see About package name formats for approved and rejected patch lists.

  • If you are using a patch policy configuration in Quick Setup, updates you make to custom patch baselines are synchronized with Quick Setup once an hour.

For information about creating a patch baseline, see Working with custom patch baselines (console) and Tutorial: Patch a server environment (AWS CLI).
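To make the baseline rules above concrete, here is an added example (constructed for this post, not Patch Manager's own code) that models a custom baseline with one auto-approval rule plus explicit approved and rejected lists, applies the "rejected wins over approved" rule, and shows what a Scan reports versus what a Scan and install changes. Patch names, dates and compliance levels are sample values.

```python
from collections import namedtuple
from datetime import date, timedelta

# Simplified model, constructed for this example (not Patch Manager's own code),
# of how a custom baseline approves patches and what Scan / Scan and install do.
Patch = namedtuple("Patch", "name classification severity released")
Rule = namedtuple("Rule", "classifications severities approve_after_days compliance_level")
Baseline = namedtuple("Baseline", "rules approved rejected")  # explicit lists are sets

def decide(baseline, patch, today):
    """Return (is_approved, compliance_level). A patch on the rejected list is
    rejected even if it also appears on the approved list."""
    if patch.name in baseline.rejected:
        return False, None
    if patch.name in baseline.approved:
        return True, "UNSPECIFIED"
    for r in baseline.rules:  # auto-approval: filters match and enough days have passed
        matches = patch.classification in r.classifications and patch.severity in r.severities
        if matches and today >= patch.released + timedelta(days=r.approve_after_days):
            return True, r.compliance_level
    return False, None

def run_operation(baseline, available, installed, today, operation="Scan"):
    """Scan reports approved patches missing from the node; Install also applies
    them (simulated by adding them to `installed`) and so reports none missing."""
    missing = {}
    for p in available:
        ok, level = decide(baseline, p, today)
        if ok and p.name not in installed:
            missing[p.name] = level
    if operation == "Install":
        installed.update(missing)
        return {"missing": {}, "installed": sorted(missing)}
    return {"missing": missing, "installed": []}

# Constructed sample: Security patches of Critical/Important severity are
# auto-approved 7 days after release and reported at CRITICAL compliance.
TODAY = date(2023, 9, 15)
SAMPLE_BASELINE = Baseline(
    rules=[Rule({"Security"}, {"Critical", "Important"}, 7, "CRITICAL")],
    approved={"docker-24.0.5"}, rejected={"docker-24.0.5"})
SAMPLE_PATCHES = [
    Patch("kernel-5.10.190", "Security", "Critical", date(2023, 9, 1)),   # 14 days old
    Patch("openssl-3.0.10", "Security", "Important", date(2023, 9, 12)), # only 3 days old
    Patch("vim-9.0", "Bugfix", "Low", date(2023, 8, 1)),                  # matches no rule
    Patch("docker-24.0.5", "Security", "Critical", date(2023, 8, 20)),   # reject list wins
]

def demo(operation="Scan"):  # sample node has only vim-9.0 installed
    return run_operation(SAMPLE_BASELINE, SAMPLE_PATCHES, {"vim-9.0"}, TODAY, operation)
```

Running `demo("Scan")` reports only the 14-day-old kernel patch as missing: the openssl patch has not reached its 7-day auto-approval delay, the vim patch matches no rule, and the docker patch is rejected despite being on the approved list.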

Workshop exercise

Here's a basic workshop exercise to help you test the concept of working with AWS Systems Manager Patch Manager via the AWS Management Console:

Prerequisites:
  • An active AWS account.

  • Necessary IAM permissions to access SSM Patch Manager, EC2, and associated resources.

  • At least one running EC2 instance (preferably a test instance to avoid any potential disruptions).

    To launch an EC2 instance, use the following guide: How to launch a single EC2 instance via AWS CLI

Run Patch Manager via Console:

  1. Access AWS Systems Manager:

    • Log in to the AWS Management Console.

    • Navigate to the Services dropdown and select Systems Manager under Management & Governance.

  2. Navigate to Patch Manager:

    • On the left-hand navigation pane, under Node Management, select Patch Manager.

  3. Define a Patch Baseline:

    • Click on Patch now.

    • Provide a name for the baseline.

    • (Optional) Set a description.

    • Choose the operating system of your instance.

    • Under Auto approval, choose how soon after release you'd like patches to be auto-approved (e.g., 7 days).

    • (Optional) Manually approve or reject specific patches under the respective sections.

    • Click on Create patch baseline.

  4. Configure Patch:

    • Set the required configuration options for your patch. When finished, click the Patch now button.

  5. Clean-Up (Optional):

    • To avoid any unwanted costs, consider stopping or terminating any additional EC2 instances you might have launched.

    • Remove any created resources in Systems Manager, like custom patch baselines.

This exercise provides a basic introduction to using Patch Manager in the AWS Console. In a real-world scenario, you'd often incorporate additional configurations like maintenance windows, deeper patch rules, and integration with other AWS services for monitoring and logging.
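As an added example (not part of the original post), the same workshop steps driven through the SSM API with boto3 instead of the console: create a custom baseline with an auto-approval rule, bind it to a patch group, run the AWS-RunPatchBaseline document as a Scan, and read back the non-compliant (missing) patches. The SSM client is passed in as a parameter; the baseline name, the patch group "Workshop", the Amazon Linux 2 operating system and the instance ID are placeholders to replace, and the instance must already be an SSM managed node tagged `Patch Group` with that group name.

```python
SECURITY_RULE = {  # mirrors the console's auto-approval rule for Amazon Linux 2
    "PatchRules": [{
        "PatchFilterGroup": {"PatchFilters": [
            {"Key": "CLASSIFICATION", "Values": ["Security"]},
            {"Key": "SEVERITY", "Values": ["Critical", "Important"]},
        ]},
        "ApproveAfterDays": 7,          # the console's "Auto approval" delay
        "ComplianceLevel": "CRITICAL",  # a predefined baseline would report UNSPECIFIED
    }]
}

def create_baseline(ssm, name, rejected=()):
    """Workshop step 3: create a custom baseline; rejected names are blocked."""
    resp = ssm.create_patch_baseline(
        Name=name, OperatingSystem="AMAZON_LINUX_2",
        Description="Workshop baseline (constructed example)",
        ApprovalRules=SECURITY_RULE,
        RejectedPatches=list(rejected), RejectedPatchesAction="BLOCK")
    return resp["BaselineId"]

def scan_instance(ssm, baseline_id, patch_group, instance_id):
    """Workshop step 4 as a Scan: bind the baseline to a patch group (the instance
    must carry the tag 'Patch Group'=patch_group) and return the missing patches."""
    ssm.register_patch_baseline_for_patch_group(BaselineId=baseline_id, PatchGroup=patch_group)
    cmd = ssm.send_command(InstanceIds=[instance_id], DocumentName="AWS-RunPatchBaseline",
                           Parameters={"Operation": ["Scan"]})  # "Install" would apply them
    cmd_id = cmd["Command"]["CommandId"]
    ssm.get_waiter("command_executed").wait(CommandId=cmd_id, InstanceId=instance_id)
    items = ssm.list_compliance_items(
        ResourceIds=[instance_id], ResourceTypes=["ManagedInstance"],
        Filters=[{"Key": "ComplianceType", "Values": ["Patch"]}])["ComplianceItems"]
    return sorted(i["Title"] for i in items if i["Status"] == "NON_COMPLIANT")

if __name__ == "__main__":
    import boto3  # real run: needs credentials and an SSM-managed, tagged instance
    ssm = boto3.client("ssm")
    bid = create_baseline(ssm, "workshop-al2-security")
    print("Missing approved patches:", scan_instance(ssm, bid, "Workshop", "i-REPLACE-ME"))
```

Because the client is injected, the flow can be dry-run against a stub that records the calls before it is pointed at a real account.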