Streamline Patch Management Across Your AWS Organization Using Systems Manager Quick Setup


Organizations running on Amazon Web Services (AWS) need reliable ways to keep their resources and applications patched, secure, and compliant. Previously, the Host Management Quick Setup configuration could scan instances daily for missing patches, and patches could be installed using the default patch baselines against specific patch groups.

We are pleased to introduce Quick Setup Patch Policies, powered by Patch Manager, which simplify setting up patch management across your AWS Organization. A patch policy lets you schedule patch scans and patch installations against the baselines you choose, across multiple AWS accounts and Regions.

You can apply either AWS’s default patch baselines or your custom baselines to different operating systems. The system supports targeting Amazon Elastic Compute Cloud (EC2) instances and hybrid managed nodes throughout the entire AWS Organization or to specific Organizational Units (OUs) and regions. This flexibility also includes the ability to select all managed nodes or filter based on specific resource tags. You can create and oversee numerous patch policies concurrently, allowing for more nuanced control over patching operations for different instance sets.

With the introduction of patch policies and Quick Setup, scanning and applying patches to managed nodes can now be accomplished with enhanced control. Previously, users might have had to log into multiple accounts to track patch compliance and perform updates. Now, customers can enforce a patch policy organization-wide for various operating systems across multiple accounts and regions, while easily reviewing compliance data for targeted managed nodes.
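Reviewing that compliance data is where the work actually starts. As an added example that is not part of the original post or of any AWS tooling, the script below consumes the JSON that `aws ssm describe-instance-patch-states` returns (the same fields boto3's `describe_instance_patch_states` hands back) and sorts every managed node into compliant, non-compliant, pending reboot, or stale. The four node records in `SAMPLE` are constructed; the instance IDs, patch group and baseline ID are made up, and the 36-hour staleness threshold is an assumption tied to a daily scan schedule.

```python
"""Assess patch compliance of managed nodes from Patch Manager data.

Added example, not code from the original post or from AWS. It consumes the
JSON shape returned by `aws ssm describe-instance-patch-states` and classifies
each node. SAMPLE is constructed data, not output from a real account; the
instance IDs, patch group and baseline ID in it are made up.
"""
import datetime as dt
import json

# Constructed sample: four nodes, one per outcome the classifier can produce.
SAMPLE = json.loads("""
{
  "InstancePatchStates": [
    {"InstanceId": "i-0aaa1111aaaa1111a", "PatchGroup": "web",
     "BaselineId": "pb-0123456789abcdef0", "Operation": "Scan",
     "OperationEndTime": "2024-11-19T01:05:12+00:00", "RebootOption": "NoReboot",
     "InstalledCount": 118, "MissingCount": 0, "FailedCount": 0,
     "InstalledPendingRebootCount": 0,
     "CriticalNonCompliantCount": 0, "SecurityNonCompliantCount": 0},
    {"InstanceId": "i-0bbb2222bbbb2222b", "PatchGroup": "web",
     "BaselineId": "pb-0123456789abcdef0", "Operation": "Scan",
     "OperationEndTime": "2024-11-19T01:04:47+00:00", "RebootOption": "NoReboot",
     "InstalledCount": 115, "MissingCount": 3, "FailedCount": 0,
     "InstalledPendingRebootCount": 0,
     "CriticalNonCompliantCount": 1, "SecurityNonCompliantCount": 2},
    {"InstanceId": "i-0ccc3333cccc3333c", "PatchGroup": "web",
     "BaselineId": "pb-0123456789abcdef0", "Operation": "Scan",
     "OperationEndTime": "2024-11-19T01:06:03+00:00", "RebootOption": "NoReboot",
     "LastNoRebootInstallOperationTime": "2024-11-17T02:20:41+00:00",
     "InstalledCount": 114, "MissingCount": 0, "FailedCount": 0,
     "InstalledPendingRebootCount": 4,
     "CriticalNonCompliantCount": 0, "SecurityNonCompliantCount": 0},
    {"InstanceId": "i-0ddd4444dddd4444d", "PatchGroup": "web",
     "BaselineId": "pb-0123456789abcdef0", "Operation": "Scan",
     "OperationEndTime": "2024-11-10T01:04:58+00:00", "RebootOption": "NoReboot",
     "InstalledCount": 110, "MissingCount": 0, "FailedCount": 0,
     "InstalledPendingRebootCount": 0,
     "CriticalNonCompliantCount": 0, "SecurityNonCompliantCount": 0}
  ]
}
""")

# Fixed "now" for the constructed sample; real runs use dt.datetime.now(dt.timezone.utc).
NOW = dt.datetime(2024, 11, 19, 12, 0, tzinfo=dt.timezone.utc)
# Assumption: with a daily scan, a last operation older than this means the
# association or SSM Agent is not running, so the counts cannot be trusted.
MAX_SCAN_AGE = dt.timedelta(hours=36)


def _parse_time(value):
    """Parse the ISO-8601 timestamps the CLI emits (boto3 already returns datetime objects)."""
    if isinstance(value, dt.datetime):
        return value
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify(state, now=NOW, max_age=MAX_SCAN_AGE):
    """Return (status, reason) for one InstancePatchState record.

    Order matters: stale data is flagged before any count is trusted, failed or
    missing patches outrank a pending reboot, and a node is COMPLIANT only when
    nothing is missing, failed or waiting for a reboot (Patch Manager likewise
    treats InstalledPendingReboot as non-compliant).
    """
    age = now - _parse_time(state["OperationEndTime"])
    if age > max_age:
        return "STALE", "last %s finished %dh ago; check SSM Agent and the scan association" % (
            state.get("Operation", "operation"), age.total_seconds() // 3600)
    if state.get("FailedCount", 0):
        return "NON_COMPLIANT", "%d patch(es) failed to install" % state["FailedCount"]
    if state.get("MissingCount", 0):
        return "NON_COMPLIANT", "%d missing (%d critical, %d security)" % (
            state["MissingCount"], state.get("CriticalNonCompliantCount", 0),
            state.get("SecurityNonCompliantCount", 0))
    if state.get("InstalledPendingRebootCount", 0):
        return "PENDING_REBOOT", "%d patch(es) installed but waiting for a reboot" % (
            state["InstalledPendingRebootCount"])
    return "COMPLIANT", "%d installed, nothing missing" % state.get("InstalledCount", 0)


def summarize(states, now=NOW, max_age=MAX_SCAN_AGE):
    """Group instance IDs by status, e.g. {'COMPLIANT': [...], 'NON_COMPLIANT': [...]}."""
    groups = {}
    for state in states:
        status, _ = classify(state, now, max_age)
        groups.setdefault(status, []).append(state["InstanceId"])
    return {status: sorted(ids) for status, ids in groups.items()}


def load_states(path=None):
    """Read saved CLI output (aws ssm describe-instance-patch-states ... > states.json) or fall back to SAMPLE."""
    if path is None:
        return SAMPLE["InstancePatchStates"]
    with open(path) as fh:
        return json.load(fh)["InstancePatchStates"]


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    now = dt.datetime.now(dt.timezone.utc) if path else NOW
    for state in load_states(path):
        status, reason = classify(state, now)
        print("%-20s %-14s %s" % (state["InstanceId"], status, reason))
```

Run it with no arguments to see the constructed sample classified, or pass a file saved from the CLI to classify a real fleet. The stale check is the one most often skipped: a node whose agent has stopped reporting looks compliant if you only read the counts.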

In this article, we will guide you through the process of creating a patch policy using the Quick Setup Patch Manager configuration type, as well as how to assess the compliance of your managed nodes against these policies.

Overview of Quick Setup

Quick Setup is a feature of Systems Manager that allows for rapid configuration of commonly used AWS services and features based on recommended best practices. It automates routine or recommended tasks to simplify service setups. You can use Quick Setup within a single AWS account or across multiple accounts and regions by integrating with AWS Organizations.

Implementing Quick Setup across various accounts ensures that your organization maintains uniform configurations. Furthermore, Quick Setup regularly checks for any configuration drift and attempts to rectify it. Configuration drift occurs when a user modifies a service or feature in a way that conflicts with the selections made through Quick Setup.

To create a consistent configuration, Quick Setup leverages AWS CloudFormation StackSets to deploy configurations throughout your organization.

Here’s how the process works for the Patch Manager configuration:

  1. You create the patch policy using Quick Setup, and the selected parameters are sent to CloudFormation.
  2. CloudFormation generates a stack set with the defined parameters and targeted accounts and regions.
  3. Stack instances are created in each target account and region.
  4. These instances generate a Systems Manager State Manager association for the specified patch scan and an additional association for patch installation if chosen. These associations follow the schedules set when creating the patch policy.

Architecture for creating patch policies using the Patch Manager configuration within Systems Manager Quick Setup.

Besides the resources mentioned above, other resources are created by Quick Setup. In the Organization management account, the following resources are established:

  • An Amazon Simple Storage Service (S3) bucket to house the patch baselines specified as a JSON file.
  • An AWS Lambda function to evaluate changes to custom patch baselines specified within Quick Setup. If modifications occur, Quick Setup disseminates these changes across the target accounts and regions.
  • A Systems Manager Automation runbook to invoke the Lambda function.
  • A Systems Manager State Manager association to trigger the Automation runbook hourly.
  • AWS Identity and Access Management (IAM) roles for Lambda and Automation.

In the target accounts and regions, the following resources are established:

  • An Automation runbook and State Manager association to create and attach the Quick Setup IAM role to EC2 and hybrid managed nodes.
  • A State Manager association to enable Systems Manager Explorer.
  • A State Manager association to rectify Quick Setup related tags on managed nodes.

Prerequisites

To ensure successful patching, Amazon EC2 instances, AWS Internet of Things (IoT) Greengrass core devices, on-premises servers, edge devices, and VMs must be Systems Manager managed nodes. This means your nodes must satisfy specific prerequisites and be configured with the AWS Systems Manager Agent (SSM Agent). For more details, see Setting up AWS Systems Manager.

If you plan to use custom patch baselines within a patch policy, those baselines must exist in the same account and region prior to utilizing Quick Setup. For more information, refer to Working with custom patch baselines (console).

Walkthrough

In this section, we will guide you step-by-step through the creation of a patch policy using Systems Manager Quick Setup, examining the various configuration options for scanning, patching, and targeting managed instances.

Create a Quick Setup Patch Manager Configuration

  1. Open the AWS Systems Manager console.
  2. In the navigation pane, select Quick Setup.
  3. On the Library tab, click Create for Patch Manager.
  4. For Configuration name, provide a descriptive title, such as patch-policy-blog.
  5. For Scanning and installation, follow these steps:
    • For Patch operation, select Scan and install.
    • For Scanning schedule, choose Recommended defaults to scan managed nodes daily at 01:00 UTC.
    • For Installation schedule, select Recommended defaults to install patches once a week, on Sundays at 02:00 UTC. Alternatively, you can set a custom install schedule with a cron expression, such as cron(30 23 ? * TUE#3 *), which runs at 23:30 UTC on the third Tuesday of each month. For additional information, see Reference: Cron and rate expressions for Systems Manager.
    • For Reboot if needed, consider enabling this option so that nodes are rebooted after patch installation when a patch requires it. Rebooting is advisable, but it can affect availability, so choose an install window your workloads can tolerate. If you leave the option disabled, patches that need a reboot are reported as InstalledPendingReboot and the node remains non-compliant until it is rebooted and scanned again.
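The scan and install settings above end up as State Manager associations in each target account and Region. As an added example, not code from the original post or from Quick Setup itself, the script below builds equivalent `create_association` requests for the `AWS-RunPatchBaseline` document as plain dictionaries, so the schedules, targets and reboot behaviour can be inspected offline, and it expands a custom `DAY#n` cron expression into the dates it will actually fire on. The association names, the `PatchPolicy` tag used for targeting, and the `MaxConcurrency`/`MaxErrors` values are assumptions; the request shape is mine, not what Quick Setup emits.

```python
"""Model the scan and install associations behind a patch policy.

Added example, not code from the original post or from Quick Setup. It builds
create_association requests for AWS-RunPatchBaseline as dictionaries and only
calls AWS when run directly with boto3 installed. The association names, the
PatchPolicy tag and the MaxConcurrency/MaxErrors values are assumptions.
"""
import calendar
import datetime as dt

DOCUMENT = "AWS-RunPatchBaseline"                    # Patch Manager's scan/install document
SCAN_SCHEDULE = "cron(0 1 * * ? *)"                  # recommended default: daily at 01:00 UTC
INSTALL_SCHEDULE = "cron(0 2 ? * SUN *)"             # recommended default: Sundays at 02:00 UTC
CUSTOM_INSTALL_SCHEDULE = "cron(30 23 ? * TUE#3 *)"  # the custom example from the walkthrough

ALL_NODES = [{"Key": "InstanceIds", "Values": ["*"]}]            # every managed node in the account/Region
TAGGED_NODES = [{"Key": "tag:PatchPolicy", "Values": ["blog"]}]  # assumed tag, like Quick Setup's tag filter


def patch_association(operation, schedule, targets, name, reboot_if_needed=True):
    """Build the keyword arguments for ssm.create_association() for one patch operation."""
    if operation not in ("Scan", "Install"):
        raise ValueError("Operation must be Scan or Install, got %r" % operation)
    params = {"Operation": [operation]}
    if operation == "Install":
        # Only an install can reboot; NoReboot leaves patches in InstalledPendingReboot.
        params["RebootOption"] = ["RebootIfNeeded" if reboot_if_needed else "NoReboot"]
    return {
        "Name": DOCUMENT,
        "AssociationName": name,
        "Targets": targets,
        "ScheduleExpression": schedule,
        "Parameters": params,
        "MaxConcurrency": "10%",  # assumed: patch a tenth of the fleet at a time
        "MaxErrors": "10%",       # assumed: halt the run once a tenth of nodes fail
    }


def scan_request(targets=ALL_NODES, schedule=SCAN_SCHEDULE):
    return patch_association("Scan", schedule, targets, "patch-policy-blog-scan")


def install_request(targets=ALL_NODES, schedule=INSTALL_SCHEDULE, reboot_if_needed=True):
    return patch_association("Install", schedule, targets, "patch-policy-blog-install", reboot_if_needed)


WEEKDAYS = {"MON": 0, "TUE": 1, "WED": 2, "THU": 3, "FRI": 4, "SAT": 5, "SUN": 6}  # datetime.weekday() numbering


def nth_weekday(year, month, weekday, n):
    """Date of the n-th given weekday in a month (e.g. the third Tuesday); ValueError if absent."""
    first = dt.date(year, month, 1)
    day = 1 + (weekday - first.weekday()) % 7 + 7 * (n - 1)
    if day > calendar.monthrange(year, month)[1]:
        raise ValueError("%04d-%02d has no occurrence #%d of weekday %d" % (year, month, n, weekday))
    return first.replace(day=day)


def fire_times(expr, year):
    """Expand a Systems Manager cron of the form cron(M H ? * DAY#n *) into UTC fire times for one year.

    Only that shape is handled; it is enough to confirm a custom install window
    lands on the dates you expect before committing it to a policy.
    """
    if not (expr.startswith("cron(") and expr.endswith(")")):
        raise ValueError("not a cron() expression: %r" % expr)
    fields = expr[len("cron("):-1].split()
    if len(fields) != 6 or fields[2] != "?" or "#" not in fields[4]:
        raise ValueError("only cron(M H ? * DAY#n *) is supported: %r" % expr)
    minute, hour = int(fields[0]), int(fields[1])
    day_name, n = fields[4].split("#")
    times = []
    for month in range(1, 13):
        d = nth_weekday(year, month, WEEKDAYS[day_name], int(n))
        times.append(dt.datetime(d.year, d.month, d.day, hour, minute, tzinfo=dt.timezone.utc))
    return times


def main():
    for t in fire_times(CUSTOM_INSTALL_SCHEDULE, 2024):
        print("custom install window:", t.isoformat())
    import boto3  # only needed to create the associations for real
    ssm = boto3.client("ssm")
    for request in (scan_request(TAGGED_NODES), install_request(TAGGED_NODES)):
        created = ssm.create_association(**request)
        print(request["AssociationName"], created["AssociationDescription"]["AssociationId"])


if __name__ == "__main__":
    main()
```

Keeping the requests as data makes the policy reviewable in code review: the reboot option, the target scope and the concurrency limits are the three settings that decide how much of the fleet an install run can take down at once.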

Final Thoughts

By using Systems Manager Quick Setup patch policies, organizations can streamline patch management and maintain patch compliance across accounts and Regions from a single place. This improves security posture while saving the time and effort of configuring and checking patching account by account.

