AWS SSM Patch Manager Overview
Key Concepts
- Patch Manager is used to automate the patching process for managed instances, including OS, applications, and security updates.
- It supports EC2 instances as well as on-premises servers across Linux, macOS, and Windows.
- Patching can be performed on-demand or scheduled using a maintenance window.
- Patch Manager scans instances and generates a patch compliance report, which can be sent to S3.
Components of Patch Manager
- Patch Baseline
  - Defines which patches should or should not be installed.
  - Allows creation of custom patch baselines to specify approved or rejected patches.
  - Patches can be auto-approved after a certain number of days post-release.
  - Default behavior is to install only critical and security-related patches.
- Patch Groups
  - Associates a set of instances with a specific patch baseline.
  - Useful for segregating environments like dev, test, and prod.
  - An instance can only be part of one patch group, and a patch group can only be registered with one patch baseline.
Patch Baselines
- Predefined Patch Baselines: Managed by AWS for different operating systems and cannot be modified.
- Custom Patch Baselines: User-defined baselines to control which patches are auto-approved, allowed, or rejected.
Execution
- Use the SSM document AWS-RunPatchBaseline to apply patches.
- Can be initiated from the AWS Console, SDK, or during a maintenance window.
- The SSM agent on instances queries Patch Manager to determine which patches to apply based on the patch baseline.
Maintenance Windows
- Define a schedule for performing actions on instances, such as patching or software installation.
- Contains a schedule, duration, registered instances, and tasks to run.
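Putting the components above together (custom baseline, patch group, maintenance window running AWS-RunPatchBaseline with output to S3) as an added CloudFormation example; this is constructed for these notes, not taken from AWS documentation, and the bucket name is a placeholder you must replace with an existing bucket.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  ProdBaseline:                      # custom patch baseline for Amazon Linux 2
    Type: AWS::SSM::PatchBaseline
    Properties:
      Name: prod-amazon-linux-2-security
      OperatingSystem: AMAZON_LINUX_2
      ApprovalRules:
        PatchRules:
          - PatchFilterGroup:        # only Security patches of Critical/Important severity
              PatchFilters:
                - Key: CLASSIFICATION
                  Values: [Security]
                - Key: SEVERITY
                  Values: [Critical, Important]
            ApproveAfterDays: 7      # auto-approve 7 days after release
            ComplianceLevel: CRITICAL  # missing patches are reported as CRITICAL non-compliance
      PatchGroups:
        - prod                       # instances tagged "Patch Group" = prod use this baseline
  PatchWindow:                       # weekly window: Sundays 02:00, 3 hours, stop new tasks 1 hour before end
    Type: AWS::SSM::MaintenanceWindow
    Properties:
      Name: prod-weekly-patching
      Schedule: cron(0 2 ? * SUN *)
      Duration: 3
      Cutoff: 1
      AllowUnassociatedTargets: false
  PatchWindowTarget:                 # register the prod patch group as the window's targets
    Type: AWS::SSM::MaintenanceWindowTarget
    Properties:
      WindowId: !Ref PatchWindow
      ResourceType: INSTANCE
      Targets:
        - Key: tag:Patch Group
          Values: [prod]
  PatchWindowTask:                   # the task: install approved patches, reboot only if required
    Type: AWS::SSM::MaintenanceWindowTask
    Properties:
      WindowId: !Ref PatchWindow
      TaskType: RUN_COMMAND
      TaskArn: AWS-RunPatchBaseline
      Targets:
        - Key: WindowTargetIds
          Values: [!Ref PatchWindowTarget]
      TaskInvocationParameters:
        MaintenanceWindowRunCommandParameters:
          Parameters:
            Operation: [Install]     # use [Scan] to only report compliance without installing
            RebootOption: [RebootIfNeeded]
          OutputS3BucketName: my-patch-reports-bucket   # placeholder: existing bucket for command output
```

Deploying with Operation set to Scan first lets you review the compliance report in S3 before switching to Install.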
Exam Tips