
Raj Shah

Stop Worrying About EC2 Patching – Automate It Like a Pro!

Introduction

Let's be real—manually patching EC2 instances is about as fun as debugging a production outage on a Friday night. If you've ever had to SSH into dozens of instances just to run yum update -y or apt upgrade, you know the pain is real. But what if I told you there's a better way?

AWS Systems Manager (SSM) Quick Setup and Custom Documents can automate this process, ensuring your Linux EC2 instances stay up to date without manual intervention. In this blog, I’ll walk you through setting up automated OS patching using AWS SSM, and we’ll also look at creating custom patch baselines. Let's dive in!


Step 1: Setting Up AWS SSM Quick Setup for OS Patching

AWS SSM Quick Setup provides a hassle-free way to manage patching at scale. Here’s how you can set it up:

  1. Go to the AWS Console and navigate to Systems Manager > Quick Setup.
  2. Click Create and choose Host Management.
  3. Select AWS-DefaultPatchBaseline under Patch Manager.
  4. Choose a schedule for automatic patching (e.g., weekly, daily).
  5. Ensure that SSM Agent is installed and running on all instances (it’s pre-installed on Amazon Linux, Ubuntu, and Windows Server AMIs).
  6. Click Create, and you're done! 🎉


With this setup, AWS will handle OS patching on a schedule, reducing the risk of security vulnerabilities without you lifting a finger.


Step 2: Creating a Custom Patch Baseline for a Selected OS Type

While AWS-DefaultPatchBaseline under Patch Manager covers only necessary updates, you might also want to update all installed packages (think security patches, bug fixes, and new features). Let’s create a custom SSM Patch Baseline to handle this:

1. Create an SSM Patch Baseline

Go to AWS Systems Manager > Patch Manager > Patch baselines and click Create Patch baseline.


Click on Create Patch Baseline to create it.


2. Include the Custom Patch Baseline

  1. Run a CLI command to set the created Patch Baseline as the default for the respective OS type:
     aws ssm register-default-patch-baseline --baseline-id baseline-id-or-ARN
  2. Select the newly created Patch Baseline in Quick Setup -> Custom patch baseline.


Boom! Your instances will now update all installed packages automatically.
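The same Step 2 workflow, done from code instead of the console, as an added example (not the post's own code): it builds an "update everything" baseline for one OS type, registers it as that OS type's default, and verifies the registration. It assumes boto3 with working AWS credentials, and the baseline name, the CRITICAL compliance level and the 0-day approval delay are my choices, not the post's.

```python
"""Create a 'patch everything' baseline and make it the account default."""
try:
    import boto3  # only needed when actually talking to AWS
except ImportError:  # lets build_full_update_baseline() be used offline
    boto3 = None

# Patch Manager filter keys differ per OS family; "*" matches every value.
# Assumption: these are the documented keys for the two OS types listed.
ALL_PACKAGES_FILTERS = {
    "AMAZON_LINUX_2": ["PRODUCT", "CLASSIFICATION", "SEVERITY"],
    "UBUNTU": ["PRODUCT", "PRIORITY", "SECTION"],
}


def build_full_update_baseline(os_name: str, name: str,
                               approve_after_days: int = 0) -> dict:
    """Return create_patch_baseline kwargs that approve every available
    update, including non-security packages, after approve_after_days."""
    if os_name not in ALL_PACKAGES_FILTERS:
        raise ValueError(f"unsupported OS type: {os_name}")
    filters = [{"Key": k, "Values": ["*"]} for k in ALL_PACKAGES_FILTERS[os_name]]
    return {
        "Name": name,
        "OperatingSystem": os_name,
        "Description": "Approves all package updates (security and non-security).",
        "ApprovalRules": {"PatchRules": [{
            "PatchFilterGroup": {"PatchFilters": filters},
            "ComplianceLevel": "CRITICAL",      # a missing patch reports as CRITICAL
            "ApproveAfterDays": approve_after_days,
            "EnableNonSecurity": True,          # the setting the default baseline lacks
        }]},
    }


def create_and_set_default(ssm, os_name: str, name: str) -> str:
    """Create the baseline, register it as default for os_name, then verify
    that Patch Manager really reports it as the default before returning."""
    kwargs = build_full_update_baseline(os_name, name)
    baseline_id = ssm.create_patch_baseline(**kwargs)["BaselineId"]
    ssm.register_default_patch_baseline(BaselineId=baseline_id)
    current = ssm.get_default_patch_baseline(OperatingSystem=os_name)["BaselineId"]
    if current != baseline_id:
        raise RuntimeError(f"default for {os_name} is {current}, expected {baseline_id}")
    return baseline_id


if __name__ == "__main__":
    print(create_and_set_default(boto3.client("ssm"), "AMAZON_LINUX_2", "AL2-AllPackages"))
```

Registering the default only changes which baseline the OS type uses; Quick Setup still has to point at it (the "Custom patch baseline" selection above) for the scheduled patching to pick it up.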

And that's it! You’ve now automated EC2 package updates without having to log in ever again. 🏆

Conclusion

With AWS SSM Quick Setup and a custom patch baseline, you can automate OS patching and package updates across your EC2 instances like a pro. No more SSHing into instances or dealing with outdated software vulnerabilities. Set it up once, sit back, and let AWS do the work for you!

Got any cool automation tricks for AWS EC2? Drop them in the comments below! 🚀


Contributed By: Raj Shah
