How do I automate Linux updates on my EC2 instance using Systems Manager Patch Manager patch policies?


I want to automate OS-level package and security updates on my Amazon Elastic Compute Cloud (Amazon EC2) Linux instances using AWS Systems Manager Patch Manager patch policies.

Short description

The AWS Systems Manager Patch Manager patch policy feature automates scanning for and installing patches on your EC2 instances.

By default, Patch Manager uses predefined patch baselines to update the packages on your EC2 instance. For more granular control, use custom patch baselines.


Note: Before proceeding with this resolution, make sure that all Patch Manager prerequisites have been met. Also, review the supported AWS Regions for patch policy configurations.

  1. Open the Systems Manager console.
  2. Select Patch Manager, then select Create patch policy.
  3. Enter a Configuration name.
  4. In Scanning and installation, choose from the following options:
    Scan: The policy will scan specified targets.
    Scan and install: The policy scans and installs patches on the specified targets.
  5. Under Scanning schedule, choose from the following options:
    Use recommended defaults: The default schedule scans targets daily at 1:00 AM UTC.
    Custom scan schedule: Create your own schedule for scanning and installing.
    Daily: Enter the UTC time that you want to scan your targets.
    Custom CRON expression: Enter the schedule as a CRON expression. The CRON schedule follows the format Minute | Hour | Day of the month | Month | Day of the week | Year. For example, to perform updates on the second of every month at 1:00 UTC, use the expression "0 1 2 * * *".
    Note: To prevent the scan and updates from beginning immediately after policy creation, select Wait to scan/install targets until first CRON interval on each schedule.
  6. For Patch Baseline, select the recommended defaults, or provide a custom baseline.
  7. (Optional) You can send your patching logs to an Amazon Simple Storage Service (Amazon S3) bucket for storage or troubleshooting. To do this, in the Patching log storage section, select Write output to S3 bucket, and then specify the target S3 bucket.
  8. In the Targets section, select the accounts or Regions in your organization that you want to apply this patch policy to. Or, apply the policy to your entire organization.
  9. For Choose how you want to target instances, select the nodes that you want to apply this patch policy to. You can specify the instances manually, or on the basis of tags or resource groups. For example, to include all instances with the tag key-value pair Production:YES in us-east-1 and us-east-2, specify the Regions. Then, enter the tag under Specify a node tag.
  10. The Rate control section applies when running the patch policy on multiple instances.
    For Concurrency, specify the number or percentage of nodes on which to run the patch policy at the same time.
    For Error threshold, specify the number or percentage of nodes that are allowed to fail before the patch policy fails.
  11. Select Add required IAM policies to existing instance profiles attached to your instance so that the required permissions are added to your instance profile, or an instance profile is added if the instance doesn't already have one. This option applies to the following:
    Quick Setup
    Supported OS distributions that come with AWS Systems Manager Agent (SSM Agent) preinstalled.
  12. Review the summary to confirm your selections, and then select Create.

For detailed instructions on creating a patch policy, see Creating a patch policy.
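As an added example (not part of the AWS article), the following Python script validates a custom CRON expression in the six-field order used in step 5 and computes when it will next fire, so you can confirm a schedule such as "0 1 2 * * *" before applying a policy to production nodes. It assumes the day-of-week field is numbered 1-7 starting on Sunday and that times are naive ISO 8601 strings interpreted as UTC.

```python
# Added example (not AWS code): validate a Patch Manager custom CRON schedule
# in the page's field order and compute its next firing time (UTC).
from datetime import datetime, timedelta

# Allowed (min, max) per field: minute, hour, day-of-month, month, day-of-week, year
# Assumption: day-of-week is 1-7 with 1 = Sunday.
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (1, 7), (1970, 2199)]

def _expand(field, lo, hi):
    """Expand one field ('*', '5', '1-5', '1,15', '*/6') into a set of ints."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step = part.split("/", 1)
            step = int(step)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = end = int(part)
        if step < 1 or not (lo <= start <= end <= hi):
            raise ValueError(f"field {field!r} outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values

def parse_schedule(expr):
    """Validate a six-field expression; raise ValueError on a bad field."""
    fields = expr.split()
    if len(fields) != 6:
        raise ValueError("expected 6 fields: min hour dom month dow year")
    return [_expand(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)]

def next_run(expr, after_iso, horizon_days=400):
    """First firing time strictly after `after_iso` (naive ISO 8601, UTC), or None."""
    minute, hour, dom, month, dow, year = parse_schedule(expr)
    start = datetime.fromisoformat(after_iso)
    day = start.replace(hour=0, minute=0, second=0, microsecond=0)
    for _ in range(horizon_days):
        aws_dow = day.isoweekday() % 7 + 1  # Mon=1..Sun=7 -> Sun=1..Sat=7
        if day.day in dom and day.month in month and day.year in year and aws_dow in dow:
            for h in sorted(hour):
                for m in sorted(minute):
                    t = day.replace(hour=h, minute=m)
                    if t > start:
                        return t.isoformat(timespec="minutes")
        day += timedelta(days=1)
    return None
```

Run `next_run("0 1 2 * * *", "2024-03-01T12:00")` to see the page's example resolve to the second of the month at 01:00 UTC; a malformed field raises ValueError instead of silently producing a wrong window.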

Related information

Automate organization-wide patching using a Quick Setup patch policy

AWS OFFICIAL. Updated 10 months ago.