Hello, Amazon Linux can be patched without internet. AWS SSM uses internal repo for patches. So you just need to meet the prerequisites: S3, SSM, SSM messages, EC2 messages VPC endpoints to have internal connections. (https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-prerequisites.html)
For other OS versions - yes, unfortunately AWS does not have patches for them internally. I'm guessing that an improvement to AWS could be done by creating DNS records on the backbone network to direct patch mirrors and be accessed from the customer's network via an EC2 endpoint.
But for now, as it is not implemented, you must set up a local repository that has access to the internet to receive regular updates (https://kc.jetpatch.com/hc/en-us/articles/360052181591-Setting-Up-Local-Repositories-Ubuntu#heading-0), define it as a new source (https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-alternative-source-repository.html), and customize patches (https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-create-a-patch-baseline-for-linux.html).
Proof:
I have run 2 EC2 instances: Ubuntu (ubuntu-focal-20.04-amd64-server-20231025) and Amazon Linux 2 (amazon/amzn2-ami-kernel-5.10-hvm-2.0.20240131.0-x86_64-gp2) in a private VPC with S3, SSM, SSM messages and EC2 messages endpoints. Enabled patch policies with default configurations and ran it.
According to the execution: Ubuntu failed. AmazonLinux success.
Command outputs:
As expected, the Ubuntu server could not reach the patch server:
AmazonLinux worked fine:
AmazonLinux before patching:
After patching:
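The answer above turns on the four VPC endpoints (ssm, ssmmessages, ec2messages and s3) being present and correctly configured before a patch run is attempted. The following is an added example, not code from the thread or from AWS: it takes the JSON that `aws ec2 describe-vpc-endpoints` prints, filters it to one VPC and reports which required endpoints are missing or misconfigured (wrong endpoint type, not yet available, private DNS disabled on an interface endpoint, S3 gateway endpoint not attached to any route table). The region, VPC id and endpoint records embedded below are constructed sample data, not taken from a real account.

```python
"""Prerequisite check for Patch Manager in a VPC without an internet route.

Added example; the describe-vpc-endpoints output below is constructed.
"""
import json

# Services the SSM agent and Patch Manager must reach from inside the VPC.
REQUIRED_INTERFACE = ("ssm", "ssmmessages", "ec2messages")
REQUIRED_GATEWAY = ("s3",)

# Constructed to mimic `aws ec2 describe-vpc-endpoints --output json`.
# ec2messages is deliberately absent and ssmmessages has private DNS off.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "VpcEndpoints": [
        {"VpcEndpointId": "vpce-0aaa", "VpcId": "vpc-0123abcd",
         "ServiceName": "com.amazonaws.us-east-1.ssm",
         "VpcEndpointType": "Interface", "State": "available",
         "PrivateDnsEnabled": True, "SubnetIds": ["subnet-0a1b"]},
        {"VpcEndpointId": "vpce-0bbb", "VpcId": "vpc-0123abcd",
         "ServiceName": "com.amazonaws.us-east-1.ssmmessages",
         "VpcEndpointType": "Interface", "State": "available",
         "PrivateDnsEnabled": False, "SubnetIds": ["subnet-0a1b"]},
        {"VpcEndpointId": "vpce-0ccc", "VpcId": "vpc-0123abcd",
         "ServiceName": "com.amazonaws.us-east-1.s3",
         "VpcEndpointType": "Gateway", "State": "available",
         "RouteTableIds": ["rtb-0f00"]},
        # An endpoint in a different VPC must be ignored by the check.
        {"VpcEndpointId": "vpce-0ddd", "VpcId": "vpc-9999ffff",
         "ServiceName": "com.amazonaws.us-east-1.ec2messages",
         "VpcEndpointType": "Interface", "State": "available",
         "PrivateDnsEnabled": True, "SubnetIds": ["subnet-0c2d"]},
    ]
})


def service_short_name(service_name, region):
    """Map 'com.amazonaws.<region>.ssm' to 'ssm'; None for other regions/services."""
    prefix = f"com.amazonaws.{region}."
    if service_name.startswith(prefix):
        return service_name[len(prefix):]
    return None


def check_endpoints(describe_json, region, vpc_id):
    """Return {'missing': [...], 'problems': [...], 'ok': bool} for one VPC."""
    data = json.loads(describe_json)
    found = {}
    for ep in data.get("VpcEndpoints", []):
        if ep.get("VpcId") != vpc_id:
            continue
        name = service_short_name(ep.get("ServiceName", ""), region)
        if name is not None:
            found[name] = ep

    missing, problems = [], []
    for svc in REQUIRED_INTERFACE:
        ep = found.get(svc)
        if ep is None:
            missing.append(svc)
            continue
        if ep.get("VpcEndpointType") != "Interface":
            problems.append(f"{svc}: expected an Interface endpoint")
        if ep.get("State") != "available":
            problems.append(f"{svc}: endpoint state is {ep.get('State')}")
        if not ep.get("PrivateDnsEnabled"):
            # Without private DNS the agent resolves the public hostname and,
            # with no internet route, the connection never leaves the VPC.
            problems.append(f"{svc}: private DNS is disabled")

    for svc in REQUIRED_GATEWAY:
        ep = found.get(svc)
        if ep is None:
            missing.append(svc)
            continue
        if ep.get("VpcEndpointType") != "Gateway":
            problems.append(f"{svc}: expected a Gateway endpoint")
        if not ep.get("RouteTableIds"):
            problems.append(f"{svc}: gateway endpoint has no route table")

    return {"missing": missing, "problems": problems,
            "ok": not missing and not problems}


if __name__ == "__main__":
    report = check_endpoints(SAMPLE_DESCRIBE_OUTPUT, "us-east-1", "vpc-0123abcd")
    print(json.dumps(report, indent=2))
```

Against a live account, pipe `aws ec2 describe-vpc-endpoints --output json` into `check_endpoints` with your own region and VPC id; an empty `missing` list plus an empty `problems` list is the state the first answer's Amazon Linux 2 test ran in. The same check does not prove Ubuntu will patch, because Ubuntu's repositories are not behind these endpoints.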
Hello.
The following documents contain prerequisites for using Patch Manager.
By default, Patch Manager downloads security patches from the OS's remote repository.
Therefore, if nothing is configured and there is no route to access the remote repository using NAT Gateway etc., patch application will fail.
I think you need to configure it so that it can communicate with S3 (remote repository) using NAT Gateway or VPC endpoint.
https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-prerequisites.html
https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-minimum-s3-permissions.html
https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-installing-patches.html
Hi Riku, thanks for the reply. So as per your reply, is it possible to use Patch Manager to patch instances with no internet? Do we just need to add permission for S3 to fetch patches from the AWS-managed public S3 buckets? Is my understanding correct?
Your EC2 instances need access to a repository to download patches. As per https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-prerequisites.html#source-connectivity, you need to set up a remote repo.
This can be WSUS for Windows and Satellite or a remote repo for RHEL.
If your managed nodes don't have a direct connection to the Internet and you're using an Amazon Virtual Private Cloud (Amazon VPC) with a VPC endpoint, you must ensure that the nodes have access to the source patch repositories (repos). On Linux nodes, patch updates are typically downloaded from the remote repos configured on the node. Therefore, the node must be able to connect to the repos so the patching can be performed. For more information, see How security patches are selected.
Windows Server managed nodes must be able to connect to the Windows Update Catalog or Windows Server Update Services (WSUS). Confirm that your nodes have connectivity to the Microsoft Update Catalog through an internet gateway, NAT gateway, or NAT instance. If you are using WSUS, confirm that the node has connectivity to the WSUS server in your environment. For more information, see Issue: managed node doesn't have access to Windows Update Catalog or WSUS.
Hi, thanks for the reply. How can I patch Ubuntu instances then? By setting up a private repo?
Hi, for Ubuntu instances yes: https://help.ubuntu.com/community/Repositories/Personal. Have it resolvable from your instances and internet connected to receive updates.