can i use patch manager to patch my ec2 instances which are in no internet environment

0

Hi, So I have a Government environment where my ec2 instances can not have the internet at all they all are in an intranet environment. There is no NAT gateway for internet access. Now i want to mange patching of my instances for security updates,etc, i see there is patch manager available but i am not sure whether it will work in such environment where internet is not available? if it is possible please help me to understand how can i do it , if not, is there any alternate solution available to patch my instances?

can anyone pls help me to figure out the issue and suggest any possible resolution?

3 Answers
1

Hello, Amazon Linux can be patched without internet. AWS SSM uses internal repo for patches. So you just need to meet the prerequisites: S3, SSM, SSM messages, EC2 messages VPC endpoints to have internal connections. (https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-prerequisites.html)

For other OS versions - yes, unfortunately AWS does not have patches for them internally. I'm guessing that an improvement to AWS could be done by creating DNS records on the backbone network to direct patch mirrors and be accessed from the customer's network via an EC2 endpoint.

But for now as it is not implemented you must setup local repository that will have access to the internet to receive regular updates (https://kc.jetpatch.com/hc/en-us/articles/360052181591-Setting-Up-Local-Repositories-Ubuntu#heading-0) and define it in a new source (https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-alternative-source-repository.html), and customize patches (https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-create-a-patch-baseline-for-linux.html).

Proof:

I have run 2 EC2 instances: Ubuntu (ubuntu-focal-20.04-amd64-server-20231025 ) and AmazonLinux 2 (amazon/amzn2-ami-kernel-5.10-hvm-2.0.20240131.0-x86_64-gp2) in private VPC with S3, SSM, SSM messages and EC2 messages endpoints. Enabled patch policies with default configurations and run it.

According to the execution: Ubuntu failed. AmazonLinux success. Enter image description here

Command outputs:

As expected Ubuntu server could not reach patch server: Enter image description here

AmazonLinux worked fine: Enter image description here

AmazonLinux before patching:

Enter image description here

After patching:

Enter image description here

answered 10 months ago
0

Hello.

The following documents contain prerequisites for using Patch Manager.
By default, Patch Manager downloads security patches from the OS's remote repository.
Therefore, if nothing is configured and there is no route to access the remote repository using NAT Gateway etc., patch application will fail.
I think you need to configure it so that it can communicate with S3 (remote repository) using NAT Gateway or VPC endpoint.
https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-prerequisites.html
https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-minimum-s3-permissions.html
https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-installing-patches.html

profile picture
EXPERT
answered 10 months ago
  • Hi Riku, thanks for the reply, so as per your reply it is possible to use patch manager to patch no internet instances? just we need to add permission for s3 to fetch patches from aws managed public s3 buckets? is my understanding correct?

0

Your EC2 need access to a repository to download patches. As per https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-prerequisites.html#source-connectivity , you need to setup a remote repo.

This can be WSUS for Windows and Satellite or remote repo for RHEL

If your managed nodes don't have a direct connection to the Internet and you're using an Amazon Virtual Private Cloud (Amazon VPC) with a VPC endpoint, you must ensure that the nodes have access to the source patch repositories (repos). On Linux nodes, patch updates are typically downloaded from the remote repos configured on the node. Therefore, the node must be able to connect to the repos so the patching can be performed. For more information, see How security patches are selected.

Windows Server managed nodes must be able to connect to the Windows Update Catalog or Windows Server Update Services (WSUS). Confirm that your nodes have connectivity to the Microsoft Update Catalog through an internet gateway, NAT gateway, or NAT instance. If you are using WSUS, confirm that the node has connectivity to the WSUS server in your environment. For more information, see Issue: managed node doesn't have access to Windows Update Catalog or WSUS.

AWS
EXPERT
answered 10 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions