AWS Systems Manager (SSM) Patch Manager does not patch instances that are in a "Stopped" state. Patch Manager can only manage and apply patches to instances that are running.
You can use an Automation document to start instances before the patch window and stop them afterward.
{
  "description": "Starts EC2 instances",
  "schemaVersion": "0.3",
  "assumeRole": "{{ AutomationAssumeRole }}",
  "parameters": {
    "AutomationAssumeRole": {
      "type": "String",
      "description": "(Optional) ARN of the IAM role Automation assumes; leave empty to use the caller's permissions",
      "default": ""
    },
    "InstanceIds": {
      "type": "StringList",
      "description": "List of EC2 Instance IDs to start"
    }
  },
  "mainSteps": [
    {
      "action": "aws:changeInstanceState",
      "name": "startInstances",
      "inputs": {
        "InstanceIds": "{{ InstanceIds }}",
        "State": "started"
      }
    }
  ]
}
{
  "description": "Stops EC2 instances",
  "schemaVersion": "0.3",
  "assumeRole": "{{ AutomationAssumeRole }}",
  "parameters": {
    "AutomationAssumeRole": {
      "type": "String",
      "description": "(Optional) ARN of the IAM role Automation assumes; leave empty to use the caller's permissions",
      "default": ""
    },
    "InstanceIds": {
      "type": "StringList",
      "description": "List of EC2 Instance IDs to stop"
    }
  },
  "mainSteps": [
    {
      "action": "aws:changeInstanceState",
      "name": "stopInstances",
      "inputs": {
        "InstanceIds": "{{ InstanceIds }}",
        "State": "stopped"
      }
    }
  ]
}
Configure Maintenance Window:
Task 1: Schedule the automation document to start instances.
Task 2: Run the SSM Patch Manager task to patch instances.
Task 3: Schedule the automation document to stop instances.
You can start all instances before patching, and those that were already running would keep running. Stopping is a bit more complex, as you'd not want to stop all of them, but only those that were stopped before you started. Here is a link to Cloud Custodian that tags originally stopped instances with a specific tag.
https://cloudcustodian.io/docs/usecases/ec2poweronstoppedforpatching.html
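The start/stop bookkeeping described in the answers above, as an added example that is not code from this thread or from Cloud Custodian: the pre-patch task starts only instances that are currently stopped and marks them with a tag, and the post-patch task stops only the instances carrying that mark, so hosts that were already running are left alone. The functions accept any object exposing boto3's EC2 client methods (describe_instances, create_tags, delete_tags, start_instances, stop_instances); the FakeEC2 class and its three-instance inventory are constructed here so the module runs offline, and the marker tag name PatchWindowStarted is a hypothetical choice.

```python
"""Added example, not code from the re:Post thread: power handling around a
patch window. Task 1 tags and starts only instances that are stopped; Task 3
stops only the tagged ones, so hosts that were already running stay up.
The functions accept any object with boto3's EC2 client method names, so
FakeEC2 (constructed for offline use) or boto3.client("ec2") both work."""

PATCH_GROUP_TAG = "Patch Group"      # tag key SSM Patch Manager uses for patch groups
MARKER_TAG = "PatchWindowStarted"    # hypothetical marker: "this window powered the host on"


def _ids(resp):
    """Instance IDs from a describe_instances response, in stable order."""
    return sorted(i["InstanceId"] for r in resp["Reservations"] for i in r["Instances"])


def pre_patch_start(ec2, patch_group):
    """Task 1: tag, then start, every stopped instance of the patch group.
    Tagging first means a failure between the two calls cannot leave a
    running host that Task 3 would later overlook."""
    ids = _ids(ec2.describe_instances(Filters=[
        {"Name": f"tag:{PATCH_GROUP_TAG}", "Values": [patch_group]},
        {"Name": "instance-state-name", "Values": ["stopped"]},
    ]))
    if ids:
        ec2.create_tags(Resources=ids, Tags=[{"Key": MARKER_TAG, "Value": "true"}])
        ec2.start_instances(InstanceIds=ids)
    return ids


def post_patch_stop(ec2, patch_group):
    """Task 3: stop only running instances carrying the marker tag, then
    remove the tag so the next window starts from a clean state."""
    ids = _ids(ec2.describe_instances(Filters=[
        {"Name": f"tag:{PATCH_GROUP_TAG}", "Values": [patch_group]},
        {"Name": f"tag:{MARKER_TAG}", "Values": ["true"]},
        {"Name": "instance-state-name", "Values": ["running"]},
    ]))
    if ids:
        ec2.stop_instances(InstanceIds=ids)
        ec2.delete_tags(Resources=ids, Tags=[{"Key": MARKER_TAG}])
    return ids


class FakeEC2:
    """In-memory stand-in for boto3's EC2 client (constructed for the example).
    Supports only the tag:<key> and instance-state-name filters used above."""

    def __init__(self, inventory):
        self.inv = inventory   # instance id -> {"state": str, "tags": {key: value}}

    def _matches(self, inst, filters):
        for f in filters:
            name = f["Name"]
            if name == "instance-state-name":
                actual = inst["state"]
            elif name.startswith("tag:"):
                actual = inst["tags"].get(name[4:])
            else:
                raise ValueError(f"FakeEC2 does not support filter {name}")
            if actual not in f["Values"]:
                return False
        return True

    def describe_instances(self, Filters):
        hits = [{"InstanceId": iid, "State": {"Name": d["state"]},
                 "Tags": [{"Key": k, "Value": v} for k, v in d["tags"].items()]}
                for iid, d in self.inv.items() if self._matches(d, Filters)]
        return {"Reservations": [{"Instances": hits}]}

    def create_tags(self, Resources, Tags):
        for iid in Resources:
            self.inv[iid]["tags"].update({t["Key"]: t["Value"] for t in Tags})

    def delete_tags(self, Resources, Tags):
        for iid in Resources:
            for t in Tags:
                self.inv[iid]["tags"].pop(t["Key"], None)

    def start_instances(self, InstanceIds):
        for iid in InstanceIds:
            self.inv[iid]["state"] = "running"

    def stop_instances(self, InstanceIds):
        for iid in InstanceIds:
            self.inv[iid]["state"] = "stopped"


def demo():
    """Run Task 1 and Task 3 against a constructed three-instance inventory."""
    ec2 = FakeEC2({
        "i-0aaa": {"state": "stopped", "tags": {PATCH_GROUP_TAG: "linux-prod"}},
        "i-0bbb": {"state": "running", "tags": {PATCH_GROUP_TAG: "linux-prod"}},
        "i-0ccc": {"state": "stopped", "tags": {PATCH_GROUP_TAG: "windows-prod"}},
    })
    started = pre_patch_start(ec2, "linux-prod")
    # Task 2, the AWS-RunPatchBaseline task, would run between these two calls.
    stopped = post_patch_stop(ec2, "linux-prod")
    return {
        "started": started,
        "stopped": stopped,
        "states": {iid: d["state"] for iid, d in ec2.inv.items()},
        "markers_left": [iid for iid, d in ec2.inv.items() if MARKER_TAG in d["tags"]],
    }


if __name__ == "__main__":
    print(demo())
```

In a real window the two functions would be the bodies of the Task 1 and Task 3 Automation steps (for example in an aws:executeScript step with a boto3 client) rather than the fixed InstanceIds parameter used by the documents above. Keep the marker tag write-restricted to the automation role: anyone who can set it on a running host can have it powered off at the end of the next window.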