cerf
AWS Systems Manager Patch Manager

AWS Systems Manager Patch Manager

Automated patch and compliance management with Systems Manager

How to patch a whole fleet on a schedule, prove it stayed compliant, and never SSH into a box to run an update again.

The problem: patching does not scale by hand

Logging into servers to run updates works for three instances and collapses at three hundred. Patches drift, some boxes get missed, and when an auditor asks 'which hosts are missing the latest critical update,' nobody can answer quickly.

AWS Systems Manager Patch Manager solves this by treating patching as a fleet-wide, scheduled, reportable operation. Any server it can reach becomes a managed node: an EC2 instance or an on-premises server running the SSM Agent, with permission to talk to Systems Manager. Once a node is managed, Patch Manager can scan it, patch it, and report its compliance without anyone opening a shell.

From manual patching to a managed-node fleet
From manual patching to a managed-node fleetAWS CloudCorporate data centerus-east-1Application VPCPrivate subnetsmanage fleet centrallyregister via SSM Agentregister via SSM Agentregister via SSM Agenthybrid registerhybrid registerrecord state per nodemetrics & logsquery missing patchesCloudOpsengineermanages fleet, no S…AWS SystemsManagerFleet Manager + Pat…EC2 web tierSSM AgentEC2 app tierSSM AgentEC2 batch fleetSSM AgentData-center VMSSM Agent (hybrid)Bare-metal hostSSM Agent (hybrid)Patchcompliancestate per managed n…CloudWatchfleet metrics & logsAuditorwhich hosts are mis…
Trace
Manual SSH patching collapses at scale. Instead every EC2 instance and on-prem server runs the SSM Agent and registers with AWS Systems Manager, forming one managed-node fleet. A single engineer drives it, per-node patch compliance is recorded centrally, and an auditor can answer 'which hosts are missing critical updates?' without touching a box.

The building blocks: baselines, patch groups, and maintenance windows

A patch baseline is the rulebook: it defines which patches are approved for install, using approval rules based on product, classification, and severity, plus an auto-approval delay so a patch is only auto-approved after it has been available for a set number of days. AWS provides predefined baselines per operating system, and you can create custom baselines when you need tighter control.

A patch group ties nodes to a baseline. You tag a node with the key 'Patch Group' and a value like prod or dev; Patch Manager maps that value to a specific baseline, so production can run a conservative baseline while development runs a more aggressive one, all in the same account.

A maintenance window controls when patching happens. Instead of patching at random, you schedule a recurring window that runs the patch task against a target set of nodes, which bounds the blast radius and keeps reboots inside an approved change slot.

Baselines, patch groups, and maintenance windows
Baselines, patch groups, and maintenance windowsPatch baselines (the rulebook)Maintenance window (the schedule)Managed nodes (patch groups)define schedule + baselineslonger auto-approval delayshorter auto-approval delayclone AWS defaultPatch Group tag maps herePatch Group tag maps hereon schedule, run taskagainst target setresolve by tagresolve by tagCloudOpsengineerauthors baselines &…Approval rulesproduct / classific…PredefinedbaselinesAWS-provided per OSProd baselineconservativeDev baselineaggressiveProd nodestag Patch Group = p…Dev nodestag Patch Group = d…Maintenancewindowcron schedule + dur…Registered taskAWS-RunPatchBaselineWindow targetsselected by tag
Trace
The three building blocks work together: a patch baseline is the rulebook of approved patches, a patch group is a tag that maps a node to a specific baseline, and a maintenance window schedules when the patch task runs against its targets. This lets prod run a conservative baseline and dev an aggressive one in the same account, with reboots confined to an approved slot.

Scan versus install, and proving compliance

Patch Manager runs the AWS-RunPatchBaseline document with one of two operations. Scan only reports what is missing and updates each node's compliance state; it installs nothing and never reboots. Install actually applies approved patches and can reboot when required. A common pattern is to scan continuously for visibility and install only inside a maintenance window.

The results become patch compliance data in Systems Manager: every node is marked compliant or non-compliant against its baseline. That state can be exported to Amazon S3 for reporting, evaluated by an AWS Config managed rule so drift shows up as a config violation, and wired to Amazon SNS so operators are notified when nodes fall out of compliance. This is the same Config-plus-remediation loop the exam expects for any 'detect and correct drift' scenario.

Scan vs Install and the compliance loop
Scan vs Install and the compliance loopSystems Manager Patch ManagerManaged nodesCompliance & reportingrun operation=Scanrun operation=InstallScanInstallassess patch stateapply + rebootreport compliance stateexport reportevaluate managed rulenon-compliantnotifyContinuous scanscheduleEventBridge / State…Maintenancewindowapproved install sl…AWS-RunPatchBaselineSSM documentScan operationreport only, no reb…Installoperationapply + reboot if r…Managed nodeSSM Agent executes …Patchcompliancecompliant / non-com…Amazon S3compliance export /…AWS Config ruledrift = config viol…Amazon SNSnon-compliant alertsOperatorsnotified of drift
Trace
Patch Manager runs AWS-RunPatchBaseline in one of two operations. Scan (typically continuous) only reports what is missing and updates compliance state, installing nothing and never rebooting. Install (only inside a maintenance window) applies approved patches and can reboot. Either way the node reports compliance, which is exported to S3, evaluated by an AWS Config managed rule, and drift is pushed to operators through SNS.

What this teaches for the exam

A node cannot be patched until it is a managed node, which means the SSM Agent plus an IAM instance profile granting the AmazonSSMManagedInstanceCore permissions (or the newer Default Host Management Configuration). If patching 'does nothing,' the missing piece is almost always that permission or agent, not the baseline.

Hybrid is first-class: on-premises servers register through the SSM Agent and join the very same fleet, so one patch process covers cloud and data center together. And when a question asks how to separate environments, the answer is patch groups mapping to different baselines, scheduled through maintenance windows, not one-off manual runs.

How a node becomes managed (cloud + hybrid)
How a node becomes managed (cloud + hybrid)AWS CloudCorporate data centerIdentity & enrollmentus-east-1AWS Systems ManagerApplication VPCPrivate subnetgrants ManagedInstanceCoreor enroll account-wideagent calls SSM privatelyreach Systems Manageror via NATpublic endpointsactivation code + IDgrants SSM permissionsregister (mi-xxxx)node joins fleeteligible for patchingEC2 instanceSSM Agent preinstal…IAM instanceprofileAmazonSSMManagedIns…Default HostManagement…account-wide altern…Interface VPCendpointsssm / ssmmessages /…NAT gatewayalt path to public …Systems Managerendpointregistration + comm…Hybridactivationactivation code + IDIAM serviceroleSSM managed-instanc…On-prem serverSSM Agent + activat…Managed-nodefleetone fleet, cloud + …Patch Managernow eligible to sca…
Trace
A node cannot be patched until it is a managed node. In the cloud that means the SSM Agent, an IAM instance profile granting AmazonSSMManagedInstanceCore (or account-wide Default Host Management Configuration), and a network path to Systems Manager via interface VPC endpoints or NAT. On-prem servers use a hybrid activation plus a service role. Both paths join the same fleet and only then become eligible for Patch Manager.

Sources

Practice what you just read

6 questions from this architecture

Loading…