StackZone EC2 Patch Management

Patch By Tag Feature Article

Ryan Ware

Last Update 10 months ago

Patch Manager, a capability of AWS Systems Manager, automates the process of patching managed nodes with both security-related and other types of updates. You can use Patch Manager to apply patches for both operating systems and applications.

Patching is a necessary and important part of operating in the cloud. Under the AWS Shared Responsibility Model, the security configuration and management of your instances, including keeping their operating systems and applications patched, is your responsibility rather than AWS's, so patch as often as your change process allows.


Patching by hand does not scale. How do you patch across a business or organization with multiple accounts and machines in multiple regions? Automation is the answer, and by leveraging AWS SSM, StackZone can help with this task.


AWS SSM

AWS Systems Manager (formerly known as SSM) is an AWS service that you can use to view and control your infrastructure on AWS. Using the Systems Manager console, you can view operational data from multiple AWS services and automate operational tasks across your AWS resources. Systems Manager helps you maintain security and compliance by scanning your managed nodes and reporting on (or taking corrective action on) any policy violations it detects.


For a more in-depth explanation of AWS Systems Manager, see the AWS official documentation.


StackZone's EC2 Patch Management relies on the SSM Agent, which must be installed and running on every EC2 instance you tag (it is preinstalled on the Amazon Linux, Ubuntu Server and Windows Server AMIs that AWS publishes). The agent scans your instance for missing patches and applies them within the maintenance window you specify in your StackZone configuration.


EC2 Prerequisites

Before you tag an instance, complete these steps so that Systems Manager can see it. In addition to the network access described below, the instance needs an IAM instance profile that lets the agent register with Systems Manager, for example one carrying the AWS managed policy AmazonSSMManagedInstanceCore; without it the instance never appears as a managed node, however the network is set up.


Your EC2 instance must be able to reach the Systems Manager service endpoints over HTTPS (TCP 443). Normally that means a route to an Internet Gateway (or a NAT Gateway) and a security group that allows outbound traffic on port 443. For instances that must not have internet access, or that sit in a private subnet, create the following VPC endpoints in your VPC instead:


  • com.amazonaws.region.ssm - The endpoint for the Systems Manager service.
  • com.amazonaws.region.ec2messages - Systems Manager uses this endpoint to make calls from SSM Agent to the Systems Manager service.
  • com.amazonaws.region.ec2 - If you're using Systems Manager to create VSS-enabled snapshots, you need an endpoint to the EC2 service. Without the EC2 endpoint defined, the call to enumerate attached EBS volumes fails, which causes the Systems Manager command to fail.
  • com.amazonaws.region.ssmmessages - This endpoint is required only if you are connecting to your instances through a secure data channel using Session Manager. For more information, see AWS Systems Manager Session Manager and Reference: ec2messages, ssmmessages, and other API operations.
  • com.amazonaws.region.s3 - Systems Manager uses this endpoint to update SSM Agent and for tasks like uploading output logs you choose to store in S3 buckets, retrieving scripts or other files you store in buckets, and so on.

Replace "region" with the region your instances run in. The interface endpoints (all of the above except S3, which is a gateway endpoint) need a security group that accepts inbound 443 from your instances, and Private DNS must be enabled on them so that the agent's default hostnames resolve to the endpoint's private addresses rather than to public IPs the instance cannot reach.
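A quick way to confirm a private VPC meets the endpoint prerequisites above is to read the VPC's endpoint list and compare it with the names in the list. The checker below is an added example and not StackZone's code; it works on the shape of the boto3 describe_vpc_endpoints response so it can run offline against the constructed sample, with the required/optional split following the article (ssm and ec2messages always; ssmmessages, ec2 and s3 conditional). The VPC ID, region and endpoint records in SAMPLE_ENDPOINTS are made up.

```python
"""Check a VPC for the endpoints Systems Manager needs (added example, not StackZone's code)."""
from __future__ import annotations

# Required for the agent to register and receive commands; the rest are
# conditional per the article, so they are reported but do not fail the check.
REQUIRED = ("ssm", "ec2messages")
OPTIONAL = ("ssmmessages", "ec2", "s3")


def endpoint_service(region: str, short: str) -> str:
    return f"com.amazonaws.{region}.{short}"


def check_vpc_endpoints(endpoints: list[dict], vpc_id: str, region: str) -> dict:
    """Report missing endpoints and interface endpoints without private DNS.

    ``endpoints`` is the ``VpcEndpoints`` list from ``describe_vpc_endpoints``.
    An interface endpoint with private DNS disabled still leaves the agent
    resolving public IPs, so it is treated as a failure like a missing one.
    """
    present = {}
    for ep in endpoints:
        if ep.get("VpcId") == vpc_id and ep.get("State") == "available":
            present[ep["ServiceName"]] = ep

    result = {"missing_required": [], "missing_optional": [], "private_dns_off": []}
    for short in REQUIRED + OPTIONAL:
        name = endpoint_service(region, short)
        ep = present.get(name)
        if ep is None:
            key = "missing_required" if short in REQUIRED else "missing_optional"
            result[key].append(name)
            continue
        # Gateway endpoints (S3) have no private DNS flag; interface ones must have it on.
        if ep.get("VpcEndpointType") == "Interface" and not ep.get("PrivateDnsEnabled", False):
            result["private_dns_off"].append(name)
    result["ok"] = not result["missing_required"] and not result["private_dns_off"]
    return result


def fetch_endpoints(vpc_id: str, region: str) -> list[dict]:
    """Live variant: pull the endpoint list with boto3 (needs AWS credentials)."""
    import boto3  # imported here so the offline checker has no dependency on it
    ec2 = boto3.client("ec2", region_name=region)
    pages = ec2.get_paginator("describe_vpc_endpoints").paginate(
        Filters=[{"Name": "vpc-id", "Values": [vpc_id]}]
    )
    return [ep for page in pages for ep in page["VpcEndpoints"]]


# Constructed sample: ssm and ssmmessages interface endpoints (the latter without
# private DNS) plus an S3 gateway endpoint; ec2messages exists only in another VPC.
SAMPLE_ENDPOINTS = [
    {"VpcId": "vpc-0example1", "State": "available", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.eu-west-1.ssm", "PrivateDnsEnabled": True},
    {"VpcId": "vpc-0example1", "State": "available", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.eu-west-1.ssmmessages", "PrivateDnsEnabled": False},
    {"VpcId": "vpc-0example1", "State": "available", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.eu-west-1.s3"},
    {"VpcId": "vpc-0other", "State": "available", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.eu-west-1.ec2messages", "PrivateDnsEnabled": True},
]

if __name__ == "__main__":
    for key, value in check_vpc_endpoints(SAMPLE_ENDPOINTS, "vpc-0example1", "eu-west-1").items():
        print(f"{key}: {value}")
```

Run it against a real VPC by passing the result of fetch_endpoints into check_vpc_endpoints; anything listed under missing_required or private_dns_off explains an instance that never shows up in Fleet Manager.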



Tag Your Instance

With the prerequisites in place, all that is left is to tag your EC2 instance to add it to a patching cycle. StackZone currently supports two patch cycles, selected by two different tags:


AutoPatchProd = True

AutoPatch = True


Two cycles exist so that you can, for example, patch non-production instances automatically overnight on Tuesday and check the results on Wednesday, before production instances on the AutoPatchProd cycle are patched overnight on Wednesday. You can use just one cycle if that suits you better.


View Results

How do we know the process has worked? Open the AWS Systems Manager console in the region where you tagged instances and choose Fleet Manager from the left-hand panel.


Select one of your instances from the list of SSM managed instances and choose the Patch tab. You should see a summary that tells you how many patches were installed, how many failed, and when the last patch operation ran on the machine.


You can view this summary for each Managed Instance in the SSM Fleet Manager.
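Clicking through Fleet Manager works for a handful of instances; for a fleet across accounts and regions you want the same two steps, tagging into a cycle and reading back the patch summary, as code. The block below is an added example, not StackZone's code. The tag keys and value are the ones the article defines; the summary works on the shape of the Systems Manager describe_instance_patch_states response (the same counts the Patch tab shows), so it runs offline against the constructed SAMPLE_STATES, and the instance IDs, counts and times in it are made up.

```python
"""Tag instances into a patch cycle and summarise Patch Manager results (added example)."""
from __future__ import annotations
from datetime import datetime, timedelta, timezone

CYCLES = {"AutoPatch", "AutoPatchProd"}  # the two cycles the article describes


def create_tags_kwargs(instance_ids: list[str], cycle: str) -> dict:
    """Build the arguments for ``ec2.create_tags`` for one patch cycle.

    Rejecting unknown cycle names up front avoids silently tagging instances
    with a key that nothing will ever act on.
    """
    if cycle not in CYCLES:
        raise ValueError(f"unknown patch cycle {cycle!r}; expected one of {sorted(CYCLES)}")
    return {"Resources": list(instance_ids), "Tags": [{"Key": cycle, "Value": "True"}]}


def summarise_patch_states(states: list[dict], now: datetime, max_age: timedelta) -> dict:
    """Classify instances from the ``InstancePatchStates`` list.

    An instance is flagged when its last operation failed to install something,
    left patches missing, or ended longer ago than ``max_age``. For a weekly
    cycle a stale OperationEndTime usually means the instance was off during its
    window or the agent could not reach Systems Manager.
    """
    report = {"healthy": [], "failed": [], "missing": [], "stale": []}
    for st in states:
        iid = st["InstanceId"]
        if st.get("FailedCount", 0) > 0:
            report["failed"].append(iid)
        if st.get("MissingCount", 0) > 0:
            report["missing"].append(iid)
        if now - st["OperationEndTime"] > max_age:
            report["stale"].append(iid)
        if iid not in report["failed"] + report["missing"] + report["stale"]:
            report["healthy"].append(iid)
    return report


def fetch_patch_states(instance_ids, region):
    """Live variant (needs credentials): patch states for up to 50 instances per call."""
    import boto3
    ssm = boto3.client("ssm", region_name=region)
    return ssm.describe_instance_patch_states(InstanceIds=list(instance_ids))["InstancePatchStates"]


NOW = datetime(2024, 5, 15, 8, 0, tzinfo=timezone.utc)
# Constructed sample in the response shape; not real patch data.
SAMPLE_STATES = [
    {"InstanceId": "i-0aaa", "InstalledCount": 12, "FailedCount": 0, "MissingCount": 0,
     "Operation": "Install", "OperationEndTime": NOW - timedelta(hours=6)},
    {"InstanceId": "i-0bbb", "InstalledCount": 9, "FailedCount": 2, "MissingCount": 1,
     "Operation": "Install", "OperationEndTime": NOW - timedelta(hours=6)},
    {"InstanceId": "i-0ccc", "InstalledCount": 30, "FailedCount": 0, "MissingCount": 0,
     "Operation": "Install", "OperationEndTime": NOW - timedelta(days=20)},
]

if __name__ == "__main__":
    print(create_tags_kwargs(["i-0aaa", "i-0bbb"], "AutoPatchProd"))
    print(summarise_patch_states(SAMPLE_STATES, NOW, timedelta(days=8)))
```

Pass the output of create_tags_kwargs straight to boto3's ec2.create_tags, and feed fetch_patch_states into summarise_patch_states with a max_age a day or so longer than your cycle; the stale bucket is the one that catches instances that were switched off during their window.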


New! Added in v4.37.0

The v4.37.0 release of StackZone added some updates to the Patch Management feature. Previously, tagged instances had to be running during the maintenance window to receive patches from AWS SSM.


This is no longer the case. You can save money by leaving instances stopped outside working hours, or for set hours per day: the StackZone Patch Management feature handles instances that are stopped when the scheduled window approaches.


The automation starts any instance in the stopped state and, more importantly, stops only the instances it found stopped to begin with, so an instance that was already running is left running after the window.
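The invariant in that paragraph, stop only what you started, is easy to get wrong if the automation decides what to stop by looking at which instances are running at the end of the window. The block below is an added example of the behaviour described, not StackZone's automation, with the EC2 client replaced by a small in-memory fake (FakeEc2, constructed here) so it runs offline; the instance IDs are made up.

```python
"""Start stopped instances for a patch window and stop only those (added example)."""
from __future__ import annotations


class FakeEc2:
    """Stand-in for the boto3 EC2 client with an in-memory instance state."""

    def __init__(self, states: dict[str, str]):
        self.states = dict(states)
        self.calls: list[tuple[str, list[str]]] = []

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [
            {"InstanceId": i, "State": {"Name": self.states[i]}} for i in InstanceIds]}]}

    def start_instances(self, InstanceIds):
        self.calls.append(("start", list(InstanceIds)))
        for i in InstanceIds:
            self.states[i] = "running"

    def stop_instances(self, InstanceIds):
        self.calls.append(("stop", list(InstanceIds)))
        for i in InstanceIds:
            self.states[i] = "stopped"


def instance_states(ec2, instance_ids):
    resp = ec2.describe_instances(InstanceIds=list(instance_ids))
    return {inst["InstanceId"]: inst["State"]["Name"]
            for res in resp["Reservations"] for inst in res["Instances"]}


def prepare_window(ec2, instance_ids):
    """Start every stopped instance and return the IDs we started."""
    states = instance_states(ec2, instance_ids)
    started = sorted(i for i, s in states.items() if s == "stopped")
    if started:
        ec2.start_instances(InstanceIds=started)
    return started


def finish_window(ec2, started):
    """Stop only the instances recorded by prepare_window.

    The list comes from our own record, not from a fresh describe call, so an
    instance that was already running, or that someone started during the
    window, is never stopped just because it is running now.
    """
    if started:
        ec2.stop_instances(InstanceIds=sorted(started))
    return sorted(started)


def run_patch_window(ec2, instance_ids, patch):
    """Full cycle: start what is needed, run ``patch`` on all instances, then tidy up."""
    started = prepare_window(ec2, instance_ids)
    try:
        patch(list(instance_ids))
    finally:
        # Stop what we started even if patching raised, so a failed run does not
        # leave a normally-off instance running and billing until someone notices.
        finish_window(ec2, started)
    return started


if __name__ == "__main__":
    ec2 = FakeEc2({"i-0web": "running", "i-0batch": "stopped", "i-0dev": "stopped"})
    started = run_patch_window(ec2, list(ec2.states), lambda ids: print("patching", ids))
    print("started and re-stopped:", started, "final states:", ec2.states)
```

With a real boto3 client the same functions work, but prepare_window should additionally wait for ec2.get_waiter("instance_running") and for the instance to report PingStatus Online in ssm.describe_instance_information before patch is called, since a freshly started instance takes a minute or two to register its agent.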


Note: an instance managed by both Patch Management and StackZone's Instance Scheduler will currently conflict, so do not place an instance under both features.

Want to know more about StackZone and how to make your cloud management simple and secure?

Check our How it works section with easy-to-follow videos, or create your own StackZone account.
