AWS Patching across several OSes

I have been tasked with setting up patching and automation for a little over 100 servers with a mix of various flavors of Linux, and some Windows as well. Keep in mind that this project was dumped on me and I am having to self-teach AWS as I go, so if there are some major gaps in my knowledge, that is why, and I apologize in advance for any/all facepalms I cause. I am starting with the Windows servers. Here is what I have done so far; all of these are EC2 servers:

  • Maintenance windows (Windows1 and Windows2); some are clustered, so I am not going to patch and reboot both nodes at once

  • Patch Baselines (Windows-Patching)

  • In the server instances, I have added Patch Groups to my EC2 instances in the TAGS section (NOTESTWINDOWS, WINDOWS1, WINDOWS2)

  • In Patch Manager, made a new patch baseline, and in it I added tags for the patch groups (NOTESTWINDOWS, WINDOWS1)

  • In Maintenance Windows, made a new maintenance window, and in the TAGS section added a Patch Group that matched one of the Patch Groups I used in Instances and Patch Manager (NOTESTWINDOWS).

So when the time in the maintenance window is reached, it uses the tag to search for matching tags in EC2 Instances and Patch Manager. This is my understanding; am I right, close, miles off?

I have read a few things that are either good info but don't cover the procedure, or cover the procedure with UIs and menus that no longer exist, and plenty are either vague or contradictory, so am I getting this right? Am I missing anything? Am I miles from where I should be?

Sorry if this seems obvious, but I am new to AWS.

Eagerly awaiting some info here. THANKS in advance!


Solution 1:

You can use Systems Manager for many of these tasks. There are already "documents" defined for keeping a patch baseline on EC2 instances with both Windows and Linux, and you can define your own as needed as well. It's definitely worth a look.

You should check that all your instances (that you intend to manage) have the SSM agent installed, and that the instances have the AmazonSSMManagedInstanceCore policy attached to their role.

SSM also has a Change Calendar that you can define for maintenance windows, and you have the option of selecting whether the events defined in your calendar are when you have maintenance windows and can apply changes, or when you can't.

I'm not saying it's the ultimate solution. You might need to do some extra legwork, but it will help a lot.

https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html
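The tag-matching the question describes, worked through as an added example (not code from the thread or from AWS): a maintenance window targets instances by their `Patch Group` tag, and Patch Manager then picks the baseline that tag value is registered with for the instance's OS, falling back to the OS default baseline when the group is not registered. The inventory, baseline ids and the `pb-…` names below are constructed sample data, mirroring the question's setup where WINDOWS2 is tagged on instances but never registered with the custom baseline.

```python
# Constructed sample data: instance id -> (OS, tags). Not the poster's account.
INSTANCES = {
    "i-0aaa": ("WINDOWS", {"Name": "web1", "Patch Group": "NOTESTWINDOWS"}),
    "i-0bbb": ("WINDOWS", {"Name": "sql-node-a", "Patch Group": "WINDOWS1"}),
    "i-0ccc": ("WINDOWS", {"Name": "sql-node-b", "Patch Group": "WINDOWS2"}),
    "i-0ddd": ("WINDOWS", {"Name": "legacy"}),  # never tagged with a patch group
    "i-0eee": ("AMAZON_LINUX_2", {"Name": "app1", "Patch Group": "WINDOWS1"}),
}

# Constructed baseline registrations: (baseline id, OS) -> patch groups.
# SSM lets a patch group be registered with only one baseline per OS.
BASELINES = {("pb-custom-windows", "WINDOWS"): {"NOTESTWINDOWS", "WINDOWS1"}}
DEFAULT_BASELINE = {"WINDOWS": "pb-default-windows", "AMAZON_LINUX_2": "pb-default-al2"}

PATCH_GROUP_TAG = "Patch Group"  # the tag key Patch Manager reads on the instance


def baseline_for(os_name, patch_group):
    """Baseline Patch Manager applies: the one the group is registered with for
    this OS, otherwise the OS default baseline."""
    for (baseline_id, baseline_os), groups in BASELINES.items():
        if baseline_os == os_name and patch_group in groups:
            return baseline_id
    return DEFAULT_BASELINE[os_name]


def resolve_window_targets(target_patch_group):
    """Instances a maintenance window targeting tag 'Patch Group'=<value> would
    run AWS-RunPatchBaseline against, mapped to the baseline each one gets."""
    return {
        instance_id: baseline_for(os_name, target_patch_group)
        for instance_id, (os_name, tags) in INSTANCES.items()
        if tags.get(PATCH_GROUP_TAG) == target_patch_group
    }


def audit_patch_groups():
    """Pre-flight check: instances with no patch group tag, or whose group is
    not registered for their OS (they silently get the default baseline)."""
    findings = []
    for instance_id, (os_name, tags) in INSTANCES.items():
        group = tags.get(PATCH_GROUP_TAG)
        if group is None:
            findings.append((instance_id, "missing 'Patch Group' tag"))
        elif baseline_for(os_name, group) == DEFAULT_BASELINE[os_name]:
            findings.append((instance_id, f"{group} not registered for {os_name}"))
    return findings
```

Running `audit_patch_groups()` before the first window fires shows the WINDOWS2 nodes and the mis-tagged Linux host would be patched from default baselines rather than the custom one.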