Thu Kha Kyawe

How To Configure AWS Systems Manager Patch Manager

1. Create an IAM Role for Systems Manager Permissions

  • Choose IAM from AWS Console

  • Click Create Role

  • Choose EC2

  • Choose EC2 Role for AWS Systems Manager

  • Click Next

  • Click Next

  • Set Role Name TKK-AmazonSSMManagedInstanceCore

  • Click Create role

  • Role is created.

2. Create a Linux Instance

  • Create a Linux instance using Ubuntu 22.04 and wait for the creation to finish.

3. Create a Windows Instance

  • Create a Windows instance using Windows Server 2022 and wait for the creation to finish.

4. Attach the IAM Role to the Instances

  • Select the Windows instance

  • Click Actions > Security > Modify IAM role

  • Select TKK-AmazonSSMManagedInstanceCore and click Update IAM role

  • Click Stop Instance

  • Click Start Instance (the SSM Agent picks up the new instance profile on restart)

  • Repeat these steps for the Linux instance.

5. Check That Your Instances Appear in Systems Manager

  • Go to Systems Manager

  • Go to Fleet Manager

  • Once both instances are listed as managed nodes, you can proceed to the next steps.

6. Create new patch baselines

  • In the navigation bar, type Systems Manager into the search box, and then select Systems Manager

  • In the navigation pane, select Patch Manager, and then select Patch baselines
  • In Patch baselines, select Create patch baseline

  • Name - Linux-Ubuntu-custombaseline-TKK
  • Description - Custom patch baseline for Ubuntu
  • Operating System - Select Ubuntu
  • Products - Select All
  • Compliance reporting - Select Critical
  • Section - Select All
  • Priority - Select Important
  • Click Create patch baseline

  • In Patch baselines, select Create patch baseline
  • Name - Win2022-DefenderAV-custombaseline-TKK
  • Description - Custom patch baseline for Windows Server 2022
  • Operating System - Select Windows
  • Products - Select All
  • Approve patches after a specified number of days - 5
  • Classification - Select CriticalUpdates, DefinitionUpdates and SecurityUpdates
  • Compliance reporting - Select Critical
  • Severity - Select Critical, Important
  • Click Create patch baseline

  • Check that you have created a custom baseline for both instances (one for Ubuntu, one for Windows).

7. Enable the Amazon EC2 OpsData Source in Explorer and Set Up Recording in AWS Config

  • Click Get started

  • Click Enable Explorer

8. Enable AWS Config

  • Click Get started

  • Use the default settings and click Next

  • Choose EC2 and click the checkbox to select all rules

  • Click Next

  • Click Confirm

  • Click Create

9. Add a Patch Group to a Patch Baseline

  • In Patch baselines, search for and select Linux-Ubuntu-custombaseline-TKK, and then on the Actions menu, select Modify patch groups.
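The two baselines from step 6 and the patch-group binding from step 9, expressed as the same SSM API parameters the console sends (equivalent to aws ssm create-patch-baseline --cli-input-json). This is an added example, not code from the post: it assumes boto3 only for the live call, the patch group name TKK-patch-group is a constructed placeholder, and instances must carry the tag key "Patch Group" with that value for the baseline to apply to them.

```python
"""Build the post's two patch baselines as SSM API parameters (added example)."""
import json


def approval_rule(filters, compliance="CRITICAL", approve_after_days=0):
    """One PatchRule: a PatchFilterGroup plus compliance level and approval delay."""
    return {
        "PatchFilterGroup": {
            "PatchFilters": [{"Key": k, "Values": v} for k, v in filters]
        },
        "ComplianceLevel": compliance,
        "ApproveAfterDays": approve_after_days,
    }


def ubuntu_baseline_params():
    """Linux-Ubuntu-custombaseline-TKK: Products All, Section All, Priority Important."""
    return {
        "Name": "Linux-Ubuntu-custombaseline-TKK",
        "Description": "Custom patch baseline for Ubuntu",
        "OperatingSystem": "UBUNTU",
        "ApprovalRules": {"PatchRules": [approval_rule([
            ("PRODUCT", ["*"]), ("SECTION", ["*"]), ("PRIORITY", ["Important"]),
        ])]},
    }


def windows_baseline_params():
    """Win2022-DefenderAV-custombaseline-TKK: approve after 5 days, 3 classes, 2 severities."""
    return {
        "Name": "Win2022-DefenderAV-custombaseline-TKK",
        "Description": "Custom patch baseline for Windows Server 2022",
        "OperatingSystem": "WINDOWS",
        "ApprovalRules": {"PatchRules": [approval_rule([
            ("PRODUCT", ["*"]),
            ("CLASSIFICATION", ["CriticalUpdates", "DefinitionUpdates", "SecurityUpdates"]),
            ("MSRC_SEVERITY", ["Critical", "Important"]),
        ], approve_after_days=5)]},
    }


def create_and_register(ssm, params, patch_group):
    """Create the baseline, then bind it to a patch group (step 9 via the API).

    `ssm` is a boto3 SSM client passed in by the caller, so this module has no
    network dependency and the builders above can be used offline.
    """
    baseline_id = ssm.create_patch_baseline(**params)["BaselineId"]
    ssm.register_patch_baseline_for_patch_group(BaselineId=baseline_id, PatchGroup=patch_group)
    return baseline_id


if __name__ == "__main__":
    # Emit JSON for: aws ssm create-patch-baseline --cli-input-json file://baseline.json
    print(json.dumps(ubuntu_baseline_params(), indent=2))
    print(json.dumps(windows_baseline_params(), indent=2))
```

To run it live: `create_and_register(boto3.client("ssm"), ubuntu_baseline_params(), "TKK-patch-group")`, then tag the instances with Patch Group = TKK-patch-group (constructed name).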

How do you turn off AWS Config?

    1. Turn off recording for that region using the console
    2. Delete the rule by going to Actions, Delete rule
    3. Use the AWS CLI and delete the default recorder with

aws configservice delete-configuration-recorder --configuration-recorder-name default --region <region-name>

    4. Delete the service-linked role created for AWS Config

Repository: AWS Learning Labs
