Patch Management for Amazon EC2 Instances: Creating Patch Baselines

Amazon provides some tools for automating the patch management process -- here's how to do it.

One of the big ongoing maintenance tasks that datacenter admins have to deal with is patch management, and that need doesn't go away simply because a workload gets moved to the cloud. Amazon Elastic Compute Cloud (EC2) instances need to be patched just like VMs that are running on-premises. Thankfully, Amazon provides some tools for automating the patch management process.

The first step in automating patch management for Amazon EC2 workloads is to create one or more patch baselines. Technically, there are several patch baselines that exist by default, but odds are that the default baselines aren't going to line up exactly with your patch management needs, and that you'll probably want to create some custom patch baselines instead. In case you're wondering, a patch baseline is just a collection of approval rules and exceptions that control how patches are applied to Amazon EC2 instances.

To get started, log into the Amazon EC2 dashboard, expand the Systems Manager Services section in the console tree, and then click on Patch Baselines. When you do, you'll see the default patch baselines that I mentioned a moment ago. If you look at Figure 1, you can see that there's a separate patch baseline for each OS. This is because each OS has its own unique patching requirements.

To create your own custom patch baseline, click on the Create Patch Baseline button, which you can see in Figure 1. When you do, you'll be taken to the Create Patch Baseline screen, which is shown in Figure 2.

Figure 1. Several patch baselines exist by default.
Figure 2. This is the Create Patch Baseline screen.

The first thing you need to do is come up with a name and a description for the patch baseline that you're creating. Remember that a patch baseline is a collection of rules, so your chosen name and description should somehow reflect the purpose of those rules.

The next step in the process is to choose the OS to which the patch baseline will apply. Patch baselines are OS-specific, so you might create a patch baseline for Windows, or Linux, or whatever OS you need to patch.

Now it's time to begin creating some approval rules. The interface used for this process varies a bit depending on what OS you choose. In most cases, however, the first step is to specify the product. You can think of the product as being the OS edition or version. For example, if you set the OS type to Windows, then the Product list will contain options for things like Windows 10, Windows Server 2016 and Windows Server 2012 R2. Although you cannot mix Windows and Linux approval rules within a common patch baseline, a patch baseline can include multiple versions of Windows.

Next, you need to choose a classification. The classification refers to the type of patch. This might include critical updates, definition updates, drivers, feature packs and other common types of patches. You'll need to select the patch classification to which you want the approval rule to apply.

Now you'll need to choose a severity level. For example, you can make the rule apply only to critical patches or important patches.

The next step in the process is to choose the number of days to wait before approving the patch for deployment. After that, you can assign a compliance level to the patch. For instance, you might consider the deployment of patches that meet the rule's criteria to be critical.

So to put this into perspective, imagine you wanted to deploy all critical Windows 10 patches without delay. In that situation, you would set the product to Windows 10, the Classification to All, and the Severity to Critical. You could then set the Auto Approval Delay to 0 and then pick a compliance level of your choosing (most likely Critical).

You can use the Add Rule button to create additional rules within the patch baseline. A single patch baseline can contain up to 10 rules. Once all of the rules are in place, you can click on the Create Patch Baseline button to create the patch baseline, unless you need to specify any exceptions first.
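The same baseline can be defined as code rather than clicked through the console. The following is an added example, not from the article: it builds the CreatePatchBaseline request body for the Windows 10 critical-patch case above (using the Systems Manager API's filter keys PRODUCT, CLASSIFICATION and MSRC_SEVERITY), enforces the 10-rule limit and the approval-delay range before anything is sent, and leaves room for the rejected-patch exceptions mentioned above. The baseline name and description are made up for illustration.

```python
import json

# API-side names for the three filters the Windows baseline form exposes.
PRODUCT_KEY, CLASSIFICATION_KEY, SEVERITY_KEY = "PRODUCT", "CLASSIFICATION", "MSRC_SEVERITY"
COMPLIANCE_LEVELS = {"CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNSPECIFIED"}
MAX_RULES = 10  # a single patch baseline holds at most 10 approval rules


def approval_rule(products, classifications, severities, approve_after_days, compliance):
    """One approval rule: product/classification/severity filters plus delay and compliance level."""
    if not 0 <= approve_after_days <= 360:  # API range for ApproveAfterDays
        raise ValueError("ApproveAfterDays must be between 0 and 360")
    if compliance not in COMPLIANCE_LEVELS:
        raise ValueError(f"unknown compliance level {compliance!r}")
    return {
        "PatchFilterGroup": {
            "PatchFilters": [
                {"Key": PRODUCT_KEY, "Values": list(products)},
                {"Key": CLASSIFICATION_KEY, "Values": list(classifications)},  # "*" means All
                {"Key": SEVERITY_KEY, "Values": list(severities)},
            ]
        },
        "ApproveAfterDays": approve_after_days,
        "ComplianceLevel": compliance,
    }


def build_windows_baseline(name, description, rules, rejected_patches=()):
    """Assemble the request body; rejected_patches are the exceptions the form lets you add."""
    if not rules:
        raise ValueError("a baseline needs at least one approval rule")
    if len(rules) > MAX_RULES:
        raise ValueError(f"a baseline holds at most {MAX_RULES} rules, got {len(rules)}")
    request = {
        "Name": name,
        "Description": description,
        "OperatingSystem": "WINDOWS",  # Windows and Linux rules never share a baseline
        "ApprovalRules": {"PatchRules": list(rules)},
    }
    if rejected_patches:
        request["RejectedPatches"] = list(rejected_patches)
    return request


# The article's worked case: every Critical Windows 10 patch, approved with no delay.
# Name and description are constructed for this example.
WIN10_CRITICAL = build_windows_baseline(
    "Win10-Critical-NoDelay",
    "Approve critical Windows 10 patches immediately",
    [approval_rule(["Windows10"], ["*"], ["Critical"], 0, "CRITICAL")],
)

if __name__ == "__main__":
    # Save this output and pass it to: aws ssm create-patch-baseline --cli-input-json file://baseline.json
    print(json.dumps(WIN10_CRITICAL, indent=2))
```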

As you can see, setting up patch baselines is a relatively straightforward process. It is worth noting, however, that there's more to the patching process than just setting up a patch baseline. I'll show you the rest of the process in my next article.

About the Author

Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.

