Centralized Multi-Account and Multi-Region Patching with AWS Systems Manager Automation
This blog shows how to manage patch compliance reports across the AWS Organization accounts. If you're looking at how to do/install patching across accounts in the Organization, you can review this blog below.

AWS Systems Manager Automation now supports multi-account and multi-Region actions, enabling you to centrally manage your AWS resources. You're right that it gives you the ability to patch by resource groups, to logically group your managed instances across the Organization. You will need to create the required IAM service roles used by Automation in the management and target accounts. After you have created your IAM roles, create a custom Automation Document for executing patch baseline operations. Then you can execute Automation Documents that target your managed instances via resource groups in target accounts. You can also customize your workflow further by creating your own Automation Document based on the document AWS-PatchInstanceWithRollback, across the fleets/groups in the Organization.
https://aws.amazon.com/blogs/mt/centralized-multi-account-and-multi-region-patching-with-aws-systems-manager-automation/

Operating system patching has always been a management overhead. AWS Systems Manager is considered a better option for patching different types of machines, and the OS patching process can be automated. Organizations these days have multiple AWS accounts and need to centralize the patching process to reduce the time and overhead required for enterprise-wide configuration, operational actions, and compliance remediation. This blog illustrates step by step how to use AWS Systems Manager Automation to patch managed instances across multiple AWS accounts and Regions. We use Resource Groups together with IAM role assumption to patch the machines from a central account.
What is Operating System Patching?
Patches are operating system and software updates that are released at periodic intervals to eliminate vulnerabilities present in the operating system or software. Software patches are also released by vendors to deliver security enhancements and fix performance bugs.

What is AWS Systems Manager Patch Manager?
Updating patches manually is a laborious process. AWS Systems Manager Patch Manager automates the process of updating Windows and Linux managed instances. Patches can be installed on individual instances or on a large group of instances by using Amazon EC2 tags. AWS Systems Manager uses the following four-step process for centralized multi-account OS patching:

Step 1: Creating resource groups
Resource groups make simultaneous management and automation of large numbers of resources easier. Resource groups can be created based on server function, for example web servers and databases. In addition, resource groups help you avoid deploying patches to the wrong set of instances. After opening the AWS Systems Manager console, select "Find Resources" from the left navigation pane. In the example that follows, the group of instances that we want to patch has been tagged. I am using the following values for the Resource Group and Tags:
Resource Group Name: RG-Linux-SSM
Resource Group Tag Key: ssm-linuxpatching
Resource Group Tag Value: True
A fleet of instances carrying these tags can be patched using this approach. Go to the AWS Console and open "Resource Groups & Tag Editor" from the service list, click "Create resource group", select Group Type as Tag-based and Resource Type as AWS::EC2::Instance, and provide the tag name based on the use case. Once you add the tag, click the "Preview group resources" option to view the instances that fall under the resource group. We need to create resource groups in all accounts (management and target accounts).
Step 2: Set up the required IAM roles
First, log in to the Master (management) Account and create the following IAM roles:
Attach AmazonSSMAutomationRole (AWS managed policy) and add ExecutionPolicy as an inline policy.
Then edit "Trust Relationships" and provide the following policy:
Add the inline policies below:
Note: Make sure to replace
Now we need to log in to our target accounts and create the following IAM roles:
Attach AmazonSSMAutomationRole (AWS managed policy) and add the inline policies below:
Edit trust relationships and add the following:
Add the inline policies below:
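The trust and inline policies referenced in Step 2 are not reproduced on this page, so the Python script below is an added example (not the page's or AWS's own policies) of the two least-privilege properties worth checking before cross-account Automation is enabled: the target-account role should trust only ssm.amazonaws.com and the management account's Automation administration role, not the whole management account, and the management role's inline policy should be allowed to assume only the execution role by name across target accounts. The account IDs and role names in it are constructed placeholders, and the weak variants shown beside the good ones are the misconfigurations the checks are meant to flag.

```python
"""Least-privilege checks for the two cross-account Automation roles.

Constructed example policies; the account ID 111111111111 and the
Example-* role names are placeholders, not values from the page.
"""
import re

MGMT_ACCOUNT = "111111111111"  # placeholder management account
ADMIN_ROLE_ARN = f"arn:aws:iam::{MGMT_ACCOUNT}:role/Example-AutomationAdministrationRole"
EXECUTION_ROLE_NAME = "Example-AutomationExecutionRole"  # role created in each target account

# Trust policy of the TARGET-account role: only the Automation service and the
# management account's administration role may assume it.
TARGET_TRUST_GOOD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ssm.amazonaws.com"}, "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"AWS": ADMIN_ROLE_ARN}, "Action": "sts:AssumeRole"},
    ],
}

# Weak variant: trusting the management account root means any principal in that
# account holding sts:AssumeRole can reach the target account, not just Automation.
TARGET_TRUST_WEAK = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{MGMT_ACCOUNT}:root"}, "Action": "sts:AssumeRole"},
    ],
}

# Inline policy on the MANAGEMENT-account role: assume only the execution role by
# its exact name in any target account.
MGMT_ASSUME_GOOD = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Resource": f"arn:aws:iam::*:role/{EXECUTION_ROLE_NAME}"}],
}
MGMT_ASSUME_WEAK = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}],
}


def _as_list(value):
    """IAM lets most fields be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _grants_assume_role(statement):
    actions = _as_list(statement.get("Action", []))
    return statement.get("Effect") == "Allow" and any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions)


def audit_target_trust_policy(policy, admin_role_arn):
    """Findings for the target-account role's trust policy (empty list = OK)."""
    findings, trusted_admin = [], False
    for st in policy.get("Statement", []):
        if not _grants_assume_role(st):
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            findings.append("trust policy allows any principal (*)")
            continue
        for arn in _as_list(principal.get("AWS", [])):
            if arn == "*":
                findings.append("trust policy allows any AWS principal (*)")
            elif arn.endswith(":root") or re.fullmatch(r"\d{12}", arn):
                findings.append(f"trust policy trusts a whole account ({arn}) instead of the administration role")
            elif arn == admin_role_arn:
                trusted_admin = True
            else:
                findings.append(f"unexpected principal {arn}")
        for svc in _as_list(principal.get("Service", [])):
            if svc != "ssm.amazonaws.com":
                findings.append(f"unexpected service principal {svc}")
    if not trusted_admin:
        findings.append("administration role is not trusted, so cross-account Automation will fail or run under a broader grant")
    return findings


def audit_mgmt_assume_policy(policy, execution_role_name):
    """Findings for the management role's inline sts:AssumeRole permission."""
    findings = []
    expected = f"arn:aws:iam::*:role/{execution_role_name}"
    for st in policy.get("Statement", []):
        if not _grants_assume_role(st):
            continue
        for res in _as_list(st.get("Resource", [])):
            if res == "*":
                findings.append("sts:AssumeRole on Resource * lets this role assume any role that trusts it")
            elif res != expected:
                findings.append(f"sts:AssumeRole scoped to {res}, expected {expected}")
    return findings


if __name__ == "__main__":
    for label, result in [
        ("target trust (good)", audit_target_trust_policy(TARGET_TRUST_GOOD, ADMIN_ROLE_ARN)),
        ("target trust (weak)", audit_target_trust_policy(TARGET_TRUST_WEAK, ADMIN_ROLE_ARN)),
        ("mgmt assume (good)", audit_mgmt_assume_policy(MGMT_ASSUME_GOOD, EXECUTION_ROLE_NAME)),
        ("mgmt assume (weak)", audit_mgmt_assume_policy(MGMT_ASSUME_WEAK, EXECUTION_ROLE_NAME)),
    ]:
        print(label, "->", result or "OK")
```

The checks run against policy documents as returned by `aws iam get-role` and `aws iam get-role-policy`, so they can be dropped into a pre-deployment review; the service principal ssm.amazonaws.com is the one Automation itself uses to assume the role.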
Step 3: Patch Baselines Configuration
Patch baselines define which patches are approved for installation on your instances, based on approval rules. AWS Systems Manager Patch Manager provides predefined patch baselines for each supported operating system. Go to "Systems Manager" in the management account and select "Patch Manager" from the menu, then click "View predefined patch baselines". Then click "Create patch baseline" and provide the Patch Baseline Name as "ssm-patchbaselineforlinux" and the description as "Patch Baseline for Linux Machines". Select the OS (here I am taking Amazon Linux 2) and select the Product for your OS. Set severity and classification as per your requirement, then click the "Create patch baseline" option. Each patch baseline should be associated with a patch group. A patch group is created using Amazon EC2 tags and must be defined with the tag key Patch Group. The patch group is used to associate instances with a specific patch baseline. In this scenario, I created a patch group named "ssmlinux-prod" and associated it with the custom patch baseline. Go to Patch Manager, select the patch baseline we created earlier, click Actions and then Modify patch groups, provide the patch group name, and click Add.

Step 4: Create an Automation Document to execute patch baseline operations
I have created a custom Automation Document in the management account, which will execute the Command Document AWS-RunPatchBaseline. From the AWS Systems Manager console of the management account, select "Documents" from the left navigation pane and choose Create document.
{
  "outputs": [
    "runPatchBaseline.Output"
  ],
  "description": "Automation document to execute the Command document AWS-RunPatchBaseline",
  "schemaVersion": "0.3",
  "assumeRole": "{{AutomationAssumeRole}}",
  "parameters": {
    "AutomationAssumeRole":
    {
      "description": "(Required) The update or configuration to perform on the instance. The system checks if patches specified in the patch baseline are installed on the instance. The install operation installs patches missing from the baseline.",
      "SnapshotId":
    {
      "mainSteps": [

Step 5: Execute Automation to patch resources in target accounts
In the management account AWS Systems Manager console, select Automation from the left navigation pane and select Execute Automation.
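The Step 4 document above survives only as a fragment, so the Python script below is an added example (not the page's document) that builds a complete Automation document of the same shape, one aws:runCommand step executing AWS-RunPatchBaseline, and lints it before it is handed to create-document: every {{placeholder}} must be a declared parameter, every output must name a real step, the Operation parameter may only allow Scan or Install, and its default should be Scan so that a bare execution never installs anything. The InstanceId parameter and the step's input names are assumptions for the example; the Operation description text is the one quoted on the page.

```python
"""Pre-flight lint for an SSM Automation document (schemaVersion 0.3).

EXAMPLE_DOC is a constructed document in the shape of the page's Step 4
document; it is not the page's own document. The InstanceId parameter and
the runCommand input layout are assumptions made for this example.
"""
import copy
import json
import re

EXAMPLE_DOC = {
    "schemaVersion": "0.3",
    "description": "Automation document to execute the Command document AWS-RunPatchBaseline",
    "assumeRole": "{{AutomationAssumeRole}}",
    "outputs": ["runPatchBaseline.Output"],
    "parameters": {
        "AutomationAssumeRole": {
            "type": "String",
            "description": "(Required) ARN of the role Automation assumes in the target account.",
        },
        "Operation": {
            "type": "String",
            "default": "Scan",
            "allowedValues": ["Scan", "Install"],
            "description": "(Required) The update or configuration to perform on the instance. "
                           "The system checks if patches specified in the patch baseline are installed "
                           "on the instance. The install operation installs patches missing from the baseline.",
        },
        "SnapshotId": {
            "type": "String",
            "default": "",
            "description": "(Optional) Patch baseline snapshot ID.",
        },
        "InstanceId": {  # assumed name; filled in per target by the executor's target parameter
            "type": "String",
            "description": "(Required) Instance the step runs on.",
        },
    },
    "mainSteps": [
        {
            "name": "runPatchBaseline",
            "action": "aws:runCommand",
            "inputs": {
                "DocumentName": "AWS-RunPatchBaseline",
                "InstanceIds": ["{{InstanceId}}"],
                "Parameters": {"Operation": "{{Operation}}", "SnapshotId": "{{SnapshotId}}"},
            },
        }
    ],
}

PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_:]+)\s*\}\}")


def _placeholders(node):
    """Yield every {{Name}} reference found in any string under node."""
    if isinstance(node, str):
        for m in PLACEHOLDER.finditer(node):
            yield m.group(1)
    elif isinstance(node, dict):
        for v in node.values():
            yield from _placeholders(v)
    elif isinstance(node, list):
        for v in node:
            yield from _placeholders(v)


def lint_automation_document(doc):
    """Return a list of findings; an empty list means the document passed."""
    findings = []
    if doc.get("schemaVersion") != "0.3":
        findings.append("schemaVersion must be 0.3 for Automation documents")
    params = doc.get("parameters", {})
    steps = doc.get("mainSteps", [])
    step_names = set()
    for i, step in enumerate(steps):
        if "name" not in step or "action" not in step:
            findings.append(f"mainSteps[{i}] lacks a name or action")
        step_names.add(step.get("name"))
    # System variables such as {{global:REGION}} contain ':' and are not parameters.
    for ref in sorted(set(_placeholders({"assumeRole": doc.get("assumeRole", ""), "steps": steps}))):
        if ":" not in ref and ref not in params:
            findings.append("{{" + ref + "}} is referenced but not declared in parameters")
    for out in doc.get("outputs", []):
        step = out.split(".", 1)[0]
        if step not in step_names:
            findings.append(f"output {out} refers to unknown step {step}")
    op = params.get("Operation", {})
    extra = set(op.get("allowedValues", [])) - {"Scan", "Install"}
    if extra:
        findings.append(f"Operation allows unexpected values: {sorted(extra)}")
    if op.get("default") == "Install":
        findings.append("Operation defaults to Install; prefer Scan so a bare execution is non-destructive")
    return findings


def check_variant(doc, remove_param=None, operation_default=None):
    """Lint a modified copy of doc, to show what the linter catches."""
    variant = copy.deepcopy(doc)
    if remove_param:
        variant["parameters"].pop(remove_param, None)
    if operation_default is not None:
        variant["parameters"]["Operation"]["default"] = operation_default
    return lint_automation_document(variant)


if __name__ == "__main__":
    print(json.dumps(EXAMPLE_DOC, indent=2))
    print("clean:", lint_automation_document(EXAMPLE_DOC))
    print("missing SnapshotId:", check_variant(EXAMPLE_DOC, remove_param="SnapshotId"))
    print("default Install:", check_variant(EXAMPLE_DOC, operation_default="Install"))
```

Run the linter over the JSON you are about to upload; a {{placeholder}} with no matching parameter is otherwise only discovered when the execution fails in a target account, after the role has already been assumed there.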
Step 6: Monitoring
Once the automation document is executed, you can monitor the execution status.

We have learned how to patch EC2 instances from a central account. Please share your valuable feedback in the comment section.

About CloudThat
CloudThat is a house of all-encompassing IT services on Cloud offering Multi-Cloud Security & Compliance, Cloud Enablement Services, Cloud-Native Application Development, OTT-Video Tech Delivery Services, Training & Development, and System Integration Services. Explore our consulting and expert advisory services here.

References
https://aws.amazon.com/blogs/mt/centralized-multi-account-and-multi-region-patching-with-aws-systems-manager-automation/

What is AWS patch management?
Patch Manager, a capability of AWS Systems Manager, automates the process of patching managed nodes with both security-related and other types of updates. You can use Patch Manager to apply patches for both operating systems and applications.

Which AWS service lets you manage AWS resources across all AWS accounts and Regions through a single operation?
AWS Systems Manager Automation lets you manage AWS resources across multiple accounts and Regions. It simplifies common administrative and maintenance tasks of AWS resources.

What is AMI patching in AWS?
AMI-replacement patching is done on immutable infrastructure by updating the AMI ID that is configured to deploy new Amazon EC2 instances in an Auto Scaling group. Amazon Machine Images (AMIs) are released on a regular basis for the supported operating systems.

How do I create an AWS patch group?
You can register a patch group with a patch baseline in one of two ways. You can use the register-patch-baseline-for-patch-group AWS Command Line Interface (AWS CLI) command, or you can view a patch baseline in the Systems Manager console and select Modify patch groups from the Actions menu.