AWS Patch Management
by Gaurav Sharma in Cloud, General
Patching AWS Servers
A lot of us assume that once we are in AWS, Amazon will take care of all infrastructure needs: we just spin up resources and, once they are running, they are automatically kept up to date. This is not true. For example, when you set up a server running Windows Server, you are responsible for making sure the OS is up to date. Under the AWS shared responsibility model, guest OS patching stays with you, because some of your applications might require a specific version, or applying a patch might break something. An instance that is not patched on time is therefore exposed to vulnerabilities that already have a public fix.
AWS provides a Patch Manager tool within Systems Manager, which can automate the process of patching the operating system on managed instances at scale. With Patch Manager, you can scan instances for missing patches and install them on individual instances or on large groups of instances selected by EC2 tags (Patch Manager groups instances by the value of the Patch Group tag). Patch Manager can also be used with Systems Manager Maintenance Windows, so you can schedule patch operations to run only inside a customized maintenance window.
AWS Systems Manager includes support for Windows Server, Ubuntu Server, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server (SLES) and Amazon Linux. It also provides a scanning facility to get a report of missing patches. The process can be automated so that Systems Manager scans and then installs every missing patch that the instance's patch baseline approves. Two prerequisites apply: the instance must be running SSM Agent, and its instance profile needs the Systems Manager permissions, or it will not appear as a managed instance at all.
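The scan, install, tag-targeting and maintenance-window pieces described above, put into CLI commands as an added example (this is not code from the original post or from AWS). AWS-RunPatchBaseline is the real AWS-managed document and "Patch Group" is the tag key Patch Manager uses; the group name web-prod, the Sunday 02:00 UTC cron schedule, the window and target IDs, and the sample patch-state rows are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the original post's code: drive Patch Manager from the AWS CLI.
# Assumed placeholders: patch group "web-prod", the cron schedule, window/target IDs.
set -eu

AWS_CLI="${AWS_CLI:-aws}"   # set AWS_CLI=echo to print the commands instead of running them

# Run AWS-RunPatchBaseline on every managed instance tagged "Patch Group"=<group>.
#   operation: Scan (report missing patches only) or Install (install approved ones)
# --max-concurrency / --max-errors stop one bad patch from taking out the whole group.
run_patch() {
  operation="$1"
  group="$2"
  reboot="${3:-RebootIfNeeded}"
  case "$operation" in
    Scan|Install) ;;
    *) echo "operation must be Scan or Install, got '$operation'" >&2; return 1 ;;
  esac
  "$AWS_CLI" ssm send-command \
    --document-name AWS-RunPatchBaseline \
    --targets "[{\"Key\":\"tag:Patch Group\",\"Values\":[\"$group\"]}]" \
    --parameters "{\"Operation\":[\"$operation\"],\"RebootOption\":[\"$reboot\"]}" \
    --max-concurrency 25% \
    --max-errors 10% \
    --comment "Patch Manager $operation for $group"
}

# Weekly maintenance window: Sunday 02:00 UTC (assumed schedule), 3 h long,
# no new tasks started in the final hour.
create_window() {
  "$AWS_CLI" ssm create-maintenance-window \
    --name "patch-$1" \
    --schedule "cron(0 2 ? * SUN *)" \
    --duration 3 \
    --cutoff 1 \
    --allow-unassociated-targets
}

# Attach the tagged instances to the window; prints the window target ID.
register_target() {
  "$AWS_CLI" ssm register-target-with-maintenance-window \
    --window-id "$1" \
    --resource-type INSTANCE \
    --targets "Key=tag:Patch Group,Values=$2"
}

# Register the Install run as the window's Run Command task, so installs (and the
# reboots they may need) happen only inside the agreed window.
register_install_task() {
  "$AWS_CLI" ssm register-task-with-maintenance-window \
    --window-id "$1" \
    --task-arn AWS-RunPatchBaseline \
    --task-type RUN_COMMAND \
    --targets "Key=WindowTargetIds,Values=$2" \
    --task-invocation-parameters '{"RunCommand":{"Parameters":{"Operation":["Install"],"RebootOption":["RebootIfNeeded"]}}}' \
    --max-concurrency 25% \
    --max-errors 10% \
    --priority 1
}

# Compliance check after a Scan. Feed it the text rows of
#   aws ssm describe-instance-patch-states --instance-ids <ids> --output text \
#     --query 'InstancePatchStates[].[InstanceId,MissingCount,FailedCount]'
# (one "instance-id missing failed" row per line); it prints the instances that are
# still missing patches or where a patch failed to install.
noncompliant() {
  while read -r id missing failed; do
    [ -n "$id" ] || continue
    missing="${missing:-0}"
    failed="${failed:-0}"
    if [ "$missing" -gt 0 ] || [ "$failed" -gt 0 ]; then
      echo "$id"
    fi
  done
}

# Constructed sample rows for an offline run of noncompliant (not real data).
SAMPLE_STATES='i-0a1b2c3d4e5f60001 0 0
i-0a1b2c3d4e5f60002 3 0
i-0a1b2c3d4e5f60003 0 1'

# Usage: sh patch.sh Scan web-prod | sh patch.sh Install web-prod | sh patch.sh check < states.txt
case "${1:-}" in
  Scan|Install) run_patch "$1" "${2:?patch group}" ;;
  check) noncompliant ;;
  "") ;;   # no arguments: only define the functions
  *) echo "usage: $0 Scan|Install <patch-group> | check" >&2; exit 2 ;;
esac
```

Run a Scan first and feed the patch states through `check`; only move to Install once the non-compliant list matches what you expect, and keep Install on the maintenance window rather than running it ad hoc.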
In our testing we found that OS patching was considerably faster with AWS Systems Manager. Our previous tools could take up to 90 minutes, while AWS Systems Manager completed the same tasks within 30 minutes on average. This translates into shorter maintenance windows. Overall, we feel that AWS Systems Manager is the perfect tool for patching servers in the AWS environment.