Set Up Scheduled EC2 Instance Patching

This guide provides a walkthrough for setting up the necessary configuration for AWS Systems Manager Patch Manager to automatically scan and/or apply patches to EC2 instances in an AWS environment. The following is included:

  • Maintenance Window to define the schedule for running the patch operations.
  • Optional Logging and Notification settings to track the patch operations.
  • Optional Custom Patch Baseline to set custom rules for which patches are applied, as well as Patch Groups to control which instances are associated with the new baseline.

 This configuration requires EC2 instances to be configured to use AWS Systems Manager. See below for full details on prerequisites.


Scheduling and Automation

AWS Systems Manager Maintenance Windows let you define a schedule for when to perform potentially disruptive actions on your instances such as patching an operating system, updating drivers, or installing software or patches.

The main configuration items for a Maintenance Window are:

  • Schedule: Define the recurring schedule, start time, duration, and cutoff time for the window. 
  • Targets: Define the target EC2 instances associated with this window (Based on Tags).
  • Tasks: Define the tasks that are run during the window.

Maintenance Window Schedule


The main items to configure for a Systems Manager Maintenance Window are: 

  • Name and Description to identify the Maintenance Window configuration.
  • A schedule to specify what day/time that the maintenance window starts. (Default: Saturday at 00:00)
  • A duration for the Maintenance Window, which should be configured to accommodate the number of EC2 instances that will be included in the operation. (Default: 4 hours)
  • A cutoff period where no new tasks are started when approaching the end of the duration of the window. (Default: 1 hour)

Define Targets


Specify the Targets for the Maintenance Window. The targets are specified using Amazon EC2 tags that are assigned to the instances.

Enter Tag Key/Value pairs to specify which EC2 instances the Maintenance Window performs actions on. Multiple tag values are supported for the same tag key.

Default is Tag Key: Automatic Patches, Tag Value: True

Define Task Settings

Systems Manager provides a predefined document AWS-RunPatchBaseline to trigger the patch operations. It can be configured to Scan only (and provide a report in the Systems Manager console), or Install missing patches.

Instance concurrency sets how many instances receive the command at the same time.

Enable Logging (Optional)


Enable the Write command output to an Amazon S3 bucket feature to save the patch operations output to a file on S3. Type the bucket and prefix (folder) names in the boxes.

Enable Notifications (Optional)


SNS notifications can be enabled to send notifications about the status of the command execution. You can specify an existing SNS topic or create a new one.

Notifications can be restricted to certain event types, and sent either per Invocation or per Command.
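As an added example (not part of the original guide or its template), the MaintenanceWindowTask resource with both optional settings enabled, reusing the guide's logical IDs MaintenanceWindow, MaintenanceWindowTarget and MaintWindowIamRole; the topic name, bucket name and prefix are placeholders:

```yaml
Resources:
  # Constructed topic; subscribe an e-mail address or queue to it after deployment
  PatchNotificationTopic:
    Type: 'AWS::SNS::Topic'
    Properties:
      TopicName: patch-manager-notifications
  MaintenanceWindowTask:
    Type: 'AWS::SSM::MaintenanceWindowTask'
    Properties:
      Name: Task-For-Patch-Manager-Maintenance-Window
      WindowId:
        Ref: MaintenanceWindow
      TaskType: RUN_COMMAND
      TaskArn: AWS-RunPatchBaseline
      Priority: 1
      MaxErrors: 1
      MaxConcurrency: 2
      Targets:
        - Key: WindowTargetIds
          Values:
            - Ref: MaintenanceWindowTarget
      ServiceRoleArn:
        Fn::GetAtt: [MaintWindowIamRole, Arn]
      TaskInvocationParameters:
        MaintenanceWindowRunCommandParameters:
          Parameters:
            Operation:
              - Scan                     # report only; switch to Install to apply patches
          # Output is written by SSM Agent on the instance, so the instance
          # profile (not the window role) needs s3:PutObject on this location
          OutputS3BucketName: patch-manager-output-bucket   # placeholder bucket name
          OutputS3KeyPrefix: patch-logs/                    # placeholder prefix
          # Notifications are published by the window service role, which
          # therefore needs sns:Publish on the topic
          NotificationConfig:
            NotificationArn:
              Ref: PatchNotificationTopic
            NotificationEvents:          # only the outcomes worth acting on
              - Failed
              - TimedOut
            NotificationType: Invocation # one message per instance; Command = one per run
          ServiceRoleArn:
            Fn::GetAtt: [MaintWindowIamRole, Arn]
```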

Patch Baseline

A patch baseline defines which patches are approved for installation on your instances. You can specify approved or rejected patches one by one. You can also create auto-approval rules to specify that certain types of updates (for example, critical updates) should be automatically approved.

Predefined Patch Baselines

Patch Manager provides predefined patch baselines for each of the operating systems supported by Patch Manager. You can use these baselines as they are currently configured (you can't customize them) or you can create your own patch baselines if you want greater control over which patches are approved or rejected for your environment.

The following table provides a quick description of each predefined baseline and its patch rules.

Approves all operating system patches that are classified as "Security" and that have a severity level of "Critical" or "Important". Patches are auto-approved seven days after release. Also auto-approves all patches with a classification of "Bugfix" seven days after release.

Custom Patch Baseline (Optional)


Custom Patch Baselines allow custom rules for selecting which patches are applied to instances and operating systems. Patches to be installed are defined based on rules (up to 10), which include the following options:

  • Operating System: Windows, Amazon Linux, Ubuntu Server, and so on.
  • Product: For example, RHEL 6.5, Amazon Linux 2014.09, Windows Server 2012, Windows Server 2012 R2, and so on.
  • Classification: For example, critical updates, security updates, and so on.
  • Severity: For example, critical, important, and so on.
  • Auto-approval delay: The number of days to wait after the patch was released before the patch is automatically approved for patching.

Patch Groups

Patch groups are used to associate instances with a specific patch baseline. Patch groups help ensure that you are deploying the appropriate patches, based on the associated patch baseline rules, to the correct set of instances.

Patch groups are tags assigned to instances; the tag key must be Patch Group, and the value can be anything. (The default configuration uses the value custom-patch-group.)

Optionally, enable Set as Default Patch Baseline to make the new Patch Baseline the default one for all instances. Review the patch rules carefully before selecting this option. (A CloudFormation custom resource is included to enable it.)
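The following AWS::SSM::PatchBaseline resource is an added example, not the guide's own custom baseline; it encodes the two rules described above for Amazon Linux 2 and attaches the baseline to the custom-patch-group patch group. The baseline name and the rejected kernel* pattern are illustrative choices:

```yaml
Resources:
  CustomPatchBaseline:
    Type: 'AWS::SSM::PatchBaseline'
    Properties:
      Name: Custom-Amazon-Linux-2-Baseline        # illustrative name
      Description: Security Critical/Important and Bugfix updates, 7 days after release
      OperatingSystem: AMAZON_LINUX_2
      # Instances tagged "Patch Group" = custom-patch-group are patched with this
      # baseline instead of the account default for the operating system
      PatchGroups:
        - custom-patch-group
      ApprovalRules:
        PatchRules:
          # Rule 1: Security patches rated Critical or Important, approved 7 days after release
          - PatchFilterGroup:
              PatchFilters:
                - Key: CLASSIFICATION
                  Values:
                    - Security
                - Key: SEVERITY
                  Values:
                    - Critical
                    - Important
            ApproveAfterDays: 7
            ComplianceLevel: CRITICAL   # missing patches from this rule report as CRITICAL non-compliance
          # Rule 2: Bugfix patches, approved 7 days after release
          - PatchFilterGroup:
              PatchFilters:
                - Key: CLASSIFICATION
                  Values:
                    - Bugfix
            ApproveAfterDays: 7
            ComplianceLevel: MEDIUM
            EnableNonSecurity: true     # allow the rule to apply non-security updates from the repository
      # Explicit exceptions take precedence over the rules above
      RejectedPatches:
        - kernel*                       # illustrative: keep kernel updates on a separate, tested cycle
      RejectedPatchesAction: BLOCK      # packages depending on a rejected patch are blocked as well
```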

Review and Deploy


AWSTemplateFormatVersion: '2010-09-09'
Description: ''
# Structural keys that were lost in extraction (Resources, Properties, Targets, Values,
# Fn::GetAtt, AssumeRolePolicyDocument, PolicyDocument, ...) are restored from the
# surviving values and the logical IDs referenced by Ref.
Resources:
  MaintenanceWindow:
    Type: 'AWS::SSM::MaintenanceWindow'
    Properties:
      Name: Patch-Manager-Maintenance-Window
      Description: SSM Maintenance Window to automate AWS Patch Manager tasks
      Duration: '4'
      Cutoff: '1'
      Schedule: cron(00 00 ? * SAT *)
      AllowUnassociatedTargets: false
  MaintenanceWindowTarget:
    Type: 'AWS::SSM::MaintenanceWindowTarget'
    Properties:
      Name: Target-For-Patch-Manager-Maintenance-Window
      Description: 'Defines the EC2 Instance Targets for Maintenance Window: Patch-Manager-Maintenance-Window'
      ResourceType: INSTANCE
      WindowId:
        Ref: MaintenanceWindow
      Targets:
        - Key: 'tag:Automatic Patches'
          Values:
            - 'True'
  MaintenanceWindowTask:   # logical ID not present in the extracted text; assumed
    Type: 'AWS::SSM::MaintenanceWindowTask'
    Properties:
      Name: Task-For-Patch-Manager-Maintenance-Window
      Description: 'Defines the Task for Maintenance Window: Patch-Manager-Maintenance-Window'
      ServiceRoleArn:
        Fn::GetAtt:
          - MaintWindowIamRole
          - Arn
      Priority: 1
      MaxErrors: 1
      MaxConcurrency: 2
      Targets:
        - Key: WindowTargetIds
          Values:
            - Ref: MaintenanceWindowTarget
      TaskType: RUN_COMMAND
      WindowId:
        Ref: MaintenanceWindow
      TaskArn: AWS-RunPatchBaseline
      TaskInvocationParameters:
        MaintenanceWindowRunCommandParameters:
          Parameters:
            Operation:
              - Install
          ServiceRoleArn:
            Fn::GetAtt:
              - MaintWindowIamRole
              - Arn
  MaintWindowIamRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: MaintWindowIamRoleAre
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ssm.amazonaws.com   # the Systems Manager service assumes the Maintenance Window role
            Action:
              - 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AmazonSSMMaintenanceWindowRole'
  MaintWindowIamPolicy:    # logical ID not present in the extracted text; assumed
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: taskRolePermissions
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # The window role passes itself to Run Command, so it needs iam:PassRole on its own ARN only
          - Effect: Allow
            Action: 'iam:PassRole'
            Resource:
              Fn::GetAtt:
                - MaintWindowIamRole
                - Arn
      Roles:
        - Ref: MaintWindowIamRole
Parameters: {}
Metadata: {}
Conditions: {}