Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.2.3.3. Automating System Inventory, Configuration, Patch Management (Systems Manager, Config)

Patch management at scale is a compliance requirement — manual patching guarantees some instances will be missed.

SSM Inventory collects metadata from managed instances: installed applications, OS version, network configuration, Windows updates. A resource data sync exports the collected data to S3 for fleet-wide analysis with Athena.

SSM Patch Manager automates OS and application patching:

  1. Patch baseline: Defines which patches to approve (e.g., auto-approve security patches 7 days after release)
  2. Patch group: Tag-based instance grouping (e.g., PatchGroup: Production-Linux)
  3. Maintenance window: Scheduled patching time
  4. Compliance reporting: Patch status per instance

# Create a patch baseline for critical security patches
aws ssm create-patch-baseline \
  --name "ProdLinuxBaseline" \
  --operating-system "AMAZON_LINUX_2" \
  --approval-rules '{
    "PatchRules": [{
      "PatchFilterGroup": {
        "PatchFilters": [
          {"Key": "SEVERITY", "Values": ["Critical", "Important"]},
          {"Key": "CLASSIFICATION", "Values": ["Security"]}
        ]
      },
      "ApproveAfterDays": 7,
      "ComplianceLevel": "CRITICAL"
    }]
  }'

Patching workflow: Maintenance Window triggers → Patch Manager scans → downloads and installs approved patches → reports compliance → optionally reboots.

Exam Trap: Patch Manager can scan without installing (Scan vs Install). Use Scan first to understand the compliance gap before scheduling installation. Also, Patch Manager doesn't support container images — use ECR scanning and Image Builder for containers.
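To make the approval rule and the Scan-first workflow concrete, here is an added Python example (not from the course page or the AWS SDK): it applies the same PatchRules as the CLI baseline above to a constructed patch feed and reports each instance's compliance gap locally, with no SSM API call. Patch ids, release dates and instance ids are hypothetical.

```python
from datetime import date, timedelta

# Same rule as the CLI baseline above: Security patches of Critical/Important
# severity become approved 7 days after release, at compliance level CRITICAL.
BASELINE = {"PatchRules": [{
    "PatchFilterGroup": {"PatchFilters": [
        {"Key": "SEVERITY", "Values": ["Critical", "Important"]},
        {"Key": "CLASSIFICATION", "Values": ["Security"]}]},
    "ApproveAfterDays": 7,
    "ComplianceLevel": "CRITICAL"}]}

# Constructed patch feed (hypothetical ids and dates, not real advisories).
AVAILABLE = [
    {"Id": "kernel-5.10.1", "SEVERITY": "Critical", "CLASSIFICATION": "Security", "Released": "2026-01-01"},
    {"Id": "openssl-1.1.1x", "SEVERITY": "Important", "CLASSIFICATION": "Security", "Released": "2026-01-20"},
    {"Id": "vim-9.0.1", "SEVERITY": "Low", "CLASSIFICATION": "Bugfix", "Released": "2025-12-01"},
]

# Constructed fleet (PatchGroup: Production-Linux); values are installed patch ids.
FLEET = {"i-0aaa": {"kernel-5.10.1"}, "i-0bbb": set()}

def rule_matches(rule, patch):
    """All filters inside one PatchFilterGroup must match (AND semantics)."""
    return all(patch.get(f["Key"]) in f["Values"]
               for f in rule["PatchFilterGroup"]["PatchFilters"])

def approved_patches(baseline, available, today):
    """Map patch id -> compliance level for patches whose ApproveAfterDays delay has elapsed."""
    as_of = date.fromisoformat(today)
    approved = {}
    for rule in baseline["PatchRules"]:
        delay = timedelta(days=rule["ApproveAfterDays"])
        for p in available:
            if rule_matches(rule, p) and date.fromisoformat(p["Released"]) + delay <= as_of:
                approved[p["Id"]] = rule["ComplianceLevel"]
    return approved

def scan(baseline, available, fleet, today):
    """Scan operation: report each instance's missing approved patches; install nothing."""
    approved = approved_patches(baseline, available, today)
    report = {}
    for instance, installed in fleet.items():
        missing = sorted(pid for pid in approved if pid not in installed)
        report[instance] = {"Missing": missing,
                            "State": "COMPLIANT" if not missing else "NON_COMPLIANT"}
    return report

if __name__ == "__main__":
    for instance, result in scan(BASELINE, AVAILABLE, FLEET, "2026-01-15").items():
        print(instance, result)
```

Run on 2026-01-15 the openssl patch is still inside its 7-day delay, so only the kernel patch counts against compliance; re-run after 2026-01-27 and both do.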

Written by Alvin Varughese, Founder, 15 professional certifications