2.2.3.3. Automating System Inventory, Configuration, Patch Management (Systems Manager, Config)
Patch management at scale is a compliance requirement — manual patching guarantees some instances will be missed.
SSM Inventory collects metadata from managed instances: installed applications, OS version, network config, Windows updates. Data syncs to S3 for fleet-wide analysis with Athena.
SSM Patch Manager automates OS and application patching:
- Patch baseline: Defines which patches to approve (e.g., auto-approve security patches 7 days after release)
- Patch group: Tag-based instance grouping (e.g., tag `PatchGroup: Production-Linux`)
- Maintenance window: Scheduled patching time
- Compliance reporting: Patch status per instance
```bash
# Create a patch baseline for critical security patches.
# Patches matching both filters are auto-approved 7 days after release;
# an instance missing any of them is reported at the CRITICAL compliance level.
aws ssm create-patch-baseline \
  --name "ProdLinuxBaseline" \
  --operating-system "AMAZON_LINUX_2" \
  --approval-rules '{
    "PatchRules": [{
      "PatchFilterGroup": {
        "PatchFilters": [
          {"Key": "SEVERITY", "Values": ["Critical", "Important"]},
          {"Key": "CLASSIFICATION", "Values": ["Security"]}
        ]
      },
      "ApproveAfterDays": 7,
      "ComplianceLevel": "CRITICAL"
    }]
  }'
```
Patching workflow: Maintenance Window triggers → Patch Manager scans → downloads and installs approved patches → reports compliance → optionally reboots.
Exam Trap: Patch Manager can scan without installing (Scan vs Install). Use Scan first to understand the compliance gap before scheduling installation. Also, Patch Manager doesn't support container images — use ECR scanning and Image Builder for containers.
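The compliance-reporting bullet and the "Scan first" tip both come down to the same question: after a Scan run, which instances in the patch group are non-compliant, which need a reboot, which have a stale scan, and which never reported at all (the instances manual patching would miss). The script below is an added example, not part of the original notes or any AWS tooling. It works offline on a constructed sample shaped like the `InstancePatchStates` list that `aws ssm describe-instance-patch-states-for-patch-group` returns, plus a constructed list of the instance IDs that carry the `PatchGroup` tag; the instance IDs, timestamps and counts are made up, and the 7-day staleness threshold is an assumption, not an SSM setting.

```python
"""Turn SSM Patch Manager Scan results into a fleet-wide compliance gap report.

Added example (not from the original notes). Input shape follows the
InstancePatchStates[] entries that describe-instance-patch-states-for-patch-group
returns; the sample values themselves are constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed: instance IDs carrying the tag PatchGroup=Production-Linux
# (what a describe-instances tag filter would give you).
TAGGED_INSTANCES = ["i-0aaa", "i-0bbb", "i-0ccc", "i-0ddd", "i-0eee"]

# Constructed: Scan/Install results. i-0eee is deliberately absent: it is
# tagged but has never reported a patch state (no agent, no instance role, ...).
SAMPLE_PATCH_STATES = [
    {"InstanceId": "i-0aaa", "PatchGroup": "Production-Linux", "Operation": "Scan",
     "MissingCount": 0, "FailedCount": 0, "InstalledPendingRebootCount": 0,
     "CriticalNonCompliantCount": 0, "OperationEndTime": "2024-05-01T02:10:00+00:00"},
    {"InstanceId": "i-0bbb", "PatchGroup": "Production-Linux", "Operation": "Scan",
     "MissingCount": 3, "FailedCount": 0, "InstalledPendingRebootCount": 0,
     "CriticalNonCompliantCount": 2, "OperationEndTime": "2024-05-01T02:12:00+00:00"},
    {"InstanceId": "i-0ccc", "PatchGroup": "Production-Linux", "Operation": "Install",
     "MissingCount": 0, "FailedCount": 0, "InstalledPendingRebootCount": 4,
     "CriticalNonCompliantCount": 0, "OperationEndTime": "2024-05-01T02:15:00+00:00"},
    {"InstanceId": "i-0ddd", "PatchGroup": "Production-Linux", "Operation": "Scan",
     "MissingCount": 0, "FailedCount": 0, "InstalledPendingRebootCount": 0,
     "CriticalNonCompliantCount": 0, "OperationEndTime": "2024-03-01T02:10:00+00:00"},
]

# Fixed clock so the example is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 5, 2, tzinfo=timezone.utc)


def compliance_gap(tagged_instances, patch_states, now=NOW, stale_after=timedelta(days=7)):
    """Classify every tagged instance from the latest patch state it reported.

    Returns a dict with: compliant, non_compliant (id -> reasons), pending_reboot,
    stale_scan (last operation older than stale_after), unreported (tagged but
    no patch state at all) and coverage_pct (reported / tagged).
    """
    report = {"compliant": [], "non_compliant": {}, "pending_reboot": [],
              "stale_scan": [], "unreported": [], "coverage_pct": 0.0}
    seen = set()
    for state in patch_states:
        iid = state["InstanceId"]
        seen.add(iid)
        reasons = []
        # Order matters for the reader: critical gaps are listed first.
        if state.get("CriticalNonCompliantCount", 0) > 0:
            reasons.append(f"{state['CriticalNonCompliantCount']} critical patches missing")
        if state.get("MissingCount", 0) > 0:
            reasons.append(f"{state['MissingCount']} approved patches missing")
        if state.get("FailedCount", 0) > 0:
            reasons.append(f"{state['FailedCount']} patches failed to install")
        if reasons:
            report["non_compliant"][iid] = reasons
        else:
            report["compliant"].append(iid)
        # Installed-pending-reboot patches are on disk but not yet effective.
        if state.get("InstalledPendingRebootCount", 0) > 0:
            report["pending_reboot"].append(iid)
        # A result older than the threshold says nothing about today's exposure.
        if now - datetime.fromisoformat(state["OperationEndTime"]) > stale_after:
            report["stale_scan"].append(iid)
    tagged = set(tagged_instances)
    report["unreported"] = sorted(tagged - seen)
    report["coverage_pct"] = round(100.0 * len(tagged & seen) / len(tagged), 1) if tagged else 0.0
    return report


def format_report(report):
    """Render the gap report as plain text for a ticket or a scheduled email."""
    lines = [f"coverage: {report['coverage_pct']}% of tagged instances reported a patch state"]
    for iid, reasons in sorted(report["non_compliant"].items()):
        lines.append(f"NON-COMPLIANT {iid}: " + "; ".join(reasons))
    lines += [f"PENDING-REBOOT {iid}" for iid in report["pending_reboot"]]
    lines += [f"STALE-SCAN {iid}" for iid in report["stale_scan"]]
    lines += [f"UNREPORTED {iid}" for iid in report["unreported"]]
    lines += [f"compliant {iid}" for iid in report["compliant"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(compliance_gap(TAGGED_INSTANCES, SAMPLE_PATCH_STATES)))
```

In practice the two inputs come from `describe-instances` filtered on the patch-group tag and from `describe-instance-patch-states-for-patch-group`; the point of joining them is the `unreported` bucket, which patch compliance views alone never show because an instance that has never run a scan has no compliance record to be non-compliant in.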
