- Architecture Diagram
- Deployment Instructions
- Resources
- Usage
- Patching Process
- Maintenance Window
- Exception-Management
- Tag-Monitoring
- Compliance Reporting
- Tear-down Instructions
- Referrences
- Pricing
- AWS Organization setup
- AWS Config enabled in the child accounts
- Delegated Administrator account for AWS CloudFormation (If you are deploying this solution in any other account than Management account).
-
Clone the repository.
-
Upload the zip versions of the .py files from the Lambdas folder in the repository, patching_window.yml and crhelper.zip file to an existing or a new Amazon Simple Storage Service (Amazon S3) bucket. Make sure that you update the bucket policy as per the policy json provided in the code repository.
-
Follow these instructions and deploy the CloudFormation template in the central account that you have designated for patching solution. This can be a delegated administrator for CloudFormation
- Navigate to CloudFormation in the AWS Console.
- Click on Create stack and click “with new resources(standard)”
- Under the Specify template section, click on Upload a template file
- Click on Choose file and select patching-stack.yml
- Provide a stack name(example: “self-service-patching-stack”)
- Specify the bucket, where you have uploaded the code as per Deployment Steps.2
- Specify the Organization id. Navigate to the organization from your AWS Console, and you’ll see the Organization Id at the organization dashboard.
- Select Next.
- Select Next and check “I acknowledge that AWS CloudFormation might create IAM resources with custom names”.
- Select “Create Stack”.
- Once the stack is in CREATE_COMPLETE state, select the stack and open the Outputs tab. Note all of the Keys and Values, as you will need it while deploying the StackSets
-
Deploy patching-stackset.yml in child accounts as stackset
-
Navigate to CloudFormation in the AWS console and click on StackSets
-
Click on Create StackSet and click on “Service-managed permissions”
-
Under the Specify template section, click on Upload a template file
-
Click on Choose file and select patching-stackset.yml
-
Enter a name for the StackSet (example: self-service-patching-stackset)
-
Provide the requested information.Look for the values that you noted in the Deployment Steps.3.k.For the Artifact bucket: mention the name of the bucket that you have uploaded zip files in Deployment Steps.2.
-
In WorkloadRegions: Specify the regions separated by comma, in which you have the EC2 workload.
-
Click Next
-
Click Next
-
Select Deployment target as “Deploy to organization”
-
Select all the regions you want to cover (please make sure to include the region in which the CloudFormation stack is deployed in Deployment Step.3)
-
Click on Next.
-
Scroll down and select the check box “I acknowledge that AWS CloudFormation might create IAM resources with custom names”.
-
Click on Submit and navigate to the Stack instances tab in the StackSet
-
Monitor the status column and wait till Status of all the Stack instances change to CURRENT
-
There are two CloudFormation templatein the repository
-
patching-stack.yml to be deployed in the central account Resources created by this CloudFormation Template are listed below
- PatchingPortfolio: AWS Service Catalog Portfolio for patching
- AWS S3 Bucket for storing the managed instance inventory details
- AWS S3 Bucket for storing the patching execution logs from all the instances in the child accounts
- AWS S3 Bucket for storing patch list for InstallOverrideList functionality of Emergency patching
- AWS Customer managed keys for encrypting the S3 bucket
- AWS Glue database and crawler
- AWS Step function state machine and lambda function for Emergency Patching
- Amazon Athena Queries for extracting the compliance information
-
patching-stackset.yml to be deployed across all the child accounts within the organization Resources created by this CloudFormation Template are listed below
- Default Patch maintenance window
- AWS Lambda function to carry out patching for standalone EC2 instances
- AWS Lambda function to carry out patching of EC2 instances part of an AutoScaling Group
- AWS Lambda function to initiate tagging for the relevant EC2 instance and AutoScaling Group
- AWS System manager automation document to orchestrate patching of standalone EC2 instances
- AWS System manager automation document to orchestrate patching of EC2 instances part of an AutoScaling Group
- AWS System manager Patch baselines for different OS such as Amazon Linux2, windows, ubuntu, RedHat.
- AWS System manager Resource data sync to collect inventory for managed instances and put it in central S3 bucket
- AWS Config rule for monitoring tags related to patching solution
- Amazon Event bridge rule to capture the tag non-compliance resulted from the config rule
- AWS lambda function to remediating tag non-compliance.
Note: You can navigate to Resources section in the deployed CloudFormation Template and check the exact names of the resources.
- Active EC2 instances in the child accounts with Systems manager agent installed
- Instance profile having access to Systems manager and central S3 bucket attached to the EC2 instances.An Instance Profile "InstanceProfileforPatching" is being created as part of the automation in all the child accounts with necessary privileges.
- environment=<Dev/Test/Prod> tag attached to the instance based on the workload
- Share the service catalog in the central account across the organization.
- If you are using any AWS account other than Organization root account as Central account for patching, please make sure to configure the central account as delegated administrator for Account management: https://docs.aws.amazon.com/accounts/latest/reference/using-orgs-delegated-admin.html "Service Catalog": https://docs.aws.amazon.com/servicecatalog/latest/adminguide/catalogs_portfolios_sharing_how-to-share.html#portfolio-sharing-organizations
- Provide permission to the necessary entities to consume the Service Catalog portfolio in the child accounts.
- Launch the service catalog to create patch maintenance window.
- Once the maintenance window starts in the designated schedule, it invokes the task lambda based on the target (Standalone Instance vs AutoScaling Group)
- The lambda function invokes the respective SSM automation document and provide all the necessary parameters.
- For Standalone Instance:
- SSM Automation document navigates to each designated regions.
- Applies AWS-RunPatchBaseline command to the instances with specific tags
- Reboot the instances, if selected by the user as post patching operation
- For Instances part of AutoScaling Group:
- SSM automation document navigates to each designated regions.
- Get the Autoscaling group names based on certain tags.
- Fetch the AMI id from the launch configuration/launch template.
- Follow series of steps to generate a patched AMI
- Create an intermediate instance from the AMI
- Applied AWS-RunPatchBaseline to the instance
- Stop the intermediate instance
- Create AMI
- Terminate the intermediate instance
- Update launch configuration with the patched AMI.
- Initiate Instance Refresh action based on the user input.
- Wait for the instance refresh action to complete and scan the instances.
There is an AWS Step function which provides the central team a platform to intervene the patching process and deploy ad-hoc patches in case of zero-day vulnerability fix or emergency patching situations.
- Central platform/operation team member initiates the Emergency patching process by triggering the AWS Step function and provide necessary parameters like environment to target, resources and a S3 path style url specifying the external file in case of any ad-hoc patches using installOverrideList : https://docs.aws.amazon.com/systems-manager/latest/userguide/override-list-scenario.html
Sample payload:
{
"env": "Default",
"include_asg": "Yes",
"retain_healthy_percentage": "90",
"refresh_asg_instances": "Yes",
"patching_operation": "Install",
"operation_post_patching": "RebootIfNeeded",
"run_patch_baseline_install_override_list": ""
}
Detail description of the parameters have been mentioned in Launch Service Catalog Product section
- The state machine triggers a lambda function in the central account which fetches the child account details in the organization, assumes a role into the child accounts and invokes the orchestrator lambda functions for patching.
Note: You can integrate a manual approval stage to the Step function as mentioned in the user guide doc: https://docs.aws.amazon.com/step-functions/latest/dg/tutorial-human-approval.html, AWS Step function will pause for an approval and proceed after the flow is approved.
This solution deploys a default maintenance window which covers the patching process for the instances which do not have any custom requirement for the patch maintenance window. The window triggers at every Friday 5:00AM UTC and installs patches by default in the standalone EC2 instance and EC2 instances part of AutoScaling Groups.
If there is a requirement for having a custom patch maintenance window, users can leverage service catalog product created as part of the implementation.
From the Central account follow the below steps to share the service catalog portfolio, if you are using an AWS account other than Organization root account than you may need to register the account as delegated administrator for AWS Service Catalog, more information on this can be found in the AWS Documentation: https://docs.aws.amazon.com/servicecatalog/latest/adminguide/catalogs_portfolios_sharing_how-to-share.html#portfolio-sharing-organizations Tip: AWS CLI command to register an account as delegated administrator for Service catalog
aws organizations register-delegated-administrator --account-id <provide-your-account-id> --service-principal servicecatalog.amazonaws.com
- Navigate to Service Catalog in the Central account
- Click on Portfolios and click on Patching portfolio
- Click on Share
- Select Organization Node and provide the Organization ID in the “Organization” Section.
- Enable Tag Option and click on Share
In the child accounts, the servce catalog portfolio needs to be imported by the respective account/application owners.
- Navigate to Service Catalog in the correct region
- Click on Portfolios and Imported.
- Click on Patching portfolio
- Click on Group,roles and users
- Add groups,roles and users and select the relevant entity which you want to provide access to launch this product.
- Navigate to Service Catalog and click on Products
- Click on Patching maintenance window product and click on Launch Product
- Provide a Suitable name to the product.
- Select the appropriate version
- Fill in the parameters details in the respective section.
-
Select the environment tag attached to the instances: Choose the environment you are targetting to patch with this maintenance window It can take values such as Dev,Test or Prod
-
Select the frequency of patching applied: This represents the frequency of patching operation on your EC2 instances.Select from an enumerated list of frequency of the patching window.
-
Enter the day of the week of the patching window: Select the day of the week when you want the maintenance window to trigger
-
Enter the start time of the patching window: Select the time at which you want the maintenance window to start
-
Enter the duation of the patching window in hours: The duration of the maintenance window
-
Select the patching operation:
- Scan: Systems manager scans your instances or non-compliant patches
- Install: AWS Systems manager scans your instances for non-compliant patches and installs the patches if found non-compliant.
-
Select the instance operation post patching:
- RebootIfNeeded: Systems manager reboots the instance after installing the required patches, if it is needed.
- NoReboot: Systems manager will not reboot the instance after installing the required patches. If some patches requries reboot to finish installation, you need to make sure the instance is rebooted at your convinience to avoid non-compliance. The next section represents parameters for EC2 instances part of AutoScaling Group.
-
Select if to include AutoScaling Groups: Select 'Yes' if you want to include EC2 instances part of AutoScaling Group in this patching regime, else select 'No'
-
Enter the percentage of remaining healthy instances during patching: This option signifies the percentage of healthy instances you want to maintain at a time in the AutoScaling Group while the instance refresh action is being carried out by the patching automation.
-
Select if to refresh the instances in ASG after updating the launch configuration: Select 'Yes' if you want the automation to refresh your instances in the AutoScaling Group with instances launched from patched AMI, this takes consideration of the value you have provided in the previous parameter (percentage of remaining healthy instances during patching) and refreshes instances accordingly.
-
- Click on Launch Product.
Note: The service catalog product will create a patch maintenance window in your account in the designated region and also trigger a tagging lambda function which will look for environment tag on your EC2 instances/AutoScaling Groups and put the patching tags on it accordingly.
In case you want to update any inputs provided while creating the patch maintenance window, you can update the service catalog product and update the necessary parameters.
- Navigate to Service Catalog and click on Provisioned products
- Select your product and click on Actions
- Click on Update
- Update the required parameter and click on Update.
In case you want to delete the patch maintenance window, follow the steps to perform the deletion
- Navigate to Service Catalog and click on Provisioned products
- Select your product and click on Actions
- Click on terminate
- Type in terminate and click on Terminate provisioned product.
Note: Deleting the service catalog product will delete the patch maintenance window and all the EC2 instances/AutoScaling groups covered by the patch maintenance window will be tagged with Default tags and the patch management will be covered under Default Maintenance Window If you do not want to patch any EC2 instance, follow the process outlined in Exception-Management
This solution provides a way to exempt any EC2 instance or AutoScaling group from Patch management. You need to add an exception tag 'install_patch=no' to the respective resources to exempt from the patching regime. The automation will not create tags related to patching on those resources which has the exception tag.
Based on the environment tag on the EC2 instance/AutoScaling group below patching tags will be applied.
- Patch Group = <Default/Dev/Test/Prod>
- maintenance_window = <Default/Dev/Test/Prod>_maintenance_window
Note: Default tags will be applied if the user forgets to apply right environment tag to the EC2 instance/AutoScaling Group based on the workload. the correspnding resource will be patched based on the enforced Default Maintenance Window.
An AWS config rule checks for the tag compliance in each of the child accounts. An Event bridge rule listens for compliance change and triggers lambda function. The lambda function does the following:
- For EC2 instances:
- It checks for the Autoscaling tag key (aws:autoscaling:groupName), EKS tag key (Alpha.eksctl.io/nodegroup-name/ OR k8s.io/* OR kubernetes.io/*), ECS tag key (AmazonECSManaged), exception tag (patch_install=no)
- If any of the tags found, the lambda function does not perform any action.
- If none of the tags found, the lambda function verifies the environment tag, patch maintenance window and applies the patch tags accordingly.
- For AutoScaling Group:
- It checks for the EKS tag (k8s.io/cluster-autoscaler/enabled OR kubernetes.io/*), ECS tag (AmazonECSManaged) and exception tag (patch_install=no)
- If any of the tags found, the lambda function does not perform any action.
- If none of the tags found, the lambda function verifies the environment tag, patch maintenance window and applies the patch tags accordingly.
Individual child accounts can view patch compliance status of their EC2 workload in the Systems manager patch manager dashboard. AWS resource data sync collects detailed inventory (https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-inventory.html) of the EC2 instances in the child accounts and sends to the central S3 bucket, which then can be consumed with services like AWS Glue, Amazon Athena and Amazon Quicksight to create compliance dashboards for the central team.
- The State Manager Association triggers everyday to gather software inventory data.
- The Inventory data is reported to Systems Manager.
- The Resource Data Sync takes the Inventory data and sends to the central S3 bucket.
- AWS Glue crawlers runs everyday to create the correct partition and schema.
This solution deploys below Athena queries which will help customers extract the patch compliance information across different child accounts and various regions within it.
Saved Queries:
QueryNonCompliantPatch : Get the list of Non-Compliant Patches QueryInstanceList : Get the list of instances across different accounts and regions. PatchComplianceReport : Get list of compliant and non-complant patch inventory along with instance, account, region, platform details.
Steps:
- Navigate to Athena Console in the central account
- Select Saved queries and search for “PatchComplianceReport”
- Select the Database “managed_instances_database”.
- Click on Run
You can also download the report in csv format.
Amazon Quicksight helps you to visualize the data in dashboards. You can create compliance dashboards in Quicksight to view the patch compliance status across your organization. Steps:
-
Navigate to Quicksight
-
Click on create Dataset
-
Select Datasource as Athena
-
Provide a Datasource name
-
Click on Create Data source
-
Choose the Database “managed_instances_database”
-
Select patch_table
-
Click on “Import to SPICE for quicker analytics”
-
Click on Visualize
-
Prepare the view
- Select the Correct Dataset
- Drag platformtype to X axis
- Drag resourceid to Group/Color
-
Total managed instance count grouped by compliance status
- Select Dataset as patch_table
- Drag status to Group/Color
- Select Donut Chart
-
Patch Compliance status grouped by account id.
- Select Dataset as patch_table
- Drag accountid to X axis
- Drag status to Group/Color
- In the Central account, Navigate to CloudFormation console.
- Go to Stacksets
- Search for the Stackset deployed for patching
- Click on Actions
- Delete Stacks from Stacksets
- Provide AWS Organization Id
- Specify the regions from which you want to delete the stacksets
- Click Next and Click on Submit, this will delete the stacks from all the child accounts.
- To delete the stackset, search for the stackset in the Central accout
- Go to Action, delete stackset
- In the central account, empty the S3 buckets created as part of the deployment. You can get the S3 bucket details from the resources section in the CloudFormations Stack
- Navigate to CloudFormation console, Go to Stacks
- Select the stacks related to patching
- Click on delete
Centralized multi-account and multi-Region patching with AWS Systems Manager
About the SSM Document AWS-RunPatchBaseline
Recording Software Configuration for Managed Instances
Understanding AWS Systems Manager Inventory Metadata
See CONTRIBUTING for more information.
This library is licensed under the MIT-0 License. See the LICENSE file.