This chapter covers AWS Systems Manager Patch Manager, a key feature for automating OS patch management across EC2 instances and on-premises servers. Patch Manager is heavily tested on the SOA-C02 exam, appearing in approximately 8-12% of questions related to Deployment and Operations. You will learn how to define patch baselines, configure maintenance windows, use patch groups, and troubleshoot common issues — all essential for the SysOps Administrator role.
Jump to a section
Imagine a large office building with hundreds of rooms, each containing a piece of equipment (a server). The building manager wants to ensure every piece of equipment runs the latest firmware. Instead of sending a technician to each room manually, the manager installs a smart agent in every room. The agent can talk to a central control system via a secure intercom. The manager creates a 'patch job' — a work order that lists which firmware version to apply, a schedule (e.g., 2 AM Sunday), and a rollback plan if something breaks. At the scheduled time, the control system sends a command to each agent: 'Update to version 6.2.1'. The agent downloads the firmware from a secured supply closet (S3 bucket or patch baseline). It applies the update and reports back: success or failure. If the update fails, the agent automatically rolls back to the previous version using a local backup. The manager can track progress on a dashboard. If a room's equipment is critical (like an MRI machine), the manager can set a maintenance window — the agent will only update during that window, and if the update would exceed the window, it stops and waits for the next window. This is exactly how SSM Patch Manager works: agents (SSM Agent) on EC2 instances or on-premises servers receive commands from the AWS Systems Manager service, apply patches from predefined or custom baselines, report status, and can automatically roll back on failure.
What is SSM Patch Manager?
AWS Systems Manager Patch Manager automates the process of patching managed nodes with security-related updates and other types of updates. You can use Patch Manager to scan for missing patches and apply them on a schedule using maintenance windows. It supports both Windows and Linux operating systems on EC2 instances and on-premises servers (via hybrid activations).
Why Patch Manager Exists
Manual patching is error-prone, time-consuming, and inconsistent. Patch Manager centralizes patch compliance reporting and enforcement, ensuring all nodes meet your organization's security baseline. It integrates with AWS Identity and Access Management (IAM) for permissions, Amazon CloudWatch for monitoring, and AWS Config for compliance tracking.
How It Works Internally
Patch Manager operates through the SSM Agent installed on each managed node. The agent communicates with the AWS Systems Manager service over HTTPS (port 443). When you initiate a patching operation (either on-demand or via a maintenance window), the following occurs:
Service sends a Run Command – AWS Systems Manager sends a AWS-RunPatchBaseline document to the SSM Agent on the target instances.
Agent downloads patch baseline – The agent retrieves the patch baseline configuration from the service. The baseline defines which patches are approved (e.g., all Critical and Important security updates for Windows, or specific severity levels for Linux).
Agent scans and applies – The agent uses the OS-native update mechanism (Windows Update API on Windows, yum/apt/zypper on Linux) to identify missing patches. It then downloads and installs the approved patches from the configured patch sources (e.g., Windows Update, Amazon Linux repos, or your own repository).
Agent reports compliance – After installation, the agent sends a compliance report back to the service. This report includes which patches were installed, which failed, and the overall patch status (Compliant, NonCompliant, InstalledPendingReboot, Failed).
Reboot if needed – Patch Manager can automatically reboot the instance if required by the patch. You can configure reboot behavior: NoReboot, RebootIfNeeded, or AlwaysReboot.
Key Components
Patch Baseline – Defines which patches are approved for installation. You can use predefined baselines (e.g., AWS-DefaultPatchBaseline) or create custom baselines. Each baseline includes:
- Approval rules (e.g., approve all patches with classification 'Critical' within 7 days of release)
- Approved and rejected patch lists (by patch ID, product, classification, severity)
- Source repositories for Linux (e.g., Amazon Linux 2 default repo)
- Patch Group – A logical group of nodes that share a common patch baseline. You tag instances with a tag key Patch Group and assign a value (e.g., Production). Patch Manager uses this tag to determine which baseline to apply.
- Maintenance Window – A schedule (cron expression) that defines when patching can occur. It includes a duration and a set of target nodes. You can also specify a cutoff time so that patching stops if it cannot complete within the window.
- Run Command – Used for on-demand patching. You can send the AWS-RunPatchBaseline document to instances immediately.
- State Manager – Can be used to enforce a patch baseline on a recurring schedule, ensuring continuous compliance.
Configuration and Verification
Creating a Custom Patch Baseline (AWS CLI):
aws ssm create-patch-baseline \
--name "Production-Windows-Baseline" \
--operating-system WINDOWS \
--approval-rules 'PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=CLASSIFICATION,Values=["Critical","Important"]},{Key=MSRC_SEVERITY,Values=["Critical"]}]},ApproveAfterDays=7}]' \
--description "Baseline for production Windows servers"Registering a Patch Group:
aws ssm register-patch-baseline-for-patch-group \
--baseline-id pb-0123456789abcdef0 \
--patch-group "Production"Running a Patch Scan (without installing):
aws ssm send-command \
--document-name "AWS-RunPatchBaseline" \
--targets Key=tag:Environment,Values=Production \
--parameters '{"Operation":"Scan"}' \
--timeout-seconds 600Checking Patch Compliance:
aws ssm describe-instance-patch-states-for-patch-group \
--patch-group "Production"Interaction with Related Technologies
IAM – Requires permissions like ssm:SendCommand, ssm:CreatePatchBaseline, etc. The instance profile must allow the SSM Agent to communicate with the service.
Amazon S3 – Patch Manager can optionally store patch reports in an S3 bucket via AWS Config or direct output.
AWS Config – Can record patch compliance as a configuration item.
Amazon CloudWatch – Metrics and logs for command execution and patch compliance.
AWS Systems Manager Inventory – Collects patch information as part of inventory.
VPC Endpoints – For instances in private subnets, you need an interface VPC endpoint for SSM (com.amazonaws.region.ssm) and optionally for S3 (gateway endpoint) to download patches.
Defaults and Timers
Default patch baseline for Windows: AWS-DefaultPatchBaseline – approves all Windows Server updates classified as Critical or Important within 7 days.
Default patch baseline for Amazon Linux 2: AWS-AmazonLinux2DefaultPatchBaseline – approves security updates with severity Critical or Important within 7 days.
Maintenance window duration: You set this when creating the window (minimum 1 hour, maximum 24 hours).
Timeout for Run Command: Default 3600 seconds (1 hour), but you can set a custom timeout.
Reboot behavior: Default is RebootIfNeeded.
Trap Patterns
Wrong assumption: Patch Manager patches all instances automatically. Reality: You must configure maintenance windows or run commands explicitly.
Wrong assumption: Patch Manager works without internet access. Reality: Instances need outbound HTTPS access to SSM endpoints and patch repositories (or VPC endpoints).
Wrong assumption: Patch Manager patches applications. Reality: It patches the OS only, not custom applications (use AWS Systems Manager Distributor for that).
Wrong assumption: Patch groups are required. Reality: They are optional but recommended for targeting different baselines to different environments.
Define Patch Baseline
Create a patch baseline either via AWS Console, CLI, or CloudFormation. Specify the operating system type (WINDOWS, AMAZON_LINUX, UBUNTU, etc.). Define approval rules: for example, approve all patches with classification 'Critical' and 'Important' within 7 days of release. Optionally add explicit approved or rejected patches by their KB IDs or CVE IDs. For Linux, you can specify alternative patch sources (repositories). Each baseline must have at least one approval rule. The baseline is stored as an SSM document with a unique ID (e.g., pb-0123456789abcdef0).
Assign Patch Group via Tags
Tag each EC2 instance (or on-premises server) with the key `Patch Group` and a value that matches the group name (e.g., `Production`). This tag is read by Patch Manager when determining which baseline to apply. An instance can belong to only one patch group. If no patch group tag exists, the instance uses the default patch baseline for its OS. You can also use other tags for targeting (e.g., `Environment:Production`) but the `Patch Group` tag is the primary mechanism for baseline assignment.
Register Patch Group with Baseline
Use the AWS CLI command `register-patch-baseline-for-patch-group` to associate the patch group with the custom baseline. This step is crucial; without it, instances in the group will use the default baseline. You can register multiple patch groups to the same baseline. For example, you might have separate baselines for Development, Staging, and Production environments, each with different approval rules (e.g., Development approves patches immediately, Production waits 7 days).
Schedule Maintenance Window
Create a maintenance window in AWS Systems Manager. Define the schedule using a cron expression (e.g., every Sunday at 2 AM). Set the duration (e.g., 2 hours) and optionally a cutoff time (e.g., stop if not complete by 3:30 AM). Assign targets (instances by tag) and a task (the `AWS-RunPatchBaseline` document). The task configuration includes parameters: Operation (Scan or Install), RebootOption (NoReboot, RebootIfNeeded, or AlwaysReboot). The maintenance window ensures patching occurs only during approved times.
Execute Patching and Monitor
When the maintenance window triggers, SSM sends the command to the SSM Agent on each target instance. The agent downloads the patch baseline, scans for missing patches, installs approved ones, and reboots if needed. The agent reports status back to the service. You can monitor progress in the AWS Console under Systems Manager -> Patch Manager -> Patch Compliance. Use CloudWatch metrics and logs for detailed tracking. If a patch fails, the agent attempts rollback (on supported OS). After completion, you can view compliance summary per instance or per patch group.
Enterprise Scenario 1: Multi-Environment Patching
A large enterprise runs hundreds of EC2 instances across Development, Staging, and Production environments. They need different patch approval timelines: Development patches are applied immediately upon release, Staging waits 3 days, Production waits 7 days after testing. The SysOps team creates three custom patch baselines: Dev-Baseline (ApproveAfterDays=0), Staging-Baseline (ApproveAfterDays=3), Prod-Baseline (ApproveAfterDays=7). They tag instances with Patch Group: Dev, Patch Group: Staging, or Patch Group: Prod. Each baseline is registered with its respective patch group. Maintenance windows are created for each environment: Dev window runs nightly at 2 AM, Staging window runs Tuesday and Thursday at 1 AM, Production window runs Sunday at 3 AM. The team uses AWS Config rules to ensure all instances have the Patch Group tag and are compliant. Common issues include instances missing the tag (they fall back to default baseline, which may not match the desired policy) and maintenance window duration too short for large patch sets (e.g., Windows Server 2012 R2 with many updates). The team sets the duration to 4 hours for Production and monitors CloudWatch alarms for failed commands. They also use SSM Run Command for emergency patching (e.g., zero-day vulnerability) outside maintenance windows.
Enterprise Scenario 2: Hybrid On-Premises Patching
A company has 50 on-premises servers running Windows Server and Amazon Linux 2. They use AWS Systems Manager Hybrid Activations to register these servers as managed instances. The servers do not have direct internet access; they connect via a VPC endpoint for SSM and an S3 gateway endpoint for patch downloads. The SysOps team creates a single patch baseline for all Windows servers (approving Critical updates within 7 days) and another for Linux servers (approving security updates with severity Critical within 7 days). They tag all on-premises servers with Patch Group: OnPrem. Maintenance windows are scheduled for weekends to minimize impact. A common issue is that on-premises servers may not have the correct SSM Agent version or network connectivity problems. The team uses the AWS-RunPatchBaseline document with Operation: Scan first to verify connectivity and baseline assignment. They also configure CloudWatch Logs to capture patch failure details. Performance considerations: patching on-premises servers over a VPN or Direct Connect can be slower due to latency; the team sets a longer timeout (1800 seconds) for the Run Command.
What Goes Wrong When Misconfigured
Missing Patch Group Tag – Instances use the default baseline, which may not match the desired patching policy. This leads to non-compliance.
Incorrect IAM Permissions – The instance profile (for EC2) or service role (for on-premises) must have permissions for SSM and S3. Missing permissions cause the agent to fail silently.
Maintenance Window Cutoff Too Aggressive – If the cutoff time is set too early, patching may be interrupted, leaving instances in an inconsistent state (e.g., partially patched).
Network Restrictions – Without proper VPC endpoints or internet access, the agent cannot communicate with SSM or download patches. The command times out.
What SOA-C02 Tests
The SOA-C02 exam (Domain 3: Deployment, Provisioning, and Automation) includes Patch Manager in objective 3.2: 'Implement and manage patching for EC2 instances and on-premises systems using AWS Systems Manager Patch Manager.' Expect scenario-based questions where you must choose the correct combination of patch baseline, patch group, maintenance window, and IAM permissions. Also, questions on troubleshooting failed patching (e.g., network issues, missing tags, incorrect permissions).
Common Wrong Answers and Why Candidates Choose Them
'Use AWS Config to patch instances' – Candidates confuse AWS Config (compliance monitoring) with Patch Manager (patching). AWS Config can record patch compliance but cannot apply patches.
'Patch Manager patches all instances in the account by default' – Candidates assume automatic patching. Reality: You must explicitly configure maintenance windows or run commands.
'Patch Manager requires a NAT Gateway or Internet Gateway' – While internet access works, the correct answer often involves VPC endpoints (SSM and S3) for private subnets. Candidates choose the more expensive NAT option.
'Patch Manager can patch custom applications' – Candidates think it patches any software. Reality: It only patches the OS. For custom apps, use Distributor or third-party tools.
'Patch groups are defined in the patch baseline' – Candidates confuse the direction. Patch groups are tags on instances, not defined in the baseline. The baseline is associated with a patch group via registration.
Specific Numbers and Values on the Exam
Default approval delay: 7 days for predefined baselines.
Patch group tag key: Patch Group (case-sensitive).
Supported OS: Windows Server (2008 R2 and later), Amazon Linux, Amazon Linux 2, Ubuntu Server (16.04, 18.04, 20.04), CentOS (6, 7, 8), Red Hat Enterprise Linux (6, 7, 8), SUSE Linux Enterprise Server (12, 15).
Operation values: Scan and Install.
Reboot options: NoReboot, RebootIfNeeded, AlwaysReboot.
Maintenance window duration: 1-24 hours.
Command timeout default: 3600 seconds.
Edge Cases and Exceptions
On-premises instances – Require a hybrid activation and a service role for SSM. The exam may ask about IAM roles for on-premises patching.
Patch baseline for Linux – You can specify alternative patch repositories. If the repository is unreachable, patching fails.
Multiple patch groups per baseline – One baseline can be associated with many patch groups. But one instance can only belong to one patch group.
Running Scan vs Install – The exam may ask you to first scan before installing to assess compliance without making changes.
How to Eliminate Wrong Answers
Understand the mechanism: Patch Manager uses a document (AWS-RunPatchBaseline) sent via Run Command or Maintenance Window. The agent on the instance does the work. If the question involves private subnets, look for VPC endpoints. If it involves multiple environments, look for patch groups and custom baselines. If it involves scheduling, look for maintenance windows. Eliminate answers that suggest direct SSH or manual patching.
Patch Manager automates OS patching using the AWS-RunPatchBaseline document.
Patch baselines define which patches are approved; custom baselines can override defaults.
Patch groups (tag key 'Patch Group') map instances to specific baselines.
Maintenance windows schedule patching; you must set duration and optionally a cutoff.
Operation can be 'Scan' (report only) or 'Install' (apply patches).
Reboot options: NoReboot, RebootIfNeeded (default), AlwaysReboot.
Instances need outbound HTTPS access to SSM endpoints and patch repositories.
On-premises servers require hybrid activation and a service role.
Patch Manager only patches the OS, not applications.
Default approval delay is 7 days for predefined baselines.
VPC endpoints (SSM and S3) are needed for private subnets without internet.
Monitor patch compliance via Systems Manager Patch Manager dashboard or AWS Config.
These come up on the exam all the time. Here's how to tell them apart.
Patch Manager
Automates patching (scan and install).
Uses patch baselines and maintenance windows.
Requires SSM Agent on instances.
Can reboot instances automatically.
Integrates with Run Command and State Manager.
AWS Config
Monitors compliance (including patch compliance via managed rules).
Does not apply patches; only records state.
Works with AWS Config agent or resource recording.
No reboot capability.
Can trigger remediation (e.g., via SSM Automation) but does not patch directly.
Mistake
Patch Manager automatically patches all EC2 instances in the account.
Correct
Patch Manager does nothing automatically. You must create a maintenance window or use Run Command to trigger patching. Instances are only patched when you explicitly schedule or run a patching operation.
Mistake
Patch Manager can patch any software on the instance.
Correct
Patch Manager only patches the operating system (Windows Server updates, Linux kernel and package updates). It does not patch custom applications, databases, or third-party software. Use AWS Systems Manager Distributor for distributing and installing custom software.
Mistake
Patch Manager requires an internet gateway for patching instances in private subnets.
Correct
Instances in private subnets can use VPC endpoints (interface endpoint for SSM and gateway endpoint for S3) to communicate with AWS services without internet access. Using a NAT Gateway is an alternative but not required.
Mistake
Patch groups are defined inside the patch baseline configuration.
Correct
Patch groups are not defined in the baseline. They are tags applied to instances (key 'Patch Group'). The baseline is associated with a patch group via the `register-patch-baseline-for-patch-group` API call.
Mistake
You cannot use Patch Manager for on-premises servers.
Correct
Patch Manager supports on-premises servers that are registered as managed instances via AWS Systems Manager Hybrid Activations. They require the SSM Agent installed and a service role for communication.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
First, tag the instances with the key 'Patch Group' and a value (e.g., 'Production'). Then create a custom patch baseline and register it with that patch group using the AWS CLI command `aws ssm register-patch-baseline-for-patch-group --baseline-id pb-12345 --patch-group Production`. Instances with that tag will now use your custom baseline when patching is triggered.
Yes, if the on-premises server is registered as a managed instance via AWS Systems Manager Hybrid Activations. You must install the SSM Agent on the server, create a managed instance activation (IAM role), and then the server appears in Systems Manager. You can then apply patch baselines and maintenance windows just like EC2 instances.
The 'Scan' operation checks for missing patches and reports compliance without making any changes. 'Install' actually downloads and applies the approved patches. You can run a Scan first to assess the patch status, then schedule an Install later. Both use the same `AWS-RunPatchBaseline` document.
This usually means the OS version is not supported by Patch Manager. Supported OSes include Windows Server 2008 R2 and later, Amazon Linux, Amazon Linux 2, Ubuntu 16.04+, CentOS 6+, RHEL 6+, and SLES 12+. Also ensure the SSM Agent is up to date and the instance has outbound connectivity to SSM endpoints.
Create VPC endpoints: an interface endpoint for Systems Manager (com.amazonaws.region.ssm) and a gateway endpoint for Amazon S3 (com.amazonaws.region.s3). The SSM Agent will communicate over these endpoints. Ensure your security groups allow HTTPS traffic to the endpoint network interfaces.
No, Patch Manager only patches the operating system. For distributing and installing custom applications, use AWS Systems Manager Distributor, which allows you to create and deploy packages. You can also use Run Command to run your own scripts.
Patch Manager can attempt to roll back the patch on supported operating systems (e.g., Windows Server). The instance status will show as 'Failed' in the compliance report. You can view the command output in the Systems Manager Run Command history or CloudWatch Logs for details. The instance remains in its previous state.
You've just covered SSM Patch Manager — now see how well it sticks with free SOA-C02 practice questions. Full explanations included, no account needed.
Done with this chapter?