AWS Systems Manager - Automate Patching for Amazon EC2 Instances | Concept | Demo

Captions
Hi everyone, Shashank this side. I hope you are doing well today and safe at home. As you can see on my screen, today we are going to learn how to automate our patching stuff with the help of AWS Systems Manager. Again, AWS Systems Manager gives us visibility and control over AWS infrastructure, and it provides a hell of a lot of functionality to automate our stuff related to application deployment, related to infrastructure provisioning. Out of that, one of the functionalities that it provides is to automate your patching stuff: instead of doing our manual patching on your operating systems, automate that stuff right away. Again, I have created one video on how to use AWS Systems Manager to automate your AMI, where you can just configure a few steps and that is going to automate all the patch updates, all the agent updates, in background with the help of Systems Manager. I'll share the link just to give you a clearer understanding of what AWS Systems Manager can do with the help of automation. So let's review some points, and I'll jump right quickly to my AWS Management Console to show you how this works.

So AWS Systems Manager Patch Manager automates the process of patching managed instances with both security-related and other types of updates. Again, AWS Systems Manager has different modules integrated with it; one of those is called Patch Manager. So Patch Manager helps us to automate our patching stuff, and again, all the instances that need to be patched with Systems Manager have to be assigned as managed instances. So for that you have to create a role, that's a prerequisite, where we have to create a Systems Manager IAM role and assign that role to my EC2 instance, so that that instance can get inserted into, or considered as, a managed instance. From there onward we can take actions as per our requirement with the help of Systems Manager, and we can do all other stuff related to patches or deployments. You can use Patch Manager to apply patches for both operating systems and applications; on Windows Server, application support is limited to updates for Microsoft applications. Again, as I said, regardless of the OS platform we can do the patching of our applications as well as the patching of our operating systems.

Patch Manager uses patch baselines. So we create a baseline with Patch Manager where, based upon our requirement, we select what kind of patches need to be rolled out to our servers and we approve that. That is kind of an auto approval: we create a rule that has an auto approval that says these are the patches, within a few days of release just roll them out to my Windows server or Linux server, and we can also reject a certain number of patches which are not required for our systems. So this is how Patch Manager works in background. There are a few prerequisites of Patch Manager: one is you have to use the SSM agent, and the version needs to be at least 2.0.834 or later; without the SSM agent you won't be able to perform any kind of action with Systems Manager. I'll be sharing the link of the prerequisites with you guys so that you can go through that.

So let's jump to our AWS Management Console; I will show you how to do the configuration. I'm in Systems Manager. If we go to Services and search for SSM you will get Systems Manager; that's the dashboard. Again, to do automation of the patch update we need some instances, so I already have a few instances; these are two Windows boxes. I'll quickly provision a few Linux boxes as well. Let's go with Amazon Linux and t2.micro, configure, I'll go with two instances with this VPC and public subnet, this is the role that I have created (I'll show you in the IAM console how to create a role), tag it Linux SSM, and so on. Launch, launch, launch instance; a few instances. So before going into Systems Manager there is a prerequisite: to create or give a permission. I have used a role called AmazonEC2RoleforSSM. How to create that: go to Services, IAM. We are trying to create a role that will give permission to perform all the actions and operations by Systems Manager on the EC2 instance, right? So go to Roles, click on Create role. We are trying to give permissions on EC2, so select EC2 and search for SSM; we'll be using AmazonEC2RoleforSSM. Next, tags, review, and give the name. That's what I have done in my Roles section, so I'll show you the role that I have created: search for SSM, this is the role that I have created. If we expand this and see the summary, this has CloudWatch, because that will be logging all the logs in CloudWatch, EC2, S3, SSM and Systems Manager. OK.

Let's go back to our EC2 instances now to check whether my instances are present as part of managed instances, or whether SSM has been installed properly or not. Where can we check? In the Instances and Nodes section we have something called Managed Instances. Click on Managed Instances and I can see the two Windows instances are already listed over here. As I said, SSM works on SSM agents. I have used Windows Server 2016; by default Windows Server 2016 comes with the SSM agent installed on it, and we have given the role permission as well. Soon we'll be seeing the Linux instances as well over here. So these are two managed instances that we have to do automation of the patching on. What we have to do: we have to go to Patch Manager, it's on the left in the same section, click on Patch Manager. Now AWS Systems Manager Patch Manager automates our patching with a native AWS solution; it's a centralized management for patching of your fleet of EC2 Windows and Linux instances, or your on-premise servers and virtual machines, we can do that as well. How it works: use the default patch baseline or create your own. So Amazon has provided us a list of default patch baselines, or we can create our own; I'll show you both. Organize the instances into patch groups, automate the patching by scheduling your maintenance window, and monitor the patch status.

So here we have something called predefined patch baselines; click on that. These are the few predefined patch baselines: for Windows, you can see, SUSE Linux, Red Hat, Windows, Amazon Linux and all those things. So let's click on the default patch baseline for Windows, view details. Now if you see this, the classification has been done only for critical and security updates, severity is critical and important, and auto approval is "wait seven days before approving it". So let's say we have a patch released today: we have to wait for seven days to monitor that, because as I said there is a mechanism where it uses a snapshot in background which has all the patches installed in it, so we use that patch baseline to install the patches on the server. So we have to wait for seven days; that's the default rule provided by the default patch baseline. OK, patch exceptions, we don't have any; we have only approved patches, compliance level is unspecified; rejected patches action: allow as dependency. OK, this is the Windows patch baseline, the default one. Again go to the defaults: if we select Amazon Linux, this is the default patch baseline for Amazon Linux, and you cannot edit the default patch baselines provided by Amazon. Critical and important, wait for seven days for approval, bug fix; again we have the same functionality provided over here.

Now, how to use these patch baselines. Before that, I'll just quickly check the managed instances to see whether my Linux instances are there or not. Still not there; that's taking a bit of time, that's fine. So go to Patch Manager. Now how can you use a default patch baseline: first I will show you how to use a default patch baseline, and second I will show you how to create your own. So click on the Windows default patch baseline, go to Actions, Modify patch group. Now here you have to do tagging before doing any kind of patch operations on your EC2 instances. How can we do that? Go to your EC2 instances, this is the dashboard, go to the Tags section; here we have something called Manage tags, click on Manage tags. You can see my Windows instances are having a patch group of the name production. I'll add that for Linux as well; I'll overwrite that. This will ask you that this is already there, so this is going to override; click Continue, and here we go, we have a patch group for all my four systems. Now based upon this tagging we are going to patch our systems. You can select individually as well to patch your system, but it's better to use a patch group. Again go to the default; because we have added it, that is going to reflect after a refresh. Actions, Modify patch group, production, Add, Close. So this is something we have done with Windows; I will do the same for Linux: Actions, Modify patch group. It's already there, awesome. No? Next, again click on Configure patching.

Here we have three options. Enter the instance tag name: you can give whatever tag name you have defined, like Name and instance name, or a common tag for all your instance group, like for Linux we have one group, for Windows you have one group. So I have selected patch group, which is production. Here you can select an existing maintenance window or you can schedule a new maintenance window; you can use a cron expression as well. Maintenance window run frequency is like every 30 minutes, or based upon your requirement one hour or two hours, or every day; let's say every Saturday at 2:00. Maintenance window duration: maximum number of hours allowed for the maintenance window; as per your requirement you can change this number. Window name, let's say weekly, sorry, weekly maintenance. We have two options, scan and install, and scan only. Scan and install is going to scan the server first, download all the patches and then it is going to install; scan only is only going to generate the list. So let's configure patching. OK, we cannot have a space, as per Amazon; fine. Here we go, we have successfully configured a patch deployment window, like every Saturday with a cron expression of 2:00 hours; this is going to get executed.

Now this is one way of doing your configuration on your patching side for every week. Second, you can do on-demand patching as well; how to do that I'll show you right away. Again we'll go to Patch Manager, Configure patching, select the group, it's production, skip the maintenance, scan and install, configure patching, view the details. Now what this is going to do: as you can see we have two instances already there, one with 885 and one with 107. So the best thing with this particular AWS Systems Manager is that whether you have created one tag like production for your Linux as well as for your Windows, right, Windows instances will get only Windows patches. Let's say, for example, Windows security patches are there; if we have a Linux system for that, it is going to skip the Linux system, it will operate only on the Windows system. That's the best part of Systems Manager. Again, this is going to take some time because these are fresh systems, and once that is done we will be able to see the output; as of now it's in flight because it's in progress.

And again, it uses Run Command in background, because Run Command is a module where you will be seeing every kind of automated module. For example, if you click on Run Command you're going to see all the modules that we have listed over here; it's almost like five or ten pages of modules. For example, Install Windows Update, Run Docker Action, Run Ansible Playbook: these are one-liner commands which you can use to run your Ansible playbook from Systems Manager on your Linux system or Windows system. That totally depends on how you are trying to focus on your environment. So Amazon Systems Manager uses Run Command to perform most of your updates, regardless of your deployments to the application, regardless of your patching. So let's go back to Run Command; still going. So I'll show you a previously created Run Command; this is for one of the Windows instances that I have created. So this is my Windows instance; if we click on View output, click on step one: now downloading the patch baseline operations PowerShell module, extracting the patch baseline as a zip format, successfully downloaded, install a PowerShell module; you are going to see the operation type is install, every single detail of this particular installation of your patches. So this is trying to gather all the information, what kind of patches it's installing in background for all the systems, and at what step it's failing as well; we'll be getting that information too. Second, it's PatchLinux: as I said, step execution has been skipped because it's an incompatible platform with Linux, because I have done it only for Windows previously, so that's why it's showing like this. So you'll be getting two outputs, one is step one and one is step two; mostly it's one or another step, fine. If you are executing in front of Linux then you will be getting all the Linux details with step one, and step two will be your Windows; yeah, it is going to show you this execution has been skipped.

Again go back to Run Command. As I said, this is going to take some time to reflect in the console. So as of now one instance has already been done, so let's click on that instance and see the output. This is going to show you the patch group that we have created, baseline ID, snapshot ID, reboot required or not, operation type is install, install counts, totals, and all those operations that have been performed by this patch baseline snapshot are written over here as an output. OK, so the second instance is going to take some time. The next step: I just want to show you how to configure your own baseline. So this is something where we have used the default one provided by Amazon; let's configure our own baseline. So for that, OK, Patch Manager again, baselines, Create patch baseline. You can give this name as your company name, like test one two, sorry, test baseline Windows or Linux. You can select your operating system; you can set this as your default baseline with all your restrictions and with all the values that are allowed with this particular baseline, which you can use for your environment. Now here are the products; by default it is all, you can select as per your requirement; my environment is Windows 2016. Classifications, what we want: like critical updates, then I want feature packs, security updates, updates, all those things. Severity: critical, important, moderate and low. Auto approval: specify how to select these auto approval updates, approve the patches after a specified number of days, or approve the patches released up to a specific date. I would say let's use like twenty-one days; again, that totally depends upon your requirement, how you want to give your approval once the patch has been released. So let's say after 21 days this is going to apply patches to my operating system or the environment. Patch exceptions: you can exclude your KB articles, since it is Windows you can exclude your KB articles, you can reject your KB articles as well; approve and reject are there, allow as dependency, or you want to block. And just create patch baseline. Here we go, this is our standard patch baseline that we have created. Again, I have just shown you how to create your own baseline instead of using the default by Amazon, because we don't know what are the things that Amazon is using in background or what are the KB articles that Amazon is pushing to our servers. So that's how you can define your patch baseline, and by the same process use this patch baseline to configure your automation of the patching.

There is one important concept, how the patching works in background; I just wanted to brief you on that. So whenever patch operations are performed on the server instance, the instance requires a snapshot, right, which has all the appropriate patch baseline from Systems Manager. The snapshot consists of all your available updates in the patch baseline that have been approved for the deployment. So for example, you have created a patch baseline for your system; now within that you are giving all your default deployment model, like you want some security updates, you don't want some service packs, and all those things for your environment, right? So Amazon Systems Manager uses a snapshot: it creates a snapshot in background, uses that snapshot that has all your updated patches which are approved for the deployment, and the list of those updates is sent to the Windows or Linux update API, which determines what needs to be updated that is applicable on your instance. So that's how this works in terms of the background mechanism of Patch Manager.

As I showed you, if you go to Run Command again; come on, oh, this has been done. OK, it's failed; why's it failed? We can check that as well: view the output, step: downloading the patch baseline PowerShell module from this, extracting, blah blah blah. So we are not getting any kind of patch group; it's not been defined with the patch group. The baseline ID is not there, the snapshot ID is not there; it's all failed because of that. Again you can take a look why this has not been picked up with all this instance, because one has already been done; maybe there is a possibility that my tagging has not been reflected properly, and I have done it before that. Now as I said, the snapshot ID, this is the snapshot ID consisting of all your approved deployable patches; so that's what Amazon Systems Manager uses before it deploys to your system. So I hope this clears a lot on why to use Systems Manager and why this is useful to automate your patch environment, because one of the headache parts of doing patching is the manual stuff. You have, let's say, thousands of servers, 500 Linux, 500 Windows, and you cannot go ahead and write a script to do your deployments of the patches, right? So it's better we are getting an opportunity from Amazon that automates everything, and it takes very little time to update all our systems with the patches. So that's why it's useful to use Amazon Systems Manager. Again, this is like a pay-as-you-go model: whatever resources you are going to use, you have to pay for that, right; the module is free. So just try it out on your account and check what responses are coming into the picture for your environment. Just place a comment in the comment section and I will be there to help you if there is an issue. Have a nice day, bye bye.
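The console steps walked through in the video map one-to-one onto AWS CLI calls. The script below is an added example, not code from the video or from AWS: every resource name in it (the role and instance-profile name, the baseline and window names, the instance IDs) is an assumed placeholder, and the `production` patch group value and 21-day approval delay are taken from the video. It runs in dry-run mode by default and only prints, on stderr, the commands it would issue; with `DRY_RUN=0` and a configured AWS CLI it executes them. One substitution is deliberate: where the video attaches the AmazonEC2RoleforSSM policy, the script attaches AmazonSSMManagedInstanceCore, the narrower policy AWS now recommends for managed instances. Note that the tag key Patch Manager looks for is exactly `Patch Group`, with the space; an instance without that tag falls back to the default baseline for its OS rather than the one you registered for the group.

```shell
#!/bin/sh
# Added example (not code from the video or from AWS): the AWS CLI equivalent of
# the console steps shown. All resource names are assumed placeholders.
# DRY_RUN=1 (default) only prints each aws command on stderr; DRY_RUN=0 executes it.
set -e

DRY_RUN="${DRY_RUN:-1}"
ROLE_NAME="${ROLE_NAME:-ec2-ssm-managed-instance}"   # assumed role/instance-profile name
PATCH_GROUP="${PATCH_GROUP:-production}"            # the tag value used in the video
APPROVE_AFTER_DAYS="${APPROVE_AFTER_DAYS:-21}"      # the video's own-baseline setting
SCHEDULE="${SCHEDULE:-cron(0 2 ? * SAT *)}"         # every Saturday at 02:00
EC2_TRUST='{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}'

# show: render an argv as one copy-pasteable line, quoting arguments that need it.
show() {
  for a in "$@"; do
    case "$a" in
      *" "*|*"{"*|*"["*|*'"'*) printf "'%s' " "$a" ;;
      *) printf '%s ' "$a" ;;
    esac
  done
  printf '\n'
}

# run: log the command on stderr (an audit trail even in real runs); execute it,
# with its stdout passed through, only when DRY_RUN=0.
run() {
  show "$@" >&2
  if [ "$DRY_RUN" = 0 ]; then "$@"; fi
}

# Step 1: instance role so the EC2 instances register as SSM managed instances.
# The video attaches AmazonEC2RoleforSSM; AmazonSSMManagedInstanceCore is the
# narrower policy AWS now recommends for this.
create_instance_role() {
  run aws iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document "$EC2_TRUST"
  run aws iam attach-role-policy --role-name "$ROLE_NAME" \
      --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  run aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
  run aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
}

# Step 2: the tag Patch Manager keys on is exactly "Patch Group" (with the space).
tag_instances() {
  run aws ec2 create-tags --resources "$@" --tags "Key=Patch Group,Value=$PATCH_GROUP"
}

# Step 3: one baseline per OS (critical/important security fixes, auto-approved
# APPROVE_AFTER_DAYS after release), bound to the patch group. Prints the
# baseline ID; in dry-run mode that is a placeholder.
create_baseline() {
  os="$1"
  case "$os" in
    WINDOWS) filters='{Key=CLASSIFICATION,Values=[CriticalUpdates,SecurityUpdates]},{Key=MSRC_SEVERITY,Values=[Critical,Important]}' ;;
    AMAZON_LINUX_2) filters='{Key=CLASSIFICATION,Values=[Security,Bugfix]},{Key=SEVERITY,Values=[Critical,Important]}' ;;
    *) echo "unsupported OS: $os" >&2; return 1 ;;
  esac
  id=$(run aws ssm create-patch-baseline --name "$PATCH_GROUP-$os" --operating-system "$os" \
      --approval-rules "PatchRules=[{PatchFilterGroup={PatchFilters=[$filters]},ApproveAfterDays=$APPROVE_AFTER_DAYS}]" \
      --rejected-patches-action ALLOW_AS_DEPENDENCY --query BaselineId --output text)
  id="${id:-pb-PLACEHOLDER-$os}"
  run aws ssm register-patch-baseline-for-patch-group --baseline-id "$id" --patch-group "$PATCH_GROUP"
  echo "$id"
}

# Step 4: weekly maintenance window running AWS-RunPatchBaseline (Install) on
# every instance carrying the Patch Group tag. Prints the window ID.
create_weekly_window() {
  wid=$(run aws ssm create-maintenance-window --name weekly-maintenance --schedule "$SCHEDULE" \
      --duration 4 --cutoff 1 --no-allow-unassociated-targets --query WindowId --output text)
  wid="${wid:-mw-PLACEHOLDER}"
  tid=$(run aws ssm register-target-with-maintenance-window --window-id "$wid" --resource-type INSTANCE \
      --targets "Key=tag:Patch Group,Values=$PATCH_GROUP" --query WindowTargetId --output text)
  tid="${tid:-wt-PLACEHOLDER}"
  run aws ssm register-task-with-maintenance-window --window-id "$wid" --task-type RUN_COMMAND \
      --task-arn AWS-RunPatchBaseline --targets "Key=WindowTargetIds,Values=$tid" \
      --max-concurrency 2 --max-errors 1 \
      --task-invocation-parameters '{"RunCommand":{"Parameters":{"Operation":["Install"],"RebootOption":["RebootIfNeeded"]}}}'
  echo "$wid"
}

# Step 5: the on-demand "scan and install" from the video, then the per-instance
# patch state (baseline ID, snapshot ID, reboot required, installed/failed counts).
patch_now() {
  run aws ssm send-command --document-name AWS-RunPatchBaseline \
      --targets "Key=tag:Patch Group,Values=$PATCH_GROUP" \
      --parameters '{"Operation":["Install"],"RebootOption":["RebootIfNeeded"]}'
  run aws ssm describe-instance-patch-states-for-patch-group --patch-group "$PATCH_GROUP"
}

main() {
  create_instance_role
  # INSTANCE_IDS="i-0123 i-4567" (placeholders) tags the fleet; omitted in a dry run.
  if [ -n "${INSTANCE_IDS:-}" ]; then tag_instances $INSTANCE_IDS; fi
  create_baseline WINDOWS >/dev/null
  create_baseline AMAZON_LINUX_2 >/dev/null
  create_weekly_window >/dev/null
  patch_now
}
main
```

Run it once as-is to review the plan, then with `DRY_RUN=0 INSTANCE_IDS="..."` to apply it. The `describe-instance-patch-states-for-patch-group` call at the end is the CLI view of the output the video inspects per invocation: the baseline and snapshot IDs show which approved set was applied, and a missing snapshot ID or a non-zero failed count is the signal to open the Run Command output for that instance.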
Info
Channel: Let's Go Tech In a Cloudy Way
Views: 13,421
Keywords: aws ssm patch manager linux, aws ssm patch manager tutorial, aws systems manager tutorial, aws systems manager patch manager, aws systems manager demo, aws systems manager automation, aws systems manager architecture, aws systems manager managed instances, aws systems manager patch manager windows, aws systems manager windows patching, aws ssm
Id: Dm4id0FVhtc
Length: 24min 22sec (1462 seconds)
Published: Tue May 05 2020