Patch baselines in AWS Systems Manager Patch Manager are essential configurations that define which patches should be approved or rejected for automatic deployment to your managed instances. As a SysOps Administrator, understanding patch baselines is crucial for maintaining security and compliance across your AWS infrastructure.
A patch baseline contains rules that automatically approve patches based on specific criteria such as product, classification, and severity. For example, you can create a baseline that auto-approves all critical security patches for Windows Server 2019 after a 7-day waiting period.
AWS provides predefined patch baselines for each supported operating system, including Amazon Linux, Ubuntu, RHEL, SUSE, CentOS, and Windows. These default baselines approve all operating system patches classified as Critical or Important with a 7-day auto-approval delay. However, you can create custom patch baselines tailored to your organization's requirements.
Key components of a patch baseline include:
1. **Approval Rules**: Define automatic approval criteria based on patch properties like classification (Security, Bugfix, Enhancement) and severity levels (Critical, Important, Moderate, Low).
2. **Auto-Approval Delay**: Specifies the number of days to wait before patches are automatically approved, allowing time for testing.
3. **Approved Patches**: A list of explicitly approved patches that override baseline rules.
4. **Rejected Patches**: Patches that should never be installed, regardless of other rules.
5. **Patch Sources**: For Linux instances, you can specify alternative patch repositories.
To implement patch baselines effectively, you associate them with patch groups using tags. Instances tagged with specific patch group values will use the corresponding baseline during patching operations.
Patch baselines work alongside maintenance windows and patch compliance reporting to provide comprehensive patch management. This automation capability reduces manual effort, ensures consistent patching across your fleet, and helps maintain security compliance standards required for production environments.
Patch Baselines - AWS Systems Manager Patch Manager
What are Patch Baselines?
A patch baseline is a set of rules that defines which patches should be automatically approved for installation on your managed instances. Patch baselines are a core component of AWS Systems Manager Patch Manager, allowing you to control the patching process across your fleet of EC2 instances and on-premises servers.
Why are Patch Baselines Important?
Patch baselines are critical for several reasons:
• Security Compliance: They ensure your instances receive critical security updates in a timely and controlled manner
• Operational Stability: They prevent untested patches from being deployed, reducing the risk of system instability
• Audit Requirements: They provide documented proof of your patching policies for compliance audits
• Standardization: They allow consistent patching policies across your entire infrastructure
How Patch Baselines Work
Components of a Patch Baseline:
• Operating System: Each baseline is specific to an OS (Amazon Linux, Windows, Ubuntu, etc.)
• Approval Rules: Define which patches are auto-approved based on classification (Critical, Important, etc.) and severity
• Auto-approval Delay: Number of days after a patch release before it becomes approved
• Approved Patches: Explicitly approved patches by ID
• Rejected Patches: Patches that should never be installed
• Patch Sources: Repositories from which patches are obtained
Default vs Custom Baselines:
AWS provides predefined default baselines for each supported operating system. These approve all critical and security patches with a 7-day delay. You can create custom baselines to meet specific organizational requirements.
Patch Groups:
Patch groups allow you to associate instances with specific patch baselines using tags. An instance can only be in one patch group, and a patch group can only be registered to one patch baseline per operating system.
Key Concepts for the Exam
• AWS-DefaultPatchBaseline: The predefined baseline that approves all OS patches classified as Critical or Security
• AWS-AmazonLinux2DefaultPatchBaseline: Default baseline specifically for Amazon Linux 2
• AWS-WindowsPredefinedPatchBaseline-OS: Default baseline for Windows that includes only OS updates
• Compliance Levels: CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL, UNSPECIFIED
• Patch States: Installed, Missing, Failed, NotApplicable
Exam Tips: Answering Questions on Patch Baselines
1. Remember the Tag Key: To associate instances with patch groups, use the tag key Patch Group (case-sensitive)
2. One-to-One Relationship: Each patch group can be associated with only ONE patch baseline per operating system
3. Custom vs Default: When questions mention specific patch approval requirements or compliance needs, think custom patch baselines
4. Maintenance Windows: Patch baselines work with maintenance windows to schedule when patching occurs - these are separate concepts
5. Cross-Platform Understanding: Know that Linux and Windows have different default baselines and patch classifications
6. Rejected Patches Action: Understand the two options - ALLOW_AS_DEPENDENCY (allows a rejected patch to be installed if it's a dependency of an approved patch) and BLOCK (blocks installation entirely)
7. Compliance Reporting: Patch Manager provides compliance data that integrates with AWS Config for compliance tracking
8. Scenario Recognition: Questions about controlling which patches get installed, meeting compliance requirements, or standardizing patching across environments typically involve patch baselines
9. SSM Agent Requirement: Remember that SSM Agent must be installed and running on instances for Patch Manager to work
10. IAM Permissions: Instances need an IAM instance profile with appropriate permissions (AmazonSSMManagedInstanceCore policy) to communicate with Systems Manager
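As an added example (not from this page or from AWS), the following simplified Python model shows how the baseline components described above interact: approval rules gated by the auto-approval delay, explicit approved and rejected lists overriding those rules, the two RejectedPatchesAction options, and resolution of an instance's baseline through the case-sensitive Patch Group tag key. Patch IDs, release dates, the evaluation date and the baseline registration are constructed; the real evaluation is performed by the Patch Manager service, and this local model is an assumption about its behaviour, not its code.

```python
from datetime import date, timedelta
TODAY = date(2024, 6, 15)  # constructed evaluation date for the sample below

# Constructed baseline using the fields the page describes (hypothetical IDs);
# a simplified local model, not the Patch Manager service logic.
BASELINE = {
    "ApprovalRules": [{"Classification": ["Security"],
                       "Severity": ["Critical", "Important"], "ApproveAfterDays": 7}],
    "ApprovedPatches": ["enh-1.2"],          # explicit approval overrides the rules
    "RejectedPatches": ["openssl-1.1.1x"],   # never approved by the rules
    "RejectedPatchesAction": "BLOCK",        # alternative: ALLOW_AS_DEPENDENCY
}

def patch(pid, cls, sev, released, deps=()):
    return {"Id": pid, "Classification": cls, "Severity": sev,
            "ReleaseDate": released, "DependsOn": list(deps)}
# Constructed patch metadata as a scan might report it (hypothetical IDs).
PATCHES = [
    patch("kernel-5.10.200", "Security", "Critical", date(2024, 6, 1), ["openssl-1.1.1x"]),
    patch("curl-8.4.0", "Security", "Important", date(2024, 6, 12)),
    patch("vim-9.0", "Bugfix", "Low", date(2024, 5, 1)),
    patch("enh-1.2", "Enhancement", "Moderate", date(2024, 6, 14)),
    patch("openssl-1.1.1x", "Security", "Critical", date(2024, 5, 1)),
]

def rule_decision(rules, p, today):
    """First matching rule decides; ApproveAfterDays gates on the release date."""
    for rule in rules:
        if p["Classification"] in rule["Classification"] and p["Severity"] in rule["Severity"]:
            approve_on = p["ReleaseDate"] + timedelta(days=rule["ApproveAfterDays"])
            return "Approved" if today >= approve_on else "PendingDelay"
    return "NotInScope"

def evaluate_baseline(baseline, patches, today):
    """Map patch id -> state: rejected list beats approved list beats rules."""
    rejected, approved = set(baseline["RejectedPatches"]), set(baseline["ApprovedPatches"])
    state = {}
    for p in patches:
        pid = p["Id"]
        state[pid] = ("Rejected" if pid in rejected else "Approved" if pid in approved
                      else rule_decision(baseline["ApprovalRules"], p, today))
    if baseline["RejectedPatchesAction"] == "ALLOW_AS_DEPENDENCY":
        # A rejected patch may still install when an approved patch depends on it.
        needed = {d for p in patches if state[p["Id"]] == "Approved" for d in p["DependsOn"]}
        for pid in rejected & needed:
            state[pid] = "AllowedAsDependency"
    return state

def baseline_for_instance(tags, os_name, registrations, default_id):
    """Resolve the baseline via the case-sensitive 'Patch Group' tag key."""
    return registrations.get((tags.get("Patch Group"), os_name), default_id)
```

Running `evaluate_baseline(BASELINE, PATCHES, TODAY)` with the sample data shows the kernel patch approved (released more than 7 days ago), the curl patch still waiting out the delay, the bugfix out of scope of the rules, the enhancement approved only because it is listed explicitly, and the rejected openssl patch blocked; switching RejectedPatchesAction to ALLOW_AS_DEPENDENCY lets openssl through because the approved kernel patch depends on it.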