Automate Windows Security Updates for AWS EC2 Instances with AWS Systems Manager
Jul 23, 2024
Renowned security expert Bruce Schneier once said, "Security is a process, not a product." Automating security updates is a crucial part of that process, and more so in an AWS-based environment, as it saves time, reduces errors, and ensures consistent updates.
In this post we explain how to automate Windows security updates on EC2 instances with AWS Systems Manager.
Automating security updates with AWS SSM Patch Manager and Maintenance Windows
Patch Manager, an AWS Systems Manager capability, automates patching managed nodes with security-related updates and other types of updates.
Maintenance Windows, another AWS Systems Manager capability, helps you define a schedule for when to perform potentially disruptive actions on your nodes.
Essentially, the automation process orchestrates Patch Manager and Maintenance Windows in three steps:
- Create a Patch Baseline that matches your machines' Windows version.
- Create a Patch Group with your target EC2 Windows instances.
- Register it in a Maintenance Window that fits your schedule.
Patch Baselines
Inside the AWS Console, go to AWS Systems Manager and locate Patch Manager under Node Management.
From there, go to the Patch Baselines tab.
Patch Manager ships with a predefined patch baseline for Windows (AWS-DefaultPatchBaseline) that approves all patches classified as critical updates or security updates with an MSRC severity of Critical or Important. This baseline automatically approves these patches seven days after Microsoft releases them.
Custom Patch Baseline
Patch Manager lets you create custom patch baselines, so you define which updates receive automatic approval. These baselines give you granular control by allowing you to target patches based on:
- Operating System: focus on specific OSes like Windows, Amazon Linux, or Ubuntu Server.
- Product Version: drill down further by specifying the exact product version (e.g., Windows Server 2012 R2 or RHEL 6.5).
- Update Type: prioritize critical updates or focus on security patches specifically.
- Severity Level: target patches based on their severity (Critical, Important, etc.).
Fine-Tuning Approvals with Auto-Approval Delay
For each rule you create, you can set an auto-approval delay. This delay acts as a waiting period after a patch is released before it's automatically approved for deployment. This buffer allows for additional testing or evaluation before wider implementation.
Example in Action:
Imagine you create a rule for critical updates with a 5-day auto-approval delay. A critical patch gets released on January 1st. Patch Manager will hold off on automatic approval and only approve the patch for deployment on January 6th.
Custom patch baselines offer a powerful way to automate your update process while maintaining control over which patches get applied automatically.
To create a custom Patch Baseline, go to the Create patch baseline page and fill in the following sections:
- Patch baseline details: give the baseline a name and a description, and select Windows as the operating system.
- Approval rules for operating systems: most of the time, when applying Windows security updates, we apply what Windows Update calls "Recommended updates"; the approval rule you define here (product, classification, MSRC severity and auto-approval delay) is the recipe that most accurately matches that.
- Approval rules for applications: in this case we do not include approval rules for applications.
- Patch exceptions: this section fine-tunes individual patches that you want explicitly approved or rejected regardless of the rules. In our case we leave it at the default.
- Manage tags: create a tag to associate with the Patch Baseline.
Setting the baseline as a default
By default, the predefined patch baseline that ships with Patch Manager is designated as the default patch baseline; it is the one applied to instances that are not in a patch group registered with a baseline. You can designate your own patch baseline as the default instead.
Patch Groups
Patch Manager uses patch groups to ensure the right updates go to the right machines. Think of them as labels for your AWS instances. You can group your instances based on factors like environment (Development, Test, Production) and then assign a specific patch baseline to each group.
Patch baselines define which updates are automatically approved. By linking patch groups to baselines, you control which updates are deployed to which environments. This helps avoid accidentally deploying untested updates to critical systems.
A patch group is defined with the tag key Patch Group. Select the machines you want in the group and add the tag with a meaningful value (Production Servers, Front-End Servers, etc.).
Now, go to the custom patch baseline, select it, go to the Actions button and click on “Modify patch groups”.
Enter the tag value you previously applied to the machines in the "Patch Groups" text box and press "Add".
You have successfully linked the custom Patch Baseline with the Patch Group.
Maintenance Windows
While patching your AWS instances is crucial for security, it can disrupt operations. AWS Systems Manager Maintenance Windows address this: they let you define a schedule for performing potentially disruptive actions, like OS patching, driver updates, or software installations.
Here's how Maintenance Windows work:
- IAM Role with Permissions: ensure a designated IAM role has the permissions needed to execute the tasks.
- Define Your Schedule: choose a time that minimizes impact on your organization, like off-peak hours or weekends, and specify how long the maintenance window lasts so there is enough time for updates.
- Targets: using the previously created tag, register the specific machines to be updated.
- Assign Tasks: define the actions to be performed during the window, such as installing the patches.
And now let’s see how to accomplish it:
IAM Role
To assign the right policies to the Role, we first create a policy.
In AWS Console, go to Identity and Access Management (IAM), select Policies, create policy.
In Specify permissions window, select JSON and paste the following:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "ssm.amazonaws.com"
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "ssm:CancelCommand",
                "ssm:SendCommand",
                "ssm:GetAutomationExecution",
                "ssm:StartAutomationExecution",
                "ssm:ListCommands",
                "tag:GetResources",
                "ssm:ListTagsForResource",
                "resource-groups:ListGroupResources",
                "resource-groups:ListGroups",
                "ssm:GetParameters",
                "ssm:ListCommandInvocations",
                "ssm:GetCommandInvocation"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction",
                "states:DescribeExecution",
                "states:StartExecution"
            ],
            "Resource": [
                "arn:aws:lambda:*:*:function:*",
                "arn:aws:states:*:*:execution:*:*",
                "arn:aws:states:*:*:stateMachine:*"
            ]
        }
    ]
}
Click Next, name the policy, review it and create it. This policy closely mirrors the AWS managed policy AmazonSSMMaintenanceWindowRole. If the window will only run Run Command tasks, as in this post, the Lambda and Step Functions statement is unused and can be dropped, and the iam:PassRole statement can be scoped to the specific role ARNs the window is allowed to pass instead of "*".
Now, we create the Role based on this Policy:
- Go to IAM > Roles > Create Role.
- Select AWS Service as the trusted entity type, select Systems Manager as the use case, and click Next.
- In Add permissions, select the permission policy you just created and click Next.
- Enter a Role name and a Description, optionally add a Tag, and create the Role.
We are ready to create the Maintenance Window now:
Schedule
Go to AWS Systems Manager > Change Management > Maintenance Windows > Create maintenance window.
Provide a Name and a Description, and leave the Allow unregistered targets checkbox active (it permits tasks to run against targets that are not registered with the window).
In the Schedule section, add a CRON / Rate expression as follows:
cron(0 30 1 ? * SAT *)
The fields are seconds, minutes, hours, day-of-month, month, day-of-week and year, so this runs every Saturday at 01:30 in the window's timezone.
A suggested Duration is 4 hours. For Stop initiating tasks select 1 hour; this is the cutoff, so no new task invocations start during the last hour of the window.
Leave the window start date and end date empty, and select the schedule timezone accordingly, in our case:
(GMT-05:00) America / Guayaquil
Click Create maintenance window.
Targets
Select your newly created Maintenance window, and go to the Targets tab > Register target
Insert Target name, Description and Owner information, and in the Targets section, select Specify instance tags, insert the Tag we created before Tag key: Patch Group, Tag value: Production Servers. Click Register target.
Tasks
A task defines what the maintenance window actually runs against its registered targets; here it is a Run Command task that applies the patch baseline.
Navigate to the newly created maintenance window panel and click Register tasks > Register Run command task.
Insert Name and Description for the task.
In Command Document, select AWS-ApplyPatchBaseline. Note that this document is Windows-only and AWS now documents it as legacy; AWS-RunPatchBaseline supersedes it, supports both Windows and Linux, and takes the same Operation parameter.
In the Targets section, select your registered target group “Production Servers”
In the Rate control section, set the concurrency and the error threshold. Concurrency is how many targets the task runs on at the same time; the error threshold is how many failed invocations are tolerated before the task stops being sent to further targets.
For patching, one target at a time is the conservative choice, and the error threshold depends on how many targets you have. We have selected 1 and 1 for the example, so one instance is patched at a time and the task stops after the first failure.
Select the previously created IAM service Role.
Leave SNS notifications unchecked.
In Parameters, select the Install operation and optionally fill in Snapshot Id, Comment and Timeout.
Click Register Run command task.
We have successfully created the Maintenance Window for our Patch Group, which is already linked to the custom Patch Baseline.
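The three console steps above (baseline, patch group, maintenance window with target and task), expressed as boto3 calls. This is an added example, not code from the original post. The request-building functions are pure and can be reviewed without AWS credentials; only apply() talks to the API. The account id, role ARN, baseline/window names, product versions and tag values are placeholders and assumptions, the instances are assumed to already carry the Patch Group tag, and the task uses AWS-RunPatchBaseline rather than the legacy AWS-ApplyPatchBaseline.

```python
"""Added example (not from the original post): the three console steps as
boto3 calls. Request builders are pure functions, so they can be reviewed and
tested without AWS access; apply() is the only function that hits the API.
Names, products, the role ARN and tag values are placeholders/assumptions."""

PATCH_GROUP = "Production Servers"            # value of the "Patch Group" tag on the instances
SCHEDULE = "cron(0 30 1 ? * SAT *)"           # sec min hour dom mon dow year: Saturdays 01:30
TIMEZONE = "America/Guayaquil"
ROLE_ARN = "arn:aws:iam::123456789012:role/MaintenanceWindowRole"  # placeholder account/role


def baseline_request(name: str, approve_after_days: int = 7) -> dict:
    """CreatePatchBaseline input: critical and security updates of MSRC severity
    Critical or Important, auto-approved approve_after_days after release."""
    return {
        "OperatingSystem": "WINDOWS",
        "Name": name,
        "Description": "Windows recommended updates (custom baseline)",
        "ApprovalRules": {"PatchRules": [{
            "PatchFilterGroup": {"PatchFilters": [
                # Product list is an assumption; pick the versions you actually run.
                {"Key": "PRODUCT", "Values": ["WindowsServer2019", "WindowsServer2022"]},
                {"Key": "CLASSIFICATION", "Values": ["CriticalUpdates", "SecurityUpdates"]},
                {"Key": "MSRC_SEVERITY", "Values": ["Critical", "Important"]},
            ]},
            "ComplianceLevel": "CRITICAL",
            "ApproveAfterDays": approve_after_days,
            "EnableNonSecurity": False,
        }]},
        "Tags": [{"Key": "Environment", "Value": "Production"}],
    }


def window_request(name: str) -> dict:
    """CreateMaintenanceWindow input. Duration and Cutoff are in hours."""
    return {
        "Name": name,
        "Description": "Weekly Windows patching",
        "Schedule": SCHEDULE,
        "ScheduleTimezone": TIMEZONE,
        "Duration": 4,   # window stays open 4 hours
        "Cutoff": 1,     # stop starting new task invocations 1 hour before it closes
        # The post leaves "Allow unregistered targets" enabled; False restricts the
        # window to the targets registered with it.
        "AllowUnassociatedTargets": False,
    }


def validate_window(req: dict) -> None:
    """Reject values the API would refuse: 1-24h duration, cutoff below duration."""
    if not 1 <= req["Duration"] <= 24:
        raise ValueError("Duration must be 1..24 hours")
    if not 0 <= req["Cutoff"] < req["Duration"]:
        raise ValueError("Cutoff must be >= 0 and less than Duration")


def target_request(window_id: str) -> dict:
    """Register every instance carrying the Patch Group tag as a window target."""
    return {
        "WindowId": window_id,
        "ResourceType": "INSTANCE",
        "Targets": [{"Key": "tag:Patch Group", "Values": [PATCH_GROUP]}],
        "Name": "ProductionServers",
        "OwnerInformation": "platform-team",
    }


def task_request(window_id: str, window_target_id: str, role_arn: str) -> dict:
    """Run Command task installing approved patches one instance at a time and
    stopping after the first failure (the post's concurrency 1 / error threshold 1)."""
    return {
        "WindowId": window_id,
        "Targets": [{"Key": "WindowTargetIds", "Values": [window_target_id]}],
        "TaskArn": "AWS-RunPatchBaseline",
        "ServiceRoleArn": role_arn,
        "TaskType": "RUN_COMMAND",
        "TaskInvocationParameters": {"RunCommand": {
            "Parameters": {"Operation": ["Install"], "RebootOption": ["RebootIfNeeded"]},
            "TimeoutSeconds": 3600,
        }},
        "Priority": 1,
        "MaxConcurrency": "1",
        "MaxErrors": "1",
        "Name": "InstallPatches",
    }


def apply(ssm, role_arn: str = ROLE_ARN) -> dict:
    """Create the baseline, bind it to the patch group, then create the window,
    target and task. `ssm` is a boto3 SSM client, e.g. boto3.client("ssm")."""
    baseline_id = ssm.create_patch_baseline(**baseline_request("Windows-Recommended"))["BaselineId"]
    ssm.register_patch_baseline_for_patch_group(BaselineId=baseline_id, PatchGroup=PATCH_GROUP)
    window = window_request("Weekly-Windows-Patching")
    validate_window(window)
    window_id = ssm.create_maintenance_window(**window)["WindowId"]
    target_id = ssm.register_target_with_maintenance_window(**target_request(window_id))["WindowTargetId"]
    task_id = ssm.register_task_with_maintenance_window(**task_request(window_id, target_id, role_arn))["WindowTaskId"]
    return {"baseline": baseline_id, "window": window_id, "target": target_id, "task": task_id}


if __name__ == "__main__":
    import boto3  # only needed when actually applying the configuration
    print(apply(boto3.client("ssm")))
```

Run it under credentials that can call the ssm:CreatePatchBaseline, ssm:RegisterPatchBaselineForPatchGroup, ssm:CreateMaintenanceWindow and the two Register* actions, plus iam:PassRole on the maintenance window role; the same request dictionaries can be dropped into CloudFormation or Terraform once reviewed.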
Automated Security with Confidence
Automating security updates with AWS Systems Manager Patch Manager offers a powerful and efficient way to keep your Windows EC2 instances secure. By leveraging Patch Manager's capabilities like custom patch baselines, patch groups, and Maintenance Windows, you can achieve a balance of automation and control.
This approach ensures your instances receive critical updates promptly while minimizing the risk of deploying untested updates to critical environments. Remember, consistent security patching is a cornerstone of a secure AWS infrastructure. Take advantage of Patch Manager and empower your cloud security posture!
For additional information, see the AWS Systems Manager documentation on Patch Manager and Maintenance Windows.