Free Training and Lab on AWS Systems Manager
Patch Manager

AWS Patch Management Hands-On Lab Guide


Objective: This lab guide will help you learn how to configure and manage AWS Patch Management to automate the patching of your EC2 instances.

Prerequisites:

  • An AWS account with administrative access.
  • At least one running EC2 instance (preferably in a non-production environment).
  • AWS Systems Manager Agent (SSM Agent) installed and running on the EC2 instance.
  • Appropriate IAM roles for Systems Manager attached to the instance.

Estimated Time: 30 minutes

Step 1: Access AWS Systems Manager

  1. Log in to the AWS Console.
  2. Open AWS Systems Manager:
    • Find Systems Manager under "Management & Governance" in the Services menu or use the search bar

Step 2: Configure IAM Roles and Permissions

  1. Verify IAM Roles:
    • Ensure that your EC2 instance is associated with an IAM role that has the AmazonSSMManagedInstanceCore policy attached.
  2. Modify/Add Role:
    • If necessary, add or modify an IAM role via the IAM console to include the required permissions.

Step 3: Create a Patch Policy

  1. Navigate to Patch Manager:
    • Within the Systems Manager dashboard, go to the "Patch Manager" service listed under Node Management.
  2. Create a Patch Policy:
    • Click on "Create patch policy".
    • Name your baseline configuration and select the patch operation: Scan, or Scan and install.
    • Select a scanning schedule.
  3. Assign Patch Baseline:
    • Choose your new patch baseline as the default for your operating system.
  4. Select an S3 bucket for log storage. We leave this unchecked for this lab.
  5. Specify Targets:
    • Select the Region.
    • Choose how to target instances. For this lab we use tags: Patch Group -> "LabTest".
  6. Specify Rate Control. We go with the defaults.
  7. Instance Profile Options. This goes back and adds the required IAM roles to the instance profile.

Step 4: Tagging EC2 Instances for Patch Groups

  1. Identify Your Instance:
    • Go to the EC2 dashboard and select the instance you want to manage.
  2. Add Tags:
    • Add a tag with the key Patch Group and a value that identifies the group, such as "Test" or "LabTest" (as identified above).
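The two things the patch policy depends on are easy to get wrong at scale: the exact Patch Group tag value from Step 4, and a role with AmazonSSMManagedInstanceCore from Step 2. The following preflight check is an added example, not part of the original lab; it runs over constructed data shaped like describe-instances output and a constructed profile-to-policy mapping, and reports which instances the policy would actually be able to manage.

```python
"""Preflight check for the lab: which EC2 instances are targetable by a patch
policy keyed on the Patch Group tag (Step 4) and manageable by SSM (Step 2).
All sample data below is constructed, not taken from a real account."""

REQUIRED_POLICY = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
PATCH_GROUP = "LabTest"

# Constructed, shaped like the Instances entries of `aws ec2 describe-instances`.
INSTANCES = [
    {"InstanceId": "i-0000000000000aaa1",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/SSMLabProfile"},
     "Tags": [{"Key": "Name", "Value": "lab-web"}, {"Key": "Patch Group", "Value": "LabTest"}]},
    {"InstanceId": "i-0000000000000aaa2",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/SSMLabProfile"},
     "Tags": [{"Key": "Patch Group", "Value": "Test"}]},          # wrong group value
    {"InstanceId": "i-0000000000000aaa3",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/LegacyProfile"},
     "Tags": [{"Key": "Patch Group", "Value": "LabTest"}]},       # role lacks SSM policy
    {"InstanceId": "i-0000000000000aaa4", "Tags": []},            # no profile, no tag
]

# Constructed: instance profile name -> managed policy ARNs attached to its role,
# as collected from `aws iam get-instance-profile` plus `list-attached-role-policies`.
PROFILE_POLICIES = {
    "SSMLabProfile": [REQUIRED_POLICY],
    "LegacyProfile": ["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"],
}

def instance_tags(instance):
    return {t["Key"]: t["Value"] for t in instance.get("Tags", [])}

def check_instance(instance, profile_policies, patch_group=PATCH_GROUP):
    """Return a list of problems; an empty list means the instance is ready."""
    problems = []
    if instance_tags(instance).get("Patch Group") != patch_group:
        problems.append(f"tag 'Patch Group' is not '{patch_group}'")
    profile = instance.get("IamInstanceProfile")
    if profile is None:
        problems.append("no instance profile attached")
    else:
        name = profile["Arn"].rsplit("/", 1)[-1]   # profile name is the last ARN segment
        if REQUIRED_POLICY not in profile_policies.get(name, []):
            problems.append(f"profile '{name}' lacks AmazonSSMManagedInstanceCore")
    return problems

def readiness_report(instances, profile_policies):
    return {i["InstanceId"]: check_instance(i, profile_policies) for i in instances}

if __name__ == "__main__":
    for iid, problems in readiness_report(INSTANCES, PROFILE_POLICIES).items():
        print(iid, "READY" if not problems else "; ".join(problems))
```

Against a real account, replace the two constructed structures with the output of the CLI calls named in the comments; an instance that is silently skipped by the policy will show up here with the reason.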

Additional Resources

AWS Systems Manager Documentation

AWS Security Best Practices


This lab is designed to give you practical experience with AWS Patch Management, helping you understand how to automate and manage patches in your AWS environment efficiently. Remember to clean up any resources you no longer need to avoid unnecessary charges.

James Phipps 24 April, 2024