Operating system patching has always been a management overhead. AWS Systems Manager is a good choice for patching different types of machines, and the OS patching process can be automated. Many organizations run multiple AWS accounts and need to centralize patching to reduce the overhead of enterprise-wide configuration, operational actions, and compliance remediation. This blog demonstrates, step by step, how AWS Systems Manager Automation can patch managed instances across multiple AWS regions and accounts. We use the Resource Groups capability, and an IAM role assumed from a central account takes on the responsibility of patching the machines.
What is Operating System Patching?
Patches are software and operating system updates that are released periodically to fix vulnerabilities in the software or operating system. Vendors also release patches to fix performance bugs and to add security enhancements.
What is AWS Systems Manager Patch Manager and how does it work?
Manually applying patches can be tedious. AWS Systems Manager Patch Manager automates patching of Windows and Linux managed instances. Amazon EC2 tags let you target patch installation at individual instances or at a large number of instances at once.
The following four steps centralize multi-account OS patching with AWS Systems Manager:
Step 1: Create a resource group
Resource groups make it easier to manage and automate large numbers of resources at the same time. They can be organized by server function, such as web servers or databases. Resource groups also help you avoid deploying patches to the wrong instances.
After opening the AWS Systems Manager console, click “Find Resources” in the left navigation pane. The following example shows the instances we want to patch.
I use the following values for the resource group and its tag:
Resource Group Name: RG-Linux-SSM
ResourceGroup Tag Key: SSM-linuxpatching
ResourceGroup Tag Value: True
This method can be used to patch any number of instances that carry this tag.
In the AWS Console, select “Resource Groups and Tag Editor” from the service list.
Click “Create a resource group”.
Select the Group Type “Tag based” and the Resource Type AWS::EC2::Instance.
Choose the tag name that fits your use case. Once you have added the tag, click “Preview group resources”; the matching instances appear under the resource group.
The resource group must be created in every account whose instances are to be patched (the managed or target accounts).
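The following is an added example, not code from the original post: it builds the tag-based resource query that a tag-based resource group such as RG-Linux-SSM uses, assembles the equivalent `aws resource-groups create-group` call, and applies the same membership rule locally to a constructed instance inventory. The instance IDs and tags are made up for the example. It shows the point the text makes about patching the wrong instances from the other direction: a tag key or value that differs only in case does not match, so the host is silently left out of the patch run.

```python
"""Added example (not from the original post): build the ResourceQuery for a
tag-based resource group and check locally which instances it would select.
The instance list below is constructed sample data."""
import json

RESOURCE_GROUP_NAME = "RG-Linux-SSM"
TAG_KEY = "SSM-linuxpatching"
TAG_VALUE = "True"


def build_resource_query(tag_key=TAG_KEY, tag_value=TAG_VALUE):
    """Return the ResourceQuery structure accepted by resource-groups
    CreateGroup (CLI: --resource-query). The inner Query is itself a JSON
    string, which is the part people most often get wrong when scripting it."""
    inner = {
        "ResourceTypeFilters": ["AWS::EC2::Instance"],
        "TagFilters": [{"Key": tag_key, "Values": [tag_value]}],
    }
    return {"Type": "TAG_FILTERS_1_0", "Query": json.dumps(inner)}


def create_group_cli_command():
    """Assemble the CLI call that creates the group, as an argv list so it can
    be handed to subprocess.run without shell quoting problems."""
    return ["aws", "resource-groups", "create-group",
            "--name", RESOURCE_GROUP_NAME,
            "--resource-query", json.dumps(build_resource_query())]


def select_instances(instances, tag_key=TAG_KEY, tag_value=TAG_VALUE):
    """Emulate the group membership rule on instance records shaped like
    ec2 DescribeInstances output. AWS tag keys and values are matched
    exactly (case-sensitive), so 'true' or 'ssm-linuxpatching' do not match."""
    selected = []
    for inst in instances:
        tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
        if tags.get(tag_key) == tag_value:
            selected.append(inst["InstanceId"])
    return sorted(selected)


# Constructed sample inventory; IDs and tags are invented for this example.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa000000000001",
     "Tags": [{"Key": "SSM-linuxpatching", "Value": "True"},
              {"Key": "Name", "Value": "web-1"}]},
    {"InstanceId": "i-0aaa000000000002",
     "Tags": [{"Key": "SSM-linuxpatching", "Value": "true"}]},   # value case differs
    {"InstanceId": "i-0aaa000000000003",
     "Tags": [{"Key": "ssm-linuxpatching", "Value": "True"}]},   # key case differs
    {"InstanceId": "i-0aaa000000000004",
     "Tags": [{"Key": "SSM-linuxpatching", "Value": "True"}]},
    {"InstanceId": "i-0aaa000000000005", "Tags": []},             # untagged
]


if __name__ == "__main__":
    print("Would run:", " ".join(create_group_cli_command()))
    print("Instances the group would contain:", select_instances(SAMPLE_INSTANCES))
```

Running the script prints the two instances that match exactly; the two with a case mismatch are excluded, which is the kind of gap to look for when the preview in the console shows fewer instances than you expect.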
Step 2: Create the IAM roles you need
Log in to your master account and create the following IAM roles.
SSM-Automationexecution-role
Attach the AmazonSSMAutomationRole AWS managed policy and add ExecutionPolicy as an inline policy.
ExecutionPolicy
Next, edit “Trust Relationships” to provide the following policy.
SSM-Automationadministration-role
Add the following inline policies:
AssumeRole-AWSSystemsManagerAutomationExecutionRole
PassRole-AutomationAdministrationRole
Note: replace the account ID in the policy with the ID of your master account.
Now log in to each target account and create the following IAM roles.
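As an added example (not the post's own policy text, which is not reproduced here), the script below generates the policy documents for the two roles created in the master account and lints them before they are applied. The statement contents follow the pattern AWS documents for multi-account Automation and are an assumption, not the author's exact policies; the role names are the ones used in the post, and the account ID is a placeholder. The lint function flags the two mistakes a reviewer most often finds in this setup: a trust policy that admits the whole master account (`:root`) or any principal (`*`) instead of the administration role, and an `iam:PassRole` grant on `*` instead of a single role ARN.

```python
"""Added example (assumed pattern, not the original post's policies): generate
and lint the IAM policy documents for the central-account automation roles.
Documents are what you pass to `aws iam create-role --assume-role-policy-document`
and `aws iam put-role-policy --policy-document`."""
import json

MASTER_ACCOUNT_ID = "111111111111"   # placeholder, replace with the master account ID
ADMIN_ROLE = "SSM-Automationadministration-role"
EXEC_ROLE = "SSM-Automationexecution-role"


def role_arn(account_id, role_name):
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def admin_assume_role_policy():
    """AssumeRole-AWSSystemsManagerAutomationExecutionRole: the central role may
    assume the execution role in any target account, but only a role of that
    exact name (assumed pattern, following AWS's documented template)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Resource": role_arn("*", EXEC_ROLE)}]}


def admin_pass_role_policy(account_id=MASTER_ACCOUNT_ID):
    """PassRole-AutomationAdministrationRole: Automation passes the
    administration role to itself; scope the grant to that one ARN."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "iam:PassRole",
        "Resource": role_arn(account_id, ADMIN_ROLE)}]}


def admin_trust_policy():
    """Trust relationship of the administration role: only the SSM service."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"Service": "ssm.amazonaws.com"}}]}


def exec_trust_policy(master_account_id=MASTER_ACCOUNT_ID):
    """Trust relationship of the execution role (same document in the master
    and in every target account): trust the master's administration role and
    the SSM service, never the whole master account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": role_arn(master_account_id, ADMIN_ROLE),
                      "Service": "ssm.amazonaws.com"}}]}


def exec_inline_policy(account_id):
    """ExecutionPolicy for the execution role in the given account: read the
    resource group and instance inventory, and pass only itself (assumed)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["resource-groups:ListGroupResources",
                    "tag:GetResources", "ec2:DescribeInstances"]},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": role_arn(account_id, EXEC_ROLE)}]}


def lint_policy(doc):
    """Return reviewer findings: wildcard or account-root principals in a
    trust policy, and iam:PassRole that is not scoped to a role ARN."""
    findings = []
    for st in doc["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        principal = st.get("Principal")
        aws_principals = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws_principals = [aws_principals] if isinstance(aws_principals, str) else aws_principals or []
        if any(p == "*" or p.endswith(":root") for p in aws_principals):
            findings.append("trust policy accepts any principal or a whole account")
        if "iam:PassRole" in actions and st.get("Resource") == "*":
            findings.append("iam:PassRole is not scoped to a role ARN")
    return findings


# Constructed counter-example of the trust policy a reviewer should reject.
OVER_BROAD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{MASTER_ACCOUNT_ID}:root"}}]}


if __name__ == "__main__":
    for name, doc in [("exec trust", exec_trust_policy()),
                      ("admin PassRole", admin_pass_role_policy()),
                      ("over-broad trust", OVER_BROAD_TRUST)]:
        print(name, "->", lint_policy(doc) or "ok")
    print(json.dumps(exec_trust_policy(), indent=2))
```

The same `exec_trust_policy` document is what each target account's execution role should trust, with the master account ID filled in, which is the substitution the note above refers to.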
SSM-Automationexecution-role
Attach the AmazonSSMAutomationRole AWS managed policy and add the following inline policies:
cloudtrail
ExecutionPolicy
Edit trust relationships and include the follo