Slide 1

Prevent Patching Problems (3P) with AWS SSM

Darko Meszaros, Developer Advocate - AWS
@darkosubotica | ln/darko-mesaros | twitch.tv/ruptwelve | youtu.be/ruptwelve

Slide 2

© 2020, Amazon Web Services, Inc. or its Affiliates.

Agenda
• Patch Management
• AWS Systems Manager
• Manage patching with AWS Systems Manager
• Demo

Slide 3

Patch Management

Slide 4

Not everything is a serverless workload

Slide 5

What is Patching? And why should we care?

Slide 6


Slide 7


Slide 8

What is Patch Management?

Slide 9

Why is Patch Management important?

Slide 10


Slide 11

$(whoami)
Darko Mesaroš / Darko Meszaros / Дарко Месарош
@darkosubotica | ln/darko-mesaros | twitch.tv/ruptwelve | youtu.be/ruptwelve

Slide 12

Jerry

Slide 13

(Diagram) Jerry patches the Web Application, the BI Tooling and the Super Secure FTP Servers: patch, patch, patch.

Slide 14

(Diagram) Jerry with the Web Application, the BI Tooling and the Super Secure FTP Servers.

Slide 15

(Diagram) The Web Application, the BI Tooling and the Super Secure FTP Servers scale out; Jerry.

Slide 16

AWS Systems Manager

Slide 17

Management & Governance
• Optimize: Analyze and reduce cost, improve efficiency and security posture
• Act: Take operational action on resources
• Audit: Audit resource configurations, user access, and policy enforcement
• Monitor: Monitor resources and applications

Slide 18

AWS Management & Governance
• Monitor resources and applications: Amazon CloudWatch
• Optimize to reduce cost and improve security posture: AWS Trusted Advisor, AWS Cost and Usage Report, AWS Cost Explorer
• Manage resources and take operational action: AWS Systems Manager
• Audit user activity and resource configurations: AWS CloudTrail, AWS Config

Slide 19

AWS Systems Manager: Centrally manage cloud resources at any scale
• Any environment: Operate any AWS or external resource centrally
• Open: Agent is open-sourced on GitHub
• Multi-platform: Windows and Linux support
• Automated: Multi-account, multi-Region automation

Slide 20

How it works: AWS Systems Manager
Systems Manager helps you safely manage and operate your resources at scale.
• Group resources: Create groups of resources across different AWS services, such as applications or different layers of an application stack
• Visualize data: View aggregated operational data by resource group
• Take action: Respond to insights and automate operational actions across resource groups

Slide 21

Patch Manager

Slide 22

So, what is this Patch Manager?

Slide 23

Jerry

Slide 24

(Diagram) Jerry writes a patch baseline; the Web Application, the BI Tooling and the Super Secure FTP Servers are patched from it.

Slide 25

(Diagram) Jerry patches the Web Application, the BI Tooling and the Super Secure FTP Servers.

Slide 26

Patch Manager
Select and deploy operating system and software patches automatically across large groups of Amazon EC2 or on-premises instances.
• Automate patching
• Use patch baselines to set rules for auto approval
• Create exceptions to approve or reject patches
• Schedule maintenance windows
• Scan for compliance

Slide 27

Patch Baselines
• Patch your fleet to different levels
• Set those exceptions
• Use a custom patch source (for Linux)

Slide 28

Applying Patches
Linux
• Systems Manager evaluates the patch baseline rules and every approved and denied patch on each managed instance; the repository is configured locally
• The OS and application patch repo are the same
Windows
• Systems Manager evaluates the patch baseline rules and the list of approved and rejected patches directly in the service; a single repository serves all patches
• Supports Microsoft applications, such as Microsoft Word 2011 and Microsoft Exchange 2016

Slide 29

Patch Groups
• Patch groups help you avoid deploying patches to the wrong set of instances (e.g. Dev, Test, Prod)
• Install patches individually or to a fleet of EC2 instances
• Each patch group is associated with a patch baseline
• Tag based

Slide 30

How does all that work now?

Slide 31

AWS-RunPatchBaseline (Windows and Linux)
• Document that enables you to control patch approvals using patch baselines
• Has a Scan mode!
• This is what installs patches
• Windows: uses PowerShell
• Linux: uses Python
• Runs in a Maintenance Window

Slide 32

Maintenance Window
• Define one or more recurring windows of time during which it is acceptable for disruptive actions to occur
• Built-in integration with Run Command and Patch Manager
• Helps improve availability and reliability of your workloads by automatically performing tasks in a well-defined window of time
• Targets specified by Patch Group and any other EC2 tag
• Scan and install patches

Slide 33

Errors with Patching
• Concurrency: the number or percentage of instances on which the command runs at the same time
• Error threshold: when to stop running the command on further instances after failures, given as either a number or a percentage

Slide 34

All this to make sure you are compliant… Compliant?!

Slide 35

Jerry

Slide 36

(Diagram) Jerry patches the Web Application, the BI Tooling and the Super Secure FTP Servers.

Slide 37

(Diagram) Jerry patches the Web Application, the BI Tooling and the Super Secure FTP Servers; Mike.

Slide 38

Compliance
• Scan your fleet of managed instances for patch compliance and configuration inconsistencies (e.g. Snapshot ID)
• Supports aggregating data from multiple AWS accounts and Regions
• By default, displays Systems Manager Patch Manager patching and Systems Manager State Manager associations
• Can customize the service and create your own compliance types based on your IT or business requirements
• You can also port data to Amazon Athena and Amazon QuickSight to generate fleet-wide reports
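As an added example (not from the deck), here is how the patch compliance data described above can be turned into a fleet-wide report: the records are constructed to mimic the shape of `describe_instance_patch_states` output, and an instance is flagged when approved patches are missing or failed, a reboot is pending, or its last scan or install is older than a chosen age.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records in the shape of ssm.describe_instance_patch_states()
# output (not real fleet data); field names are the Patch Manager compliance counts.
NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)
PATCH_STATES = [
    {"InstanceId": "i-0aaa", "PatchGroup": "WebServers", "Operation": "Install",
     "MissingCount": 0, "FailedCount": 0, "InstalledPendingRebootCount": 0,
     "OperationEndTime": NOW - timedelta(days=2)},
    {"InstanceId": "i-0bbb", "PatchGroup": "WebServers", "Operation": "Scan",
     "MissingCount": 3, "FailedCount": 0, "InstalledPendingRebootCount": 0,
     "OperationEndTime": NOW - timedelta(days=1)},
    {"InstanceId": "i-0ccc", "PatchGroup": "SQLCluster", "Operation": "Install",
     "MissingCount": 0, "FailedCount": 1, "InstalledPendingRebootCount": 2,
     "OperationEndTime": NOW - timedelta(days=40)},
]


def classify(state, now=NOW, max_age_days=30):
    """Return the reasons an instance is not patch-compliant (empty = compliant)."""
    reasons = []
    if state["MissingCount"] > 0:
        reasons.append("missing approved patches")
    if state["FailedCount"] > 0:
        reasons.append("patch install failed")
    if state["InstalledPendingRebootCount"] > 0:
        reasons.append("reboot pending")
    # A clean result that is weeks old says nothing about today's exposure:
    # treat an instance whose last Scan/Install is too old as non-compliant too.
    if now - state["OperationEndTime"] > timedelta(days=max_age_days):
        reasons.append("stale: last operation older than %d days" % max_age_days)
    return reasons


def fleet_report(states, now=NOW):
    """Group results by Patch Group: a compliant count plus per-instance reasons."""
    report = {}
    for s in states:
        group = report.setdefault(s["PatchGroup"], {"compliant": 0, "noncompliant": {}})
        reasons = classify(s, now)
        if reasons:
            group["noncompliant"][s["InstanceId"]] = reasons
        else:
            group["compliant"] += 1
    return report
```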

Slide 39

(Diagram) Compliance with Patch Manager: instances in a Corp Data Center (individual instances, not grouped) and instances tagged Patch Group=WebServers and Patch Group=SQLCluster; the Default Patch Baseline for the OS and a Web Server Patch Baseline; Patch Manager running in a Maintenance Window; Compliance results and Notifications!

Slide 40

(Diagram) Jerry patches the Web Application, the BI Tooling and the Super Secure FTP Servers; Mike.

Slide 41

Hey! I wanna patch my on-prem servers too!

Slide 42

IAM Service Role
• Servers and virtual machines in a hybrid environment require an IAM role to communicate with Systems Manager
• The role grants AssumeRole trust to the Systems Manager service
• One IAM service role is required per account
• Required trust policy
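An added example, not part of the deck, for the required trust policy above: it builds the trust policy for the hybrid service role and audits an existing one for the gap where Systems Manager could assume the role on behalf of any account. The account id and Region are placeholders, and the `aws:SourceAccount` / `aws:SourceArn` conditions go beyond what the slide lists; the role still needs the AmazonSSMManagedInstanceCore permissions policy attached, which is not shown here.

```python
import json

SSM_SERVICE = "ssm.amazonaws.com"


def hybrid_service_role_trust_policy(account_id, region):
    """Trust policy for the hybrid-activation service role: only Systems Manager
    may assume it, and only when acting for this account and Region."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": SSM_SERVICE},
            "Action": "sts:AssumeRole",
            # Scoping conditions (added here; placeholder account/Region values).
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnEquals": {"aws:SourceArn": f"arn:aws:ssm:{region}:{account_id}:*"},
            },
        }],
    }


def audit_trust_policy(policy):
    """Return a finding for each Allow statement that lets Systems Manager
    assume the role without an aws:SourceAccount condition."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # IAM accepts a single statement object
        statements = [statements]
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        services = st.get("Principal", {}).get("Service", [])
        actions = st.get("Action", [])
        services = [services] if isinstance(services, str) else services
        actions = [actions] if isinstance(actions, str) else actions
        if SSM_SERVICE not in services or "sts:AssumeRole" not in actions:
            continue
        if "aws:SourceAccount" not in st.get("Condition", {}).get("StringEquals", {}):
            findings.append(f"statement {i}: {SSM_SERVICE} may assume the role "
                            "without an aws:SourceAccount condition")
    return findings


def trust_policy_document(account_id, region):
    """JSON text as passed to create-role's --assume-role-policy-document."""
    return json.dumps(hybrid_service_role_trust_policy(account_id, region), indent=2)
```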

Slide 43

Managed-Instance Activation
• Servers and virtual machines require a managed-instance activation
• Consists of an Activation Code and an Activation ID
• Similar to an access key
• The Code/ID combination is used in the SSM Agent installation
• Grants managed instances secure access to Systems Manager
• Activations expire, with no impact to existing managed instances
• Create a new activation when it expires

Slide 44

Patch Manager Supported Operating Systems
Linux
• Amazon Linux 2012.03 - 2018.03
• Amazon Linux 2 2 - 2.0
• CentOS 6.5 - 7.8, 8.0 - 8.1
• Red Hat Enterprise Linux (RHEL) 6.5 - 8.2
• Debian 8.x and 9.x
• Oracle Linux 7.5 - 7.8
• SUSE Linux Enterprise Server (SLES) 12.0 and later 12.x versions, 15.0 and 15.1
• Ubuntu Server 14.04 LTS, 16.04 LTS, and 18.04 LTS
Windows
• Windows Server 2008 through Windows Server 2019, including R2 versions

Slide 45

Let’s see that in action …

Slide 46

Getting started

Slide 47

Getting Started
1. Create a Patch Baseline to define approved patches (add a Patch Group)
2. Create a Maintenance Window to schedule patching for a set of instances
3. The Maintenance Window executes patching
4. Audit results with Patch Compliance
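The getting-started procedure above, together with the patch baseline, patch group, AWS-RunPatchBaseline, maintenance window and error-threshold slides, as one added example written for this page rather than taken from the deck. It assumes the boto3 SSM client's method names and request shapes; the `ssm` argument is any object with those methods, so the steps can be exercised without AWS access, and the baseline filters, cron schedule and thresholds are constructed sample values.

```python
import re


def _percent_or_count(value):
    """Run Command takes concurrency and the error threshold as a count ("10")
    or a percentage ("10%"); reject anything else before calling the API."""
    if not re.fullmatch(r"[1-9][0-9]*%?", value):
        raise ValueError(f"expected a count or percentage, got {value!r}")
    return value


def provision_patching(ssm, patch_group, schedule, max_concurrency="10%", max_errors="1"):
    """Steps 1-3 of the slide: baseline + patch group, maintenance window, and the
    AWS-RunPatchBaseline install task. `ssm` is a boto3 SSM client or a stand-in."""
    # 1. Patch baseline: security patches rated Critical/Important, auto-approved
    #    seven days after release (sample rule, not a recommendation for every fleet).
    baseline = ssm.create_patch_baseline(
        Name=f"{patch_group}-baseline",
        OperatingSystem="AMAZON_LINUX_2",
        ApprovalRules={"PatchRules": [{
            "PatchFilterGroup": {"PatchFilters": [
                {"Key": "CLASSIFICATION", "Values": ["Security"]},
                {"Key": "SEVERITY", "Values": ["Critical", "Important"]}]},
            "ApproveAfterDays": 7,
            "ComplianceLevel": "CRITICAL"}]},
    )["BaselineId"]
    ssm.register_patch_baseline_for_patch_group(BaselineId=baseline, PatchGroup=patch_group)
    # 2. Maintenance window: Duration and Cutoff are hours; tasks only reach
    #    registered targets, never unassociated instances.
    window = ssm.create_maintenance_window(
        Name=f"{patch_group}-patching", Schedule=schedule, Duration=3, Cutoff=1,
        AllowUnassociatedTargets=False,
    )["WindowId"]
    target = ssm.register_target_with_maintenance_window(
        WindowId=window, ResourceType="INSTANCE",
        Targets=[{"Key": "tag:Patch Group", "Values": [patch_group]}],
    )["WindowTargetId"]
    # 3. The window task runs AWS-RunPatchBaseline in Install mode, bounded by the
    #    concurrency and error threshold from the "Errors with Patching" slide.
    task = ssm.register_task_with_maintenance_window(
        WindowId=window, TaskType="RUN_COMMAND", TaskArn="AWS-RunPatchBaseline",
        Targets=[{"Key": "WindowTargetIds", "Values": [target]}],
        MaxConcurrency=_percent_or_count(max_concurrency),
        MaxErrors=_percent_or_count(max_errors), Priority=1,
        TaskInvocationParameters={"RunCommand": {"Parameters": {
            "Operation": ["Install"], "RebootOption": ["RebootIfNeeded"]}}},
    )["WindowTaskId"]
    return {"BaselineId": baseline, "WindowId": window, "WindowTaskId": task}
```

With boto3 installed, `provision_patching(boto3.client("ssm"), "WebServers", "cron(0 2 ? * SUN *)")` performs the three setup steps against a real account; step 4, auditing the results, is what the compliance report example covers.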

Slide 48

Resources
• Patch Manager Documentation: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-patch-working.html
• Systems Manager Prerequisites: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-prereqs.html
• Supported Operating Systems: https://docs.aws.amazon.com/systems-manager/latest/userguide/prereqs-operating-systems.html
• Installing and Configuring SSM Agent on Windows Instances: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-ssm-win.html
• Installing and Configuring SSM Agent on EC2 Linux Instances: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-ssm-agent.html
• Multi-Account Automation: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-automation-multiple-accounts-and-regions.html
• Multi-Account Patching: https://aws.amazon.com/blogs/mt/centralized-multi-account-and-multi-region-patching-with-aws-systems-manager-automation/
• Regional Endpoints: https://docs.aws.amazon.com/general/latest/gr/rande.html#ssm_region
• Manually Install SSM Agent on EC2: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-manual-agent-install.html

Slide 49

Thank you!

Darko Meszaros, Developer Advocate - AWS
@darkosubotica | ln/darko-mesaros | twitch.tv/ruptwelve | youtu.be/ruptwelve