Creating and managing patch groups
If you are not using patch policies in your operations, you can organize your patching efforts by adding managed nodes to patch groups by using tags.
Important
Patch groups are not used in patching operations that are based on patch policies. For more information about working with patch policies, see Patch policy configurations in Quick Setup.
To use tags in patching operations, you must apply the tag key Patch Group or PatchGroup to your managed nodes. You must also specify the name that you want to give the patch group as the value of the tag. You can specify any tag value, but the tag key must be Patch Group or PatchGroup. PatchGroup (without a space) is required if you have allowed tags in EC2 instance metadata.
After you group your managed nodes using tags, you add the patch group value to a patch baseline. By registering the patch group with a patch baseline, you ensure that the correct patches are installed during the patching operation. For more information about patch groups, see Patch groups.
Complete the tasks in this topic to prepare your managed nodes for patching using tags with your nodes and patch baseline. Task 1 is required only if you are patching Amazon EC2 instances. Task 2 is required only if you are patching non-EC2 instances in a hybrid and multicloud environment. Task 3 is required for all managed nodes.
Tip
You can also add tags to managed nodes using the Amazon CLI command add-tags-to-resource or the Systems Manager API operation AddTagsToResource.
Tasks
Task 1: Add EC2 instances to a patch group using tags
You can add tags to EC2 instances using the Systems Manager console or the Amazon EC2 console. This task is required only if you are patching Amazon EC2 instances.
Important
You can't apply the Patch Group tag (with a space) to an Amazon EC2 instance if the Allow tags in instance metadata option is enabled on the instance. Allowing tags in instance metadata prevents tag key names from containing spaces. If you have allowed tags in EC2 instance metadata, you must use the tag key PatchGroup (without a space).
Option 1: To add EC2 instances to a patch group (Systems Manager console)
- Open the Amazon Systems Manager console at https://console.amazonaws.cn/systems-manager/. In the navigation pane, choose Fleet Manager.
- In the Managed nodes list, choose the ID of a managed EC2 instance that you want to configure for patching. Node IDs for EC2 instances begin with i-.
  Note
  When using the Amazon EC2 console and Amazon CLI, it's possible to apply Key = Patch Group or Key = PatchGroup tags to instances that aren't yet configured for use with Systems Manager. If a managed node you expect to see isn't listed, see Troubleshooting managed node availability for troubleshooting tips.
- Choose the Tags tab, then choose Edit.
- In the left column, enter Patch Group or PatchGroup. If you have allowed tags in EC2 instance metadata, you must use PatchGroup (without a space).
- In the right column, enter a tag value to serve as the name for the patch group.
- Choose Save.
- Repeat this procedure to add other EC2 instances to the same patch group.
Option 2: To add EC2 instances to a patch group (Amazon EC2 console)
- Open the Amazon EC2 console, and then choose Instances in the navigation pane.
- In the list of instances, choose an instance that you want to configure for patching.
- In the Actions menu, choose Instance settings, Manage tags.
- Choose Add new tag.
- For Key, enter Patch Group or PatchGroup. If you have allowed tags in EC2 instance metadata, you must use PatchGroup (without a space).
- For Value, enter a value to serve as the name for the patch group.
- Choose Save.
- Repeat this procedure to add other instances to the same patch group.
Task 2: Add managed nodes to a patch group using tags
Follow the steps in this topic to add tags to Amazon IoT Greengrass core devices and non-EC2 hybrid-activated managed nodes (mi-*). This task is required only if you are patching non-EC2 instances in a hybrid and multicloud environment.
Note
You can't add tags for non-EC2 managed nodes using the Amazon EC2 console.
To add non-EC2 managed nodes to a patch group (Systems Manager console)
- Open the Amazon Systems Manager console at https://console.amazonaws.cn/systems-manager/. In the navigation pane, choose Fleet Manager.
- In the Managed nodes list, choose the name of the managed node that you want to configure for patching.
  Note
  If a managed node you expect to see isn't listed, see Troubleshooting managed node availability for troubleshooting tips.
- Choose the Tags tab, then choose Edit.
- In the left column, enter Patch Group or PatchGroup. If you have allowed tags in EC2 instance metadata, you must use PatchGroup (without a space).
- In the right column, enter a tag value to serve as the name for the patch group.
- Choose Save.
- Repeat this procedure to add other managed nodes to the same patch group.
Task 3: Add a patch group to a patch baseline
To associate a specific patch baseline with your managed nodes, you must add the patch group value to the patch baseline. By registering the patch group with a patch baseline, you can ensure that the correct patches are installed during a patching operation. This task is required whether you are patching EC2 instances, non-EC2 managed nodes, or both.
For more information about patch groups, see Patch groups.
Note
The steps you follow depend on whether you first accessed Patch Manager before or after the patch policies release on December 22, 2022.
To add a patch group to a patch baseline (Systems Manager console)
- Open the Amazon Systems Manager console at https://console.amazonaws.cn/systems-manager/.
- In the navigation pane, choose Patch Manager.
- If you're accessing Patch Manager for the first time in the current Amazon Web Services Region and the Patch Manager start page opens, choose Start with an overview.
- Choose the Patch baselines tab, and then in the Patch baselines list, choose the name of the patch baseline that you want to configure for your patch group.
  If you didn't first access Patch Manager until after the patch policies release, you must choose a custom baseline that you have created.
- If the Baseline ID details page includes an Actions menu, do the following:
  - Choose Actions, then Modify patch groups.
  - Enter the tag value you added to your managed nodes in Task 2: Add managed nodes to a patch group using tags, then choose Add.
  If the Baseline ID details page does not include an Actions menu, patch groups can't be configured in the console. Instead, you can do either of the following:
  - (Recommended) Set up a patch policy in Quick Setup, a capability of Amazon Systems Manager, to map a patch baseline to one or more EC2 instances. For more information, see Using Quick Setup patch policies and Automate organization-wide patching using a Quick Setup patch policy.
  - Use the register-patch-baseline-for-patch-group command in the Amazon Command Line Interface (Amazon CLI) to configure a patch group.
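The same three tasks can be scripted with the Amazon CLI. The script below is an added example, not part of this documentation, that only prints the commands so they can be reviewed before being applied; it encodes the tag-key rule (PatchGroup without a space when instance metadata tags are allowed) and assumes EC2 instances are tagged through the EC2 API while hybrid (mi-*) nodes are tagged through AddTagsToResource. The node IDs, group name and baseline ID are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the AWS documentation): build the AWS CLI commands
# that put managed nodes into a patch group and register that group with a
# patch baseline. Nothing here calls AWS; the commands are printed so they can
# be reviewed first and then piped to sh.

# Choose the tag key the documentation permits. "PatchGroup" (no space) is
# mandatory when the instance allows tags in instance metadata, because
# metadata tag keys may not contain spaces; otherwise "Patch Group" also works.
patch_group_key() {
  if [ "$1" = "yes" ]; then printf 'PatchGroup'; else printf 'Patch Group'; fi
}

# Print the tagging command for one node.
#   $1 node ID (i-* for EC2 instances, mi-* for hybrid-activated nodes)
#   $2 patch group name (the tag value)
#   $3 "yes" if "Allow tags in instance metadata" is enabled on the node
# Assumption: EC2 instances are tagged through the EC2 API (create-tags) and
# hybrid nodes through Systems Manager AddTagsToResource.
tag_node_cmd() {
  node_id="$1"; group="$2"; key=$(patch_group_key "$3")
  case "$node_id" in
    i-*)  printf 'aws ec2 create-tags --resources %s --tags "Key=%s,Value=%s"\n' \
            "$node_id" "$key" "$group" ;;
    mi-*) printf 'aws ssm add-tags-to-resource --resource-type ManagedInstance --resource-id %s --tags "Key=%s,Value=%s"\n' \
            "$node_id" "$key" "$group" ;;
    *)    echo "unsupported managed node ID: $node_id" >&2; return 1 ;;
  esac
}

# Print the command that registers the patch group with a patch baseline
# ($1 baseline ID, $2 patch group name) so that baseline governs the group.
register_group_cmd() {
  printf 'aws ssm register-patch-baseline-for-patch-group --baseline-id %s --patch-group "%s"\n' "$1" "$2"
}

# Constructed sample fleet: two EC2 instances (one with metadata tags allowed)
# and one hybrid node, all placed in the group "web-servers" and registered
# with a placeholder custom baseline ID.
tag_node_cmd i-0123456789abcdef0 web-servers yes
tag_node_cmd i-0fedcba9876543210 web-servers no
tag_node_cmd mi-0123456789abcdef0 web-servers no
register_group_cmd pb-0123456789EXAMPLE web-servers
```

Pipe the output to sh (or run it under a profile with only ec2:CreateTags, ssm:AddTagsToResource and ssm:RegisterPatchBaselineForPatchGroup permissions) once the printed commands match the nodes you intend to patch.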