Managing instance patches using patch baseline and compliance

Regularly patching your instances with the right set of security patches is an important activity that can take up a lot of time and effort if performed manually on each individual instance. Luckily, AWS provides an efficient and easy way of automating the patching of your managed instances through Patch Manager, an out-of-the-box capability of SSM.

As an administrator, all you need to do is scan your instances for missing patches and let Patch Manager remediate the findings automatically by installing the required set of patches. You can also schedule the patching of a managed instance or group of instances with the help of SSM's maintenance window tasks.

In this section, we will explore a quick and easy way of creating a custom patch baseline for our Dev instances and then create and associate a maintenance window with it, all using the EC2 Management dashboard. So let's get started with this right away!

First up, you will need to ensure that your instance has the required IAM role attached and the SSM agent installed and functioning, as described at the beginning of this chapter. With these basics out of the way, we first need to configure the patch baseline with our set of required patches:

  1. To do so, launch your EC2 dashboard and select the Patch Baselines option from the Systems Manager Services section. Patch Manager includes a default patch baseline for each operating system it supports, including Windows Server 2003 to 2016, Ubuntu, RHEL, CentOS, SUSE, and Amazon Linux. You can use these default patch baselines or create your own based on your requirements. Here, let's quickly create a custom baseline for our Dev instances.
  2. Select the Create Patch Baseline option to bring up the Create Patch Baseline dashboard. Here, provide a suitable Name for your custom baseline.
  3. In the Operating System field, select Ubuntu as the OS. You will notice that the patching rules change according to the OS type you select.
  4. Next, in the Approval Rules section, create suitable patch baseline rules depending on your requirements. For example, I want Python packages approved at the Important priority with a High compliance level. You can add up to 10 such rules to one baseline, as shown in the following screenshot:
  5. In the final section, Patch Exceptions, you can optionally specify the Approved Packages, Rejected Packages, and the Compliance Level for these patches collectively. In this case, I've left these values at their defaults and selected the Create Patch Baseline option to complete the process.

With your new patch baseline created, you now have the option to promote it to the Default Baseline by selecting the new baseline from the Patch Baselines dashboard and clicking on the Set Default Patch Baseline option from the Actions tab. Note that the default baseline for an operating system applies to every managed instance of that OS that is not assigned to a patch group, so promote a custom baseline only once you are happy with its rules.

Moving on to the next part of this walkthrough, we will now go ahead and set up the maintenance window for our newly created patch baseline:

  1. To do so, select the Maintenance Windows option from the Systems Manager Shared Resources section. Click on Create maintenance window to get started with the process.
  2. In the Create maintenance window page, provide a suitable Name for your window as well as an optional Description.
  3. Next, in the Specify schedule section, you can opt to use either a cron expression or a rate expression to define the schedule for your maintenance window. For this scenario, I've opted for the Cron schedule builder option and provided a window that starts every Sunday at 12:00 UTC:
  4. In the Duration and Stop initiating tasks fields, specify how many hours the maintenance window should last and how many hours before the end of the window the system should stop initiating new tasks. Once all the required fields are populated, click on Create maintenance window to complete the creation process.

With the maintenance window created, we next need to add some targets for execution. Targets are individual EC2 instances or groups of EC2 instances identified by tags. To configure targets, select your newly created maintenance window and then, from the Actions tab, select Register targets:

  1. In the Register targets page, provide a Target Name for your maintenance window's target along with an optional Description.
  2. Next, select the target EC2 instances you wish to associate with this target by choosing either Specify Tags or Manually Selecting Instances, as shown in the following screenshot. For this scenario, I've already applied the tag OS:Linux to my Dev instances; alternatively, you can select your instances manually:
  3. Once completed, select the Register targets option to complete the process.

With the target instances registered with our maintenance window, the final step is to associate the maintenance window with our patch baseline:

  1. To do this, select the newly created maintenance window and, from the Actions tab, select the option Register run command task.
  2. Here, in the Register run command task page, fill in the required details such as a name for your new Run Command, followed by an optional Description.
  3. Next, from the Command document section, select the AWS-RunPatchBaseline document. You will also see the target instances already associated with this Run Command, as we configured them in our earlier steps.
  4. Finally, in the Parameters section, select the appropriate IAM Role, provide the error count after which the Run Command should stop, and last but not least, don't forget to select whether you wish to Install the required patches or simply Scan the target instances for them.
  5. With all the fields completed, click on Register task to complete this configuration.
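The same four console procedures (create the patch baseline, create the maintenance window, register the tagged targets, and register the AWS-RunPatchBaseline task), plus the compliance read-out that the chapter title promises, can be scripted against the SSM API. The following is an added example, not code from the book; it uses the real boto3 SSM parameter names (create_patch_baseline, create_maintenance_window, register_target_with_maintenance_window, register_task_with_maintenance_window, describe_instance_patch_states) but runs offline against a constructed FakeSsm stand-in. The role ARN, baseline and window names, and the canned ids are all assumed values; swap in boto3.client("ssm") and a real maintenance window role ARN to run it against an account.

```python
"""Scripted equivalent of the Patch Manager walkthrough: baseline -> window -> target -> task.

Added example (not from the book). Parameter names follow the boto3 SSM API; the
client passed in is assumed to behave like boto3.client("ssm").
"""
from __future__ import annotations

SUNDAY_NOON_UTC = "cron(0 12 ? * SUN *)"  # the schedule chosen in the walkthrough


def patch_baseline_request(name):
    """Ubuntu baseline: 'python' section packages at Important priority, HIGH compliance."""
    return {
        "Name": name,
        "Description": "Custom baseline for Dev instances",
        "OperatingSystem": "UBUNTU",
        "ApprovalRules": {"PatchRules": [{
            "PatchFilterGroup": {"PatchFilters": [
                {"Key": "PRIORITY", "Values": ["Important"]},
                {"Key": "SECTION", "Values": ["python"]},
            ]},
            "ComplianceLevel": "HIGH",
        }]},
        "ApprovedPatches": [],   # patch exceptions left at their defaults
        "RejectedPatches": [],
    }


def maintenance_window_request(name, duration_h=3, cutoff_h=1):
    """Duration is how long the window lasts; Cutoff is how many hours before its end
    no new tasks may start. SSM requires Cutoff to be shorter than Duration."""
    if not 0 <= cutoff_h < duration_h:
        raise ValueError("cutoff must be shorter than the window duration")
    return {
        "Name": name,
        "Schedule": SUNDAY_NOON_UTC,
        "Duration": duration_h,
        "Cutoff": cutoff_h,
        "AllowUnassociatedTargets": False,  # only registered targets can be patched
    }


def target_request(window_id, tag_key="OS", tag_value="Linux"):
    """Target the Dev instances by the OS:Linux tag used in the walkthrough."""
    return {
        "WindowId": window_id,
        "ResourceType": "INSTANCE",
        "Targets": [{"Key": f"tag:{tag_key}", "Values": [tag_value]}],
        "Name": "dev-instances",
    }


def task_request(window_id, target_id, role_arn, operation="Scan", max_errors=1):
    """AWS-RunPatchBaseline as a RUN_COMMAND task. Scan only reports compliance;
    Install changes the instances (and may reboot them), so start with Scan."""
    if operation not in ("Scan", "Install"):
        raise ValueError("AWS-RunPatchBaseline Operation must be Scan or Install")
    return {
        "WindowId": window_id,
        "Targets": [{"Key": "WindowTargetIds", "Values": [target_id]}],
        "TaskArn": "AWS-RunPatchBaseline",
        "TaskType": "RUN_COMMAND",
        "ServiceRoleArn": role_arn,
        "TaskInvocationParameters": {"RunCommand": {"Parameters": {"Operation": [operation]}}},
        "MaxConcurrency": "1",
        "MaxErrors": str(max_errors),  # stop the run after this many errors
        "Name": f"patch-{operation.lower()}",
    }


def setup_patching(ssm, role_arn, operation="Scan", set_default=False):
    """Run the four steps in order and return the ids SSM hands back."""
    baseline_id = ssm.create_patch_baseline(**patch_baseline_request("dev-ubuntu-baseline"))["BaselineId"]
    if set_default:  # equivalent of "Set Default Patch Baseline" in the console
        ssm.register_default_patch_baseline(BaselineId=baseline_id)
    window_id = ssm.create_maintenance_window(**maintenance_window_request("dev-sunday-patching"))["WindowId"]
    target_id = ssm.register_target_with_maintenance_window(**target_request(window_id))["WindowTargetId"]
    task_id = ssm.register_task_with_maintenance_window(
        **task_request(window_id, target_id, role_arn, operation))["WindowTaskId"]
    return {"BaselineId": baseline_id, "WindowId": window_id,
            "WindowTargetId": target_id, "WindowTaskId": task_id}


def patch_compliance(ssm, instance_ids):
    """Summarise the per-instance patch state after a Scan: compliant only when
    nothing from the baseline is missing or failed to install."""
    states = ssm.describe_instance_patch_states(InstanceIds=list(instance_ids))["InstancePatchStates"]
    return {s["InstanceId"]: "COMPLIANT" if s.get("MissingCount", 0) == 0 and s.get("FailedCount", 0) == 0
            else "NON_COMPLIANT" for s in states}


class FakeSsm:
    """Constructed stand-in for boto3.client('ssm'): records calls, returns canned ids."""
    def __init__(self, patch_states=()):
        self.calls, self._states = [], list(patch_states)
    def _rec(self, api, kw, resp):
        self.calls.append((api, kw)); return resp
    def create_patch_baseline(self, **kw): return self._rec("create_patch_baseline", kw, {"BaselineId": "pb-0123456789abcdef0"})
    def register_default_patch_baseline(self, **kw): return self._rec("register_default_patch_baseline", kw, {})
    def create_maintenance_window(self, **kw): return self._rec("create_maintenance_window", kw, {"WindowId": "mw-0123456789abcdef0"})
    def register_target_with_maintenance_window(self, **kw): return self._rec("register_target", kw, {"WindowTargetId": "target-1"})
    def register_task_with_maintenance_window(self, **kw): return self._rec("register_task", kw, {"WindowTaskId": "task-1"})
    def describe_instance_patch_states(self, **kw): return {"InstancePatchStates": self._states}


if __name__ == "__main__":
    # Assumed role ARN; replace FakeSsm() with boto3.client("ssm") for a real account.
    print(setup_patching(FakeSsm(), "arn:aws:iam::123456789012:role/ExampleMaintenanceWindowRole"))
```

Running the task with Operation=Scan first and reading describe_instance_patch_states gives you the compliance picture before anything is changed; switch to Install only once the Scan results look as expected, because an Install run may reboot the instances inside the window.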

Awesome, isn't it? With just a few simple clicks you have now set up an effective patch management solution for your Dev instances, and without the need for any specialized software or expertise! But before we wind up this chapter, let's look at one last simple and really useful service provided by Systems Manager, which helps collect and inventory metadata about your AWS as well as on-premises instances.
