Patch Manager prerequisites
Make sure that you have met the required prerequisites before using Patch Manager, a capability of AWS Systems Manager.
SSM Agent version
Version 2.0.834.0 or later of SSM Agent is running on the managed node you want to manage with Patch Manager.
Note
An updated version of SSM Agent is released whenever new capabilities are added to Systems Manager or updates are made to existing capabilities. Failing to use the latest version of the agent can prevent your managed node from using various Systems Manager capabilities and features. For that reason, we recommend that you automate the process of keeping SSM Agent up to date on your machines. For information, see Automating updates to SSM Agent. Subscribe to the SSM Agent Release Notes.
Python version
For macOS and most Linux operating systems (OSs), Patch Manager currently supports Python versions 2.6 - 3.10. The AlmaLinux, Debian Server, Raspberry Pi OS, and Ubuntu Server OSs require a supported version of Python 3 (3.0 - 3.10).
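The SSM Agent and Python version limits above can be checked across a fleet before patching is scheduled. The following is an added example, not AWS code: `InstanceId`, `PlatformName` and `AgentVersion` follow the fields returned by `aws ssm describe-instance-information`, while `PythonVersion`, the platform-name substrings and the sample rows are assumptions constructed for illustration.

```python
import re

MIN_SSM_AGENT = (2, 0, 834, 0)   # minimum SSM Agent version stated on this page
PY_MAX = (3, 10)                 # newest Python the page lists as supported
# Substrings of PlatformName that mark the Python-3-only OSs (assumed spellings).
PY3_ONLY = ("almalinux", "debian", "raspbian", "raspberry pi", "ubuntu")

def parse_version(text, width):
    """'3.10.12' -> (3, 10, 12), zero-padded or cut to `width` integer fields."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a dotted version: {text!r}")
    parts = [int(p) for p in text.split(".")][:width]
    return tuple(parts + [0] * (width - len(parts)))

def agent_ok(agent_version):
    # Compare integer tuples, not strings: "2.0.1000.0" < "2.0.834.0" as text.
    return parse_version(agent_version, 4) >= MIN_SSM_AGENT

def python_ok(platform_name, python_version):
    name = platform_name.lower()
    low = (3, 0) if any(k in name for k in PY3_ONLY) else (2, 6)
    return low <= parse_version(python_version, 2) <= PY_MAX

def audit(nodes):
    """Return (InstanceId, problem) pairs for nodes that miss a prerequisite."""
    findings = []
    for n in nodes:
        if not agent_ok(n["AgentVersion"]):
            findings.append((n["InstanceId"], "SSM Agent below 2.0.834.0"))
        if not python_ok(n["PlatformName"], n["PythonVersion"]):
            findings.append((n["InstanceId"], "Python outside supported range"))
    return findings

# Constructed sample rows, not real inventory.
SAMPLE_NODES = [
    {"InstanceId": "i-example0001", "PlatformName": "Ubuntu",
     "AgentVersion": "3.2.582.0", "PythonVersion": "3.10.12"},
    {"InstanceId": "i-example0002", "PlatformName": "CentOS Linux",
     "AgentVersion": "2.0.790.0", "PythonVersion": "2.7.5"},
    {"InstanceId": "i-example0003", "PlatformName": "Debian GNU/Linux",
     "AgentVersion": "3.1.1732.0", "PythonVersion": "2.7.18"},
    {"InstanceId": "i-example0004", "PlatformName": "Amazon Linux",
     "AgentVersion": "3.2.582.0", "PythonVersion": "3.11.4"},
]

if __name__ == "__main__":
    for instance_id, problem in audit(SAMPLE_NODES):
        print(instance_id, problem)
```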
Connectivity to the patch source
If your managed nodes don't have a direct connection to the Internet and you're using an Amazon Virtual Private Cloud (Amazon VPC) with a VPC endpoint, you must ensure that the nodes have access to the source patch repositories (repos). On Linux nodes, patch updates are typically downloaded from the remote repos configured on the node. Therefore, the node must be able to connect to the repos so the patching can be performed. For more information, see How security patches are selected.
CentOS and CentOS Stream: Enable the EnableNonSecurity flag
CentOS 6 and 7 managed nodes use Yum as the package manager. CentOS 8 and CentOS Stream nodes use DNF as the package manager. Both package managers use the concept of an update notice. An update notice is simply a collection of packages that fix specific problems.
However, CentOS and CentOS Stream default repos aren't configured with an update notice. This means that Patch Manager doesn't detect packages on default CentOS and CentOS Stream repos. To allow Patch Manager to process packages that aren't contained in an update notice, you must turn on the EnableNonSecurity flag in the patch baseline rules.
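A CentOS baseline whose rules leave the flag off is easy to miss in review, so it is worth checking baselines programmatically. The following is an added example, not AWS code: the sample dictionary is constructed in the shape of `aws ssm get-patch-baseline` output with a placeholder ID and name, and both function names are hypothetical.

```python
import copy

# Constructed sample shaped like `aws ssm get-patch-baseline` output; the ID and
# name are placeholders, not real resources.
SAMPLE_BASELINE = {
    "BaselineId": "pb-EXAMPLE",
    "Name": "centos-default-repos",
    "OperatingSystem": "CENTOS",
    "ApprovalRules": {"PatchRules": [
        {"PatchFilterGroup": {"PatchFilters": [
            {"Key": "CLASSIFICATION", "Values": ["Security"]}]},
         "ApproveAfterDays": 7, "EnableNonSecurity": False},
        {"PatchFilterGroup": {"PatchFilters": [
            {"Key": "CLASSIFICATION", "Values": ["Bugfix"]}]},
         "ApproveAfterDays": 14},            # flag absent: defaults to off
    ]},
}

def rules_without_nonsecurity(baseline):
    """Indexes of approval rules in a CentOS baseline lacking EnableNonSecurity."""
    if baseline.get("OperatingSystem") != "CENTOS":
        return []
    rules = baseline.get("ApprovalRules", {}).get("PatchRules", [])
    return [i for i, r in enumerate(rules) if r.get("EnableNonSecurity") is not True]

def with_nonsecurity(baseline):
    """Copy of ApprovalRules with the flag on, leaving the input untouched."""
    rules = copy.deepcopy(baseline.get("ApprovalRules", {"PatchRules": []}))
    for rule in rules["PatchRules"]:
        rule["EnableNonSecurity"] = True
    return rules

if __name__ == "__main__":
    print("rules missing the flag:", rules_without_nonsecurity(SAMPLE_BASELINE))
    print("corrected rules:", with_nonsecurity(SAMPLE_BASELINE))
```

The dictionary returned by `with_nonsecurity` has the structure of the `ApprovalRules` parameter, so it can be serialized to JSON and supplied when the baseline is updated.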
Windows Server: Ensure connectivity to Windows Update Catalog or Windows Server Update Services (WSUS)
Windows Server managed nodes must be able to connect to the Windows Update Catalog or Windows Server Update Services (WSUS). Confirm that your nodes have connectivity to the Microsoft Update Catalog.
S3 endpoint access
Whether your managed nodes operate in a private or public network, without access to the required AWS managed Amazon Simple Storage Service (Amazon S3) buckets, patching operations fail. For information about the S3 buckets your managed nodes must be able to access, see SSM Agent communications with AWS managed S3 buckets and Improve the security of EC2 instances by using VPC endpoints for Systems Manager.
Permissions to install patches locally
On Windows Server and Linux operating systems, Patch Manager assumes the Administrator and root user accounts, respectively, to install patches.
On macOS, however, for Brew and Brew Cask, Homebrew doesn't support its commands running under the root user account. As a result, Patch Manager queries for and runs Homebrew commands as either the owner of the Homebrew directory, or as a valid user belonging to the Homebrew directory's owner group. Therefore, in order to install patches, the owner of the homebrew directory also needs recursive owner permissions for the /usr/local directory.
Tip
The following command provides this permission for the specified user:
sudo chown -R $USER:admin /usr/local
Supported operating systems for Patch Manager
The Patch Manager capability doesn't support all the same operating system versions that are supported by other Systems Manager capabilities. For example, Patch Manager doesn't support CentOS 6.3 or Raspberry Pi OS 8 (Jessie). (For the full list of Systems Manager-supported operating systems, see Supported operating systems for Systems Manager.) Therefore, ensure that the managed nodes you want to use with Patch Manager are running one of the operating systems listed in the following table.
Note
Patch Manager relies on the patch repositories that are configured on a managed node, such as Windows Update Catalog and Windows Server Update Services for Windows, to retrieve available patches to install. Therefore, for end of life (EOL) operating system versions, if no new updates are available, Patch Manager might not be able to report on the new updates. This can be because no new updates are released by the Linux distribution maintainer, Microsoft, or Apple, or because the managed node does not have the proper license to access the new updates.
Patch Manager reports compliance status against the available patches on the managed node. Therefore, if an instance is running an EOL operating system, and no updates are available, Patch Manager might report the node as Compliant, depending on the patch baselines configured for the patching operation.
Operating system | Details |
---|---|
Linux | |
macOS | 11.3.1; 11.4–11.7 (Big Sur); 12.0–12.6 (Monterey); 13.0–13.5 (Ventura); 14.x (Sonoma). macOS OS updates: Patch Manager doesn't support operating system (OS) updates or upgrades for macOS, such as from 12.x to 13.x or 13.1 to 13.2. To perform OS version updates on macOS, we recommend using Apple's built-in OS upgrade mechanisms. For more information, see Device Management. Homebrew support: The Homebrew open-source software package management system has discontinued support for macOS 10.14.x (Mojave) and 10.15.x (Catalina). As a result, patching operations on these versions are not currently supported. Region support: macOS is not supported in all AWS Regions. For more information about Amazon EC2 support for macOS, see Amazon EC2 Mac instances in the Amazon EC2 User Guide. macOS edge devices: SSM Agent for AWS IoT Greengrass core devices is not supported on macOS. You can't use Patch Manager to patch macOS edge devices. |
Windows | Windows Server 2008 through Windows Server 2025, including R2 versions. Note: SSM Agent for AWS IoT Greengrass core devices is not supported on Windows 10. You can't use Patch Manager to patch Windows 10 edge devices. Windows Server 2008 support: As of January 14, 2020, Windows Server 2008 is no longer supported for feature or security updates from Microsoft. Legacy Amazon Machine Images (AMIs) for Windows Server 2008 and 2008 R2 still include version 2 of SSM Agent preinstalled, but Systems Manager no longer officially supports 2008 versions and no longer updates the agent for these versions of Windows Server. In addition, SSM Agent version 3 might not be compatible with all operations on Windows Server 2008 and 2008 R2. The final officially supported version of SSM Agent for Windows Server 2008 versions is 2.3.1644.0. Windows Server 2012 and 2012 R2 support: Windows Server 2012 and 2012 R2 reached end of support on October 10, 2023. To use Patch Manager with these versions, we recommend also using Extended Security Updates (ESUs) from Microsoft. For more information, see Windows Server 2012 and 2012 R2 reaching end of support. |