Glad it helped

Welcome!

glad you like it !!

Thanks for feedback !!!

You too!! Thanks..

Thanks... Appreciate the feedback..

Great !!!

Glad you think so!

When it comes to role attachment to EC2 you just have to give SSM permission to make use of any SSM related command. For run command you have multiple ways , either you directly choose run command from Maint window or select explicit and use..

there us multi account multi region option within SSM.. Select that and it will help u to manage..

sure will try to implement your suggestion. Thanks for feedback..

Updates are being installed on EC2 instance only , its just the mechanism of SSM which deals with the latest snapshot in background for updates from microsoft.

Its already been discussed on Linkedin..

Yes we can

You can do that using SSM agent install on DC servers.. Then you can manage patching from SSM as well

If your tagging if diff , then you can create multiple tags and patch groups to define your patching systems.. Its not necessary that only one patch baseline is required , i just showed the concept on how it works.. This can be tweak as per your req,.

Most of time we use CLI with defined parameter to provision infrastructure , we have lot of cli module of CloudFormation which you can convert into script as per your requirement. AWS CLI:- docs.aws.amazon.com/cli/latest/reference/cloudformation/index.html

you can run a cron job which will stop services before patch and start after activity gets completed.

Glad you liked it

You can use AWS-PatchASGInstance to patch ASG groups along with AMI patch.

While configuring the patch you get option to NOReboot..

SSM talks to internet outbound where it download patches into SSM inventory and from there patches gets installed on ur machine...

Use migration tool like cloud endure or App Migration Service from AWS. OS upgrade is diff activity cannot be done during migration as there is no tool present in market..

If you are talking regards to permission i would always prefer to run this as admin , create account and assign that with admin privileges . AmazonSSMManagedInstanceCore is use when you want to have explicit permission to use Systems Manager core service functionality It provides minimum permissions which allow the instance to: Register as a managed instance Send heartbeat information Send and receive messages for Run Command and Session Manager Retrieve State Manager association details Read parameters in Parameter Store

in terms of CU , if AWS SSM inventory has that update it will download and install on server , generally it takes few patches in terms of CU to come into inventory and then AWS SSM pushes the patch on server and update the server. You can find the patches installed on server from output section of run command which you can send to S3 and from there create report.. Somehow reporting system is not direct in SSM and you have to integrate few other services if you need it into ur mail or some other places.

Terraform is more of a infra provision tool from IAC category, you can integrate terraform with ansible to do this job. As of now i dont have video on that end.

Thanks..Yes, you can apply the same patch across environments , thats why we have SSM patch using patchbaseline

Downtime depends upon the reboot section...

Sorry for Delay response as i was out and not. working on YT.. You can patches servers within private. subnets having no access to internet with help of endpoints.. Please go through.. Its good article from AWS. aws.amazon.com/blogs/mt/how-to-patch-windows-ec2-instances-in-private-subnets-using-aws-systems-manager/

AWS SSM has almost touches all services , so you name it you will get it..

@@Cloud4DevOps may I know what services does it touches?

Check the permission please.

Thanks.. Its not handy as i create as per my usage..

You can trigger SSM to take AMI before patch and while configuring the patch you get option to reboot or no reboot option..

Will try to cover soon.

You need to instal SSM agent and IAM role to make it managed instances.

Thanks.. You have to specify patch group just to make backend configuration understand that these are the servers has to be patched. Again there are multiple way of doing the configuration.

Sorry for Delay response as i was out and not. working on YT.. You can create patch baseline of your own with the OS you are part of and application or software you want to update time to time with SSM.. Its on the configuration video of patch manger

@@Cloud4DevOps thanks man appreciated ❤️

You have to use MAINT WINDOW IN SSM to schedule patch. In terms of which patch needs to be updated as per your application dependency, thats something you/team need to decide as few patches are application dependent..

@@Cloud4DevOps You means the team has to decide which type of update or patch needs to be installed? i have performed all the steps ok now tell me how do i verify that patch has been done on my machine or not ? i have windows OS only Please help me thanks

@@SayyedJuned When SSM Patch the system you can either apply SNS notification which all patches are deployed on system , or you can integrate AWS config for better reporting.. Unfortunately SSM reporting is not that good where you get all detail at one place. Another way of finding out the report is SSM inventory..

its already there in SSM playlist. Please checkout

Are you referring to build update from AWS SSM for application??

You will see that in SSM logs on SSM dashboard or on server

Thanks, but can we export any report for audit point of you regarding list of patches installed on servers ??

@@maheshd5841 Till date reporting system is not good for SSM , if you need to check out reports then send out logs. to S3 buckets or integrate AWS Config to do the reporting. You can check the patches as well in compliance section of SSM.

@@Cloud4DevOps Thanks for your information and appreciated...