Patch Manager

What is Patch Manager?

Patch Manager automates the process of patching managed instances with security updates and other types of updates.

Automated Patching: Schedule and automate patch deployment

Compliance Reporting: Track patch compliance status

Maintenance Windows: Control when patches are applied

Patch Baselines

Predefined Baselines

AWS-managed baselines for each OS

Custom Baselines

Define your own approval rules

Patch Filters

Filter by severity, classification, product

Linux

Amazon Linux
Ubuntu
RHEL
CentOS
SUSE

Windows

Windows Server 2012+
Windows 10/11
Security updates
Critical updates
Service packs

Severity Levels

Critical
Important
Medium
Low
Unspecified

Classifications

Security
Bugfix
Enhancement
Recommended
Newpackage

Maintenance Windows

Schedule Options

Cron/Rate: Define recurring schedules

Duration: Set window length (1-24 hours)

Cutoff: Stop new tasks before window ends

Task Configuration

Priority: Order task execution (0-999)

Max Concurrency: Parallel task execution limit

Max Errors: Stop after threshold reached

Compliance

Patch compliance dashboard
Missing patches report
Non-compliant instances
Compliance history tracking

Patch Groups

Tag-based grouping
Different baselines per group
Staged rollout support
Test before production

Notifications

SNS integration
EventBridge rules
Patch success/failure alerts
Compliance status changes

Exam Strategy Tip

Remember: Patch Manager uses Patch Baselines to define which patches to install. Maintenance Windows control when patches are applied. Use Patch Groups (via tags) to apply different baselines to different instance groups. Compliance reporting is built-in.

Back to Run Command Next: Parameter Store