AWS Security ChangesHomeSearch

AWS systems-manager documentation change

Service: systems-manager · 2025-05-22 · Documentation low

File: systems-manager/latest/userguide/patch-manager.md

Summary

Added new sections detailing Patch Manager benefits, target users, and key features including security-focused updates and compliance reporting

Security assessment

The changes highlight security-related features like default focus on security updates, compliance reporting, and integration with Security Hub, but do not address specific vulnerabilities or incidents

Diff

diff --git a/systems-manager/latest/userguide/patch-manager.md b/systems-manager/latest/userguide/patch-manager.md
index b3d8bba41..de8e77292 100644
--- a//systems-manager/latest/userguide/patch-manager.md
+++ b//systems-manager/latest/userguide/patch-manager.md
@@ -5 +5 @@
-What is compliance in Patch Manager?Primary components
+How can Patch Manager benefit my organization?Who should use Patch Manager?What are the main features of Patch Manager?What is compliance in Patch Manager?Primary components
@@ -20,0 +21,65 @@ For Linux-based operating system types that report a severity level for patches,
+## How can Patch Manager benefit my organization?
+
+Patch Manager automates the process of patching managed nodes with both security-related updates and other types of updates. It provides several key benefits:
+
+  * **Centralized patching control** –Using patch policies, you can set up recurring patching operations for all accounts in all Regions in your organization, specific accounts and Regions, or a single account-Region pair.
+
+  * **Flexible patching operations** – You can choose to scan instances to see only a report of missing patches, or scan and automatically install all missing patches.
+
+  * **Comprehensive compliance reporting** – After scanning operations, you can view detailed information about which managed nodes are out of patch compliance and which patches are missing.
+
+  * **Cross-platform support** – Patch Manager supports multiple operating systems including various Linux distributions, macOS, and Windows Server.
+
+  * **Custom patch baselines** – You can define what constitutes patch compliance for your organization through custom patch baselines that specify which patches are approved for installation.
+
+  * **Integration with other AWS services** – Patch Manager integrates with AWS Organizations, AWS Security Hub, AWS CloudTrail, and AWS Config for enhanced management and security.
+
+  * **Deterministic upgrades** – Support for deterministic upgrades through versioned repositories for operating systems like Amazon Linux 2023.
+
+
+
+
+## Who should use Patch Manager?
+
+Patch Manager is designed for the following:
+
+  * IT administrators who need to maintain patch compliance across their fleet of managed nodes
+
+  * Operations managers who need visibility into patch compliance status across their infrastructure
+
+  * Cloud architects who want to implement automated patching solutions at scale
+
+  * DevOps engineers who need to integrate patching into their operational workflows
+
+  * Organizations with multi-account/multi-Region deployments who need centralized patch management
+
+  * Anyone responsible for maintaining the security posture and operational health of AWS managed nodes, edge devices, on-premises servers, and virtual machines
+
+
+
+
+## What are the main features of Patch Manager?
+
+Patch Manager offers several key features:
+
+  * **Patch policies** – Configure patching operations across multiple AWS accounts and Regions using a single policy through integration with AWS Organizations.
+
+  * **Custom patch baselines** – Define rules for auto-approving patches within days of their release, along with approved and rejected patch lists.
+
+  * **Multiple patching methods** – Choose from patch policies, maintenance windows, or on-demand "Patch now" operations to meet your specific needs.
+
+  * **Compliance reporting** – Generate detailed reports on patch compliance status that can be sent to an Amazon S3 bucket in CSV format.
+
+  * **Cross-platform support** – Patch both operating systems and applications across Windows Server, various Linux distributions, and macOS.
+
+  * **Scheduling flexibility** – Set different schedules for scanning and installing patches using custom CRON or Rate expressions.
+
+  * **Lifecycle hooks** – Run custom scripts before and after patching operations using Systems Manager documents.
+
+  * **Security focus** – By default, Patch Manager focuses on security-related updates rather than installing all available patches.
+
+  * **Rate control** – Configure concurrency and error thresholds for patching operations to minimize operational impact.
+
+
+
+