AWS systems-manager documentation change
Summary
Added new sections detailing Patch Manager benefits, target users, and key features including security-focused updates and compliance reporting
Security assessment
The changes highlight security-related features like default focus on security updates, compliance reporting, and integration with Security Hub, but do not address specific vulnerabilities or incidents
Diff
diff --git a/systems-manager/latest/userguide/patch-manager.md b/systems-manager/latest/userguide/patch-manager.md index b3d8bba41..de8e77292 100644 --- a//systems-manager/latest/userguide/patch-manager.md +++ b//systems-manager/latest/userguide/patch-manager.md @@ -5 +5 @@ -What is compliance in Patch Manager?Primary components +How can Patch Manager benefit my organization?Who should use Patch Manager?What are the main features of Patch Manager?What is compliance in Patch Manager?Primary components @@ -20,0 +21,65 @@ For Linux-based operating system types that report a severity level for patches, +## How can Patch Manager benefit my organization? + +Patch Manager automates the process of patching managed nodes with both security-related updates and other types of updates. It provides several key benefits: + + * **Centralized patching control** –Using patch policies, you can set up recurring patching operations for all accounts in all Regions in your organization, specific accounts and Regions, or a single account-Region pair. + + * **Flexible patching operations** – You can choose to scan instances to see only a report of missing patches, or scan and automatically install all missing patches. + + * **Comprehensive compliance reporting** – After scanning operations, you can view detailed information about which managed nodes are out of patch compliance and which patches are missing. + + * **Cross-platform support** – Patch Manager supports multiple operating systems including various Linux distributions, macOS, and Windows Server. + + * **Custom patch baselines** – You can define what constitutes patch compliance for your organization through custom patch baselines that specify which patches are approved for installation. + + * **Integration with other AWS services** – Patch Manager integrates with AWS Organizations, AWS Security Hub, AWS CloudTrail, and AWS Config for enhanced management and security. + + * **Deterministic upgrades** – Support for deterministic upgrades through versioned repositories for operating systems like Amazon Linux 2023. + + + + +## Who should use Patch Manager? + +Patch Manager is designed for the following: + + * IT administrators who need to maintain patch compliance across their fleet of managed nodes + + * Operations managers who need visibility into patch compliance status across their infrastructure + + * Cloud architects who want to implement automated patching solutions at scale + + * DevOps engineers who need to integrate patching into their operational workflows + + * Organizations with multi-account/multi-Region deployments who need centralized patch management + + * Anyone responsible for maintaining the security posture and operational health of AWS managed nodes, edge devices, on-premises servers, and virtual machines + + + + +## What are the main features of Patch Manager? + +Patch Manager offers several key features: + + * **Patch policies** – Configure patching operations across multiple AWS accounts and Regions using a single policy through integration with AWS Organizations. + + * **Custom patch baselines** – Define rules for auto-approving patches within days of their release, along with approved and rejected patch lists. + + * **Multiple patching methods** – Choose from patch policies, maintenance windows, or on-demand "Patch now" operations to meet your specific needs. + + * **Compliance reporting** – Generate detailed reports on patch compliance status that can be sent to an Amazon S3 bucket in CSV format. + + * **Cross-platform support** – Patch both operating systems and applications across Windows Server, various Linux distributions, and macOS. + + * **Scheduling flexibility** – Set different schedules for scanning and installing patches using custom CRON or Rate expressions. + + * **Lifecycle hooks** – Run custom scripts before and after patching operations using Systems Manager documents. + + * **Security focus** – By default, Patch Manager focuses on security-related updates rather than installing all available patches. + + * **Rate control** – Configure concurrency and error thresholds for patching operations to minimize operational impact. + + + +