AWS Security ChangesHomeSearch

AWS systems-manager documentation change

Service: systems-manager · 2025-08-28 · Documentation low

File: systems-manager/latest/userguide/patch-manager-installing-patches.md

Summary

Removed references to deprecated Amazon Linux 1, Amazon Linux 2022, CentOS, SLES, and older Ubuntu/Debian versions. Simplified documentation to focus on currently supported OS versions (Amazon Linux 2/2023, Debian Server).

Security assessment

The changes remove documentation for end-of-life systems (e.g., Amazon Linux 1, CentOS) but do not directly address a specific security vulnerability. This appears to be routine maintenance of supported platforms rather than a response to a security incident. No new security features or mitigations are added.

Diff

diff --git a/systems-manager/latest/userguide/patch-manager-installing-patches.md b/systems-manager/latest/userguide/patch-manager-installing-patches.md
index d4adbfa90..491e675a7 100644
--- a//systems-manager/latest/userguide/patch-manager-installing-patches.md
+++ b//systems-manager/latest/userguide/patch-manager-installing-patches.md
@@ -15 +15 @@ Choose from the following tabs to learn how Patch Manager installs patches on an
-Amazon Linux 1, Amazon Linux 2, Amazon Linux 2022, and Amazon Linux 2023
+Amazon Linux 2 and Amazon Linux 2023
@@ -18 +18 @@ Amazon Linux 1, Amazon Linux 2, Amazon Linux 2022, and Amazon Linux 2023
-On Amazon Linux 1, Amazon Linux 2, Amazon Linux 2022, and Amazon Linux 2023 managed nodes, the patch installation workflow is as follows:
+On Amazon Linux 2 and Amazon Linux 2023 managed nodes, the patch installation workflow is as follows:
@@ -38 +38 @@ If nonsecurity updates are included, patches from other repositories are conside
-  7. The YUM update API (Amazon Linux 1, Amazon Linux 2) or the DNF update API (Amazon Linux 2022, Amazon Linux 2023) is applied to approved patches as follows:
+  7. The YUM update API (Amazon Linux 2) or the DNF update API (Amazon Linux 2023) is applied to approved patches as follows:
@@ -48 +48 @@ If nonsecurity updates are included, patches from other repositories are conside
-For Amazon Linux 1 and Amazon Linux 2, the equivalent yum command for this workflow is:
+For Amazon Linux 2, the equivalent yum command for this workflow is:
@@ -52 +52 @@ For Amazon Linux 1 and Amazon Linux 2, the equivalent yum command for this workf
-For Amazon Linux 2022 and Amazon Linux 2023, the equivalent dnf command for this workflow is:
+For Amazon Linux 2023, the equivalent dnf command for this workflow is:
@@ -58 +58 @@ If the **Include nonsecurity updates** check box is selected, patches in `update
-For Amazon Linux 1 and Amazon Linux 2, if a baseline with **Include nonsecurity updates** is selected, has a SEVERITY list of `[Critical, Important]` and a CLASSIFICATION list of `[Security, Bugfix]`, the equivalent yum command is:
+For Amazon Linux 2, if a baseline with **Include nonsecurity updates** is selected, has a SEVERITY list of `[Critical, Important]` and a CLASSIFICATION list of `[Security, Bugfix]`, the equivalent yum command is:
@@ -62 +62 @@ For Amazon Linux 1 and Amazon Linux 2, if a baseline with **Include nonsecurity
-For Amazon Linux 2022, and Amazon Linux 2023, the equivalent dnf command is:
+For Amazon Linux 2023, the equivalent dnf command is:
@@ -70 +70 @@ New packages that replace now-obsolete packages with different names are install
-###### Additional patching details for Amazon Linux 2022 and Amazon Linux 2023
+###### Additional patching details for Amazon Linux 2023
@@ -75 +75 @@ Support for severity level 'None'
-Amazon Linux 2022 and Amazon Linux 2023 also support the patch severity level `None`, which is recognized by the DNF package manager. 
+Amazon Linux 2023 also supports the patch severity level `None`, which is recognized by the DNF package manager. 
@@ -80 +80 @@ Support for severity level 'Medium'
-For Amazon Linux 2022 and Amazon Linux 2023, a patch severity level of `Medium` is equivalent to a severity of `Moderate` that might be defined in some external repositories. If you include `Medium` severity patches in the patch baseline, `Moderate` severity patches from external patches are also installed on the instances.
+For Amazon Linux 2023, a patch severity level of `Medium` is equivalent to a severity of `Moderate` that might be defined in some external repositories. If you include `Medium` severity patches in the patch baseline, `Moderate` severity patches from external patches are also installed on the instances.
@@ -84 +84 @@ When you query for compliance data using the API action [DescribeInstancePatches
-Transitive dependency handling for Amazon Linux 2022 and Amazon Linux 2023
+Transitive dependency handling for Amazon Linux 2023
@@ -87 +87 @@ Transitive dependency handling for Amazon Linux 2022 and Amazon Linux 2023
-For Amazon Linux 2022 and Amazon Linux 2023, Patch Manager might install different versions of transitive dependencies than the equivalent `dnf` commands install. Transitive dependencies are packages that are automatically installed to satisfy the requirements of other packages (dependencies of dependencies). 
+For Amazon Linux 2023, Patch Manager might install different versions of transitive dependencies than the equivalent `dnf` commands install. Transitive dependencies are packages that are automatically installed to satisfy the requirements of other packages (dependencies of dependencies). 
@@ -96 +96 @@ For example, `dnf upgrade-minimal --security` installs the _minimal_ versions of
-CentOS and CentOS Stream
+Debian Server
@@ -99,37 +99 @@ CentOS and CentOS Stream
-On CentOS and CentOS Stream managed nodes, the patch installation workflow is as follows:
-
-  1. If a list of patches is specified using an https URL or an Amazon Simple Storage Service (Amazon S3) path-style URL using the `InstallOverrideList` parameter for the `AWS-RunPatchBaseline` or `AWS-RunPatchBaselineAssociation` documents, the listed patches are installed and steps 2-7 are skipped.
-
-Apply [GlobalFilters](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_CreatePatchBaseline.html#systemsmanager-CreatePatchBaseline-request-GlobalFilters) as specified in the patch baseline, keeping only the qualified packages for further processing. 
-
-  2. Apply [ApprovalRules](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_CreatePatchBaseline.html#EC2-CreatePatchBaseline-request-ApprovalRules) as specified in the patch baseline. Each approval rule can define a package as approved.
-
-Approval rules, however, are also subject to whether the **Include nonsecurity updates** check box was selected when creating or last updating a patch baseline.
-
-If nonsecurity updates are excluded, an implicit rule is applied in order to select only packages with upgrades in security repos. For each package, the candidate version of the package (which is typically the latest version) must be part of a security repo. 
-
-If nonsecurity updates are included, patches from other repositories are considered as well.
-
-  3. Apply [ApprovedPatches](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_CreatePatchBaseline.html#EC2-CreatePatchBaseline-request-ApprovedPatches) as specified in the patch baseline. The approved patches are approved for update even if they're discarded by [GlobalFilters](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_CreatePatchBaseline.html#systemsmanager-CreatePatchBaseline-request-GlobalFilters) or if no approval rule specified in [ApprovalRules](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_CreatePatchBaseline.html#EC2-CreatePatchBaseline-request-ApprovalRules) grants it approval.
-
-  4. Apply [RejectedPatches](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_CreatePatchBaseline.html#EC2-CreatePatchBaseline-request-RejectedPatches) as specified in the patch baseline. The rejected patches are removed from the list of approved patches and won't be applied.
-
-  5. If multiple versions of a patch are approved, the latest version is applied.
-
-  6. The YUM update API (on CentOS 6.x and 7.x versions) or the DNF update (on CentOS 8 and CentOS Stream) is applied to approved patches.
-
-###### Note
-
-For CentOS, Patch Manager might install different versions of transitive dependencies than the equivalent `dnf` commands install. Transitive dependencies are packages that are automatically installed to satisfy the requirements of other packages (dependencies of dependencies). 
-
-For example, `dnf upgrade-minimal --security` installs the _minimal_ versions of transitive dependencies needed to resolve known security issues, while Patch Manager installs the _latest available versions_ of the same transitive dependencies.
-
-  7. The managed node is rebooted if any updates were installed. (Exception: If the `RebootOption` parameter is set to `NoReboot` in the `AWS-RunPatchBaseline` document, the managed node isn't rebooted after Patch Manager runs. For more information, see [Parameter name: RebootOption](./patch-manager-aws-runpatchbaseline.html#patch-manager-aws-runpatchbaseline-parameters-norebootoption).)
-
-
-
-
-Debian Server and Raspberry Pi OS
-    
-
-On Debian Server and Raspberry Pi OS (formerly Raspbian) instances, the patch installation workflow is as follows:
+On Debian Server instances, the patch installation workflow is as follows:
@@ -141,14 +104,0 @@ On Debian Server and Raspberry Pi OS (formerly Raspbian) instances, the patch in
-###### Important
-
-On Debian Server 8 only: Because some Debian Server 8.* managed nodes refer to an obsolete package repository (`jessie-backports`), Patch Manager performs the following additional steps to ensure that patching operations succeed:
-
-    1. On your managed node, the reference to the `jessie-backports` repository is commented out from the source location list (`/etc/apt/sources.list.d/jessie-backports`). As a result, no attempt is made to download patches from that location.
-
-    2. A Stretch security update signing key is imported. This key provides the necessary permissions for the update and install operations on Debian Server 8.* distributions.
-
-    3. The `apt-get` operation is run at this point to ensure that the latest version of `python3-apt` is installed before the patching process begins.
-
-    4. After the installation process is complete, the reference to the `jessie-backports` repository is restored and the signing key is removed from the apt sources keyring. This is done to leave the system configuration as it was before the patching operation. 
-
-The next time Patch Manager updates the system, the same process is repeated.
-
@@ -171 +121 @@ If nonsecurity updates are included, patches from other repositories are conside
-For Debian Server and Raspberry Pi OS, patch candidate versions are limited to patches included in `debian-security`.
+For Debian Server, patch candidate versions are limited to patches included in `debian-security`.
@@ -367,30 +316,0 @@ New packages that replace now-obsolete packages with different names are install
-SLES
-    
-
-On SUSE Linux Enterprise Server (SLES) managed nodes, the patch installation workflow is as follows:
-
-  1. If a list of patches is specified using an https URL or an Amazon Simple Storage Service (Amazon S3) path-style URL using the `InstallOverrideList` parameter for the `AWS-RunPatchBaseline` or `AWS-RunPatchBaselineAssociation` documents, the listed patches are installed and steps 2-7 are skipped.
-
-  2. Apply [GlobalFilters](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_CreatePatchBaseline.html#systemsmanager-CreatePatchBaseline-request-GlobalFilters) as specified in the patch baseline, keeping only the qualified packages for further processing. 
-
-  3. Apply [ApprovalRules](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_CreatePatchBaseline.html#EC2-CreatePatchBaseline-request-ApprovalRules) as specified in the patch baseline. Each approval rule can define a package as approved.
-
-Approval rules, however, are also subject to whether the **Include nonsecurity updates** check box was selected when creating or last updating a patch baseline.
-
-If nonsecurity updates are excluded, an implicit rule is applied in order to select only packages with upgrades in security repos. For each package, the candidate version of the package (which is typically the latest version) must be part of a security repo. 
-
-If nonsecurity updates are included, patches from other repositories are considered as well.
-
-  4. Apply [ApprovedPatches](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_CreatePatchBaseline.html#EC2-CreatePatchBaseline-request-ApprovedPatches) as specified in the patch baseline. The approved patches are approved for update even if they're discarded by [GlobalFilters](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_CreatePatchBaseline.html#systemsmanager-CreatePatchBaseline-request-GlobalFilters) or if no approval rule specified in [ApprovalRules](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_CreatePatchBaseline.html#EC2-CreatePatchBaseline-request-ApprovalRules) grants it approval.
-
-  5. Apply [RejectedPatches](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_CreatePatchBaseline.html#EC2-CreatePatchBaseline-request-RejectedPatches) as specified in the patch baseline. The rejected patches are removed from the list of approved patches and won't be applied.
-
-  6. If multiple versions of a patch are approved, the latest version is applied.
-
-  7. The Zypper update API is applied to approved patches.
-
-  8. The managed node is rebooted if any updates were installed. (Exception: If the `RebootOption` parameter is set to `NoReboot` in the `AWS-RunPatchBaseline` document, the managed node isn't rebooted after Patch Manager runs. For more information, see [Parameter name: RebootOption](./patch-manager-aws-runpatchbaseline.html#patch-manager-aws-runpatchbaseline-parameters-norebootoption).)
-
-
-
-
@@ -426,2 +345,0 @@ For each version of Ubuntu Server, patch candidate versions are limited to patch
-     * Ubuntu Server 14.04 LTS: `trusty-security`
-
@@ -434,2 +351,0 @@ For each version of Ubuntu Server, patch candidate versions are limited to patch
-     * Ubuntu Server 20.10 STR: `groovy-security`
-
@@ -438,4 +353,0 @@ For each version of Ubuntu Server, patch candidate versions are limited to patch
-     * Ubuntu Server 23.04 (`lunar-security`)
-
-     * Ubuntu Server 23.10 (`mantic-security`)
-
@@ -444,2 +355,0 @@ For each version of Ubuntu Server, patch candidate versions are limited to patch
-     * Ubuntu Server 24.10 (`oracular-security`)
-