AWS systems-manager documentation change
Summary
Updated documentation to remove references to Amazon Linux 1 and 2022, consolidate Amazon Linux 2/2023 details, remove CentOS/SLES sections, add Debian Server focus, and update Ubuntu version listings. Clarified architecture support and package manager differences.
Security assessment
Changes primarily update supported OS versions and repository configurations without addressing specific vulnerabilities. No security patches or vulnerabilities are mentioned. The removal of CentOS/SLES and addition of Debian documentation reflects product support changes rather than security fixes. Clarification about package managers and repository handling is operational documentation.
Diff
diff --git a/systems-manager/latest/userguide/patch-manager-selecting-patches.md b/systems-manager/latest/userguide/patch-manager-selecting-patches.md index fc53f028d..a640af1ad 100644 --- a//systems-manager/latest/userguide/patch-manager-selecting-patches.md +++ b//systems-manager/latest/userguide/patch-manager-selecting-patches.md @@ -21,16 +21 @@ Choose from the following tabs to learn how Patch Manager selects security patch -Amazon Linux 1, Amazon Linux 2, Amazon Linux 2022, and Amazon Linux 2023 - - -Preconfigured repositories are handled differently on Amazon Linux 1 and Amazon Linux 2 than on Amazon Linux 2022 and Amazon Linux 2023. - -On Amazon Linux 1 and Amazon Linux 2, the Systems Manager patch baseline service uses preconfigured repositories on the managed node. There are usually two preconfigured repositories (repos) on a node: - -###### On Amazon Linux 1 - - * **Repo ID** : `amzn-main/latest` - -**Repo name** : `amzn-main-Base` - - * **Repo ID** : `amzn-updates/latest` - -**Repo name** : `amzn-updates-Base` +Amazon Linux 2 and Amazon Linux 2023 @@ -38,0 +24 @@ On Amazon Linux 1 and Amazon Linux 2, the Systems Manager patch baseline service +Preconfigured repositories are handled differently on Amazon Linux 2 than on Amazon Linux 2023. @@ -39,0 +26 @@ On Amazon Linux 1 and Amazon Linux 2, the Systems Manager patch baseline service +On Amazon Linux 2, the Systems Manager patch baseline service uses preconfigured repositories on the managed node. There are usually two preconfigured repositories (repos) on a node: @@ -56 +43 @@ On Amazon Linux 1 and Amazon Linux 2, the Systems Manager patch baseline service -`architecture` can be x86_64 or aarch64. +`architecture` can be x86_64 or (for Graviton processors) aarch64. @@ -60,2 +46,0 @@ When you create an Amazon Linux 2023 (AL2023) instance, it contains the updates -On Amazon Linux 2022, the preconfigured repositories are tied to _locked versions_ of package updates. When new Amazon Machine Images (AMIs) for Amazon Linux 2022 are released, they are locked to a specific version. For patch updates, Patch Manager retrieves the latest locked version of the patch update repository and then updates packages on the managed node based on the content of that locked version. - @@ -71,8 +56 @@ On AL2023, the preconfigured repository is the following: -On Amazon Linux 2022 (preview release), the preconfigured repositories are tied to _locked versions_ of package updates. When new Amazon Machine Images (AMIs) for Amazon Linux 2022 are released, they are locked to a specific version. For patch updates, Patch Manager retrieves the latest locked version of the patch update repository and then updates packages on the managed node based on the content of that locked version. - -On Amazon Linux 2022, the preconfigured repository is the following: - - * **Repo ID** : `amazonlinux` - -**Repo name** : Amazon Linux 2022 repository - +On Amazon Linux 2023 (preview release), the preconfigured repositories are tied to _locked versions_ of package updates. When new Amazon Machine Images (AMIs) for AL2023 are released, they are locked to a specific version. For patch updates, Patch Manager retrieves the latest locked version of the patch update repository and then updates packages on the managed node based on the content of that locked version. @@ -79,0 +58 @@ On Amazon Linux 2022, the preconfigured repository is the following: +###### Package managers @@ -81,6 +60 @@ On Amazon Linux 2022, the preconfigured repository is the following: - -###### Note - -All updates are downloaded from the remote repos configured on the managed node. Therefore, the node must have outbound access to the internet in order to connect to the repos so the patching can be performed. - -Amazon Linux 1 and Amazon Linux 2 managed nodes use Yum as the package manager. Amazon Linux 2022 and Amazon Linux 2023 use DNF as the package manager. +Amazon Linux 2 managed nodes use Yum as the package manager. Amazon Linux 2023 use DNF as the package manager. @@ -96,22 +70 @@ For more information about the **Include non-security updates** option, see [How -CentOS and CentOS Stream - - -On CentOS and CentOS Stream, the Systems Manager patch baseline service uses preconfigured repositories (repos) on the managed node. The following list provides examples for a fictitious CentOS 8.2 Amazon Machine Image (AMI): - - * **Repo ID** : `example-centos-8.2-base` - -**Repo name** : `Example CentOS-8.2 - Base` - - * **Repo ID** : `example-centos-8.2-extras` - -**Repo name** : `Example CentOS-8.2 - Extras` - - * **Repo ID** : `example-centos-8.2-updates` - -**Repo name** : `Example CentOS-8.2 - Updates` - - * **Repo ID** : `example-centos-8.x-examplerepo` - -**Repo name** : `Example CentOS-8.x – Example Repo Packages` - - +Debian Server @@ -120,16 +73 @@ On CentOS and CentOS Stream, the Systems Manager patch baseline service uses pre -###### Note - -All updates are downloaded from the remote repos configured on the managed node. Therefore, the node must have outbound access to the internet in order to connect to the repos so the patching can be performed. - -CentOS 6 and 7 managed nodes use Yum as the package manager. CentOS 8 and CentOS Stream nodes use DNF as the package manager. Both package managers use the concept of an update notice. An update notice is simply a collection of packages that fix specific problems. - -However, CentOS and CentOS Stream default repos aren't configured with an update notice. This means that Patch Manager doesn't detect packages on default CentOS and CentOS Stream repos. To allow Patch Manager to process packages that aren't contained in an update notice, you must turn on the `EnableNonSecurity` flag in the patch baseline rules. - -###### Note - -CentOS and CentOS Stream update notices are supported. Repos with update notices can be downloaded after launch. - -Debian Server and Raspberry Pi OS - - -On Debian Server and Raspberry Pi OS (formerly Raspbian), the Systems Manager patch baseline service uses preconfigured repositories (repos) on the instance. These preconfigured repos are used to pull an updated list of available package upgrades. For this, Systems Manager performs the equivalent of a `sudo apt-get update` command. +On Debian Server, the Systems Manager patch baseline service uses preconfigured repositories (repos) on the instance. These preconfigured repos are used to pull an updated list of available package upgrades. For this, Systems Manager performs the equivalent of a `sudo apt-get update` command. @@ -139,6 +76,0 @@ Packages are then filtered from `debian-security `codename`` repos. This means t - * Debian Server 8: `debian-security jessie` - - * Debian Server 9: `debian-security stretch` - - * Debian Server 10: `debian-security buster` - @@ -152,4 +83,0 @@ Packages are then filtered from `debian-security `codename`` repos. This means t -###### Note - -On Debian Server 8 only: Because some Debian Server 8.* managed nodes refer to an obsolete package repository (`jessie-backports`), Patch Manager performs additional steps to ensure that patching operations succeed. For more information, see [How patches are installed](./patch-manager-installing-patches.html). - @@ -289,14 +216,0 @@ AlmaLinux 9, RHEL 9, and Rocky Linux 9 -SLES - - -On SUSE Linux Enterprise Server (SLES) managed nodes, the ZYPP library gets the list of available patches (a collection of packages) from the following locations: - - * List of repositories: `etc/zypp/repos.d/*` - - * Package information: `/var/cache/zypp/raw/*` - - - - -SLES managed nodes use Zypper as the package manager, and Zypper uses the concept of a patch. A patch is simply a collection of packages that fix a specific problem. Patch Manager handles all packages referenced in a patch as security-related. Because individual packages aren't given classifications or severity, Patch Manager assigns the packages the attributes of the patch that they belong to. - @@ -310,3 +224 @@ Packages are then filtered from ``codename`-security` repos, where the codename - * Ubuntu Server 14.04 LTS: `trusty-security` - - * Ubuntu Server 16.04 LTS: `xenial-security` + * * Ubuntu Server 16.04 LTS: `xenial-security` @@ -318,9 +230 @@ Packages are then filtered from ``codename`-security` repos, where the codename - * Ubuntu Server 20.10 STR: `groovy-security` - - * Ubuntu Server 22.04 LTS (`jammy-security`) - - * Ubuntu Server 23.04 (`lunar-security`) - - * Ubuntu Server 23.10 (`mantic-security`) - - * Ubuntu Server 24.04 LTS (`noble-security`) + * * Ubuntu Server 22.04 LTS (`jammy-security`) @@ -328 +232 @@ Packages are then filtered from ``codename`-security` repos, where the codename - * Ubuntu Server 24.10 (`oracular-security`) + * * * Ubuntu Server 24.04 LTS (`noble-security`) @@ -330 +234 @@ Packages are then filtered from ``codename`-security` repos, where the codename - * Ubuntu Server 25.04 (`plucky-security`) + * * Ubuntu Server 25.04 (`plucky-security`)