AWS Security ChangesHomeSearch

AWS systems-manager medium security documentation change

Service: systems-manager · 2025-11-13 · Security-related medium

File: systems-manager/latest/userguide/patch-manager-installing-patches.md

Summary

Updated package manager details for Amazon Linux 2023 and added notes about repository configuration behavior. Documented how to enforce repository availability checks using skip_if_unavailable=False.

Security assessment

The change addresses a potential security gap where unreachable repositories could be silently skipped during patching, leaving systems unpatched. By documenting the default behavior and providing a mitigation (skip_if_unavailable=False), it directly relates to ensuring security updates are applied. This impacts security by preventing false-positive successful patching operations that miss critical updates.

Diff

diff --git a/systems-manager/latest/userguide/patch-manager-installing-patches.md b/systems-manager/latest/userguide/patch-manager-installing-patches.md
index bcfcc9c6a..c5b2cf7cc 100644
--- a//systems-manager/latest/userguide/patch-manager-installing-patches.md
+++ b//systems-manager/latest/userguide/patch-manager-installing-patches.md
@@ -9 +9 @@ AWS Systems Manager Change Manager is no longer open to new customers. Existing
-Patch Manager, a tool in AWS Systems Manager, uses the appropriate built-in mechanism for an operating system type to install updates on a managed node. For example, on Windows Server, the Windows Update API is used, and on Amazon Linux 2 the `yum` package manager is used.
+Patch Manager, a tool in AWS Systems Manager, uses the operating system built-in package manager to install updates on managed nodes. For example, it uses the Windows Update API on Windows Server and `DNF` on Amazon Linux 2023. Patch Manager respects existing package manager and repository configurations on the nodes, including settings such as repository status, mirror URLs, GPG verification, and options like `skip_if_unavailable`.
@@ -97,0 +98,6 @@ For example, `dnf upgrade-minimal --security` installs the _minimal_ versions of
+###### Note
+
+A default configuration for a package manager on a Linux distribution might be set to skip an unreachable package repository without error. In such cases, the related patching operation proceeds without installing updates from the repository and concludes with success. To enforce repository updates, add `skip_if_unavailable=False` to the repository configuration.
+
+For more information about the `skip_if_available` option, see [Connectivity to the patch source](./patch-manager-prerequisites.html#source-connectivity).
+
@@ -279,0 +286,6 @@ New packages that replace now-obsolete packages with different names are install
+###### Note
+
+A default configuration for a package manager on a Linux distribution might be set to skip an unreachable package repository without error. In such cases, the related patching operation proceeds without installing updates from the repository and concludes with success. To enforce repository updates, add `skip_if_unavailable=False` to the repository configuration.
+
+For more information about the `skip_if_available` option, see [Connectivity to the patch source](./patch-manager-prerequisites.html#source-connectivity).
+
@@ -354,0 +367,6 @@ New packages that replace now-obsolete packages with different names are install
+###### Note
+
+A default configuration for a package manager on a Linux distribution might be set to skip an unreachable package repository without error. In such cases, the related patching operation proceeds without installing updates from the repository and concludes with success. To enforce repository updates, add `skip_if_unavailable=False` to the repository configuration.
+
+For more information about the `skip_if_available` option, see [Connectivity to the patch source](./patch-manager-prerequisites.html#source-connectivity).
+