AWS systems-manager medium security documentation change
Summary
Added documentation about external reboot limitations during patching
Security assessment
Documents a scenario where external reboots (e.g., for SecureBoot/firmware updates) can cause false patching failure reports. This directly impacts security operations by potentially masking successful patch installations, leading to inaccurate compliance reporting. The explicit mention of SecureBoot (security feature) and workaround guidance qualifies as security documentation.
Diff
diff --git a/systems-manager/latest/userguide/patch-manager-ssm-documents.md b/systems-manager/latest/userguide/patch-manager-ssm-documents.md index 416da6e62..71072f742 100644 --- a//systems-manager/latest/userguide/patch-manager-ssm-documents.md +++ b//systems-manager/latest/userguide/patch-manager-ssm-documents.md @@ -5 +5 @@ -SSM documents recommended for patching managed nodesLegacy SSM documents for patching managed nodes +SSM documents recommended for patching managed nodesLegacy SSM documents for patching managed nodesKnown limitations of the SSM documents for patching managed nodes @@ -56,0 +57,2 @@ Refer to the following sections for more information about using these SSM docum + * Known limitations of the SSM documents for patching managed nodes + @@ -256,0 +259,8 @@ To achieve the same result that you would from this legacy SSM document, use the +## Known limitations of the SSM documents for patching managed nodes + +### External reboot interruptions + +If a reboot is initiated by the system on the node during patch installation (for example, to apply updates to firmware or features like SecureBoot), the patching document execution may be interrupted and marked as failed even though patches were successfully installed. This occurs because the SSM Agent cannot persist and resume the document execution state across external reboots. + +To verify patch installation status after a failed execution, run a `Scan` patching operation, then check the patch compliance data in Patch Manager to assess the current compliance state. +