AWS systems-manager-automation-runbooks documentation change
Summary
Added a markdown link and an important note clarifying that the AutoPatchInstanceInASG tag is not a patch compliance indicator and providing guidance on how to verify patch compliance
Security assessment
This change adds documentation about security best practices for verifying patch compliance. It clarifies that a tag used by the runbook is not a compliance indicator and directs users to proper methods (DescribeInstancePatchStates, ListComplianceItems) for verification. This helps prevent misconfiguration and ensures accurate security posture assessment, but does not address a specific security vulnerability.
Diff
diff --git a/systems-manager-automation-runbooks/latest/userguide/automation-aws-patchasginstance.md b/systems-manager-automation-runbooks/latest/userguide/automation-aws-patchasginstance.md index 22bb2e286..235ee6035 100644 --- a//systems-manager-automation-runbooks/latest/userguide/automation-aws-patchasginstance.md +++ b//systems-manager-automation-runbooks/latest/userguide/automation-aws-patchasginstance.md @@ -0,0 +1,2 @@ +[View a markdown version of this page](automation-aws-patchasginstance.md) + @@ -12,0 +15,6 @@ Patch Amazon Elastic Compute Cloud (Amazon EC2) instances in an Auto Scaling gro +###### Important + +This runbook applies an `AutoPatchInstanceInASG` tag to the target instance during execution. This tag prevents the runbook from executing twice on the same instance simultaneously — it is not a patch compliance indicator. If the patching step fails, the tag value might still be set to `Completed` even though the runbook execution status reports `Failed`. + +To verify patch compliance on the instance, use [DescribeInstancePatchStates](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_DescribeInstancePatchStates.html) or [ListComplianceItems](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_ListComplianceItems.html) instead. +