AWS - Patch Software Using SSM

Amazon Web Services (AWS) - Patch Software Using SSM installs software patches on Amazon Web Services (AWS) instances that are the result of the saved query supplied as a trigger (or devices selected in the asset table).

General Settings

Connection Settings

• Use stored credentials from the Amazon Web Services (AWS) adapter (required, default: False) - Select this option to use the first connected AWS adapter credentials.
  NOTE

  • To use this option, you must successfully configure a AWS Amazon Web Services (AWS) adapter connection.
  • The user name and the password used for the adapter connection must have the Required Permissions to install software on assets.

Required Fields

These fields must be configured to run the Enforcement Set.

• Task (required, default: AWS-RunPatchBaseline) - The task name (document) to run.
• Maintenance Window ID (required) - Create using the AWS console or command linen interface (CLI).
• Operation (required, default: Scan) - The operation to perform:
  • Scan - the instances are scanned without installing a patch.
  • Install - installs the new patch.
• Priority (required, default: 100) - The priority the task is run at. A lower number is higher priority.
• Restart Policy (required, default: No Reboot) - Determines whether to restart an instance after patching.
  Select one of the following:
  • No Reboot - Instance is not rebooted after patching.
  • Reboot If Needed - Reboot the instance after patching if necessary.
• Maximum number of errors (required, default: 1) - The maximum number of errors allowed before stopping a task.
• Maximum number of concurrency (required, default: 5) - The maximum number of concurrent executions of the configured task.

• Compute Node - The Axonius node to use when connecting to the specified host. For more details, see Connecting Additional Axonius Nodes.

Additional Fields

These fields are optional.

• AWS Access Key ID - Provide AWS Access Key ID or choose to use EC2 instance attached IAM role.

• AWS Access Key Secret - Provide AWS Access Key Secret or choose to use EC2 instance attached IAM role.

• Proxy - The proxy to use.

• Use instance profile (attached role) - The instance profile to use.

• Role ARN to assume - A file with role-ARNs which the AWS Adapter will try to assume for cross-account access with the single IAM user. Two available formats:

  • List of comma-delimited role-ARNs

  arn:aws:iam::111111111111:role/axonius-role, arn:aws:iam::222222222222:role/axonius-role
  

  • JSON format - list of dictionaries that define each role.
    • external_id is only supported in the JSON format
    • The external_id can be different for every role in the list.

  [
      {"arn": "arn:aws:iam::111111111111:role/axonius-role"},
      {"arn": "arn:aws:iam::222222222222:role/axonius-role", "external_id": "MY-SECRET"}
  ]
  

• External ID - Use the External ID configured for the Amazon Web Services (AWS) adapter.

• MFA Serial Number - The AWS MFA Serial Number configured for the Amazon Web Services (AWS) adapter.

• MFA Secret Key - The AWS MFA Secret Key configured for the Amazon Web Services (AWS) adapter.

• Verify SSL - Select whether to verify the SSL certificate of the server against the CA database inside of Axonius. For more details, see SSL Trust & CA Settings.

• HTTPS Proxy - Connect the adapter to a proxy instead of directly connecting it to the domain.

• HTTPS Proxy User Name - The user name to use when connecting to the server using the  HTTPS Proxy.

• HTTPS Proxy Password - The password to use when connecting to the server using the  HTTPS Proxy.

• Service Role ARN (optional) The Role ARN to use when executing the task.

• Patch Baseline Override (S3 Path) (optional) Overrides the patch baseline used when patching the instance. (The default patch baseline is determined by the patching group the instance belongs to or the default patching baseline for the relavant OS if the device is not a part of any patching group.) See Using the BaselineOverride Parameter.
  The value must be one of the following:
  * http link to an S3 object
  * S3 link (if the bucket is private)

APIs

Axonius uses the Amazon SDK for Python (Boto3).

Required Ports

Axonius must be able to communicate with the value supplied in Connection Settings via the following ports:

• TCP port 443

Required Permissions

The values supplied in AWS Access Key ID and AWS Access Key Secret or the EC2 instance (Axonius installed on) attached IAM role account must have permissions to install software on instances:

• Register Task with Maintenance Window - Requires ssm:RegisterTaskWithMaintenanceWindow permission.

This permission must be added to a policy attached to relevant IAM user account.
For details on creating an IAM user and attaching policies, see Connecting the Amazon Web Services (AWS) Adapter.

Version Matrix

This adapter has only been tested with the versions marked as supported, but may work with other versions. Please contact Axonius Support if you have a version that is not listed and it is not functioning as expected.