Patch Software Using AWS SSM
  • 25 May 2022

The Patch Software Using AWS SSM action installs software patches on Amazon Web Services (AWS) instances that are the result of the saved query supplied as a trigger (or devices selected in the asset table).

To configure Patch Software Using AWS SSM, from the Action Library, click Manage AWS Services, and then click Patch Software Using AWS SSM.

Connection Settings

  1. Use stored credentials from the Amazon Web Services (AWS) adapter (required, default: False) - Select this option to use the first connected AWS adapter credentials.
NOTE
  • To use this option, you must first successfully configure an Amazon Web Services (AWS) adapter connection.
  • The user name and the password used for the adapter connection must have the Required Permissions to install software on assets.
  2. AWS Access Key ID (optional) - Provide an AWS Access Key ID, or choose to use the IAM role attached to the EC2 instance.
  3. AWS Access Key Secret (optional) - Provide the AWS Access Key Secret, or choose to use the IAM role attached to the EC2 instance.
  4. Use Attached IAM Role (optional) - Use the IAM Role configured for the Amazon Web Services (AWS) adapter.
  5. Role ARN to assume (optional) - A file with role ARNs which the AWS adapter will try to assume for cross-account access with the single IAM user. Two formats are available:
    • List of comma-delimited role ARNs
    arn:aws:iam::111111111111:role/axonius-role, arn:aws:iam::222222222222:role/axonius-role
    
    • JSON format - a list of dictionaries, one defining each role.
      • external_id is only supported in the JSON format.
      • The external_id can be different for every role in the list.
    [
        {"arn": "arn:aws:iam::111111111111:role/axonius-role"},
        {"arn": "arn:aws:iam::222222222222:role/axonius-role", "external_id": "MY-SECRET"}
    ]
    
  6. External ID (optional) - Use the External ID configured for the Amazon Web Services (AWS) adapter.
  7. MFA Serial Number (optional) - The AWS MFA Serial Number configured for the Amazon Web Services (AWS) adapter.
  8. MFA Secret Key (optional) - The AWS MFA Secret Key configured for the Amazon Web Services (AWS) adapter.
  9. Verify SSL (required) - Verify the SSL certificate offered by the host Axonius connects to. For more details, see SSL Trust & CA Settings.
    • If enabled, the SSL certificate offered by the host is verified against the CA database inside Axonius. If it fails validation, the connection fails with an error.
    • If disabled, the SSL certificate offered by the host is not verified against the CA database inside Axonius.
  10. HTTPS Proxy (optional) - A proxy to use when connecting to the value supplied in Host Name or IP Address.
    • When supplied, Axonius uses the proxy when connecting to the value supplied in Host Name or IP Address.
    • When not supplied, Axonius connects directly to the value supplied in Host Name or IP Address.
  11. HTTPS Proxy User Name (optional) - The user name to use when connecting to the value supplied in Host Name or IP Address via the value supplied in HTTPS Proxy.
    • When supplied, Axonius authenticates with this value when connecting to the value supplied in HTTPS Proxy.
    • When not supplied, Axonius does not perform authentication when connecting to the value supplied in HTTPS Proxy.
  12. HTTPS Proxy Password (optional) - The password to use when connecting to the value supplied in Host Name or IP Address via the value supplied in HTTPS Proxy.
    • When supplied, Axonius authenticates with this value when connecting to the value supplied in HTTPS Proxy.
    • When not supplied, Axonius does not perform authentication when connecting to the value supplied in HTTPS Proxy.
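The following is an added example (not Axonius code) showing how the two "Role ARN to assume" formats above can be parsed and how each role is then assumed through STS. Note how ExternalId is only sent for roles that define one, which is what lets the owner of the target account enforce it in the role's trust policy. The role ARNs, session name and the OfflineSts stand-in client are constructed for illustration; with boto3 installed and credentials in the environment, the same code performs the live AssumeRole calls.

```python
"""Parse the two 'Role ARN to assume' formats and assume each role via STS.

Added example, not Axonius code. The ARNs, the session name and the OfflineSts
client used for offline runs are constructed placeholders.
"""
import json
import re
from typing import Dict, List, Optional

# boto3 is only needed for the live STS call; parsing and kwargs building run without it.
try:
    import boto3
except ImportError:  # keeps the module usable where boto3 is not installed
    boto3 = None

# IAM role ARN: 12-digit account id, then role/<name>, where <name> may include a path.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def parse_role_list(text: str) -> List[Dict[str, Optional[str]]]:
    """Return [{"arn": ..., "external_id": ...}, ...] from either supported format.

    Comma-delimited:  arn:...:role/a, arn:...:role/b          (external_id is always None)
    JSON:             [{"arn": ..., "external_id": ...}, ...]  (external_id optional per role)
    """
    text = text.strip()
    if text.startswith("["):
        entries = json.loads(text)
        if not isinstance(entries, list) or not all(isinstance(e, dict) for e in entries):
            raise ValueError("JSON format must be a list of objects with an 'arn' key")
        roles = [{"arn": e["arn"], "external_id": e.get("external_id")} for e in entries]
    else:
        roles = [{"arn": part.strip(), "external_id": None}
                 for part in text.split(",") if part.strip()]
    if not roles:
        raise ValueError("no role ARNs supplied")
    for role in roles:
        if not ROLE_ARN_RE.match(role["arn"]):
            raise ValueError(f"not an IAM role ARN: {role['arn']!r}")
    return roles


def assume_role_kwargs(role: Dict[str, Optional[str]],
                       session_name: str = "axonius-patch-ssm") -> Dict[str, str]:
    """Keyword arguments for sts.assume_role. ExternalId is sent only when configured,
    so a role whose trust policy requires it rejects callers that do not know it."""
    kwargs = {"RoleArn": role["arn"], "RoleSessionName": session_name}
    if role["external_id"]:
        kwargs["ExternalId"] = role["external_id"]
    return kwargs


def credentials_for_roles(sts_client, roles: List[Dict[str, Optional[str]]]) -> Dict[str, Dict]:
    """Assume every role in the list; returns {role arn: temporary credentials}.

    sts_client is any object with an assume_role(**kwargs) method: boto3.client("sts")
    in the live case, or OfflineSts below when running without AWS access.
    """
    creds = {}
    for role in roles:
        response = sts_client.assume_role(**assume_role_kwargs(role))
        creds[role["arn"]] = response["Credentials"]
    return creds


class OfflineSts:
    """Constructed stand-in for the STS client; returns fake credentials, no network."""

    def assume_role(self, **kwargs):
        return {"Credentials": {"AccessKeyId": "FAKE-" + kwargs["RoleArn"].rsplit("/", 1)[-1],
                                "SecretAccessKey": "fake", "SessionToken": "fake"}}


if __name__ == "__main__":
    # Constructed input in the JSON format described in the settings above.
    CONFIG = ('[{"arn": "arn:aws:iam::111111111111:role/axonius-role"}, '
              '{"arn": "arn:aws:iam::222222222222:role/axonius-role", "external_id": "MY-SECRET"}]')
    roles = parse_role_list(CONFIG)
    for role in roles:
        print(assume_role_kwargs(role))
    client = boto3.client("sts") if boto3 is not None else OfflineSts()
    print(credentials_for_roles(client, roles))
```

The first-account credentials (access key pair or the attached IAM role) come from the normal boto3 credential chain; only the cross-account roles are taken from the parsed list.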

Action Settings

  1. Task (required, default: AWS-RunPatchBaseline) - The task name (SSM document) to run.
  2. Maintenance Window ID (required) - The ID of a maintenance window created using the AWS console or command line interface (CLI).
  3. Operation (required, default: Scan) - The operation to perform:
    • Scan - the instances are scanned for missing patches without installing anything.
    • Install - installs the missing patches.
  4. Service Role ARN (optional) - The Role ARN to use when executing the task.
  5. Patch Baseline Override (S3 Path) (optional) - Overrides the patch baseline used when patching the instance. (The default patch baseline is determined by the patching group the instance belongs to, or by the default patch baseline for the relevant OS if the device is not part of any patching group.) See Using the BaselineOverride Parameter.
    The value must be one of the following:
    • http link to an S3 object
    • S3 link (if the bucket is private)
  6. Priority (required, default: 100) - The priority the task is run at. A lower number is a higher priority.
  7. Restart Policy (required, default: No Reboot) - Determines whether to restart an instance after patching.
    Select one of the following:
    • No Reboot - the instance is not rebooted after patching.
    • Reboot If Needed - the instance is rebooted after patching if a patch requires it.
  8. Maximum number of errors (required, default: 1) - The maximum number of errors allowed before the task is stopped.
  9. Maximum number of concurrency (required, default: 5) - The maximum number of concurrent executions of the configured task.

APIs

Axonius uses the Amazon SDK for Python (Boto3).

Required Ports

Axonius must be able to communicate with the value supplied in Connection Settings via the following ports:

  • TCP port 443

Required Permissions

The values supplied in AWS Access Key ID and AWS Access Key Secret, or the IAM role attached to the EC2 instance on which Axonius is installed, must have permission to install software on instances:

  • Register Task with Maintenance Window - Requires ssm:RegisterTaskWithMaintenanceWindow permission.

This permission must be added to a policy attached to the relevant IAM user account.
For details on creating an IAM user and attaching policies, see Connecting the Amazon Web Services (AWS) Adapter.
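The following is an added example (not Axonius code) that ties the Action Settings and Required Permissions sections together: it validates the action settings above, builds the Boto3 register_task_with_maintenance_window request that the AWS-RunPatchBaseline task needs, and derives an IAM policy granting ssm:RegisterTaskWithMaintenanceWindow on that one maintenance window only. One addition beyond the page: when a Service Role ARN is supplied, AWS also requires iam:PassRole on that role so it can be handed to SSM, so the generated policy includes it. The window ID, instance IDs, account ID, region, bucket and role ARNs are constructed placeholders, and the OfflineSsm client stands in for boto3.client("ssm").

```python
"""Build the RegisterTaskWithMaintenanceWindow request for AWS-RunPatchBaseline and
derive the least-privilege IAM policy the caller needs.

Added example, not Axonius code. All ids, ARNs and the S3 path are constructed.
"""
import json
from typing import Dict, Iterable, List, Optional

OPERATIONS = ("Scan", "Install")
# Restart Policy label from the action settings -> AWS-RunPatchBaseline RebootOption value.
RESTART_POLICY = {"No Reboot": "NoReboot", "Reboot If Needed": "RebootIfNeeded"}


def build_patch_task_request(window_id: str, instance_ids: Iterable[str], *,
                             task: str = "AWS-RunPatchBaseline", operation: str = "Scan",
                             restart_policy: str = "No Reboot",
                             service_role_arn: Optional[str] = None,
                             baseline_override: Optional[str] = None,
                             priority: int = 100, max_errors: int = 1,
                             max_concurrency: int = 5) -> Dict:
    """Validate the action settings and return kwargs for
    ssm.register_task_with_maintenance_window (boto3 signature)."""
    instance_ids = list(instance_ids)
    if not instance_ids:
        raise ValueError("at least one instance id is required")
    if operation not in OPERATIONS:
        raise ValueError(f"Operation must be one of {OPERATIONS}, got {operation!r}")
    if restart_policy not in RESTART_POLICY:
        raise ValueError(f"Restart Policy must be one of {tuple(RESTART_POLICY)}")
    if priority < 0 or max_errors < 0 or max_concurrency < 1:
        raise ValueError("priority and max_errors must be >= 0, max_concurrency >= 1")

    params = {"Operation": [operation], "RebootOption": [RESTART_POLICY[restart_policy]]}
    if baseline_override:
        # The page allows an http(s) link to the S3 object, or an S3 path for a private bucket.
        if not baseline_override.startswith(("http://", "https://", "s3://")):
            raise ValueError("Patch Baseline Override must be an http(s) or s3:// location")
        params["BaselineOverride"] = [baseline_override]

    request = {
        "WindowId": window_id,
        "Targets": [{"Key": "InstanceIds", "Values": instance_ids}],
        "TaskArn": task,
        "TaskType": "RUN_COMMAND",
        "TaskInvocationParameters": {"RunCommand": {"Parameters": params}},
        "Priority": priority,                    # lower number = higher priority
        "MaxConcurrency": str(max_concurrency),  # the SSM API takes these two as strings
        "MaxErrors": str(max_errors),
    }
    if service_role_arn:
        request["ServiceRoleArn"] = service_role_arn
    return request


def least_privilege_policy(request: Dict, region: str, account_id: str) -> Dict:
    """IAM policy granting only what the request needs: RegisterTaskWithMaintenanceWindow
    on that single window, plus iam:PassRole on the service role when one is supplied
    (AWS needs PassRole to hand the role to SSM; this is not listed on the page)."""
    window_arn = f"arn:aws:ssm:{region}:{account_id}:maintenancewindow/{request['WindowId']}"
    statements: List[Dict] = [{
        "Effect": "Allow",
        "Action": "ssm:RegisterTaskWithMaintenanceWindow",
        "Resource": window_arn,
    }]
    if "ServiceRoleArn" in request:
        statements.append({
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": request["ServiceRoleArn"],
            "Condition": {"StringEquals": {"iam:PassedToService": "ssm.amazonaws.com"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def register_patch_task(ssm_client, request: Dict) -> str:
    """Submit the request; returns the WindowTaskId that SSM assigns.
    ssm_client is boto3.client("ssm") in the live case or OfflineSsm below."""
    return ssm_client.register_task_with_maintenance_window(**request)["WindowTaskId"]


class OfflineSsm:
    """Constructed stand-in for the SSM client; records nothing, touches no network."""

    def register_task_with_maintenance_window(self, **kwargs):
        return {"WindowTaskId": "task-" + kwargs["WindowId"]}


if __name__ == "__main__":
    req = build_patch_task_request(
        "mw-0123456789abcdef0", ["i-0123456789abcdef0"],  # constructed ids
        operation="Install", restart_policy="Reboot If Needed",
        service_role_arn="arn:aws:iam::123456789012:role/ssm-maintenance-window-role",
        baseline_override="s3://example-bucket/baseline-override.json")
    print(json.dumps(req, indent=2))
    print(json.dumps(least_privilege_policy(req, "us-east-1", "123456789012"), indent=2))
    print(register_patch_task(OfflineSsm(), req))
```

Replacing OfflineSsm() with boto3.client("ssm", region_name=...) submits the task for real; keeping the policy scoped to the window ARN means a compromised Axonius credential cannot register tasks against other maintenance windows in the account.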

Version Matrix

This adapter has only been tested with the versions marked as supported, but may work with other versions. Please contact Axonius Support if you have a version that is not listed and it is not functioning as expected.

Version                      Supported   Notes
AWS SDK for Python (Boto3)   Yes

To learn more about configuring Enforcement Sets, see Configuring Enforcement Sets.

