Tag-Based Patching

Automatically tag EC2 instances to orchestrate patch groups, schedules, and maintenance windows using AMS Patch Orchestrator or AWS Systems Manager.

Overview

AMS Patch Orchestrator and AWS Systems Manager Patch Manager use tags to decide how an instance is patched. Patch Manager reads the PatchGroup tag (the older Patch Group key, with a space, is also accepted) to place an instance in a patch group, and the patch group in turn is registered to a patch baseline; an instance with no patch group tag silently falls back to the default baseline for its operating system. Maintenance windows target instances by any tag you choose, so a second tag such as PatchWindow can carry the schedule. TagOps can automatically apply and maintain these patch tags so that your patch configuration stays accurate even as new instances are created or existing ones change ownership [1]. Because tags are the control plane here, treat tag writes as a privileged operation: anyone allowed to call ec2:CreateTags or ec2:DeleteTags on these keys can move an instance into a different patch group or out of every maintenance window, so scope those permissions with aws:TagKeys conditions.

What TagOps Can Do

TagOps can automatically tag instances with the metadata required for tag-based patching:

  • Patch Group Tagging: Apply PatchGroup, PatchBaseline, or PatchWindow tags based on environment, application, or compliance tier. Of these, only PatchGroup is read natively by Patch Manager; PatchBaseline and PatchWindow are naming conventions that your maintenance window targets and reports key on.
  • Schedule Alignment: Tag instances with maintenance window identifiers (for example, PatchWindow: Weekday-02UTC) and register a maintenance window target that filters on that tag, so Patch Orchestrator runs during the correct window.
  • Dynamic Coverage: Ensure every new instance launched in a given account, OU, or region inherits the right patch tags without manual intervention, instead of falling back to the default baseline and no maintenance window.
  • Custom Baselines: Tag subsets of instances that need custom patch baselines (e.g., critical-only updates) with their own patch group value, so the group can be registered to the baseline created through AMS custom patch baseline CTs.
  • Compliance Visibility: Use tags to drive reporting: instances missing a PatchGroup tag, or carrying both PatchGroup and Patch Group with different values, can be surfaced for remediation.

Example TagOps Rule

Create a TagOps rule to automatically tag production EC2 instances for nightly patching:

  • Condition: Resource type is ec2:instance and tag Environment equals Production.
  • Action: Add tags:
    • PatchGroup: ProdLinux
    • PatchWindow: Nightly-03UTC
    • PatchBaseline: CriticalSecurity

These tags allow AMS Patch Orchestrator or AWS Systems Manager Maintenance Windows to include the instance in the correct patch group and schedule. Two registrations make the tags effective: the patch group value ProdLinux must be registered to the CriticalSecurity baseline (the PatchBaseline tag alone does not select a baseline in Systems Manager), and the Nightly-03UTC maintenance window must have a target that filters on tag:PatchWindow. Keep the rule idempotent, so that an instance whose PatchGroup has drifted (for example, after a change of ownership) is corrected rather than skipped.
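The following is an added example, not TagOps or AWS code, showing the rule above as plain Python over the response shape of EC2 DescribeInstances (Reservations, Instances, Tags), so the same functions run unchanged over real boto3 output. It plans only the tags that are missing or wrong (so reruns are idempotent and the plan doubles as a drift report), flags instances with no patch group or with conflicting PatchGroup and Patch Group values, and writes the result with the boto3 create_tags signature. The instance IDs and the fleet are constructed; the client passed to apply_plan is assumed to be a boto3 EC2 client.

```python
"""Plan, audit and apply patch tags for EC2 instances from a tag rule.

Added example, not TagOps or AWS code. Works on the EC2 DescribeInstances
response shape so it runs over real boto3 output; SAMPLE_FLEET is constructed.
"""
from dataclasses import dataclass

# Patch Manager accepts either spelling of the patch group tag key.
PATCH_GROUP_KEYS = ("PatchGroup", "Patch Group")


@dataclass(frozen=True)
class TagRule:
    """Condition: one tag must equal a value. Action: add fixed tags."""
    match_key: str
    match_value: str
    add_tags: dict


# The production rule from the page.
PROD_RULE = TagRule(
    match_key="Environment",
    match_value="Production",
    add_tags={
        "PatchGroup": "ProdLinux",
        "PatchWindow": "Nightly-03UTC",
        "PatchBaseline": "CriticalSecurity",
    },
)

# Constructed DescribeInstances-style output with hypothetical instance IDs.
SAMPLE_FLEET = {"Reservations": [{"Instances": [
    # new production instance, no patch tags yet
    {"InstanceId": "i-0aaa000000000001",
     "Tags": [{"Key": "Environment", "Value": "Production"}]},
    # already compliant
    {"InstanceId": "i-0aaa000000000002",
     "Tags": [{"Key": "Environment", "Value": "Production"},
              {"Key": "PatchGroup", "Value": "ProdLinux"},
              {"Key": "PatchWindow", "Value": "Nightly-03UTC"},
              {"Key": "PatchBaseline", "Value": "CriticalSecurity"}]},
    # drifted: changed owner, PatchGroup now points at the wrong group
    {"InstanceId": "i-0aaa000000000003",
     "Tags": [{"Key": "Environment", "Value": "Production"},
              {"Key": "PatchGroup", "Value": "DevLinux"},
              {"Key": "PatchWindow", "Value": "Nightly-03UTC"},
              {"Key": "PatchBaseline", "Value": "CriticalSecurity"}]},
    # not production: untouched by the rule, but has no patch group at all
    {"InstanceId": "i-0aaa000000000004",
     "Tags": [{"Key": "Environment", "Value": "Staging"}]},
    # both tag key spellings with different values: ambiguous membership
    {"InstanceId": "i-0aaa000000000005",
     "Tags": [{"Key": "Patch Group", "Value": "Legacy"},
              {"Key": "PatchGroup", "Value": "ProdLinux"}]},
]}]}


def instance_tags(resp):
    """Flatten a DescribeInstances response into {instance_id: {key: value}}."""
    out = {}
    for res in resp.get("Reservations", []):
        for inst in res.get("Instances", []):
            out[inst["InstanceId"]] = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
    return out


def plan_patch_tags(resp, rule):
    """Return {instance_id: tags_to_write} for instances matching the rule.

    Only missing or differing tags are written, so the plan is idempotent
    and a non-empty delta on an already-tagged instance means drift.
    """
    plan = {}
    for iid, tags in instance_tags(resp).items():
        if tags.get(rule.match_key) != rule.match_value:
            continue
        delta = {k: v for k, v in rule.add_tags.items() if tags.get(k) != v}
        if delta:
            plan[iid] = delta
    return plan


def patch_group_report(resp):
    """Compliance view: instances with no patch group tag (they would get the
    default baseline) and instances whose two key spellings disagree."""
    missing, conflicting = [], []
    for iid, tags in instance_tags(resp).items():
        values = {tags[k] for k in PATCH_GROUP_KEYS if k in tags}
        if not values:
            missing.append(iid)
        elif len(values) > 1:
            conflicting.append(iid)
    return {"missing": sorted(missing), "conflicting": sorted(conflicting)}


def apply_plan(ec2, plan):
    """Write the plan with EC2 CreateTags (boto3 client signature), batching
    instances that need the identical tag set. Returns the number of calls."""
    by_delta = {}
    for iid, delta in plan.items():
        by_delta.setdefault(tuple(sorted(delta.items())), []).append(iid)
    for delta, ids in by_delta.items():
        ec2.create_tags(Resources=ids,
                        Tags=[{"Key": k, "Value": v} for k, v in delta])
    return len(by_delta)


if __name__ == "__main__":
    import json
    print(json.dumps(plan_patch_tags(SAMPLE_FLEET, PROD_RULE), indent=2))
    print(json.dumps(patch_group_report(SAMPLE_FLEET), indent=2))
```

Against the constructed fleet the plan writes all three tags to the new instance and only PatchGroup to the drifted one, while the report lists the new and the staging instance as missing a patch group and the fifth as conflicting. In a real run, pass `boto3.client("ec2").describe_instances()` (paginated) to plan_patch_tags and the same client to apply_plan; the tags only take effect once ProdLinux is registered to the CriticalSecurity baseline and a maintenance window target filters on tag:PatchWindow.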

Additional Resources

[1] AMS Patch Orchestrator applies patch configurations based on tags such as PatchGroup, letting you target anything from a single instance to your entire fleet using tag-driven maintenance windows.