Step 4 - Patch the EC2 instance using aws:RunCommand

Now that our Automation document launches an EC2 instance, waits for the instance status check to return ok, and creates an S3 bucket, we will add another step that patches the instance so that it has the latest security updates installed.

Tip: If you copy and paste values from this walkthrough into Document Builder, such as parameter names and handler names, make sure to delete any leading or trailing spaces added to the text value you enter.

Update the Custom Automation Document

  • Open the AWS Systems Manager console at

  • In the navigation pane, choose Documents.

  • On the Documents page, select the Owned by me tab and then choose the document you created in Step 1 - Launch an EC2 Instance using aws:runInstances, such as LaunchEC2Instance.

  • Select Actions and then Create new version.

  • For Assume role, enter {{ assumeRole }}. This lets us pass in the Automation service role through the assumeRole parameter; the role itself is created in subsequent steps.

  • For Outputs, replace the existing value with the following.

```
["launchEc2Instance.OutputPayload", "PatchInstance.CommandId", "PatchInstance.Output"]
```

  • Expand Input parameters and do the following.

    • Important: Do not modify the existing six parameters: imageId, tagValue, instanceType, instanceIAMrole, assumeRole, s3BucketName.
    • Choose Add a parameter to create the seventh parameter, Operation, and enter the following.

      • For Parameter name, enter Operation.
      • For Type, choose String.
      • For Required, choose No.
      • For Default value, enter Install. This performs the Install operation for patching on the launched instance.
      • For Description, enter the following.

```
(Required) The update or configuration to perform on the instance. The system checks if patches specified in the patch baseline are installed on the instance. The install operation installs patches missing from the baseline.
```
  • Below the third step, choose Add step to add a fourth step to the Automation document. The fourth step executes the Command document AWS-RunPatchBaseline on the instance which will be used to install the latest available security updates.

  • In the Step 4 section, do the following.

    • For Step name, enter PatchInstance.
    • For Action type, choose Run a command on a managed instance (aws:runCommand).
    • For Description, enter a description for the automation step, such as the following.

```
**About This Step**

This step runs the Command document ```AWS-RunPatchBaseline``` on the managed instance launched in Step 1.
```

    • For Document name, enter AWS-RunPatchBaseline.
    • For InstanceIds, enter the following.

```
- '{{ launchEc2Instance.InstanceId }}'
```

    • Expand Additional inputs.
    • For Input name, choose Parameters. For Input value, enter the following data.

```
Operation: '{{Operation}}'
```

    • Choose Add optional input.
    • For Input name, choose OutputS3BucketName. For Input value, enter the following data.

```
'{{ s3BucketName }}'
```

    • Choose Add optional input.
    • For Input name, choose OutputS3KeyPrefix. For Input value, enter patching.

  • Select Set new version as default.

  • Choose Create new version to save the document.
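For reference, this is what the additions made in this step look like in the document's YAML content view. It is an added example written for this page, not content from the original walkthrough or from AWS; it shows only what this step adds (the assumeRole value, the Operation parameter, the outputs list and the PatchInstance step) and assumes the three earlier steps and the six existing parameters are already present in the document, so it is a fragment rather than a complete document.

```yaml
schemaVersion: '0.3'
description: Launch an EC2 instance, create an S3 bucket, then patch the instance
# Automation assumes the service role passed in through the assumeRole parameter
assumeRole: '{{ assumeRole }}'
parameters:
  # imageId, tagValue, instanceType, instanceIAMrole, assumeRole and s3BucketName
  # were defined in earlier steps of the walkthrough and are omitted here.
  Operation:
    type: String
    default: Install
    description: >-
      (Required) The update or configuration to perform on the instance. The
      system checks if patches specified in the patch baseline are installed on
      the instance. The install operation installs patches missing from the
      baseline.
outputs:
  - launchEc2Instance.OutputPayload
  - PatchInstance.CommandId
  - PatchInstance.Output
mainSteps:
  # Steps 1-3 (launchEc2Instance, the status-check wait, and the S3 bucket
  # creation) were built in earlier parts of the walkthrough and are omitted.
  - name: PatchInstance
    action: aws:runCommand
    inputs:
      DocumentName: AWS-RunPatchBaseline
      # Target the instance launched by step 1 via its InstanceId output
      InstanceIds:
        - '{{ launchEc2Instance.InstanceId }}'
      # Pass the document parameter through to the Command document
      Parameters:
        Operation: '{{Operation}}'
      # Store the Run Command output in the bucket created in step 3
      OutputS3BucketName: '{{ s3BucketName }}'
      OutputS3KeyPrefix: patching
```

Because the step outputs PatchInstance.Output and writes the full log under the patching/ prefix in the S3 bucket, both places can be checked after an execution to confirm which patches were installed.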