aws-samples
diff --git a/‎aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/README.md
Lines changed: 57 additions & 12 deletions b/‎aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/README.md
Lines changed: 57 additions & 12 deletions
diff --git a/‎aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/documentation/missing-patch-summary.png
183 KB b/‎aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/documentation/missing-patch-summary.png
183 KB
diff --git a/‎aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/documentation/node-compliance.png
116 KB b/‎aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/documentation/node-compliance.png
116 KB
diff --git a/‎aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/documentation/patch-mgr-deployment.png
62.1 KB b/‎aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/documentation/patch-mgr-deployment.png
62.1 KB
diff --git a/‎aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/documentation/patch-mgr-solution.png
45.6 KB b/‎aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/documentation/patch-mgr-solution.png
45.6 KB
diff --git a/‎aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/documentation/patchmgr.png
-44.3 KB b/‎aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/documentation/patchmgr.png
-44.3 KB
diff --git a/‎aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/lambda/src/app.py
Lines changed: 6 additions & 3 deletions b/‎aws_sra_examples/solutions/patch_mgmt/patch_mgmt_org/lambda/src/app.py
Lines changed: 6 additions & 3 deletions
@@ -20,8 +20,8 @@ The SRA Patch Manager solution will automate enabling Systems Manager - Patch ma
 - Assumes a role in each member account to enable/disable the Patch Manager Solution.
 - Creates 3 Maintenance Windows:
    - One updates the SSM Agents on all Managed Instances.
-   - One scans for, or installs, missing patches on Managed Instances tagged as Windows.
-   - One scans for, or installs, missing patches on Managed Instances tagged as Linux.
+   - One scans for, or installs, missing **Security patches rated Critical or Important** and **Bugfixes** on Managed Instances tagged as Windows.
+   - One scans for, or installs, missing **Security patches rated Critical or Important** and **Bugfixes** on Managed Instances tagged as Linux.
 - Configures the [Default Host Configuration](https://docs.aws.amazon.com/systems-manager/latest/userguide/quick-setup-default-host-management-configuration.html) feature.
 - Ability to disable Patch Manager within all accounts and regions via a parameter and CloudFormation update event.
 
@@ -39,25 +39,55 @@ The Patch Manager solution requires:
 
 ## Deployed Resource Details
 
-![Architecture](./documentation/patchmgr.png)
+![Architecture](./documentation/patch-mgr-deployment.png)
+
+## Solution Details
+
+![Solution](./documentation/patch-mgr-solution.png)
 
 ### 1.0 Organization Management Account<!-- omit in toc -->
 
-#### 1.1 AWS Patch Manager<!-- omit in toc -->
+#### 1.1 AWS CloudFormation<!-- omit in toc -->
 
-- All resources are deployed via AWS CloudFormation as a `StackSet` and `Stack Instance` within the `management account` or a CloudFormation `Stack` within a specific account.
+- All resources are deployed via AWS CloudFormation as a `StackSet` and `Stack Instance` within the management account or a CloudFormation `Stack` within a specific account.
 - The [Customizations for AWS Control Tower](https://aws.amazon.com/solutions/implementations/customizations-for-aws-control-tower/) solution deploys all templates as a CloudFormation `StackSet`.
 - For parameter details, review the [AWS CloudFormation templates](templates/).
 
-#### 1.2 IAM Roles<!-- omit in toc -->
+#### 1.2 AWS Lambda Function<!-- omit in toc -->
+
+- The Lambda function includes logic to enable and configure Patch Manager
+
+#### 1.3 Lambda Execution IAM Role<!-- omit in toc -->
 
 - The `Lambda IAM Role` is used by the Lambda function in the management account to enable the Patch Manager in the management account.
+
+#### 1.4 Lambda CloudWatch Log Group<!-- omit in toc -->
+
+- All the `AWS Lambda Function` logs are sent to a CloudWatch Log Group `</aws/lambda/<LambdaFunctionName>` to help with debugging and traceability of the actions performed.
+- By default the `AWS Lambda Function` will create the CloudWatch Log Group and logs are encrypted with a CloudWatch Logs service managed encryption key.
+
+#### 1.5 AWS Patch Manager<!-- omit in toc -->
+
+- Patch Manager is enabled for each existing active account and region during the initial setup.
+
+### 2.0 All Existing Active Accounts and Regions<!-- omit in toc -->
+
+#### 2.1 AWS CloudFormation<!-- omit in toc -->
+
+- All resources are deployed via AWS CloudFormation as a `StackSet` and `Stack Instance` within the management account or a CloudFormation `Stack` within a specific account.
+- The [Customizations for AWS Control Tower](https://aws.amazon.com/solutions/implementations/customizations-for-aws-control-tower/) solution deploys all templates as a CloudFormation `StackSet`.
+- For parameter details, review the [AWS CloudFormation templates](templates/).
+
+#### 2.2 IAM Roles<!-- omit in toc -->
+
 - The `Patch Management IAM Role` is assumed by the Lambda function in each of the member accounts to to configure Patch Manager.
 - The `SSM Automation Role` is used by the Maintenance Window to execute the task.
 - The `DefaultHostConfig Role` is used to enable the Default Host Configuration setting.
 - The `Patch Mgr EC2 Profile` is used if there are issue with the Default Host Configuration setting.
 
-#### 1.3 Maintenance Windows<!-- omit in toc -->
+### 3.0 Patch Manager Solution<!-- omit in toc -->
+
+#### 3.1 Maintenance Windows<!-- omit in toc -->
 
 ##### Maintenance Windows Window
 
@@ -80,14 +110,12 @@ Three target groups are created and registered with each of the Maintenance Wind
 - `Windows_Scan`  which includes all instances with the tag InstanceOS:Windows
 - `Linux_Scan`  which includes all instances with the tag InstanceOS:Linux
 
-#### 1.4 Command Documents<!-- omit in toc -->
+#### 3.2 Command Documents<!-- omit in toc -->
 
 These AWS Managed SSM Documents are used by the tasks:
 - `AWS-UpdateSSMAgent`
 - `AWS-RunPatchBaseline`
 
-
-
 ## Implementation Instructions
 
 ### Prerequisites<!-- omit in toc -->
@@ -126,9 +154,26 @@ Choose to deploy the Patch Manager solution from within the chosen deployment ty
 
 ---
 
-#### Troubleshooting<!-- omit in toc -->
+## Viewing Results
+
+### Viewing Node Compliance<!-- omit in toc -->
+
+Navigate to `Systems Manager` then `Patch Manager`. From the Dashboard select the `Compliance Reporting` tab. This will show you all your managed instances, the Compliance Status, and the Non-Compliant Count of patches.
+
+![Node-Compliance](./documentation/node-compliance.png)
+
+### Viewing Missing Patches<!-- omit in toc -->
+
+Selecting the link on Non-Compliant Count will show you the missing patches for that Managed Instance. Selecting `Patch Now` at the top right of the window will allow you to plan the installation of the patches.
+
+![Missing-Patch-Summary](./documentation/missing-patch-summary.png)
+
+
+---
+
+## Troubleshooting<!-- omit in toc -->
 
-Q: Its been more than 24 hours and the Instances are still not appearing in Fleet Manager (and therefore not being scanned).
+Q: Its been more than 24 hours and the Instances are still not appearing in Fleet Manager (and therefore not being scanned).\
 A: Attach the `patch-mgr-ec2-profile` to the EC2 instances.
 
 ---
 
@@ -291,6 +291,7 @@ def define_maintenance_window_tasks(
         task_description = params.get("TASK1_DESCRIPTION", "")
         task_run_command = params.get("TASK1_RUN_COMMAND", "")
         task_operation = params.get("TASK1_OPERATION", "Scan")
+        task_rebootoption = params.get("TASK1_REBOOTOPTION", "NoReboot")
 
 
         for response2 in window_target_response['window1_targets']:
@@ -319,7 +320,7 @@ def define_maintenance_window_tasks(
                         "RunCommand": {
                             "Parameters": {
                                 "Operation": [task_operation],
-                                "RebootOption": ["RebootIfNeeded"],
+                                "RebootOption": [task_rebootoption],
                             },
                             "DocumentVersion": "$DEFAULT",
                             "TimeoutSeconds": 3600,
@@ -346,6 +347,7 @@ def define_maintenance_window_tasks(
         task_description = params.get("TASK2_DESCRIPTION", "")
         task_run_command = params.get("TASK2_RUN_COMMAND", "")
         task_operation = params.get("TASK2_OPERATION", "Scan")
+        task_rebootoption = params.get("TASK2_REBOOTOPTION", "NoReboot")
 
         for response2 in window_target_response['window2_targets']:
             LOGGER.info(response2)
@@ -373,7 +375,7 @@ def define_maintenance_window_tasks(
                         "RunCommand": {
                             "Parameters": {
                                 "Operation": [task_operation],
-                                "RebootOption": ["RebootIfNeeded"],
+                                "RebootOption": [task_rebootoption],
                             },
                             "DocumentVersion": "$DEFAULT",
                             "TimeoutSeconds": 3600,
@@ -400,6 +402,7 @@ def define_maintenance_window_tasks(
         task_description = params.get("TASK3_DESCRIPTION", "")
         task_run_command = params.get("TASK3_RUN_COMMAND", "")
         task_operation = params.get("TASK3_OPERATION", "Scan")
+        task_rebootoption = params.get("TASK3_REBOOTOPTION", "NoReboot")
 
         for response2 in window_target_response['window3_targets']:
             LOGGER.info(response2)
@@ -427,7 +430,7 @@ def define_maintenance_window_tasks(
                         "RunCommand": {
                             "Parameters": {
                                 "Operation": [task_operation],
-                                "RebootOption": ["RebootIfNeeded"],
+                                "RebootOption": [task_rebootoption],
                             },
                             "DocumentVersion": "$DEFAULT",
                             "TimeoutSeconds": 3600,