Quick Setup lets you create a patch policy that defines the schedule and baseline for automatic patching of ECS or Elastic Desktop Service (EDS) instances. A single patch policy can cover one region or span multiple regions within an account.
Patch compliance scanning methods – OOS supports multiple methods to scan managed nodes for patch compliance. Only the most recent scan results are retained. If different methods use different patch baselines with different approval rules, your compliance information may change unexpectedly.
Create a patch policy
- Log on to the OOS console.
- In the navigation pane, choose Quick Setup.
- On the Patch Management tab, choose Create.
- In the Cross account configuration section, select Current Account or Across Accounts (Resource Directory).
  - Current Account: Default. Uses resources in the current account.
  - Cross-account (Resource Directory): Manages resources across multiple accounts. Enable Resource Directory first and complete setup with an administrator or delegated administrator account. Set Resource Orchestration Service (ROS) as a trusted service when enabling trusted access. See Manage delegated administrator accounts.
- In the Configuration Description field, enter a description for the patch policy.
- For Scheduled Task Type, select a schedule for the scan: Execute Now, Executed Once at the Specified Time, or Executed Periodically.
  - Execute Now: Runs the scan immediately after you create the policy.
  - Executed Once at the Specified Time: Specify a time to run the scan.
  - Executed Periodically: Set the frequency with Quick Selection or a custom CRON expression. See Using Cron expressions.
- Choose whether to scan only or scan and install patches.
- Select whether to create a system disk snapshot. Disabled by default.
- Select whether to reboot instances after patching. Disabled by default. Rebooting is recommended, but may interrupt running services.
- In the Select Instances section, specify the region, resource type, and target instances.
  Note: You can apply this configuration to the current region or to selected regions.
  - Region:
    - Current region: Applies the policy to nodes in the currently selected console region.
    - Select regions: Choose specific regions for the patch policy.
  - Resource type:
    - ECS instance
    - Elastic Desktop Service (EDS) instance
  - Target instances:
    - Current region: Select instances manually, by tag, by Resource Group, or select all.
    - Other regions: Select instances by tag or select all.
- In the Advanced Options section:
  - For Rate control, choose Concurrency control or Batch control.
    - Concurrency control: Enter the number or percentage of nodes to patch simultaneously.
    - Batch control: Set the number or percentage of nodes per batch. Choose to run continuously, pause after each batch, or pause after the first batch only.
  - For Error threshold, set the maximum number or percentage of allowed errors. Default is 0 (the task fails on the first error). At 100%, the task is marked as successful regardless of errors.
- Click Create. The new policy appears on the Quick Setup page.
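
The Batch control and Error threshold settings in Advanced Options together decide how many nodes a failing rollout touches before it stops. The following sketch is an added planning model, not OOS code or an OOS API: the function names, the "Failed"/"Success" labels, rounding percentages down, and checking the threshold after each batch completes are all assumptions of the model.

```python
import math

def resolve(setting, total):
    """Convert a count (int) or percentage string such as '10%' to a node count.
    Rounding percentages down is an assumption of this model."""
    if isinstance(setting, str) and setting.endswith("%"):
        return math.floor(total * float(setting[:-1]) / 100)
    return int(setting)

def simulate(outcomes, batch, error_threshold):
    """Model a batch-controlled patch run.

    outcomes: per-node results in rollout order (True = patched, False = error).
    Assumption: the error count is compared with the threshold after each batch
    completes, and the task fails once errors exceed the threshold.
    Returns (status, nodes_attempted, errors).
    """
    total = len(outcomes)
    size = max(1, resolve(batch, total))        # nodes per batch, at least one
    allowed = resolve(error_threshold, total)   # 0 means fail on the first error
    attempted = errors = 0
    for start in range(0, total, size):
        chunk = outcomes[start:start + size]
        attempted += len(chunk)
        errors += chunk.count(False)
        if errors > allowed:
            return ("Failed", attempted, errors)
    return ("Success", attempted, errors)

# Constructed fleet: 20 nodes, the 3rd and 8th fail to patch.
FLEET = [True] * 20
FLEET[2] = FLEET[7] = False

if __name__ == "__main__":
    for batch, threshold in [(1, 0), (5, 0), ("50%", 0), (5, 1), (5, "10%"), (5, "100%")]:
        print(f"batch={batch!s:>4} threshold={threshold!s:>4} ->",
              simulate(FLEET, batch, threshold))
```

Under these assumptions, a threshold of 0 with a 50% batch still lets half the fleet be attempted before the task stops, so batch size is what bounds exposure to a bad patch. A 100% threshold reports success even though two nodes failed.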