CloudOps Orchestration Service (OOS) patch management scans for and fixes system vulnerabilities on Elastic Compute Service (ECS) instances on a schedule. Use scheduled fix to keep software packages up to date, install low-priority patches based on the default patch baseline, or configure a custom patch baseline.
Prerequisites
Before you begin, make sure that you have the following permissions configured in the Resource Access Management (RAM) console:
{
  "Policy": {
    "Version": "1",
    "Statement": [
      {
        "Action": [
          "ecs:RebootInstance",
          "ecs:DescribeInvocationResults",
          "ecs:DescribeCloudAssistantStatus",
          "ecs:DescribeInstances",
          "ecs:DescribeInvocations",
          "ecs:RunCommand"
        ],
        "Resource": "*",
        "Effect": "Allow"
      },
      {
        "Action": [
          "oos:ListInstancePatchStates"
        ],
        "Resource": "*",
        "Effect": "Allow"
      }
    ]
  }
}

Create a scheduled fix task
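A pre-flight check to run before creating the task, added here as an example (it is not part of the OOS documentation or tooling): it parses a RAM policy document and reports which of the actions listed under Prerequisites the policy does not effectively allow, matching `*` wildcards and treating an explicit Deny as overriding an Allow. The names `missing_actions`, `REQUIRED` and `SAMPLE` and the sample policy are constructed for illustration; Resource and Condition scoping is not evaluated.

```python
import json
from fnmatch import fnmatchcase

# Actions listed in the Prerequisites policy on this page.
REQUIRED = [
    "ecs:RebootInstance", "ecs:DescribeInvocationResults",
    "ecs:DescribeCloudAssistantStatus", "ecs:DescribeInstances",
    "ecs:DescribeInvocations", "ecs:RunCommand",
    "oos:ListInstancePatchStates",
]

def _listify(value):
    """Action may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def missing_actions(policy_text, required=REQUIRED):
    """Return the required actions that the policy does not effectively allow.

    Only Effect and Action are evaluated. Resource and Condition scoping is
    ignored (a limitation of this sketch), so review those elements by hand.
    """
    doc = json.loads(policy_text)
    doc = doc.get("Policy", doc)  # accept the wrapped form used on this page
    patterns = {"Allow": [], "Deny": []}
    for stmt in doc.get("Statement", []):
        effect = stmt.get("Effect")
        if effect in patterns:
            patterns[effect].extend(_listify(stmt.get("Action", [])))

    def hit(action, effect):
        return any(fnmatchcase(action, p) for p in patterns[effect])

    # An explicit Deny overrides any Allow, so a denied action counts as missing.
    return [a for a in required if hit(a, "Deny") or not hit(a, "Allow")]

# Constructed sample: uses a wildcard for the Describe* calls, omits
# ecs:RebootInstance and explicitly denies ecs:RunCommand.
SAMPLE = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["ecs:Describe*", "ecs:RunCommand"], "Resource": "*"},
    {"Effect": "Allow", "Action": "oos:ListInstancePatchStates", "Resource": "*"},
    {"Effect": "Deny", "Action": "ecs:RunCommand", "Resource": "*"},
]})

if __name__ == "__main__":
    for action in missing_actions(SAMPLE):
        print("not granted:", action)
```

An empty result means every listed action is matched by an Allow statement and by no Deny statement.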
Log on to the OOS console. In the left-side navigation pane, click Quick Setup.
In the Patch Management section, click Create.

Set the TimerTrigger parameter to specify when the fix runs:

| Option | Description |
| --- | --- |
| Executed Once at the Specified Time | Run the scheduled fix once at a specific time. |
| Executed Periodically | Run the scheduled fix on a recurring schedule. |

Set the Action parameter to specify what the fix does:

| Action | Description |
| --- | --- |
| Scan Only | Check ECS instances for system vulnerabilities without making changes. |
| Scan and Install | Scan for vulnerabilities and install patches. You can also specify whether to restart the instance and whether to create a snapshot. |

> Warning: If you select RebootIfNeed when installing a patch, the system determines whether to restart the instance based on the patch information.

The following table describes the three patch management modes:

| Mode | Description |
| --- | --- |
| Scan | Check an ECS instance for system vulnerabilities without making changes. |
| Install without restart | Fix system vulnerabilities without restarting the ECS instance. |
| Install with restart | Fix system vulnerabilities and restart the ECS instance based on the patch requirement. |

Select the ECS instance to patch.

Click Create. In the confirmation dialog box, click OK.
Verify the fix result
After the scheduled fix runs, check the patch status:
In the left-side navigation pane, choose Server Management > Patch Management.
View the fix status for each instance.
