
Elastic Compute Service:Update patches to improve the security of ECS instances

Last Updated:Jun 19, 2024

Most organizations have compliance requirements for IT asset management. For example, system vulnerabilities must be fixed at the earliest opportunity to prevent attacks, and software packages must be up to date. To meet the compliance requirements, patch management is particularly important. CloudOps Orchestration Service (OOS) provides the Patch Management feature for Elastic Compute Service (ECS). The Patch Management feature allows you to scan for patches, install patches based on the default patch baseline, or specify a custom patch baseline.

Background information

The Patch Management feature can automatically apply various types of updates, such as security-related updates, to both operating systems and applications. It scans for or installs patches based on the default patch baseline of the operating system that runs on the instances you select. For information about Patch Management and patch baselines, see How a patch manager works and Patch baseline.

Patch Management supports the Immediate Fix and Scheduled Fix modes. The scenarios for each patch management mode are described below.

Immediate Fix

  • High-risk vulnerabilities: If detected vulnerabilities are determined as highly risky and may cause data breach or the system to be easily compromised, patches must be installed immediately to minimize the time when an instance is exposed to the risks.

  • Critical systems: For critical systems that run core businesses or process sensitive information, security updates must be implemented at the earliest opportunity to ensure that the systems can continuously and securely run.

  • Known exploits: To protect the system from a vulnerability that is widely exploited, you must take immediate actions.

  • Compliance requirements: In specific sectors or regions, laws and regulations may require specific types of vulnerabilities to be fixed within a specific period of time to meet compliance requirements.

Scheduled Fix

  • Non-urgent vulnerabilities: Vulnerabilities that pose low risks and are unlikely to be exploited within a short period can be fixed on a schedule during off-peak hours or within a maintenance window to reduce the impact on business.

  • System stability: In specific large-scale or complex IT environments, installing patches without sufficient testing may cause incompatibility and system instability. When you install patches on a schedule within a maintenance window, you can reserve time for adequate testing and backup.

  • Resource optimization: If your organization has limited resources, such as manpower, you can batch install patches at specific points in time, such as during weekends or at night.

Prerequisites

  • The ECS instances for which you want to update patches must run operating systems that support the Patch Management feature. For more information, see the Supported operating systems section of the "Overview" topic.

  • The account that is used to update patches must have the following permissions. For more information, see Use RAM to grant permissions to OOS.

    {
        "Policy": {
            "Version": "1",
            "Statement": [
                {
                    "Action": [
                        "ecs:RebootInstance",
                        "ecs:DescribeInvocationResults",
                        "ecs:DescribeCloudAssistantStatus",
                        "ecs:DescribeInstances",
                        "ecs:DescribeInvocations",
                        "ecs:RunCommand"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                },
                {
                    "Action": [
                        "oos:ListInstancePatchStates"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                }
            ]
        }
    }
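A pre-flight check for the permission prerequisite above, added here as an example and not part of the original topic or of OOS itself: it compares a RAM policy document against the actions this page lists, honouring RAM's `*` wildcards and the rule that an explicit Deny overrides an Allow. The `WEAK_POLICY` document is a constructed sample, and statements scoped to a narrower Resource than `*` are ignored by assumption.

```python
import fnmatch
import json

# Actions the page lists as required for updating patches through OOS.
REQUIRED_ACTIONS = (
    "ecs:RebootInstance", "ecs:DescribeInvocationResults",
    "ecs:DescribeCloudAssistantStatus", "ecs:DescribeInstances",
    "ecs:DescribeInvocations", "ecs:RunCommand", "oos:ListInstancePatchStates",
)


def _as_list(value):
    """RAM lets "Action" and "Resource" be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)


def missing_actions(policy_doc, required=REQUIRED_ACTIONS):
    """Return the required actions that the policy does not grant on Resource "*".

    An action is granted only if an Allow statement covers it (RAM '*'
    wildcards are honoured, case-insensitively) and no Deny statement
    covers it. Assumption: statements scoped to a narrower Resource are
    ignored, because the patch task needs these actions on all instances.
    """
    doc = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    doc = doc.get("Policy", doc)  # the page wraps the document in a "Policy" key
    allowed, denied = set(), set()
    for stmt in doc.get("Statement", []):
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        target = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in _as_list(stmt.get("Action", [])):
            target.update(a for a in required
                          if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return sorted(set(required) - (allowed - denied))


# Constructed sample: read-only ECS access plus RunCommand, with an explicit
# Deny on reboots. It cannot run a Scheduled Fix that has Allow Restart = Yes.
WEAK_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Action": ["ecs:Describe*", "ecs:RunCommand"], "Resource": "*", "Effect": "Allow"},
    {"Action": "ecs:RebootInstance", "Resource": "*", "Effect": "Deny"},
]})

if __name__ == "__main__":
    for action in missing_actions(WEAK_POLICY):
        print("missing:", action)
```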

Procedure

In this example, the Scheduled Fix mode is used to describe how to update patches. You can also update patches in Immediate Fix mode. For more information, see Immediate fix.

  1. Log on to the CloudOps Orchestration Service (OOS) console.

  2. In the left-side navigation pane, choose Server Management > Patch Management. On the Patch Management page, click Scheduled Fix.


  3. In the Basic Information section, configure the parameters.

    Take note of the following parameters. For information about other parameters, see the parameter descriptions displayed on the Scheduled Fix page.

    • Scheduled Task Type: The mode in which OOS updates patches on a schedule. For example, a patch update task is executed at 0:00:00 every day.

    • Fix Operations:

      • Scan: scans each specified instance and generates a list of missing patches for review.

      • Scan and Install: scans each specified instance and compares the existing patches on the instance with the patches that match the rule specified by the patch baseline. Then, the system downloads and installs the missing approved patches on each involved instance.

    • Whether to Create Snapshot for System Disk: Select Yes and specify a snapshot retention period.

    • Allow Restart: specifies whether instances may be restarted after patches are installed. Choose the option that fits your business requirements.

      • Yes: restarts the instances when instance restart is required to allow patches to take effect.

      • No: does not restart the instances. In this case, if the instance restart is required to allow patches to take effect, the patches do not take effect and remain in the Pending state after being installed.

    • Permissions: Select Default Service-linked Role.


  4. Click Select Instances, set Resource Type to ECS Instances, and then select the instances for which you want to update patches.


  5. Retain the default values in the Advanced section and click Execute Now.

  6. In the Parameter Confirmation message, confirm the parameters and click OK.


  7. View the details of a patch update task.

    1. On the Patch Management page, view the Task Status column of the patch update task. If Success is displayed, the patch update task is complete.


    2. Click Execution ID or Details in the Actions column to view the details of the updated patches.


References

OOS is a comprehensive, automated O&M service provided by Alibaba Cloud free of charge to help you manage and execute O&M tasks in the cloud. You can use OOS to manage repetitive, event-driven, scheduled, and cross-region O&M tasks. OOS helps you easily batch handle O&M tasks and manage approval requests. OOS also serves as a standardization platform for O&M tasks and allows you to create templates from O&M manuals, operation guides, and maintenance manuals based on best practices of Operations as Code. For more information, see What is OOS?