AWS Systems Manager for Patching Automation on Hybrid Cloud

[BabuDEVUDU]

Anyone implemented Patching Automation of servers on AWS & On-prem (preferrably) or just AWS, I'm thinking to do a POC and want to take inputs from someone who gone this route before I start working on it. We are migrating from On-Prem to cloud (some portion will still remain in on-prem). Archi wants to use Hashicorp Packer, creating pipelines for AMIs creations etc, I'm looking into Systems Manager as with this, we can simply handle the entire Org's Patch Management with ease (at least from what I learnt so far). Else they wanted to use Packer for creating base AMIs that includes basic stuff like SSM agent, crowdstrike etc and share the Golden AMIs and patching of those AMIs to what ever teams that uses them to create AMIs in their respective AWS accounts (each team has their seperate AWS accounts). I want to see if instead of giving the teams the responsibility to create AMIs and patching, what if our team can take the entire responsibility of AMI provision and Patching (for configuration I'm looking at asnible playbooks document to integrate with SSM for app configurations and other complex deployments. Please help with providing your valuable insights

[kevinUsa]

HashiCorp Packer and Golden AMI Pipeline

[Kalam_Youtheman]

I did this 3 years ago using AWS SSM.. it was easy because all our machines were in AWS
its simple run commands, schedules and all. AWS has pretty good documentation on it. 

[Khali_ista]

@AWSCloudArchitect @aws_help @AWS

[maverick19]

8 hours ago, BabuDEVUDU said:

Anyone implemented Patching Automation of servers on AWS & On-prem (preferrably) or just AWS, I'm thinking to do a POC and want to take inputs from someone who gone this route before I start working on it. We are migrating from On-Prem to cloud (some portion will still remain in on-prem). Archi wants to use Hashicorp Packer, creating pipelines for AMIs creations etc, I'm looking into Systems Manager as with this, we can simply handle the entire Org's Patch Management with ease (at least from what I learnt so far). Else they wanted to use Packer for creating base AMIs that includes basic stuff like SSM agent, crowdstrike etc and share the Golden AMIs and patching of those AMIs to what ever teams that uses them to create AMIs in their respective AWS accounts (each team has their seperate AWS accounts). I want to see if instead of giving the teams the responsibility to create AMIs and patching, what if our team can take the entire responsibility of AMI provision and Patching (for configuration I'm looking at asnible playbooks document to integrate with SSM for app configurations and other complex deployments. Please help with providing your valuable insights

I would say it is best to use packer to create  base AMI and use that ami to create application images and deploy on  regular basis. this is one time setup if the applications are immutable in nature. If applications are not immutable and hosts are static you have to do in place patching through SSM.