AWS Systems Manager (SSM) Patch Manager automates security patching across Windows and Linux EC2 instances in your SAP landscape, ensuring compliance without manual intervention. Tag-based targeting, scheduled maintenance windows, and centralized reporting minimize downtime while maintaining audit trails for SAP HANA, application servers, Active Directory DCs, and supporting infrastructure.
Key Benefits
Zero-Touch: Automatic patch approval and deployment.
Environment-Specific: Prod (monthly), Dev (weekly) schedules.
Compliance: Real-time dashboards + S3 audit exports.
SAP-Safe: Pre/post patch hooks + controlled reboots.
Objective
Automated patching ensuring:
Critical/security patches within 7 days of release.
Maintenance windows outside SAP business hours.
95%+ compliance across all environments.
Detailed audit reporting for compliance reviews.
Patch Scope & Baselines
Environment OS Baseline Schedule Reboot Policy
Production Windows/Linux Critical+Security Monthly (1st Sun 02:00 UTC) If required, max 30min window
QA/Pre-Prod Windows/Linux All Updates Bi-weekly Always
Development Windows/Linux All Updates Weekly Always
Sandbox Windows/Linux All Updates Daily Always
Technical Implementation Steps
Step 1: SSM Prerequisites
IAM Instance Profile (attach to all SAP EC2):
AmazonSSMManagedInstanceCore
+ Custom: ssm-patching-sap (ssm:SendCommand, logs:CreateLogStream)
SSM Agent Verification:
# Linux
sudo systemctl status amazon-ssm-agent
rpm -qa | grep amazon-ssm-agent
# Windows PowerShell
Get-Service AmazonSSMAgent
Step 2: Create Patch Baselines
Systems Manager → Patch Manager → Create patch baseline:
Windows Baseline (SAP-Windows-Critical-Security):
Setting Value
Classification CriticalUpdates, SecurityUpdates
Approval Auto-approve 7 days after release
Reboot If required (30min timeout)
Exclude None
Linux Baseline (SAP-Linux-Security):
RHEL/SUSE: security,bugfix
Amazon Linux: security
Ubuntu: security
Auto-approve: 7 days
CLI:
aws ssm create-patch-baseline \
--name "SAP-Windows-Critical-Security" \
--operating-system WINDOWS \
--approval-rules 'PatchRules=[{PatchFilterGroup={PatchFilters=[{Key=CLASSIFICATION,Values=[CriticalUpdates,SecurityUpdates]}]},ComplianceLevel=CRITICAL,ApproveAfterDays=7}]' \
--description "SAP Windows Critical+Security"
Step 3: Tag-Based Instance Targeting
Standard Tags (applied to all SAP EC2):
Environment: Production|QA|Dev|Sandbox
PatchGroup: SAP-Critical|SAP-All
Tier: ASCS|AppServer|HANA|AD-DC
Owner: SAP-Team
Step 4: Maintenance Windows
Systems Manager → Maintenance Windows → Create:
Production Window:
Name: SAP-Prod-Monthly-Patching
Schedule: cron(0 2 ? 1 SUN *) # 1st Sunday 02:00 UTC
Duration: 4 hours
Stop initiating after: 3 hours
Targets: tag:Environment=Production
Tasks:
├── AWS-RunPatchBaseline (PatchGroup=SAP-Critical)
└── AWS-RunCommand (Custom: sap-patch-complete-hook)
Step 5: Pre/Post Patch Automation
Lambda Function (sap-patch-pre-hook):
def lambda_handler(event, con):
instance_id = event['instanceId']
# Pre-patching: SAP graceful shutdown
ssm_client.send_command(
InstanceIds=[instance_id],
DocumentName='AWS-RunShellScript',
Parameters={'commands': ['sapcontrol -nr 00 -function Stop', 'sleep 30']}
)
return {'status': 'SAP stopped, ready for patching'}
Step 6: Compliance Dashboard
Systems Manager → Fleet Manager → Patch Compliance:
Weekly Report:
- Production: 98.7% compliant (3/248 instances pending)
- QA: 100% compliant
- Development: 95.2% compliant
Non-compliant: i-0a1b2c3d (SAP-HANA-01), Reason: Reboot pending
Step 7: Notifications & Audit
SNS Topic (SAP-Patching-Alerts):
Subscribers:
├── SAP Ops Team (email)
├── PagerDuty (HTTP)
└── Slack webhook
S3 Audit Export (weekly):
s3://sap-compliance-reports/YYYY/MM/patch-compliance-YYYY-MM-DD.csv
Columns: InstanceId, PatchGroup, ComplianceLevel, LastScanDate
Validation & Testing
Pre-Production Dry Run:
# Scan compliance (no patching)
aws ssm scan-compliance --filters Key=PatchBaseline,Values=SAP-Windows-Critical-Security
# Test maintenance window (single instance)
aws ssm create-maintenance-window \
--name "SAP-Test-Patching" \
--schedule "cron(0 22 * * ? *)" \
--duration 1 \
--cutoff 0 \
--allow-unassociated-targets
Patching Flow
SAP-Specific Considerations
HANA Patching Sequence:
1. Stop HANA secondary node
2. Patch primary → Reboot
3. Failover → Patch secondary
4. Validate cluster health (hdbsql landscapeHostConfiguration)
AD DC Patching:
1. Patch non-GC DC → Reboot → Verify replication
2. Patch GC → Reboot → Verify FSMO roles
3. `dcdiag /test:replications` validation
Production Reboot Windows (per geography):
APAC: Sunday 02:00-06:00 UTC (Mon 07:30-11:30 IST)
EMEA: Sunday 08:00-12:00 UTC
US-East: Sunday 14:00-18:00 UTC
Compliance Reporting (Monthly Executive Summary):
Patch Compliance: 98.5% (Mar 2026)
Critical Patches: 12 applied / 0 pending
Reboot Compliance: 100% completed within SLA
Risk Exposure: LOW (1 instance reboot-pending)
Cost: ~$0.10/instance/month (SSM + CloudWatch Logs)
No comments:
Post a Comment