AWS Cloud Operations & Migrations Blog
TCS hybrid cloud patch management at scale using AWS Systems Manager
By Giridharan Varatharajan, Cloud Delivery Platform Architecture lead at TCS and Madhavan Ananthachari, Cloud Delivery Platform Engineering lead at TCS
Now that multitenancy in the cloud is driving IT operation costs down, large enterprises are seeking seamless service delivery methods that address day-to-day activities in your cloud environment. AWS partner Tata Consultancy Services (TCS) has developed a Centralized Multi-Tenant Cloud Delivery Platform to help enterprises implement a default service mechanism to remove duplication of IT services and achieve agility for their cloud operations.
The TCS platform provides cloud service delivery addressing key functionalities such as monitoring, incident, change, release, and problem management along with cost management and security operations, including patch management. To support enterprises, this platform manages cloud services across multiple operating systems, and it addresses the need for an integrated and automated patch management solution.
Hybrid cloud patch management
Typically, OEMs release timely patches for security, bug fixes, or feature enhancements. However, an enterprise that doesn’t have a standardized approach to patch management can be exposed to cyber risks and non-optimized operating environments. Patch management in a hybrid cloud environment is either carried out manually or is fully or partially automated. Tools often operate in silos to manage the patching needs within an organization.
The following figure shows a typical process for deploying security and patch updates. The frequency of patch management and the timelines for these deployments vary from customer to customer.
The solution, which includes configuration approval and review steps, must be tailored to each customer. Process steps will be tested before the solution is rolled out to the production environment.
Patch management solution using AWS Systems Manager
The market offers a multitude of patch management solutions for different operating systems, with each solution operating through an independent console. AWS Systems Manager provides a unified console to manage patching across multiple operating systems.
TCS decided to build a patch management solution in its Cloud Delivery Platform for hybrid cloud scenarios by utilizing AWS Systems Manager. These are the key value propositions for using AWS Systems Manager Patch Manager:
- Easy deployment: centralized patch management is available as a service in AWS.
- Controlled access using defined AWS Identity and Access Management (IAM) roles.
- A highly scalable solution that is managed by AWS and consumed as a service.
- A cost-efficient patch management solution for hybrid cloud.
We used the following components to achieve a patch management solution using AWS Systems Manager:
- AWS Systems Manager Patch Manager.
- AWS Systems Manager Maintenance Windows.
- Windows Server Update Services (WSUS).
- Red Hat Satellite server.
- Integration with an enterprise’s IT service management (ITSM) for change approvals.
- Integration with an enterprise’s vulnerability management systems.
Patch management workflow using AWS Systems Manager
During deployment, the automated workflow collects the Amazon EC2 instance Patch Group and the Maintenance Window. After the machine build, IT assets automatically become a part of our Patch Management Lifecycle based on the Patch Group. Security and Update patches are applied, followed by the approval workflow.
Deployment of patches using AWS Systems Manager
In the following steps, we take you through how to achieve centralized Patch Management.
- Obtain the maintenance schedule for application servers from the application owners by doing the following:
a. Make a service request while requesting servers and resources to be deployed.
b. Perform a vulnerability assessment discovering the patch compliance.
- After you define the maintenance schedule for the managed systems, configure the schedule in Maintenance Windows of AWS Systems Manager.
- Group the managed systems based on the maintenance schedule and tag them appropriately by group.
- Install the AWS Systems Manager agent on the clients to facilitate connectivity to the service.
- AWS Systems Manager Maintenance Windows will trigger the patching process on clients based on tags and approved patches.
- Download the list of patches from the patch repository. Deploy patches on every client based on the approved patch list. The clients do not require an internet connection.
- Servers are rebooted during the schedule.
- The application team/server owners validate the deployed patches by reviewing the compliance reports in the AWS Systems Manager console.
- So that systems requiring security/patch updates do not need internet access, configure a patch repository, for example Windows Server Update Services (WSUS) for Windows or Red Hat Satellite for Linux. Client systems will get the patches from the patch repository via the internal network.
- Set up an Amazon VPC endpoint for a private connection between managed clients and AWS Systems Manager.
- For on-premises systems, use AWS Direct Connect for any AWS Systems Manager traffic.
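The steps above map onto three Systems Manager API calls (create the Maintenance Window, register the tagged Patch Group as its target, register an AWS-RunPatchBaseline task) followed by a review of the per-instance patch states. The following Python is an added example, not TCS or AWS code: it builds the parameter dictionaries for the boto3 `ssm` client methods `create_maintenance_window`, `register_target_with_maintenance_window` and `register_task_with_maintenance_window`, and summarizes records in the shape returned by `describe_instance_patch_states` into compliant, non-compliant and reboot-pending instances per Patch Group. The window name, Patch Group tag values, role ARN, window/target ids and the patch-state records are constructed sample values; the schedule and cutoff validation is the author's own check, not part of the AWS API.

```python
"""Parameter builders and a compliance summary for SSM Patch Manager
maintenance windows. Added example; all ids, names and records are constructed."""
import re
from typing import Dict, List

# Maintenance Windows take a six-field cron(...) expression; rate(...) is also
# accepted by AWS but not handled here.
_CRON_RE = re.compile(r"^cron\((\S+\s+){5}\S+\)$")


def maintenance_window_params(name: str, schedule: str, duration_h: int,
                              cutoff_h: int, timezone: str = "UTC") -> Dict:
    """Kwargs for ssm.create_maintenance_window(). Cutoff is the number of hours
    before the window ends after which no new patch tasks are started, so it
    must be shorter than the window itself."""
    if not _CRON_RE.match(schedule):
        raise ValueError(f"bad schedule expression: {schedule!r}")
    if not 0 <= cutoff_h < duration_h:
        raise ValueError("cutoff must be non-negative and shorter than the window")
    return {
        "Name": name,
        "Schedule": schedule,
        "ScheduleTimezone": timezone,
        "Duration": duration_h,
        "Cutoff": cutoff_h,
        # Only instances explicitly registered (by tag) may be patched.
        "AllowUnassociatedTargets": False,
    }


def patch_group_target_params(window_id: str, patch_group: str) -> Dict:
    """Kwargs for ssm.register_target_with_maintenance_window(): the window
    selects instances by their 'Patch Group' tag, not by instance id."""
    return {
        "WindowId": window_id,
        "ResourceType": "INSTANCE",
        "Targets": [{"Key": "tag:Patch Group", "Values": [patch_group]}],
    }


def patch_task_params(window_id: str, window_target_id: str, role_arn: str,
                      reboot: bool = True) -> Dict:
    """Kwargs for ssm.register_task_with_maintenance_window(): run the
    AWS-RunPatchBaseline document with Operation=Install (Scan would only
    report) and let RebootOption decide whether the scheduled reboot happens."""
    return {
        "WindowId": window_id,
        "TaskArn": "AWS-RunPatchBaseline",
        "TaskType": "RUN_COMMAND",
        "ServiceRoleArn": role_arn,
        "Targets": [{"Key": "WindowTargetIds", "Values": [window_target_id]}],
        "TaskInvocationParameters": {
            "RunCommand": {
                "Parameters": {
                    "Operation": ["Install"],
                    "RebootOption": ["RebootIfNeeded" if reboot else "NoReboot"],
                },
                "TimeoutSeconds": 3600,
            }
        },
        # Roll through the group gradually; stop if patching fails widely.
        "MaxConcurrency": "10%",
        "MaxErrors": "5%",
        "Priority": 1,
    }


def summarize_patch_states(states: List[Dict]) -> Dict[str, Dict[str, List[str]]]:
    """Group describe_instance_patch_states() records by Patch Group. Missing or
    failed approved patches make an instance non-compliant; an instance that
    only awaits a reboot is listed separately so the owner can schedule it."""
    summary: Dict[str, Dict[str, List[str]]] = {}
    for s in states:
        group = summary.setdefault(
            s["PatchGroup"], {"compliant": [], "non_compliant": [], "pending_reboot": []})
        if s.get("MissingCount", 0) or s.get("FailedCount", 0):
            group["non_compliant"].append(s["InstanceId"])
        elif s.get("InstalledPendingRebootCount", 0):
            group["pending_reboot"].append(s["InstanceId"])
        else:
            group["compliant"].append(s["InstanceId"])
    return summary


# Constructed records in the shape describe_instance_patch_states returns.
SAMPLE_PATCH_STATES = [
    {"InstanceId": "i-0aaa111", "PatchGroup": "web-sunday-02", "Operation": "Install",
     "InstalledCount": 42, "MissingCount": 0, "FailedCount": 0, "InstalledPendingRebootCount": 0},
    {"InstanceId": "i-0bbb222", "PatchGroup": "web-sunday-02", "Operation": "Install",
     "InstalledCount": 39, "MissingCount": 3, "FailedCount": 0, "InstalledPendingRebootCount": 0},
    {"InstanceId": "i-0ccc333", "PatchGroup": "db-saturday-01", "Operation": "Install",
     "InstalledCount": 40, "MissingCount": 0, "FailedCount": 1, "InstalledPendingRebootCount": 0},
    {"InstanceId": "i-0ddd444", "PatchGroup": "db-saturday-01", "Operation": "Install",
     "InstalledCount": 41, "MissingCount": 0, "FailedCount": 0, "InstalledPendingRebootCount": 2},
]

if __name__ == "__main__":
    # Sunday 02:00 UTC, four-hour window, no new tasks in the last hour.
    print(maintenance_window_params("web-sunday-02", "cron(0 2 ? * SUN *)", 4, 1))
    for pg, buckets in summarize_patch_states(SAMPLE_PATCH_STATES).items():
        print(pg, buckets)
```

Against a real account the three dictionaries are passed as keyword arguments to `boto3.client("ssm").create_maintenance_window(...)`, then `register_target_with_maintenance_window(...)` with the returned `WindowId`, then `register_task_with_maintenance_window(...)` with the returned `WindowTargetId`; the summary function is fed the `InstancePatchStates` list from `describe_instance_patch_states`. Keeping `AllowUnassociatedTargets` false and selecting by the `Patch Group` tag means a host only enters the patching lifecycle once it has been tagged into a schedule, which is the control the tagging step above relies on.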
By using AWS Systems Manager at TCS in our hybrid cloud infrastructure, which consists of both Windows- and Linux-based operating systems, we were able to gain the following:
- A consistent patch management operation for the hybrid cloud environment.
- An automated Patch Management life cycle.
- A consolidated view of released, updated, approved, and rejected patches.
- Reduced operational effort on patch management and thereby reduced human effort.
- Exponentially increased patch management efficiency through automation.
About Tata Consultancy Services Ltd (TCS)
Tata Consultancy Services is an IT services, consulting and business solutions organization that delivers real results to global business, ensuring a level of certainty no other firm can match. TCS offers a consulting-led, integrated portfolio of IT, BPS, infrastructure, engineering and assurance services.