Automated & Safe EC2 Patching with SSM, Lambda & Cloudformation.

Hello All,

Our infrastructure relies heavily on Amazon EC2, making patching a critical part of our ongoing operations. While EC2 offers built-in patching support via AWS Systems Manager, managing 100+ instances across multiple AWS accounts and environments became a serious challenge.

Manual patching is time-consuming, error-prone, and hard to scale — especially across dev, staging, and production workloads.

Solution Overview:

This automation document provides a robust, repeatable, and safe solution for patching Amazon EC2 instances. It begins by creating an Amazon Machine Image (AMI) backup of the target instance so that a rollback point exists before any change is made. Patching proceeds only after the AMI has been created and has reached the 'available' state. Once patching is complete, an AWS Lambda function performs a post-patch sanity check, followed by a notification sent via Amazon SNS with detailed status and results. The entire workflow is fully automated, minimizes manual effort, keeps instances in line with the patch baseline, and is easily deployable across environments using AWS CloudFormation.

Here's how it works:

1️⃣ Pre-Patch Backup: Before patching begins, the workflow automatically creates an AMI of the target EC2 instance. This ensures a reliable rollback point in case anything goes wrong.

2️⃣ Conditional Execution: Patching only proceeds after the AMI has been successfully created and is available, so no instance is modified without a verified rollback point.

3️⃣ Patch Execution with SSM Patch Manager: SSM applies critical and security updates based on a defined patch baseline.

4️⃣ Post-Patch Sanity Check via Lambda: A Lambda function runs sanity checks (e.g., health check, service availability) post-patching.

5️⃣ Real-Time Notifications via SNS: Results are published via Amazon SNS, instantly notifying the team of patching success or failure.

Fully Replicable with CloudFormation: This entire stack is defined as a CloudFormation template, allowing it to be deployed in any AWS account within minutes — enabling standardisation across dev, test, and prod environments.

Outcome: Improved patching compliance, reduced manual effort, and built-in safety checks with automated rollback options. No more guesswork or overnight patch windows.
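The post-patch sanity check and SNS notification (steps 4 and 5) as an added Python example; this is not the author's Lambda or CloudFormation code. It assumes the Automation document invokes the function with the instance id, the backup AMI id, the SNS topic ARN and the instance's SSM patch state (the shape returned by ssm:DescribeInstancePatchStates) in the event; a FakeSns stand-in and a constructed sample event let it run offline, and an optional service_probe callable represents the service-availability check.

```python
import json
from datetime import datetime, timezone

def evaluate_patch_state(state: dict) -> list:
    """Problems in one ssm:DescribeInstancePatchStates entry; an empty list means compliant."""
    problems = []
    if state.get("Operation") != "Install":
        problems.append(f"last patch operation was {state.get('Operation')!r}, not 'Install'")
    if state.get("FailedCount", 0):
        problems.append(f"{state['FailedCount']} patch(es) failed to install")
    if state.get("MissingCount", 0):
        problems.append(f"{state['MissingCount']} baseline patch(es) still missing")
    if state.get("InstalledPendingRebootCount", 0):
        problems.append(f"{state['InstalledPendingRebootCount']} patch(es) waiting for a reboot")
    return problems

def build_notification(instance_id: str, ami_id: str, problems: list, service_ok: bool):
    """SNS subject and JSON body; the backup AMI is named so a rollback is one step away."""
    healthy = not problems and service_ok
    subject = f"[{'OK' if healthy else 'FAILED'}] EC2 patch run for {instance_id}"
    body = {"instance_id": instance_id, "backup_ami": ami_id, "problems": problems,
            "patch_compliance": "failed" if problems else "ok",
            "service_check": "ok" if service_ok else "failed",
            "rollback": None if healthy else f"restore the instance from {ami_id}",
            "checked_at": datetime.now(timezone.utc).isoformat()}
    return subject, json.dumps(body, indent=2)

def lambda_handler(event, context=None, sns_client=None, service_probe=None):
    """Lambda entry point; sns_client and service_probe are injectable so the check runs offline."""
    problems = evaluate_patch_state(event["PatchState"])
    service_ok = service_probe(event["InstanceId"]) if service_probe else True  # no probe = not checked
    subject, message = build_notification(event["InstanceId"], event["BackupAmiId"], problems, service_ok)
    if sns_client is None:
        import boto3  # only needed inside Lambda
        sns_client = boto3.client("sns")
    sns_client.publish(TopicArn=event["TopicArn"], Subject=subject[:100], Message=message)  # SNS caps Subject at 100
    return {"healthy": not problems and service_ok, "problems": problems}

class FakeSns:
    """Stand-in for boto3's SNS client so the example runs without AWS credentials."""
    def __init__(self):
        self.published = []
    def publish(self, **kwargs):
        self.published.append(kwargs)
        return {"MessageId": "constructed-message-id"}

# Constructed sample event with placeholder ids (not from the original post).
SAMPLE_EVENT = {"InstanceId": "i-0123456789abcdef0", "BackupAmiId": "ami-0placeholder0000000",
                "TopicArn": "arn:aws:sns:us-east-1:123456789012:patch-notifications",
                "PatchState": {"Operation": "Install", "FailedCount": 0, "MissingCount": 0}}
```

Running `lambda_handler(SAMPLE_EVENT, sns_client=FakeSns(), service_probe=lambda i: True)` returns a healthy verdict and records an "[OK]" message on the fake client; a failing probe or non-zero FailedCount flips it to "[FAILED]" with the backup AMI named in the rollback field.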

📊 Drop a comment if you'd like the architecture diagram or CloudFormation snippet!

Hi Imran Sayyed, looks like a good idea. I do have quite the same set-up, but done via the console; could you share the CFT with me?

Thanks for sharing, Imran. Can you share the CFT for this?
