patchmanagement-usecase

Multi-Org AWS Patch Management at Scale

A large energy company required a comprehensive AWS patching solution that would allow the owners of 2,500 AWS accounts across multiple AWS Organizations to efficiently view their EC2 instances’ patch statuses and schedule patching in bulk. The goal was to extend AWS Systems Manager (SSM) Patch Management to align with the company’s risk profile while providing comprehensive reporting and integration with existing enterprise tools.

5

AWS Organisations

2500+

AWS Accounts

6000+

EC2 Instances

1

Patching Solution

Challenges:

Managing patch visibility and scheduling across thousands of AWS accounts within multiple AWS Organizations.
Adapting SSM Patch status reporting to accommodate the company’s custom risk assessment criteria.
Automating patch scheduling for different workloads with minimal manual intervention.
Providing seamless integration with ServiceNow for incident tracking and compliance reporting.
Ensuring a scalable and cost-effective solution using native AWS services.

Solution Implemented: To meet the requirements, AWS native solutions were leveraged to enhance the existing SSM Patch Management capabilities:

Patch Visibility & Centralized Data Aggregation
AWS Systems Manager (SSM) Patch Manager was configured to align with the company’s risk profile.
A centralized logging account was utilized to aggregate multi-organizational patch compliance data.
AWS Glue & Athena were used to process and analyze patch compliance data across multiple accounts and organizations.
SSM Automation for Patch Scheduling & Execution
AWS Step Functions orchestrated automated workflows.
AWS Lambda handled scheduling logic and reconciliation reports.
API Gateway provided a centralized API endpoint for triggering patch jobs across multiple accounts and organisations.
EventBridge was used in conjunction with SSM Automation and Step Functions to provide real-time feedback to the ServiceNow UI.
ServiceNow integration allowed IT teams to track patching activities, incidents, and compliance requirements.
Amazon SNS & EventBridge ensured stakeholders received real-time notifications of patch status updates.

Results & Benefits:

✅ Centralized Patch Visibility – All AWS account owners could view real-time EC2 patch status across organizations.
✅ Automated & Risk-Based Patching – Patch scheduling aligned with corporate risk policies, reducing security exposure.
✅ Improved Compliance & Reporting – Automated dashboards and ServiceNow integration streamlined compliance tracking.
✅ Scalable & Cost-Effective – The solution leveraged AWS-native services, reducing operational overhead.

Conclusion:

By utilizing AWS Systems Manager Patch Manager, alongside AWS Glue, Athena, Step Functions, EventBridge, and ServiceNow integration, the company automated and improved patch compliance across 2,500 AWS accounts. This scalable, risk-aligned approach enhanced security posture, reduced manual effort, and ensured regulatory compliance at scale.

Multi-Org AWS Patch Management at Scale

5

2500+

6000+

1

Challenges:

Conclusion:

Let’s get in touch!