AWS, Cloud Computing, DevOps

4 Mins Read

Centralized Amazon EC2 Patching Across AWS Accounts with SSM and Terraform

Voiced by Amazon Polly

Overview

Managing patch compliance across multiple AWS accounts is a growing challenge in large-scale cloud environments. This blog explores how to centrally manage and automate EC2 patching across AWS accounts using AWS Systems Manager (SSM) and Terraform.

By adopting a centralized patching architecture, organizations can:

  • Enforce consistent security policies from a master account
  • Share AWS-managed patch baselines across child accounts.
  • Automate patch deployment via SSM Associations and Maintenance of Windows
  • Maintain compliance visibility across accounts using native AWS tools
  • Scale seamlessly with modular, Terraform-based infrastructure

This guide walks through the prerequisites, AWS IAM configuration, tagging strategy, terraform implementation steps, and architecture design needed to implement this solution. Whether you’re a security engineer or a DevOps professional, this approach provides a scalable, secure, and auditable way to manage patching across AWS environments.

Pioneers in Cloud Consulting & Migration Services

  • Reduced infrastructural costs
  • Accelerated application deployment
Get Started

Introduction

As organizations scale their AWS infrastructure, managing consistent patching policies across multiple accounts becomes crucial for security and compliance. AWS Systems Manager (SSM) simplifies patching automation and allows for the sharing of patching baselines from a central account to multiple child accounts.

In this blog, we walk through how to implement cross-account SSM patching using Terraform, enabling centralized control while allowing distributed execution across accounts.

Why We Are Doing This?

  • Centralized Control: Manage and enforce patch compliance policies from a single security or DevOps account.
  • Scalability: Easily extend the patching solution across dozens or hundreds of AWS accounts without manual setup.
  • Security and Compliance: Ensure consistent patching of vulnerabilities to meet regulatory standards (e.g., CIS, HIPAA).
  • Cost Optimization: Avoid redundant configuration and tool sprawl using AWS-native features like SSM.
  • Audit Readiness: Maintain visibility and traceability of patching operations across your organization.

Prerequisites

Before getting started, ensure you have the following:

  • Terraform (>=1.0.0) installed on your local machine
  • AWS CLI configured for both central (master) and child accounts
  • IAM permissions to create and manage SSM and Amazon EC2 resources
  • Tags applied to Amazon EC2 instances to group them for patching (e.g., Patch Group)
  • A proper role in child accounts allowing SSM to run patching commands
  • Cross-account trust relationship configured if assuming roles between accounts

Terraform Checklist

Before you begin writing infrastructure code, consider the following:

  • Understand the Use Case
    • Define the objective (e.g., centralized patching using AWS-managed patch baselines)
    • Identify participating AWS accounts and their roles (master and child)
  • Identify Required Services
    • AWS Systems Manager (SSM)
    • AWS Identity and Access Management (IAM)
    • Amazon EC2 (for tagging and patching targets)
  • Design the Architecture
    • Master account uses AWS default patch baseline
    • Child accounts associate Amazon EC2 tags and automate patching
  • Define AWS IAM Requirements
    • AWS Systems Manager (SSM) execution role for patching in child accounts
    • Role assumption policies between accounts
  • Write and Organize Terraform Code
    • Separate files/modules for patch group and automation
    • Use variables.tf, main.tf, and outputs.tf for modular structure
    • Include tagging, versioning, and logging where possible
  • Testing & Validation
    • Ensure Amazon EC2 instances are tagged correctly
    • Simulate patch execution via manual association run or maintenance window

Step-by-Step Implementation

Step 1: Use Default Patch Baseline in Master Account

step1

step1b

Step 2: Use Patch Baseline in Child Account

step2

Patch baselines for Child account created same as Master account

step2b

This ensures all Amazon EC2 instances tagged with Patch Group = Child-Prod-Group are patched automatically every week.

Step 3 (Optional): Automate Patching with Maintenance Window

step3

Once you run the terraform code, the Configuration of the Master Account SSM looks like this:

step3b

Target as selected:

step3c

After the AWS Systems Manager (SSM) Patching is done, it looks like this in the Child Account

step3d

Benefits

table

Use Case

A central AWS account (Security or DevOps account) maintains patching standards and compliance requirements. Multiple child accounts host workloads that must adhere to the same patching standards.

The goal:

  • Define and manage patch baselines centrally
  • Automate patch application via SSM Associations and optionally Maintenance Windows Conclusion

Cross-account SSM patching helps enforce uniform security policies at scale. With Terraform, you can automate the setup of patch baselines and patch enforcement through SSM Associations or Maintenance Windows. This approach ensures security compliance and reduces manual overhead in managing multi-account environments.

Conclusion

Implementing cross-account SSM patching with Terraform allows organizations to centralize patch compliance, automate updates across environments, and maintain security standards at scale.

By leveraging AWS-native services like AWS Systems Manager, Resource Access Manager, and AWS IAM roles, teams can enforce uniform patch baselines from a single account and ensure consistent operations across multiple child accounts. This improves security and audit readiness and reduces manual overhead, enabling DevOps and security teams to focus on higher-value tasks.

Drop a query if you have any questions regarding SSM patching and we will get back to you quickly.

Empowering organizations to become ‘data driven’ enterprises with our Cloud experts.

  • Reduced infrastructure costs
  • Timely data-driven decisions
Get Started

About CloudThat

CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.

CloudThat is the first Indian Company to win the prestigious Microsoft Partner 2024 Award and is recognized as a top-tier partner with AWS and Microsoft, including the prestigious ‘Think Big’ partner award from AWS and the Microsoft Superstars FY 2023 award in Asia & India. Having trained 850k+ professionals in 600+ cloud certifications and completed 500+ consulting projects globally, CloudThat is an official AWS Advanced Consulting Partner, Microsoft Gold Partner, AWS Training PartnerAWS Migration PartnerAWS Data and Analytics PartnerAWS DevOps Competency PartnerAWS GenAI Competency PartnerAmazon QuickSight Service Delivery PartnerAmazon EKS Service Delivery Partner AWS Microsoft Workload PartnersAmazon EC2 Service Delivery PartnerAmazon ECS Service Delivery PartnerAWS Glue Service Delivery PartnerAmazon Redshift Service Delivery PartnerAWS Control Tower Service Delivery PartnerAWS WAF Service Delivery PartnerAmazon CloudFront Service Delivery PartnerAmazon OpenSearch Service Delivery PartnerAWS DMS Service Delivery PartnerAWS Systems Manager Service Delivery PartnerAmazon RDS Service Delivery PartnerAWS CloudFormation Service Delivery PartnerAWS ConfigAmazon EMR and many more.

FAQs

1. What is cross-account SSM patching?

ANS: – Cross-account SSM patching refers to using AWS Systems Manager (SSM) to automate the patching of Amazon EC2 instances across multiple AWS accounts from a centralized (master) account. It shares patch baselines and enables centralized control with distributed execution.

2. Why should I centralize patch management?

ANS: – Centralizing patch management provides better governance, enforces consistent security policies, reduces duplication of effort, and simplifies auditing. It also helps in scaling patching practices across multiple AWS accounts securely and efficiently.

WRITTEN BY Abhiram Konidena

Share

PREV

NEXT

Comments

    Click to Comment

Related Resources

AWS

Optimizing IAM Role Permissions for External Access Using IAM

By Avinash Singh Bundela

Jun 19, 2025

AWS, Cloud Computing, Data Analytics

Simplifying AI Integration with the Model Context Protocol and

By Parth Sharma

Jun 19, 2025

Cloud Computing, Data Analytics

Understanding Apache Spark Architecture for Scalable Data Processing

By Aritra Das

Jun 19, 2025

Cloud Computing, DevOps

Building Scalable CI/CD Pipelines with Jenkins

By Riyazuddin

Jun 19, 2025

AWS, Cloud Computing

Securing Your AWS Resources with AWS WAF

By subhashree

Jun 19, 2025

AI/ML, Cloud Computing, Data Analytics

Automating Neural Network Design with Reinforcement Learning and NAS

By Abhishek Mishra

Jun 18, 2025

AWS, Cloud Computing

Migrating MongoDB to a Multi-Node Replica Set on Amazon

By Dhruv Rajeshbhai Patel

Jun 18, 2025

AWS, Cloud Computing, Data Analytics

Exporting Filtered AWS CloudTrail Lake Events to Amazon S3

By Rachana Kampli

Jun 18, 2025

AI/ML, AWS, Cloud Computing

Turning Sales Calls and Strategy Sessions into Actionable Intelligence

By Akanksha Choudhary

Jun 18, 2025

AWS

Authenticated Access with AWS Cognito Identity Pools: Create a

By Siddiq Pasha

Jun 18, 2025

Get The Most Out Of Us

Our support doesn't end here. We have monthly newsletters, study guides, practice questions, and more to assist you in upgrading your cloud career. Subscribe to get them all!