AWS Cloud Operations Blog

Manage AMI updates for AWS Auto Scaling groups with AWS Lambda and AWS Systems Manager

Keeping Amazon Machine Image (AMI) up-to-date with the latest patches and updates is a critical task for organizations using AWS Auto Scaling group . However, manually patching AMIs and updating Auto Scaling groups can be time-consuming for your teams and error-prone. This blog post presents a solution to automate the process of updating AMIs for Auto Scaling groups using AWS services like AWS Systems Manager, AWS Lambda, and Parameter Store, a capability of AWS Systems Manager.

The key challenge is ensuring that Auto Scaling groups always launch new instances from the latest, patched AMI. This solution leverages Systems Manager Automation to patch the current “golden” AMI, create a new AMI from the patched instance, and update the AMI ID stored in Parameter Store. Auto Scaling groups can then reference this updated AMI ID parameter to launch new instances from the latest patched AMI.

By combining Automation runbooks, Lambda functions, and Parameter Store, you can establish an automated pipeline to keep your AMIs consistently up-to-date with minimal manual effort. This solution provides a scalable and repeatable approach to maintaining a secure and compliant AWS infrastructure.

Solution Overview:
The architecture of the solution can be broken down into six steps. Which are outlined in Figure 1.

  1. Launch an instance from Source AMI mentioned in SSM Parameter Store
  2. Executes SSM Run Command that applies the vendor updates to the instance
  3. Stops the instance
  4. Creates a new AMI
  5. Terminates the original instance
  6. Update the parameter store using Lambda

Figure 1 – Architecture Diagram for updating AMI ID using SSM and lambda

Prerequisites:

  • You need to have an AWS account.
  • You should have an existing Auto Scaling group that you want to update with new AMIs.
  • Your EC2 managed nodes must be configured with the AWS Systems Manager Agent (SSM Agent). For more information, see Setting up AWS Systems Manager.
  • AWS Identity and Access Management (IAM) roles for Lambda and Automation.
  • (Optional) SSM VPC endpoints for managing private EC2 instances without internet access

Note:
The IAM roles for automation will be deployed by the AWS Cloudformation template.

Solution Setup Steps

Task 1: Deploy Cloudformation template.

  1. Download the UpdateMyLatestASGAmi.yml CloudFormation template from the GitHub repository.
  2. Sign in to the AWS Management Console and open the CloudFormation service.
  3. Click Create stack and then choose With new resources (standard).
  4. Under Prerequisite – Prepare template, select Template is ready.
  5. Under Specify template, select Upload a template file.
  6. Click Choose file and select the UpdateMyLatestASGAmi.yml file you downloaded from GitHub.
  7. Click Next.
  8. On the Specify stack details page, provide a Stack name (e.g., UpdateMyLatestASGAmi).
  9. Click Next.
  10. On the Configure stack options page, leave the defaults and click Next.
  11. On the Review page, scroll down, check the box to acknowledge that CloudFormation might create IAM resources, and click Create stack.

Wait for the CloudFormation stack to reach the “CREATE_COMPLETE” status, which may take a few minutes.

IMPORTANT:
The CloudFormation template uses the Amazon Linux 2023 image as an example in the us-east-1 region. To find the AMI ID for this image in another region, please follow these steps.

Task 2: Create a Parameter in SSM Parameter Store for the AMI ID

Create a string parameter in Parameter Store that uses the following information:

  • Name: latestAmi
  • Value: An AMI ID. For example: ami-0f9fc25dd2506cf6d
  • Data Type: aws:ec2:image

An example is displayed, in Figure 2.

Enter the Parameter store details as shown.

Figure 2: Create a parameter in SSM parameter store

Task 3: Create an AWS Lambda function

  1. Sign in to the AWS Management Console and open the AWS Lambda console at https://console.thinkwithwp.com/lambda/.
  2. Choose Create function.
  3. On the Create function page, choose Author from scratch.
  4. For Function name, enter Automation-UpdateSsmParam.
  5. For Runtime, choose Python 3.12.
  6. For Architecture, select the type of computer processor for Lambda to use to run the function, x86_64 or arm64.
  7. In the Permissions section, expand Change default execution role.
  8. Choose Use an existing role, and then choose the service role for Lambda that was created in the CloudFormation template, amiLambdaRole.
  9. Choose Create function.
  10. In the Code source area, on the lambda_function tab, delete the pre-populated code in the field, and then paste the code sample from this GitHub link.
  11. Choose File, Save.
  12. To test the Lambda function, from the Test menu, choose Configure test event.
  13. For Event name, enter a name for the test event, such as MyTestEvent.
  14. Replace the existing text with the following JSON. Replace AMI ID with your own information to set your latestAmi parameter value. 
    {
   "parameterName":"latestAmi",
   "parameterValue":"AMI ID"
}
  15. Choose Save.
  16. Choose Test to test the function. On the Execution result tab, the status should be reported as Succeeded, along with other details about the update.

Task 4: Update the Launch Template for the ASG to point to SSM parameter store

To update a launch template that specifies a parameter for the AMI, use the following method:

    1. Open the Amazon EC2 console at https://console.thinkwithwp.com/ec2/.
    2. In the navigation pane, choose Launch Templates, and then choose the Launch Template ID that was deployed by the CloudFormation template and select Actions > Modify template.
    3. Under Application and OS Images (Amazon Machine Image), choose Browse more AMIs.Figure 3 – Browse more AMIs
    4.  Choose the arrow button to the right of the search bar, and then choose Specify custom value/Systems Manager parameter.Specify Systems Manager Parameter as the AMI to use. Figure 4 – choose Specify custom value/Systems Manager parameter.
    5. In the Specify custom value or Systems Manager parameter, enter “resolve:ssm:latestAmi” Specify custom value or systems manager parameterFigure 5 – Specify custom value or Systems Manager parameter
    6.  Save the changes and select “Create template version”.
    7.  Ensure you have the new version is the “default version”.
      select default version
      Figure 6 – Set the template to Default Version

Task 5: Create an Automation Runbook
Use the following procedure to create and run a runbook that patches the AMI you specified for the latestAmi parameter. After the automation completes, the value of latestAmi is updated with the ID of the newly-patched AMI. This approach ensures that new images are automatically made available to different computing environments that use Auto Scaling groups.

To create and run the runbook

  1. Navigate to the AWS Systems Manager console by visiting https://console.thinkwithwp.com/systems-manager/.
  2. In the left-hand navigation pane, select “Documents”.
  3. Click on “Create document” and then choose “Automation” from the options presented.
  4. In the visual editor that appears, locate the default name in the top left corner. Click on it and change it to “UpdateMyLatestAmi”.
  5. Look for a toggle switch that allows you to switch between “Design” and “Code” views. Switch it to “Code” view.
  6.  In the code editor that appears, you can input run book code from this link
  7.  Choose Create automation.
  8. In the navigation pane, choose Automation, and then choose Execute automation.
  9. In the Choose document page, choose the Owned by me tab.
  10. Search for the UpdateMyLatestAmi runbook, and select the button in the UpdateMyLatestAmi card.
  11. Choose Next.
  12. Choose Simple execution.
  13. Specify values for the input parameters.
  14. Choose Execute.
  15. After the automation completes, choose Parameter Store in the navigation pane and confirm that the new value for latestAmi matches the value returned by the automation. You can also verify the new AMI ID matches the Automation output in the AMIs section of the Amazon EC2 console.

Note:

When you specify aws:ec2:image as the data type for a parameter, Systems Manager doesn’t create the parameter immediately. It instead performs an asynchronous validation operation to ensure that the parameter value meets the formatting requirements for an AMI ID, and that the specified AMI is available in your AWS account.

A parameter version number might be generated before the validation operation is complete. The operation might not be complete even if a parameter version number is generated.

Optional: Setting up Notifications Based on Parameter Store Events

You can set up notifications to be alerted when a Parameter Store parameter is updated, deleted, or created. This can be useful for monitoring changes to the latestAmi parameter and receiving notifications when it is updated with a new AMI ID.

To set up notifications, you can configure AWS CloudWatch Events to capture Parameter Store events and send notifications to an Amazon SNS topic. Here’s a high-level overview of the process:

  1. Create an Amazon SNS topic that will receive the notifications.
  2. In the CloudWatch console, create a new event rule to capture Parameter Store events for the specific parameter(s) you want to monitor (e.g., latestAmi).
  3. Add the Amazon SNS topic you created as a target for the event rule.
  4. Configure subscribers (e.g., email addresses) to the SNS topic to receive notifications.

You can follow the detailed instructions in the AWS Systems Manager User Guide: Monitoring AWS Systems Manager Parameter Store Events.

You can automate and schedule the monitoring process using SSM Maintenance windows to ensure that checks are performed consistently without manual intervention. This setup provides a reliable way to keep track of changes in the Parameter Store, enhancing security and operational visibility. It also enhances security and operational visibility.

Cleanup
If you decide you no longer want to keep the Lambda and its associated resources, you can go to the CloudFormation section in the AWS Console, select the stack (named during deployment), and choose Delete. All resources will be deleted except for the Lambda function and SSM Parameters, which were created manually.

Summary

This blog demonstrates how to automatically keep AMIs up-to-date for Auto Scaling groups by leveraging AWS Systems Manager Automation, Lambda, and Parameter Store. You can schedule this automation to run routinely using AWS Systems Manager Maintenance Windows, ensuring your infrastructure consistently uses the latest, fully patched AMIs without manual effort. Instead of manually patching AMIs, you can set up an automated workflow to patch the current golden AMI, create a new patched AMI version, and update the AMI parameter referenced by your Auto Scaling groups.

While this use case focused on patching AMIs, the automation capabilities of AWS Systems Manager can be extended to consistently maintain other aspects of your AWS environment. To learn more about other AWS services and features that integrate, we recommend that you review SSM automations.

Terri Johnson

Terri is a Senior Solutions Architect supporting customers in the Transportation and Logistics industries. Terri is also an official AWS Mentor for junior Solution Architects and for members of the Amazon Military Apprentice Program. The Military Apprenticeship program at AWS helps members of the military community—veterans and their spouses—transition to careers in cloud computing. She has been with Amazon Web Services for over 6 years, and began her career in the AWS Public Sector (2018), as a Partner SA supporting large Global AWS Partners.

Tsega Tefera

Tsega Tefera is a Solutions Architect at AWS , supporting financial service customers. She specializes in cloud operations and AI/ML, helping customers streamline and optimize their cloud infrastructure and processes. In her free time, she likes to spend time with her family and friends. Tsega also enjoys studying apologetics as an intellectual pursuit.