Patching Spectre and Meltdown is Easy with AWS Systems Manager | Skeddly

Most likely you have heard about Spectre and Meltdown by now. It’s all over the news. As an IT or DevOps engineer, it’s now your job to patch your EC2 instance operating systems.

This task can be “fun” if you need to SSH/RDP into every EC2 instance and apply patches. Or, it can be truly fun if you decide to use AWS Systems Manager to apply patches to your OS.

AWS Systems Manager, previously known as Amazon System Service Manager (SSM), is a sub-service of AWS where you can manage tasks on your AWS infrastructure, such as executing commands on your EC2 instances. You can use this system to apply patches to your OS and install software.

AWS has published a detailed document on the state of Spectre and Meltdown across AWS. It includes instructions for updating the various operating systems with the necessary kernel patches.

For example, you can apply the following command to your Amazon Linux EC2 instance to update the kernel:

sudo yum update kernel

If you want to SSH into every EC2 instance you have, be my guest. But it will be much easier to use AWS Systems Manager. Just spin up a shell and execute the following AWS CLI command:

aws ssm send-command \
    --document-name AWS-RunShellScript \
    --instance-ids i-xxxx \
    --parameters commands="yum install -y kernel"

Here, we’re adding the -y parameter to assume “yes” to any prompts: yum asks for confirmation before applying updates, and with Run Command there is no keyboard attached to press y.

After you execute the above command, you’ll need to wait a few minutes for the update to complete on the EC2 instance. Once complete, you’ll see something like the following in the command log:

Loaded plugins: priorities, update-motd, upgrade-helper
Resolving Dependencies
--> Running transaction check
---> Package kernel.x86_64 0:4.9.75-25.55.amzn1 will be installed
--> Finished Dependency Resolution
--> Running transaction check
---> Package kernel.x86_64 0:4.9.51-10.52.amzn1 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

 Package      Arch         Version                     Repository          Size
 kernel       x86_64       4.9.75-25.55.amzn1          amzn-updates        18 M
 kernel       x86_64       4.9.51-10.52.amzn1          @amzn-main          71 M

Transaction Summary
Install  1 Package
Remove   1 Package

Total download size: 18 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : kernel-4.9.75-25.55.amzn1.x86_64                             1/2 
  Cleanup    : kernel-4.9.51-10.52.amzn1.x86_64                             2/2 
  Verifying  : kernel-4.9.75-25.55.amzn1.x86_64                             1/2 
  Verifying  : kernel-4.9.51-10.52.amzn1.x86_64                             2/2 

  kernel.x86_64 0:4.9.51-10.52.amzn1                                            

  kernel.x86_64 0:4.9.75-25.55.amzn1                                            


If you see some “No such file or directory” warnings in the output, don’t worry about them.

You can do this individually for each EC2 instance from the same shell, or you can script it.
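One way to script the fan-out and the follow-up check, as an added example in shell using the AWS CLI (not code from the Skeddly post): it targets instances by tag instead of listing instance IDs, polls the command until every invocation has finished, and pulls the installed kernel version out of each instance’s output. It assumes the AWS CLI already has credentials and a region, that SSM Agent is registered on the instances, and that the tag key and value are placeholders you replace.

```shell
# Added example, not from the Skeddly post. Assumes AWS CLI credentials/region
# and registered SSM Agents; TAG_KEY/TAG_VALUE are placeholder tag names.
set -eu
TAG_KEY="${TAG_KEY:-PatchGroup}"
TAG_VALUE="${TAG_VALUE:-spectre-meltdown}"
# Target by tag rather than a list of instance IDs; prints the command ID.
send_kernel_update() {
  aws ssm send-command --document-name AWS-RunShellScript \
    --targets "Key=tag:${TAG_KEY},Values=${TAG_VALUE}" \
    --parameters '{"commands":["yum install -y kernel"]}' \
    --query 'Command.CommandId' --output text
}

# Poll until invocations exist and none is still Pending or InProgress.
wait_for_command() {
  cmd_id="$1"
  while :; do
    set -- $(aws ssm list-command-invocations --command-id "$cmd_id" --output text \
      --query '[length(CommandInvocations), length(CommandInvocations[?Status==`Pending` || Status==`InProgress`])]')
    [ "$1" -gt 0 ] && [ "$2" -eq 0 ] && return 0
    sleep 15
  done
}

# Pure text filter: from yum output on stdin, print the version from the
# "Installing : kernel-<version>.x86_64" line, or nothing if no kernel was installed.
installed_kernel_version() {
  sed -n 's/^ *Installing *: *kernel-\([0-9][^ ]*\)\.x86_64.*/\1/p' | head -n 1
}

# One line per instance: instance ID, SSM status, kernel version installed (or none).
report_results() {
  cmd_id="$1"
  aws ssm list-command-invocations --command-id "$cmd_id" \
      --query 'CommandInvocations[].InstanceId' --output text | tr '\t' '\n' |
  while read -r id; do
    [ -n "$id" ] || continue
    status=$(aws ssm get-command-invocation --command-id "$cmd_id" \
      --instance-id "$id" --query Status --output text)
    ver=$(aws ssm get-command-invocation --command-id "$cmd_id" \
      --instance-id "$id" --query StandardOutputContent --output text | installed_kernel_version)
    printf '%s\t%s\t%s\n' "$id" "$status" "${ver:-none}"
  done
}

# Only run the workflow when asked to, so the functions can be sourced or tested.
if [ "${1:-}" = "--run" ]; then
  cmd_id=$(send_kernel_update); wait_for_command "$cmd_id"; report_results "$cmd_id"
fi
```

Run it with --run to execute against your account. The new kernel only takes effect after each instance is rebooted, which the script deliberately leaves to you.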

Other operating systems (Ubuntu, Windows) need different update commands, but delivering them with the same send-command CLI call makes the job easier.

Automate This Using Skeddly

Using Skeddly, you can automate this even further. Using Skeddly’s “Send SSM Command” action, you can easily send these commands to all your EC2 instances at once (or a subset if needed).

About Skeddly

Skeddly is the leading managed scheduling service for your AWS account. Using Skeddly, you can:

  • Reduce your AWS costs,
  • Schedule snapshots and images, and
  • Automate many DevOps and IT tasks.

Sign up for our 30-day free trial or sign in to your Skeddly account to get started.