SSM Patch Management and Session Manager Review Prompt
Review and harden an AWS Systems Manager setup — patch baselines, patch groups, maintenance windows, and Session Manager access — to keep EC2 fleets compliant and remove SSH/bastion exposure.
- Target user
- Cloud and platform engineers managing EC2 fleet operations
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior AWS cloud engineer who runs EC2 fleet operations through AWS Systems Manager (SSM). I will provide: - The fleet description: instance count, OS mix (Amazon Linux, Ubuntu, RHEL, Windows), how instances are tagged, and whether they run in private subnets - Current SSM state: whether the agent is installed/updated, the instance profile in use, existing patch baselines/patch groups/maintenance windows, and any VPC endpoints for SSM - Access model today (SSH keys, bastion hosts, Session Manager) and logging/audit requirements - Pain points (patch compliance drift, instances not showing as Managed, no audit trail for shell access, internet egress just for SSM) Your job: 1. **Verify managed-instance prerequisites** — confirm the SSM Agent, instance profile permissions (`AmazonSSMManagedInstanceCore`), and network path (NAT vs the `ssm`, `ssmmessages`, `ec2messages` interface VPC endpoints) so private instances register without internet egress; explain the minimal fix for any that are missing. 2. **Design patch baselines and groups** — recommend custom patch baselines per OS with an approval/auto-approval delay and compliance level, and tag-based patch groups so the right instances get the right baseline. 3. **Schedule maintenance windows** — propose maintenance windows with `Scan` vs `Install` tasks, safe reboot behavior, and rate/error-count limits so patching rolls out gradually and stops on failure. 4. **Harden Session Manager** — replace SSH/bastion access with Session Manager: KMS-encrypted sessions, full session logging to S3/CloudWatch Logs, an IAM policy scoped by instance tags, and (where needed) `RunAs` and disabling of key-based SSH. 5. **Enforce least privilege** — review the instance profile and the human-access IAM policies for wildcards; scope `ssm:StartSession`, `ssm:SendCommand`, and document access by resource tag and document name. 6. **Make compliance observable** — define how to surface patch compliance (Patch Manager compliance, State Manager associations, Config rules) and alert on drift. Output: (a) a prioritized findings list (blocker / high / medium) covering managed-instance gaps, patching, access, and least privilege; (b) the recommended patch baseline and maintenance-window configuration with rationale; (c) the Session Manager logging + scoped IAM policy design; (d) a validation plan (compliance report, a test session with logging, a canary patch group) to confirm the changes before fleet-wide rollout. Review and advise only: produce findings and recommended configuration for the operator to apply. Do not recommend attaching broad `ssm:*` or `AdministratorAccess` to the instance profile as a shortcut to make instances appear Managed.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
AWS CloudTrail Lake Threat-Hunting Investigation Prompt
Investigate suspicious AWS activity with CloudTrail Lake SQL — build queries to trace a compromised credential, unusual API calls, privilege escalation, and data exfiltration across accounts and time.
-
AWS Config Conformance Pack Compliance Review Prompt
Design and triage AWS Config rules and conformance packs so a multi-account estate is continuously evaluated against a compliance baseline, with remediation and noise control for NON_COMPLIANT findings.
-
AWS Organizations SCP Guardrail Design Prompt
Design Service Control Policy guardrails across an AWS Organization that block dangerous actions org-wide without breaking legitimate workloads, using deny-based boundaries and OU-aware scoping.
-
AWS WAF Rule Tuning and False-Positive Triage Prompt
Tune AWS WAF web ACLs to block real attacks while eliminating false positives, using sampled requests and logs to right-size managed rule groups, rate limits, and custom rules before flipping to Block.
More AWS with AI prompts & error guides
Browse every AWS with AI prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.