Patching

Daily Automated Patching

EC2 instances are checked daily by AWS Patch Manager (under AWS Systems Manager) and receive security-related updates, if available, to installed software and operating system files. Patches are sourced from Ubuntu repositories and apply to software packages that were previously installed as part of the base operating system and through the "apt" package management system.

Automatic Rebooting of Virtual Machine

If a reboot is necessary for the patch to take effect, AWS will do so after patches have been successfully installed. Ensure your applications are resilient and can automatically restart upon reboot.

Patching Schedule

EC2 instances are divided into two patching groups, "A" and "B", which correspond to two different patching windows (00:00 midnight and 00:30, based on the region's local time). This strategy can minimize downtime associated with reboots, assuming your architecture consists of at least two instances for each type of server, split across both groups, behind a load balancer.
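The schedule above only avoids downtime if every server type actually has instances in both groups. The following script is an added example (not part of the original page and not an AWS tool) that audits a constructed instance inventory for that condition. It assumes each instance carries a hypothetical "Role" tag naming its server type and the "Patch Group" tag that Patch Manager uses to place an instance in a patch group; the window times are the ones stated in this page.

```python
"""Audit whether each server role survives the nightly patch reboot.

Added example, not from the original page. Assumptions: instances carry a
'Role' tag (hypothetical name) and a 'Patch Group' tag valued 'A' or 'B'.
"""
from collections import defaultdict

# Patch windows from the page: group A at 00:00, group B at 00:30 local time.
PATCH_WINDOWS = {"A": "00:00", "B": "00:30"}

# Constructed sample inventory, shaped loosely like describe-instances output.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa", "Tags": {"Role": "web", "Patch Group": "A"}},
    {"InstanceId": "i-0bbb", "Tags": {"Role": "web", "Patch Group": "B"}},
    {"InstanceId": "i-0ccc", "Tags": {"Role": "api", "Patch Group": "A"}},
    {"InstanceId": "i-0ddd", "Tags": {"Role": "api", "Patch Group": "A"}},
    {"InstanceId": "i-0eee", "Tags": {"Role": "worker", "Patch Group": "B"}},
    {"InstanceId": "i-0fff", "Tags": {}},  # untagged: not covered by either window
]


def audit_patch_groups(instances):
    """Return {role: [finding, ...]}; roles absent from the result are OK.

    A role is flagged when it has fewer than two instances or when all of its
    instances sit in the same patch group, since either case means every
    instance of that role reboots in the same window.
    """
    by_role = defaultdict(lambda: defaultdict(list))
    findings = defaultdict(list)

    for inst in instances:
        tags = inst.get("Tags", {})
        role = tags.get("Role")
        group = tags.get("Patch Group")
        if role is None or group not in PATCH_WINDOWS:
            # Untagged or mis-tagged instances fall outside the A/B scheme.
            findings["_untagged"].append(inst["InstanceId"])
            continue
        by_role[role][group].append(inst["InstanceId"])

    for role, groups in by_role.items():
        total = sum(len(ids) for ids in groups.values())
        if total < 2:
            (only,) = groups
            findings[role].append(
                f"single instance {groups[only][0]} reboots at {PATCH_WINDOWS[only]}"
            )
        elif len(groups) < 2:
            (only,) = groups
            findings[role].append(
                f"all {total} instances in group {only}: reboot together at {PATCH_WINDOWS[only]}"
            )
    return dict(findings)


if __name__ == "__main__":
    for role, issues in sorted(audit_patch_groups(SAMPLE_INSTANCES).items()):
        for issue in issues:
            print(f"{role}: {issue}")
```

In the sample data, "web" passes, "api" is flagged because both instances reboot at 00:00, "worker" is flagged as a single instance, and the untagged instance is reported separately so it can be brought under Patch Manager.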

Accessing Patch Logs

A history of patching tasks is available in Patch Manager (under the Reporting tab) for up to two weeks. In addition, long-term results are retained for up to a year in a CloudWatch Logs group named patching.