How Are Spinup Servers Patched?

Spinup servers are patched automatically using a centralized patching system built on AWS Systems Manager (SSM). This system ensures that all virtual machines across Spinup, Spinup (High-Risk), and Spinup Plus are regularly updated with the latest security and operating system patches, without requiring manual intervention by the user.

Patch management is implemented and maintained via Terraform using custom infrastructure-as-code modules.


Patch Schedule

Patches are applied monthly through a Maintenance Window, scheduled as follows:

Environment        | Patch Time (ET)                      | Notes
-------------------+--------------------------------------+-------------------------------------------------
Spinup             | 2:00 AM on the 1st day of each month | Patches apply automatically; reboots if required
Spinup Plus        | 2:00 AM on the 1st day of each month | Uses custom patch baselines
Spinup (High-Risk) | 2:00 AM on the 1st day of each month | Enforces stricter baselines for compliance

Note: All schedules are timezone-aware (America/New_York), but defined in UTC under the hood.


What Gets Patched?

The patching process installs all approved updates from each system’s respective package manager:

  • Linux (Ubuntu, Amazon Linux, AlmaLinux):

    • Security and non-security patches

    • Uses APT (Ubuntu) or DNF/YUM (Amazon Linux / AlmaLinux)

  • Windows:

    • Critical and security updates via Windows Update service

If a patch requires a reboot, SSM handles this automatically during the maintenance window.


User Responsibilities

Most users do not need to take any action to receive patches.

However, users are expected to:

  • Avoid disabling the SSM Agent
    (Patch tasks will fail if the agent is not running)

  • Avoid removing IAM permissions from the instance role that would prevent patching

  • Ensure sufficient disk space and system health so patches can be applied cleanly

  • Avoid scheduling critical application changes during patch windows
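
A readiness check for the Linux responsibilities listed above, as an added example (not Spinup's own tooling). The 1024 MB free-space threshold, the checked mount points and the function names are assumptions; the page does not specify them.

```shell
#!/bin/sh
# Pre-patch readiness check for a Linux instance (added example).
# MIN_FREE_MB is an assumed threshold; override it in the environment.
MIN_FREE_MB="${MIN_FREE_MB:-1024}"

# systemd unit names used by the SSM Agent: package install, then Ubuntu snap.
SSM_UNITS="amazon-ssm-agent snap.amazon-ssm-agent.amazon-ssm-agent.service"

# Succeeds if any known SSM Agent unit is active; returns 2 without systemd.
ssm_agent_running() {
    command -v systemctl >/dev/null 2>&1 || return 2
    for unit in $SSM_UNITS; do
        systemctl is-active --quiet "$unit" 2>/dev/null && return 0
    done
    return 1
}

# Reads `df -Pk` output on stdin and prints every mount point whose
# available space is below $1 megabytes.
low_space_mounts() {
    awk -v min_kb="$(( $1 * 1024 ))" 'NR > 1 && $4 + 0 < min_kb { print $6 }'
}

# Checks the filesystems that package managers and kernel updates write to.
check_disk() {
    df -Pk / /var /boot 2>/dev/null | low_space_mounts "$MIN_FREE_MB" | sort -u
}

# Runs both checks, prints one line per result, returns non-zero on any failure.
prepatch_check() {
    status=0
    if ssm_agent_running; then
        echo "OK   SSM Agent is active"
    else
        echo "FAIL SSM Agent is not running; patch tasks will fail"
        status=1
    fi
    low="$(check_disk)"
    if [ -z "$low" ]; then
        echo "OK   at least ${MIN_FREE_MB} MB free on /, /var and /boot"
    else
        echo "FAIL less than ${MIN_FREE_MB} MB free on: $(echo "$low" | tr '\n' ' ')"
        status=1
    fi
    return "$status"
}

# Run the check only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then prepatch_check; exit $?; fi
```

Running it with `--run` a day or two before the 1st of the month leaves time to free space or restart the agent before the maintenance window.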


Opting Out or Custom Scheduling

If your system has uptime requirements that conflict with monthly patching (e.g., clusters, batch jobs), contact the Spinup team to discuss:

  • Exclusion from default patch groups

  • Custom maintenance window registration

  • Pre- or post-patch hooks


Need Help?