Arun's Blog

Upgrading Windows EC2 with Systems Manager Automation

TL;DR

Use AWS Systems Manager Automation to upgrade Windows EC2 instances without manual intervention. The process creates a backup AMI, performs the in-place upgrade, and produces a new AMI with the upgraded OS. Total time: 2-3 hours, mostly hands-off.

Introduction

Need to upgrade Windows Server on an EC2 instance to a newer version? AWS Systems Manager has an automation document called AWSEC2-CloneInstanceAndUpgradeWindows that handles the in-place upgrade and creates an AMI backup. Total runtime: 2-3 hours, almost all of it hands-off.

The automation creates a backup AMI of the source, performs the in-place upgrade on a clone, and produces a new AMI with the upgraded OS. You then launch a fresh instance from the new AMI, verify it works, and terminate the original. There's a manual upgrade path too, but for fleets it's worth letting SSM do the work. I'll cover the manual path in another post.

Prerequisites

Source Server

Make sure you have more than 10 GB of free space on the root drive of the server you are upgrading.

Install the Systems Manager agent (run the following in PowerShell as Administrator):

# Force TLS 1.2 for the download; older Windows builds still default to TLS 1.0/1.1.
[System.Net.ServicePointManager]::SecurityProtocol = 'TLS12'
# Hide the progress bar, which slows Invoke-WebRequest down considerably.
$progressPreference = 'silentlyContinue'
$installer = "$env:USERPROFILE\Desktop\SSMAgent_latest.exe"
Invoke-WebRequest `
    https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/windows_amd64/AmazonSSMAgentSetup.exe `
    -OutFile $installer
# Silent install; -Wait so the service restart below does not race the installer.
Start-Process -FilePath $installer -ArgumentList "/S" -Wait
Restart-Service AmazonSSMAgent

AWS

Create EC2 Role for SSM Service

  1. Sign in to the AWS Management Console - Open your browser, navigate to the AWS Management Console, and sign in with your AWS account.
  2. Open the IAM Dashboard - Search or navigate to the "IAM" service.
  3. Create a New Role - In the left sidebar, click on "Roles", then click "Create role".
  4. Select Trusted Entity Type - Choose "AWS service", then select "EC2" from the list. This allows EC2 instances to call AWS services on your behalf. Click "Next: Permissions".
  5. Attach the Required Policy - Search for "AmazonSSMManagedInstanceCore", check the box next to it, and click "Next: Tags".
  6. (Optional) Add Tags - Add any key-value pair tags to help manage the role, then click "Next: Review".
  7. Review and Create the Role - Name your role ssmEC2Role, verify settings are correct, and click "Create role".
  8. Verify the Policy is Attached - Click on the role name ssmEC2Role in the list and confirm the AmazonSSMManagedInstanceCore policy appears in the "Permissions" tab.

Attach Role to EC2 Instance

  1. Navigate to EC2 - From the AWS Management Console, go to the "EC2" service.
  2. Locate Your Instance - In the left sidebar, click "Instances", find the instance you want to upgrade, and select it by clicking the checkbox.
  3. Attach the IAM Role - Click "Actions" from the top menu, navigate to "Security", then click "Modify IAM role". Select ssmEC2Role from the dropdown and click "Apply".
  4. Verify the Role Attachment - Select your instance and open the "Security" tab. Confirm the role is listed under "IAM role".
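The same role and attachment done from PowerShell with the AWS CLI, as an added example that is not part of the original post. Unlike the console, the CLI does not create an instance profile for you, so the script does that explicitly; the instance ID is a placeholder and AWS CLI v2 with working credentials is assumed.

```powershell
# Added example (not from the original post): create ssmEC2Role with the AWS CLI.
# The console silently creates an instance profile of the same name; the CLI does not,
# so we create and associate one ourselves. Assumes AWS CLI v2 and configured credentials.
$RoleName   = 'ssmEC2Role'
$InstanceId = 'i-0123456789abcdef0'   # placeholder: the source instance

# Trust policy: only the EC2 service may assume this role.
$TrustPolicy = @'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "ec2.amazonaws.com" },
    "Action": "sts:AssumeRole"
  }]
}
'@
$TrustFile = Join-Path $env:TEMP 'ssm-trust.json'
Set-Content -Path $TrustFile -Value $TrustPolicy -Encoding ascii

aws iam create-role --role-name $RoleName --assume-role-policy-document "file://$TrustFile"

# AmazonSSMManagedInstanceCore is all the agent needs; do not pad the role with broader policies.
aws iam attach-role-policy --role-name $RoleName `
    --policy-arn 'arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore'

# EC2 attaches instance profiles, not roles: create one and put the role in it.
aws iam create-instance-profile --instance-profile-name $RoleName
aws iam add-role-to-instance-profile --instance-profile-name $RoleName --role-name $RoleName

# IAM is eventually consistent; a short pause avoids a "profile not found" on association.
Start-Sleep -Seconds 10
aws ec2 associate-iam-instance-profile --instance-id $InstanceId `
    --iam-instance-profile "Name=$RoleName"

# Verify: the attached policy list should contain exactly the SSM core policy.
aws iam list-attached-role-policies --role-name $RoleName `
    --query 'AttachedPolicies[].PolicyName' --output text
```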

Systems Manager

Important

Make sure you select AWSEC2-CloneInstanceAndUpgradeWindows and NOT "AWSEC2-CloneInstanceAndUpgradeWindows2019". The 2019-specific document has limitations and may not work for all upgrade paths.

  1. Navigate to Systems Manager - From the AWS Management Console, go to the "Systems Manager" service.
  2. Open Automation - Under Change Management, click on "Automation", then click "Execute automation".
  3. Select the Automation Document - Search for "AWSEC2-CloneInstanceAndUpgradeWindows" and select it.
  4. Click Next - Verify "Simple execution" is selected.
  5. Configure Input Parameters:
    • Select the EC2 instance you want upgraded
    • Enter ssmEC2Role for IamInstanceProfile
    • Enter the same subnet ID as the source EC2 for SubnetId
    • Select your target OS version for TargetWindowVersion
    • Set KeepPreUpgradeImageBackup to True (you can manually delete the AMI after confirming tests pass)
    • Keep RebootInstanceBeforeTakingImage as False if you do not want the server to reboot during image creation
  6. Execute - Click "Execute". The process takes 2-3 hours and creates an AMI named AWSEC2_UPGRADED_AMI_TO_2022_FOR_INSTANCE_xxx (where xxx is the source instance ID).
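Steps 1-6 driven from PowerShell with the AWS CLI instead of the console, as an added example that is not part of the original post. Parameter names are the ones listed above; the instance and subnet IDs, the target version string and the CLI credentials are assumptions, and the script first prints the document's real parameter list so you can check them.

```powershell
# Added example (not from the original post): start the upgrade automation with the AWS CLI
# and wait for the result. Parameter names follow the post; the IDs below are placeholders.
# Assumes AWS CLI v2 with credentials allowed to start SSM automation and describe images.
$DocumentName = 'AWSEC2-CloneInstanceAndUpgradeWindows'
$InstanceId   = 'i-0123456789abcdef0'      # placeholder: source instance
$SubnetId     = 'subnet-0123456789abcdef0' # placeholder: same subnet as the source

# Confirm the document's current parameter names before relying on any write-up.
aws ssm describe-document --name $DocumentName `
    --query 'Document.Parameters[].[Name,Type,DefaultValue]' --output table

$Params = @{
    InstanceId                      = @($InstanceId)
    IamInstanceProfile              = @('ssmEC2Role')
    SubnetId                        = @($SubnetId)
    TargetWindowVersion             = @('2022')   # assumption: value as shown in the console
    KeepPreUpgradeImageBackup       = @('true')
    RebootInstanceBeforeTakingImage = @('false')
}
$ParamFile = Join-Path $env:TEMP 'upgrade-params.json'
$Params | ConvertTo-Json -Compress | Set-Content -Path $ParamFile -Encoding ascii

$ExecutionId = aws ssm start-automation-execution --document-name $DocumentName `
    --parameters "file://$ParamFile" --query 'AutomationExecutionId' --output text

# Poll every five minutes; the run takes 2-3 hours.
do {
    Start-Sleep -Seconds 300
    $Status = aws ssm get-automation-execution --automation-execution-id $ExecutionId `
        --query 'AutomationExecution.AutomationExecutionStatus' --output text
    "$(Get-Date -Format s) $ExecutionId $Status"
} while ($Status -in 'Pending', 'InProgress', 'Waiting')

if ($Status -ne 'Success') {
    # Print the failing step and its message (e.g. disk space at createImage) before giving up.
    aws ssm get-automation-execution --automation-execution-id $ExecutionId `
        --query "AutomationExecution.StepExecutions[?StepStatus=='Failed'].[StepName,FailureMessage]" --output text
    throw "Automation $ExecutionId ended with status $Status"
}

# Both AMIs the post mentions should now exist for this instance.
aws ec2 describe-images --owners self `
    --filters "Name=name,Values=*_FOR_INSTANCE_$InstanceId,AWSEC2_ImageFromOriginalInstance_$InstanceId" `
    --query 'Images[].[Name,ImageId,State]' --output text
```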
Pro Tip

The 2-3 hour wait is the perfect time to grab coffee, catch up on emails, or review your other pending upgrades. AWS handles all the heavy lifting.

Create New Server

  1. Document Source Server Configuration - Note the subnet, EC2 instance type/family, and all security groups associated with the source server.
  2. Stop or Terminate the Original Server
    • If you want to keep the same IP address, you must terminate the original server
    • Before terminating, verify an AMI was created during the upgrade (look for images named AWSEC2_ImageFromOriginalInstance_xxx)
  3. Launch New EC2 Instance - Use the upgraded AMI (AWSEC2_UPGRADED_AMI_TO_2022_FOR_INSTANCE_xxx) with:
    • Same instance type as the source server
    • Same subnet as the source server
    • Same security groups as the source server
  4. Connect - Once fully booted, connect to your upgraded OS server.
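The four steps above scripted with the AWS CLI, as an added example that is not part of the original post: it records the source configuration to a file, refuses to continue unless the rollback AMI exists, and launches the replacement with the source's type, subnet and security groups. The instance ID is a placeholder and AWS CLI v2 is assumed.

```powershell
# Added example (not from the original post): capture the source instance's type, subnet
# and security groups, confirm the rollback AMI exists, then launch the replacement from the
# upgraded AMI. Assumes AWS CLI v2; the instance ID is a placeholder.
$InstanceId = 'i-0123456789abcdef0'

# Step 1: record the source configuration to a file before touching the instance.
$Src = aws ec2 describe-instances --instance-ids $InstanceId --output json `
    --query 'Reservations[0].Instances[0].{Type:InstanceType,Subnet:SubnetId,SGs:SecurityGroups[].GroupId}' |
    Out-String | ConvertFrom-Json
$Src | ConvertTo-Json | Set-Content (Join-Path $env:TEMP "$InstanceId-source-config.json")

# Step 2: refuse to go further unless the pre-upgrade backup AMI is available for rollback.
$Backup = aws ec2 describe-images --owners self `
    --filters "Name=name,Values=AWSEC2_ImageFromOriginalInstance_$InstanceId" 'Name=state,Values=available' `
    --query 'Images[0].ImageId' --output text
if (-not $Backup -or $Backup -eq 'None') { throw "No available backup AMI for $InstanceId; keep the source." }

# Step 3: locate the upgraded AMI the automation produced.
$Upgraded = aws ec2 describe-images --owners self `
    --filters "Name=name,Values=AWSEC2_UPGRADED_AMI_TO_*_FOR_INSTANCE_$InstanceId" 'Name=state,Values=available' `
    --query 'Images[0].ImageId' --output text
if (-not $Upgraded -or $Upgraded -eq 'None') { throw "Upgraded AMI for $InstanceId not found." }

# Step 4: launch with the same type, subnet and security groups as the source.
$NewId = aws ec2 run-instances --image-id $Upgraded --instance-type $Src.Type `
    --subnet-id $Src.Subnet --security-group-ids @($Src.SGs) `
    --iam-instance-profile Name=ssmEC2Role `
    --tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=upgraded-from-$InstanceId}]" `
    --query 'Instances[0].InstanceId' --output text
aws ec2 wait instance-status-ok --instance-ids $NewId
"Launched $NewId from $Upgraded; backup AMI $Backup is kept for rollback."
```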

Troubleshooting

Running into issues? Here are the most common problems and their solutions:

  • Instance not showing in Systems Manager - Verify the SSM agent is running (Get-Service AmazonSSMAgent), the IAM role is attached, and your security group allows outbound HTTPS (port 443) to SSM endpoints.
  • Automation fails at "createImage" step - Usually means insufficient disk space. Ensure at least 10 GB free on the root volume before starting.
  • Upgrade completes but instance won't boot - Check the backup AMI (AWSEC2_ImageFromOriginalInstance_xxx) was created. You can launch from this to restore to pre-upgrade state.
  • SSM agent won't install - Make sure you're running PowerShell as Administrator and that TLS 1.2 is enabled (the script handles this, but older systems may have issues).
  • Timeout errors during automation - The automation has built-in timeouts. If your instance is particularly large or slow, consider upgrading the instance type temporarily for faster processing.
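A preflight script to run on the source server, as an added example that is not part of the original post: it checks the prerequisites section (free space, agent, TLS 1.2) and the first three troubleshooting items (agent running, role attached, outbound 443 to the SSM endpoints) in one pass. The us-east-1 fallback region is an assumption.

```powershell
# Added example (not from the original post): a preflight script to run on the source
# server before starting the automation. It checks the prerequisites above and the
# first three troubleshooting items. The fallback region is an assumption.
$Failures = @()

# Free space on the root volume: the post requires more than 10 GB.
$FreeGB = [math]::Round((Get-PSDrive -Name C).Free / 1GB, 1)
if ($FreeGB -le 10) { $Failures += "Only $FreeGB GB free on C:, need more than 10 GB" }

# SSM agent installed and running.
$Svc = Get-Service -Name AmazonSSMAgent -ErrorAction SilentlyContinue
if (-not $Svc) { $Failures += 'AmazonSSMAgent service is not installed' }
elseif ($Svc.Status -ne 'Running') { $Failures += "AmazonSSMAgent service is $($Svc.Status)" }

# TLS 1.2 must be available; SystemDefault (0) defers to the OS and is fine on current builds.
$Proto = [Net.ServicePointManager]::SecurityProtocol
if ($Proto -ne 'SystemDefault' -and -not ($Proto -band [Net.SecurityProtocolType]::Tls12)) {
    $Failures += 'TLS 1.2 is not enabled for this PowerShell session'
}

# Instance profile attached: ask the instance metadata service, IMDSv2 token first.
$Token = $null
try {
    $Token = Invoke-RestMethod -Method Put -Uri 'http://169.254.169.254/latest/api/token' `
        -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '60' } -TimeoutSec 3
    $Info = Invoke-RestMethod -Uri 'http://169.254.169.254/latest/meta-data/iam/info' `
        -Headers @{ 'X-aws-ec2-metadata-token' = $Token } -TimeoutSec 3
    if ($Info.InstanceProfileArn -notmatch '/ssmEC2Role$') {
        $Failures += "Instance profile is '$($Info.InstanceProfileArn)', expected ssmEC2Role"
    }
} catch { $Failures += "No IAM instance profile visible in metadata: $($_.Exception.Message)" }

# Outbound HTTPS to the endpoints the agent needs (region taken from metadata).
$Region = try {
    (Invoke-RestMethod -Uri 'http://169.254.169.254/latest/dynamic/instance-identity/document' `
        -Headers @{ 'X-aws-ec2-metadata-token' = $Token } -TimeoutSec 3).region
} catch { 'us-east-1' }   # assumption: fallback region if metadata is unreachable
foreach ($Name in 'ssm', 'ec2messages', 'ssmmessages') {
    $Endpoint = "$Name.$Region.amazonaws.com"
    if (-not (Test-NetConnection -ComputerName $Endpoint -Port 443 -InformationLevel Quiet)) {
        $Failures += "Cannot reach $Endpoint on TCP 443"
    }
}

if ($Failures) { $Failures | ForEach-Object { Write-Warning $_ }; exit 1 }
'Preflight passed: ready to run AWSEC2-CloneInstanceAndUpgradeWindows'
```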
