Question

I have about 40 Linux instances running in AWS across multiple regions under VPC. Now I need to patch the Linux kernel and run updates for Apache, PHP and MySQL. It's quite hard to do it by logging in to each server. How do I automate this process or easily run updates on all the servers at once?

Solution

For this situation you might be more or less forced to do this by hand, but in the future a design makeover would be in order to make your life easier when dealing with stuff like this. I would recommend that you look into Puppet or Chef, as they enable you to script your infrastructure, and when you have updates/changes that need to occur, you apply them to the systems in question or just rebuild the systems over again.

For this scenario, if you were to use Chef, you would just update your scripts and tell Chef to update all of your systems.

Granted, I know that this bit of information doesn't help your current predicament, but it's a recommendation for future environments to alleviate issues like these.

OTHER TIPS

Check out AWS Systems Manager (SSM).

This is a nice walk-through of running patches with SSM. SSM allows you to:

  • Choose maintenance windows
  • White-List or Black-List patches
  • Determine a patch acceptance level (e.g. High vs Critical)
  • Delay patch acceptance by a specified period (want to wait a day in case a patch turns out to be bad?)
  • Apply patches to specifically tagged instances (you could run multiple patch groups if you like)

It's a bit of trouble to set up though.

Option 2

Depending on your needs you might simply want to install and configure yum-cron (on Ubuntu you'd use unattended-upgrades). I've been doing that for years and I have literally seen zero cases of a security patch causing a breaking regression. I'd far rather have every host automatically patched and deal with the fallout if it ever breaks than have unpatched hosts. One note is that I disable automatic reboots, so kernel updates don't take effect until I reboot.

Option 3

If you just want to do something on all hosts "fire and forget" style, you could explore dsh (distributed ssh; you can probably guess everything you need to know about it ;- ). I've used that with some success. I've also used Ansible and Chef (both require a bit of setup and a learning curve).
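A plain-shell take on the "fire and forget" approach from Option 3, combined with the no-automatic-reboot habit from Option 2. This is an added example and not code from the original answers: it pushes security updates to every host in a list over SSH in parallel and reports which hosts still need a reboot. It assumes key-based SSH and passwordless sudo already work for each host, that hosts run yum (Amazon Linux/RHEL) or apt (Ubuntu/Debian), and the hosts file name and report line format are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the original answers: push security updates to a
# list of Linux hosts over SSH in parallel and report which ones still need a
# reboot, so kernel reboots can be scheduled separately.
# Assumptions: key-based SSH and passwordless sudo already work for every host
# in the list; hosts use yum (Amazon Linux/RHEL) or apt (Ubuntu/Debian);
# the hosts file and report format are my own, not an AWS or distro standard.
set -u

# Script that runs ON each remote host; prints one report line:
#   "<hostname> status=<ok|FAILED> reboot=<yes|no|unknown>"
remote_patch() {
  cat <<'EOF'
set -e
if command -v yum >/dev/null 2>&1; then
  sudo yum -y --security update >/dev/null
  # newest installed kernel vs. the one actually running
  latest=$(rpm -q --last kernel | head -n1 | cut -d' ' -f1)
  [ "$latest" = "kernel-$(uname -r)" ] && reboot=no || reboot=yes
elif command -v apt-get >/dev/null 2>&1; then
  sudo apt-get -qq update
  sudo unattended-upgrade        # applies only the configured (security) origins
  [ -f /var/run/reboot-required ] && reboot=yes || reboot=no
else
  echo "$(hostname) status=FAILED reboot=unknown"; exit 1
fi
echo "$(hostname) status=ok reboot=$reboot"
EOF
}

# Run the remote script on one host; BatchMode prevents a password prompt from
# hanging the whole batch, and any failure still yields a report line.
patch_host() {
  remote_patch | ssh -o BatchMode=yes -o ConnectTimeout=10 "$1" 'bash -s' \
    || echo "$1 status=FAILED reboot=unknown"
}

# Turn the report lines into one summary plus the list of hosts to reboot.
summarize() {
  awk '$2 == "status=ok"     { ok++ }
       $2 == "status=FAILED" { failed++ }
       $3 == "reboot=yes"    { rb++; hosts = hosts " " $1 }
       END { printf "ok=%d failed=%d reboot_needed=%d\n", ok, failed, rb
             printf "reboot_needed_hosts:%s\n", hosts }'
}

# Usage: ./patch-fleet.sh hosts.txt   (one host per line; 10 hosts at a time)
if [ "$#" -ge 1 ]; then
  export -f patch_host remote_patch
  xargs -P 10 -I{} bash -c 'patch_host "$1"' _ {} < "$1" | tee patch-report.txt | summarize
fi
```

The full report is kept in patch-report.txt, so the hosts listed under reboot_needed_hosts can be rebooted in a maintenance window of your choosing rather than mid-update.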

Licensed under: CC-BY-SA with attribution