Description:
AWS Systems Manager Patch Manager automates scanning EC2 instances (and other managed nodes) against a patch baseline and installing the approved patches that are missing. Keeping instances compliant with the baseline removes known vulnerabilities in the operating system and supported applications before attackers can exploit them.
Rationale:
Outdated software is a major security risk. Vulnerabilities in software can be exploited by attackers to gain access to systems. By keeping instances up-to-date with the latest patches, you can help to protect them from these vulnerabilities.
Impact:
An EC2 instance that is not compliant with its patch baseline is missing approved patches (or failed to install them) and is therefore exposed to the publicly known vulnerabilities those patches fix. This can lead to unauthorized access to data, financial losses, or system downtime.
Default Value:
Patch Manager does not scan or install patches on any instance by default, so no compliance data exists until the AWS-RunPatchBaseline document has been run against the instance, whether through a patch policy, a maintenance window, a State Manager association, or a one-off Run Command invocation. You must configure one of these before compliance can be enforced or even measured.
Pre-requisites:
- You must have an AWS account and access to the AWS Management Console with permissions for Systems Manager (at minimum ssm:Describe*, ssm:List* and ssm:SendCommand for the steps below).
- You must have the AWS CLI installed and configured.
- The EC2 instances must be Systems Manager managed nodes: SSM Agent installed and running, an instance profile that grants the AmazonSSMManagedInstanceCore permissions (or equivalent), and network access to the Systems Manager endpoints.
- You must have a patch baseline (a predefined AWS baseline or a custom one) and a way to run it against the instances: a patch policy, a maintenance window, or a State Manager association that runs AWS-RunPatchBaseline.
Remediation Steps:
- Sign in to the AWS Management Console.
- Go to the AWS Systems Manager console.
- Click Patch Manager in the left navigation pane.
- On the Patch Manager page, click Compliance.
- On the Compliance page, you will see the list of managed instances that are not compliant with their patch baseline.
- For each non-compliant instance, view the patches reported as Missing or Failed.
- Install the missing patches by running the AWS-RunPatchBaseline document with Operation=Install against the instance (Patch now in the console, or Run Command/CLI). Installing can reboot the instance, so run it in a maintenance window for production workloads, and re-scan afterwards to confirm the instance reports as Compliant.
Test Plan:
- Verify that a patch baseline is applied to the instances (through the Patch Group tag or a patch policy) and that a Scan or Install operation has run recently on each of them.
- Verify that the list of non-compliant instances matches the Missing and Failed counts reported by aws ssm describe-instance-patch-states.
- Verify that after the Install operation (and any required reboot) the instances report as Compliant.
Implementation Plan:
- Assign each instance to a patch baseline (tag it with Patch Group, or use a patch policy in Quick Setup) and approve the patches you require in that baseline.
- Schedule a recurring Scan (for example daily) and a recurring Install inside a maintenance window, using State Manager or Maintenance Windows to run AWS-RunPatchBaseline.
- Monitor compliance through the Patch Manager dashboard, the compliance API, or the AWS Config managed rule ec2-managedinstance-patch-compliance-status-check, and alert on instances that remain non-compliant.
AWS CLI Process:
- Run the following command to list the managed instances that are not compliant with their patch baseline:
aws ssm list-resource-compliance-summaries --filters Key=ComplianceType,Values=Patch,Type=EQUAL Key=Status,Values=NON_COMPLIANT,Type=EQUAL
- Run the following command to see the Missing and Failed patches for one instance:
aws ssm describe-instance-patches --instance-id my-instance-id --filters Key=State,Values=Missing,Failed
- Run the following command to install the missing patches on an instance. There is no dedicated patch-instance command; patching is a Run Command invocation of AWS-RunPatchBaseline with Operation=Install. RebootIfNeeded (the default) reboots the instance if an installed patch requires it:
aws ssm send-command --document-name AWS-RunPatchBaseline --targets Key=InstanceIds,Values=my-instance-id --parameters Operation=Install,RebootOption=RebootIfNeeded
- To patch every instance in a patch group instead, target the Patch Group tag:
aws ssm send-command --document-name AWS-RunPatchBaseline --targets "Key=tag:Patch Group,Values=patch-group-name" --parameters Operation=Install
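Worked example of the compliance check and the install step above, in Python. This is an added example and not code from AWS or from this page. It runs offline on a constructed sample shaped like the InstancePatchStates records that describe-instance-patch-states returns; the sample instance IDs, the 7-day staleness threshold and the RUN_LIVE switch are assumptions of the example. With RUN_LIVE=1 and boto3 installed it reads the real fleet instead and prints, but does not send, the AWS-RunPatchBaseline requests.

```python
"""Triage Systems Manager patch compliance data and build the
AWS-RunPatchBaseline Install request for the nodes that need it.

Added example, not AWS code. By default it runs on the constructed
SAMPLE_STATES below; with RUN_LIVE=1 and boto3 installed it reads the
real fleet through DescribeInstanceInformation/DescribeInstancePatchStates.
"""
import json
import os
from datetime import datetime, timedelta, timezone

# Constructed sample (not from a real account), shaped like the
# "InstancePatchStates" records returned by
# `aws ssm describe-instance-patch-states`.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_STATES = [
    {"InstanceId": "i-0a1b2c3d4e5f60001", "PatchGroup": "web", "Operation": "Scan",
     "OperationEndTime": NOW - timedelta(hours=6),
     "MissingCount": 3, "FailedCount": 0, "InstalledPendingRebootCount": 0},
    {"InstanceId": "i-0a1b2c3d4e5f60002", "PatchGroup": "web", "Operation": "Install",
     "OperationEndTime": NOW - timedelta(hours=1),
     "MissingCount": 0, "FailedCount": 1, "InstalledPendingRebootCount": 2},
    {"InstanceId": "i-0a1b2c3d4e5f60003", "PatchGroup": "db", "Operation": "Scan",
     "OperationEndTime": NOW - timedelta(days=14),
     "MissingCount": 0, "FailedCount": 0, "InstalledPendingRebootCount": 0},
]

MAX_SCAN_AGE = timedelta(days=7)  # assumption: older compliance data is treated as stale
MAX_TARGET_VALUES = 50            # SendCommand accepts at most 50 values per target key


def classify(state, now=NOW):
    """Return (status, reasons) for one InstancePatchState record.

    Patch Manager reports a node NON_COMPLIANT when any baseline patch is
    Missing or Failed. A clean record from a stale scan is downgraded to
    UNKNOWN here, because zero counts from an old scan prove nothing.
    Pending reboots are listed as a reason but do not change the status:
    the fix for them is a reboot, not another Install.
    """
    reasons = []
    if state.get("MissingCount", 0) > 0:
        reasons.append(f"{state['MissingCount']} missing")
    if state.get("FailedCount", 0) > 0:
        reasons.append(f"{state['FailedCount']} failed")
    status = "NON_COMPLIANT" if reasons else "COMPLIANT"
    if status == "COMPLIANT" and now - state["OperationEndTime"] > MAX_SCAN_AGE:
        status = "UNKNOWN"
        reasons.append(f"last {state['Operation']} older than {MAX_SCAN_AGE.days} days")
    if state.get("InstalledPendingRebootCount", 0) > 0:
        reasons.append(f"{state['InstalledPendingRebootCount']} installed, reboot pending")
    return status, reasons


def triage(states, now=NOW):
    """Group instance IDs by the action they need: install, scan or reboot."""
    plan = {"install": [], "scan": [], "reboot": []}
    for s in states:
        status, _ = classify(s, now)
        if status == "NON_COMPLIANT":
            plan["install"].append(s["InstanceId"])
        elif status == "UNKNOWN":
            plan["scan"].append(s["InstanceId"])
        if s.get("InstalledPendingRebootCount", 0) > 0:
            plan["reboot"].append(s["InstanceId"])
    return plan


def build_patch_commands(instance_ids, operation="Install", reboot="RebootIfNeeded"):
    """Build the SendCommand request(s) that run AWS-RunPatchBaseline on the IDs.

    Each dict can be passed as boto3 ssm.send_command(**req) and mirrors
    `aws ssm send-command --document-name AWS-RunPatchBaseline ...`.
    IDs are batched because one target key takes at most 50 values.
    """
    if operation not in ("Scan", "Install"):
        raise ValueError("AWS-RunPatchBaseline supports only Scan and Install")
    ids = sorted(set(instance_ids))
    return [
        {
            "DocumentName": "AWS-RunPatchBaseline",
            "Targets": [{"Key": "InstanceIds", "Values": ids[i:i + MAX_TARGET_VALUES]}],
            "Parameters": {"Operation": [operation], "RebootOption": [reboot]},
        }
        for i in range(0, len(ids), MAX_TARGET_VALUES)
    ]


def fetch_states_live():
    """Read real patch states with boto3 (needs credentials and ssm:Describe* permissions)."""
    import boto3  # optional dependency, only needed for RUN_LIVE=1
    ssm = boto3.client("ssm")
    ids = [node["InstanceId"]
           for page in ssm.get_paginator("describe_instance_information").paginate()
           for node in page["InstanceInformationList"]]
    states = []
    for i in range(0, len(ids), 50):  # DescribeInstancePatchStates takes up to 50 IDs per call
        states += ssm.describe_instance_patch_states(InstanceIds=ids[i:i + 50])["InstancePatchStates"]
    return states


if __name__ == "__main__":
    live = os.environ.get("RUN_LIVE") == "1"
    states = fetch_states_live() if live else SAMPLE_STATES
    now = datetime.now(timezone.utc) if live else NOW
    for s in states:
        status, reasons = classify(s, now)
        print(f"{s['InstanceId']:<22} {s.get('PatchGroup', '-'):<8} {status:<14} {'; '.join(reasons)}")
    plan = triage(states, now)
    for req in build_patch_commands(plan["install"]):
        print(json.dumps(req, indent=2))  # dry run: pass to ssm.send_command(**req) to apply
```

The triage deliberately separates three outcomes that a plain "non-compliant" list hides: nodes that need an Install, nodes whose last scan is too old to trust and need a Scan first, and nodes that are only waiting for a reboot. Sending Install to the third group changes nothing; rebooting them inside the maintenance window does.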
Using AWS GUI:
- Go to the AWS Systems Manager console.
- Click Patch Manager in the left navigation pane.
- On the Patch Manager page, click Compliance.
- On the Compliance page, you will see the list of managed instances that are not compliant with their patch baseline.
- Select a non-compliant instance and choose Patch now to run AWS-RunPatchBaseline (Scan, or Scan and install) against it; this installs the missing patches and can reboot the instance.
Backout Plan:
- Patch Manager cannot uninstall patches: AWS-RunPatchBaseline supports only the Scan and Install operations. If a patch breaks an instance, roll back by restoring the instance from the AMI or EBS snapshot taken before patching (take one as part of the maintenance window), or remove the package with the operating system's package manager.
- To stop further installs, disable or delete the maintenance window task, State Manager association, or patch policy that runs the Install operation. Add the problem patch to the rejected patches list of the baseline so it is not reinstalled on the next run.
Note:
- This check only covers EC2 instances that are Systems Manager managed nodes. Instances without a working SSM Agent or instance profile report no compliance data at all, so they never appear as non-compliant; also verify that every instance in scope is listed under Fleet Manager.
- Patch Manager can also patch other managed nodes registered with Systems Manager, such as on-premises servers and VMs added through hybrid activations. It does not patch managed services such as Amazon RDS, which apply patches through their own maintenance windows.
- For more information, see the AWS Systems Manager Patch Manager documentation: https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager.html.
Reference:
https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager.html