Profile Applicability
- Level 2
Description
AWS Systems Manager Patch Manager automates the process of scanning and patching managed EC2 instances. It ensures compliance with predefined patch baselines that include rules for auto-approving critical and security updates. Regular compliance checks ensure that the infrastructure remains secure and up-to-date, mitigating vulnerabilities effectively.
Rationale
Enhanced Security: Prevents exploitation of vulnerabilities by applying critical patches in a timely manner.
Compliance: Ensures alignment with security best practices, governance frameworks, and regulatory requirements.
Risk Mitigation: Reduces the risk of data breaches or downtime due to known vulnerabilities.
Impact
Pros:
Keeps EC2 instances secure against vulnerabilities.
Automates patching tasks, reducing operational overhead.
Improves visibility into the compliance status of managed instances.
Cons:
May require downtime for applying updates or reboots.
Initial configuration of patch baselines and maintenance windows can take time.
Default Value
By default, EC2 instances are not automatically patched or monitored for compliance. Patch compliance must be explicitly configured through AWS Systems Manager.
Pre-Requisite
IAM Permissions Required:
ssm:DescribeInstanceInformation
ssm:ListComplianceSummaries
ssm:CreatePatchBaseline
ssm:StartComplianceScan
Remediation
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Systems Manager > Compliance.
Under the Patch Compliance section, review non-compliant instances and identify gaps.
Using AWS CLI:
List all managed instances:
aws ssm describe-instance-information --query "InstanceInformationList[*].{InstanceId:InstanceId,ManagedBy:PingStatus}"
Check compliance summaries:
aws ssm list-resource-compliance-summaries --filters Key=ComplianceType,Values=Patch --query "ResourceComplianceSummaryItems[*].{ResourceId:ResourceId,Status:Status}"
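The audit step above leaves the reader to eyeball the status column. The following script is an added example (not part of the benchmark text) that evaluates the per-resource output in its "--output text" form and reports every managed instance whose patch compliance status is not COMPLIANT. The instance IDs in SAMPLE_SUMMARY are constructed stand-ins for the live CLI output.

```shell
#!/bin/sh
# Added example: flag EC2 instances whose SSM patch compliance is not COMPLIANT.
# Input is one "<ResourceId> <Status>" pair per line, as produced by:
#   aws ssm list-resource-compliance-summaries \
#       --filters Key=ComplianceType,Values=Patch \
#       --query "ResourceComplianceSummaryItems[*].[ResourceId,Status]" \
#       --output text

# Constructed sample standing in for the live call; the instance IDs are fictitious.
SAMPLE_SUMMARY='i-0aaa111111111111a COMPLIANT
i-0bbb222222222222b NON_COMPLIANT
i-0ccc333333333333c COMPLIANT
i-0ddd444444444444d NON_COMPLIANT'

# Print the resource IDs that are not COMPLIANT, one per line (stdin -> stdout).
list_noncompliant() {
    while read -r resource status rest; do
        [ -n "$resource" ] || continue
        [ "$status" = "COMPLIANT" ] || printf '%s\n' "$resource"
    done
}

# Return 0 when every resource on stdin is COMPLIANT, 1 otherwise.
# Offenders are written to stderr so the exit code can drive a CI or cron check.
assert_all_compliant() {
    offenders=$(list_noncompliant)
    if [ -n "$offenders" ]; then
        printf 'NON-COMPLIANT instances:\n%s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

# Demo on the constructed sample; swap the printf for the aws call to use it live.
printf '%s\n' "$SAMPLE_SUMMARY" | list_noncompliant
```

The functions read stdin, so the same check works on the live command (`aws ... --output text | assert_all_compliant`) or on a saved export. A status of NON_COMPLIANT here means at least one approved patch from the baseline is missing on that instance; it says nothing about patches the baseline never approved.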
Implementation Steps:
Using AWS Console:
Create a Patch Baseline:
Go to Patch Manager in Systems Manager.
Create a custom patch baseline with rules for auto-approving critical/security updates and rejection parameters for unwanted patches.
Assign the Baseline:
Link the patch baseline to instances using tags or instance IDs.
Schedule Patching:
Define maintenance windows to automate patch installations and scans.
Assign tasks for patch compliance evaluations and installations.
Monitor Compliance:
Navigate to Compliance to monitor the patching status of managed instances.
Using AWS CLI:
Create a Custom Patch Baseline:
aws ssm create-patch-baseline --name <baseline-name> --operating-system <os-type> --approval-rules file://rules.json
Assign the Baseline to a Patch Group:
aws ssm register-patch-baseline-for-patch-group --baseline-id <baseline-id> --patch-group <patch-group>
Trigger Compliance Scans:
aws ssm send-command --document-name "AWS-RunPatchBaseline" --parameters '{"Operation":["Scan"]}' --instance-ids <instance-ids>
Monitor Compliance Status:
aws ssm list-compliance-summaries
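The four CLI steps above, written as one script so the approval rules file the benchmark references (rules.json) is visible too. This is an added example, not the benchmark's own code: the baseline name, patch group, operating system and region are assumed placeholders, and DRY_RUN defaults to 1 so the script prints the aws commands it would run instead of executing them (set DRY_RUN=0 to apply them).

```shell
#!/bin/sh
# Added example: SSM Patch Manager baseline setup via the AWS CLI.
# All names below are assumptions for illustration; override them via the environment.
set -eu

BASELINE_NAME="${BASELINE_NAME:-prod-linux-critical-security}"   # assumed name
PATCH_GROUP="${PATCH_GROUP:-prod-linux}"                          # assumed "Patch Group" tag value
OPERATING_SYSTEM="${OPERATING_SYSTEM:-AMAZON_LINUX_2}"            # assumed OS
REGION="${AWS_REGION:-us-east-1}"                                 # assumed region
DRY_RUN="${DRY_RUN:-1}"                                           # 1 = print commands only

# Run an aws command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: approval rules for the custom baseline. Security patches rated
# Critical or Important are auto-approved 7 days after release; everything
# else stays unapproved, which is the "critical/security updates" rule in the text.
write_rules_json() {
    cat > "$1" <<'EOF'
{
  "PatchRules": [
    {
      "PatchFilterGroup": {
        "PatchFilters": [
          { "Key": "CLASSIFICATION", "Values": ["Security"] },
          { "Key": "SEVERITY", "Values": ["Critical", "Important"] }
        ]
      },
      "ApproveAfterDays": 7,
      "ComplianceLevel": "CRITICAL",
      "EnableNonSecurity": false
    }
  ]
}
EOF
}

# Step 2: create the baseline; prints the new BaselineId.
create_baseline() {
    run aws ssm create-patch-baseline --name "$BASELINE_NAME" \
        --operating-system "$OPERATING_SYSTEM" --approval-rules "file://$1" \
        --region "$REGION" --query BaselineId --output text
}

# Step 3: bind the baseline to the patch group (instances tagged "Patch Group").
register_patch_group() {
    run aws ssm register-patch-baseline-for-patch-group \
        --baseline-id "$1" --patch-group "$PATCH_GROUP" --region "$REGION"
}

# Step 4: a compliance scan is the AWS-RunPatchBaseline document with Operation=Scan.
# Targeting by tag covers instances added to the group later as well.
trigger_scan() {
    run aws ssm send-command --document-name AWS-RunPatchBaseline \
        --parameters '{"Operation":["Scan"]}' \
        --targets "Key=tag:Patch Group,Values=$PATCH_GROUP" --region "$REGION"
}

# Step 5: per-instance patch compliance status.
show_compliance() {
    run aws ssm list-resource-compliance-summaries \
        --filters Key=ComplianceType,Values=Patch \
        --query "ResourceComplianceSummaryItems[*].[ResourceId,Status]" \
        --output text --region "$REGION"
}

main() {
    rules="${RULES_FILE:-rules.json}"
    write_rules_json "$rules"
    baseline_id=$(create_baseline "$rules")
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$baseline_id"            # the command that would have run
        baseline_id="pb-0123456789abcdef0"      # constructed placeholder id for the dry run
    fi
    register_patch_group "$baseline_id"
    trigger_scan
    show_compliance
}
main
```

The scan only reports; installation is a separate send-command with Operation=Install, which the benchmark places inside a maintenance window so reboots land in an agreed slot. Instances are picked up by the baseline only if they carry the "Patch Group" tag with the registered value.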
Backout Plan
Using AWS Console:
If patching causes issues, sign in to the AWS Management Console.
Navigate to Systems Manager, go to Patch Manager, and remove the current patch baseline.
Revert to an earlier version of the patch baseline, or modify the baseline to exclude the problematic patches.
Monitor the EC2 instances to ensure they return to a compliant state.
Using AWS CLI:
To revert changes to the patch baseline, delete the current baseline (a baseline that is still registered to a patch group must first be released with deregister-patch-baseline-for-patch-group, and a default baseline cannot be deleted):
aws ssm delete-patch-baseline --baseline-id <BASELINE_ID> --region <REGION>
Create a new baseline with the required patches:
aws ssm create-patch-baseline --name "RevertedBaseline" --approved-patches <PATCH_IDS> --region <REGION>