Profile Applicability:

  • Level 1

Description:

To ensure that applications running in AWS Lightsail instances are secure and up-to-date, you must apply regular updates. These updates include operating system patches, application updates, and security fixes. Timely application of updates helps maintain the security and performance of your applications.

Rationale:

Outdated applications and systems are vulnerable to security risks and performance degradation. By applying updates regularly, you can reduce the risk of exploitation, enhance system stability, and ensure compliance with security policies. It also ensures that applications benefit from new features, improvements, and optimizations.

Impact:

Pros:

  • Improved Security: Applying updates addresses known vulnerabilities, enhancing the security posture of the application.

  • Enhanced Performance: Updates may include performance improvements, bug fixes, and new features.

  • Compliance: Regular updates help meet compliance requirements for security and data protection.

  • Operational Consistency: Ensures consistent functionality and reduces the risk of operational issues caused by outdated software.

Cons:

  • Downtime: Some updates may require application restarts, causing temporary downtime.

  • Compatibility Risks: Updates may introduce compatibility issues with other software or configurations.

  • Testing Requirements: It may be necessary to test updates in a staging environment before applying them to production.

Default Value:

By default, AWS Lightsail instances do not automatically apply updates to the applications. Updates need to be applied manually based on a maintenance schedule or when critical updates are available.

Pre-requisites:

  • Access to the AWS Lightsail Console or AWS CLI with sufficient permissions.

  • SSH access to Lightsail instances for applying updates.

  • Backup of the application or instance (preferably through Lightsail snapshots) before applying updates.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the AWS Lightsail Console.

  2. In the Lightsail dashboard, click Networking to ensure that your application is reachable and functional after the update.

  3. Navigate to Instances to view all running Lightsail instances.

  4. Click on the instance running the application you want to update.

  5. Ensure that the instance is backed up (take a snapshot if necessary).

  6. Connect to the instance via SSH using the Connect button.

  7. Check for any pending updates by running the following command: sudo apt update

  8. Apply available updates using the following command: sudo apt upgrade

Using AWS CLI:

  1. Run the following command to list all your Lightsail instances: 

    aws lightsail get-instances

  2. Identify the instance you want to update.

  3. Connect to the instance via SSH using the Lightsail instance’s public IP: 

    ssh -i your-key.pem ubuntu@<instance-public-ip>

  4. Once connected, run the following command to check for updates:

    • For Ubuntu/Debian-based systems:

       sudo apt update
       sudo apt upgrade

    • For RHEL/CentOS-based systems:

       sudo yum update

  5. After applying updates, restart the services or instance if necessary to apply the updates.
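The pending-update check in the test plan can be turned into a pass/fail audit. The script below is an added example, not part of the original benchmark text: it parses the output of `apt-get -s upgrade` (a simulation that installs nothing) and fails when any pending upgrade comes from a security pocket. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn "check for pending updates" into a pass/fail audit.
# Input is the text printed by `apt-get -s upgrade` (simulation only).

# Constructed sample of that output, so the parser can be tried offline.
# "security-misc" is a made-up package name used to show that a package
# name containing "security" is not counted as a security update.
sample_simulation() {
    cat <<'EOF'
NOTE: This is only a simulation!
Inst libssl3 [3.0.2-0ubuntu1.15] (3.0.2-0ubuntu1.16 Ubuntu:22.04/jammy-security [amd64])
Inst tzdata [2024a-0ubuntu0.22.04.1] (2024b-0ubuntu0.22.04 Ubuntu:22.04/jammy-updates [all])
Inst security-misc [1.0] (1.1 Ubuntu:22.04/jammy-updates [all])
Conf libssl3 (3.0.2-0ubuntu1.16 Ubuntu:22.04/jammy-security [amd64])
EOF
}

# Print "<pending> <security>" for the simulation text on stdin.
# Only "Inst" lines are upgrades; the origin sits inside the parentheses.
count_pending() {
    awk '
        $1 == "Inst" {
            total++
            origin = ""
            if (match($0, /\(.*\)/)) origin = tolower(substr($0, RSTART, RLENGTH))
            if (index(origin, "-security")) sec++
        }
        END { printf "%d %d\n", total, sec }'
}

# Exit status 0 only when no security update is pending.
audit_updates() {
    counts=$(count_pending)
    pending=${counts% *}
    security=${counts#* }
    echo "pending=$pending security=$security"
    [ "$security" -eq 0 ]
}
```

On an instance, run `sudo apt update` first and then `apt-get -s upgrade | audit_updates`; a non-zero exit status means security updates are still waiting to be applied.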

Implementation Plan:

Using AWS Console:

  1. Log in to the AWS Lightsail Console.

  2. Navigate to Instances and select the instance running the application you wish to update.

  3. Ensure that a snapshot backup is taken for disaster recovery purposes.

  4. Connect to the instance using the Connect button to establish an SSH session.

  5. In the SSH session, run the appropriate commands to update the OS and application packages.

  6. Once updates are complete, verify that the application functions correctly.

  7. If any issues occur, restore from the snapshot backup and investigate the cause of failure.

Using AWS CLI:

  1. List all instances using: 

    aws lightsail get-instances


  2. SSH into the instance using the public IP address and private key:

    ssh -i your-key.pem ubuntu@<instance-public-ip>


  3. Run the necessary commands to check for updates, apply updates, and verify that the app is functioning as expected after the updates.

  4. If any issues arise after updating, restore the instance from a snapshot backup.
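Snapshot creation in Lightsail is asynchronous, so the update should not start until the snapshot reports the state `available`. The script below is an added example, not part of the original benchmark text, that runs the CLI implementation steps in that order. The function names, the `pre-update-` snapshot naming scheme, the `ubuntu` login and the use of an apt-based image are assumptions.

```shell
#!/bin/sh
# Added example: snapshot first, wait until it is usable, then patch.
# Usage (placeholders): patch_instance <instance-name> <path-to-key.pem>
POLL_SECONDS="${POLL_SECONDS:-15}"   # delay between state checks
MAX_POLLS="${MAX_POLLS:-80}"         # give up after this many checks

# Print the snapshot state: pending, available or error.
snapshot_state() {
    aws lightsail get-instance-snapshot --instance-snapshot-name "$1" \
        --query 'instanceSnapshot.state' --output text
}

# Return 0 when available, 1 on error, 2 if the query fails, 3 on timeout.
wait_for_snapshot() {
    n=0
    while [ "$n" -lt "$MAX_POLLS" ]; do
        state=$(snapshot_state "$1") || return 2
        case "$state" in
            available) return 0 ;;
            error)     return 1 ;;
        esac
        n=$((n + 1))
        sleep "$POLL_SECONDS"
    done
    return 3
}

# Snapshot the instance, refuse to patch without a usable snapshot,
# then apply updates over SSH. Prints the snapshot name on success.
patch_instance() {
    instance=$1
    key=$2
    snap="pre-update-${instance}-$(date -u +%Y%m%dT%H%M%SZ)"
    aws lightsail create-instance-snapshot --instance-name "$instance" \
        --instance-snapshot-name "$snap" >/dev/null || return 1
    wait_for_snapshot "$snap" || {
        echo "snapshot $snap not usable; update aborted" >&2
        return 1
    }
    ip=$(aws lightsail get-instance --instance-name "$instance" \
        --query 'instance.publicIpAddress' --output text) || return 1
    # Assumes an Ubuntu/Debian image with the default "ubuntu" user.
    ssh -i "$key" "ubuntu@$ip" \
        'sudo apt-get update && sudo DEBIAN_FRONTEND=noninteractive apt-get -y upgrade' || return 1
    echo "$snap"
}
```

Record the printed snapshot name with the change ticket; it is the snapshot the backout plan restores from.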

Backout Plan:

Using AWS Console:

  1. If updates cause issues, you can revert to a previous state by restoring the instance from the backup (snapshot).

  2. In the Lightsail Console, navigate to Snapshots, select the snapshot taken before the update, and click Restore.

  3. Verify that the application is restored and functioning as expected.

Using AWS CLI:

  1. If the update process causes issues, you can roll back to a snapshot:

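     # Lightsail has no in-place restore command; this creates a new instance from the snapshot.
     aws lightsail create-instances-from-snapshot --instance-names <new-instance-name> --instance-snapshot-name <snapshot-name> --availability-zone <availability-zone> --bundle-id <bundle-id>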

  2. Once restored, verify that the application is functioning as expected.

References:

CIS Controls:

Version | Control ID | Control Description
v8 | 1.1 | Establish and maintain an inventory of enterprise assets, including EC2 instances, and ensure they are updated regularly for security and compliance.
v7 | 6.5 | Ensure regular patching and updating of systems to mitigate security vulnerabilities and maintain system integrity.