Profile Applicability:

Level 1

Description:

Managed Platform Updates is an AWS Elastic Beanstalk feature. When it is enabled on an environment, Elastic Beanstalk automatically applies patch and minor platform version updates (operating system packages, language runtime, web server and Elastic Beanstalk agent components) during a weekly maintenance window that you define. The setting belongs to the Elastic Beanstalk environment, not to individual EC2 instances; the instances that Elastic Beanstalk launches for the environment receive the updated platform. Enabling it keeps the platform current without manual intervention and shortens the window in which known vulnerabilities in platform components remain unpatched.

Rationale:

Automatic platform updates are essential for maintaining the security and stability of your environment. Elastic Beanstalk platform versions are regularly superseded and eventually retired, and an environment that is not updated keeps running the operating system, runtime and web server versions it was created with. Configuring Managed Platform Updates reduces the risk of running outdated or insecure platform components, which could lead to exploitable vulnerabilities and non-compliance with patch-management requirements, and it removes the manual overhead of tracking and applying platform releases.

Impact:

Pros:

  • Improved Security: Patch and minor platform updates are applied automatically in the configured window, reducing the window of exposure to known vulnerabilities in platform components.

  • Reduced Manual Effort: Eliminates the need to track platform releases and apply them by hand, saving time and reducing human error.

  • Compliance: Helps meet patch-management requirements by ensuring the platform is updated on a predictable weekly schedule.

Cons:

  • Potential Disruption: Managed updates are performed as immutable updates (new instances are launched on the new platform version and the old ones are replaced). A load-balanced environment normally stays in service, but a single-instance environment can be briefly unavailable, so choose the maintenance window accordingly. Elastic Beanstalk performs managed updates only while the environment's health is Ok, so an unhealthy environment silently stops receiving updates.

  • Compatibility Issues: Minor platform updates can change runtime or web server versions. In rare cases this introduces compatibility issues with existing applications or configuration files, requiring additional testing and validation; selecting the patch update level limits updates to patch releases only.

Default Value:

Managed Platform Updates are disabled for environments created through the API or CLI unless the corresponding option settings are supplied, and the setting must be explicitly enabled (in the namespace aws:elasticbeanstalk:managedactions) for updates to be applied automatically.

Pre-requisites:

  • Administrative access to the AWS environment.

  • IAM permissions to read and modify Elastic Beanstalk environment configuration (at minimum elasticbeanstalk:DescribeEnvironments, elasticbeanstalk:DescribeConfigurationSettings and elasticbeanstalk:UpdateEnvironment).

  • An Elastic Beanstalk service role with the permissions in the AWS managed policy AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy (the default aws-elasticbeanstalk-service-role includes it); a separate role can be specified with the ServiceRoleForManagedUpdates option.

  • One or more Elastic Beanstalk environments that require platform updates enabled.

Remediation:

Test Plan:

Using the AWS Console:

  1. Log in to the AWS Management Console.

  2. Open the Elastic Beanstalk console and choose Environments in the left-hand menu.

  3. Select the environment to check.

  4. Choose Configuration, then locate the managed updates settings (shown as Managed updates or Managed platform updates, depending on the console version) and choose Edit.

  5. Confirm that managed updates are enabled, that a weekly update window is set, and that an update level (patch or minor) is selected. If managed updates are disabled, the environment fails this check.

  6. To confirm that updates are actually being applied, open the environment's Managed updates page and review the update history and any pending actions.

Using AWS CLI:

  1. List the Elastic Beanstalk environments in the region and note the application and environment names:

     aws elasticbeanstalk describe-environments --query 'Environments[].[ApplicationName,EnvironmentName,PlatformArn]' --output table

  2. Retrieve the managed-update option settings for an environment:

     aws elasticbeanstalk describe-configuration-settings --application-name <application-name> --environment-name <environment-name> --query "ConfigurationSettings[0].OptionSettings[?starts_with(Namespace, 'aws:elasticbeanstalk:managedactions')]"

  3. The environment passes the check when the output contains ManagedActionsEnabled with Value true (namespace aws:elasticbeanstalk:managedactions), a PreferredStartTime, and an UpdateLevel of patch or minor (namespace aws:elasticbeanstalk:managedactions:platformupdate). If ManagedActionsEnabled is false or absent, the environment fails the check.

  4. Optionally confirm that updates are being applied by reviewing the managed action history:

     aws elasticbeanstalk describe-environment-managed-action-history --environment-name <environment-name>

Implementation Plan:

Using the AWS Console:

  1. Log in to the AWS Management Console.

  2. Open the Elastic Beanstalk console and choose Environments.

  3. Select the environment that needs Managed Platform Updates enabled.

  4. Choose Configuration, locate the managed updates settings and choose Edit.

  5. Enable managed updates, choose a weekly update window (a day and UTC time when a short disruption is acceptable) and an update level (patch for patch releases only, minor for patch and minor releases), then apply the change.

  6. Verify the change on the Configuration page, and monitor the environment's Managed updates page for pending actions and the update history.

Using AWS CLI:

  1. Identify the environment name (see the Test Plan):

     aws elasticbeanstalk describe-environments --query 'Environments[].[ApplicationName,EnvironmentName]' --output table

  2. Enable managed updates, set the weekly maintenance window (Day:HH:MM, UTC) and choose the update level (patch or minor):

     aws elasticbeanstalk update-environment --environment-name <environment-name> --option-settings Namespace=aws:elasticbeanstalk:managedactions,OptionName=ManagedActionsEnabled,Value=true Namespace=aws:elasticbeanstalk:managedactions,OptionName=PreferredStartTime,Value=Sun:02:00 Namespace=aws:elasticbeanstalk:managedactions:platformupdate,OptionName=UpdateLevel,Value=minor

  3. Confirm that the settings are applied and list any update that is now scheduled:

     aws elasticbeanstalk describe-configuration-settings --application-name <application-name> --environment-name <environment-name> --query "ConfigurationSettings[0].OptionSettings[?starts_with(Namespace, 'aws:elasticbeanstalk:managedactions')]"

     aws elasticbeanstalk describe-environment-managed-actions --environment-name <environment-name>
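The following Python script is an added example, not part of this benchmark page and not an AWS-provided tool. It implements the Test Plan check over the OptionSettings structure that describe-configuration-settings returns (so it can be run against every environment in a region and unit-tested offline), and it builds the option-settings payload that the Implementation Plan passes to update-environment. The evaluation policy (a maintenance window is required and UpdateLevel must be patch or minor), the environment names and the sample option settings are this example's own assumptions; the audit_region function assumes boto3 is installed and AWS credentials are configured.

```python
"""Audit and remediate Elastic Beanstalk managed platform update settings.

evaluate() is pure Python over the OptionSettings list shape returned by
describe-configuration-settings, so it runs offline; audit_region() wraps it
with boto3 calls for a live account (assumed credentials and region).
"""
import re
from dataclasses import dataclass, field

NS_ACTIONS = "aws:elasticbeanstalk:managedactions"
NS_PLATFORM = "aws:elasticbeanstalk:managedactions:platformupdate"
# PreferredStartTime is a weekly window in Day:HH:MM form, UTC.
_WINDOW_RE = re.compile(r"^(Mon|Tue|Wed|Thu|Fri|Sat|Sun):([01]\d|2[0-3]):[0-5]\d$")


@dataclass
class Finding:
    environment: str
    compliant: bool
    reasons: list = field(default_factory=list)
    settings: dict = field(default_factory=dict)


def _managed_update_settings(option_settings):
    """Map {OptionName: Value} for the two managed-update namespaces only."""
    return {
        o["OptionName"]: o.get("Value")
        for o in option_settings
        if o.get("Namespace") in (NS_ACTIONS, NS_PLATFORM)
    }


def evaluate(environment, option_settings, require_instance_refresh=False):
    """Decide whether one environment passes the check.

    Policy (this example's assumption, mirroring the Test Plan): managed
    updates enabled, a valid weekly window, UpdateLevel 'patch' or 'minor'.
    Weekly instance refresh is only required when the caller asks for it.
    """
    s = _managed_update_settings(option_settings)
    reasons = []
    if str(s.get("ManagedActionsEnabled", "false")).lower() != "true":
        reasons.append("ManagedActionsEnabled is not true")
    window = s.get("PreferredStartTime")
    if not window or not _WINDOW_RE.match(window):
        reasons.append("PreferredStartTime is missing or not in Day:HH:MM form")
    if s.get("UpdateLevel") not in ("patch", "minor"):
        reasons.append("UpdateLevel is not 'patch' or 'minor'")
    if require_instance_refresh and str(s.get("InstanceRefreshEnabled", "false")).lower() != "true":
        reasons.append("InstanceRefreshEnabled is not true")
    return Finding(environment, not reasons, reasons, s)


def build_enable_settings(preferred_start="Sun:02:00", update_level="minor", instance_refresh=False):
    """OptionSettings payload for update-environment that turns managed updates on."""
    if update_level not in ("patch", "minor"):
        raise ValueError("update_level must be 'patch' or 'minor'")
    if not _WINDOW_RE.match(preferred_start):
        raise ValueError("preferred_start must look like 'Sun:02:00' (UTC)")
    return [
        {"Namespace": NS_ACTIONS, "OptionName": "ManagedActionsEnabled", "Value": "true"},
        {"Namespace": NS_ACTIONS, "OptionName": "PreferredStartTime", "Value": preferred_start},
        {"Namespace": NS_PLATFORM, "OptionName": "UpdateLevel", "Value": update_level},
        {"Namespace": NS_PLATFORM, "OptionName": "InstanceRefreshEnabled",
         "Value": "true" if instance_refresh else "false"},
    ]


def audit_region(region_name, remediate=False, **policy):
    """Live audit (and optional remediation) of every environment in a region."""
    import boto3  # imported lazily so evaluate() stays usable offline
    eb = boto3.client("elasticbeanstalk", region_name=region_name)
    findings = []
    for env in eb.describe_environments(IncludeDeleted=False)["Environments"]:
        cfg = eb.describe_configuration_settings(
            ApplicationName=env["ApplicationName"],
            EnvironmentName=env["EnvironmentName"],
        )["ConfigurationSettings"][0]
        finding = evaluate(env["EnvironmentName"], cfg["OptionSettings"], **policy)
        if remediate and not finding.compliant:
            eb.update_environment(EnvironmentName=env["EnvironmentName"],
                                  OptionSettings=build_enable_settings())
        findings.append(finding)
    return findings


# Constructed sample data in the shape describe-configuration-settings returns.
SAMPLE_COMPLIANT = [
    {"Namespace": NS_ACTIONS, "OptionName": "ManagedActionsEnabled", "Value": "true"},
    {"Namespace": NS_ACTIONS, "OptionName": "PreferredStartTime", "Value": "Sun:02:00"},
    {"Namespace": NS_ACTIONS, "OptionName": "ServiceRoleForManagedUpdates", "Value": "aws-elasticbeanstalk-service-role"},
    {"Namespace": NS_PLATFORM, "OptionName": "UpdateLevel", "Value": "minor"},
    {"Namespace": NS_PLATFORM, "OptionName": "InstanceRefreshEnabled", "Value": "false"},
    {"Namespace": "aws:autoscaling:launchconfiguration", "OptionName": "InstanceType", "Value": "t3.micro"},
]
SAMPLE_DISABLED = [
    {"Namespace": NS_ACTIONS, "OptionName": "ManagedActionsEnabled", "Value": "false"},
    {"Namespace": NS_PLATFORM, "OptionName": "UpdateLevel", "Value": "patch"},
]

if __name__ == "__main__":
    for name, opts in (("prod-web", SAMPLE_COMPLIANT), ("staging-web", SAMPLE_DISABLED)):
        f = evaluate(name, opts)
        print(f"{name}: {'PASS' if f.compliant else 'FAIL'} {f.reasons}")
```

Run the file directly to exercise the sample data; call audit_region("eu-west-1") (or any region) from a credentialed session to audit live environments, and pass remediate=True only after agreeing the default window and update level used by build_enable_settings with the environment owners.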

Backout Plan:

Using the AWS Console:

  1. If a managed update causes problems, revert the configuration change by disabling Managed Platform Updates for the environment.

  2. Open the environment, choose Configuration, locate the managed updates settings, choose Edit and disable managed updates, then apply the change.

  3. Verify on the environment's Managed updates page that no further actions are scheduled.

  4. If necessary, apply platform updates manually at your convenience by choosing a platform version on the environment's Dashboard (Change under Platform) and reviewing the release notes first.

Using AWS CLI:

  1. To disable Managed Platform Updates for the environment, run:

     aws elasticbeanstalk update-environment --environment-name <environment-name> --option-settings Namespace=aws:elasticbeanstalk:managedactions,OptionName=ManagedActionsEnabled,Value=false

  2. Verify that the setting has been reverted and that no managed action remains scheduled:

     aws elasticbeanstalk describe-configuration-settings --application-name <application-name> --environment-name <environment-name> --query "ConfigurationSettings[0].OptionSettings[?OptionName=='ManagedActionsEnabled']"

     aws elasticbeanstalk describe-environment-managed-actions --environment-name <environment-name>

  3. If a platform update must still be applied manually, specify the target platform version explicitly:

     aws elasticbeanstalk update-environment --environment-name <environment-name> --platform-arn <platform-arn>

References:

  • AWS Elastic Beanstalk Developer Guide, Managed platform updates: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/environment-platform-update-managed.html

CIS Controls:

  Version   Control ID   Control Description

  v8        7.3          Perform Automated Operating System Patch Management

  v8        7.4          Perform Automated Application Patch Management

  v7        3.4          Deploy Automated Operating System Patch Management Tools

  v7        3.5          Deploy Automated Software Patch Management Tools