Profile Applicability:
Level 1
Description:
Windows Server-based Lightsail instances are critical for running various applications and services. To ensure the security of these instances, it is essential to keep them updated with the latest security patches. Regular patching helps protect against known vulnerabilities and exploits, ensuring that your instances are resilient against cyber threats.
Rationale:
Keeping your Windows Server-based Lightsail instances updated ensures that:
Security vulnerabilities are patched promptly to prevent exploitation.
The system remains secure against the latest threats and exploits.
Compliance with security best practices and regulatory standards is maintained.
Default Value:
By default, Windows Server-based Lightsail instances do not automatically install security patches unless configured to do so. Manual updates or configuration adjustments are required to ensure regular patching.
Impact:
Pros:
Enhanced security by reducing the risk of exploitation from unpatched vulnerabilities.
Compliance with internal security policies and industry regulations.
Improved system stability and performance by addressing known issues and vulnerabilities.
Cons:
Requires regular manual intervention or scheduling to ensure updates are applied.
Updates may cause temporary service interruptions or require system reboots.
Remediation:
Test Plan:
Using AWS Console:
Log in to the AWS Console.
Navigate to Lightsail under Compute.
Go to the Instances tab and select the Windows Server instance you want to update.
Click on the Networking tab to ensure that the instance has internet access for downloading updates.
Use Remote Desktop (RDP) to connect to the Windows Server instance.
Once logged in, open Windows Update from the Start menu and check for updates.
Apply any critical and security updates, and ensure that the instance is up-to-date.
Restart the instance if required for the updates to take effect.
Using AWS CLI:
Run the following command to list all your Lightsail instances:
aws lightsail get-instances
Identify the Windows Server instance to update and connect to it via RDP.
Once connected, open Windows Update and check for the latest security updates.
Apply the updates and reboot the instance as needed.
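The Windows Update check in the test plan can also be scripted on the instance itself. The PowerShell below is an added example, not part of the original benchmark text; it queries the Windows Update Agent COM API for missing security and critical updates, and the 30-day threshold (`$MaxAgeDays`) is an assumed value.

```powershell
# Added example: audit patch state on a Windows Server instance.
# Run in an elevated PowerShell session on the instance (for example over RDP).
$MaxAgeDays = 30   # assumed threshold; adjust to your patch policy

# Ask the Windows Update Agent for applicable updates that are not installed.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
try {
    $result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
} catch {
    # The search fails when the update service cannot be reached.
    Write-Error "Update search failed (check the instance's internet access): $($_.Exception.Message)"
    exit 2
}

# Keep only updates classified as Security Updates or Critical Updates.
$wanted  = 'Security Updates', 'Critical Updates'
$missing = @($result.Updates | Where-Object {
    @($_.Categories | Where-Object { $wanted -contains $_.Name }).Count -gt 0
})

# Date of the most recently installed hotfix (InstalledOn can be empty).
$last = Get-HotFix | Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
$ageDays = if ($last) { [int]((Get-Date) - $last.InstalledOn).TotalDays } else { $null }

# True when installed updates are still waiting for a restart.
$rebootPending = (New-Object -ComObject Microsoft.Update.SystemInfo).RebootRequired

# Report what is missing, then the overall result.
$missing | ForEach-Object {
    [pscustomobject]@{
        KB       = ($_.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Severity = $_.MsrcSeverity
        Title    = $_.Title
    }
} | Format-Table -AutoSize -Wrap

"Missing security/critical updates: $($missing.Count)"
"Last hotfix installed: $(if ($last) { '{0:yyyy-MM-dd} ({1} days ago)' -f $last.InstalledOn, $ageDays } else { 'unknown' })"
"Reboot pending: $rebootPending"

$compliant = ($missing.Count -eq 0) -and (-not $rebootPending) -and
             ($null -ne $ageDays) -and ($ageDays -le $MaxAgeDays)
if ($compliant) { 'RESULT: PASS'; exit 0 } else { 'RESULT: FAIL'; exit 1 }
```

Exit code 0 means no security or critical updates are missing, no reboot is pending, and the last hotfix is within the threshold; exit code 2 means the update search itself could not run.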
Implementation Plan:
Using AWS Console:
Log in to the AWS Console.
Navigate to Lightsail and select Instances.
Choose the Windows Server instance that needs updating.
Use RDP to connect to the instance and apply the latest security patches via Windows Update.
Restart the instance to complete the update process.
Using AWS CLI:
Connect to the Windows Server instance using RDP.
Open Windows Update and check for available security patches.
Install the updates and reboot the instance as necessary.
Backout Plan:
Using AWS Console:
If any issues arise after the updates, log in to the AWS Console.
Navigate to Lightsail and choose the affected Windows Server instance.
If necessary, revert to a previous snapshot of the instance to restore the state before updates.
Reapply updates selectively, ensuring that they do not cause further disruptions.
Using AWS CLI:
Revert to a previous snapshot of the instance if issues arise after the update.
Run the following command to restore from a snapshot:
aws lightsail create-instances-from-snapshot --instance-names <new-instance-name> --instance-snapshot-name <snapshot-name> --availability-zone <availability-zone> --bundle-id <bundle-id>
References:
CIS Controls: