lacework-global-396
Amazon EC2 instances managed by Systems Manager (SSM) should have a patch compliance status of COMPLIANT after a patch installation (Manual)
Description
This control checks whether each EC2 instance managed by Systems Manager has a Patch Manager compliance status of COMPLIANT after a patch installation has run on it. An instance with missing or failed patches carries known, fixable vulnerabilities; patching your instances as required by your organization's baseline reduces the attack surface of your AWS accounts.
Remediation
From the AWS console:
- Log in to the AWS Management Console.
- Click Services.
- Select Management & Governance > Systems Manager.
- In the navigation pane, under Node Management, click Run Command.
- Click Run a Command.
- Select AWS-RunPatchBaseline.
- Under Command parameters, update the Operation to Install.
- Under Target selection, select Choose instances manually and choose the non-compliant instances.
- Click Run.
From the CLI (the console steps above correspond to sending the AWS-RunPatchBaseline document with Operation=Install):
aws ssm send-command --document-name "AWS-RunPatchBaseline" --parameters '{"Operation":["Install"]}' --targets "Key=InstanceIds,Values=<instance_id>"
To target a whole patch group instead of individual instances, use --targets "Key=tag:Patch Group,Values=<patch_group_name>". Install reboots the instance when an installed patch requires it (RebootOption defaults to RebootIfNeeded), so run it in a maintenance window. Afterwards confirm the result; the instance is compliant only when MissingCount and FailedCount are both 0 and no patches are pending a reboot:
aws ssm describe-instance-patch-states --instance-ids <instance_id>
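The following is an added example, not Lacework's or AWS's own code, showing how to turn the output of describe-instance-patch-states into the list of non-compliant instances and the exact send-command call that the remediation steps describe. The SAMPLE_PATCH_STATES dictionary is a constructed stand-in for the JSON the AWS CLI returns; the instance IDs, baseline IDs, patch-group names and counts in it are placeholders.

```python
"""Decide which SSM-managed instances fail the SSM.2 patch compliance check and
build the AWS-RunPatchBaseline Install command that remediates them.

Added example, not Lacework's or AWS's own code. SAMPLE_PATCH_STATES is a
constructed stand-in for the JSON that `aws ssm describe-instance-patch-states`
returns; instance IDs, baseline IDs and patch-group names are placeholders.
"""
import json
import shlex

# Constructed sample in the shape of `aws ssm describe-instance-patch-states`
# output. Only the counters the compliance decision needs are included.
SAMPLE_PATCH_STATES = {
    "InstancePatchStates": [
        {"InstanceId": "i-0aaa111122223333a", "PatchGroup": "prod-web",
         "BaselineId": "pb-0123456789abcdef0", "Operation": "Scan",
         "InstalledCount": 142, "InstalledPendingRebootCount": 0,
         "InstalledRejectedCount": 0, "MissingCount": 0, "FailedCount": 0},
        {"InstanceId": "i-0bbb111122223333b", "PatchGroup": "prod-web",
         "BaselineId": "pb-0123456789abcdef0", "Operation": "Scan",
         "InstalledCount": 140, "InstalledPendingRebootCount": 0,
         "InstalledRejectedCount": 0, "MissingCount": 3, "FailedCount": 0},
        {"InstanceId": "i-0ccc111122223333c", "PatchGroup": "prod-db",
         "BaselineId": "pb-0fedcba9876543210", "Operation": "Install",
         "InstalledCount": 141, "InstalledPendingRebootCount": 2,
         "InstalledRejectedCount": 0, "MissingCount": 0, "FailedCount": 0},
        {"InstanceId": "i-0ddd111122223333d", "PatchGroup": "prod-db",
         "BaselineId": "pb-0fedcba9876543210", "Operation": "Install",
         "InstalledCount": 139, "InstalledPendingRebootCount": 0,
         "InstalledRejectedCount": 0, "MissingCount": 0, "FailedCount": 1},
    ]
}

# Patch states that Patch Manager reports as Non-Compliant. Missing and Failed
# are the obvious ones; InstalledPendingReboot and InstalledRejected also count
# as non-compliant, which is why an Install run that skipped the reboot can
# leave an instance still failing SSM.2.
NON_COMPLIANT_COUNTERS = (
    "MissingCount",
    "FailedCount",
    "InstalledPendingRebootCount",
    "InstalledRejectedCount",
)


def failing_counters(state):
    """Return the names of the non-compliant counters that are non-zero."""
    return [c for c in NON_COMPLIANT_COUNTERS if state.get(c, 0) > 0]


def compliance_status(state):
    """COMPLIANT or NON_COMPLIANT for a single InstancePatchStates entry."""
    return "NON_COMPLIANT" if failing_counters(state) else "COMPLIANT"


def non_compliant_instances(patch_states):
    """Map each non-compliant instance ID to the reasons it fails the check."""
    findings = {}
    for state in patch_states["InstancePatchStates"]:
        reasons = failing_counters(state)
        if reasons:
            findings[state["InstanceId"]] = reasons
    return findings


def reboot_only(state):
    """True when the only defect is patches installed and awaiting a reboot.

    Re-running Install with RebootOption=NoReboot would not change this; the
    instance needs a reboot (the default RebootIfNeeded performs it).
    """
    return failing_counters(state) == ["InstalledPendingRebootCount"]


def install_command(instance_ids, reboot_option="RebootIfNeeded"):
    """Build the `aws ssm send-command` call equivalent to the console steps.

    Parameters are passed as JSON, which is unambiguous for the document's
    map-of-list parameters; RebootIfNeeded is the document default.
    """
    if not instance_ids:
        raise ValueError("no non-compliant instances to target")
    parameters = {"Operation": ["Install"], "RebootOption": [reboot_option]}
    args = [
        "aws", "ssm", "send-command",
        "--document-name", "AWS-RunPatchBaseline",
        "--parameters", json.dumps(parameters),
        "--targets", "Key=InstanceIds,Values=" + ",".join(sorted(instance_ids)),
        "--comment", "SSM.2 remediation: install missing patches",
    ]
    return shlex.join(args)


if __name__ == "__main__":
    findings = non_compliant_instances(SAMPLE_PATCH_STATES)
    for state in SAMPLE_PATCH_STATES["InstancePatchStates"]:
        note = " (reboot pending)" if reboot_only(state) else ""
        print(f"{state['InstanceId']}: {compliance_status(state)}{note}")
    if findings:
        print(install_command(findings))
```

In practice you would feed the script the real JSON from aws ssm describe-instance-patch-states and run the printed command. Treat a non-zero FailedCount as something to investigate (repository access, disk space, a rejected patch) rather than simply retry, since a second Install run fails the same way.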
References
https://docs.aws.amazon.com/securityhub/latest/userguide/ssm-controls.html#ssm-2
https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-policies.html
https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-ssm-documents.html