lacework-global-396

Amazon EC2 instances managed by Systems Manager (SSM) should have a patch compliance status of COMPLIANT after a patch installation (Manual)

Description

Patching your EC2 instances as required by your organization reduces the attack surface of your AWS accounts.

Remediation

From the AWS console:

  1. Log in to the AWS Management Console.
  2. Click Services.
  3. Select Management & Governance > Systems Manager.
  4. In the navigation pane, under Node Management, click Run Command.
  5. Click Run a Command.
  6. Select AWS-RunPatchBaseline.
  7. Under Command parameters, update the Operation to Install.
  8. Under Target selection, select Choose instances manually and choose the non-compliant instances.
  9. Click Run.

From the CLI:

Run the AWS-RunPatchBaseline document with the Install operation against the non-compliant instances, either by instance ID or by targeting a patch group tag:

aws ssm send-command --document-name "AWS-RunPatchBaseline" --instance-ids <instance_id> --parameters "Operation=Install"

aws ssm send-command --document-name "AWS-RunPatchBaseline" --targets "Key=tag:Patch Group,Values=<patch_group_name>" --parameters "Operation=Install"
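The remediation above targets "non-compliant instances" without saying how to find them. The following Python helper is an added example, not part of this policy page or of any AWS or Lacework code: it takes the JSON shape returned by `aws ssm describe-instance-patch-states` (the sample response below is constructed for illustration), picks out instances whose patch state is not COMPLIANT, and builds the matching AWS-RunPatchBaseline Install request for `ssm.send_command()` / `aws ssm send-command`. Treating pending-reboot and failed patches as non-compliant, not only missing ones, is an assumption made here so that the check is stricter than the bare MissingCount.

```python
"""Select SSM-managed EC2 instances that are not patch-compliant and build the
AWS-RunPatchBaseline Install request for them.

Added example; not part of the policy page or of any AWS code. The sample
response below is constructed to mirror the shape of
`aws ssm describe-instance-patch-states` output; real data would come from that
CLI call or from boto3's ssm.describe_instance_patch_states().
"""
from __future__ import annotations

import json

# Constructed sample: one compliant instance, one with missing patches, and one
# that installed patches but has failures and is still waiting on a reboot.
SAMPLE_PATCH_STATES = json.loads("""
{
  "InstancePatchStates": [
    {"InstanceId": "i-0aaa000000000001", "PatchGroup": "prod-linux",
     "InstalledCount": 120, "MissingCount": 0, "FailedCount": 0,
     "InstalledPendingRebootCount": 0, "Operation": "Scan"},
    {"InstanceId": "i-0aaa000000000002", "PatchGroup": "prod-linux",
     "InstalledCount": 98, "MissingCount": 7, "FailedCount": 0,
     "InstalledPendingRebootCount": 0, "Operation": "Scan"},
    {"InstanceId": "i-0aaa000000000003", "PatchGroup": "prod-linux",
     "InstalledCount": 119, "MissingCount": 0, "FailedCount": 1,
     "InstalledPendingRebootCount": 2, "Operation": "Install"}
  ]
}
""")

# Counters that mean the instance is not yet COMPLIANT. Assumption: missing,
# failed and pending-reboot patches all count as non-compliant.
NONCOMPLIANT_FIELDS = ("MissingCount", "FailedCount", "InstalledPendingRebootCount")


def is_compliant(state: dict) -> bool:
    """True when no baseline patch is missing, failed or pending a reboot."""
    return all(state.get(field, 0) == 0 for field in NONCOMPLIANT_FIELDS)


def noncompliant_instances(response: dict) -> list:
    """Instance IDs from a describe-instance-patch-states response that need an Install run."""
    return [s["InstanceId"] for s in response.get("InstancePatchStates", []) if not is_compliant(s)]


def build_patch_command(instance_ids: list, reboot: str = "RebootIfNeeded") -> dict:
    """Build the send-command request that runs AWS-RunPatchBaseline with Operation=Install.

    The keys match the keyword arguments of boto3 ssm.send_command(); the same
    values map to --document-name / --instance-ids / --parameters on the CLI.
    """
    if not instance_ids:
        raise ValueError("no instances to patch")
    return {
        "DocumentName": "AWS-RunPatchBaseline",
        "InstanceIds": sorted(instance_ids),
        "Parameters": {"Operation": ["Install"], "RebootOption": [reboot]},
        "Comment": "Remediation: install baseline patches on non-compliant instances",
    }


def as_cli(request: dict) -> str:
    """Render the request as the equivalent aws ssm send-command invocation."""
    params = ",".join(f"{k}={v[0]}" for k, v in request["Parameters"].items())
    return (
        "aws ssm send-command"
        f" --document-name {request['DocumentName']}"
        f" --instance-ids {' '.join(request['InstanceIds'])}"
        f' --parameters "{params}"'
    )


if __name__ == "__main__":
    targets = noncompliant_instances(SAMPLE_PATCH_STATES)
    print("non-compliant:", targets)
    print(as_cli(build_patch_command(targets)))
```

After the Install run completes, re-run `describe-instance-patch-states` (or `list-compliance-items` for the `Patch` compliance type) and confirm the same selection function returns an empty list; an instance that reports InstalledPendingRebootCount greater than zero still needs its reboot before Security Hub will mark it COMPLIANT.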

References

https://docs.aws.amazon.com/securityhub/latest/userguide/ssm-controls.html#ssm-2
https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-policies.html
https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-ssm-documents.html