Patch Installation Should Be Done On Systems Manager
More Info:
This rule checks if the compliance status of the AWS Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance. The rule is compliant if the field status is COMPLIANT.Risk Level
MediumAddress
SecurityCompliance Standards
CBP,RBI_MD_ITF,RBI_UCBTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration of patch installation not being done on Systems Manager for AWS EC2 instances, follow these steps using the AWS Management Console:
-
Access AWS Systems Manager Console:
- Log in to your AWS account and navigate to the AWS Management Console.
- Go to the Systems Manager service by typing “Systems Manager” in the search bar and selecting it.
-
Create a Patch Baseline:
- In the Systems Manager console, navigate to the left-hand menu and click on “Patch Manager” under the “Actions” section.
- Click on “Patch Baselines” in the left-hand menu and then click on the “Create patch baseline” button.
- Enter a name and description for the patch baseline, and configure the patch rules according to your requirements.
- Click on the “Create patch baseline” button to save the configuration.
-
Create a Patch Group:
- In the Systems Manager console, navigate to the left-hand menu and click on “Patch Manager” under the “Actions” section.
- Click on “Patch Groups” in the left-hand menu and then click on the “Create patch group” button.
- Enter a name for the patch group and select the instances that you want to include in this group.
- Click on the “Create patch group” button to save the configuration.
-
Schedule Patching:
- In the Systems Manager console, navigate to the left-hand menu and click on “Patch Manager” under the “Actions” section.
- Click on “Patch Manager” in the left-hand menu and then click on the “Patch now” button.
- Select the patch baseline and patch group that you created in the previous steps.
- Configure the schedule for patching according to your requirements and click on the “Patch now” button to initiate the patching process.
-
Monitor Patching Progress:
- In the Systems Manager console, navigate to the left-hand menu and click on “Patch Manager” under the “Actions” section.
- Click on “Patch Manager” in the left-hand menu to view the patching status of your instances.
- Monitor the progress of patch installation and ensure that all instances are successfully patched.
Using CLI
Using CLI
To remediate the misconfiguration of patch installation not being done on Systems Manager for AWS EC2 instances using AWS CLI, follow these steps:
-
Install and configure AWS CLI:
- If you haven’t already installed the AWS CLI, you can follow the instructions here: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html
-
Identify the EC2 instances that need patching:
- You can list all EC2 instances in your AWS account using the following AWS CLI command:
- You can list all EC2 instances in your AWS account using the following AWS CLI command:
-
Attach an IAM role with the necessary permissions to the EC2 instances:
- Create an IAM role with the necessary permissions for Systems Manager. You can create a role with the
AmazonSSMManagedInstanceCoremanaged policy attached. - Attach this IAM role to the EC2 instances that need patching. You can do this by modifying the instance attributes using the AWS CLI:
- Create an IAM role with the necessary permissions for Systems Manager. You can create a role with the
-
Install the SSM Agent on the EC2 instances:
- The Systems Manager requires the SSM Agent to be installed on the EC2 instances. You can automate the installation process using AWS Systems Manager Run Command or manually install the agent on each instance. Here is an example of how to install the agent using AWS Systems Manager Run Command:
- The Systems Manager requires the SSM Agent to be installed on the EC2 instances. You can automate the installation process using AWS Systems Manager Run Command or manually install the agent on each instance. Here is an example of how to install the agent using AWS Systems Manager Run Command:
-
Configure Patch Baseline in Systems Manager:
- Create a patch baseline in AWS Systems Manager to define the patching schedule and rules for your EC2 instances. You can do this using the AWS Management Console or AWS CLI.
- Here is an example of how to create a patch baseline using AWS CLI:
-
Schedule patching for EC2 instances:
- You can schedule patching for your EC2 instances by creating a maintenance window in AWS Systems Manager and associating it with the patch baseline you created. You can do this using the AWS Management Console or AWS CLI.
- Here is an example of how to create a maintenance window using AWS CLI:
Using Python
Using Python
To remediate the misconfiguration of not having patch installations done on AWS EC2 instances using Systems Manager, you can use the following Python script to automate the process:
- Install the necessary Python libraries:
- Use the following Python script to create a patch baseline and schedule patch installations for your EC2 instances:
-
Replace the following placeholders in the script:
INSTANCE_ID_1,INSTANCE_ID_2: Replace these with the actual EC2 instance IDs for which you want to schedule patch installations.MAINTENANCE_WINDOW_ID: Replace this with the ID of the maintenance window in which you want to schedule the patch installations.MAINTENANCE_WINDOW_ROLE_ARN: Replace this with the ARN of the IAM role that has permissions to run Systems Manager tasks in the maintenance window.DOCUMENT_HASH: Replace this with the hash of the AWS-RunPatchBaseline document. You can get this from the Systems Manager Documents page in the AWS Management Console.
- Run the Python script to create a patch baseline, register the EC2 instances in a patch group, and schedule patch installations using Systems Manager.