Control: SSM.2 All EC2 instances managed by Systems Manager should be compliant with patching requirements
Description
This control checks whether the Systems Manager Patch Manager compliance status of an Amazon EC2 instance is COMPLIANT or NON_COMPLIANT after patches have been installed on the instance. Only instances managed by Systems Manager Patch Manager are evaluated; an instance that is not managed by Systems Manager produces no finding at all, so it is outside the scope of this control rather than reported as failing.
Keeping EC2 instances patched to the level your organization requires reduces the attack surface of your AWS accounts.
Remediation
To remediate this issue, install the required patches on your noncompliant instances.
To remediate noncompliant patches
- Open the AWS Systems Manager console.
- Under Instances & Nodes, choose Run Command and then choose Run command.
- Choose the button next to AWS-RunPatchBaseline.
- Change the Operation to Install.
- Choose Choose instances manually and then choose the noncompliant instances.
- At the bottom of the page, choose Run.
- After the command is complete, to monitor the new compliance status of your patched instances, in the navigation pane, choose Compliance.
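The same remediation driven from the AWS CLI instead of the console. This is an added example, not part of the original page or the aws_compliance mod: it assumes AWS CLI v2 with credentials and a default region that allow the SSM calls below (send-command, wait command-executed, list-compliance-items, list-resource-compliance-summaries). The function names are the example's own. It runs the same AWS-RunPatchBaseline document with Operation=Install that the console steps use, waits for each invocation, and then re-reads the Patch compliance items that the console Compliance page (and the control's query) report. RebootOption=RebootIfNeeded is the document's default, spelled out so the reboot behaviour is explicit. Only EC2 instance IDs (i-...) are accepted, because that is what this control is about.

```shell
#!/bin/sh
# Added example: CLI remediation for SSM.2 (not the original page's code).
# Assumes AWS CLI v2 and credentials/region that permit the SSM calls used here.
set -eu

# Build the --targets argument for send-command from instance IDs, e.g.
#   patch_targets_arg i-0a... i-0b...  ->  Key=InstanceIds,Values=i-0a...,i-0b...
# Every ID must look like an EC2 instance ID; anything else is rejected so that
# typos or stray text never reach send-command.
patch_targets_arg() {
  [ "$#" -gt 0 ] || return 1
  for id in "$@"; do
    printf '%s' "$id" | grep -Eq '^i-[0-9a-f]{8,17}$' || return 1
  done
  printf 'Key=InstanceIds,Values=%s' "$(IFS=,; printf '%s' "$*")"
}

# Instance IDs currently reported NON_COMPLIANT for the Patch compliance type.
list_noncompliant_instances() {
  aws ssm list-resource-compliance-summaries \
    --filters Key=ComplianceType,Values=Patch,Type=EQUAL \
              Key=Status,Values=NON_COMPLIANT,Type=EQUAL \
    --query 'ResourceComplianceSummaryItems[].ResourceId' --output text
}

# Run AWS-RunPatchBaseline with Operation=Install (the console's "Install"
# operation) against the given instances; prints the command ID.
install_patches() {
  aws ssm send-command \
    --document-name AWS-RunPatchBaseline \
    --parameters '{"Operation":["Install"],"RebootOption":["RebootIfNeeded"]}' \
    --targets "$(patch_targets_arg "$@")" \
    --query 'Command.CommandId' --output text
}

# Block until the invocation on one instance has finished; exits non-zero if
# the invocation failed or timed out.
wait_for_command() {
  aws ssm wait command-executed --command-id "$1" --instance-id "$2"
}

# Patch compliance items for one instance after the install, as "<id> <status>"
# lines; this is the data the control's query evaluates.
patch_compliance_status() {
  aws ssm list-compliance-items \
    --resource-ids "$1" --resource-types ManagedInstance \
    --filters Key=ComplianceType,Values=Patch,Type=EQUAL \
    --query 'ComplianceItems[].[Id,Status]' --output text
}

# Usage: ./remediate_ssm_2.sh i-0123456789abcdef0 [i-...]
# With no arguments the script only defines the functions above.
if [ "$#" -gt 0 ]; then
  cmd_id=$(install_patches "$@")
  echo "AWS-RunPatchBaseline Install started, command id: $cmd_id"
  for instance in "$@"; do
    wait_for_command "$cmd_id" "$instance"
    echo "Patch compliance for $instance:"
    patch_compliance_status "$instance"
  done
fi
```

To remediate everything the control currently flags, feed `list_noncompliant_instances` into the script; Patch Manager only refreshes the compliance items after the Install operation completes, so re-run the control only once `wait_for_command` has returned for every instance.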
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_ssm_2
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_ssm_2 --share
SQL
This control uses a named query:
select
  -- one row per Patch compliance item (one patch on one instance), keyed by the item id
  id as resource,
  case
    when c.status = '' then 'skip'          -- no status reported for this item
    when c.status = 'COMPLIANT' then 'ok'
    else 'alarm'                            -- NON_COMPLIANT or any other status
  end as status,
  case
    when c.status = '' then 'Patch is not applicable for instance ' || i.title || '.'
    when c.status = 'COMPLIANT' then c.resource_id || ' patch ' || c.title || ' is compliant.'
    else c.resource_id || ' patch ' || c.title || ' is non-compliant.'
  end as reason,
  c.region,
  c.account_id
from
  aws_ssm_managed_instance as i,
  aws_ssm_managed_instance_compliance as c
where
  c.resource_id = i.instance_id             -- inner join: only instances that have compliance items
  and c.compliance_type = 'Patch';          -- ignore Association and custom compliance types
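The inner join above means an instance that Systems Manager manages but that Patch Manager has never produced a Patch compliance item for yields no row: it is neither ok nor alarm, it is simply absent from the report, which is exactly the instance most likely to be unpatched. The following query is an added example, not the mod's own, that keeps every managed instance and marks such instances as info so they are visible; it uses the same two Steampipe tables and columns as the control's query and reports one row per instance or per Patch compliance item.

```sql
-- Added example (not the control's own query): LEFT JOIN variant that also
-- surfaces SSM-managed instances with no Patch compliance item at all.
select
  i.instance_id as resource,
  case
    when c.status is null then 'info'       -- managed by SSM, but no Patch compliance item exists
    when c.status = '' then 'skip'
    when c.status = 'COMPLIANT' then 'ok'
    else 'alarm'
  end as status,
  case
    when c.status is null then i.title || ' has no Patch Manager compliance data.'
    when c.status = '' then 'Patch is not applicable for instance ' || i.title || '.'
    when c.status = 'COMPLIANT' then i.instance_id || ' patch ' || c.title || ' is compliant.'
    else i.instance_id || ' patch ' || c.title || ' is non-compliant.'
  end as reason,
  i.region,
  i.account_id
from
  aws_ssm_managed_instance as i
  left join aws_ssm_managed_instance_compliance as c
    on c.resource_id = i.instance_id
    and c.compliance_type = 'Patch';
```

The compliance_type condition sits in the join rather than the where clause on purpose: placing it in where would turn the left join back into an inner join and drop the unscanned instances again. Instances that have never registered with Systems Manager are still invisible to both queries; that gap has to be closed with an EC2-side inventory check, not with this control.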