turbot/aws_compliance

Control: 2 All EC2 instances managed by Systems Manager should be compliant with patching requirements

Description

This control checks whether the Amazon EC2 Systems Manager patch compliance status of an instance is COMPLIANT or NON_COMPLIANT after patches have been installed on it. It evaluates only instances that are managed by Systems Manager Patch Manager; EC2 instances that are not managed by Systems Manager are not evaluated at all, so a passing result does not cover them.

Having your EC2 instances fully patched as required by your organization reduces the attack surface of your AWS accounts.

Remediation

To remediate this issue, install the required patches on your noncompliant instances.

To remediate noncompliant patches

  1. Open the AWS Systems Manager console.
  2. Under Instances & Nodes, choose Run Command and then choose Run command.
  3. Choose the button next to AWS-RunPatchBaseline.
  4. Change the Operation to Install.
  5. Choose Choose instances manually and then choose the noncompliant instances.
  6. At the bottom of the page, choose Run.
  7. After the command is complete, to monitor the new compliance status of your patched instances, in the navigation pane, choose Compliance.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_ssm_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_ssm_2 --share

SQL

This control uses a named query:

ssm_managed_instance_compliance_patch_compliant
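The following SQL is an added illustration of how a query of this shape can be written against Steampipe, and of how the same data supplies the target list for the remediation steps above; it is not the mod's own ssm_managed_instance_compliance_patch_compliant query. It assumes the Steampipe AWS plugin table aws_ssm_managed_instance_compliance with the columns resource_id, compliance_type, status, title, severity, region and account_id, and it uses the resource / status / reason column convention that Powerpipe controls consume.

```sql
-- Added example, not the mod's query. Assumes the Steampipe AWS plugin table
-- aws_ssm_managed_instance_compliance with the columns used below.

-- 1. Control-style query: one row per (instance, patch) compliance item.
--    Only instances managed by Systems Manager have rows here, so anything
--    outside Patch Manager is silently absent rather than reported.
select
  c.resource_id as resource,
  case
    when c.status = 'COMPLIANT' then 'ok'
    else 'alarm'
  end as status,
  c.resource_id || ' patch ' || c.title || ' is '
    || case when c.status = 'COMPLIANT' then 'compliant.' else 'non-compliant.' end
    as reason,
  c.severity,
  c.region,
  c.account_id
from
  aws_ssm_managed_instance_compliance as c
where
  c.compliance_type = 'Patch';

-- 2. Remediation helper: distinct non-compliant instance IDs per region, with
--    the number of missing patches and how many of them are rated CRITICAL.
--    The instance_id column is the list to select in Run Command when running
--    AWS-RunPatchBaseline with Operation set to Install.
select
  c.resource_id as instance_id,
  c.region,
  c.account_id,
  count(*) as noncompliant_patches,
  count(*) filter (where c.severity = 'CRITICAL') as critical_missing
from
  aws_ssm_managed_instance_compliance as c
where
  c.compliance_type = 'Patch'
  and c.status <> 'COMPLIANT'
group by
  c.resource_id,
  c.region,
  c.account_id
order by
  critical_missing desc,
  noncompliant_patches desc;
```

Run either statement from steampipe query; the second is useful to re-run after the Run Command completes, since an empty result set confirms the patched instances have returned to COMPLIANT.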

Tags