AWS re/Start Lab · Security

Systems Hardening with Patch Manager via AWS Systems Manager

This lab uses AWS Systems Manager Patch Manager to automate operating-system patching. It covers configuring default and custom patch baselines, applying patches to instances selected by tag, and verifying fleet-wide compliance.

Lab Summary

Utilized AWS Systems Manager to automate systems hardening. Verified managed nodes in Fleet Manager, created a custom Windows patch baseline, assigned instances using Patch Groups, and reported on fleet compliance.

Patch Baselines & Groups

Applied default baselines to Amazon Linux resources and configured a custom security baseline specifically for Windows instances via the Systems Manager console.

Compliance Reporting

Executed patch operations across the fleet based on assigned tags and utilized the compliance dashboard to verify that all deployed instances met software requirements.

Step-by-Step Walkthrough

Detailed documentation on configuring Patch Manager and applying system updates.

01

Patch Linux instances using default baselines

  • Navigated to Fleet Manager in Systems Manager to review the pre-configured Linux and Windows managed nodes.
  • Opened the details for the Linux-1 node to verify its platform properties and associated IAM roles.
  • Navigated to Patch Manager and executed a Patch now operation targeting the LinuxProd instances using the default Amazon Linux 2 baseline.

02

Create a custom patch baseline for Windows instances

  • Created a new patch baseline tailored for Windows Server 2019 focusing solely on Critical and Important security updates.
  • Set auto-approval conditions to 3 days post-release.
  • Associated the new baseline with the patch group WindowsProd to ensure that updates are appropriately scoped.

03

Patching the Windows instances

  • Navigated to the EC2 console to add the Patch Group: WindowsProd tag to the corresponding Windows instances.
  • Executed a Patch now operation targeting the instances by their WindowsProd tag.
  • Reviewed the Run Command execution output to confirm that the RunPatchBaseline SSM document applied the updates to the instances.

04

Verifying compliance

  • Assessed the organizational Compliance summary in Patch Manager to confirm all targeted instances achieved compliant status post-patching.
  • Checked the node patching details to confirm that the critical and security noncompliant counts had been cleared.
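As an added example (not part of the lab's own material), steps 02 to 04 expressed with boto3: the custom Windows baseline request, registration to the WindowsProd patch group, the tag-targeted AWS-RunPatchBaseline command, and a check over the compliance counts the lab verified in step 04. The baseline name, instance IDs and sample patch states are constructed; the live calls in main() need boto3 and AWS credentials, everything else runs offline.

```python
from typing import Dict, List

PATCH_GROUP = "WindowsProd"  # value of the "Patch Group" tag used in the lab

def build_baseline_request(name: str) -> Dict:
    """ssm.create_patch_baseline body: WS2019, Critical/Important security updates, 3-day auto-approval."""
    return {
        "Name": name,
        "OperatingSystem": "WINDOWS",
        "ApprovalRules": {"PatchRules": [{
            "PatchFilterGroup": {"PatchFilters": [
                {"Key": "PRODUCT", "Values": ["WindowsServer2019"]},
                {"Key": "CLASSIFICATION", "Values": ["CriticalUpdates", "SecurityUpdates"]},
                {"Key": "MSRC_SEVERITY", "Values": ["Critical", "Important"]},
            ]},
            "ComplianceLevel": "CRITICAL",  # missing patches approved by this rule count as critical non-compliance
            "ApproveAfterDays": 3,
        }]},
    }

def noncompliant_nodes(patch_states: List[Dict]) -> List[str]:
    """Instance IDs still showing critical/security gaps or failed installs (InstancePatchStates items)."""
    return [s["InstanceId"] for s in patch_states
            if s.get("CriticalNonCompliantCount", 0)
            or s.get("SecurityNonCompliantCount", 0)
            or s.get("FailedCount", 0)]

# Constructed sample shaped like describe_instance_patch_states output; not data from a real account.
SAMPLE_PATCH_STATES = [
    {"InstanceId": "i-0aaa", "CriticalNonCompliantCount": 0, "SecurityNonCompliantCount": 0},
    {"InstanceId": "i-0bbb", "CriticalNonCompliantCount": 0, "SecurityNonCompliantCount": 2},
    {"InstanceId": "i-0ccc", "FailedCount": 1},
]

def main() -> None:
    import boto3  # imported here so the functions above run without AWS access
    ssm = boto3.client("ssm")
    baseline_id = ssm.create_patch_baseline(**build_baseline_request("WindowsProd-Security"))["BaselineId"]
    ssm.register_patch_baseline_for_patch_group(BaselineId=baseline_id, PatchGroup=PATCH_GROUP)
    ssm.send_command(DocumentName="AWS-RunPatchBaseline",
                     Targets=[{"Key": "tag:Patch Group", "Values": [PATCH_GROUP]}],
                     Parameters={"Operation": ["Install"], "RebootOption": ["RebootIfNeeded"]})
    # Patch state reflects the last finished run: wait for the command to complete before reading it.
    states = ssm.describe_instance_patch_states_for_patch_group(PatchGroup=PATCH_GROUP)
    print("still non-compliant:", noncompliant_nodes(states["InstancePatchStates"]))

if __name__ == "__main__":
    main()
```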

Key Learnings

What Was Actually Learned

  • How to apply Default Patch Baselines for Linux fleets programmatically.
  • How to configure custom Windows Patch Baselines based on patch severity criteria using AWS Systems Manager.
  • How to accurately target patching operations by utilizing resource tags like Patch Groups.
  • How to verify the security posture of an entire environment via the Compliance reporting dashboard.

Technical Conclusion

This lab highlighted how AWS Systems Manager centralizes patching operations for heterogeneous server fleets. By abstracting OS-level interactions into Patch Groups and Baselines, the patching process replaces manual node-by-node updates.

Combining Run Command with resource tagging lets administrators implement precise update schedules for specific environments (e.g., prod vs. dev), greatly reducing the scope for human error and allowing compliance to be validated immediately at an organizational scale.