Patch applications - AWS Prescriptive Guidance

Each Essential Eight control below is mapped to the corresponding implementation guidance in this guide, the relevant AWS resources, and the applicable AWS Well-Architected guidance.

Essential Eight control: An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.
  Implementation guidance:
    - Theme 1: Use managed services: Scan for vulnerabilities
    - Theme 2: Manage immutable infrastructure through secure pipelines: Implement vulnerability scanning
    - Theme 3: Manage mutable infrastructure with automation: Implement vulnerability scanning
  AWS resources:
    - Enable Amazon Inspector in all accounts in your organization
    - Configure enhanced scanning for Amazon ECR repositories by using Amazon Inspector
    - Build a vulnerability management program to triage and remediate security findings
  AWS Well-Architected guidance:
    - SEC06-BP01 Perform vulnerability management
    - SEC06-BP05 Automate compute protection
  Implementation guidance:
    - Theme 7: Centralise logging and monitoring: Centralise logs
  AWS resources:
    - Receive CloudTrail logs from multiple accounts
    - Send logs to a log archive account
    - Centralise CloudWatch Logs in an account for auditing and analysis (AWS blog post)
    - Centralize management of Amazon Inspector
    - Create an organisation-wide aggregator in AWS Config (AWS blog post)
    - Centralise management of Security Hub CSPM
    - Centralise management of GuardDuty
    - Consider using Security Lake
  AWS Well-Architected guidance:
    - SEC04-BP02 Capture logs, findings, and metrics in standardized locations

Essential Eight control: A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
  Implementation guidance:
    - Theme 1: Use managed services: Scan for vulnerabilities
    - Theme 2: Manage immutable infrastructure through secure pipelines: Implement vulnerability scanning
    - Theme 3: Manage mutable infrastructure with automation: Implement vulnerability scanning
  AWS resources:
    - Enable Amazon Inspector in all accounts in your organization
    - Configure enhanced scanning for Amazon ECR repositories by using Amazon Inspector
    - Build a vulnerability management program to triage and remediate security findings
  AWS Well-Architected guidance:
    - SEC06-BP01 Perform vulnerability management
    - SEC06-BP05 Automate compute protection

Essential Eight control: A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in internet-facing services.
  (Shares the implementation guidance, AWS resources, and AWS Well-Architected guidance listed under the "at least fortnightly ... other applications" control below.)

Essential Eight control: A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.
  Implementation guidance: See Technical example: Patch applications (ACSC website)
  AWS resources: Not applicable
  AWS Well-Architected guidance: Not applicable

Essential Eight control: A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in other applications.
  Implementation guidance:
    - Theme 1: Use managed services: Scan for vulnerabilities
    - Theme 2: Manage immutable infrastructure through secure pipelines: Implement vulnerability scanning
    - Theme 3: Manage mutable infrastructure with automation: Implement vulnerability scanning
  AWS resources:
    - Enable Amazon Inspector in all accounts in your organization
    - Configure enhanced scanning for Amazon ECR repositories by using Amazon Inspector
    - Build a vulnerability management program to triage and remediate security findings
  AWS Well-Architected guidance:
    - SEC06-BP01 Perform vulnerability management
    - SEC06-BP05 Automate compute protection

Essential Eight control: Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
  Implementation guidance:
    - Theme 1: Use managed services: Scan for vulnerabilities
    - Theme 2: Manage immutable infrastructure through secure pipelines: Implement vulnerability scanning
    - Theme 3: Manage mutable infrastructure with automation: Implement vulnerability scanning
  AWS resources:
    - Enable Amazon Inspector in all accounts in your organization
    - Configure enhanced scanning for Amazon ECR repositories by using Amazon Inspector
    - Build a vulnerability management program to triage and remediate security findings
  AWS Well-Architected guidance:
    - SEC06-BP01 Perform vulnerability management
  Implementation guidance:
    - Theme 3: Manage mutable infrastructure with automation: Automate patching
  AWS resources:
    - Enable Patch Manager in all accounts in your AWS organization
  AWS Well-Architected guidance:
    - SEC06-BP01 Perform vulnerability management
    - SEC06-BP05 Automate compute protection

Essential Eight control: Patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release, or within 48 hours if an exploit exists.
  Implementation guidance: See Technical example: Patch applications (ACSC website)
  AWS resources: Not applicable
  AWS Well-Architected guidance: Not applicable

Essential Eight control: Patches, updates or vendor mitigations for security vulnerabilities in other applications are applied within one month of release.
  Implementation guidance:
    - Theme 1: Use managed services: Scan for vulnerabilities
    - Theme 2: Manage immutable infrastructure through secure pipelines: Implement vulnerability scanning
    - Theme 3: Manage mutable infrastructure with automation: Implement vulnerability scanning
  AWS resources:
    - Enable Amazon Inspector in all accounts in your organization
    - Configure enhanced scanning for Amazon ECR repositories by using Amazon Inspector
    - Build a vulnerability management program to triage and remediate security findings
  AWS Well-Architected guidance:
    - SEC06-BP01 Perform vulnerability management
  Implementation guidance:
    - Theme 3: Manage mutable infrastructure with automation: Automate patching
  AWS resources:
    - Enable Patch Manager in all accounts in your AWS organization
  AWS Well-Architected guidance:
    - SEC06-BP01 Perform vulnerability management
    - SEC06-BP05 Automate compute protection

Essential Eight control: Applications that are no longer supported by vendors are removed.
  Implementation guidance:
    - Theme 8: Implement mechanisms for manual processes: Implement mechanisms to review and address compliance gaps
  AWS resources:
    - Consider using AWS Systems Manager Inventory to gain visibility into which instances are running software required by your software policy
  AWS Well-Architected guidance:
    - SEC06-BP02 Provision compute from hardened images