
Patch operating systems - AWS Prescriptive Guidance

Patch operating systems

The table below maps each Essential Eight control for this mitigation strategy to the implementation guidance in this guide, the relevant AWS resources, and the related AWS Well-Architected security best practices. Columns: Essential Eight control | Implementation guidance | AWS resources | AWS Well-Architected guidance.

Essential Eight control: Patches, updates or vendor mitigations for security vulnerabilities in operating systems of internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.

  Implementation guidance: Theme 2: Manage immutable infrastructure through secure pipelines: Implement AMI and container build pipelines
  AWS resources: Use EC2 Image Builder and build in:
    - Share AMIs with the entire organization
    - Make sure that application teams are referencing the latest AMIs
    - Use your AMI pipeline for patch management
  AWS Well-Architected guidance:
    - SEC01-BP05 Reduce security management scope
    - SEC06-BP01 Perform vulnerability management
    - SEC06-BP03 Reduce manual management and interactive access

  Implementation guidance:
    - Theme 1: Use managed services: Enable patching
    - Theme 3: Manage mutable infrastructure with automation: Automate patching
  AWS resources: Enable Patch Manager in all accounts in your AWS organization
  AWS Well-Architected guidance:
    - SEC06-BP01 Perform vulnerability management
    - SEC06-BP05 Automate compute protection

Essential Eight control: Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within two weeks of release, or within 48 hours if an exploit exists.

  Implementation guidance: Theme 2: Manage immutable infrastructure through secure pipelines: Implement AMI and container build pipelines
  AWS resources: Use EC2 Image Builder and build in:
    - Share AMIs with the entire organization
    - Make sure that application teams are referencing the latest AMIs
    - Use your AMI pipeline for patch management
  AWS Well-Architected guidance:
    - SEC01-BP05 Reduce security management scope
    - SEC06-BP01 Perform vulnerability management
    - SEC06-BP02 Provision compute from hardened images

  Implementation guidance:
    - Theme 1: Use managed services: Enable patching
    - Theme 3: Manage mutable infrastructure with automation: Automate patching
  AWS resources: Enable Patch Manager in all accounts in your AWS organization
  AWS Well-Architected guidance:
    - SEC06-BP01 Perform vulnerability management
    - SEC06-BP05 Automate compute protection

Essential Eight control: A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in operating systems of internet-facing services.

  Implementation guidance:
    - Theme 1: Use managed services: Scan for vulnerabilities
    - Theme 2: Manage immutable infrastructure through secure pipelines: Implement vulnerability scanning
    - Theme 3: Manage mutable infrastructure with automation: Implement vulnerability scanning
  AWS resources:
    - Enable Amazon Inspector in all accounts in your organization
    - Configure enhanced scanning for Amazon ECR repositories by using Amazon Inspector
    - Build a vulnerability management program to triage and remediate security findings
  AWS Well-Architected guidance:
    - SEC01-BP05 Reduce security management scope
    - SEC06-BP01 Perform vulnerability management
    - SEC06-BP02 Provision compute from hardened images

Essential Eight control: A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in operating systems of workstations, servers and network devices.

Essential Eight control: The latest release, or the previous release, of operating systems are used for workstations, servers and network devices.

  Implementation guidance: Theme 2: Manage immutable infrastructure through secure pipelines: Implement vulnerability scanning
  AWS resources: Use EC2 Image Builder and build in:
    - Share AMIs with the entire organization
    - Make sure that application teams are referencing the latest AMIs
    - Use your AMI pipeline for patch management
  AWS Well-Architected guidance:
    - SEC01-BP05 Reduce security management scope
    - SEC06-BP01 Perform vulnerability management
    - SEC06-BP02 Provision compute from hardened images

Essential Eight control: Operating systems that are no longer supported by vendors are replaced.