Deploying Security Patches on EC2 Instances
Automating Security Patching with Patch Manager
PCI Requirement 6.2 calls out the need to use security patches to protect system components from known vulnerabilities and develop a risk-ranking process for patching. In an AWS environment, compliance with PCI Requirement 6.2 looks like monitoring security updates and deploying security patches on your operating systems and applications running within your EC2 instances. By utilizing Patch Manager, you can simplify compliance with this requirement. Patch Manager is a component of AWS Systems Manager that automates the security patching process for operating systems and applications. The key features of Patch Manager include:
- Patch Manager uses patch baselines (rules for auto-approving patches within days of their release), and a list of approved/rejected patches.
- By running a Systems Manager maintenance window task, you can schedule patching on a regular basis.
- You can install patches individually or to large groups of instances by using Amazon EC2 tags.
- Patch Manager provides options to scan your instances and report compliance on a schedule, install available or missing patches on a schedule, and patch or scan instances manually.
- Patch Manager integrates with AWS IAM, AWS CloudTrail, and Amazon EventBridge.
To learn more about automating security patching, visit the User Guide for AWS Systems Manager Patch Manager.
Transcription
The PCI Requirement 6.2 requires that you have a way in your AWS environment to protect your EC2 instances against known vulnerabilities. You have to have a way to monitor for security updates that are released for not only operating systems, but applications that you have running within your instances. By monitoring these vulnerabilities as they’re released, it’s your responsibility to evaluate the criticality of those vulnerabilities because the requirement states that anything ranked as “critical” must be applied within one month of release. Other things that are not “critical” can be applied during an appropriate, reasonable timeframe as can be determined, but typically this is considered to be done within three months. So, as you are managing your AWS EC2 instances, you would use something like AWS Systems Manager’s Patch Manager in order to manage the application of any patches that have been released. If you have a vendor or a partner who is helping you manage your AWS environment, it’s still your responsibility to ensure that they are aware of the vulnerabilities that are released and ensure that they are applying those patches in a timely fashion.