Name: Systems Manager Maintenance
Uploaded: 2020-10-26T15:53:44Z
Duration: 40
Description: An important aspect of automation through AWS Systems Manager is utilizing the Maintenance Windows feature so that disruptive actions don't impact your availability.

Systems Manager Maintenance

Utilizing the Systems Manager Maintenance Windows Feature

An important aspect of automation through AWS Systems Manager is utilizing the Maintenance Windows feature so that disruptive actions don’t impact your availability. AWS explains, “Each maintenance window has a schedule, a maximum duration, a set of registered targets, and a set of registered tasks…You can also specify dates that a maintenance window should not run before or after, and you can specify the international time zone on which to base the maintenance window schedule.” These maintenance windows can also be for other AWS services like S3 or KMS.

For more information, visit the AWS documentation on the AWS Systems Manager Maintenance Windows feature.

Transcription

AWS Systems Manager allows you to execute automations such as patching of your EC2 instances. If you’re using AWS Systems Manager for patching of your EC2 instances, you should ensure that you have a maintenance window configured. This maintenance window will allow you to ensure you are applying patches on a defined period. This period should be no longer than 30 days to ensure critically-identified vulnerabilities are patched within an appropriate time frame. Systems Manager maintenance window should have a start time, it should have a time zone, and it should ensure that all instances that are in scope are patched appropriately.

Systems Manager Maintenance

Related Videos

AWS Controls for Implementing a DMZ

Authenticate and Authorize Users with Client Certificates

Avoid Using Default Service Account When Configuring Instances

Best Practices for Container Security

Best Practices for Secret Management

Configuring Network Border Controls

Consistently Manage User Accounts with OS Login

Create a Minimal Audit Policy for Logging

Do Not Enable Serial Ports for VM Instance

Do Not Use Project-Wide SSH Keys When Authenticating Instances

Do Not Use RSASHA1 for DNSSEC Key-Signing Keys

Enable DNSSEC to Protect DNS Protocols

Enable HTTPS Connections on App Engine Applications

Enable Shielded VM to Ensure Operating System is Trustworthy

Enable VPC Flow Logs for Every Subnet

Encrypt BigQuery Datasets with Customer Managed Encryption Key (CMEK)

Ensure BigQuery Datasets Are Not Publicly Accessible

Ensure Cloud Storage Buckets Are Not Publicly Accessible

Ensure Container Network Interfaces Support Network Policies

Ensure GKE Nodes are Configured Properly

Ensure Kubernetes Idle Timeout Parameter is Appropriately Set

Ensure No Weak SSL Cipher Suites Are Permitted

Ensure Only Authorized Users Can Create Security Groups

Ensure to Restrict SSH Access from the Internet

GKE Cluster Configuration Security Benchmarks

General Policies for Cluster Management

Harden Cloud SQL Database with Logging

House Accounts in CloudTrail

How To Configure Your Cluster Networks

How to Configure Kubelet Within Your Environment

How to Restrict Public Access to S3 Buckets

How to Use S3 Bucket Policies

IP Forwarding Should Not Be Enabled for Instances

Image Registry and Scanning Best Practices

Industry Best Practices for Configuration Standards

Introduction to AWS Network Firewall

Introduction to AWS WAF and Shield

Introduction to Amazon EKS

Introduction to PCI DSS Requirement 1

Introduction to PCI Requirement 2.mp4

Leverage Confidential Computing to Protect Data

Manage Access Securely Using Uniform Bucket-Level Access

Meeting Firewall and Router Configuration Standards

Migrate Away from RSASHA1 for DNSSEC Zone-Signing Keys

Migrate Legacy Networks to VPC Networks

Minimize Public IP Address on Compute Instances

Minimize Root and SA Account Access in Cloud SQL

Network Segmentation for AWS

Networking Configurations in Kubernetes Environment

Node MetaData Recommendations in GKE

PCI DSS Requirement 1.1.1 - Implementing a Change Control Program

PCI DSS Requirement 1.1.2 and 1.1.3 - Network Documentation Best Practices

PCI DSS Requirement 1.1.4 - Establishing a Firewall and DMZ

PCI DSS Requirement 1.1.5 Defining Roles and Responsibilities for Managing Network Components

PCI DSS Requirement 1.1.6 Documentation of Business Justification & Approval for use of all Services, Ports and Protocols

PCI DSS Requirement 1.1.7 - Review Firewall and Router Rule Sets

PCI DSS Requirement 1.2 Restrict Connections to Untrusted Networks

PCI DSS Requirement 1.2.1 Restrict Traffic to that which is Necessary

PCI DSS Requirement 1.2.2 Secure and Synchronize Router Configuration Files

PCI DSS Requirement 1.2.3 Install Firewalls Between all Wireless Networks and the CDE

PCI DSS Requirement 1.3.1 - Establishing a DMZ

PCI DSS Requirement 1.3.2 Limit Inbound Internet Traffic

PCI DSS Requirement 1.3.3 - Implement Anti Spoofing Measures

PCI DSS Requirement 1.3.4 - Deny Unauthorized Outbound Traffic

PCI DSS Requirement 1.3.5 - Permit Only Established Connections into the Network

PCI DSS Requirement 1.3.6 Segregate the CDE from the DMZ

PCI DSS Requirement 1.3.7 Do Not Disclose Private IP Addresses

PCI DSS Requirement 1.4 Install Personal Firewall Software

PCI DSS Requirement 1.5 Ensure Security Policies are Known to all Affected Parties

PCI Requirement 2.1 - Always Change Vendor-Supplied Defaults

PCI Requirement 2.1.1 - Change all Wireless Vendor Defaults

PCI Requirement 2.2 - Develop Configuration Standards for all System Components

PCI Requirement 2.2.1 - Implement Only One Primary Function Per Server

PCI Requirement 2.2.2 - Enable Only Necessary Services, Protocols and Daemons

PCI Requirement 2.2.3 - Implement Additional Security Features

PCI Requirement 2.2.4 - Configure System Security Parameters to Prevent Misuse

PCI Requirement 2.2.5 - Remove all Unnecessary Functionality

PCI Requirement 2.3 - Encryption