

# Patch operating systems
<a name="patch-operating-systems"></a>

- **Patches, updates or vendor mitigations for security vulnerabilities in operating systems of internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.**
  - **Implementation guidance:** [Theme 2: Manage immutable infrastructure through secure pipelines](theme-2.md): Implement AMI and container build pipelines
    - **AWS resources:** [Use EC2 Image Builder](https://docs.aws.amazon.com/imagebuilder/latest/userguide/start-build-image-pipeline.html) and build in: [See the AWS documentation website for more details](http://docs.aws.amazon.com/prescriptive-guidance/latest/essential-eight-maturity/patch-operating-systems.html)<br />[Share AMIs with the entire organization](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/share-amis-with-organizations-and-OUs.html)<br />[Make sure that application teams are referencing the latest AMIs](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/walkthrough-custom-resources-lambda-lookup-amiids.html)<br />[Use your AMI pipeline for patch management](https://docs.aws.amazon.com/imagebuilder/latest/userguide/security-patch-management.html)
    - **AWS Well-Architected guidance:** [SEC01-BP05 Reduce security management scope](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_securely_operate_reduce_management_scope.html)<br />[SEC06-BP01 Perform vulnerability management](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_compute_vulnerability_management.html)<br />[SEC06-BP03 Reduce manual management and interactive access](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_compute_reduce_manual_management.html)
  - **Implementation guidance:** [Theme 1: Use managed services](theme-1.md): Enable patching<br />[Theme 3: Manage mutable infrastructure with automation](theme-3.md): Automate patching
    - **AWS resources:** [Enable Patch Manager in all accounts in your AWS organization](https://docs.aws.amazon.com/prescriptive-guidance/latest/patch-management-hybrid-cloud/design-standard.html)
    - **AWS Well-Architected guidance:** [SEC06-BP01 Perform vulnerability management](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_compute_vulnerability_management.html)<br />[SEC06-BP05 Automate compute protection](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_compute_auto_protection.html)

- **Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within two weeks of release, or within 48 hours if an exploit exists.**
  - **Implementation guidance:** [Theme 2: Manage immutable infrastructure through secure pipelines](theme-2.md): Implement AMI and container build pipelines
    - **AWS resources:** [Use EC2 Image Builder](https://docs.aws.amazon.com/imagebuilder/latest/userguide/start-build-image-pipeline.html) and build in: [See the AWS documentation website for more details](http://docs.aws.amazon.com/prescriptive-guidance/latest/essential-eight-maturity/patch-operating-systems.html)<br />[Share AMIs with the entire organization](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/share-amis-with-organizations-and-OUs.html)<br />[Make sure that application teams are referencing the latest AMIs](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/walkthrough-custom-resources-lambda-lookup-amiids.html)<br />[Use your AMI pipeline for patch management](https://docs.aws.amazon.com/imagebuilder/latest/userguide/security-patch-management.html)
    - **AWS Well-Architected guidance:** [SEC01-BP05 Reduce security management scope](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_securely_operate_reduce_management_scope.html)<br />[SEC06-BP01 Perform vulnerability management](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_compute_vulnerability_management.html)<br />[SEC06-BP02 Provision compute from hardened images](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_compute_hardened_images.html)
  - **Implementation guidance:** [Theme 1: Use managed services](theme-1.md): Enable patching<br />[Theme 3: Manage mutable infrastructure with automation](theme-3.md): Automate patching
    - **AWS resources:** [Enable Patch Manager in all accounts in your AWS organization](https://docs.aws.amazon.com/prescriptive-guidance/latest/patch-management-hybrid-cloud/design-standard.html)
    - **AWS Well-Architected guidance:** [SEC06-BP01 Perform vulnerability management](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_compute_vulnerability_management.html)<br />[SEC06-BP05 Automate compute protection](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_compute_auto_protection.html)

- **A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in operating systems of internet-facing services.**
  - **Implementation guidance:** [Theme 1: Use managed services](theme-1.md): Scan for vulnerabilities<br />[Theme 2: Manage immutable infrastructure through secure pipelines](theme-2.md): Implement vulnerability scanning<br />[Theme 3: Manage mutable infrastructure with automation](theme-3.md): Implement vulnerability scanning
  - **AWS resources:** [Enable Amazon Inspector in all accounts in your organization](https://docs.aws.amazon.com/inspector/latest/user/designating-admin.html)<br />[Configure enhanced scanning for Amazon ECR repositories by using Amazon Inspector](https://docs.aws.amazon.com/inspector/latest/user/scanning-ecr.html#configure-ecr)<br />[Build a vulnerability management program to triage and remediate security findings](https://docs.aws.amazon.com/prescriptive-guidance/latest/vulnerability-management/)
  - **AWS Well-Architected guidance:** [SEC01-BP05 Reduce security management scope](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_securely_operate_reduce_management_scope.html)<br />[SEC06-BP01 Perform vulnerability management](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_compute_vulnerability_management.html)<br />[SEC06-BP02 Provision compute from hardened images](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_compute_hardened_images.html)

- **A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in operating systems of workstations, servers and network devices.**

- **The latest release, or the previous release, of operating systems are used for workstations, servers and network devices.**
  - **Implementation guidance:** [Theme 2: Manage immutable infrastructure through secure pipelines](theme-2.md): Implement vulnerability scanning
  - **AWS resources:** [Use EC2 Image Builder](https://docs.aws.amazon.com/imagebuilder/latest/userguide/start-build-image-pipeline.html) and build in: [See the AWS documentation website for more details](http://docs.aws.amazon.com/prescriptive-guidance/latest/essential-eight-maturity/patch-operating-systems.html)<br />[Share AMIs with the entire organization](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/share-amis-with-organizations-and-OUs.html)<br />[Make sure that application teams are referencing the latest AMIs](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/walkthrough-custom-resources-lambda-lookup-amiids.html)<br />[Use your AMI pipeline for patch management](https://docs.aws.amazon.com/imagebuilder/latest/userguide/security-patch-management.html)
  - **AWS Well-Architected guidance:** [SEC01-BP05 Reduce security management scope](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_securely_operate_reduce_management_scope.html)<br />[SEC06-BP01 Perform vulnerability management](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_compute_vulnerability_management.html)<br />[SEC06-BP02 Provision compute from hardened images](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_protect_compute_hardened_images.html)

- **Operating systems that are no longer supported by vendors are replaced.**
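
The patching windows (two weeks, or 48 hours if an exploit exists) and the scanner cadences (daily for internet-facing services, weekly for workstations, servers and network devices) in the controls above are easy to state and easy to drift from. The following script is an added example, not AWS code and not the Essential Eight tooling; it evaluates a constructed list of scanner findings against exactly those timelines and reports which findings are past their patch deadline and which resources have not been scanned within the required cadence. The `Finding` fields and the `asset_class` labels are assumptions for the example, not Amazon Inspector's finding schema; in practice you would populate them from your scanner's export.

```python
"""Check OS patch findings against the Essential Eight timelines on this page.

Added example (not AWS or ACSC code). The finding layout below is an assumed,
scanner-export-like shape, not Amazon Inspector's schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Patching windows stated on this page.
SLA_DEFAULT = timedelta(days=14)   # within two weeks of release
SLA_EXPLOIT = timedelta(hours=48)  # within 48 hours if an exploit exists

# Required scanner cadence per asset class, also from this page.
SCAN_CADENCE = {
    "internet-facing": timedelta(days=1),  # at least daily
    "internal": timedelta(days=7),         # at least weekly (workstations, servers, network devices)
}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    resource_id: str
    asset_class: str        # "internet-facing" or "internal" (assumed labels)
    released: datetime      # when the vendor patch or mitigation was released
    exploit_available: bool
    fixed: bool
    last_scanned: datetime  # last time the scanner assessed this resource


def _ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as '2024-06-01T00:00:00Z'."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def patch_deadline(f: Finding) -> datetime:
    """Latest acceptable remediation time: 48 h if an exploit exists, else 14 days."""
    return f.released + (SLA_EXPLOIT if f.exploit_available else SLA_DEFAULT)


def hours_overdue(f: Finding, now: datetime) -> float:
    """Hours past the deadline for an unfixed finding; 0.0 if fixed or still in window."""
    if f.fixed:
        return 0.0
    return max((now - patch_deadline(f)).total_seconds() / 3600, 0.0)


def violations(f: Finding, now: datetime) -> list[str]:
    """Control violations for one finding, in a stable order."""
    out = []
    if not f.fixed and now > patch_deadline(f):
        out.append("patch-overdue")
    cadence = SCAN_CADENCE.get(f.asset_class)
    if cadence is None:
        out.append("unknown-asset-class")  # cannot judge cadence; surface it rather than skip
    elif now - f.last_scanned > cadence:
        out.append("scan-stale")
    return out


def evaluate(findings: list[Finding], now: datetime) -> dict[str, list[str]]:
    """Map finding_id -> list of violations for every finding."""
    return {f.finding_id: violations(f, now) for f in findings}


# Constructed sample data: an evaluation time and four findings.
NOW = _ts("2024-06-15T00:00:00Z")
SAMPLE_FINDINGS = [
    # Exploited OS vulnerability on an internet-facing host, 14 days after release: far past 48 h.
    Finding("F-1", "i-0aaa", "internet-facing", _ts("2024-06-01T00:00:00Z"), True, False, _ts("2024-06-14T20:00:00Z")),
    # Non-exploited finding on an internal server, 10 days in: still inside the two-week window.
    Finding("F-2", "i-0bbb", "internal", _ts("2024-06-05T00:00:00Z"), False, False, _ts("2024-06-14T00:00:00Z")),
    # In window, but the internet-facing host was last scanned three days ago (daily required).
    Finding("F-3", "i-0ccc", "internet-facing", _ts("2024-06-10T00:00:00Z"), False, False, _ts("2024-06-12T00:00:00Z")),
    # Already fixed, so no patch violation; but not scanned for two weeks (weekly required).
    Finding("F-4", "i-0ddd", "internal", _ts("2024-05-01T00:00:00Z"), True, True, _ts("2024-06-01T00:00:00Z")),
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        v = violations(f, NOW)
        print(f"{f.finding_id} {f.resource_id:8} {f.asset_class:16} "
              f"deadline={patch_deadline(f):%Y-%m-%dT%H:%MZ} "
              f"overdue_h={hours_overdue(f, NOW):6.1f} {v or 'ok'}")
```

Two design points matter for a real deployment: the clock for the 48-hour window starts at the vendor release, not at the moment your scanner first reports the finding, so feed `released` from the advisory date rather than the scanner's first-seen time; and an unrecognised asset class is reported as its own violation instead of being silently treated as internal, since an unclassified internet-facing host would otherwise be held to the weaker weekly cadence.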

