Solution Components - Server Fleet Management at Scale

Solution Components

Systems Manager Associations

The ManageInspectorAgent association runs weekly to ensure that the Inspector agent is installed on the targeted managed instances.

The GatherSoftwareInventory association runs daily to gather the software inventory of the targeted managed instances. You can view a list of a managed instance’s applications in the Managed Instance Console Inventory tab.

To verify that your Amazon Elastic Compute Cloud (Amazon EC2) instances meet AWS Systems Manager requirements and run a currently supported operating system, review the prerequisites listed here.

Maintenance Window

A maintenance window allows you to define tasks that will be run against a set of instances on a given schedule. This gives you flexibility and control over how you perform routine tasks. The maintenance window that this solution creates is scheduled to run weekly in a two-hour window. It contains a Run Command task that uses the document AWS-RunPatchBaseline to perform patching, and it updates the targets defined by the Patch Group tag key and the Environment value supplied in the Managed Instances Tag Value parameter.
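The following drift check for the maintenance window described above is an added example, not code from the solution. It audits constructed sample data shaped like the boto3 SSM describe_maintenance_windows, describe_maintenance_window_tasks and describe_maintenance_window_targets responses; the IDs, the "Production" tag value and the assumed cron field layout are placeholders and assumptions.

```python
import re

# Constructed sample data, shaped like the boto3 SSM responses from
# describe_maintenance_windows / _window_tasks / _window_targets.
# IDs and the "Production" tag value are placeholders, not from the solution.
WINDOW = {"WindowId": "mw-example", "Enabled": True, "Duration": 2,
          "Schedule": "cron(0 4 ? * SUN *)"}
TASKS = [{"Type": "RUN_COMMAND", "TaskArn": "AWS-RunPatchBaseline",
          "Targets": [{"Key": "WindowTargetIds", "Values": ["wt-example"]}]}]
TARGETS = [{"WindowTargetId": "wt-example",
            "Targets": [{"Key": "tag:Patch Group", "Values": ["Production"]}]}]

ONE_WEEKDAY = re.compile(r"^(SUN|MON|TUE|WED|THU|FRI|SAT|[1-7])$", re.I)


def is_weekly(schedule):
    """True for rate(7 days) or a cron expression pinned to a single weekday."""
    if re.fullmatch(r"rate\(\s*7\s+days\s*\)", schedule):
        return True
    m = re.fullmatch(r"cron\((.+)\)", schedule)
    if not m:
        return False
    fields = m.group(1).split()
    # Assumed layout: [seconds] minutes hours day-of-month month day-of-week year,
    # so day-of-week is second from the end and day-of-month fourth from the end.
    if len(fields) not in (6, 7):
        return False
    return bool(ONE_WEEKDAY.match(fields[-2])) and fields[-4] in ("?", "*")


def audit(window, tasks, targets, environment):
    """Return a list of deviations from the patching setup the page describes."""
    findings = []
    if not window.get("Enabled"):
        findings.append("window disabled")
    if window.get("Duration") != 2:
        findings.append("duration is not two hours")
    if not is_weekly(window.get("Schedule", "")):
        findings.append("schedule is not weekly")
    # Window targets that select instances by Patch Group = <environment>.
    tagged = {t["WindowTargetId"] for t in targets for sel in t.get("Targets", [])
              if sel.get("Key") == "tag:Patch Group" and environment in sel.get("Values", [])}
    patch = [t for t in tasks if t.get("Type") == "RUN_COMMAND"
             and t.get("TaskArn") == "AWS-RunPatchBaseline"]
    if not patch:
        findings.append("no AWS-RunPatchBaseline task")
    elif not any(set(sel.get("Values", [])) & tagged
                 for t in patch for sel in t.get("Targets", [])
                 if sel.get("Key") == "WindowTargetIds"):
        findings.append("patch task not bound to the Patch Group target")
    return findings
```

An empty list from audit() means the window still matches the described setup; each string in a non-empty list names one way the window has drifted and instances may be going unpatched.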

To verify that your Amazon EC2 instances are supported by AWS Systems Manager Patch Manager, review the Operating Systems Supported by Patch Manager listed here.

Amazon Inspector Rules Packages

Amazon Inspector compares the behavior and the security configuration of the assessment targets to selected security rules packages. Currently, this solution uses the following rules packages:

To verify that your Amazon EC2 instances meet Amazon Inspector requirements, review the Amazon Inspector Supported Operating Systems and Regions listed here.