OPS05-BP05 Perform patch management - AWS Well-Architected Framework

OPS05-BP05 Perform patch management

Perform patch management to gain features, address issues, and remain compliant with governance. Automate patch management to reduce errors caused by manual processes, to scale across your environments, and to reduce the level of effort to patch.

Patch and vulnerability management are part of your benefit and risk management activities. It is preferable to have immutable infrastructures and deploy workloads in verified known good states. Where that is not viable, patching in place is the remaining option.

Amazon EC2 Image Builder provides pipelines to update machine images. As part of patch management, build patched Amazon Machine Images (AMIs) with an AMI image pipeline, or patched container images with a Docker image pipeline. For AWS Lambda, rebuild custom runtimes and the additional libraries your functions bundle so that vulnerable versions are replaced rather than patched in place.

Manage updates to Linux and Windows Server AMIs with Amazon EC2 Image Builder. Use Amazon Elastic Container Registry (Amazon ECR) with your existing pipeline to manage the images that Amazon ECS and Amazon EKS run. Lambda includes function versioning, so a rebuilt deployment package can be published as a new version and rolled back if it misbehaves.

Patching should not be performed on production systems without first testing in a safe environment. Patches should only be applied if they support an operational or business outcome. On AWS, you can use AWS Systems Manager Patch Manager to automate the process of patching managed systems and schedule the activity using Systems Manager Maintenance Windows.

Desired outcome: Your AMI and container images are patched, up-to-date, and ready for launch. You are able to track the status of all deployed images and know patch compliance. You are able to report on current status and have a process to meet your compliance needs.

Common anti-patterns:

  • You are given a mandate to apply all new security patches within two hours, resulting in multiple outages due to application incompatibility with the patches.

  • An unpatched library results in unintended consequences as unknown parties use vulnerabilities within it to access your workload.

  • You patch the developer environments automatically without notifying the developers. You receive multiple complaints from the developers that their environments cease to operate as expected.

  • You have not patched the commercial off-the-shelf software on a persistent instance. When you have an issue with the software and contact the vendor, they notify you that the version is not supported and that you have to patch to a specific level to receive any assistance.

  • A recently released patch for the encryption software you use has significant performance improvements. Your unpatched system has performance issues that remain in place as a result of not patching.

  • You are notified of a zero-day vulnerability requiring an emergency fix and you have to patch all your environments manually.

Benefits of establishing this best practice: By establishing a patch management process, including your criteria for patching and your methodology for distribution across your environments, you can scale and report on patch levels. This provides assurance around security patching and ensures clear visibility of whether known fixes are in place. It encourages adoption of desired features and capabilities, the rapid removal of issues, and sustained compliance with governance. Implement patch management systems and automation to reduce the level of effort to deploy patches and to limit errors caused by manual processes.

Level of risk exposed if this best practice is not established: Medium

Implementation guidance

Patch systems to remediate issues, to gain desired features or capabilities, and to remain compliant with governance policy and vendor support requirements. In immutable systems, deploy with the appropriate patch set to achieve the desired result. Automate the patch management mechanism to reduce the elapsed time to patch, to avoid errors caused by manual processes, and lower the level of effort to patch.

Implementation steps

For Amazon EC2 Image Builder:

  1. Using Amazon EC2 Image Builder, specify pipeline details:

    1. Create an image pipeline and name it

    2. Define pipeline schedule and time zone

    3. Configure any dependencies

  2. Choose a recipe:

    1. Select existing recipe or create a new one

    2. Select image type

    3. Name and version your recipe

    4. Select your base image

    5. Add build components and add to target registry

  3. Optional - define your infrastructure configuration.

  4. Optional - define configuration settings.

  5. Review settings.

  6. Maintain recipe hygiene regularly.

For Systems Manager Patch Manager:

  1. Create a patch baseline that defines which patches are approved (for example, by classification, severity, and approval delay), and register it to a patch group.

  2. Select a patching operations method: scan only, or scan and install, run on demand, from a Systems Manager Maintenance Window, or through a State Manager association.

  3. Enable compliance reporting and scanning.
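The three Patch Manager steps above, carried out with boto3 as an added example (this is not code from the Well-Architected page or from AWS). The SSM method names and parameter shapes are boto3's; the patch group tag value, cron schedule, role ARN, resource IDs and sample patch states are constructed assumptions. The client is injected so the flow can be exercised offline against a recorder; pass `boto3.client("ssm")` instead to run it for real.

```python
"""Patch Manager automation: baseline, maintenance window, compliance verdict.

Added example. Method names and parameter shapes are boto3's SSM client's; the
patch group, schedule, role ARN, IDs and sample patch states are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Approval rule: Critical/Important security patches auto-approve 7 days after release.
SECURITY_RULE = {"PatchRules": [{
    "PatchFilterGroup": {"PatchFilters": [
        {"Key": "CLASSIFICATION", "Values": ["Security"]},
        {"Key": "SEVERITY", "Values": ["Critical", "Important"]},
    ]},
    "ApproveAfterDays": 7,
    "ComplianceLevel": "CRITICAL",
}]}


def create_security_baseline(ssm, name, patch_group, operating_system="AMAZON_LINUX_2023"):
    """Step 1: create a baseline and bind it to instances tagged 'Patch Group'=<patch_group>."""
    baseline_id = ssm.create_patch_baseline(
        Name=name, OperatingSystem=operating_system, ApprovalRules=SECURITY_RULE,
        Description="Security-only baseline with a 7-day soak before auto-approval",
    )["BaselineId"]
    ssm.register_patch_baseline_for_patch_group(BaselineId=baseline_id, PatchGroup=patch_group)
    return baseline_id


def schedule_patch_window(ssm, name, patch_group, role_arn, schedule="cron(0 2 ? * SUN *)"):
    """Step 2: install approved patches from a maintenance window via AWS-RunPatchBaseline."""
    window_id = ssm.create_maintenance_window(
        Name=name, Schedule=schedule, Duration=3, Cutoff=1, AllowUnassociatedTargets=False,
    )["WindowId"]
    target_id = ssm.register_target_with_maintenance_window(
        WindowId=window_id, ResourceType="INSTANCE",
        Targets=[{"Key": "tag:Patch Group", "Values": [patch_group]}],
    )["WindowTargetId"]
    ssm.register_task_with_maintenance_window(
        WindowId=window_id, TaskType="RUN_COMMAND", TaskArn="AWS-RunPatchBaseline",
        Targets=[{"Key": "WindowTargetIds", "Values": [target_id]}],
        ServiceRoleArn=role_arn, MaxConcurrency="25%", MaxErrors="10%",  # halt on a bad patch
        TaskInvocationParameters={"RunCommand": {"Parameters": {
            "Operation": ["Install"], "RebootOption": ["RebootIfNeeded"]}}},
    )
    return window_id


def compliance_report(patch_states, expected_baseline, max_scan_age_days=7, now=None):
    """Step 3: turn describe_instance_patch_states() items into a per-instance verdict.

    Non-compliant if approved patches are missing or failed, if the instance was last
    evaluated against a baseline other than the registered one, or if its last
    scan/install is older than max_scan_age_days (stale data is not compliance).
    """
    now = now or datetime.now(timezone.utc)
    report = {}
    for s in patch_states:
        reasons = []
        if s.get("MissingCount", 0):
            reasons.append(f"{s['MissingCount']} approved patches missing")
        if s.get("FailedCount", 0):
            reasons.append(f"{s['FailedCount']} patches failed to install")
        if s.get("BaselineId") != expected_baseline:
            reasons.append(f"evaluated against {s.get('BaselineId')}, expected {expected_baseline}")
        end = s.get("OperationEndTime")
        if end is None or now - end > timedelta(days=max_scan_age_days):
            reasons.append(f"last {s.get('Operation', 'scan')} older than {max_scan_age_days} days")
        report[s["InstanceId"]] = {"compliant": not reasons, "reasons": reasons}
    return report


class RecordingSSM:
    """Offline stand-in for the boto3 SSM client (constructed for this example):
    records every call and returns the IDs the real API would return."""
    RESPONSES = {
        "create_patch_baseline": {"BaselineId": "pb-0123456789abcdef0"},
        "create_maintenance_window": {"WindowId": "mw-0123456789abcdef0"},
        "register_target_with_maintenance_window": {"WindowTargetId": "9d4b1a7c-0000-4000-8000-000000000001"},
    }

    def __init__(self):
        self.calls = []

    def __getattr__(self, method):
        def call(**kwargs):
            self.calls.append((method, kwargs))
            return dict(self.RESPONSES.get(method, {}))
        return call


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_PATCH_STATES = [  # constructed; keys follow the DescribeInstancePatchStates response
    {"InstanceId": "i-0aaa111122223333a", "BaselineId": "pb-0123456789abcdef0", "MissingCount": 0,
     "FailedCount": 0, "Operation": "Install", "OperationEndTime": NOW - timedelta(days=2)},
    {"InstanceId": "i-0bbb111122223333b", "BaselineId": "pb-0123456789abcdef0", "MissingCount": 3,
     "FailedCount": 0, "Operation": "Scan", "OperationEndTime": NOW - timedelta(days=12)},
]

if __name__ == "__main__":
    ssm = RecordingSSM()  # swap for boto3.client("ssm") with the required IAM permissions
    baseline = create_security_baseline(ssm, "prod-web-security", "web-prod")
    schedule_patch_window(ssm, "prod-web-sunday-0200", "web-prod",
                          "arn:aws:iam::123456789012:role/MaintenanceWindowRole")
    for instance, verdict in compliance_report(SAMPLE_PATCH_STATES, baseline, now=NOW).items():
        print(instance, "COMPLIANT" if verdict["compliant"] else "NON-COMPLIANT", verdict["reasons"])
```

The `ApproveAfterDays` soak and the `MaxErrors` cutoff are the two knobs that keep a bad vendor patch from becoming the "apply everything in two hours" outage described in the anti-patterns: the baseline holds new patches until they have been tested in a non-production patch group, and the window stops dispatching once 10% of targets fail. The compliance verdict deliberately treats a stale scan as non-compliant, because an instance that has not reported in a week tells you nothing about its patch level.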
