修补

通过使用 AWS Systems Manager Patch Manager 和 AWS Lambda，组织可以自动执行针对可变计算环境的修补策略，并使可变实例与该应用环境中定义的补丁基准保持一致。通过将上述实例分配到补丁组和维护窗口，可以管理这些环境中可变实例的标记策略。有关开发 → 测试 → 生产拆分，请参阅以下示例。可变实例的补丁管理有 AWS 规范性指导。

表 10 — 操作标签可能因环境而异

开发	生产前调试	生产
{ "Tags": [ { "Key": "Maintenance Window", "ResourceId": "i-012345678ab9ab111", "ResourceType": "instance", "Value": "cron(30 23 ? * TUE#1 *)" }, { "Key": "Name", "ResourceId": "i-012345678ab9ab222", "ResourceType": "instance", "Value": "WEBAPP" }, { "Key": "Patch Group", "ResourceId": "i-012345678ab9ab333", "ResourceType": "instance", "Value": "WEBAPP-DEV-AL2" } ] }	{ "Tags": [ { "Key": "Maintenance Window", "ResourceId": "i-012345678ab9ab444", "ResourceType": "instance", "Value": "cron(30 23 ? * TUE#2 *)" }, { "Key": "Name", "ResourceId": "i-012345678ab9ab555", "ResourceType": "instance", "Value": "WEBAPP" }, { "Key": "Patch Group", "ResourceId": "i-012345678ab9ab666", "ResourceType": "instance", "Value": "WEBAPP-TEST-AL2" } ] }	{ "Tags": [ { "Key": "Maintenance Window", "ResourceId": "i-012345678ab9ab777", "ResourceType": "instance", "Value": "cron(30 23 ? * TUE#3 *)" }, { "Key": "Name", "ResourceId": "i-012345678ab9ab888", "ResourceType": "instance", "Value": "WEBAPP" }, { "Key": "Patch Group", "ResourceId": "i-012345678ab9ab999", "ResourceType": "instance", "Value": "WEBAPP-PROD-AL2" } ] }

也可以通过定义标签来管理未修补漏洞，以补充修补策略。有关详细指导，请参阅使用 S AWS ystems Manager 进行当天安全修补以避免未修补漏洞。