In this exercise we will perform vulnerability scanning and patching on a pre-install EC2 instance, Microsoft based Windows Operating System using Amazon Inspector and AWS Systems Manager respectively.
Note: For this lab, it is assumed that Microsoft Windows based EC2 instance is already created. For instructions to create EC2 Instance please follow the link.
From the AWS console, click Services and select Amazon Inspector.
On the Inspector console click on Get started.
Click Advanced Setup on the welcome page with default options.
One ‘Define an assessment target’ page, leave the values as is and click Next.
On ‘Define an assessment template’ page leave the default values as is and click Next.
On the ‘Review’ page click on Create.
A success notification will appear once the template is created.
Wait till the ‘Last run’ status shows Analysis complete (it may take 5 -10 minutes). Click the refresh icon to view the latest status.
Click on Dashboard on the menu at the left side of the console.
Then click on Important findings, which will show the list of important issues i.e., missing patches (if the EC2 instance is from the latest AMI then you may not get the findings as the AMI is fully patched).
Now let’s patch our machine.
From the AWS console, click Services and select AWS Systems Manager.
Click on Quick setup on menu at the left side of the console.
Make sure that correct region is selected on the top right corner of the console. Click on Get started.
On the Quick Setup page click on Create.
On the ‘Customize Host Management configuration options’ page leave the default values as is and click on Create.
Notification will appear on screen once the host management setup is completed successfully (may take up to 5 minutes).
One the menu at the left side, scroll down and click on the Compliance under Node Management.
One the ‘Compliance resources summary’ page the non-compliance status against Patch will be visible if the systems manager detects missing patches within the EC2 instance. Click on the number showing against the missing patches.
For patching the Operating System, click on Patch Manager under Node Management.
Click on Patch now on the upper right side.
On ‘Patch instances now’ page select Scan and install. Leave the remaining options as is, scroll down and click Patch now.
On ‘Association execution summary’ page the Status of the operation will become success after few minutes.
Now go back to ‘Compliance’ section under Node Management on the left side menu.
On the ‘Compliance resources summary’ section, the Patch Compliance type will now show as Compliant.
For more information please read the AWS User Guide: https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-patch.html