
Control: AWS > PCI v3.2.1 > SSM > 1 Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation

This control checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the instance.

It only checks instances that are managed by AWS Systems Manager Patch Manager.

It does not check whether the patch was applied within the 30-day limit prescribed by PCI DSS requirement 6.2.

It also does not validate whether the patches applied were classified as security patches.
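
The check and its scope limit, as an added example (not Turbot's control code): the sketch below classifies a constructed EC2 inventory against data shaped like the output of `aws ssm list-resource-compliance-summaries`, and separates out instances that have no Patch compliance summary, which this control never evaluates. The instance IDs, sample data and function name are assumptions made for illustration.

```python
import json

# Constructed sample shaped like `aws ssm list-resource-compliance-summaries`
# output; the instance IDs are made up for this example.
SAMPLE_SUMMARIES = json.loads("""
{"ResourceComplianceSummaryItems": [
  {"ComplianceType": "Patch", "ResourceType": "ManagedInstance",
   "ResourceId": "i-0aaa1111bbbb22221", "Status": "COMPLIANT"},
  {"ComplianceType": "Patch", "ResourceType": "ManagedInstance",
   "ResourceId": "i-0aaa1111bbbb22222", "Status": "NON_COMPLIANT"},
  {"ComplianceType": "Association", "ResourceType": "ManagedInstance",
   "ResourceId": "i-0aaa1111bbbb22223", "Status": "COMPLIANT"}
]}
""")

# Constructed EC2 inventory: ...223 has only an Association summary,
# ...224 is not reported by Systems Manager at all.
SAMPLE_EC2_IDS = ["i-0aaa1111bbbb22221", "i-0aaa1111bbbb22222",
                  "i-0aaa1111bbbb22223", "i-0aaa1111bbbb22224"]


def classify_patch_compliance(ec2_ids, summaries):
    """Group instance IDs by patch compliance status (hypothetical helper).

    Instances without a Patch summary land in NOT_EVALUATED: they are
    outside the control's scope, not proven compliant.
    """
    patch_status = {}
    for item in summaries.get("ResourceComplianceSummaryItems", []):
        # Only Patch compliance on managed instances is relevant here.
        if item.get("ComplianceType") != "Patch":
            continue
        if item.get("ResourceType") != "ManagedInstance":
            continue
        patch_status[item["ResourceId"]] = item.get("Status")

    report = {"COMPLIANT": [], "NON_COMPLIANT": [], "NOT_EVALUATED": []}
    for instance_id in ec2_ids:
        status = patch_status.get(instance_id)
        if status in ("COMPLIANT", "NON_COMPLIANT"):
            report[status].append(instance_id)
        else:
            report["NOT_EVALUATED"].append(instance_id)
    return report


if __name__ == "__main__":
    result = classify_patch_compliance(SAMPLE_EC2_IDS, SAMPLE_SUMMARIES)
    print(json.dumps(result, indent=2))
```

A non-empty NOT_EVALUATED list marks instances whose patch state needs to be established some other way before relying on this control for PCI DSS 6.2 evidence.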

Remediation

This rule checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or NON_COMPLIANT. To find out more about patch compliance states, see the AWS Systems Manager User Guide.

1. Open the AWS Systems Manager console.
2. In the navigation pane, under Instances & Nodes, choose Run Command.
3. Choose Run command.
4. Choose the radio button next to AWS-RunPatchBaseline and then change the Operation to Install.
5. Choose Choose instances manually and then choose the noncompliant instance(s).
6. Scroll to the bottom and then choose Run.
7. After the command has completed, to monitor the new compliance status of your patched instances, in the navigation pane, choose Compliance.

PCI requirement(s): 6.2

Resource Types

This control targets the following resource types:

  • AWS > SSM > Managed Instance

Policies

This control type relies on these other policies when running actions:

  • AWS > PCI v3.2.1

Category

  • Compliance > PCI

In Your Workspace

  • Controls by Resource report
  • Controls by Control Type report

Developers

  • Control Type URI
    • tmod:@turbot/aws-pciv3-2-1#/control/types/ssmManagedInstanceCompliancePatchCompliant
  • Category URI
    • tmod:@turbot/turbot#/control/categories/compliancePci
  • GraphQL
    • query controlType(id: "tmod:@turbot/aws-pciv3-2-1#/control/types/ssmManagedInstanceCompliancePatchCompliant") { … }
    • query controls(filter: "controlTypeId:'tmod:@turbot/aws-pciv3-2-1#/control/types/ssmManagedInstanceCompliancePatchCompliant'") { … }
  • CLI
    • Get Controls
    • turbot graphql controls --filter "controlTypeId:tmod:@turbot/aws-pciv3-2-1#/control/types/ssmManagedInstanceCompliancePatchCompliant"