5 Vulnerability Management Lab - deanbushmiller/aws-sec-e11 GitHub Wiki

Automate vulnerability management and remediation in AWS using Amazon Inspector and AWS Systems Manager

PreReq

  • SSM agent
  • S3 bucket

In the AWS console: Services search "S3" | Choose Buckets | Create bucket | Name it patchman20240919-(your Account ID) | keep the defaults

From Guac - WebLin

  • Verify agent installed
  • sudo systemctl status amazon-ssm-agent

From Guac - WebWin

  • Verify agent installed
  • Open powershell
  • Get-Service AmazonSSMAgent

Enable System Manager Quick setup

  • Click Complete onboarding

Enable Patch Management

Record the current UTC time (you will add 15 minutes to the current time to start a scan)

  • Create configuration | Customize Patch Manager configuration options
  • Node Mgr | Patch Mgr | Create Patch Policy

Policy name Scan-patch-now-daily | Scan and install

  • Custom | Daily | time is 5 minutes from now
  • Install schedule | Custom install schedule | daily, 15 minutes from now
  • Reboot if needed
  • Patch baseline| use recommended
  • Patching log storage | Browse - find your named bucket
  • Target | Current Account | Current region | All nodes
  • Rate control 100%
  • Instance profile options | check Add
  • Scroll to the bottom, verify the scheduled time has not already passed | click Create

Enable Amazon Inspector

  • Please note: Amazon Inspector is a Regional service

Activate with current Account ID

  • Click Delegate

You might have to click Delegate twice

  • Click activate inspector

AWS config deployment

  • One-click setup

Security hub deployment

  • Enable AWS foundational security best practices
  • Click enable security hub
  • It will take a while for it to populate

Patch Windows Manually (very bad)

  • Patch Manager reports Windows is up to date
  • Inspector reveals it is not up to date
  • WHAT CAN WE DO:
  • Connect via EC2
  • Confirm latest patches

wmic qfe list

  • Force PowerShell Windows Update step-by-step guide:
  • Install the PSWindowsUpdate module:

Install-Module -Name PSWindowsUpdate -Force

  • Import the module:

Import-Module PSWindowsUpdate

  • Check for updates:

Get-WindowsUpdate -MicrosoftUpdate -AcceptAll

  • Install updates:

Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -AutoReboot
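The steps above as one script, added here as an example and not part of the original lab page. It assumes an elevated PowerShell session on the WebWin instance with access to the PowerShell Gallery and Microsoft Update; it checks the SSM agent first, records the installed hotfixes (Get-HotFix is the PowerShell equivalent of `wmic qfe list`), installs PSWindowsUpdate only if it is missing, and lists pending updates before installing anything, so you can compare what Microsoft Update reports with what Patch Manager and Inspector told you.

```powershell
# Added example (not part of the original lab page): walks the manual Windows
# patching steps with a check before each one.
# Assumes: elevated PowerShell on the WebWin instance, outbound access to the
# PowerShell Gallery and Microsoft Update.

# 1. Confirm the SSM agent is running so Patch Manager can still manage this node afterwards.
$ssm = Get-Service -Name AmazonSSMAgent -ErrorAction SilentlyContinue
if (-not $ssm) {
    Write-Warning "AmazonSSMAgent service not found; Systems Manager cannot manage this node."
} elseif ($ssm.Status -ne 'Running') {
    Write-Warning "AmazonSSMAgent is $($ssm.Status); starting it."
    Start-Service -Name AmazonSSMAgent
}

# 2. Record the installed hotfixes before patching (same data as 'wmic qfe list').
$before = Get-HotFix | Sort-Object InstalledOn -Descending
Write-Host "Installed hotfixes before patching: $($before.Count)"
$before | Select-Object -First 5 HotFixID, Description, InstalledOn | Format-Table -AutoSize

# 3. Install PSWindowsUpdate only if it is not already present.
if (-not (Get-Module -ListAvailable -Name PSWindowsUpdate)) {
    # An unattended gallery install needs the NuGet provider and a trusted repository.
    Install-PackageProvider -Name NuGet -Force | Out-Null
    Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
    Install-Module -Name PSWindowsUpdate -Force
}
Import-Module PSWindowsUpdate

# 4. List what Microsoft Update considers pending; this is the gap Inspector was flagging
#    while Patch Manager reported the host as up to date.
$pending = Get-WindowsUpdate -MicrosoftUpdate -AcceptAll
if (-not $pending) {
    Write-Host "No pending updates reported by Microsoft Update."
    return
}
$pending | Select-Object KB, Size, Title | Format-Table -AutoSize

# 5. Install everything and reboot if required. Run this step only inside a maintenance window.
Install-WindowsUpdate -MicrosoftUpdate -AcceptAll -AutoReboot

# 6. After the reboot, run Get-HotFix again and diff it against $before, then re-check the
#    Inspector findings for this instance to confirm they close.
```

The pending-updates listing in step 4 is the part worth keeping even when you do not install anything: it gives you a concrete list to compare against the Patch Manager compliance report and the Inspector findings for the same instance.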

Patch Windows automation through Systems Manager vulnerability management