EC2 instances managed by AWS Systems Manager (SSM) report patch compliance against their assigned patch baselines. This check evaluates each managed node's compliance status from Patch Manager to determine whether the required security updates have been applied according to policy.
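The evaluation described above, as an added offline example that is not Prowler's own code: it reproduces the core decision (is each managed node COMPLIANT for compliance type Patch?) over a constructed sample of ListResourceComplianceSummaries items, and goes one step further by failing nodes that have no Patch record at all or whose last scan is older than an assumed staleness window, since both cases mean there is no current evidence that updates were applied.

```python
"""Offline re-implementation of the patch-compliance check (example code).
Input dicts mirror the shape of SSM ListResourceComplianceSummaries items."""
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=7)  # assumption: a scan older than this is stale evidence


def evaluate_patch_compliance(managed_instance_ids, summaries, now=None):
    """Return {instance_id: (status, detail)}; status is "PASS" or "FAIL".

    summaries: ResourceComplianceSummaryItem dicts for ComplianceType "Patch".
    A managed node with no summary is failed: no scan means no evidence."""
    now = now or datetime.now(timezone.utc)
    by_id = {s["ResourceId"]: s for s in summaries if s.get("ResourceType") == "ManagedInstance"}
    results = {}
    for iid in managed_instance_ids:
        item = by_id.get(iid)
        if item is None:
            results[iid] = ("FAIL", "no Patch compliance data (AWS-RunPatchBaseline never ran)")
        elif (scanned := item.get("ExecutionSummary", {}).get("ExecutionTime")) is None \
                or now - scanned > STALE_AFTER:
            results[iid] = ("FAIL", "compliance data is undated or older than STALE_AFTER")
        elif item["Status"] != "COMPLIANT":
            sev = item.get("NonCompliantSummary", {}).get("SeveritySummary", {})
            results[iid] = ("FAIL", f"NON_COMPLIANT: critical={sev.get('CriticalCount', 0)} "
                                    f"high={sev.get('HighCount', 0)}")
        else:
            results[iid] = ("PASS", "COMPLIANT")
    return results


def fetch_patch_summaries(region):
    """Live variant (not exercised here): page through the real API with the Patch filter."""
    import boto3
    paginator = boto3.client("ssm", region_name=region).get_paginator("list_resource_compliance_summaries")
    patch_only = [{"Key": "ComplianceType", "Values": ["Patch"], "Type": "EQUAL"}]
    return [i for page in paginator.paginate(Filters=patch_only)
            for i in page["ResourceComplianceSummaryItems"]]


# Constructed sample: one compliant node, one missing critical patches, one with a stale
# scan, and a fourth managed node (i-0ddd) that has never reported Patch compliance.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"ResourceId": "i-0aaa", "ResourceType": "ManagedInstance", "Status": "COMPLIANT",
     "ExecutionSummary": {"ExecutionTime": NOW - timedelta(days=1)}},
    {"ResourceId": "i-0bbb", "ResourceType": "ManagedInstance", "Status": "NON_COMPLIANT",
     "ExecutionSummary": {"ExecutionTime": NOW - timedelta(days=1)},
     "NonCompliantSummary": {"NonCompliantCount": 3, "SeveritySummary": {"CriticalCount": 2, "HighCount": 1}}},
    {"ResourceId": "i-0ccc", "ResourceType": "ManagedInstance", "Status": "COMPLIANT",
     "ExecutionSummary": {"ExecutionTime": NOW - timedelta(days=30)}},
]
MANAGED = ["i-0aaa", "i-0bbb", "i-0ccc", "i-0ddd"]

if __name__ == "__main__":
    for iid, (status, detail) in evaluate_patch_compliance(MANAGED, SAMPLE, now=NOW).items():
        print(f"{iid}: {status} - {detail}")
```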
Risk
Unpatched instances remain exposed to publicly known vulnerabilities (CVEs), enabling remote code execution, privilege escalation, and lateral movement.
This threatens confidentiality (data exfiltration), integrity (unauthorized changes), and availability (ransomware, crypto-mining, outages).
prowler aws --checks ssm_managed_compliant_patching
Recommendation
Adopt automated patch management with Systems Manager: enroll EC2 as managed nodes, define strict patch baselines, run frequent compliance scans, and install critical updates promptly.
Apply defense in depth: least-privileged roles for patching, staged rollouts, maintenance windows, and centralized compliance reporting with alerting.
Remediation
aws ssm send-command --instance-ids <INSTANCE_ID> --document-name AWS-RunPatchBaseline --parameters Operation=Install
- Open AWS Console > Systems Manager > Run Command
- Click Run command
- Select document: AWS-RunPatchBaseline
- In Parameters, set Operation = Install
- In Targets, select the non-compliant instance
- Click Run; wait for the command to complete and verify that the instance's compliance status shows COMPLIANT
Resource Type
AwsSsmPatchCompliance
References
- https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-compliance-identify.html
- https://support.icompaas.com/support/solutions/articles/62000233554-ensure-ec2-instances-managed-by-systems-manager-are-compliant-with-patching-requirements
- https://docs.aws.amazon.com/systems-manager/latest/userguide/compliance-fixing.html