AWS systems-manager documentation change
Summary
Added detailed section explaining patch compliance definitions, clarified security vs compliance relationship, and expanded patch baseline documentation
Security assessment
Explicitly clarifies that compliance doesn't equate to security and references security considerations in Systems Manager, though no specific vulnerability is addressed
Diff
diff --git a/systems-manager/latest/userguide/patch-manager.md b/systems-manager/latest/userguide/patch-manager.md index 8853175b6..258f9e320 100644 --- a//systems-manager/latest/userguide/patch-manager.md +++ b//systems-manager/latest/userguide/patch-manager.md @@ -4,0 +5,2 @@ +What is compliance in Patch Manager?Primary components + @@ -9 +11 @@ Patch Manager, a tool in AWS Systems Manager, automates the process of patching -###### Important +###### Note @@ -15,2 +16,0 @@ You can use Patch Manager to apply patches for both operating systems and applic -###### Note - @@ -20,0 +21,37 @@ For Linux-based operating system types that report a severity level for patches, +## What is compliance in Patch Manager? + +The benchmark for what constitutes _patch compliance_ for the managed nodes in your Systems Manager fleets is not defined by AWS, by operating system (OS) vendors, or by third parties such as security consulting firms. + +Instead, you define what patch compliance means for managed nodes in your organization or account in a _patch baseline_. A patch baseline is a configuration that specifies rules for which patches must be installed on a managed node. A managed node is patch compliant when it is up to date with all the patches that meet the approval criteria that you specify in the patch baseline. + +Note that being _compliant_ with a patch baseline doesn't mean that a managed node is necessarily _secure_. Compliant means that the patches defined by the patch baseline that are both _available_ and _approved_ have been installed on the node. The overall security of a managed node is determined by many factors outside the scope of Patch Manager. For more information, see [Security in AWS Systems Manager](./security.html). + +Each patch baseline is a configuration for a specific supported operating system (OS) type, such as Red Hat Enterprise Linux (RHEL), macOS, or Windows Server. A patch baseline can define patching rules for all supported versions of an OS or be limited to only those you specify, such as RHEL 6.10, RHEL 7.8., and RHEL 9.3. + +In a patch baseline, you could specify that all patches of certain classifications and severity levels are approved for for installation. For example, you might include all patches classified as `Security` but exclude other classifications, such as `Bugfix` or `Enhancement`. And you could include all patches with a severity of `Critical` and exclude others, such as `Important` and `Moderate`. + +You can also define patches explicitly in a patch baseline by adding their IDs to lists of specific patches to approve or reject, such as `KB2736693` for Windows Server or `dbus.x86_64:1:1.12.28-1.amzn2023.0.1` for Amazon Linux 2023 (AL2023). You can optionally specify a certain number of days to wait for patching after a patch becomes available. For Linux and macOS, you have the option of specifying an external list of patches for compliance (an Install Override list) instead of those defined by the patch baseline rules. + +When a patching operation runs, Patch Manager compares the patches currently applied to a managed node to those that should be applied according to the rules set up in the patch baseline or an Install Override list. You can choose for Patch Manager to show you only a report of missing patches (a `Scan` operation), or you can choose for Patch Manager to automatically install all patches it find are missing from a managed node (a `Scan and install` operation). + +Patch Manager provides predefined patch baselines that you can use for your patching operations; however, these predefined configurations are provided as examples and not as recommended best practices. We recommend that you create custom patch baselines of your own to exercise greater control over what constitutes patch compliance for your fleet. + +For more information about patch baselines, see the following topics: + + * [Predefined and custom patch baselines](./patch-manager-predefined-and-custom-patch-baselines.html) + + * [Package name formats for approved and rejected patch lists](./patch-manager-approved-rejected-package-name-formats.html) + + * [Viewing AWS predefined patch baselines](./patch-manager-view-predefined-patch-baselines.html) + + * [Working with custom patch baselines](./patch-manager-manage-patch-baselines.html) + + * [Working with patch compliance reports](./patch-manager-compliance-reports.html) + + + + +## Primary components + +Before you start working with the Patch Manager tool, you should familiarize yourself with some major components and features of the tool's patching operations. +