AWS systems-manager high security documentation change
Summary
Added guidance to enforce repository update verification for YUM/DNF package managers
Security assessment
Introduces configuration to prevent skipping updates when repositories are unreachable, directly addressing a potential security gap in patch management reliability. This mitigates the risk of missing critical security patches due to connectivity issues.
Diff
diff --git a/systems-manager/latest/userguide/patch-manager-alternative-source-repository.md b/systems-manager/latest/userguide/patch-manager-alternative-source-repository.md index 46e5b02b7..9fcd2950b 100644 --- a//systems-manager/latest/userguide/patch-manager-alternative-source-repository.md +++ b//systems-manager/latest/userguide/patch-manager-alternative-source-repository.md @@ -45,0 +46,6 @@ Keep in mind the following points as you plan your patching strategy using alter +###### Enforce repo update verifications (YUM and DNF) + +A default configuration for a package manager on a Linux distribution might be set to skip an unreachable package repository if connection to the repository cannot be established. To enforce repository update verification, add `skip_if_unavailable=False` to the repository configuration. + +For more information about the `skip_if_available` option, see [Connectivity to the patch source](./patch-manager-prerequisites.html#source-connectivity). +