Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

4.2.4. Automated Patching and Continuous Validation

First Principle: Manual patching is too slow and error-prone for production environments. Automated patching with continuous validation ensures vulnerabilities are remediated within hours (not weeks) while confirming patches don't break applications.

Systems Manager Patch Manager:
  • Define patch baselines specifying which patches to auto-approve (critical, security)
  • Create maintenance windows for scheduled patching
  • Use patch groups (tag-based) to apply different baselines to different workloads
  • Report compliance status to Systems Manager dashboard and Config
Amazon Inspector for Continuous Validation:
  • After patching, Inspector rescans to verify vulnerabilities are actually remediated
  • Provides a feedback loop: patch → scan → verify → report
  • Integrates with Security Hub for centralized compliance visibility
Patch Management Pipeline:

⚠️ Exam Trap: Patch Manager applies patches. Inspector validates they worked. Config ensures patching compliance stays continuous. Know the three-service pattern: Patch Manager → Inspector → Config.

Scenario: A Config rule (ec2-managedinstance-patch-compliance-status-check) detects that 15 instances across 3 accounts are non-compliant. Patch Manager automatically patches them during the next maintenance window. Inspector confirms the CVEs are remediated. Config marks them compliant.
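The three-service pattern from the Exam Trap and the scenario, expressed as infrastructure-as-code. This is an added example written for this section; it is not MindMesh Academy's material and not something AWS publishes as-is. It defines the Patch Manager side (a baseline that auto-approves Critical/Important security patches, a weekly maintenance window, a tag-based patch group target and the AWS-RunPatchBaseline task) plus the Config managed rule named in the scenario. The resource names, the `prod-web` patch group tag value, the approval delay and the cron schedule are assumptions; the resource types, property names, document name and rule identifier are real.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not course material): Patch Manager baseline, maintenance
  window and Config rule for the Patch Manager -> Inspector -> Config loop.
  Names, tag values, approval delay and schedule are assumptions.

Resources:
  # 1. Patch baseline: auto-approve Security patches rated Critical/Important
  #    3 days after release. A missing approved patch counts as CRITICAL
  #    non-compliance, which is what Config later reports on.
  ProdPatchBaseline:
    Type: AWS::SSM::PatchBaseline
    Properties:
      Name: prod-security-baseline          # assumed name
      OperatingSystem: AMAZON_LINUX_2
      PatchGroups:
        - prod-web                          # assumed patch group (tag value)
      ApprovalRules:
        PatchRules:
          - ApproveAfterDays: 3
            ComplianceLevel: CRITICAL
            EnableNonSecurity: false
            PatchFilterGroup:
              PatchFilters:
                - Key: CLASSIFICATION
                  Values: [Security]
                - Key: SEVERITY
                  Values: [Critical, Important]

  # 2. Maintenance window: Sundays 02:00 UTC, 3 hours long, no new tasks
  #    started in the final hour (Cutoff).
  ProdPatchWindow:
    Type: AWS::SSM::MaintenanceWindow
    Properties:
      Name: prod-weekly-patching            # assumed name
      Schedule: cron(0 2 ? * SUN *)
      Duration: 3
      Cutoff: 1
      AllowUnassociatedTargets: false

  # 3. Target: every managed instance carrying the tag "Patch Group = prod-web".
  #    The same tag value selects the baseline above, so different workloads
  #    get different baselines just by changing the tag.
  ProdPatchTargets:
    Type: AWS::SSM::MaintenanceWindowTarget
    Properties:
      WindowId: !Ref ProdPatchWindow
      ResourceType: INSTANCE
      Targets:
        - Key: tag:Patch Group
          Values: [prod-web]

  # 4. Task: run the AWS-RunPatchBaseline document in Install mode. The
  #    concurrency/error limits cap the blast radius of a bad patch so the
  #    whole fleet is never rebooted at once.
  ProdPatchTask:
    Type: AWS::SSM::MaintenanceWindowTask
    Properties:
      WindowId: !Ref ProdPatchWindow
      TaskType: RUN_COMMAND
      TaskArn: AWS-RunPatchBaseline
      Priority: 1
      MaxConcurrency: "25%"
      MaxErrors: "10%"
      Targets:
        - Key: WindowTargetIds
          Values: [!Ref ProdPatchTargets]
      TaskInvocationParameters:
        MaintenanceWindowRunCommandParameters:
          Parameters:
            Operation: [Install]
            RebootOption: [RebootIfNeeded]

  # 5. The Config managed rule from the scenario: marks any managed instance
  #    whose Patch Manager compliance status is NON_COMPLIANT, and flips it
  #    back to COMPLIANT once the next window has installed the patches.
  PatchComplianceRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: ec2-managedinstance-patch-compliance-status-check
      Source:
        Owner: AWS
        SourceIdentifier: EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK
```

Inspector is deliberately absent from the template: it is enabled at the account or organization level (the `inspector2 enable` API or the console) rather than per stack, and once enabled it rescans instances on its own after the Install task runs, so the "verify" step needs no task of its own. The template assumes Config is already recording in the account and that the SSM Agent is installed so instances appear as managed instances.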

Reflection Question: Why does a complete patching strategy require three services (Patch Manager, Inspector, Config) rather than just one?

Written by Alvin Varughese
Founder, 15 professional certifications