AWS Cloud Operations & Migrations Blog

Multi-Account patch compliance with Patch Manager and Security Hub

Update 10/2020 – Viewing patch compliance findings across AWS accounts in AWS Security Hub is now supported natively. For more information, see the What’s New announcement.

Introduction

In this blog post, I discuss how to import critical patch compliance findings into Security Hub. Security Hub is a service that provides customers with a comprehensive view of their security and compliance status across their AWS accounts. Customers use Security Hub as a single place that aggregates, organizes, and ranks their security findings. Security Hub gets these findings from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie. One critical finding that customers monitor is OS patch compliance, and today they use the separate AWS Systems Manager compliance console to do so.

Additionally, you can view aggregated patch compliance data across accounts by aggregating Security Hub findings across accounts. I walk through the setup manually and then show how to set it up using AWS CloudFormation. This blog provides an alternative to AWS Systems Manager Explorer.

Prerequisites

This blog requires a patch baseline with compliance level set to critical.

Overview

The solution creates a maintenance window with two tasks.

  1. Run AWS-RunPatchBaseline in Scan mode to report the patch results to Compliance.
  2. Run an AWS Lambda function that pulls the non-compliant patch information for each Amazon EC2 instance from Compliance and reports it to Security Hub. The following diagram shows an overview of the setup.


AWS Systems Manager patch compliance data to AWS Security Hub design diagram

Tutorial

Manual setup

This approach uses the console to set up the patch compliance export.

There are four steps involved in exporting patch compliance findings to Security Hub.

Step 1: Set up IAM rules and permissions
The AWS Lambda function requires permission to call Systems Manager Compliance API operations (to export data) and Security Hub API operations (to import findings). The following three steps create the IAM role with the right policies.

  1. Create a new IAM policy to import findings into Security Hub.
    • Go to the IAM console and create a new policy for importing findings into Security Hub.
    • Choose the JSON tab and paste the following policy.
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "VisualEditor0",
                  "Effect": "Allow",
                  "Action": [
                      "securityhub:EnableSecurityHub",
                      "securityhub:EnableImportFindingsForProduct",
                      "securityhub:BatchImportFindings"
                  ],
                  "Resource": "*"
              }
          ]
      }

    • Name the policy. I have used the name “Import-Into-Security-Hub” for the purpose of this blog.
  2. Create a new IAM policy to export findings from Systems Manager Compliance.
    • Go to the IAM console and create a new policy for listing compliance from Systems Manager.
    • Choose the JSON tab and paste the following policy.
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "VisualEditor0",
                  "Effect": "Allow",
                  "Action": [
                      "ssm:ListComplianceItems",
                      "ssm:ListComplianceSummaries",
                      "ssm:ListResourceComplianceSummaries"
                  ],
                  "Resource": "*"
              }
          ]
      }

    • Name the policy. I have used the name “List-Compliance-Items” for the purpose of this blog.
  3. Create a new role and attach the two policies.
    • Go to the IAM console and choose “Create Role”.
    • Choose “Lambda” as the service that will use the role and choose Next.
    • Select the two policies you created in the previous steps.

Role creation with the created policies

    • Review the role and provide a name. I have named it “Import-From-SSM-To-Security-Hub” for the purpose of the blog.

Step 2: Set up Lambda

  1. Go to the Lambda console and choose “Create Function”.
  2. Provide an appropriate name for the Lambda function, starting with SSM. I have used the name “SSMImportPatchComplianceToSecurityHub” for the purpose of the blog. Under execution role, choose “Use an existing role” and select the role “Import-From-SSM-To-Security-Hub”.
    Create Lambda Function page
  3. Build the Lambda deployment package from index.js following the Lambda deployment package documentation. Note that the AWS SDK must be included in the deployment package. You can also find more information about the folder structure in the Lambda developer guide. For this blog, the package is named “SSMExportFromSecHub.zip”.
  4. In the function code, select “Upload a .zip file”, set Runtime to “Node.js 10.x” and Handler to “index.handler”. Upload the “SSMExportFromSecHub.zip” package and click “Save”.
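The post does not reproduce index.js, so the following is an added illustration (not the author's package) of what the handler has to do: query Systems Manager Compliance for the instance named in the task payload, turn each NON_COMPLIANT Patch item into an ASFF finding, and import the findings in batches of 100. Field names for the compliance item and the ASFF finding follow the public API shapes; the `clients` parameter is an assumption added so the logic can run without the AWS SDK, and the finding Id scheme and `GeneratorId` are my choices.

```javascript
// Added example, not the post's index.js: read NON_COMPLIANT Patch items for one instance from
// SSM Compliance and import them into Security Hub as ASFF findings. Clients are injected so
// the logic can be exercised without the AWS SDK; in Lambda it falls back to aws-sdk v2 clients.
const SEVERITY = { CRITICAL: 'CRITICAL', HIGH: 'HIGH', MEDIUM: 'MEDIUM', LOW: 'LOW' };

// One SSM compliance item -> one ASFF finding. The Id is stable per instance+patch so a rerun
// of the maintenance window updates the existing finding instead of creating a duplicate.
function toAsffFinding(item, instanceId, accountId, region, now = new Date()) {
  const ts = now.toISOString();
  return {
    SchemaVersion: '2018-10-08',
    Id: `${region}/${instanceId}/patch/${item.Id}`,
    ProductArn: `arn:aws:securityhub:${region}:${accountId}:product/${accountId}/default`,
    GeneratorId: 'ssm-patch-compliance', AwsAccountId: accountId,
    Types: ['Software and Configuration Checks/Patch Management'],
    CreatedAt: ts, UpdatedAt: ts,
    Severity: { Label: SEVERITY[item.Severity] || 'INFORMATIONAL' }, // UNSPECIFIED -> INFORMATIONAL
    Title: `Missing ${item.Severity} patch ${item.Id} on ${instanceId}`,
    Description: `${item.Title || item.Id}: ${(item.Details || {}).PatchState || item.Status}`,
    Resources: [{ Type: 'AwsEc2Instance', Region: region, Id: `arn:aws:ec2:${region}:${accountId}:instance/${instanceId}` }],
    Compliance: { Status: 'FAILED' },
  };
}
// Page through ListComplianceItems for the instance, filtered server-side to Patch / NON_COMPLIANT.
async function listNonCompliantPatches(ssm, instanceId) {
  const items = []; let NextToken;
  do {
    const page = await ssm.listComplianceItems({
      ResourceIds: [instanceId], ResourceTypes: ['ManagedInstance'], NextToken,
      Filters: [{ Key: 'ComplianceType', Values: ['Patch'] }, { Key: 'Status', Values: ['NON_COMPLIANT'] }],
    }).promise();
    items.push(...(page.ComplianceItems || []));
    NextToken = page.NextToken;
  } while (NextToken);
  return items;
}
// Entry point; the maintenance window task passes {"instanceid": "{{TARGET_ID}}"} as the payload.
async function handler(event, context, clients) {
  const { ssm, securityhub } = clients || { ssm: new (require('aws-sdk').SSM)(), securityhub: new (require('aws-sdk').SecurityHub)() };
  const [, , , region, accountId] = context.invokedFunctionArn.split(':');
  const items = await listNonCompliantPatches(ssm, event.instanceid);
  const findings = items.map((i) => toAsffFinding(i, event.instanceid, accountId, region));
  for (let i = 0; i < findings.length; i += 100) { // BatchImportFindings accepts at most 100 findings per call
    const res = await securityhub.batchImportFindings({ Findings: findings.slice(i, i + 100) }).promise();
    if (res.FailedCount) throw new Error(`${res.FailedCount} findings rejected`); // fail the task so the window shows it
  }
  return { imported: findings.length };
}
module.exports = { handler, toAsffFinding, listNonCompliantPatches };
```

Throwing on a non-zero FailedCount matters operationally: otherwise the maintenance window task reports success while Security Hub silently dropped findings.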

Step 3: Set up the maintenance window

  1. On the Maintenance Windows tab of the Systems Manager console, create a new maintenance window with an appropriate name and schedule. I have named the maintenance window “Patch-Management” for the purpose of the tutorial.
  2. Add the instances to be patched by registering a target with the maintenance window.
  3. Add a patch scan task to the maintenance window by registering a Run Command task with the following settings:
    Register Lambda Task in Maintenance Window

    • AWS-RunPatchBaseline in the “Command document” section.
    • Priority such that it is the first task in the window (I kept the default value, 1).
    • Set the “Operation” to “Scan” under the “Parameters” section.
  4. To run the Lambda function as a task, select the window, choose “Actions”, and then “Register Lambda task” with the following settings:
    • Set the function in Lambda parameters to “SSMImportPatchComplianceToSecurityHub”.
    • Priority such that it is the last task in the window (I set it to 10).
    • Payload
      {"instanceid": "{{TARGET_ID}}"}
Register Lambda Task Settings (Priority and Payload)
    • Rate control and error threshold as appropriate (I set them to 10 targets and 10 errors respectively).
    • IAM service role as “Use the service-linked role for Systems Manager”.

Register Lambda Task Settings (target, Rate Control and IAM Role)


Step 4: Set up cross-account sync in Security Hub

By following the instructions in the GitHub package, you can gather the findings from multiple accounts under the Security Hub of one account. Note that Security Hub is regionally isolated: findings for each member account roll up to the corresponding Region in the master account.


Set up using AWS CloudFormation

  1. Build the Lambda deployment package from index.js following the Lambda deployment package documentation. Note that the AWS SDK must be included in the deployment package. You can also find more information about the folder structure in the Lambda developer guide. For this blog, the package is named “SSMExportFromSecHub.zip”.
  2. Upload SSMExportFromSecHub.zip to an Amazon S3 bucket.
  3. Go to the AWS CloudFormation console and choose to create a new stack.
  4. Use the “Upload a template file” option and upload the AWS CloudFormation template.
  5. Provide an appropriate stack name; for this blog I call it “Patch-Export-Stack”. Provide parameters based on the following guidance.
    • ExistingLambdaExecutionRole: The role should have list permissions on Systems Manager Compliance and import permission in Security Hub. This parameter is optional. If no role is provided, the template creates a new role and policy in the account with the permissions listed under “Manual setup”, Step 1.
    • S3BucketParam: Amazon S3 bucket of the file uploaded in step 2. This parameter is required.
    • S3KeyParam: Amazon S3 object key of the file uploaded in step 2. This parameter is required.
    • TargetTagKey: The tag key of the instances that will be targets of the created maintenance window. This parameter is required.
    • TargetTagValue: The tag value of the instances that will be targets of the created maintenance window. This parameter is required.
  6. Fill in the appropriate “Configure Stack Options” and select Next.
  7. Review the stack and select “Create Stack”.
  8. Set up cross-account sync in Security Hub by following the guide in the GitHub package. This provides the ability to gather the findings from multiple accounts under the Security Hub of one account. Note that Security Hub is regionally isolated: findings for each member account roll up to the corresponding Region in the master account.

Summary

After the maintenance window tasks have run, navigate to Security Hub to view all patch compliance findings.

Patch Compliance on Security Hub Console

Cleanup

To remove all resources created as a part of this blog, work through the following steps.

  1. Disable Security Hub on both the master and linked accounts following the instructions under section 2b in the GitHub package.
  2. If you used the manual setup, remove the following manually:
    • Delete the Lambda function “SSMImportPatchComplianceToSecurityHub”.
    • Delete the IAM role “Import-From-SSM-To-Security-Hub” and the two policies “List-Compliance-Items” and “Import-Into-Security-Hub”.
    • Delete the maintenance window “Patch-Management”.
  3. If you used AWS CloudFormation, do the following to clean up all the resources:
    • Delete the AWS CloudFormation stack to remove the following items:
      • Lambda function “SSMImportPatchComplianceToSecurityHub”.
      • IAM role and two policies.
      • Maintenance window “Patch-Management”.
    • Delete the file “SSMExportFromSecHub.zip” from the S3 bucket.

Conclusion

In this post, I demonstrated a solution that gathers the status of missing critical patches into the Security Hub console for multiple accounts under AWS Organizations. This is helpful for a new or existing setup in which customers use Security Hub to monitor high-priority security alerts and compliance status across AWS accounts. To learn more about Patch Manager, go to the product documentation.

About the Author

Ali Alzand is a Cloud Support Engineer in AWS Premium Support. He specializes in AWS Systems Manager, Amazon EC2 Windows, and PowerShell. Outside of work, Ali enjoys barbecuing, outdoor activities, and trying all kinds of food.