Posted On: Aug 28, 2017
Amazon EC2 Systems Manager can now be used to report and take action on configuration compliance for Patch Manager, State Manager, and custom compliance types.
Previously, you could only view patch compliance information for instances patched using Patch Manager. Now, you can also view configuration compliance information for instances based on the defined state from a State Manager document and Association. For example, you can define a State Manager Association that tests for specific firewall port settings or the presence of an application, then run a report to check if your instances are in compliance with that defined configuration. Additionally, you can define custom configuration compliance types, such as when you want to report if specific registry settings have been disabled.
Compliance reports are available per account. To view compliance data across accounts and Regions, set up a resource data sync to Amazon Simple Storage Service (Amazon S3). You can also visualize this data by using Amazon Athena and Amazon QuickSight.
Finally, you can auto-remediate your instances based on compliance reports. If instances are out of compliance, you can trigger an Amazon CloudWatch Events rule to bring them into compliance.
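The custom compliance type described above, as an added example that is not part of the announcement: locally observed registry-style settings are compared with a hardening baseline and turned into the items that `ssm:PutComplianceItems` expects. The instance ID, the `Custom:RegistryHardening` type name and the baseline values are constructed for the example.

```python
"""Report a custom SSM compliance type built from local hardening checks.

Added example; everything here (type name, settings, instance ID) is constructed.
"""
from datetime import datetime, timezone

# SSM requires custom compliance types to carry the "Custom:" prefix.
COMPLIANCE_TYPE = "Custom:RegistryHardening"   # constructed name

# Constructed baseline: setting -> (expected value, severity when it deviates).
# Severity must be one of CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL, UNSPECIFIED.
POLICY = {
    "AutoAdminLogon": ("0", "HIGH"),
    "EnableLUA": ("1", "CRITICAL"),
    "NoLMHash": ("1", "MEDIUM"),
}


def evaluate(observed: dict) -> list:
    """Turn observed settings into SSM compliance items.

    A missing setting is reported NON_COMPLIANT: for the report, an absent
    hardening key is indistinguishable from a disabled one.
    """
    items = []
    for name, (expected, severity) in POLICY.items():
        actual = observed.get(name)
        items.append({
            "Id": name,
            "Title": f"{name} must be {expected}",
            "Severity": severity,
            "Status": "COMPLIANT" if actual == expected else "NON_COMPLIANT",
            # Details is a string-to-string map; keep both sides for the report.
            "Details": {"Expected": expected,
                        "Actual": "MISSING" if actual is None else str(actual)},
        })
    return items


def summarize(items: list) -> dict:
    """Per-status counts, the same roll-up the compliance report shows."""
    counts = {"COMPLIANT": 0, "NON_COMPLIANT": 0}
    for item in items:
        counts[item["Status"]] += 1
    return counts


def build_request(instance_id: str, items: list) -> dict:
    """Assemble the parameters for ssm:PutComplianceItems."""
    return {
        "ResourceId": instance_id,
        "ResourceType": "ManagedInstance",
        "ComplianceType": COMPLIANCE_TYPE,
        "ExecutionSummary": {"ExecutionTime": datetime.now(timezone.utc)},
        "Items": items,
    }


def report(instance_id: str, observed: dict) -> dict:
    """Send the items to SSM. boto3 is imported lazily so the evaluation
    above also runs where the SDK is not installed."""
    import boto3
    request = build_request(instance_id, evaluate(observed))
    return boto3.client("ssm").put_compliance_items(**request)


if __name__ == "__main__":
    # Constructed observation: UAC on, LM hashes still stored, autologon key absent.
    observed = {"EnableLUA": "1", "NoLMHash": "0"}
    for item in evaluate(observed):
        print(item["Id"], item["Status"], item["Details"])
    print(summarize(evaluate(observed)))
```

Once the items are recorded, the instance shows up under the custom type in the compliance report alongside Patch Manager and State Manager results, and a NON_COMPLIANT status there is what a CloudWatch Events rule can act on.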