Posted On: Sep 22, 2020

You can now view all Amazon EC2 instances across all your accounts that are non-compliant with your configured patch rules in a single dashboard via AWS Security Hub. AWS Systems Manager Patch Manager now enables you to automatically send patch compliance findings generated by your patch rules to AWS Security Hub. This gives you the ability to centrally monitor your patch compliance along with other security findings in a single view. Security Hub gives you a comprehensive view of your security posture across your AWS accounts and aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services. Patch Manager is a feature of AWS Systems Manager. AWS Systems Manager enables visibility and control of your cloud and on-premises infrastructure.  

If Security Hub is already enabled for your AWS account, after running a patch scan in Patch Manager, patch compliance items generated based on your patch rules will automatically start showing up as findings in Security Hub. Customers who do not have Security Hub enabled can navigate to the Security Hub onboarding page or Patch Manager settings to enable it. When this feature is enabled, Patch Manager will create a finding for every instance found non-compliant against patch rules during patching. You can then aggregate findings across your accounts using Security Hub to view all instances not compliant with your configured patch rules in a single view. You can also take action on these findings from Security Hub by using Amazon CloudWatch Event rules to send the findings to ticketing, chat, Security Information and Event Management (SIEM), Security Orchestration Automation and Response (SOAR), and incident management tools or to custom remediation playbooks.  

This feature is available in all commercial AWS Regions where AWS Systems Manager Patch Manager is supported, excluding AWS China (Beijing & Ningxia) regions. You can export patch compliance reports from Patch Manager to Security Hub for no extra charge. However, you will be charged for findings ingested into Security Hub that are beyond the free tier for findings ingestion. For more information, see Security Hub pricing. For more details about Patch Manager, visit the AWS Systems Manager product page and documentation

You can enable your 30-day free trial of AWS Security Hub with a single-click in the AWS Management console. Please see the AWS Regions page for all the regions where AWS Security Hub is available. To learn more about AWS Security Hub capabilities, see the AWS Security Hub documentation, and to start your 30-day free trial see the AWS Security Hub free trial page.