
Guidance for Security Compliance and Patching of VMware and Amazon EC2 Workloads

Overview

This Guidance helps you set up centralized patching and compliance management for your VMware virtual machines (VMs) both on-premises and in the cloud. Using AWS Systems Manager, you can establish a secure maintenance and compliance system for patching and controls. By collecting all security findings in a single location, you can reduce the administrative burden around patching and compliance while also gaining operational efficiencies and improving observability.

How it works

These technical details feature an architecture diagram to illustrate how to effectively use this solution. The architecture diagram shows the key components and their interactions, providing an overview of the architecture's structure and functionality step-by-step.

Well-Architected Pillars

The architecture diagram above is an example of a Solution created with Well-Architected best practices in mind. To be fully Well-Architected, you should follow as many Well-Architected best practices as possible.

Patch Manager, a capability of Systems Manager, allows you to deploy software patches automatically across on-premises or cloud instances. You can set a patch baseline with rules that state which patches should automatically be installed, or you can choose to have Patch Manager show you a report of all missing patches.

Read the Operational Excellence whitepaper 

Security Hub offers a centralized view of your security findings. Once established, other services will automatically send security findings to Security Hub so you can easily check whether or not your services are in compliance. Security Hub acts on security findings by either alerting you, raising the finding on a dashboard, or kicking off an automation to resolve the finding. This helps you to discover vulnerabilities as soon as they occur and remediate them once discovered.

Read the Security whitepaper 

VMware Cloud on AWS is the preferred AWS service for all vSphere-based workloads. VMware Cloud on AWS includes vSphere High Availability (HA), which restarts VMs automatically in the event of a failed ESXi host. Distributed Resource Scheduler (DRS) is also enabled and can be used along with vMotion to live migrate running VMs off of hosts before maintenance is performed. VMware Cloud on AWS helps you avoid or minimize downtime for VMware workloads running on AWS.

Read the Reliability whitepaper 

VMware Cloud on AWS allows you to provision ESXi hosts dynamically using a feature called Elastic Distributed Resource Scheduler (eDRS). eDRS will grow or shrink the VMware Cloud on AWS clusters based on the workloads running on top of those clusters. eDRS accomplishes this by responding to the total CPU and memory load within the VMware Cloud on AWS cluster.

Read the Performance Efficiency whitepaper 

The Guidance doesn’t require additional servers or OS licensing, minimizing overall costs. With the exclusion of the servers being patched, this Guidance is fully serverless and uses managed services. Patching is automated, which can reduce operational costs compared to manual patching.

The main service costs to consider are:

  • Systems Manager (specifically, Systems Manager licensing and on-premises instance management; you will need to update the account- and Region-level instance tier setting from “standard” to “advanced” to use Patch Manager for patching applications hosted on-premises).
  • Security Hub (for security checks, finding ingestions, and automation rules with criteria).
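
The patch baseline described above (auto-approving security patches by classification and severity) and the “standard” to “advanced” tier change for on-premises managed nodes can both be expressed as Systems Manager API requests. The following is an added example, not code from this Guidance or from AWS: it builds the `CreatePatchBaseline` and `UpdateServiceSetting` request bodies, validates the values Patch Manager accepts, and runs a simple compliance check over a constructed sample of `DescribeInstancePatchStates` output. The function names, the `vmware-security` baseline name, the account ID and Region, and the sample node records are all assumptions for illustration.

```python
"""Patch Manager baseline and compliance helpers (added example, not AWS's own code).

Assumptions: function names are this example's own; the request shapes follow the
Systems Manager CreatePatchBaseline and UpdateServiceSetting APIs; the sample patch
states below are constructed and do not come from a real account.
"""
from typing import Dict, List

# Patch filter keys and classification values differ per operating system:
# Windows uses MSRC_SEVERITY and the "SecurityUpdates"/"CriticalUpdates"
# classifications, while the Linux baselines use SEVERITY and "Security".
SECURITY_FILTERS = {
    "WINDOWS": [
        {"Key": "CLASSIFICATION", "Values": ["SecurityUpdates", "CriticalUpdates"]},
        {"Key": "MSRC_SEVERITY", "Values": ["Critical", "Important"]},
    ],
    "AMAZON_LINUX_2": [
        {"Key": "CLASSIFICATION", "Values": ["Security"]},
        {"Key": "SEVERITY", "Values": ["Critical", "Important"]},
    ],
    "REDHAT_ENTERPRISE_LINUX": [
        {"Key": "CLASSIFICATION", "Values": ["Security"]},
        {"Key": "SEVERITY", "Values": ["Critical", "Important"]},
    ],
}

COMPLIANCE_LEVELS = {"CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNSPECIFIED"}


def build_patch_baseline(name: str, operating_system: str,
                         approve_after_days: int = 7,
                         compliance_level: str = "CRITICAL") -> Dict:
    """Return a CreatePatchBaseline request that auto-approves security patches
    after a soak period of approve_after_days (API range: 0..360)."""
    if operating_system not in SECURITY_FILTERS:
        raise ValueError(f"no security filter defined for {operating_system}")
    if not 0 <= approve_after_days <= 360:
        raise ValueError("ApproveAfterDays must be between 0 and 360")
    if compliance_level not in COMPLIANCE_LEVELS:
        raise ValueError(f"unknown compliance level {compliance_level}")
    return {
        "Name": name,
        "OperatingSystem": operating_system,
        "Description": "Auto-approve Critical/Important security patches",
        "ApprovalRules": {
            "PatchRules": [{
                "PatchFilterGroup": {"PatchFilters": SECURITY_FILTERS[operating_system]},
                "ApproveAfterDays": approve_after_days,
                "ComplianceLevel": compliance_level,
                "EnableNonSecurity": False,  # security patches only
            }]
        },
        "ApprovedPatchesComplianceLevel": compliance_level,
        "RejectedPatchesAction": "BLOCK",  # never install an explicitly rejected patch
    }


def activation_tier_setting(region: str, account_id: str, tier: str = "advanced") -> Dict:
    """Return the UpdateServiceSetting request that moves on-premises managed
    nodes in one account/Region from the standard to the advanced tier."""
    if tier not in {"standard", "advanced"}:
        raise ValueError("tier must be 'standard' or 'advanced'")
    return {
        "SettingId": (f"arn:aws:ssm:{region}:{account_id}:"
                      "servicesetting/ssm/managed-instance/activation-tier"),
        "SettingValue": tier,
    }


# Constructed sample of DescribeInstancePatchStates records; "mi-" IDs are
# hybrid-activated (on-premises VMware) nodes, "i-" IDs are EC2 instances.
SAMPLE_PATCH_STATES = [
    {"InstanceId": "i-0example0001", "PatchGroup": "vmware-prod",
     "InstalledCount": 42, "MissingCount": 0, "FailedCount": 0, "Operation": "Scan"},
    {"InstanceId": "mi-0example0002", "PatchGroup": "vmware-prod",
     "InstalledCount": 40, "MissingCount": 3, "FailedCount": 0, "Operation": "Scan"},
    {"InstanceId": "mi-0example0003", "PatchGroup": "vmware-dev",
     "InstalledCount": 41, "MissingCount": 0, "FailedCount": 1, "Operation": "Install"},
]


def noncompliant_nodes(states: List[Dict]) -> List[str]:
    """IDs of nodes with missing or failed patches, i.e. the ones Patch Manager
    would report as NON_COMPLIANT."""
    return sorted(s["InstanceId"] for s in states
                  if s.get("MissingCount", 0) > 0 or s.get("FailedCount", 0) > 0)


def patch_group_summary(states: List[Dict]) -> Dict[str, Dict[str, int]]:
    """Per patch group counts of compliant and non-compliant nodes."""
    bad = set(noncompliant_nodes(states))
    summary: Dict[str, Dict[str, int]] = {}
    for s in states:
        bucket = summary.setdefault(s["PatchGroup"], {"compliant": 0, "noncompliant": 0})
        bucket["noncompliant" if s["InstanceId"] in bad else "compliant"] += 1
    return summary


if __name__ == "__main__":
    # With boto3 installed and credentials configured, the requests apply directly:
    #   ssm = boto3.client("ssm", region_name="us-east-1")
    #   ssm.update_service_setting(**activation_tier_setting("us-east-1", "123456789012"))
    #   ssm.create_patch_baseline(**build_patch_baseline("vmware-security", "AMAZON_LINUX_2"))
    print(patch_group_summary(SAMPLE_PATCH_STATES))
```

The soak period (`ApproveAfterDays`) is the knob to tune per patch group: a short value for a development group and a longer one for production lets the same baseline rule support a staged rollout. The `noncompliant_nodes` check mirrors what Patch Manager reports to Security Hub, so it is a convenient way to reconcile the two views when a finding looks stale.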

Read the Cost Optimization whitepaper

VMware Cloud on AWS with eDRS can shut down extra capacity, which saves on resource consumption, such as power and cooling. eDRS also allows you to design for the smallest possible footprint and dynamically scale to meet your workload demands.

Additionally, Security Hub and Systems Manager are managed and operated by AWS. As such, you do not need to deploy additional servers and infrastructure to accomplish your compliance and patching requirements.

Read the Sustainability whitepaper 

Deploy with confidence

Dive deep into the implementation guide for additional customization options and service configurations to tailor to your specific needs.

Open guide

Disclaimer

The sample code; software libraries; command line tools; proofs of concept; templates; or other related technology (including any of the foregoing that are provided by our personnel) is provided to you as AWS Content under the AWS Customer Agreement, or the relevant written agreement between you and AWS (whichever applies). You should not use this AWS Content in your production accounts, or on production or other critical data. You are responsible for testing, securing, and optimizing the AWS Content, such as sample code, as appropriate for production grade use based on your specific quality control practices and standards. Deploying AWS Content may incur AWS charges for creating or using AWS chargeable resources, such as running Amazon EC2 instances or using Amazon S3 storage.