[SEO Subhead]
This Guidance helps you set up centralized patching and compliance management for your VMware virtual machines (VMs) both on-premises and in the cloud. Using AWS Systems Manager, you can establish a secure maintenance and compliance system for patching and controls. By collecting all security findings in a single location, you can reduce the administrative burden around patching and compliance while also gaining operational efficiencies and improving observability.
Please note: [Disclaimer]
Architecture Diagram
[Architecture diagram description]
Step 1
This Guidance requires an inventory and data collection from the workloads. AWS Systems Manager uses an agent (SSM Agent). Install the SSM Agent into the VMware Cloud on AWS or on-premises nodes to manage. The SSM Agent requires communication with the AWS API over standard HTTPS ports. Because the SSM Agent always starts the communication, allowing any inbound rules is not necessary (egress tcp ports 443 and 80).
Step 2
Systems Manager is the operations hub for your AWS applications and resources and is broken into four core feature groups: Operations Management, Application Management, Change Management, and Node Management.
Step 3
AWS Security Hub enables automated checks for standard best practices, such as AWS Foundational Security Best Practices (FSBP), Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0 and v1.4.0, and Payment Card Industry Data Security Standard (PCI DSS).
Note: At the time of publication of this Guidance, Security Hub reports the resource type of all managed nodes as “Amazon Elastic Compute Cloud (Amazon EC2) instance.” This includes on-premises servers and VMs that you have registered for use with Systems Manager.
Step 4
Support teams log in to Systems Manager to perform administrative tasks, such as hybrid activations and patch policy creation.
Step 1
This Guidance requires an inventory and data collection from the workloads. AWS Systems Manager uses an agent (SSM Agent). Install the SSM Agent into the VMware Cloud on AWS or on-premises nodes to manage. The SSM Agent requires communication with the AWS API over standard HTTPS ports. Because the SSM Agent always starts the communication, allowing any inbound rules is not necessary (egress tcp ports 443 and 80).
Step 2
Systems Manager is the operations hub for your AWS applications and resources and is broken into four core feature groups: Operations Management, Application Management, Change Management, and Node Management.
Step 3
AWS Security Hub enables automated checks for standard best practices, such as AWS Foundational Security Best Practices (FSBP), Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0 and v1.4.0, and Payment Card Industry Data Security Standard (PCI DSS).
Note: At the time of publication of this Guidance, Security Hub reports the resource type of all managed nodes as “Amazon Elastic Compute Cloud (Amazon EC2) instance.” This includes on-premises servers and VMs that you have registered for use with Systems Manager.
Step 4
Support teams log in to Systems Manager to perform administrative tasks, such as hybrid activations and patch policy creation.
Well-Architected Pillars
The AWS Well-Architected Framework helps you understand the pros and cons of the decisions you make when building systems in the cloud. The six pillars of the Framework allow you to learn architectural best practices for designing and operating reliable, secure, efficient, cost-effective, and sustainable systems. Using the AWS Well-Architected Tool, available at no charge in the AWS Management Console, you can review your workloads against these best practices by answering a set of questions for each pillar.
The architecture diagram above is an example of a Solution created with Well-Architected best practices in mind. To be fully Well-Architected, you should follow as many Well-Architected best practices as possible.
-
Operational ExcellenceRead the Operational Excellence whitepaper
Patch Manager, a capability of Systems Manager, allows you to deploy software patches automatically across on-premises or cloud instances. You can set a patch baseline with rules that state which patches should automatically be installed, or you can choose to have Patch Manager show you a report of all missing patches.
-
SecurityRead the Security whitepaper
Security Hub offers a centralized view of your security findings. Once established, other services will automatically send security findings to Security Hub so you can easily check whether or not your services are in compliance. Security Hub acts on security findings by either alerting you, raising the finding on a dashboard, or kicking off an automation to resolve the finding. This helps you to discover vulnerabilities as soon as they occur and remediate them once discovered.
-
ReliabilityRead the Reliability whitepaper
VMware Cloud on AWS is the preferred service for AWS for all vSphere-based workloads. VMware Cloud on AWS includes vSphere High Availability (HA) which restarts VMs automatically in the event of a failed ESXi host. Distributed Resource Scheduler (DRS) is also enabled, which can be used along with vMotion to live migrate running VMs off of hosts before maintenance is performed. VMware Cloud on AWS helps you avoid or minimize downtime for VMware workloads running on AWS.
-
Performance EfficiencyRead the Performance Efficiency whitepaper
VMware Cloud on AWS allows you to provision ESXi hosts dynamically using a feature called Elastic Distributed Resource Scheduler (eDRS). eDRS will grow or shrink the VMware Cloud on AWS clusters based on the workloads running on top of those clusters. eDRS accomplishes this by responding to the total CPU and memory load within the VMware Cloud on AWS cluster.
-
Cost OptimizationRead the Cost Optimization whitepaper
The Guidance doesn’t require additional servers or OS licensing, minimizing overall costs. With the exclusion of the servers being patched, this Guidance is fully serverless and uses managed services. Patching is automated, which can reduce operational costs compared to manual patching.
The main service costs to consider are:
- Systems Manager (specifically, Systems Manager licensing and on-premises instance management; you will need to update account- and Region- level settings from “standard” to “advanced” to use Patch Manager for patching applications hosted on-premises).
- Security Hub (for security checks, finding ingestions, and automation rules with criteria).
-
SustainabilityRead the Sustainability whitepaper
VMware Cloud on AWS with eDRS can shut down extra capacity, which saves on resource consumption, such as power and cooling. eDRS also allows you to design for the smallest possible footprint and dynamically scale to meet your workload demands.
Additionally, Security Hub and Systems Manager are managed and operated by AWS. As such, you do not need to deploy additional servers and infrastructure to accomplish your compliance and patching requirements.
Implementation Resources
A detailed guide is provided to experiment and use within your AWS account. Each stage of building the Guidance, including deployment, usage, and cleanup, is examined to prepare it for deployment.
Related Content
[Title]
Disclaimer
The sample code; software libraries; command line tools; proofs of concept; templates; or other related technology (including any of the foregoing that are provided by our personnel) is provided to you as AWS Content under the AWS Customer Agreement, or the relevant written agreement between you and AWS (whichever applies). You should not use this AWS Content in your production accounts, or on production or other critical data. You are responsible for testing, securing, and optimizing the AWS Content, such as sample code, as appropriate for production grade use based on your specific quality control practices and standards. Deploying AWS Content may incur AWS charges for creating or using AWS chargeable resources, such as running Amazon EC2 instances or using Amazon S3 storage.
References to third-party services or organizations in this Guidance do not imply an endorsement, sponsorship, or affiliation between Amazon or AWS and the third party. Guidance from AWS is a technical starting point, and you can customize your integration with third-party services when you deploy the architecture.