The best practice when deploying an AWS Linux instance is to run sudo yum update, which downloads and installs the latest patches for the OS and any installed packages. I put this to the test by deploying two standard AMI instances: one I updated, the other I left untouched.
I ran a vulnerability scan against both instances using the CVE 1-1, AWS Security Best Practices, and CIS Operating System Security Configuration checks. To my surprise, the patched instance still reported 150 high-priority security findings; the unpatched one reported 222.
When deploying instances, use a hardened Linux AMI from the AWS Marketplace rather than relying on a post-deploy update alone, and keep up automated scanning of the deployed instances so that findings the update does not fix are still surfaced.
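Since a plain sudo yum update leaves findings behind, a bootstrap script should verify what is still pending rather than assume the host is clean. The following is an added example, not the post's own code: it parses output shaped like yum updateinfo list security (one "advisory-id severity/Sec. package" line per advisory on Amazon Linux; that exact layout is an assumption here), counts the remaining advisories by severity, and fails the check when critical or important ones remain. The sample lines are constructed, not captured from a real host, and the advisory IDs in them are placeholders.

```shell
#!/bin/sh
# Added example: gate an instance bootstrap on the security advisories that are
# still pending after `sudo yum update -y`. Output format of `yum updateinfo
# list security` is assumed to be "<advisory-id> <severity>/Sec. <package>".

# Read updateinfo-style text on stdin and print "<total> <critical+important>".
count_security_advisories() {
    awk '
        # Advisory lines have a second field ending in "/Sec."; header and
        # footer lines ("Loaded plugins", "updateinfo list done") do not.
        $2 ~ /\/Sec\.$/ {
            total++
            sev = tolower($2); sub(/\/sec\.$/, "", sev)
            if (sev == "critical" || sev == "important") high++
        }
        END { printf "%d %d\n", total+0, high+0 }
    '
}

# Constructed sample, modelled on Amazon Linux 2 advisory lines (placeholder IDs).
SAMPLE_UPDATEINFO='Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
ALAS2-0000-0001 important/Sec. kernel-0.0.0-0.amzn2.x86_64
ALAS2-0000-0002 medium/Sec.    openssl-0.0.0-0.amzn2.x86_64
ALAS2-0000-0003 critical/Sec.  curl-0.0.0-0.amzn2.x86_64
updateinfo list done'

# Counts for the constructed sample (used for offline runs and the self-check).
sample_counts() {
    printf '%s\n' "$SAMPLE_UPDATEINFO" | count_security_advisories
}

# On a real host, query yum; elsewhere fall back to the sample so the script
# still runs. Returns non-zero when critical/important advisories remain.
check_host() {
    if command -v yum >/dev/null 2>&1; then
        counts=$(yum -q updateinfo list security 2>/dev/null | count_security_advisories)
    else
        counts=$(sample_counts)
    fi
    set -- $counts
    echo "pending security advisories: $1 (critical/important: $2)"
    [ "$2" -eq 0 ]
}

# A non-zero result is the signal to keep the instance out of service until the
# remaining advisories are dealt with (or to fall back to a hardened AMI).
check_host || echo "patching incomplete: high-severity advisories remain"
```

Run it once immediately after the update step in the instance's user data; the exit status of check_host is what a deployment pipeline or scanner hook should key on, since the printed line is only for the operator.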