
URL: https://repost.aws/questions/QUlZI2Jxs8T3qiK1l4nHgWKQ/ec2-image-builder-why-update-linux-aws-managed-component-doesn-t-result-into-compliant-state-after-creating-new-ami-version

EC2 Image Builder - Why "update-linux" aws managed component doesn't result into compliant state after creating new AMI version | AWS re:Post



0

We've detected that new AMI versions created by EC2 Image Builder don't have the COMPLIANT state in Patch Manager after being scanned (AWS-RunPatchBaseline document), despite the "update-linux" component being included in the recipes (Amazon Linux and RHEL). We want to keep the new versions compliant following the same (or similar) criteria as the "default patch-baseline" that we're using with patch policies in Quick Setup for other infra already deployed (not managed by ASG).

2 Answers
0

The “update-linux” managed component in EC2 Image Builder runs yum update -y (or equivalent for RHEL) during the image build phase, which applies all currently available patches at that moment. However, AWS Systems Manager Patch Manager compliance reports are based on the patch baseline defined in your account and evaluated against the instance’s patch inventory collected by the SSM agent. —Taz

answered 7 months ago
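One way to make the "patched at build time" state explicit in the recipe, as an added example (not code from the post or AWS's managed update-linux component): a custom Image Builder component document that applies all updates in the build phase and fails the build in the validate phase if yum still reports a pending security advisory. It assumes an RPM-based build instance (Amazon Linux 2 or RHEL) whose yum supports the --security filter.

```yaml
# Added example, not AWS's managed component: a custom AWSTOE component
# document. Assumes an RPM-based build instance (Amazon Linux 2 / RHEL)
# where "yum --security check-update" is available.
name: ApplyUpdatesAndVerifyNoSecurityAdvisories
description: Apply all available updates during build, then fail the build
  if any security advisory still has an uninstalled update.
schemaVersion: 1.0
phases:
  - name: build
    steps:
      - name: ApplyAllUpdates
        # Same effect as the managed update-linux component: installs every
        # update that is available at build time.
        action: UpdateOS
  - name: validate
    steps:
      - name: FailIfSecurityUpdatesPending
        action: ExecuteBash
        inputs:
          commands:
            - |
              # yum check-update exits 0 when nothing is pending, 100 when
              # updates are available, and 1 on error. --security limits
              # the check to updates that carry a security advisory.
              yum -q clean expire-cache
              rc=0
              yum -q --security check-update || rc=$?
              if [ "$rc" -eq 100 ]; then
                echo "Security updates still pending on the build instance:"
                yum -q updateinfo list security
                exit 1
              elif [ "$rc" -ne 0 ]; then
                echo "yum check-update failed with exit code $rc"
                exit "$rc"
              fi
              echo "No pending security advisories at $(date -u +%FT%TZ)"
```

This only proves the image was fully patched when it was built; Patch Manager still evaluates compliance against the account's baseline at scan time, so advisories released after the build will show as missing until the next image version or an in-place patch run.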

0

Is there any way or native solution to keep the new versions aligned with the "default-patch baseline"?

answered 7 months ago