EC2 Image Builder - Why the "update-linux" AWS managed component doesn't result in a compliant state after creating a new AMI version
We've detected that new AMI versions created by EC2 Image Builder don't have the COMPLIANT state in Patch Manager after being scanned (AWS-RunPatchBaseline document), despite the "update-linux" component being included in the recipes (Amazon Linux and RHEL). We want to keep the new versions compliant following the same (or similar) criteria as the "default patch-baseline" that we're using with patch policies in Quick Setup for other infrastructure already deployed (not managed by ASG).
The “update-linux” managed component in EC2 Image Builder runs yum update -y (or equivalent for RHEL) during the image build phase, which applies all currently available patches at that moment. However, AWS Systems Manager Patch Manager compliance reports are based on the patch baseline defined in your account and evaluated against the instance’s patch inventory collected by the SSM agent.
—Taz
answered 7 months ago
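As an added triage example (not code from the question or the answer above), the script below separates the two situations the answer describes: patches released after the build ran yum update -y (drift since the image was created) and patches that already existed at build time but the baseline still reports as unapplied (the recipe and the baseline criteria disagree). The patch records, the build timestamp and the ReleaseDate field are constructed here by hand, loosely following Patch Manager's State vocabulary, and are not output from any real account.

```python
from datetime import datetime, timezone

# Constructed sample: the moment the Image Builder build phase finished,
# i.e. the latest point at which update-linux could have applied patches.
AMI_BUILD_TIME = datetime(2024, 3, 10, 2, 0, tzinfo=timezone.utc)

# Hypothetical per-patch records for one instance launched from that AMI.
# "State" follows Patch Manager vocabulary (Installed / Missing / Failed);
# "ReleaseDate" is an assumed field, filled in by hand for this example.
SAMPLE_PATCHES = [
    {"Title": "kernel-5.10.210", "State": "Installed",
     "ReleaseDate": datetime(2024, 3, 1, tzinfo=timezone.utc)},
    {"Title": "openssl-3.0.8-1", "State": "Missing",
     "ReleaseDate": datetime(2024, 3, 14, tzinfo=timezone.utc)},
    {"Title": "sudo-1.9.15-1", "State": "Missing",
     "ReleaseDate": datetime(2024, 2, 20, tzinfo=timezone.utc)},
    {"Title": "curl-8.5.0-1", "State": "Failed",
     "ReleaseDate": datetime(2024, 3, 5, tzinfo=timezone.utc)},
]

UNAPPLIED = {"Missing", "Failed"}


def compliance_state(patches):
    """Any patch the baseline approves that is Missing or Failed makes the
    instance NON_COMPLIANT; with none of those it is COMPLIANT."""
    return "NON_COMPLIANT" if any(p["State"] in UNAPPLIED for p in patches) else "COMPLIANT"


def triage_missing(patches, build_time):
    """Split unapplied patches by whether they existed when the image was built.

    released_after_build: drift since the build; only a new image version
        (or patching the running instance) can close it.
    available_at_build: the baseline wanted it but update-linux did not apply
        it (repo not enabled, package excluded, update failed), so the recipe
        and the baseline criteria need to be reconciled.
    """
    report = {"released_after_build": [], "available_at_build": []}
    for p in patches:
        if p["State"] not in UNAPPLIED:
            continue
        bucket = "released_after_build" if p["ReleaseDate"] > build_time else "available_at_build"
        report[bucket].append(p["Title"])
    return report


if __name__ == "__main__":
    print(compliance_state(SAMPLE_PATCHES))
    print(triage_missing(SAMPLE_PATCHES, AMI_BUILD_TIME))
```

Only patches in the available_at_build bucket point at a gap between the component and the baseline; the other bucket is expected for any AMI scanned some time after it was built.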
