Building a scalable vulnerability management program on AWS
Anna McAbee and Megan O'Neil, Amazon Web Services (AWS)
October 2023 (document history)
Depending on the underlying technology you're using, a variety of tools and scans can generate security findings in a cloud environment. Without processes in place to handle these findings, they can begin to accumulate, often leading to thousands to tens of thousands of findings in a short amount of time. However, with a structured vulnerability management program and proper operationalization of your tooling, your organization can handle and triage a large number of findings from diverse sources.
Vulnerability management focuses on discovering, prioritizing, assessing, remediating, and reporting on vulnerabilities. Patch management, on the other hand, focuses on patching or updating software to remove or remediate security vulnerabilities. Patch management is just one aspect of vulnerability management. Generally, we recommend establishing both a patch-in-place process (also known as a mitigate-in-place process) to address critical, patch-now scenarios, and a standard process that you run on a regular cadence in order to release patched Amazon Machine Images (AMIs), containers, or software packages. These processes help prepare your organization to respond quickly to a zero-day vulnerability.
For critical systems in a production environment, using a patch-in-place process can be faster and more reliable than rolling out a new AMI across the fleet. For regularly scheduled patches, such as operating system (OS) and software patches, we recommend that you build and test using standard development processes, as you would any software-level change. This provides better stability for standard operating modes. You can use Patch Manager, a capability of AWS Systems Manager, or other third-party products as patch-in-place solutions. For more information about using Patch Manager, see Patch management in AWS Cloud Adoption Framework: Operations Perspective. Also, you can use EC2 Image Builder to automate the creation, management, and deployment of customized and up-to-date server images.
Building a scalable vulnerability management program on AWS involves managing traditional software and network vulnerabilities in addition to cloud configuration risks. A cloud configuration risk, such as an unencrypted Amazon Simple Storage Service (Amazon S3) bucket, should follow a similar triage and remediation process as a software vulnerability. In both of these cases, the application team must own and be accountable for the security of their application, including the underlying infrastructure. This distribution of ownership is key for an effective and scalable vulnerability management program.
This guide discusses how to streamline the identification and remediation of vulnerabilities in order to reduce overall risk. Use the following sections to build and iterate on your vulnerability management program:
- Prepare – Prepare your people, processes, and technology to identify, assess, and remediate vulnerabilities in your environment.
- Triage and remediate – Route security findings to the relevant stakeholders, identify the appropriate remediation action, and then take the remediation action.
- Report and improve – Use reporting mechanisms to identify opportunities for improvement, and then iterate on your vulnerability management program.
Building a cloud vulnerability management program often involves iteration. Prioritize recommendations in this guide and regularly revisit your backlog to stay current with technology changes and your business requirements.
Intended audience
This guide is intended for large enterprises that have three primary teams who are responsible for security-related findings: a security team, a Cloud Center of Excellence (CCoE) or cloud team, and application (or developer) teams. This guide uses the most common enterprise operating models and builds upon those operating models to enable a more efficient response to security findings and improve security outcomes. Organizations using AWS might have different structures and different operating models; however, you can modify many of the concepts in this guide to fit different operating models and smaller organizations.
Objectives
This guide can help you and your organization:
- Develop policies to streamline vulnerability management and ensure accountability
- Establish mechanisms to distribute responsibility for security to the application teams
- Configure relevant AWS services according to best practices for scalable vulnerability management
- Distribute ownership of security findings
- Establish mechanisms to report on and iterate on your vulnerability management program
- Improve security finding visibility and improve overall security posture