AWS Systems Manager Compliance
You can use Compliance, a capability of AWS Systems Manager, to scan your fleet of managed nodes for patch compliance and configuration inconsistencies. You can collect and aggregate data from multiple AWS accounts and Regions, and then drill down into specific resources that aren't compliant. By default, Compliance displays current compliance data about patching in Patch Manager and associations in State Manager. (Patch Manager and State Manager are also both capabilities of AWS Systems Manager.) To get started with Compliance, open the Systems Manager console
Patch compliance data from Patch Manager can be sent to AWS Security Hub. Security Hub gives you a comprehensive view of your high-priority security alerts and compliance status. It also monitors the patching status of your fleet. For more information, see Integrating Patch Manager with AWS Security Hub.
Compliance offers the following additional benefits and features:
- View compliance history and change tracking for Patch Manager patching data and State Manager associations by using AWS Config.
- Customize Compliance to create your own compliance types based on your IT or business requirements.
- Remediate issues by using Run Command, another capability of AWS Systems Manager, State Manager, or Amazon EventBridge.
- Port data to Amazon Athena and Amazon QuickSight to generate fleet-wide reports.
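The "custom compliance types" bullet above is where most teams add their own checks. The following is an added example, not code from the AWS documentation: it turns a list of local check results into the item format the Systems Manager PutComplianceItems API expects, reports them under a custom compliance type, and rolls them up into the per-node status the Compliance console shows. The compliance type name Custom:SshdHardening, the check titles, and the managed node ID mi-EXAMPLE0123456789 are constructed placeholders; only the API call and its field names are real.

```python
"""Added example (not from the AWS documentation): register a custom
Compliance type for a managed node with the Systems Manager
PutComplianceItems API, and summarise the result.

Assumptions (not stated on the page): the compliance type name
"Custom:SshdHardening", the check names, and the managed node ID
"mi-EXAMPLE0123456789" are constructed for this example."""
from datetime import datetime, timezone

# Constructed sample results: (item id, title, severity, passed?).
# Severity and Status strings are the values PutComplianceItems accepts.
CONSTRUCTED_CHECKS = [
    ("sshd-01", "PasswordAuthentication disabled", "CRITICAL", True),
    ("sshd-02", "PermitRootLogin set to no", "HIGH", False),
    ("sshd-03", "Protocol 2 only", "MEDIUM", True),
]


def build_compliance_items(checks, document_name="sshd-hardening-check"):
    """Translate check results into the Items list expected by
    ssm.put_compliance_items(). document_name is a constructed label."""
    items = []
    for item_id, title, severity, passed in checks:
        items.append({
            "Id": item_id,
            "Title": title,
            "Severity": severity,
            "Status": "COMPLIANT" if passed else "NON_COMPLIANT",
            "Details": {"DocumentName": document_name},
        })
    return items


def summarize(items):
    """Roll up items into (compliant_count, non_compliant_count, overall),
    mirroring how Compliance reports a node: one failing item makes the
    whole resource NON_COMPLIANT."""
    compliant = sum(1 for i in items if i["Status"] == "COMPLIANT")
    non_compliant = len(items) - compliant
    overall = "NON_COMPLIANT" if non_compliant else "COMPLIANT"
    return compliant, non_compliant, overall


def report_compliance(ssm_client, resource_id, compliance_type, checks):
    """Send the items to Systems Manager. ssm_client is a boto3 SSM client,
    passed in so the call can be stubbed in tests. Custom compliance types
    must be named with the "Custom:" prefix."""
    items = build_compliance_items(checks)
    ssm_client.put_compliance_items(
        ResourceId=resource_id,
        ResourceType="ManagedInstance",
        ComplianceType=compliance_type,
        ExecutionSummary={
            "ExecutionTime": datetime.now(timezone.utc),
            "ExecutionType": "Command",
        },
        Items=items,
    )
    return summarize(items)


if __name__ == "__main__":
    # Needs AWS credentials with permission for ssm:PutComplianceItems.
    import boto3
    result = report_compliance(
        boto3.client("ssm"),
        resource_id="mi-EXAMPLE0123456789",      # constructed placeholder node ID
        compliance_type="Custom:SshdHardening",  # constructed custom type name
        checks=CONSTRUCTED_CHECKS,
    )
    print("compliant=%d non_compliant=%d overall=%s" % result)
```

Once items have been written, the same custom type appears in the Compliance console and in ListResourceComplianceSummaries alongside the built-in Patch and Association types, so the remediation and reporting paths listed above (Run Command, State Manager, EventBridge, Athena) apply to it unchanged.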
EventBridge support
This Systems Manager capability is supported as an event type in Amazon EventBridge rules. For information, see Monitoring Systems Manager events with Amazon EventBridge and Reference: Amazon EventBridge event patterns and types for Systems Manager.
Chef InSpec integration
Systems Manager integrates with Chef InSpec
Pricing
Compliance is offered at no additional charge. You only pay for the AWS resources that you use.