Patching
New bucketAV versions are released regularly and include OS security updates (check the release notes). Each release is tested extensively to ensure that the latest patches work well with bucketAV's software. We recommend patching bucketAV by updating to the latest version; the customer is responsible for updating the product. The virus signature database is handled separately: it is updated automatically about every 2 hours, independently of product releases.
If you require more timely OS patching, bucketAV integrates with AWS Systems Manager, so you can use Patch Manager to install updates on your own schedule; the configuration is described in the section below.
We do not provide support for EC2 instances you modified.
AWS Systems Manager Patch Manager configuration
To configure AWS Systems Manager Patch Manager:
- Prepare bucketAV:
  - Set the SystemsManagerAccess configuration parameter to `true`.
  - Expand the IAM permissions of the bucketAV Scan Fleet with an AWS managed policy by adding `arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore` to the ManagedPolicyArns configuration parameter.
  - If you have configured values (not `*`) for the S3BucketRestriction or S3ObjectRestriction configuration parameter, you must also allow the buckets Patch Manager reads from (replace REGION with your AWS Region, e.g., us-east-1; the Region is shown in the top right of the AWS Management Console):
    - S3BucketRestriction: `arn:aws:s3:::aws-ssm-REGION,arn:aws:s3:::patch-baseline-snapshot-REGION`
    - S3ObjectRestriction: `arn:aws:s3:::aws-ssm-REGION/*,arn:aws:s3:::patch-baseline-snapshot-REGION/*`
- In AWS Systems Manager, create a new maintenance window:
  - Set a name and schedule.
  - Click Create maintenance window.
- Click on the maintenance window you created and register a new target:
  - Set a name and target by tag. Use tag key `aws:cloudformation:stack-name` and set the value to the stack name of bucketAV (if you followed the docs, the name is `bucketav`). Click Add.
  - Click Register target.
- Register a new Run command task:
  - Set a name and select the command document `AWS-RunPatchBaseline`.
  - Add the targets defined in the previous step.
  - Set the rate control concurrency to 1 target and the error threshold to 1 error, so that Scan Fleet instances are patched one at a time and the run stops at the first failure instead of taking the whole fleet down.
  - Set the parameters Operation to `Install` and RebootOption to `RebootIfNeeded`.
  - Click Register Run command task.
A second variant of the procedure grants the Scan Fleet access to the S3 buckets Patch Manager needs through a customer managed IAM policy rather than through the S3 restriction parameters:
- Prepare AWS account:
  - Create an IAM policy that grants access to the S3 buckets required by AWS Systems Manager Patch Manager.
- Prepare bucketAV:
  - Set the SystemsManagerAccess configuration parameter to `true`.
  - Expand the IAM permissions of the bucketAV Scan Fleet by adding the AWS managed policy `arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore` as well as the customer managed IAM policy created earlier to the ManagedPolicyArns configuration parameter.
- Then create the maintenance window, register the target by the `aws:cloudformation:stack-name` tag, and register the `AWS-RunPatchBaseline` Run command task (Operation `Install`, RebootOption `RebootIfNeeded`, concurrency 1 target, error threshold 1 error) exactly as described in the procedure above.
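As an added example (not bucketAV's or AWS's own code), the following Python script applies the configuration-parameter prerequisites from both procedures above, checks whether a given set of stack parameters is ready for Patch Manager, and produces the customer managed IAM policy document the second procedure asks you to create. It assumes that the stack parameters are handled as a dict of parameter name to string value (comma-separated where the parameter takes a list), that the function and statement names are mine, and that Patch Manager needs only read access (s3:ListBucket on the two buckets named above and s3:GetObject on their objects); the page itself does not state the exact actions, so review that against the AWS documentation for your setup.

```python
"""Pre-flight for enabling AWS Systems Manager Patch Manager on a bucketAV stack.

Added example, not bucketAV or AWS code. Assumed (not stated on the page):
  - the stack's CloudFormation parameters are handled as a dict of
    parameter name -> string value, lists being comma-separated;
  - Patch Manager only needs s3:ListBucket on the two buckets named in the
    docs and s3:GetObject on their objects.
"""
import json
import re

SSM_POLICY_ARN = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
SSM_BUCKETS = ("aws-ssm-{region}", "patch-baseline-snapshot-{region}")
# Loose sanity check so a literal "REGION" placeholder never ends up in the stack.
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")


def ssm_bucket_arns(region):
    """Bucket ARNs and object ARNs Patch Manager reads from in `region`."""
    if not REGION_RE.match(region):
        raise ValueError(f"not an AWS Region name: {region!r}")
    buckets = [f"arn:aws:s3:::{b.format(region=region)}" for b in SSM_BUCKETS]
    objects = [f"{arn}/*" for arn in buckets]
    return buckets, objects


def append_csv(current, additions):
    """Append items to a comma-separated parameter value without duplicating them."""
    entries = [e.strip() for e in current.split(",") if e.strip()]
    for item in additions:
        if item not in entries:
            entries.append(item)
    return ",".join(entries)


def widen_restriction(current, additions):
    """Add ARNs to an S3*Restriction value; "*" (unrestricted) must stay "*"."""
    if current.strip() == "*":
        return "*"
    return append_csv(current, additions)


def prepare_parameters(params, region, extra_policy_arns=()):
    """Return a copy of the stack parameters with the Patch Manager prerequisites applied.

    `extra_policy_arns` takes the customer managed policy from the second
    procedure, if you created one.
    """
    buckets, objects = ssm_bucket_arns(region)
    updated = dict(params)
    updated["SystemsManagerAccess"] = "true"
    updated["ManagedPolicyArns"] = append_csv(
        params.get("ManagedPolicyArns", ""), [SSM_POLICY_ARN, *extra_policy_arns])
    updated["S3BucketRestriction"] = widen_restriction(params.get("S3BucketRestriction", "*"), buckets)
    updated["S3ObjectRestriction"] = widen_restriction(params.get("S3ObjectRestriction", "*"), objects)
    return updated


def check_patch_manager_ready(params, region):
    """List what still blocks Patch Manager; an empty list means the stack is ready."""
    buckets, objects = ssm_bucket_arns(region)
    problems = []
    if params.get("SystemsManagerAccess", "").strip().lower() != "true":
        problems.append("SystemsManagerAccess is not true")
    if SSM_POLICY_ARN not in append_csv(params.get("ManagedPolicyArns", ""), []).split(","):
        problems.append(f"ManagedPolicyArns lacks {SSM_POLICY_ARN}")
    for name, required in (("S3BucketRestriction", buckets), ("S3ObjectRestriction", objects)):
        value = params.get(name, "*")
        if value.strip() == "*":
            continue  # unrestricted: nothing to add
        present = {e.strip() for e in value.split(",")}
        problems.extend(f"{name} lacks {arn}" for arn in required if arn not in present)
    return problems


def patch_manager_s3_policy(region):
    """Customer managed IAM policy document for the second procedure (read-only access)."""
    buckets, objects = ssm_bucket_arns(region)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListPatchManagerBuckets", "Effect": "Allow",
             "Action": "s3:ListBucket", "Resource": buckets},
            {"Sid": "ReadPatchManagerObjects", "Effect": "Allow",
             "Action": "s3:GetObject", "Resource": objects},
        ],
    }


if __name__ == "__main__":
    # Constructed sample: a stack whose Scan Fleet is restricted to one customer bucket.
    current = {
        "SystemsManagerAccess": "false",
        "ManagedPolicyArns": "",
        "S3BucketRestriction": "arn:aws:s3:::my-scanned-bucket",
        "S3ObjectRestriction": "arn:aws:s3:::my-scanned-bucket/*",
    }
    print("before:", check_patch_manager_ready(current, "us-east-1"))
    fixed = prepare_parameters(current, "us-east-1")
    print("after: ", check_patch_manager_ready(fixed, "us-east-1"))
    print(json.dumps(patch_manager_s3_policy("us-east-1"), indent=2))
```

The point of `widen_restriction` keeping `*` untouched is the one a practitioner most often gets wrong: appending the SSM bucket ARNs to an unrestricted fleet would silently restrict scanning to only those buckets. Run `check_patch_manager_ready` against the parameters you are about to deploy before registering the maintenance window, and attach the generated policy document only to the Scan Fleet role, not to anything broader.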