Compliance · Medium severity

AWS Security Hub · SSM

SSM.2: Instances are missing security patches

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub SSM.2 check?

SSM.2 reads the Patch Manager compliance summary for each managed instance and fails any whose patch status is NON_COMPLIANT — meaning at least one patch the assigned baseline considers required is missing or failed to install.

Why does SSM.2 matter?

Missing security patches are the single most common root cause of fleet-wide compromise — Equifax was unpatched Struts, WannaCry was unpatched SMB, Log4Shell was unpatched Log4j. The control is also a regulatory line: PCI DSS requires critical patches within one month (req 6.2), and HIPAA, FedRAMP, and CMMC inherit the same expectation through NIST 800-53.

How do I fix SSM.2?

  1. Run AWS-RunPatchBaseline in Scan mode to see exactly which patches are missing.
  2. Apply the missing patches with a Patch Manager Install run, or fix any install failures.
  3. Re-run the baseline so Patch Manager reports the instance COMPLIANT again.
  4. Schedule a recurring patch window via a maintenance window or State Manager association.
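Steps 1 to 3 above as an added example in Python (not Emnode's script): it wraps the Scan, Install, re-Scan loop around the AWS-RunPatchBaseline document, reads describe-instance-patch-states to say why an instance is NON_COMPLIANT, and includes a constructed FakeSSM client so it runs offline. To run it for real, pass boto3.client("ssm") and a wait callback that polls the command to completion; the step 4 schedule (maintenance window or association) is not covered here.

```python
# Counters from describe-instance-patch-states that make an instance NON_COMPLIANT:
# Missing and Failed (the causes SSM.2 names) plus patches still waiting on a reboot.
NONCOMPLIANT_COUNTERS = ("MissingCount", "FailedCount", "InstalledPendingRebootCount")
PATCH_DOCUMENT = "AWS-RunPatchBaseline"

def patch_baseline_params(operation, reboot_option="RebootIfNeeded"):
    """Parameters map for SendCommand against AWS-RunPatchBaseline (Scan or Install)."""
    return {"Operation": [operation], "RebootOption": [reboot_option]}

def diagnose(states):
    """Instance id -> its non-zero counters; COMPLIANT instances are omitted."""
    report = {}
    for s in states:
        bad = {c: s[c] for c in NONCOMPLIANT_COUNTERS if s.get(c, 0) > 0}
        if bad:
            report[s["InstanceId"]] = bad
    return report

def run_patch_op(ssm, instance_ids, operation, wait):
    """Send the document, block until it finishes, return fresh patch states."""
    cmd = ssm.send_command(InstanceIds=instance_ids, DocumentName=PATCH_DOCUMENT,
                           Parameters=patch_baseline_params(operation))
    wait(cmd["Command"]["CommandId"])  # real code: poll list_command_invocations
    return ssm.describe_instance_patch_states(InstanceIds=instance_ids)["InstancePatchStates"]

def remediate(ssm, instance_ids, wait=lambda command_id: None):
    """Scan, Install only where needed, then Scan again so Patch Manager re-evaluates."""
    before = diagnose(run_patch_op(ssm, instance_ids, "Scan", wait))
    if before:
        run_patch_op(ssm, sorted(before), "Install", wait)
    after = diagnose(run_patch_op(ssm, instance_ids, "Scan", wait))
    return before, after

class FakeSSM:
    """Constructed stand-in for boto3.client("ssm"): i-aaa misses 3 patches, 1 fails to install."""
    def __init__(self):
        self.states = {"i-aaa": {"MissingCount": 3, "FailedCount": 0},
                       "i-bbb": {"MissingCount": 0, "FailedCount": 0}}
        self.commands = []  # (operation, instance ids) in the order sent
    def send_command(self, **kw):
        op = kw["Parameters"]["Operation"][0]
        self.commands.append((op, tuple(kw["InstanceIds"])))
        if op == "Install":  # simulate: two patches install, one fails
            for iid in kw["InstanceIds"]:
                self.states[iid].update(MissingCount=0, FailedCount=1)
        return {"Command": {"CommandId": f"cmd-{len(self.commands)}"}}
    def describe_instance_patch_states(self, **kw):
        return {"InstancePatchStates": [{"InstanceId": i, **self.states[i]}
                                        for i in kw["InstanceIds"]]}
```

The final diagnosis still lists i-aaa with FailedCount 1, which is exactly the "fix any install failures" branch of step 2: re-running Install alone will not clear that finding.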

Remediation script · bash

# Enable auto minor version upgrade on every RDS instance that has it disabled.
for id in $(aws rds describe-db-instances \
    --query 'DBInstances[?AutoMinorVersionUpgrade==`false`].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$id" \
    --auto-minor-version-upgrade --no-apply-immediately
done

# Move a deprecated Lambda function to a supported runtime.
aws lambda update-function-configuration --function-name auth-token-issuer \
  --runtime nodejs20.x

# Upgrade an out-of-support EKS control plane one minor version at a time (then catch up node groups).
aws eks update-cluster-version --name prod-payments --kubernetes-version 1.29

Full walkthrough (console steps, edge cases and verification) in the lesson Keep software and engines patched.

Is SSM.2 a false positive?

Applying patches doesn't clear the finding until the baseline re-evaluates the instance — you have to re-run the scan or wait for the next association cycle for the status to flip back to COMPLIANT.

Part of the learning path Build in resilience
  • SSM.1 Instances are not managed by Systems Manager, so no patching or audit
  • SSM.3 SSM associations are non-compliant
  • SSM.4 SSM documents can be shared publicly
  • SSM.6 SSM Automation runs are not logged
  • SSM.7 SSM documents can be shared publicly