Lambda job in Python to automatically patch EC2 instances when an inspector assessment generates a CVE finding
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
LICENSE
README.md
lambda-auto-remediate.py

README.md

AmazonInspectorAutoRemediation

This script is designed to run in AWS Lambda and will not work elsewhere.

This is an AWS Lambda job, written in Python, to automatically patch EC2 instances when an inspector assessment generates a CVE finding.

The job requires that the EC2 instance to be patched have the SSM (EC2 Simple System Manager) agent installed, and the agent must have a role attached with necessary SSM permissions. For details on this, see https://docs.aws.amazon.com/ssm/latest/APIReference/Welcome.html.

The job is triggered by an SNS notification of a new finding from Inspector. The job checks to make sure that the finding is a CVE missing patch finding, and if so, it checks to ensure tha the SSM agent is running. It then uses SSM to issue the appropriate patch-and-reboot commands to either Ubuntu or Amazon Linux.