Description
An issue came up on MAAP SMCE where our pgbouncer instances were using versions of Ubuntu images that had flagged CVE issues. The SMCE admins emailed our account manager, notifying us that our instances would be (essentially) torn down the next day if the issues weren't resolved.
Looking in the Security Hub, we tried to pinpoint the related CVEs but couldn't narrow it down. While searching for the pgbouncer-related issues, I saw that the SM2A ECR image was also listed - after our most recent account clean-up, it is the asset (service) with the most findings (found under "Assets with the most findings" on the Security Hub).
The main issue: Our instances just used the latest Ubuntu image, so redeploying the resources had no effect since there were no real code or infrastructure changes.
The question: Is there a way to easily update instances with known CVEs without deleting the resource and redeploying or triggering a code change? Systems Manager could help; there are several tools within the service that could be utilized to help with security on instances.
It looks like VEDA SMCE was at one point using Systems Manager / SSM Agent - is this still the case? I didn't see anything in the docs to configure this before the most recent deploy, but I see configured tooling in Systems Manager in VEDA SMCE.
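As an added example (not part of the original issue or the project's code), the following shows the Systems Manager route the question above points at: running the AWS-managed `AWS-RunPatchBaseline` document against instances selected by tag, first as a `Scan` and then as an `Install`, and reading back `MissingCount` from `describe_instance_patch_states` to confirm the OS packages carrying the flagged CVEs were actually updated, all without redeploying the resource. The tag key/value (`service=pgbouncer`), the instance IDs and the `_FakeSSM` client with its patch-state sample are constructed here so the script runs offline; with `boto3` installed and AWS credentials available, pass a real `boto3.client("ssm")` instead. Note the caveat this does not cover: patching only helps findings against the instance's OS packages; the ECR image findings mentioned above come from the container image layers and need the image rebuilt from a patched base, which Patch Manager will not do.

```python
"""Patch tagged EC2 instances via SSM Patch Manager and verify the result.

Added example, not the project's own code. boto3 is optional: the offline
demo uses a constructed fake client with the same method names/shapes.
"""
from typing import Any, Dict, List

try:
    import boto3  # only needed for the live path in main()
except ImportError:  # offline readers and the test harness may lack it
    boto3 = None

PATCH_DOCUMENT = "AWS-RunPatchBaseline"  # AWS-managed SSM document


def patch_command_request(tag_key: str, tag_value: str, operation: str,
                          reboot: str = "RebootIfNeeded") -> Dict[str, Any]:
    """Build the send_command request for AWS-RunPatchBaseline.

    operation: "Scan" reports missing patches only; "Install" applies the
    instance's patch baseline. reboot: "RebootIfNeeded" or "NoReboot".
    """
    if operation not in ("Scan", "Install"):
        raise ValueError("operation must be Scan or Install")
    if reboot not in ("RebootIfNeeded", "NoReboot"):
        raise ValueError("reboot must be RebootIfNeeded or NoReboot")
    return {
        "DocumentName": PATCH_DOCUMENT,
        # Target by tag so new/replaced instances are covered automatically.
        "Targets": [{"Key": f"tag:{tag_key}", "Values": [tag_value]}],
        "Parameters": {"Operation": [operation], "RebootOption": [reboot]},
        "Comment": f"{operation} OS patches on {tag_key}={tag_value}",
    }


def run_patch_operation(ssm, tag_key: str, tag_value: str, operation: str) -> str:
    """Send the patch command and return the SSM CommandId for tracking."""
    resp = ssm.send_command(**patch_command_request(tag_key, tag_value, operation))
    return resp["Command"]["CommandId"]


def missing_patch_counts(ssm, instance_ids: List[str]) -> Dict[str, int]:
    """Map each instance ID to its MissingCount from Patch Manager state."""
    resp = ssm.describe_instance_patch_states(InstanceIds=instance_ids)
    return {s["InstanceId"]: int(s.get("MissingCount", 0))
            for s in resp["InstancePatchStates"]}


def still_unpatched(ssm, instance_ids: List[str]) -> List[str]:
    """Instances that still report missing baseline patches after Install."""
    counts = missing_patch_counts(ssm, instance_ids)
    return sorted(i for i, n in counts.items() if n > 0)


class _FakeSSM:
    """Constructed stand-in for boto3's SSM client (offline demo only)."""

    def __init__(self):
        self.sent: List[Dict[str, Any]] = []
        # Constructed patch states: i-aaa is clean after Install, i-bbb is not.
        self._states = [
            {"InstanceId": "i-0aaaaaaaaaaaaaaaa", "MissingCount": 0, "InstalledCount": 42},
            {"InstanceId": "i-0bbbbbbbbbbbbbbbb", "MissingCount": 3, "InstalledCount": 39},
        ]

    def send_command(self, **request):
        self.sent.append(request)
        return {"Command": {"CommandId": f"cmd-{len(self.sent):04d}"}}

    def describe_instance_patch_states(self, InstanceIds):
        return {"InstancePatchStates": [s for s in self._states
                                        if s["InstanceId"] in InstanceIds]}


def demo() -> Dict[str, Any]:
    """Scan, then Install, then verify; runs fully offline on the fake client."""
    ssm = _FakeSSM()
    ids = ["i-0aaaaaaaaaaaaaaaa", "i-0bbbbbbbbbbbbbbbb"]
    scan_id = run_patch_operation(ssm, "service", "pgbouncer", "Scan")
    install_id = run_patch_operation(ssm, "service", "pgbouncer", "Install")
    return {
        "scan_id": scan_id,
        "install_id": install_id,
        "operations": [r["Parameters"]["Operation"][0] for r in ssm.sent],
        "unpatched": still_unpatched(ssm, ids),
    }


if __name__ == "__main__":
    if boto3 is None:
        print(demo())  # offline path
    else:
        client = boto3.client("ssm")
        print("Install CommandId:", run_patch_operation(client, "service", "pgbouncer", "Install"))
```

The `Scan` run is worth doing first: its `MissingCount` shows which instances the CVE findings actually map to before anything is rebooted, and a non-empty `still_unpatched` list after `Install` is the signal that a package is held back or the baseline excludes it, rather than a sign that the redeploy "didn't work".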