The Challenge

A leading custom home building company based in the southeast has recently been acquired by a national company. Part of integrating into
the larger company came with new security compliance requirements. As such, the homebuilder requires a solution to ensure their security posture by maintaining operating systems patching remains up to date. Their ongoing security excellence and continued autonomy hinges on their ability to maintain their patching compliance.

The home builders user base consists primarily of field agents and remote workers that leverage a series of remote desktop servers. These servers, along with an assortment of infrastructure servers, all required a method of ensuring that patching was properly carried out. Additionally, there were extra servers, with specific, critical purposes, that would need to be excluded when necessary.

To complicate matters further, the remote desktop servers were often provisioned and deprovisioned as capacity required. The final issue was that the home builder does not have a robust cloud infrastructure team. Therefore, whatever solution provided would need to be easily managed and automated. 

The Solution

Reaching out to the Blue Sentry Cloud’s Managed Services team, the company asked how they could ensure patch compliance in an automated and reliable fashion without imposing large maintenance requirements on their already overworked staff. 

Blue Sentry’s Managed Services team in association with in-house AWS Enterprise Architects, designed and proposed a solution leveraging AWS Lambda. The lambda code would be written to query EC2 tags and determine a patching option. The tags would allow the instances to be separated into groups. Additionally, a boolean tag, set to either true or false, would determine if the instance would be patched. Finally, the solution would leverage the Simple Notification Service to generate an email to the Blue Sentry Managed Services team’s ticketing system with the patched instances for logging and auditing purposes. 

To ensure continued compliance with the company’s new security standards, the lambda code would also query all EC2 instances with the group tagging, to ensure that the boolean tag was present. The lambda would generate a list of all instances without the boolean set, identifying those instances by name and instance ids, and then leverage the Simple Notification Service once more to send an incident opening email to the Blue Sentry Managed Services team’s ticketing system with those identified instance names and ids so they could be properly tagged. 

The Benefit

Since the implementation of the solution, the home builder has been able to continue being focused on the bigger picture of their business by not having to worry about their security posture and the new corporate requirements. Their patching compliance has increased to over 97% of all EC2 instances. Furthermore, the tagging has allowed a more predictable schedule of when certain instances will be patched, allowing for more consistent delivery of remote desktop services and other services, such as active directory, file sharing, and accounting management.