It is recommended to use a vulnerability management service such as Amazon Inspector to identify vulnerabilities and deviations from the CIS OS hardening best practices on your instances.
Amazon Inspector delivers continuous vulnerability management, using the same AWS Systems Manager Agent (SSM Agent) that is already installed on the instances.
You can use AWS Systems Manager Patch Manager to patch vulnerable instances, or the patch management software of your choice.
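As an added example (not from the original text or from AWS), the following Python turns Inspector findings into a patching worklist and the Run Command parameters for the AWS-managed AWS-RunPatchBaseline document. The findings sample is constructed, and the field names (status, severity, fixAvailable, packageVulnerabilityDetails, resources) are assumed to follow the shape of `aws inspector2 list-findings` output; instance ids, account id and CVE ids are placeholders.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `aws inspector2 list-findings` output.
# Field names are assumed from the Inspector2 API; every value is made up.
SAMPLE_FINDINGS = json.loads("""
{"findings": [
 {"findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/aaa", "status": "ACTIVE",
  "severity": "CRITICAL", "fixAvailable": "YES", "packageVulnerabilityDetails":
  {"vulnerabilityId": "CVE-EXAMPLE-0001"}, "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0123456789abcdef0"}]},
 {"findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/bbb", "status": "ACTIVE",
  "severity": "HIGH", "fixAvailable": "NO", "packageVulnerabilityDetails":
  {"vulnerabilityId": "CVE-EXAMPLE-0002"}, "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0123456789abcdef0"}]},
 {"findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/ccc", "status": "SUPPRESSED",
  "severity": "CRITICAL", "fixAvailable": "YES", "packageVulnerabilityDetails":
  {"vulnerabilityId": "CVE-EXAMPLE-0003"}, "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0fedcba9876543210"}]},
 {"findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/ddd", "status": "ACTIVE",
  "severity": "MEDIUM", "fixAvailable": "YES", "packageVulnerabilityDetails":
  {"vulnerabilityId": "CVE-EXAMPLE-0004"}, "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0fedcba9876543210"}]}
]}
""")

SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def patch_worklist(findings, min_severity="HIGH"):
    """Map EC2 instance id -> sorted CVE ids that are ACTIVE (not suppressed or closed),
    at or above min_severity, and for which a fixed package already exists (fixAvailable == YES),
    so that a Patch Manager run can actually remediate them."""
    worklist = defaultdict(set)
    for f in findings["findings"]:
        if f.get("status") != "ACTIVE" or f.get("fixAvailable") != "YES":
            continue
        if SEVERITY_RANK.get(f.get("severity"), -1) < SEVERITY_RANK[min_severity]:
            continue
        cve = f.get("packageVulnerabilityDetails", {}).get("vulnerabilityId")
        for r in f.get("resources", []):
            if cve and r.get("type") == "AWS_EC2_INSTANCE":
                worklist[r["id"]].add(cve)
    return {inst: sorted(cves) for inst, cves in worklist.items()}

def run_patch_baseline_params(worklist):
    """Build the SendCommand arguments that would install the instance's approved patches
    via the AWS-managed AWS-RunPatchBaseline document (pass to boto3 ssm.send_command(**params))."""
    return {"DocumentName": "AWS-RunPatchBaseline", "InstanceIds": sorted(worklist),
            "Parameters": {"Operation": ["Install"], "RebootOption": ["RebootIfNeeded"]}}

if __name__ == "__main__":
    print(json.dumps(run_patch_baseline_params(patch_worklist(SAMPLE_FINDINGS)), indent=2))
```

Lowering `min_severity` widens the worklist; suppressed findings and findings without an available fix are always left out, since patching would not change them.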
Numerous partner solutions are also available on the AWS Marketplace:
https://www.xmind.net/m/22EXUr/