It’s recommended to use vulnerability management services such as Amazon Inspector to identify infrastructure vulnerabilities and deviations from the CIS OS hardening best practices on your instances.
Amazon Inspector delivers continuous vulnerability management, leveraging the same AWS Systems Manager Agent (SSM Agent).
Scanning cloud resources with network sweeps, as you would on-premises, is challenging in the cloud: short-lived resources disappear quickly, and the network segmentation that multi-account and multi-VPC setups provide gets in the way of sweeps, so an agent-based scan is preferred.
Inspector also supports agentless scans of EBS volumes (hybrid scan), which is useful for virtual appliances or other instances where you can't install the SSM Agent, but the agent-based scan is preferred as it provides more near-real-time information.
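To see where the agent-based coverage described above actually applies, it helps to read Inspector's coverage data rather than assume every instance is scanned. The following is an added example (not from the original post): it walks a `list-coverage` response and reports EC2 instances that have fallen back to agentless scanning or that the SSM Agent is not reporting for. It assumes the field names of the Inspector2 ListCoverage API (`coveredResources[].resourceType`, `scanStatus`, `scanMode`, `resourceMetadata.ec2.tags`); the sample response embedded below is constructed.

```python
"""Report EC2 instances that are not getting an agent-based Inspector scan."""
import json
from collections import Counter

# Constructed sample in the shape of `aws inspector2 list-coverage --output json`.
SAMPLE_COVERAGE = json.dumps({"coveredResources": [
    {"resourceId": "i-0aaa", "resourceType": "AWS_EC2_INSTANCE", "scanMode": "EC2_SSM_AGENT_BASED",
     "scanStatus": {"statusCode": "ACTIVE", "reason": "SUCCESSFUL"},
     "resourceMetadata": {"ec2": {"tags": {"Name": "web-1"}}}},
    {"resourceId": "i-0bbb", "resourceType": "AWS_EC2_INSTANCE", "scanMode": "EC2_AGENTLESS",
     "scanStatus": {"statusCode": "ACTIVE", "reason": "SUCCESSFUL"},
     "resourceMetadata": {"ec2": {"tags": {"Name": "appliance-fw"}}}},
    {"resourceId": "i-0ccc", "resourceType": "AWS_EC2_INSTANCE", "scanMode": "EC2_SSM_AGENT_BASED",
     "scanStatus": {"statusCode": "INACTIVE", "reason": "UNMANAGED_EC2_INSTANCE"},
     "resourceMetadata": {"ec2": {"tags": {"Name": "legacy-db"}}}},
    {"resourceId": "i-0ddd", "resourceType": "AWS_EC2_INSTANCE", "scanMode": "EC2_SSM_AGENT_BASED",
     "scanStatus": {"statusCode": "INACTIVE", "reason": "STALE_INVENTORY"},
     "resourceMetadata": {"ec2": {"tags": {}}}},
    {"resourceId": "012345678901.dkr.ecr.us-east-1.amazonaws.com/app",
     "resourceType": "AWS_ECR_REPOSITORY",
     "scanStatus": {"statusCode": "ACTIVE", "reason": "SUCCESSFUL"}},
]})

# Reasons that mean the SSM Agent is not reporting inventory for the instance,
# so it is not getting the near-real-time, agent-based scan.
AGENT_GAP_REASONS = {"UNMANAGED_EC2_INSTANCE", "NO_INVENTORY", "STALE_INVENTORY"}


def coverage_gaps(raw_json):
    """Return (Counter of (scanMode, reason), list of gap dicts) for EC2 instances."""
    summary = Counter()
    gaps = []
    for res in json.loads(raw_json).get("coveredResources", []):
        if res.get("resourceType") != "AWS_EC2_INSTANCE":
            continue  # ECR images, Lambda functions etc. are out of scope here
        reason = res.get("scanStatus", {}).get("reason", "UNKNOWN")
        mode = res.get("scanMode", "UNKNOWN")
        summary[(mode, reason)] += 1
        tags = res.get("resourceMetadata", {}).get("ec2", {}).get("tags", {})
        name = tags.get("Name", "<untagged>")
        if reason in AGENT_GAP_REASONS:
            gaps.append({"id": res["resourceId"], "name": name, "reason": reason, "mode": mode})
        elif mode == "EC2_AGENTLESS":  # covered, but only by the EBS snapshot scan
            gaps.append({"id": res["resourceId"], "name": name, "reason": "AGENTLESS_ONLY", "mode": mode})
    return summary, gaps


if __name__ == "__main__":
    summary, gaps = coverage_gaps(SAMPLE_COVERAGE)
    for (mode, reason), n in sorted(summary.items()):
        print(f"{n:3d}  {mode:22s} {reason}")
    for g in gaps:
        print(f"GAP {g['id']:12s} {g['name']:14s} {g['reason']} ({g['mode']})")
```

Against a real account, save `aws inspector2 list-coverage --output json` to a file and pass its contents to `coverage_gaps`; the `UNMANAGED_EC2_INSTANCE` and `STALE_INVENTORY` entries are the instances to fix the SSM Agent on first.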
You can use AWS Systems Manager Patch Manager, or the patch management software of your choice, to patch vulnerable instances, and it's free to patch AWS cloud resources.
There are also numerous solutions provided by our partners available on the AWS Marketplace:
https://www.xmind.net/m/22EXUr/