Investigate EC2 instances that are out of patch compliance, verify whether they are manageable through AWS Systems Manager, and identify likely causes of patching failures. This plan produces a prioritized remediation summary with root-cause classification, patch baseline mapping, Systems Manager manageability findings, and AWS-derived technical priority.
List non-compliant EC2 patch targets
Inventories EC2 instances reported as patch non-compliant and captures severity, missing patch counts, scan timestamps, account, Region, platform, and compliance data freshness.
Confirm Systems Manager manageability status
Verifies whether each instance is registered and reachable as a Systems Manager managed node, including the SSM Agent version, the last ping (heartbeat) time, and the ping status (Online, ConnectionLost, or Inactive).
Collect instance context and priority signals
Gathers instance metadata, tags, network exposure, IAM profile, grouping context, and technical priority clues from AWS records.
Map patch baselines and associations
Determines patch baseline, patch group, maintenance window, and Systems Manager association context for each non-compliant instance.
Confirm current compliance findings per instance
Re-checks current compliance and patch state records to determine whether findings are active, stale, changed, or inconclusive.
Review patch history and command results
Reviews Systems Manager patch operations, Run Command history, and maintenance window executions to understand whether patching failed, was skipped, or never ran.
Identify manageability and update blockers
Classifies evidence of Systems Manager reachability issues, agent problems, targeting gaps, baseline issues, pending reboot state, or operating-system patch failures.
Classify root cause and remediation path
Assigns a root-cause category and recommended AWS remediation path for each affected instance.
Rank instances by technical priority
Prioritizes instances using AWS-derived signals such as production tags, internet exposure, critical patch severity, failed patch counts, and duration of non-compliance.
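The analysis steps of this plan (manageability check, baseline and patch-group mapping, root-cause classification, remediation path, and ranking) carried out over constructed records, as an added example rather than code from this plan or from any AWS tool. The three record lists mirror the boto3 response shapes of ec2.describe_instances, ssm.describe_instance_patch_states and ssm.describe_instance_information; the sample values, the category names, the remediation text, the scoring weights, the 7-day staleness threshold and the load_from_aws helper are this example's own assumptions.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the sample is deterministic
STALE_AFTER_DAYS = 7                              # assumption: a scan older than this is stale evidence
PROD_TAG_VALUES = {"prod", "production"}          # assumption: how the Environment tag marks production

# Constructed sample: ec2.describe_instances() -> Reservations[].Instances[]
INSTANCES = [
    {"InstanceId": "i-0aaa", "PublicIpAddress": "203.0.113.10", "Tags": [{"Key": "Environment", "Value": "prod"}]},
    {"InstanceId": "i-0bbb", "Tags": [{"Key": "Environment", "Value": "prod"}]},
    {"InstanceId": "i-0ccc", "PublicIpAddress": "203.0.113.11", "Tags": [{"Key": "Environment", "Value": "dev"}]},
    {"InstanceId": "i-0ddd", "Tags": [{"Key": "Environment", "Value": "production"}]},
    {"InstanceId": "i-0eee", "Tags": [{"Key": "Environment", "Value": "dev"}]},
]
# Constructed sample: ssm.describe_instance_information() -> InstanceInformationList[]; i-0ddd is absent on purpose
SSM_INFO = [
    {"InstanceId": "i-0aaa", "PingStatus": "Online", "LastPingDateTime": NOW},
    {"InstanceId": "i-0bbb", "PingStatus": "Online", "LastPingDateTime": NOW},
    {"InstanceId": "i-0ccc", "PingStatus": "Online", "LastPingDateTime": NOW},
    {"InstanceId": "i-0eee", "PingStatus": "ConnectionLost", "LastPingDateTime": NOW - timedelta(days=4)},
]

def _state(iid, op, age_days, missing, failed, reboot, critical, group="prod-linux", baseline="pb-0111"):
    # One constructed ssm.describe_instance_patch_states() -> InstancePatchStates[] record
    return {"InstanceId": iid, "Operation": op, "OperationEndTime": NOW - timedelta(days=age_days),
            "MissingCount": missing, "FailedCount": failed, "InstalledPendingRebootCount": reboot,
            "CriticalNonCompliantCount": critical, "PatchGroup": group, "BaselineId": baseline}

PATCH_STATES = [
    _state("i-0aaa", "Install", 1, missing=3, failed=3, reboot=0, critical=2),
    _state("i-0bbb", "Install", 2, missing=0, failed=0, reboot=4, critical=0),
    _state("i-0ccc", "Scan", 20, missing=12, failed=0, reboot=0, critical=5, group="dev", baseline="pb-0222"),
    _state("i-0ddd", "Install", 40, missing=8, failed=0, reboot=0, critical=3),
    _state("i-0eee", "Install", 3, missing=2, failed=0, reboot=0, critical=1, group="dev", baseline="pb-0222"),
]

REMEDIATION = {  # assumed category -> AWS remediation path
    "not_managed_by_ssm": "install SSM Agent, attach an instance profile with AmazonSSMManagedInstanceCore, confirm SSM endpoint reachability",
    "agent_unreachable": "check the SSM Agent service, instance profile and VPC endpoint/NAT path, then re-run AWS-RunPatchBaseline Scan",
    "no_patch_operation": "no scan or install ever ran: add the instance to a patch group/maintenance window or run AWS-RunPatchBaseline",
    "install_failed": "read the AWS-RunPatchBaseline command output, fix the OS package manager/repository problem, re-run Install",
    "pending_reboot": "schedule a reboot (RebootOption=RebootIfNeeded) and re-run Scan",
    "scan_only_no_install": "instance is only scanned: target it with an Install association or maintenance window task",
    "inconclusive": "re-run AWS-RunPatchBaseline Scan and review the compliance items",
}

def classify(patch_state, ssm_info):
    """Root-cause category, checked in the order a responder would: manageability first, then patch state."""
    if ssm_info is None:
        return "not_managed_by_ssm"
    if ssm_info.get("PingStatus") != "Online":
        return "agent_unreachable"
    if patch_state is None:
        return "no_patch_operation"
    if patch_state.get("FailedCount", 0) > 0:
        return "install_failed"
    if patch_state.get("MissingCount", 0) == 0 and patch_state.get("InstalledPendingRebootCount", 0) > 0:
        return "pending_reboot"
    if patch_state.get("Operation") == "Scan" and patch_state.get("MissingCount", 0) > 0:
        return "scan_only_no_install"
    return "inconclusive"

def priority_score(instance, patch_state, now=NOW):
    """Assumed weights: prod tag 40, public IP 30, 5 per critical patch, 2 per failed patch, 1 per day since
    the last patch operation (capped at 30) as a proxy for how long the instance has been non-compliant."""
    tags = {t["Key"]: t["Value"] for t in instance.get("Tags", [])}
    score = 40 if tags.get("Environment", "").lower() in PROD_TAG_VALUES else 0
    score += 30 if instance.get("PublicIpAddress") else 0
    if patch_state:
        score += 5 * patch_state.get("CriticalNonCompliantCount", 0) + 2 * patch_state.get("FailedCount", 0)
        score += min((now - patch_state["OperationEndTime"]).days, 30)
    return score

def build_report(instances, patch_states, ssm_infos, now=NOW):
    """Join the three record sets per instance; rows come back sorted by descending priority."""
    states = {p["InstanceId"]: p for p in patch_states}
    infos = {s["InstanceId"]: s for s in ssm_infos}
    rows = []
    for inst in instances:
        iid = inst["InstanceId"]
        p = states.get(iid)
        cause = classify(p, infos.get(iid))
        rows.append({"InstanceId": iid, "RootCause": cause, "Remediation": REMEDIATION[cause],
                     "BaselineId": p["BaselineId"] if p else None, "PatchGroup": p["PatchGroup"] if p else None,
                     "EvidenceStale": p is None or (now - p["OperationEndTime"]).days > STALE_AFTER_DAYS,
                     "Priority": priority_score(inst, p, now)})
    return sorted(rows, key=lambda r: r["Priority"], reverse=True)

def load_from_aws(instance_ids, region_name):
    """Live fetch of the same three record sets; boto3 is imported here so the sample above runs offline."""
    import boto3
    ec2, ssm = boto3.client("ec2", region_name=region_name), boto3.client("ssm", region_name=region_name)
    instances, states, infos = [], [], []
    for i in range(0, len(instance_ids), 40):  # stay under the per-call InstanceIds limits of the SSM APIs
        batch = instance_ids[i:i + 40]
        instances += [x for r in ec2.describe_instances(InstanceIds=batch)["Reservations"] for x in r["Instances"]]
        for page in ssm.get_paginator("describe_instance_patch_states").paginate(InstanceIds=batch):
            states.extend(page["InstancePatchStates"])
        for page in ssm.get_paginator("describe_instance_information").paginate(
                Filters=[{"Key": "InstanceIds", "Values": batch}]):
            infos.extend(page["InstanceInformationList"])
    return instances, states, infos
```

Running build_report over the constructed sample ranks the production, internet-facing instance with a failed install first and the unmanaged production instance second, ahead of the internet-facing dev instance that has only ever been scanned. Two caveats for live use: the age of the last patch operation is only a proxy for duration of non-compliance, which properly needs the compliance-item execution history, and a stale record (EvidenceStale is True) should be re-scanned before its root cause is acted on, since the instance may already have been patched or reimaged.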