Ensure compute instances use supported operating system versions

Compute workloads depend on the operating system lifecycle just as much as they depend on cloud service lifecycle dates. When a VM image or installed OS release reaches end of standard support, end of maintenance, or end of life, the workload may stop receiving security patches and can become incompatible with cloud agents, backup tools, EDR sensors, package repositories, and compliance baselines.

Category

Controls

Medium

Applies to

Alibaba Cloud, AWS, Google Cloud, Kubernetes, Microsoft Azure

Coverage

2 queries

Asset types

2 covered

Overview

This control tracks VM and compute instance OS versions that are already unsupported or have a known lifecycle deadline. It uses provider image metadata and Cyscale's OS-outdated signal where available, then attaches the matched OS lifecycle context to each failed asset.

Remediation guidance

Remediation

Upgrade or replace the affected compute instance with an image whose operating system is still in standard support or covered by an approved extended security maintenance program.

Recommended rollout

  1. Identify the OS lifecycle context on each failed asset and group assets by OS family and version.
  2. Confirm whether the workload is covered by an extended security maintenance subscription such as Ubuntu Pro/ESM, Red Hat ELS, Windows Server ESU, or an equivalent provider program.
  3. Prefer migration to a current OS image over relying on extended support indefinitely.
  4. Rebuild immutable images, launch templates, scale sets, managed instance groups, and IaC modules so new compute instances do not reintroduce unsupported OS versions.
  5. For stateful servers, create backups and test application compatibility before in-place upgrades or replacement.
  6. Re-run assessment and track exceptions with owner, business reason, and expiry date.

Provider guidance

  • AWS: migrate Amazon Linux 2 instances to Amazon Linux 2023 before the Amazon Linux 2 end-of-support date, and replace old AMIs in launch templates and Auto Scaling groups.
  • Azure: update VM image references, VM scale set models, and Azure Compute Gallery images to supported OS releases.
  • Google Cloud: replace deprecated public images and custom images with supported image families.
  • Alibaba Cloud: migrate ECS instances created from unsupported public or custom images to a supported OS release.

References

  • https://ubuntu.com/security/esm
  • https://www.centos.org/centos-linux/
  • https://access.redhat.com/articles/7005471
  • https://www.debian.org/News/2024/20240615
  • https://aws.amazon.com/amazon-linux-2/faqs/
  • https://learn.microsoft.com/en-us/lifecycle/announcements/windows-server-2012-r2-end-of-support
  • https://learn.microsoft.com/en-us/lifecycle/products/windows-server-2016

Service-wide remediation

Use approved golden images, image pipelines, cloud image catalogs, IaC policy checks, and CI/CD guardrails to prevent unsupported OS versions from being deployed. Treat OS lifecycle deadlines as part of vulnerability and asset lifecycle management.

Query logic

These are the stored checks tied to this control.

Compute assets with unsupported operating system versions

Connectors

Alibaba Cloud, AWS, Google Cloud, Microsoft Azure

Covered asset types

VM

Expected check: eq []

{
  vms(
    where: {
      OR: [
        { cyscaleOSIsOutdated: { eq: true } }
        { imageName_MATCHES: "(?i).*(ubuntu.*(18[._-]?04|20[._-]?04|bionic|focal)|centos.*7|rhel.*7|red hat.*7|debian.*10|buster|amazon linux 2|amzn2|amazon linux ami|windows.*server.*2012|windows.*server.*2016).*" }
        { osImage_MATCHES: "(?i).*(ubuntu.*(18[._-]?04|20[._-]?04|bionic|focal)|centos.*7|rhel.*7|red hat.*7|debian.*10|buster|windows.*server.*2012|windows.*server.*2016).*" }
        { osNameEn_MATCHES: "(?i).*(ubuntu.*(18[._-]?04|20[._-]?04|bionic|focal)|centos.*7|rhel.*7|red hat.*7|debian.*10|buster|amazon linux 2|windows.*server.*2012|windows.*server.*2016).*" }
        { storageProfileImageReferenceSku_MATCHES: "(?i).*(18[_-]?04|20[_-]?04|2012|2016).*" }
      ]
    }
  ) {
    ...AssetFragment
    cyscaleOSIsOutdated
    osType
    imageName
    platformName
    platformVersion
    osImage
    osName
    osNameEn
    osVersion
    imageId
    storageProfileImageReferencePublisher
    storageProfileImageReferenceOffer
    storageProfileImageReferenceSku
    storageProfileImageReferenceVersion
    storageProfileImageReferenceExactVersion
  }
}

Kubernetes nodes with unsupported operating system versions

Connectors

Kubernetes

Covered asset types

Node

Expected check: eq []

{
  kubernetesNodes(
    where: {
      osImage_MATCHES: "(?i).*(ubuntu.*(18[._-]?04|20[._-]?04|bionic|focal)|centos.*7|rhel.*7|red hat.*7|debian.*10|buster|windows.*server.*2012|windows.*server.*2016).*"
    }
  ) {
    ...AssetFragment
    osImage
    kernelVersion
    containerRuntimeVersion
  }
}
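
Added example (not Cyscale's code): the osImage pattern shared by the two stored checks above, run in Python over constructed image names. It shows that `centos.*7` and `debian.*10` can be satisfied by digits in an image build stamp, so such hits are worth a second look before scheduling remediation. The build-stamp format and the `triage` / `triage_inventory` helper names are assumptions.

```python
import re
from collections import defaultdict

# Pattern copied verbatim from the osImage_MATCHES clause of the stored checks above.
PAGE_PATTERN = re.compile(
    r"(?i).*(ubuntu.*(18[._-]?04|20[._-]?04|bionic|focal)|centos.*7|rhel.*7"
    r"|red hat.*7|debian.*10|buster|windows.*server.*2012|windows.*server.*2016).*"
)

# Assumption: image build stamps look like "-v20241015" or "-20241015.1".
BUILD_STAMP = re.compile(r"[-_. ]v?\d{8}(\.\d+)?\b")


def triage(os_image: str) -> str:
    """Classify one image string: 'not flagged', 'flagged', or 'review'."""
    if not PAGE_PATTERN.fullmatch(os_image):
        return "not flagged"
    # Re-test with the build stamp removed: ".*7" and ".*10" can be satisfied
    # by digits in the stamp rather than by the OS release number.
    without_stamp = BUILD_STAMP.sub("", os_image)
    return "flagged" if PAGE_PATTERN.fullmatch(without_stamp) else "review"


def triage_inventory(images):
    """Group image strings by triage result."""
    groups = defaultdict(list)
    for image in images:
        groups[triage(image)].append(image)
    return dict(groups)


# Constructed sample values, not taken from any real account.
SAMPLE_IMAGES = [
    "ubuntu-2004-focal-v20240830",
    "Ubuntu 18.04.6 LTS",
    "centos-7-v20240611",
    "Windows Server 2016 Datacenter",
    "centos-stream-9-v20240717",     # release 9, but the stamp contains a 7
    "debian-12-bookworm-v20241015",  # release 12, but the stamp contains "10"
    "Ubuntu 22.04.4 LTS",
]

if __name__ == "__main__":
    for result, names in triage_inventory(SAMPLE_IMAGES).items():
        print(f"{result}: {names}")
```

Assets in the "review" group matched only through the build stamp; confirm their release against osVersion or the provider's image metadata before treating them as unsupported.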