
S2. Rebuild often to make patching unnecessary

Applications and operating systems that are not fully managed by the cloud provider must be kept current to address known or potential security vulnerabilities. Because individual running resource instances in the public cloud should be immutable, service owners should not patch resources in place; instead they should build new, updated resource instances and use them to replace the outdated ones.

This is a two-step process:

  1. The act of rebuilding the non-managed resource must happen on a regular basis, and
  2. The orchestration/deployment work must happen on a regular basis and in a manner that minimizes downtime and risk of error.

As described elsewhere in this document, CI/CD is an enabling technology that makes regular deployments possible, and integrates them with the build process. Release points should be sufficiently frequent to ensure that all components are kept up to date.
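The two steps above, rebuilding on a cadence and rolling the rebuilt instances out without losing capacity, as an added example (not code from this standard): `stale_instances` flags anything running an older image than the latest build or an image older than the rebuild cadence, and `rolling_replace` launches each replacement, health-checks it, and only then retires the old instance. `FakeProvider`, the image names and the fleet are constructed stand-ins for a real cloud API.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Instance:
    id: str
    image: str       # image the instance was built from; never patched in place
    built: datetime  # build time of that image
@dataclass
class FakeProvider:
    """Hypothetical in-memory stand-in for a cloud API; images listed in
    bad_images fail their health check."""
    fleet: dict = field(default_factory=dict)
    bad_images: set = field(default_factory=set)
    launched: int = 0
    def launch(self, image, built):
        self.launched += 1
        inst = Instance(f"i-new{self.launched}", image, built)
        self.fleet[inst.id] = inst
        return inst
    def is_healthy(self, inst_id):
        return self.fleet[inst_id].image not in self.bad_images
    def terminate(self, inst_id):
        del self.fleet[inst_id]

def stale_instances(fleet, latest_image, max_age, now):
    """Rebuild is due if the image is not the latest build or is older than max_age."""
    return [i for i in fleet.values()
            if i.image != latest_image or now - i.built > max_age]

def rolling_replace(provider, stale, latest_image, latest_built):
    """Launch, health-check, then retire the old instance so capacity never drops.
    An unhealthy replacement is removed and the rollout stops; the old one keeps serving."""
    replaced = []
    for old in stale:
        new = provider.launch(latest_image, latest_built)
        if not provider.is_healthy(new.id):
            provider.terminate(new.id)
            return replaced, old.id
        provider.terminate(old.id)
        replaced.append((old.id, new.id))
    return replaced, None

def run_demo(bad_build=False):
    """Constructed fleet: two instances on a 40/35-day-old image, one current."""
    now = datetime(2024, 7, 1, tzinfo=timezone.utc)
    latest, built = "img-2024-06", now - timedelta(days=3)
    p = FakeProvider(bad_images={latest} if bad_build else set())
    for n, (img, age) in enumerate([("img-2024-05", 40), ("img-2024-05", 35), (latest, 3)]):
        p.fleet[f"i-old{n}"] = Instance(f"i-old{n}", img, now - timedelta(days=age))
    stale = stale_instances(p.fleet, latest, timedelta(days=30), now)
    replaced, failed = rolling_replace(p, stale, latest, built)
    return len(replaced), failed, sorted(i.image for i in p.fleet.values())
```

With a healthy build `run_demo()` replaces the two stale instances and leaves the whole fleet on the latest image; with `bad_build=True` the first replacement fails its check, nothing old is retired, and the rollout reports which instance it stopped at.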