
Rule: EC2 instances should be managed by AWS Systems Manager

Ensure AWS Systems Manager is used for managing EC2 instances

Rule: EC2 instances should be managed by AWS Systems Manager
Framework: AWS Foundational Security Best Practices
Severity: Medium

Rule Description:

The rule states that EC2 instances should be managed by AWS Systems Manager to ensure compliance with AWS Foundational Security Best Practices. AWS Systems Manager provides a centralized, unified way to automate operational tasks such as patch management, configuration management, and instance inventory in a secure and controlled manner.

By using AWS Systems Manager to manage EC2 instances, organizations can maintain better control over their infrastructure, ensure compliance with security policies, and respond quickly to security incidents or vulnerabilities.

Troubleshooting Steps:

If EC2 instances are not managed by AWS Systems Manager, follow these troubleshooting steps:

  1. Verify that Systems Manager Agent (SSM Agent) is installed:

    • Connect to the EC2 instance using SSH.
    • Run the command: sudo systemctl status amazon-ssm-agent
    • If the agent is not installed, follow the official AWS documentation to install it.

  2. Check Systems Manager association status:

    • Open the AWS Management Console and go to the Systems Manager service.
    • Navigate to "Run Command" -> "Managed Instances".
    • Verify that the EC2 instances in question are listed and report a status.

  3. Verify IAM permissions:

    • Check that the IAM role associated with the EC2 instance has the permissions needed to use Systems Manager.
    • Ensure the role has the required policies attached, such as "AmazonSSMManagedInstanceCore" and "AmazonEC2RoleforSSM".

  4. Update Systems Manager preferences:

    • Check that the EC2 instances have the necessary Systems Manager preferences correctly configured.
    • Verify that Systems Manager preferences, such as patch management, automation documents, and compliance baselines, are set up according to your organization's requirements.

  5. Connectivity and networking checks:

    • Ensure that the EC2 instances have outbound access to the AWS endpoints that Systems Manager requires.
    • Check whether security groups, NACLs, or other network configuration are blocking connectivity to the Systems Manager endpoints.
    • If so, adjust the network configuration to allow the necessary traffic to AWS Systems Manager.

Necessary Codes:

No code is required for this rule itself. However, the following shell and AWS CLI commands are useful for troubleshooting and managing Systems Manager:

  • To install the SSM Agent:

    sudo yum install -y amazon-ssm-agent
    (for Amazon Linux 2)
    sudo snap install amazon-ssm-agent --classic
    (for Ubuntu Server, where AWS distributes the agent as a snap rather than through apt)

  • To check the status of the SSM Agent:

    sudo systemctl status amazon-ssm-agent
    (for a snap installation on Ubuntu the unit is named snap.amazon-ssm-agent.amazon-ssm-agent.service)

  • To list managed instances:

    aws ssm describe-instance-information

  • To attach the required policies to the IAM role (replace [role_name] with the role attached to the instance profile):

    aws iam attach-role-policy --role-name [role_name] --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
    aws iam attach-role-policy --role-name [role_name] --policy-arn arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM
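The console check in step 2 and the "aws ssm describe-instance-information" command above only show instances that SSM already knows about; to find the instances this rule flags you have to compare that list against what EC2 is actually running, and check the IAM role of any instance that cannot register. The script below is an added example written for this page, not Cloud Defense's or AWS's own code. It works on the JSON shapes returned by "aws ec2 describe-instances", "aws ssm describe-instance-information" and "aws iam list-attached-role-policies"; the sample responses embedded in it are constructed, with hypothetical instance IDs and account number, and the fetch_live helper (which needs boto3 and credentials) is the only part that touches a real account.

```python
"""Audit which running EC2 instances are not managed by AWS Systems Manager.

Added example, not Cloud Defense's own code. Sample responses below are
constructed (hypothetical instance IDs, account 123456789012).
"""
from __future__ import annotations

import json
from typing import Dict, List, Tuple

REQUIRED_POLICY = "AmazonSSMManagedInstanceCore"

# Constructed sample of `aws ec2 describe-instances` output.
SAMPLE_EC2 = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111111111111a", "State": {"Name": "running"},
             "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/ssm-role"}},
            # Running, but with no instance profile at all: the agent has no
            # credentials and can never register with Systems Manager.
            {"InstanceId": "i-0bbb222222222222b", "State": {"Name": "running"}},
            # Stopped instances are not expected to report, so they are skipped.
            {"InstanceId": "i-0ccc333333333333c", "State": {"Name": "stopped"}},
            {"InstanceId": "i-0ddd444444444444d", "State": {"Name": "running"},
             "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/ssm-role"}},
        ]}
    ]
}

# Constructed sample of `aws ssm describe-instance-information` output.
SAMPLE_SSM = {
    "InstanceInformationList": [
        {"InstanceId": "i-0aaa111111111111a", "PingStatus": "Online"},
        {"InstanceId": "i-0ddd444444444444d", "PingStatus": "ConnectionLost"},
    ]
}


def running_instances(ec2_response: dict) -> Dict[str, dict]:
    """Map instance ID -> instance record for every instance in the 'running' state."""
    result: Dict[str, dict] = {}
    for reservation in ec2_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") == "running":
                result[inst["InstanceId"]] = inst
    return result


def ssm_ping_status(ssm_response: dict) -> Dict[str, str]:
    """Map instance ID -> PingStatus for instances registered with SSM."""
    return {i["InstanceId"]: i.get("PingStatus", "Unknown")
            for i in ssm_response.get("InstanceInformationList", [])}


def audit(ec2_response: dict, ssm_response: dict) -> Dict[str, List[str]]:
    """Classify running instances against the SSM inventory.

    unmanaged:  running but unknown to SSM (the rule's non-compliant case)
    not_online: registered but the agent is not currently reporting
    no_profile: no IAM instance profile, so the agent cannot authenticate
    """
    running = running_instances(ec2_response)
    pings = ssm_ping_status(ssm_response)
    findings: Dict[str, List[str]] = {"unmanaged": [], "not_online": [], "no_profile": []}
    for iid, inst in running.items():
        if "IamInstanceProfile" not in inst:
            findings["no_profile"].append(iid)
        status = pings.get(iid)
        if status is None:
            findings["unmanaged"].append(iid)
        elif status != "Online":
            findings["not_online"].append(iid)
    return findings


def role_has_ssm_core(attached_policies_response: dict) -> bool:
    """True if `aws iam list-attached-role-policies` output includes AmazonSSMManagedInstanceCore."""
    return any(p.get("PolicyName") == REQUIRED_POLICY
               for p in attached_policies_response.get("AttachedPolicies", []))


def fetch_live(region: str) -> Tuple[dict, dict]:
    """Pull both inventories from a real account (requires boto3 and credentials).

    Both API calls are paginated; a plain single call would silently miss instances.
    """
    import boto3  # imported here so the offline audit logic does not depend on it
    ec2 = boto3.client("ec2", region_name=region)
    ssm = boto3.client("ssm", region_name=region)
    ec2_resp: dict = {"Reservations": []}
    for page in ec2.get_paginator("describe_instances").paginate():
        ec2_resp["Reservations"].extend(page["Reservations"])
    ssm_resp: dict = {"InstanceInformationList": []}
    for page in ssm.get_paginator("describe_instance_information").paginate():
        ssm_resp["InstanceInformationList"].extend(page["InstanceInformationList"])
    return ec2_resp, ssm_resp


if __name__ == "__main__":
    # Runs offline against the constructed samples; swap in fetch_live(region) for a real account.
    print(json.dumps(audit(SAMPLE_EC2, SAMPLE_SSM), indent=2))
```

An instance listed under "unmanaged" is the one this rule reports; "no_profile" tells you step 3 (IAM) is the cause before you spend time on the agent, while "not_online" points at the agent service or the connectivity checks in step 5 rather than at IAM.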

Step-by-step Guide for Remediation:

To remediate non-compliant EC2 instances and ensure they are managed by AWS Systems Manager, follow these steps:

  1. Install the SSM Agent:

    • Connect to the non-compliant EC2 instance using SSH.
    • Install the SSM Agent by running the command for your operating system (Amazon Linux 2 or Ubuntu) listed under "Necessary Codes" above.

  2. Verify the SSM Agent installation:

    • Run the command: sudo systemctl status amazon-ssm-agent
    • Ensure that the agent is running and that there are no errors or warnings.

  3. Check Systems Manager association status:

    • Open the AWS Management Console and go to the Systems Manager service.
    • Navigate to "Run Command" -> "Managed Instances".
    • Verify that the EC2 instances are listed and report a status.

  4. Verify IAM permissions:

    • Identify the IAM role associated with the EC2 instances.
    • Open the IAM service in the AWS Management Console.
    • Navigate to "Roles" and select the role associated with the EC2 instances.
    • Ensure that the role has the required policies attached, such as "AmazonSSMManagedInstanceCore" and "AmazonEC2RoleforSSM". Attach them if they are not already present.

  5. Update Systems Manager preferences (optional):

    • Configure Systems Manager preferences according to your organization's requirements.
    • Set up patch management, automation documents, and compliance baselines if needed.

  6. Connectivity and networking checks:

    • Ensure that the EC2 instances have outbound access to the AWS endpoints that Systems Manager requires.
    • Review the security groups, NACLs, and other network configuration that could limit connectivity, and allow the necessary traffic to the Systems Manager endpoints.
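Step 6 here and step 5 of the troubleshooting section both say to confirm outbound access to the Systems Manager endpoints, but neither names them. SSM Agent needs outbound HTTPS (TCP 443) to three regional service endpoints: ssm, ssmmessages (used by Run Command and Session Manager messaging) and ec2messages. The script below is an added example written for this page, not Cloud Defense's or AWS's code; it builds those hostnames from a region name using AWS's public endpoint naming (assumed here, including the amazonaws.com.cn suffix for China regions) and attempts a TCP connection to each. If you use VPC interface endpoints with private DNS enabled, the same hostnames resolve to the endpoint's private addresses, so the check is still meaningful; what it does not cover is the S3 access that Patch Manager and some documents need.

```python
"""Check an instance's reachability to the Systems Manager endpoints for its region.

Added example, not Cloud Defense's own code. Hostnames follow AWS's public
endpoint naming (assumed here); run it on the instance itself, since that
is the network path SSM Agent uses.
"""
import socket
import sys
from typing import Dict, List, Tuple

# The three service endpoints SSM Agent contacts over TCP 443.
SSM_SERVICES = ("ssm", "ssmmessages", "ec2messages")


def ssm_endpoints(region: str) -> List[str]:
    """Return the endpoint hostnames SSM Agent uses in the given region."""
    suffix = "amazonaws.com.cn" if region.startswith("cn-") else "amazonaws.com"
    return [f"{svc}.{region}.{suffix}" for svc in SSM_SERVICES]


def tcp_reachable(host: str, port: int = 443, timeout: float = 3.0) -> Tuple[bool, str]:
    """Attempt a TCP connect and return (ok, detail).

    DNS failures are reported separately from connect failures, because they
    point at different fixes: resolver / private-DNS settings versus security
    groups, NACLs and route tables.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.gaierror as exc:
        return False, f"dns: {exc}"
    except OSError as exc:  # covers refused, timeout, unreachable network
        return False, f"connect: {exc}"


def check_region(region: str, timeout: float = 3.0) -> Dict[str, Tuple[bool, str]]:
    """Probe every SSM endpoint for a region; returns hostname -> (ok, detail)."""
    return {host: tcp_reachable(host, 443, timeout) for host in ssm_endpoints(region)}


def all_reachable(results: Dict[str, Tuple[bool, str]]) -> bool:
    """True when every probed endpoint accepted a TCP connection."""
    return all(ok for ok, _ in results.values())


if __name__ == "__main__":
    # Usage: python ssm_connectivity.py <region>   (defaults to us-east-1)
    region = sys.argv[1] if len(sys.argv) > 1 else "us-east-1"
    results = check_region(region)
    for host, (ok, detail) in results.items():
        print(f"{'OK  ' if ok else 'FAIL'} {host}:443  {detail}")
    # Non-zero exit lets a bootstrap or user-data script stop before installing the agent.
    sys.exit(0 if all_reachable(results) else 1)
```

A "dns:" failure on an instance in a private subnet usually means the VPC endpoints exist but private DNS is disabled or the subnet has no route to the resolver; a "connect:" timeout points at a security group or NACL that does not allow outbound 443, which is exactly the case step 6 asks you to fix.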

Once these steps are completed, your EC2 instances will be managed by AWS Systems Manager, ensuring compliance with AWS Foundational Security Best Practices.
