Rule: EC2 instances should be managed by AWS Systems Manager
Ensure AWS Systems Manager is used for managing EC2 instances
| Rule | EC2 instances should be managed by AWS Systems Manager |
| Framework | AWS Foundational Security Best Practices |
| Severity | ✔ Medium |
Rule Description:
The rule states that EC2 instances should be managed by AWS Systems Manager to ensure compliance with AWS Foundational Security Best Practices. AWS Systems Manager provides a centralized, unified way to automate operational tasks such as patch management, configuration management, and instance inventory in a secure and controlled manner.
By using AWS Systems Manager to manage EC2 instances, organizations can maintain better control over their infrastructure, ensure compliance with security policies, and respond quickly to security incidents or vulnerabilities.
Troubleshooting Steps:
If EC2 instances are not managed by AWS Systems Manager, follow these troubleshooting steps:
- 1.
Verify Systems Manager Agent (SSM Agent) is installed:
- Connect to the EC2 instance using SSH.
- Run the command:
sudo systemctl status amazon-ssm-agent - If the agent is not installed, follow the official AWS documentation to install it.
- 2.
Check Systems Manager association status:
- Open the AWS Management Console and go to the Systems Manager service.
- Navigate to "Run Command" -> "Managed Instances".
- Verify that the EC2 instances in question are listed and have an associated state.
- 3.
Verify IAM permissions:
- Check if the IAM role associated with the EC2 instance has the necessary permissions to use Systems Manager.
- Ensure the IAM role has the required policies attached, such as "AmazonSSMManagedInstanceCore" and "AmazonEC2RoleforSSM".
- 4.
Update Systems Manager preferences:
- Check if the EC2 instances have the necessary Systems Manager preferences correctly configured.
- Verify that Systems Manager preferences, such as patch management, automation documents, and compliance baselines, are set up according to your organization's requirements.
- 5.
Connectivity and networking checks:
- Ensure that the EC2 instances have outbound internet access to the required AWS endpoints for Systems Manager.
- Check if security groups, NACLs, or network configurations are blocking connectivity to Systems Manager endpoints.
- If there are any issues, adjust the network configurations to allow necessary traffic to AWS Systems Manager.
Necessary Codes:
No code is required for this rule. However, you may need to run certain AWS CLI commands to troubleshoot and manage Systems Manager:
To install the SSM Agent:
(for Amazon Linux 2)sudo yum install -y amazon-ssm-agent
(for Ubuntu)sudo apt-get install -y amazon-ssm-agentTo check the status of the SSM Agent:
sudo systemctl status amazon-ssm-agentTo list managed instances:
aws ssm describe-instance-informationTo attach required policies to the IAM role:
aws iam attach-role-policy --role-name [role_name] --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCoreaws iam attach-role-policy --role-name [role_name] --policy-arn arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM
Step-by-step Guide for Remediation:
To remediate non-compliant EC2 instances and ensure they are managed by AWS Systems Manager, follow these steps:
- 1.
Install the SSM Agent:
- Connect to the non-compliant EC2 instance using SSH.
- Install the SSM Agent by running the appropriate command for your operating system (Linux 2 or Ubuntu) mentioned earlier.
- 2.
Verify SSM Agent installation:
- Run the command:
.sudo systemctl status amazon-ssm-agent - Ensure that the agent is running and there are no errors or warnings.
- 3.
Check Systems Manager association status:
- Open the AWS Management Console and go to the Systems Manager service.
- Navigate to "Run Command" -> "Managed Instances".
- Verify that the EC2 instances are listed and have an associated state.
- 4.
Verify IAM permissions:
- Identify the IAM role associated with the EC2 instances.
- Open the IAM service in the AWS Management Console.
- Navigate to "Roles" and select the role associated with EC2 instances.
- Ensure that the role has the required policies attached, such as "AmazonSSMManagedInstanceCore" and "AmazonEC2RoleforSSM". Attach them if not already done.
- 5.
Update Systems Manager preferences (optional):
- Configure Systems Manager preferences according to your organization's requirements.
- Set up patch management, automation documents, and compliance baselines if needed.
- 6.
Connectivity and networking checks:
- Ensure that the EC2 instances have outbound internet access to the required AWS endpoints for Systems Manager.
- Check the security groups, NACLs, or network configurations that could limit connectivity and allow necessary traffic to Systems Manager endpoints.
Once these steps are completed, your EC2 instances will be managed by AWS Systems Manager, ensuring compliance with AWS Foundational Security Best Practices.