
Rule: EC2 Instances should be managed by AWS Systems Manager

This rule specifies that EC2 instances must be managed using AWS Systems Manager.

Rule: EC2 instances should be managed by AWS Systems Manager
Framework: FedRAMP Low Revision 4
Severity: High

EC2 Instances Compliance with AWS Systems Manager for FedRAMP Low Revision 4

To comply with FedRAMP Low Revision 4 requirements, Amazon EC2 instances need to be managed by AWS Systems Manager (SSM). This gives you a secure, centrally controlled way to patch, inventory and configure your fleet. Below is a detailed guide to bringing your EC2 instances into compliance with this policy, including troubleshooting steps and the AWS CLI commands needed for remediation.

Requirement Details

FedRAMP Low Revision 4 mandates that all cloud service providers (CSPs) must use automated tools to manage their systems. AWS Systems Manager is the AWS service that gives you visibility into, and control over, your AWS infrastructure from one place. Under this mandate, the following are required:

  • Patch management
  • Inventory management
  • Configuration compliance checking

Troubleshooting Steps

If your EC2 instances are not currently managed by SSM, you may encounter compliance and security issues. Here are steps to identify and resolve such issues:

  1. Check SSM Agent Install: Ensure that the AWS Systems Manager Agent (SSM Agent) is installed on each EC2 instance.
  2. Verify IAM Role Assignment: The EC2 instance must have an IAM role, attached through an instance profile, with sufficient permissions to communicate with SSM.
  3. Confirm Network Configuration: Ensure instances are within a VPC that can reach the AWS Systems Manager endpoints, either through the internet or a VPC endpoint.
  4. Diagnose SSM Agent Status: If the SSM Agent is installed but not working properly, check the status or logs of the agent on the instance.
  5. Review Systems Manager Console: Check for any operational warnings or errors in the Systems Manager console which might indicate misconfigurations.

Remediation Steps with CLI Commands

Here is a step-by-step guide to remediate non-compliant instances using the AWS CLI:

Step 1: Ensure SSM Agent is Installed

List the instances that Systems Manager currently manages. An instance that is running in EC2 but missing from this output has no working agent registration, whether because the agent is absent, the role is missing, or the network path is blocked:

aws ssm describe-instance-information --output text --query 'InstanceInformationList[*].InstanceId'

Install the SSM Agent if it's not present:

# For Amazon Linux based instances:
sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm

# For Ubuntu instances:
sudo snap install amazon-ssm-agent --classic
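As an added example (not from the Cloud Defense page), the following POSIX shell script turns two listings into a coverage report: the running-instance list from EC2 and the managed-instance list, with PingStatus, from describe-instance-information. The aws commands that produce the inputs appear in comments; the inputs used here are constructed sample data so the script runs offline. The verdicts map onto the troubleshooting steps above: an instance absent from SSM points at the agent, the role or the network, while one that is present but not Online has an installed agent that is unhealthy.

```shell
#!/bin/sh
# Added example, not part of the original page. In a real account the two
# inputs come from (the query shapes are standard AWS CLI JMESPath):
#   aws ec2 describe-instances --filters Name=instance-state-name,Values=running \
#       --query 'Reservations[].Instances[].InstanceId' --output text | tr '\t' '\n'
#   aws ssm describe-instance-information \
#       --query 'InstanceInformationList[].[InstanceId,PingStatus]' --output text
# Below, both are constructed sample data so the script runs offline.

tab=$(printf '\t')

# ssm_coverage_report EC2_IDS SSM_INFO
#   EC2_IDS:  one running EC2 instance id per line
#   SSM_INFO: "<instance-id><TAB><PingStatus>" per line, as SSM reports it
# Prints "<instance-id> <verdict>" for every EC2 instance:
#   MANAGED             registered with SSM and PingStatus is Online
#   AGENT_UNHEALTHY(..) registered, but PingStatus is ConnectionLost/Inactive
#   NOT_MANAGED         running in EC2 but unknown to SSM (agent, role or network)
ssm_coverage_report() {
    ec2_ids=$1
    ssm_info=$2
    printf '%s\n' "$ec2_ids" | while IFS= read -r id; do
        [ -n "$id" ] || continue
        # Look up this instance's PingStatus in the SSM listing (empty if absent).
        status=$(printf '%s\n' "$ssm_info" | awk -v id="$id" -F "$tab" '$1 == id { print $2 }')
        case "$status" in
            Online) echo "$id MANAGED" ;;
            "")     echo "$id NOT_MANAGED" ;;
            *)      echo "$id AGENT_UNHEALTHY($status)" ;;
        esac
    done
}

# Number of instances that fail the rule (anything other than MANAGED).
ssm_noncompliant_count() {
    ssm_coverage_report "$1" "$2" | grep -vc ' MANAGED$'
}

# Constructed sample data (not real account output). The fourth SSM entry is an
# instance SSM knows about that is not in the running EC2 list; it is ignored.
SAMPLE_EC2_IDS='i-0aaa111111111111a
i-0bbb222222222222b
i-0ccc333333333333c'
SAMPLE_SSM_INFO=$(printf 'i-0aaa111111111111a\tOnline\ni-0bbb222222222222b\tConnectionLost\ni-0ddd444444444444d\tOnline')

ssm_coverage_report "$SAMPLE_EC2_IDS" "$SAMPLE_SSM_INFO"
```

Feed the script real listings from the two aws commands in the header comment and treat every NOT_MANAGED line as a candidate for Steps 1 to 3 and every AGENT_UNHEALTHY line as a candidate for Step 4.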

Step 2: Assign IAM Role to EC2 Instances

Create an IAM role whose trust policy lets the EC2 service assume it, attach the AmazonSSMManagedInstanceCore managed policy, wrap the role in an instance profile (the object EC2 actually attaches), and associate that profile with the instance:

aws iam create-role --role-name SSMRoleForCompliance --assume-role-policy-document file://trust-policy.json

aws iam attach-role-policy --role-name SSMRoleForCompliance --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore

aws iam create-instance-profile --instance-profile-name SSMRoleForCompliance

aws iam add-role-to-instance-profile --instance-profile-name SSMRoleForCompliance --role-name SSMRoleForCompliance

aws ec2 associate-iam-instance-profile --instance-id i-1234567890abcdef0 --iam-instance-profile Name=SSMRoleForCompliance

If the instance already has a profile, use aws ec2 replace-iam-instance-profile-association instead; associate-iam-instance-profile fails when one is attached.
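The trust-policy.json file referenced above is not shown on the page. The following is an added example, not Cloud Defense's file, of the minimal trust policy an EC2 instance role needs: it allows only the EC2 service principal to assume the role.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Keep the principal limited to ec2.amazonaws.com; the role carries the permissions the agent uses to talk to SSM, so nothing else should be able to assume it.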

Step 3: Setup Network Configuration

If your instance needs to communicate with SSM without internet access, create interface VPC endpoints. Replace region with the instance's region and supply the subnets and security group the endpoint network interfaces should use; enabling private DNS lets the agent resolve the standard service hostnames to the endpoint. The agent needs three endpoints: ssm, ssmmessages and ec2messages, so run the command once for each service name:

aws ec2 create-vpc-endpoint --vpc-id vpc-12345678 --service-name com.amazonaws.region.ssm --vpc-endpoint-type Interface \
    --subnet-ids subnet-PLACEHOLDER --security-group-ids sg-PLACEHOLDER --private-dns-enabled

Step 4: Verify SSM Agent Status

To check if the SSM Agent is running, use:

sudo systemctl status amazon-ssm-agent

Or for older instances that do not use systemd:

sudo status amazon-ssm-agent

Step 5: Configuring SSM Agent for Auto Update

It's important to keep the SSM Agent current. Systems Manager does this with a State Manager association that runs the AWS-UpdateSSMAgent document on a schedule against the target instances:

aws ssm create-association --name AWS-UpdateSSMAgent --targets Key=InstanceIds,Values=i-1234567890abcdef0 --schedule-expression "rate(14 days)"

The amazon-ssm-agent -register command is only for hybrid activations of servers outside EC2; EC2 instances with an instance profile register automatically.

Conclusion

By following the above guidelines, troubleshooting steps, and remediation instructions with the necessary CLI commands, your EC2 instances should comply with AWS Systems Manager requirements for FedRAMP Low Revision 4. Always ensure your security and compliance measures are up-to-date with federal regulations.
