Rule: EC2 Instances Should be Managed by AWS Systems Manager

This rule ensures that all EC2 instances are managed effectively by AWS Systems Manager.

Rule: EC2 instances should be managed by AWS Systems Manager
Framework: FedRAMP Low Revision 4
Severity: High

Rule Description:

EC2 instances deployed in an AWS environment that is governed by the Federal Risk and Authorization Management Program (FedRAMP) Low Revision 4 framework should be managed using AWS Systems Manager. The use of Systems Manager ensures that the instances are properly secured, monitored, and maintained in compliance with the FedRAMP regulations.

Troubleshooting Steps (if applicable):

If your EC2 instances are not managed by AWS Systems Manager, you may encounter compliance issues and face difficulties in meeting the requirements for FedRAMP Low Revision 4. To troubleshoot and resolve this issue, follow the steps below:

  1. Identify the EC2 instances that are not managed by AWS Systems Manager.
  2. Ensure that you have the necessary permissions to manage EC2 instances using Systems Manager.
  3. Ensure that the necessary Systems Manager agents are installed and running on the EC2 instances.
  4. If the agents are missing or not functioning correctly, you may need to reinstall or update them.
  5. Verify that the instances are properly registered to your Systems Manager account.
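One way to carry out the identification and registration checks in the steps above, as an added example that is not part of the original rule page. It works on data shaped like the boto3 `describe_instances` and `describe_instance_information` responses; the function names, finding labels and sample data are this example's own assumptions.

```python
"""Classify running EC2 instances by Systems Manager status.

Inputs have the shape of boto3's ec2.describe_instances() and
ssm.describe_instance_information() responses (paginate both on a real account).
"""

# Constructed sample data: instance IDs, account ID and profile name are made up.
PROFILE = {"Arn": "arn:aws:iam::111122223333:instance-profile/example-ssm-profile"}
SAMPLE_EC2 = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "State": {"Name": "running"}, "IamInstanceProfile": PROFILE},
    {"InstanceId": "i-0bbb", "State": {"Name": "running"}, "IamInstanceProfile": PROFILE},
    {"InstanceId": "i-0ccc", "State": {"Name": "running"}},
    {"InstanceId": "i-0ddd", "State": {"Name": "running"}, "IamInstanceProfile": PROFILE},
    {"InstanceId": "i-0eee", "State": {"Name": "stopped"}, "IamInstanceProfile": PROFILE},
]}]}
SAMPLE_SSM = {"InstanceInformationList": [
    {"InstanceId": "i-0aaa", "PingStatus": "Online"},
    {"InstanceId": "i-0bbb", "PingStatus": "ConnectionLost"},
]}


def classify(ec2_response, ssm_response):
    """Return {instance_id: finding} for every running EC2 instance."""
    ping = {info["InstanceId"]: info.get("PingStatus")
            for info in ssm_response.get("InstanceInformationList", [])}
    findings = {}
    for reservation in ec2_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") != "running":
                continue  # only running instances are expected to check in
            iid = inst["InstanceId"]
            if ping.get(iid) == "Online":
                findings[iid] = "managed"
            elif iid in ping:
                findings[iid] = "agent_unreachable"    # registered, agent not checking in
            elif "IamInstanceProfile" not in inst:
                findings[iid] = "no_instance_profile"  # no role attached for the agent to use
            else:
                findings[iid] = "not_registered"       # role attached: check agent, policy, network
    return findings


def non_compliant(findings):
    """Instance IDs that would fail the rule, sorted for stable reporting."""
    return sorted(iid for iid, finding in findings.items() if finding != "managed")


if __name__ == "__main__":
    for iid, finding in sorted(classify(SAMPLE_EC2, SAMPLE_SSM).items()):
        print(iid, finding)
```

Each finding points at a different troubleshooting step: `no_instance_profile` at the IAM role, `not_registered` at the agent installation or its permissions, and `agent_unreachable` at an agent that registered once but has stopped reporting.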

Necessary Codes/Configurations (if applicable):

To manage EC2 instances using AWS Systems Manager, you need to configure the following:

  1. IAM Role: Create an IAM role with the necessary permissions to access and manage EC2 instances through Systems Manager. Ensure that the IAM role has the necessary permissions to interact with Systems Manager services like Amazon EC2 Systems Manager Run Command, Session Manager, and Automation.
  2. Systems Manager Agent: Install and configure the Systems Manager agent on the EC2 instances. The agent enables communication between the instances and Systems Manager. You can install the agent manually or use an appropriate user data script while launching the instances.

Step-by-Step Guide for Remediation:

Follow the step-by-step guide below to manage your EC2 instances using AWS Systems Manager for FedRAMP Low Revision 4 compliance:

  1. Set up IAM Role:

     a. Open the AWS Management Console and navigate to the Identity and Access Management (IAM) service.
     b. Click on "Roles" in the left navigation pane and then click on "Create Role."
     c. Select the appropriate service, "EC2," and click "Next: Permissions."
     d. Search for and select the necessary permissions for Systems Manager, such as "AmazonEC2RoleforSSM" and "AmazonEC2RoleforSessionManager."
     e. Click "Next: Tags" and add optional tags, then proceed to the next step.
     f. Provide a name and optional description for the role, and click "Create Role."

  2. Install Systems Manager Agent:

     a. Open the EC2 Management Console and navigate to "Instances."
     b. Select the EC2 instances that need to be managed by Systems Manager.
     c. Click on "Actions" and then click on "Instance Settings" > "Attach/Replace IAM Role."
     d. Choose the IAM role created in Step 1 and click "Apply."
     e. Connect to the EC2 instances using the preferred method (SSH/RDP).
     f. Download and install the Systems Manager agent using the appropriate method for your operating system.
     g. Configure the agent with the necessary settings, such as the Systems Manager Region and IAM role ARN.
     h. Start the agent and verify that it is running.

  3. Verify and Manage Instances:

     a. Go to the AWS Systems Manager Console.
     b. Navigate to "Managed Instances" in the left navigation pane.
     c. Verify that the instances you configured are listed as "Managed."
     d. Click on an instance to view detailed information and manage it using Systems Manager services such as Run Command, Session Manager, and Automation.

By following these steps, you can ensure that your EC2 instances are managed by AWS Systems Manager, meeting the compliance requirements for FedRAMP Low Revision 4.
