
Rule: EC2 Instances Managed by AWS Systems Manager

This rule states that EC2 instances should be managed by AWS Systems Manager for improved security and compliance.

Rule: EC2 instances should be managed by AWS Systems Manager
Framework: FedRAMP Moderate Revision 4
Severity: High

EC2 Instances Managed by AWS Systems Manager for FedRAMP Moderate Revision 4

Description of the Rule

This rule maps the FedRAMP Moderate Revision 4 configuration-management and flaw-remediation requirements onto EC2: every EC2 instance in the account must be registered with AWS Systems Manager as a managed node. An instance counts as managed only when three things hold at once: the SSM Agent is installed and running, the instance has an IAM instance profile whose role grants the agent its Systems Manager permissions, and the agent can reach the regional Systems Manager endpoints. Once an instance is managed, Patch Manager, State Manager, Inventory, Run Command and Session Manager can be applied to it centrally, which is what gives you fleet-wide patching, compliance reporting and configuration control; an unmanaged instance is invisible to all of them.

Troubleshooting Steps

Step 1: Verify EC2 Instance Visibility in AWS Systems Manager

  1. Go to the AWS Systems Manager console.
  2. In the navigation pane, select "Fleet Manager" (formerly "Managed Instances").
  3. Check whether the EC2 instance in question appears in the list of managed nodes and that its SSM Agent ping status is Online rather than Connection Lost.

If the EC2 instance is not listed, ensure that it meets the AWS Systems Manager prerequisites:

  • An IAM instance profile attached to the instance whose role grants the Systems Manager permissions.
  • The SSM Agent installed and running on the instance.
  • Network reachability from the instance to the Systems Manager endpoints (interface VPC endpoints or outbound internet access).

Step 2: Verify IAM Role and SSM Agent Installation

  1. Check the IAM instance profile attached to the EC2 instance:
     • Its role should have the AmazonSSMManagedInstanceCore managed policy attached. That policy is the least-privilege option for the agent; avoid the legacy AmazonEC2RoleforSSM policy, which also grants broad S3 access.
     • An instance with no instance profile at all never registers, however healthy the agent is.
  2. Check that the SSM Agent is installed and running:
     • On systemd-based Linux, check the service status on the instance:
       sudo systemctl status amazon-ssm-agent
     • On Windows the service is named AmazonSSMAgent.
     • When the agent is running but the instance still does not register, the agent log (/var/log/amazon/ssm/amazon-ssm-agent.log on Linux) records the credential or connectivity error.

Step 3: Check Network Configuration

  • The agent must reach the regional ssm, ssmmessages and ec2messages endpoints over HTTPS (TCP 443), either through outbound internet access (public IP and internet gateway, or a NAT gateway) or through interface VPC endpoints in the instance's VPC. Check the security group and network ACL egress rules and the subnet's route table. For VPC endpoints, also confirm that private DNS is enabled on each endpoint and that the endpoint's security group allows inbound TCP 443 from the instance subnets.
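The three troubleshooting steps above amount to one question per instance: is it registered, and if not, which prerequisite is missing? The following script, added here as an example and not Cloud Defense's own check, answers that for a whole account from the AWS CLI. It joins the list of running instances (with their instance profile) against the list of nodes Systems Manager knows about and classifies each instance. The live collection functions assume AWS CLI v2 with credentials; the account number, instance IDs and the SSMRoleForEC2 profile in demo_audit are constructed sample data.

```shell
#!/usr/bin/env bash
# Added audit example (not Cloud Defense's own check): list running EC2
# instances that are not managed by Systems Manager and say why.
# Assumes AWS CLI v2 with credentials; the IDs in demo_audit are constructed.
set -eu

# Live collection: running instances as "InstanceId<TAB>instance-profile-arn-or-none".
collect_ec2() {
  aws ec2 describe-instances \
    --filters Name=instance-state-name,Values=running \
    --query "Reservations[].Instances[].[InstanceId, IamInstanceProfile.Arn || 'none']" \
    --output text
}

# Live collection: SSM-registered EC2 nodes as "InstanceId<TAB>PingStatus".
collect_ssm() {
  aws ssm describe-instance-information \
    --query "InstanceInformationList[?ResourceType=='EC2Instance'].[InstanceId, PingStatus]" \
    --output text
}

# Join the two lists. $1 = ec2 list file, $2 = ssm list file.
# Emits one line per instance: InstanceId<TAB>STATUS<TAB>reason.
audit_ssm_coverage() {
  awk -F'\t' -v ssmfile="$2" '
    FILENAME == ssmfile { ping[$1] = $2; next }        # registered nodes first
    {
      id = $1; profile = $2
      if (!(id in ping)) {
        if (profile == "none")
          print id "\tNOT_MANAGED\tno IAM instance profile attached (remediation step 1)"
        else
          print id "\tNOT_MANAGED\tprofile attached but agent never registered: check agent and network (steps 2-3)"
      } else if (ping[id] == "Online")
        print id "\tOK\tmanaged, agent online"
      else
        print id "\tDEGRADED\tregistered but PingStatus=" ping[id]
    }' "$2" "$1"
}

# Run against the live account (collected lists go to temp files).
audit_live() {
  ec2=$(mktemp); ssm=$(mktemp)
  collect_ec2 >"$ec2"; collect_ssm >"$ssm"
  audit_ssm_coverage "$ec2" "$ssm"
  rm -f "$ec2" "$ssm"
}

# Offline demo on constructed data covering the four outcomes.
demo_audit() {
  ec2=$(mktemp); ssm=$(mktemp)
  printf 'i-0a1b2c3d4e5f60001\tarn:aws:iam::123456789012:instance-profile/SSMRoleForEC2\n' >"$ec2"
  printf 'i-0a1b2c3d4e5f60002\tnone\n' >>"$ec2"
  printf 'i-0a1b2c3d4e5f60003\tarn:aws:iam::123456789012:instance-profile/SSMRoleForEC2\n' >>"$ec2"
  printf 'i-0a1b2c3d4e5f60004\tarn:aws:iam::123456789012:instance-profile/SSMRoleForEC2\n' >>"$ec2"
  printf 'i-0a1b2c3d4e5f60001\tOnline\ni-0a1b2c3d4e5f60004\tConnectionLost\n' >"$ssm"
  audit_ssm_coverage "$ec2" "$ssm"
  rm -f "$ec2" "$ssm"
}
```

Source the file and call audit_live in the account you are assessing; every NOT_MANAGED line is a finding for this rule, and the reason column tells you which remediation step to start with. DEGRADED lines (registered but Connection Lost) usually mean the agent was stopped or the network path was removed after registration, so they need Steps 2 and 3 rather than a new role.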

Necessary Commands

Step-by-Step Guide for Remediation

1. Attach IAM Role to EC2 Instance

Ensure your EC2 instances have an instance profile whose role carries the AmazonSSMManagedInstanceCore managed policy. If not, create the role, wrap it in an instance profile and attach it:

  1. Create a new IAM role that the EC2 service can assume (trust-policy.json must allow the ec2.amazonaws.com service principal to call sts:AssumeRole):
     aws iam create-role --role-name SSMRoleForEC2 --assume-role-policy-document file://trust-policy.json
  2. Attach the AmazonSSMManagedInstanceCore policy:
     aws iam attach-role-policy --role-name SSMRoleForEC2 --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  3. Create an instance profile and add the role to it (EC2 attaches instance profiles, not roles, so this step cannot be skipped):
     aws iam create-instance-profile --instance-profile-name SSMRoleForEC2
     aws iam add-role-to-instance-profile --instance-profile-name SSMRoleForEC2 --role-name SSMRoleForEC2
  4. Assign the instance profile to the EC2 instance (if one is already attached, use replace-iam-instance-profile-association with the existing association ID instead):
     aws ec2 associate-iam-instance-profile --instance-id i-xxxxxxxxxxxxxxxxx --iam-instance-profile Name=SSMRoleForEC2

A running agent picks up the new credentials from the instance metadata service within a few minutes; restarting the agent makes it register immediately.

2. Install and Configure SSM Agent on EC2 Instances

Amazon Linux 2, Amazon Linux 2023 and the official Ubuntu AMIs ship with the agent preinstalled (on Ubuntu as a snap), so check before installing; the packages below are for images that lack it.

  1. Install and enable the SSM Agent:
     • For Amazon Linux-based instances:
       sudo yum install -y amazon-ssm-agent
       sudo systemctl enable --now amazon-ssm-agent
     • For Ubuntu-based instances:
       wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb
       sudo dpkg -i amazon-ssm-agent.deb
       sudo systemctl enable --now amazon-ssm-agent
  2. Verify the SSM Agent is running (and will start on reboot):
     sudo systemctl status amazon-ssm-agent

3. Configure Network for Systems Manager

For Internet Access:

Ensure the security group and network ACLs attached to the EC2 instances allow outbound TCP 443 to the regional Systems Manager endpoints (ssm, ssmmessages and ec2messages), and that the subnet routes to an internet gateway or NAT gateway.

For VPC Endpoints:

  1. Create interface endpoints for all three services the agent uses (ssm for registration and Inventory, ssmmessages for Session Manager, ec2messages for Run Command), with private DNS enabled so the agent's default endpoint hostnames resolve to the endpoint. Replace region with the instance's region and the IDs with your subnet and an endpoint security group that allows inbound TCP 443 from the instance subnets:
     for svc in ssm ssmmessages ec2messages; do
       aws ec2 create-vpc-endpoint --vpc-id vpc-xxxxxxxx --service-name "com.amazonaws.region.${svc}" --vpc-endpoint-type Interface --private-dns-enabled --subnet-ids subnet-xxxxxxxx --security-group-ids sg-xxxxxxxx
     done
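The remediation steps above are one procedure per instance, and the order matters (role, policy, instance profile, association, then wait for registration). The script below, added here as an example and not Cloud Defense's own tooling, runs that procedure idempotently for a single instance. The role and profile name SSMRoleForEC2 and the AmazonSSMManagedInstanceCore policy are the ones the page uses; the trust policy body, the instance-ID check and the polling helper are this example's own, and it assumes AWS CLI v2 with IAM and EC2 permissions.

```shell
#!/usr/bin/env bash
# Added remediation example (not Cloud Defense's own script): bring one EC2
# instance under Systems Manager end to end. Assumes AWS CLI v2 with
# credentials; the trust policy, id check and polling loop are this example's.
set -eu

ROLE_NAME="${ROLE_NAME:-SSMRoleForEC2}"

# Trust policy that lets the EC2 service assume the role (the body the page's
# trust-policy.json needs to contain).
trust_policy_json() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Validate an EC2 instance id (old 8-hex or current 17-hex form) before spending API calls on it.
is_instance_id() {
  printf '%s' "$1" | grep -qE '^i-[0-9a-f]{8}([0-9a-f]{9})?$'
}

# Create the role if missing, attach the least-privilege managed policy, and
# wrap the role in an instance profile (EC2 attaches profiles, not roles).
ensure_role_and_profile() {
  if ! aws iam get-role --role-name "$ROLE_NAME" >/dev/null 2>&1; then
    aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document "$(trust_policy_json)" >/dev/null
  fi
  aws iam attach-role-policy --role-name "$ROLE_NAME" \
    --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  if ! aws iam get-instance-profile --instance-profile-name "$ROLE_NAME" >/dev/null 2>&1; then
    aws iam create-instance-profile --instance-profile-name "$ROLE_NAME" >/dev/null
    aws iam add-role-to-instance-profile \
      --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
    sleep 10   # give IAM time to propagate the new profile before EC2 sees it
  fi
}

# Attach the profile. This fails if the instance already has one; use
# replace-iam-instance-profile-association for that case.
attach_profile() {
  aws ec2 associate-iam-instance-profile --instance-id "$1" \
    --iam-instance-profile "Name=$ROLE_NAME" >/dev/null
}

# Poll describe-instance-information until the agent reports Online (default ~2 min).
wait_for_ssm() {
  id="$1"; tries="${2:-12}"
  while [ "$tries" -gt 0 ]; do
    status=$(aws ssm describe-instance-information \
      --filters "Key=InstanceIds,Values=$id" \
      --query 'InstanceInformationList[0].PingStatus' --output text)
    [ "$status" = "Online" ] && return 0
    tries=$((tries - 1)); sleep 10
  done
  return 1
}

main() {
  is_instance_id "${1:-}" || { echo "usage: $0 i-xxxxxxxxxxxxxxxxx" >&2; return 2; }
  ensure_role_and_profile
  attach_profile "$1"
  if wait_for_ssm "$1"; then
    echo "$1 is now managed by Systems Manager"
  else
    echo "$1 has the profile but never registered: check SSM Agent and network (steps 2-3)" >&2
    return 1
  fi
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as ./ssm-remediate.sh i-xxxxxxxxxxxxxxxxx. The final wait is the part most one-off fixes skip: attaching a profile only satisfies the rule once the instance actually shows up as Online, and a timeout here tells you the remaining problem is the agent or the network path, not IAM.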

Bringing every EC2 instance under Systems Manager in this way satisfies the rule for FedRAMP Moderate Revision 4 and, more usefully, gives you one place to patch, inventory and audit the whole fleet; an instance that is not managed is also an instance nothing else in this control set can see.
