
Managing EC2 Instances with AWS Systems Manager Rule

This rule ensures compliance by managing EC2 instances with AWS Systems Manager.

Rule: EC2 instances should be managed by AWS Systems Manager
Framework: FedRAMP Moderate Revision 4
Severity: High

Rule Description

According to the AWS Systems Manager Compliance Pack for FedRAMP Moderate Revision 4, all EC2 instances within the AWS environment should be managed and monitored using AWS Systems Manager. This requirement ensures that proper security and compliance controls are in place to protect the sensitive data and resources hosted on EC2 instances.

Troubleshooting Steps

If you encounter any issues while implementing this rule, consider the following troubleshooting steps:

  1. Missing AWS Systems Manager - Ensure that the AWS Systems Manager service is enabled in your AWS account. If not, you need to enable this service before proceeding.

  2. Missing SSM Agent - Check if the SSM Agent is installed and running on your EC2 instances. The SSM Agent is responsible for enabling communication between EC2 instances and AWS Systems Manager.

  3. IAM Policy Permissions - Verify that the IAM roles or user policies associated with your EC2 instances have the necessary permissions to interact with AWS Systems Manager. Missing or insufficient permissions may cause issues.

  4. Network Connectivity - Ensure that the EC2 instances have proper network connectivity to the AWS Systems Manager service. Check if there are any security group rules or network ACLs blocking the required communication.

  5. SSM Agent Version - Confirm that you are using the latest version of the SSM Agent on all EC2 instances. Outdated versions may lack certain capabilities or bug fixes.

Necessary Codes

In order to comply with this rule, you need to implement the following steps and codes:

  1. Code to enable AWS Systems Manager on an EC2 instance (the AWS-ConfigureAWSPackage document requires both the "action" and the "name" parameter; replace <package-name> with the package to install):

     aws ssm create-association --name "AWS-ConfigureAWSPackage" --targets "Key=InstanceIds,Values=<instance-id>" --parameters '{"action":["Install"],"name":["<package-name>"]}'

  2. Code to verify if an EC2 instance is managed by AWS Systems Manager:

     aws ssm describe-instance-information --filters "Key=InstanceIds,Values=<instance-id>" --query "InstanceInformationList[].PingStatus"

  3. Code to determine the SSM Agent version on EC2 instances:

     aws ssm describe-instance-information --filters "Key=InstanceIds,Values=<instance-id>" --query "InstanceInformationList[].AgentVersion"

  4. Code to update the SSM Agent to the latest version on an EC2 instance (there is no "update-ssm-agent" CLI command; the update is run through the AWS-UpdateSSMAgent document):

     aws ssm send-command --document-name "AWS-UpdateSSMAgent" --targets "Key=InstanceIds,Values=<instance-id>" --region <region>

Step-by-Step Guide for Remediation

Follow these steps to remediate any EC2 instances that are not managed by AWS Systems Manager:

  1. Check EC2 instance's status: Identify the EC2 instances that are not managed by AWS Systems Manager. You can use the AWS Management Console, AWS CLI, or SDKs to retrieve the list of instances.

  2. Enable AWS Systems Manager: Run the following AWS CLI command to enable AWS Systems Manager on an EC2 instance:

     aws ssm create-association --name "AWS-ConfigureAWSPackage" --targets "Key=InstanceIds,Values=<instance-id>" --parameters '{"action":["Install"],"name":["<package-name>"]}'

     Replace <instance-id> with the ID of the specific EC2 instance you want to enable, and <package-name> with the package that the association should install.

  3. Verify AWS Systems Manager: After enabling AWS Systems Manager, use the following AWS CLI command to verify if the EC2 instance is now managed:

     aws ssm describe-instance-information --filters "Key=InstanceIds,Values=<instance-id>" --query "InstanceInformationList[].PingStatus"

     Check if the response shows "Online" for the specified EC2 instance, indicating that it is managed. An instance that does not appear in the response at all has never registered with Systems Manager, which usually points to a missing SSM Agent, a missing instance profile, or no network path to the Systems Manager endpoints.

  4. Check SSM Agent version: Run the following AWS CLI command to determine the SSM Agent version on the EC2 instance:

     aws ssm describe-instance-information --filters "Key=InstanceIds,Values=<instance-id>" --query "InstanceInformationList[].AgentVersion"

     Verify that the response shows the latest version of the SSM Agent. If not, proceed to the next step.

  5. Update SSM Agent: Update the SSM Agent on the EC2 instance to the latest version by running the following AWS CLI command:

     aws ssm send-command --document-name "AWS-UpdateSSMAgent" --targets "Key=InstanceIds,Values=<instance-id>" --region <region>

     Replace <instance-id> with the ID of the EC2 instance and <region> with the appropriate AWS region.

  6. Verify SSM Agent update: Run the SSM Agent version check command again to confirm that the agent has been successfully updated.

By following these steps, you can ensure that all your EC2 instances are managed by AWS Systems Manager, meeting the requirements of the AWS Systems Manager Compliance Pack for FedRAMP Moderate Revision 4.
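Steps 1, 3 and 4 above can be automated for a whole account rather than one instance at a time. The following script is an added example for this page, not Cloud Defense or AWS code: it takes the JSON that "aws ec2 describe-instances" and "aws ssm describe-instance-information" return (the same shapes boto3 returns), and reports running instances that Systems Manager does not see as Online, separating instances that never registered from instances that registered once but lost their connection, plus instances whose agent is not the latest version. The two embedded responses are constructed sample data; the function names and the "fetch_live" helper are this example's own.

```python
"""Find EC2 instances that are not managed by Systems Manager, or that run
an outdated SSM Agent, from describe-instances / describe-instance-information
JSON. Added example; the sample responses below are constructed."""
import json

# Constructed sample of `aws ec2 describe-instances` output (trimmed to the
# fields this check needs).
EC2_DESCRIBE_INSTANCES = json.loads("""
{"Reservations": [
  {"Instances": [
    {"InstanceId": "i-0aaa111", "State": {"Name": "running"}},
    {"InstanceId": "i-0bbb222", "State": {"Name": "running"}},
    {"InstanceId": "i-0ccc333", "State": {"Name": "stopped"}},
    {"InstanceId": "i-0ddd444", "State": {"Name": "running"}}
  ]}
]}
""")

# Constructed sample of `aws ssm describe-instance-information` output.
# i-0ddd444 is absent on purpose: SSM has never heard from it.
SSM_INSTANCE_INFORMATION = json.loads("""
{"InstanceInformationList": [
  {"InstanceId": "i-0aaa111", "PingStatus": "Online",
   "AgentVersion": "3.2.1705.0", "IsLatestVersion": true},
  {"InstanceId": "i-0bbb222", "PingStatus": "ConnectionLost",
   "AgentVersion": "3.1.1374.0", "IsLatestVersion": false}
]}
""")


def running_instance_ids(describe_instances):
    """IDs of running instances only; a stopped instance can never be Online."""
    ids = set()
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") == "running":
                ids.add(inst["InstanceId"])
    return ids


def ssm_status_by_id(instance_information):
    """Index the SSM inventory by instance ID."""
    return {info["InstanceId"]: info
            for info in instance_information.get("InstanceInformationList", [])}


def find_unmanaged(describe_instances, instance_information):
    """Running instances that SSM does not report as Online, keyed by reason.

    'not registered' means SSM has no record of the instance (no agent, no
    instance profile, or no route to the SSM endpoints); any other value is
    the PingStatus of an instance that registered once but is unreachable now.
    """
    status = ssm_status_by_id(instance_information)
    findings = {}
    for iid in sorted(running_instance_ids(describe_instances)):
        info = status.get(iid)
        if info is None:
            findings[iid] = "not registered"
        elif info.get("PingStatus") != "Online":
            findings[iid] = info.get("PingStatus", "unknown")
    return findings


def find_outdated_agents(instance_information):
    """Instances whose SSM Agent is not the latest version, with the version seen."""
    return {
        info["InstanceId"]: info.get("AgentVersion", "unknown")
        for info in instance_information.get("InstanceInformationList", [])
        if not info.get("IsLatestVersion", False)
    }


def fetch_live(region):
    """Pull both responses from AWS with boto3 (needs credentials; not run here).
    Both APIs paginate, so the paginators are used to get the full inventory."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    ssm = boto3.client("ssm", region_name=region)
    reservations, infos = [], []
    for page in ec2.get_paginator("describe_instances").paginate():
        reservations.extend(page["Reservations"])
    for page in ssm.get_paginator("describe_instance_information").paginate():
        infos.extend(page["InstanceInformationList"])
    return {"Reservations": reservations}, {"InstanceInformationList": infos}


if __name__ == "__main__":
    for iid, reason in find_unmanaged(EC2_DESCRIBE_INSTANCES, SSM_INSTANCE_INFORMATION).items():
        print(f"UNMANAGED {iid}: {reason}")
    for iid, ver in find_outdated_agents(SSM_INSTANCE_INFORMATION).items():
        print(f"OUTDATED  {iid}: agent {ver}")
```

On the sample data the script flags i-0ddd444 as never registered (a candidate for the remediation steps above), i-0bbb222 as ConnectionLost with an outdated agent, and ignores the stopped instance i-0ccc333, which would otherwise show up as a false positive. To run it against a real account, replace the two constants with the tuple returned by fetch_live(region).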
