
Rule: EC2 Instances Managed by AWS Systems Manager

Ensure all EC2 instances are managed by AWS Systems Manager for enhanced security and compliance.

Rule: EC2 instances should be managed by AWS Systems Manager
Framework: FedRAMP Moderate Revision 4
Severity: High

AWS Systems Manager and FedRAMP Moderate Revision 4 Compliance for EC2 Instances

AWS Systems Manager is a management service that helps you automatically collect software inventory, apply OS patches, create system images, and configure Windows and Linux operating systems. Its relevance to Amazon EC2 instances in the context of FedRAMP Moderate Revision 4 is significant, particularly for organizations operating within or servicing U.S. federal agencies.

Rule Description

Purpose

The objective is to establish a secure and auditable environment by ensuring AWS EC2 instances are managed by AWS Systems Manager, meeting FedRAMP Moderate Revision 4 compliance.

Scope

  • All Amazon EC2 instances within an AWS account that is part of a FedRAMP environment.
  • Instances must be configured to allow AWS Systems Manager to manage them.

Requirements

  • EC2 instances should have the necessary IAM roles and permissions.
  • AWS Systems Manager Agent (SSM Agent) must be installed on the EC2 instances.
  • The environment must adhere to the FedRAMP Moderate baseline requirements.

Troubleshooting Steps

1. Verification of SSM Agent Installation

Check whether the AWS Systems Manager Agent is installed on the EC2 instances.

Command:

# For Linux systems
sudo systemctl status amazon-ssm-agent

# For Windows systems
Get-Service -Name "AmazonSSMAgent"

2. Validate IAM Roles and Permissions

Ensure that the EC2 instance has an IAM role attached with the correct permissions for Systems Manager.

3. Network Configuration

Check that the security groups and network ACLs are not blocking traffic to and from the AWS Systems Manager endpoints (or the VPC endpoints for ssm, ssmmessages and ec2messages, if the instance has no internet route).

4. Systems Manager Activation

Verify that the instance has been activated and is visible in the Systems Manager console.

Remediation Guide

Step-by-Step Compliance Enforcement:

Step 1: Attach the Required IAM Role

  1. Create the IAM role with the necessary permissions for Systems Manager.

     aws iam create-role --role-name SSMRoleForEC2 --assume-role-policy-document file://TrustPolicyForSSM.json

  2. Attach the policy to the role.

     aws iam attach-role-policy --role-name SSMRoleForEC2 --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore

  3. Associate the IAM role with the EC2 instances.

     # An instance profile of the same name must exist and contain the role first (aws iam create-instance-profile, then aws iam add-role-to-instance-profile)
     aws ec2 associate-iam-instance-profile --instance-id i-1234567890abcdef0 --iam-instance-profile Name=SSMRoleForEC2
    

Step 2: Install the SSM Agent

For instances whose AMI does not ship with the SSM Agent preinstalled:

  1. Download and install the SSM Agent.

     # For Amazon Linux
     sudo yum install -y amazon-ssm-agent
     # For Ubuntu
     wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb
     sudo dpkg -i amazon-ssm-agent.deb

  2. Start the agent service.

     # For Linux systems
     sudo systemctl start amazon-ssm-agent
     # For Windows systems
     Start-Service AmazonSSMAgent
    

Step 3: Verify EC2 Instance Registration with Systems Manager

aws ssm describe-instance-information --output table

Check the output for your instance ID to confirm it is being managed by Systems Manager.
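As an added example (not part of the Cloud Defense rule page or any AWS tooling), the script below reconciles the two command outputs offline: it takes constructed sample responses in the shape of `aws ec2 describe-instances` and `aws ssm describe-instance-information` and reports each running instance that has no IAM instance profile, is absent from Systems Manager, or is registered but not Online. The instance IDs and account number are made up.

```python
"""Flag running EC2 instances that are not healthy Systems Manager managed nodes."""
import json

# Constructed sample data in the shape of the two CLI/API responses (not real accounts).
EC2_RESPONSE = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0aaa111122223333a", "State": {"Name": "running"},
   "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/SSMRoleForEC2"}},
  {"InstanceId": "i-0bbb111122223333b", "State": {"Name": "running"}},
  {"InstanceId": "i-0ccc111122223333c", "State": {"Name": "running"},
   "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/SSMRoleForEC2"}},
  {"InstanceId": "i-0ddd111122223333d", "State": {"Name": "stopped"}}
]}]}
""")
SSM_RESPONSE = json.loads("""
{"InstanceInformationList": [
  {"InstanceId": "i-0aaa111122223333a", "PingStatus": "Online"},
  {"InstanceId": "i-0ccc111122223333c", "PingStatus": "ConnectionLost"}
]}
""")


def find_unmanaged(ec2_response: dict, ssm_response: dict) -> dict:
    """Return {instance_id: reason} for running instances that fail the rule.

    The reason points back to the remediation step that usually fixes it.
    """
    ping = {n["InstanceId"]: n.get("PingStatus", "Unknown")
            for n in ssm_response.get("InstanceInformationList", [])}
    findings = {}
    for reservation in ec2_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") != "running":
                continue  # stopped or terminated instances cannot report to SSM
            iid = inst["InstanceId"]
            if "IamInstanceProfile" not in inst:
                findings[iid] = "no IAM instance profile attached (Step 1)"
            elif iid not in ping:
                findings[iid] = "not registered with Systems Manager (Steps 2-3)"
            elif ping[iid] != "Online":
                findings[iid] = f"registered but PingStatus is {ping[iid]} (check agent and network)"
    return findings


if __name__ == "__main__":
    for iid, reason in find_unmanaged(EC2_RESPONSE, SSM_RESPONSE).items():
        print(f"NON-COMPLIANT {iid}: {reason}")
```

To run it against a real account, feed the script the JSON written by the two CLI commands (`--output json`) instead of the embedded samples.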

Step 4: Enforce FedRAMP Compliance Policies

  1. Ensure patch compliance by configuring Systems Manager's Patch Manager.
  2. Implement a State Manager policy to apply configurations across instances.
  3. Use Automation documents to maintain standard configurations in compliance with FedRAMP Moderate Revision 4.

Step 5: Monitor and Log

Enable Amazon CloudWatch and AWS CloudTrail to monitor and log SSM operations for auditing.

Automating Remediation

For automation of processes, AWS Lambda functions and Amazon EventBridge can be used to trigger remediation actions when non-compliant instances are detected.

By following these guidelines, your EC2 instances should be managed in a FedRAMP Moderate Revision 4 compliant manner through AWS Systems Manager. Always ensure you are regularly reviewing AWS and FedRAMP documentation for the latest guidance and policy updates.
