
Rule: EC2 Instances should be managed by AWS Systems Manager

This rule ensures that EC2 instances are effectively managed by AWS Systems Manager.

Rule: EC2 instances should be managed by AWS Systems Manager
Framework: Federal Financial Institutions Examination Council (FFIEC)
Severity: High

AWS Systems Manager Compliance for FFIEC on EC2 Instances

Rule Description

The Federal Financial Institutions Examination Council (FFIEC) mandates that financial institutions manage and secure their information technology systems in accordance with specific guidelines. For EC2 instances operating in the cloud environment of a financial institution regulated by FFIEC, it is required that the instances be managed through AWS Systems Manager. This ensures standardized, secure, and auditable management of the compute resources.

AWS Systems Manager provides visibility and control of the infrastructure on AWS. It allows organizations to automate operational tasks, which helps in maintaining system security and compliance. Using Systems Manager, you can apply patches, enforce policies, and create system images, as well as monitor the state of your EC2 instances.

Compliance Verification Steps

  1. First, ensure that the EC2 instances have the Systems Manager Agent (SSM Agent) installed and running. The agent facilitates management tasks.

    # Check SSM Agent status on an EC2 instance (run on the instance itself)
    sudo systemctl status amazon-ssm-agent

  2. On the AWS Management Console, navigate to Systems Manager > "Managed Instances" to verify that the EC2 instances are listed and reporting as managed.

  3. Ensure that the EC2 instances have the correct IAM role attached to them with policies that grant the required permissions for Systems Manager to manage the instances.

  4. If an instance is not managed, ensure that it is properly registered with Systems Manager (see the troubleshooting steps below for the usual causes).

Troubleshooting Steps

  • SSM Agent Not Installed: If the SSM Agent is not installed, follow the instructions in the AWS documentation to install it.

  • SSM Agent Not Reporting: If the agent is installed but not reporting, check the agent's logs, verify network connectivity, and ensure the IAM role and policies are correctly configured.

  • Network Issues: Ensure that the instances have access to the Systems Manager service endpoints, either through an internet gateway or a VPC endpoint.

  • Permissions Issues: If there are permission-related issues, troubleshoot and fix any IAM role and policy issues.
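The verification and troubleshooting steps above can be run as one account-wide check: list the running EC2 instances, list what Systems Manager reports as managed, and classify each gap by its most likely cause. The following is an added example written for this page (it is not Cloud Defense's own check). The instance records are constructed sample data shaped like the fields of `aws ec2 describe-instances` and `aws ssm describe-instance-information` that the check needs; `collect_from_boto3` shows how the same two inventories would be fetched from a live account and assumes a `boto3` session with `ec2:DescribeInstances` and `ssm:DescribeInstanceInformation` permissions.

```python
"""Cross-check running EC2 instances against the SSM managed-instance inventory.

Added example for the FFIEC SSM rule page (not the page's own code). Maps each
unmanaged instance onto the causes listed under "Troubleshooting Steps".
"""
from __future__ import annotations

from dataclasses import dataclass

REQUIRED_POLICY = "AmazonSSMManagedInstanceCore"  # policy named on the page

# Constructed sample: one flattened dict per instance, mirroring the fields of
# `aws ec2 describe-instances` that the check actually uses.
SAMPLE_EC2_INSTANCES = [
    {"InstanceId": "i-0aaa111111111111a", "State": "running",
     "IamInstanceProfile": "arn:aws:iam::123456789012:instance-profile/ssm-role"},
    {"InstanceId": "i-0bbb222222222222b", "State": "running",
     "IamInstanceProfile": None},                       # no instance profile attached
    {"InstanceId": "i-0ccc333333333333c", "State": "running",
     "IamInstanceProfile": "arn:aws:iam::123456789012:instance-profile/ssm-role"},
    {"InstanceId": "i-0ddd444444444444d", "State": "stopped",
     "IamInstanceProfile": "arn:aws:iam::123456789012:instance-profile/ssm-role"},
]

# Constructed sample: subset of `aws ssm describe-instance-information` output.
SAMPLE_SSM_INVENTORY = [
    {"InstanceId": "i-0aaa111111111111a", "PingStatus": "Online"},
    {"InstanceId": "i-0ccc333333333333c", "PingStatus": "ConnectionLost"},
]


@dataclass(frozen=True)
class Finding:
    instance_id: str
    status: str   # "compliant" or "non_compliant"
    reason: str


def evaluate(ec2_instances, ssm_inventory) -> list[Finding]:
    """Return one Finding per running instance.

    Stopped instances cannot report to SSM and are skipped rather than flagged.
    Classification follows the page's troubleshooting list: no IAM profile ->
    permissions issue; absent from SSM -> agent not installed / not registered
    (or no route to the SSM endpoints); present but not Online -> agent not
    reporting. A profile that lacks the required policy shows up as "not
    registered", since this check does not inspect the role's attached policies.
    """
    ssm_by_id = {item["InstanceId"]: item for item in ssm_inventory}
    findings = []
    for inst in ec2_instances:
        if inst["State"] != "running":
            continue
        iid = inst["InstanceId"]
        record = ssm_by_id.get(iid)
        if record is not None and record["PingStatus"] == "Online":
            findings.append(Finding(iid, "compliant", "reporting to Systems Manager"))
        elif inst.get("IamInstanceProfile") is None:
            findings.append(Finding(iid, "non_compliant",
                            f"no IAM instance profile attached; needs {REQUIRED_POLICY}"))
        elif record is None:
            findings.append(Finding(iid, "non_compliant",
                            "not registered with Systems Manager: SSM Agent missing or "
                            "not started, or no route to the SSM endpoints"))
        else:
            findings.append(Finding(iid, "non_compliant",
                            f"registered but PingStatus={record['PingStatus']}: "
                            "check agent logs, network connectivity and IAM"))
    return findings


def non_compliant_ids(findings) -> list[str]:
    """Instance IDs that fail the rule, sorted for stable reporting."""
    return sorted(f.instance_id for f in findings if f.status == "non_compliant")


def collect_from_boto3(session):
    """Fetch the same two inventories from a live account (assumes boto3 and
    ec2:DescribeInstances + ssm:DescribeInstanceInformation permissions)."""
    ec2 = session.client("ec2")
    ssm = session.client("ssm")
    instances = []
    for page in ec2.get_paginator("describe_instances").paginate():
        for reservation in page["Reservations"]:
            for inst in reservation["Instances"]:
                profile = inst.get("IamInstanceProfile")
                instances.append({
                    "InstanceId": inst["InstanceId"],
                    "State": inst["State"]["Name"],
                    "IamInstanceProfile": profile["Arn"] if profile else None,
                })
    inventory = []
    for page in ssm.get_paginator("describe_instance_information").paginate():
        inventory.extend(page["InstanceInformationList"])
    return instances, inventory


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EC2_INSTANCES, SAMPLE_SSM_INVENTORY):
        print(f"{f.instance_id}: {f.status} ({f.reason})")
```

Run against the sample data, the check skips the stopped instance, reports `i-0aaa…` as compliant, attributes `i-0bbb…` to the missing instance profile, and flags `i-0ccc…` as registered but not reporting. Against a real account, swap the two sample lists for the output of `collect_from_boto3(boto3.Session())`; the ordering of the branches matters, because an instance with no profile is never going to register no matter what the agent does, so that cause is reported first.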

Remediation Steps

To remediate non-compliant instances, you will need to install and start the SSM Agent where it is not already present, and attach an IAM role that carries the required policy. Note that SSM Agent is preinstalled on Amazon Linux 2, Amazon Linux 2023 and current Ubuntu Server AMIs, so on those images the install step usually reduces to enabling and starting the service.

Install SSM Agent on EC2 Instances

For Amazon Linux:

sudo yum install -y amazon-ssm-agent
sudo systemctl enable amazon-ssm-agent
sudo systemctl start amazon-ssm-agent

For Ubuntu:

wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb
sudo dpkg -i amazon-ssm-agent.deb
sudo systemctl enable amazon-ssm-agent
sudo systemctl start amazon-ssm-agent

Attach an IAM Role to an Instance

Create an IAM role with the AmazonSSMManagedInstanceCore policy attached and attach it to the EC2 instance:

  1. Navigate to the IAM console and create a new role.

  2. Select EC2 as the service that will use the role.

  3. Attach the AmazonSSMManagedInstanceCore policy to the role.

  4. Assign the IAM role to the EC2 instance through the console or using the AWS CLI.

    # Example AWS CLI command to attach the IAM role to an EC2 instance
    # (replace the instance ID and profile name with your own)
    aws ec2 associate-iam-instance-profile --instance-id i-0123456789abcdef0 --iam-instance-profile Name="YourSSMRole"
    

Verify Instance Registration in Systems Manager

  1. Navigate to the Systems Manager console.
  2. Check for your instances under "Managed Instances."

By following these steps, you can ensure that your EC2 instances are managed by AWS Systems Manager and compliant with FFIEC guidelines. It is essential to stay up to date with AWS best practices and FFIEC requirements to maintain regulatory compliance.
