
Rule: EC2 Instances Managed by AWS Systems Manager

Ensure all EC2 instances are managed by AWS Systems Manager for better security

Rule: EC2 instances should be managed by AWS Systems Manager
Framework: NIST 800-171 Revision 2
Severity: High

Rule Description

EC2 instances should be managed by AWS Systems Manager to comply with the security requirements set by NIST 800-171 Revision 2. This rule ensures that all EC2 instances within an AWS environment are inventoried, patched, and checked against the required security controls through Systems Manager.

Troubleshooting Steps

1. Check EC2 instances: Identify all the EC2 instances running within your AWS environment.

2. Verify AWS Systems Manager agent: Ensure that the AWS Systems Manager agent is installed and running on each EC2 instance.

3. Check Systems Manager association: Confirm that the EC2 instances are properly associated with AWS Systems Manager.

4. Validate inventory collections: Verify that the EC2 instances' inventory collections are running successfully in Systems Manager.

5. Review patch compliance: Ensure that the EC2 instances are receiving and applying the necessary patches through Systems Manager Patch Manager.

Necessary Codes

No specific code is required for this rule. However, you need to utilize AWS CLI commands to perform necessary verifications and remediations.
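As an added example (not part of this rule page or of any Cloud Defense tooling), the following boto3 script performs the core check behind this rule: it compares the running EC2 instances in a region with the instances that report to Systems Manager and lists every instance that is not managed. It assumes the standard EC2 `DescribeInstances` and SSM `DescribeInstanceInformation` response shapes and treats an instance as managed only when it is registered with SSM and its `PingStatus` is `Online`; the sample responses at the bottom are constructed so the logic can be exercised offline.

```python
def find_unmanaged(reservations, ssm_info):
    # reservations: "Reservations" from EC2 DescribeInstances
    # ssm_info: "InstanceInformationList" from SSM DescribeInstanceInformation
    # Assumed definition of "managed": registered with SSM and PingStatus "Online".
    ping = {i["InstanceId"]: i.get("PingStatus", "Unknown") for i in ssm_info}
    findings = {}
    for res in reservations:
        for inst in res.get("Instances", []):
            if inst.get("State", {}).get("Name") != "running":
                continue  # stopped/terminated instances are out of scope
            iid = inst["InstanceId"]
            if iid not in ping:
                findings[iid] = "not registered with SSM (agent, IAM role or endpoint issue)"
            elif ping[iid] != "Online":
                findings[iid] = "registered but PingStatus=" + ping[iid]
    return findings


def audit_region(region):
    """Live check for one region, using the boto3 paginators for both APIs."""
    import boto3  # imported here so the offline logic above runs without the SDK
    ec2 = boto3.client("ec2", region_name=region)
    ssm = boto3.client("ssm", region_name=region)
    running = [{"Name": "instance-state-name", "Values": ["running"]}]
    reservations, ssm_info = [], []
    for page in ec2.get_paginator("describe_instances").paginate(Filters=running):
        reservations.extend(page["Reservations"])
    for page in ssm.get_paginator("describe_instance_information").paginate():
        ssm_info.extend(page["InstanceInformationList"])
    return find_unmanaged(reservations, ssm_info)


# Constructed sample responses (not real account data) so the check runs offline.
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa000000000001", "State": {"Name": "running"}},
    {"InstanceId": "i-0aaa000000000002", "State": {"Name": "running"}},
    {"InstanceId": "i-0aaa000000000003", "State": {"Name": "running"}},
    {"InstanceId": "i-0aaa000000000004", "State": {"Name": "stopped"}},
]}]
SAMPLE_SSM_INFO = [
    {"InstanceId": "i-0aaa000000000001", "PingStatus": "Online"},
    {"InstanceId": "i-0aaa000000000003", "PingStatus": "ConnectionLost"},
]

if __name__ == "__main__":
    for iid, why in find_unmanaged(SAMPLE_RESERVATIONS, SAMPLE_SSM_INFO).items():
        print("NON-COMPLIANT", iid, why)
```

An instance that has the agent installed but still does not appear in the SSM list usually lacks an instance profile granting Systems Manager permissions or cannot reach the SSM endpoints, so check those before reinstalling the agent.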

Remediation Steps

Follow the step-by-step guide below to remediate any non-compliant EC2 instances:

1. Install and configure AWS Systems Manager agent:

   • SSH or RDP into the EC2 instance using appropriate credentials.

   • Download and install the AWS Systems Manager agent by following the official AWS documentation specific to your operating system.

2. Associate EC2 instance with AWS Systems Manager:

   • Open the AWS Management Console and navigate to the EC2 service.

   • Select the target EC2 instance that needs to be associated with AWS Systems Manager.

   • Click on "Actions" and choose "Manage: Associate instance(s)".

   • Select "AWS Systems Manager" from the list of available services.

   • Click on "Associate".

3. Validate inventory collections:

   • Open the AWS Management Console and navigate to the Systems Manager service.

   • From the left-hand menu, click on "Inventory".

   • Verify that the associated EC2 instance is listed with the latest inventory details.

   • If the inventory collection does not show up, review and troubleshoot the Systems Manager agent installation on the EC2 instance.

4. Review patch compliance:

   • Open the AWS Management Console and go to the Systems Manager service.

   • From the left-hand menu, click on "Patch Manager".

   • Select "Patch Compliance".

   • Verify that the associated EC2 instance is listed and shows compliance with the latest patches.

   • If the patch compliance is not satisfactory, review and troubleshoot the Systems Manager Patch Manager configuration.

5. Repeat steps 1-4 for all non-compliant EC2 instances.

By following the above remediation steps, you can ensure that all EC2 instances within your AWS environment are properly managed by AWS Systems Manager to comply with NIST 800-171 Revision 2 requirements.
