
Rule: EC2 Instances Managed by AWS Systems Manager

Ensure that all EC2 instances are managed using AWS Systems Manager for enhanced security and compliance.

Rule: EC2 instances should be managed by AWS Systems Manager
Framework: NIST 800-53 Revision 4
Severity: High

EC2 Instances Managed by AWS Systems Manager for NIST 800-53 Revision 4

Description

This rule ensures that all EC2 instances within the AWS environment are managed by AWS Systems Manager in compliance with the National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 4. AWS Systems Manager provides a unified interface for managing EC2 instances, allowing organizations to automate operational tasks and maintain compliance with security requirements.

Rationale

Managing EC2 instances with AWS Systems Manager ensures centralized control and simplifies operations, monitoring, and maintenance of EC2 instances. It allows organizations to enforce security and compliance policies consistently, making it easier to implement security controls required by the NIST 800-53 Revision 4 framework.
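How a checker evaluates this rule, as an added example that is not Cloud Defense's own implementation: it takes the instance list from EC2 and the managed-instance list from Systems Manager, in the field shapes those two APIs return, and marks an instance compliant only when Systems Manager reports its agent as Online. The instance IDs, account number and agent versions below are constructed placeholders, and treating a stopped instance that registered earlier as still managed is this example's choice.

```python
"""Evaluate "EC2 instances should be managed by AWS Systems Manager".

Added example. Input shapes follow `aws ec2 describe-instances` (Reservations
flattened to a list of Instances) and `aws ssm describe-instance-information`
(InstanceInformationList); the sample records are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: every instance the EC2 API still reports.
EC2_INSTANCES = [
    {"InstanceId": "i-0aaa0000000000001", "State": {"Name": "running"},
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/ssm-managed"}},
    {"InstanceId": "i-0bbb0000000000002", "State": {"Name": "running"}},   # no instance profile
    {"InstanceId": "i-0ccc0000000000003", "State": {"Name": "running"},
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/app"}},
    {"InstanceId": "i-0ddd0000000000004", "State": {"Name": "stopped"},
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/ssm-managed"}},
    {"InstanceId": "i-0eee0000000000005", "State": {"Name": "terminated"}},
]

# Constructed sample: what Systems Manager knows about registered instances.
SSM_INSTANCE_INFO = [
    {"InstanceId": "i-0aaa0000000000001", "PingStatus": "Online", "AgentVersion": "3.x.y"},
    {"InstanceId": "i-0ccc0000000000003", "PingStatus": "ConnectionLost", "AgentVersion": "3.x.y"},
    {"InstanceId": "i-0ddd0000000000004", "PingStatus": "Inactive", "AgentVersion": "3.x.y"},
]


@dataclass(frozen=True)
class Finding:
    instance_id: str
    status: str   # "COMPLIANT" or "NON_COMPLIANT"
    reason: str


def evaluate(ec2_instances: List[Dict], ssm_info: List[Dict]) -> List[Finding]:
    """One finding per instance that still exists (terminated ones are skipped)."""
    registered = {info["InstanceId"]: info for info in ssm_info}
    findings = []
    for inst in ec2_instances:
        iid, state = inst["InstanceId"], inst["State"]["Name"]
        if state in ("terminated", "shutting-down"):
            continue
        info = registered.get(iid)
        if info is None:
            # Never registered: the agent has not called in. Point at the likeliest cause.
            if "IamInstanceProfile" not in inst:
                reason = "not registered with SSM; no IAM instance profile attached (troubleshooting step 3)"
            else:
                reason = "not registered with SSM; check agent, IAM permissions and outbound network path"
            findings.append(Finding(iid, "NON_COMPLIANT", reason))
        elif info["PingStatus"] == "Online":
            findings.append(Finding(iid, "COMPLIANT", "agent %s online" % info["AgentVersion"]))
        elif state == "stopped":
            # Example's choice: a stopped instance that registered earlier keeps its
            # managed status; SSM shows it Inactive/ConnectionLost until it starts again.
            findings.append(Finding(iid, "COMPLIANT", "registered; instance stopped (%s)" % info["PingStatus"]))
        else:
            # Running but not reporting: agent stopped, role changed, or egress blocked.
            findings.append(Finding(iid, "NON_COMPLIANT", "registered but PingStatus is %s" % info["PingStatus"]))
    return findings


def noncompliant_ids(findings: List[Finding]) -> List[str]:
    return sorted(f.instance_id for f in findings if f.status == "NON_COMPLIANT")


if __name__ == "__main__":
    for f in evaluate(EC2_INSTANCES, SSM_INSTANCE_INFO):
        print(f.instance_id, f.status, f.reason)
```

The reason string is what makes the finding actionable: an unregistered instance with no instance profile is almost always an IAM problem, while a registered instance that has gone ConnectionLost while running points at the agent or the outbound network path, which are the troubleshooting steps below.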

Troubleshooting Steps

If an EC2 instance is not managed by AWS Systems Manager, you can follow these troubleshooting steps to rectify the issue:

1. Verify AWS Systems Manager Agent: First, ensure that the EC2 instance has the AWS Systems Manager Agent installed and running. This agent is required for communication with AWS Systems Manager. Verify the agent's status by logging into the EC2 instance and checking the running services, or by running the command sudo systemctl status amazon-ssm-agent (for Linux) or Get-Service -Name "AmazonSSMAgent" (for Windows).

2. Check Instance Association: Next, check whether the EC2 instance is properly associated with an AWS Systems Manager document. The document should define the desired state and the actions to be performed on the instance. You can verify this by navigating to the AWS Systems Manager console and checking the "Managed Instances" section.

3. Review IAM Permissions: Ensure that the IAM role associated with the EC2 instance has the necessary permissions to interact with AWS Systems Manager. The role should have policies attached that allow the required actions, such as SSMMessages*, SSMManagedInstanceRole, AmazonSSMFullAccess, and AmazonEC2RoleforSSM.

4. Check Security Group Configuration: Confirm that the security group associated with the EC2 instance allows outbound traffic to the SSM endpoint (ssm.<region>.amazonaws.com) over the required ports (e.g., port 443). Inbound traffic for SSH/RDP access to the instance should also be allowed if necessary.

5. Verify Network Connectivity: Ensure that the EC2 instance has proper network connectivity, allowing outbound traffic to reach the AWS Systems Manager service via the internet or VPC endpoints.

Remediation

To manage an EC2 instance with AWS Systems Manager, follow these step-by-step remediation instructions:

1. Install AWS Systems Manager Agent: Log into the EC2 instance and install the AWS Systems Manager Agent if it is not already installed. Refer to the AWS documentation for instructions on installing the agent on Linux and Windows instances.

2. Configure IAM Role: Ensure that the EC2 instance is associated with an IAM role granting the required permissions for AWS Systems Manager. Create or modify the IAM role and attach policies such as SSMMessages*, SSMManagedInstanceRole, AmazonSSMFullAccess, and AmazonEC2RoleforSSM. Refer to the AWS documentation for guidance on creating and attaching IAM policies.

3. Associate Instance with Systems Manager Document: Associate the EC2 instance with an AWS Systems Manager document that defines the desired state and actions for the instance. You can create a document using either the AWS Management Console or the AWS Systems Manager API/CLI. Consult the AWS documentation for instructions on associating an instance with a document.

4. Configure Security Group: Ensure that the EC2 instance's security group allows outbound traffic to reach the SSM endpoint (ssm.<region>.amazonaws.com) on port 443. If necessary, modify the security group rules to allow inbound traffic for SSH/RDP access.

5. Ensure Network Connectivity: Verify that the EC2 instance has network connectivity to the AWS Systems Manager service. Ensure that no security group rules or network ACLs block outbound traffic to the SSM endpoint. If required, configure VPC endpoints to enable private access to the service.
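The checks in troubleshooting steps 3 to 5 and the fixes in remediation steps 2, 4 and 5, as one added example that is neither Cloud Defense's nor AWS's code: it takes the instance's IAM instance profile, its security groups and the VPC's interface endpoints, in the shapes the IAM and EC2 APIs return, and reports each unmet prerequisite together with the matching remediation step. Two choices are the example's own. It recognises the AWS-managed policies AmazonSSMManagedInstanceCore, AmazonEC2RoleforSSM and AmazonSSMFullAccess and recommends the first, which is scoped to what the agent needs; and when the instance has no internet route it expects interface endpoints for ssmmessages and ec2messages as well as the ssm endpoint the steps name, because Session Manager and Run Command use those. All sample data is constructed.

```python
"""Pre-flight checks for the SSM prerequisites, with the matching remediation.

Added example. Inputs mirror `aws iam get-instance-profile` (Roles) joined with
`aws iam list-attached-role-policies`, `aws ec2 describe-security-groups`
(IpPermissionsEgress) and `aws ec2 describe-vpc-endpoints` (ServiceName).
All sample values are constructed.
"""
from typing import Dict, List, Optional, Tuple

# AWS-managed policies that grant the agent what it needs. Add the names of your
# own customer-managed equivalents here if you scope the permissions yourself.
SSM_MANAGED_POLICIES = {"AmazonSSMManagedInstanceCore", "AmazonEC2RoleforSSM", "AmazonSSMFullAccess"}
# Interface endpoints the agent's features talk to when there is no internet path.
REQUIRED_ENDPOINT_SERVICES = ("ssm", "ssmmessages", "ec2messages")


def ec2_trust_policy() -> Dict:
    """Trust policy for the instance role (remediation step 2)."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": "ec2.amazonaws.com"},
                           "Action": "sts:AssumeRole"}]}


def has_ssm_policy(profile: Dict) -> bool:
    return any(SSM_MANAGED_POLICIES & set(role.get("AttachedPolicies", []))
               for role in profile.get("Roles", []))


def allows_https_egress(security_groups: List[Dict]) -> bool:
    """True if any attached SG has an egress rule covering TCP/443 (or all traffic)."""
    for sg in security_groups:
        for perm in sg.get("IpPermissionsEgress", []):
            proto = perm.get("IpProtocol")
            covers_443 = proto == "tcp" and perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 0)
            has_target = bool(perm.get("IpRanges") or perm.get("Ipv6Ranges")
                              or perm.get("UserIdGroupPairs") or perm.get("PrefixListIds"))
            if proto == "-1" or (covers_443 and has_target):
                return True
    return False


def check_prerequisites(profile: Optional[Dict], security_groups: List[Dict],
                        endpoint_services: List[str], internet_egress: bool,
                        region: str) -> List[Tuple[str, str]]:
    """Return (problem, fix) pairs; an empty list means the prerequisites are met."""
    problems = []
    if profile is None:
        problems.append(("no IAM instance profile attached",
                         "create a role with ec2_trust_policy(), attach AmazonSSMManagedInstanceCore, "
                         "and associate its instance profile with the instance (remediation step 2)"))
    elif not has_ssm_policy(profile):
        roles = ", ".join(r["RoleName"] for r in profile.get("Roles", []))
        problems.append(("instance role(s) %s carry no SSM policy" % roles,
                         "attach AmazonSSMManagedInstanceCore to the role (remediation step 2)"))
    if not allows_https_egress(security_groups):
        problems.append(("security group permits no outbound TCP/443",
                         "add an egress rule for TCP 443 towards ssm.%s.amazonaws.com or the "
                         "VPC interface endpoints (remediation step 4)" % region))
    if not internet_egress:
        present = set(endpoint_services)
        missing = [s for s in REQUIRED_ENDPOINT_SERVICES
                   if "com.amazonaws.%s.%s" % (region, s) not in present]
        if missing:
            problems.append(("no internet route and missing VPC endpoints: %s" % ", ".join(missing),
                             "create interface endpoints for %s with private DNS enabled "
                             "(remediation step 5)" % ", ".join(missing)))
    return problems


# Constructed sample: an instance that fails every check.
BAD_PROFILE = {"Roles": [{"RoleName": "app-role", "AttachedPolicies": ["AmazonS3ReadOnlyAccess"]}]}
BAD_SGS = [{"GroupId": "sg-0bad00000000000001", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]
BAD_ENDPOINTS = ["com.amazonaws.us-east-1.ssm"]   # ssmmessages and ec2messages absent

# Constructed sample: an instance that meets the prerequisites.
GOOD_PROFILE = {"Roles": [{"RoleName": "ssm-managed", "AttachedPolicies": ["AmazonSSMManagedInstanceCore"]}]}
GOOD_SGS = [{"GroupId": "sg-0fff00000000000001", "IpPermissionsEgress": [{"IpProtocol": "-1"}]}]

if __name__ == "__main__":
    for problem, fix in check_prerequisites(BAD_PROFILE, BAD_SGS, BAD_ENDPOINTS, False, "us-east-1"):
        print("PROBLEM:", problem, "\n    FIX:", fix)
```

The agent only needs outbound TCP 443; the check deliberately asks for nothing inbound, because Session Manager sessions and Run Command ride the same outbound channel, so the SSH/RDP allowance the steps mention is for direct logins rather than for Systems Manager itself.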

By following these steps, you can ensure that EC2 instances in your AWS environment are managed by AWS Systems Manager, meeting the compliance requirements of NIST 800-53 Revision 4.
