Ensure proper management of EC2 instances using AWS Systems Manager.
Rule | EC2 instances should be managed by AWS Systems Manager |
Framework | NIST 800-53 Revision 4 |
Severity | High |
Rule Description
This rule, as mapped to the NIST 800-53 Revision 4 compliance framework, requires that every EC2 instance in the account be registered as a managed instance in AWS Systems Manager. A managed instance runs the SSM Agent, carries an IAM instance profile that lets the agent call Systems Manager, and can reach the Systems Manager endpoints; in return it gets centralized inventory, patch management, Run Command and State Manager associations, and Session Manager access without any inbound SSH or RDP exposure. An instance that Systems Manager does not see is outside that configuration-management and patching coverage, and that gap is what this rule detects.
Troubleshooting Steps
If you encounter any issues with implementing AWS Systems Manager for EC2 instance management, you can follow these troubleshooting steps:
Check the SSM Agent: Ensure that the AWS Systems Manager Agent (SSM Agent) is installed and running on the instance. On Linux, log in and check that the amazon-ssm-agent service is active (on Ubuntu images where the agent ships as a snap, the unit is named snap.amazon-ssm-agent.amazon-ssm-agent); on Windows, check the AmazonSSMAgent service. From outside the instance, aws ssm describe-instance-information lists every instance whose agent has ever registered, with a PingStatus of Online, ConnectionLost or Inactive; an instance missing from that list has never registered at all, which points at the agent, the instance profile or network reachability rather than at a later failure.
Check Systems Manager permissions: The agent authenticates with the credentials of the instance profile attached to the instance, so the role inside that profile must allow the Systems Manager actions the agent calls, and its trust policy must allow ec2.amazonaws.com to assume it. The AWS managed policy AmazonSSMManagedInstanceCore is the intended grant. AmazonEC2RoleforSSM is a legacy policy that AWS has deprecated because it also grants broad S3 permissions the agent does not need; replace it with AmazonSSMManagedInstanceCore where it is still attached. If the account uses Default Host Management Configuration, instances without a profile of their own can be managed through the role configured there instead, so check which of the two mechanisms is expected to apply.
Verify endpoint reachability: The agent makes outbound HTTPS (TCP 443) connections to the regional ssm, ssmmessages and ec2messages endpoints; nothing inbound is required. Instances in public subnets reach them through an internet gateway, instances in private subnets through a NAT gateway or, preferably, VPC interface endpoints for com.amazonaws.<region>.ssm, com.amazonaws.<region>.ssmmessages and com.amazonaws.<region>.ec2messages, which lets the instances stay without internet egress entirely. Check the security group's outbound rules, the network ACLs and the route table for 443 to those destinations; when using interface endpoints, also check that the endpoint's security group accepts 443 from the instance subnets and that private DNS is enabled on the endpoint.
Review the agent logs: The agent's own log is on the instance, at /var/log/amazon/ssm/amazon-ssm-agent.log and /var/log/amazon/ssm/errors.log on Linux and under %PROGRAMDATA%\Amazon\SSM\Logs on Windows; registration failures, such as a credentials error from a missing profile or a timeout reaching the ssm endpoint, appear there. The S3 bucket or CloudWatch Logs group configured for Systems Manager holds Run Command and session output, not the agent's registration log, so it only helps once the instance is already managed.
Necessary Codes
To implement the rule, each EC2 instance needs an IAM instance profile whose role the SSM Agent can use. The simplest compliant setup attaches the AWS managed policy AmazonSSMManagedInstanceCore to that role. If you prefer an inline policy, the following is the minimum the agent needs to register the instance and open Run Command and Session Manager channels: it names the four ssmmessages actions the agent actually uses instead of a wildcard, and includes the ec2messages actions the agent also depends on. It omits the further ssm actions in AmazonSSMManagedInstanceCore (associations, inventory, compliance items, patch snapshots, documents and parameters), so Inventory, State Manager and Patch Manager will not work with this policy alone. The agent does not call the EC2 API, so no ec2:Describe* permissions are needed.
Create a new IAM role (with a trust policy allowing ec2.amazonaws.com to assume it) or modify an existing role to include the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:UpdateInstanceInformation",
        "ssmmessages:CreateControlChannel",
        "ssmmessages:CreateDataChannel",
        "ssmmessages:OpenControlChannel",
        "ssmmessages:OpenDataChannel",
        "ec2messages:AcknowledgeMessage",
        "ec2messages:DeleteMessage",
        "ec2messages:FailMessage",
        "ec2messages:GetEndpoint",
        "ec2messages:GetMessages",
        "ec2messages:SendReply"
      ],
      "Resource": "*"
    }
  ]
}
Put the role in an instance profile and attach that profile to your EC2 instances using either the AWS Management Console or the AWS CLI.
Step-by-step Remediation Guide
Follow these steps to remediate and ensure compliance with the rule of managing EC2 instances with AWS Systems Manager:
Create a new IAM role or modify an existing role with the necessary policies mentioned above.
Attach the role to your EC2 instances as follows. EC2 attaches an instance profile, not a role directly, so if the role is not yet in a profile, create one with aws iam create-instance-profile and add the role to it with aws iam add-role-to-instance-profile first.
Open the AWS CLI or any CLI tool with AWS CLI configured.
Run the following CLI command, replacing instance-id with the ID of the EC2 instance and ssm-instance-profile with the name of the instance profile (you can pass Arn=<instance-profile-ARN> instead of Name=; either way it is the profile's identifier, not the role's):
aws ec2 associate-iam-instance-profile --instance-id <instance-id> --iam-instance-profile Name=<ssm-instance-profile>
If the instance already has a profile attached, this call fails because an association already exists; in that case either add the policy to the role in the existing profile, or look up the association with aws ec2 describe-iam-instance-profile-associations and swap it with aws ec2 replace-iam-instance-profile-association.
Log into the EC2 instance and verify that the SSM Agent is installed and running. The agent is preinstalled on the Amazon Linux, Ubuntu Server (16.04 and later) and Windows Server AMIs that AWS publishes, and must be installed on most other images. On Linux with systemd, check the service status by running the following command:
sudo systemctl status amazon-ssm-agent
Ensure that the service is active and running. The agent retries registration on its own after the instance profile is attached, but restarting the service (the same systemctl command with restart in place of status) makes it pick up the new credentials immediately. On Ubuntu images where the agent is installed as a snap, the unit is snap.amazon-ssm-agent.amazon-ssm-agent; on Windows, check the AmazonSSMAgent service with Get-Service in PowerShell.
Verify that your EC2 instances can reach the Systems Manager service: outbound HTTPS (443) to the regional ssm, ssmmessages and ec2messages endpoints, either over the internet through an internet or NAT gateway or, for instances in private subnets without internet egress, through VPC interface endpoints for those three services. Ensure that security groups, network ACLs and route tables allow that traffic. No inbound rule is required, and once Session Manager works you can remove any inbound SSH or RDP rules that existed only for administrators.
Recheck the compliance status of your EC2 instances to confirm they are now managed. aws ssm describe-instance-information should list each instance with a PingStatus of Online. The AWS Config managed rule ec2-instance-managed-by-systems-manager (identifier EC2_INSTANCE_MANAGED_BY_SSM) performs the same check continuously, on its own or through an AWS Config conformance pack that includes it, so re-evaluate that rule to validate compliance.
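The remediation steps above each address one reason an instance is not managed: no instance profile, a profile whose role lacks the Systems Manager actions, an agent that is not running, or no path to the endpoints. The following script, added here as an example and not part of the original rule page or of any AWS tooling, triages a fleet against those reasons offline. It works on the JSON shapes returned by aws ec2 describe-instances and aws ssm describe-instance-information (the field names Reservations, Instances, State, IamInstanceProfile, InstanceInformationList and PingStatus are the real API fields), plus a mapping from instance-profile ARN to the policy documents of its role, which you would assemble yourself from aws iam get-instance-profile and the role's attached and inline policies. All sample data in the block is constructed, and the policy evaluation is deliberately simplified: it matches Allow statements with IAM-style wildcards but does not model Deny statements, NotAction, conditions or permissions boundaries.

```python
"""Offline triage of EC2 instances not managed by AWS Systems Manager.

Added example (not from the original page). Input is constructed sample data
shaped like the describe-instances and describe-instance-information responses.
Run: python3 ssm_triage.py
"""
import fnmatch

# Minimum actions the SSM Agent needs to register and open channels; a subset
# of what the AmazonSSMManagedInstanceCore managed policy grants.
REQUIRED_ACTIONS = {
    "ssm:UpdateInstanceInformation",
    "ssmmessages:CreateControlChannel",
    "ssmmessages:CreateDataChannel",
    "ssmmessages:OpenControlChannel",
    "ssmmessages:OpenDataChannel",
    "ec2messages:GetMessages",
}


def _as_list(value):
    """IAM allows a single string or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy_docs):
    """Return the REQUIRED_ACTIONS granted by Allow statements in policy_docs.

    Action names are case-insensitive in IAM and may contain wildcards such as
    "ssmmessages:*" or "*"; fnmatch handles both. Deny, NotAction, Condition
    and permissions boundaries are not modelled (simplification).
    """
    granted = set()
    for doc in policy_docs:
        for stmt in _as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            for pattern in _as_list(stmt.get("Action", [])):
                granted |= {a for a in REQUIRED_ACTIONS
                            if fnmatch.fnmatchcase(a.lower(), pattern.lower())}
    return granted


def missing_actions(policy_docs):
    """Required actions that the role's policies do not grant."""
    return REQUIRED_ACTIONS - allowed_actions(policy_docs)


def triage(describe_instances, instance_information, profile_policies):
    """Map each running instance ID to 'managed' or an 'unmanaged: <reason>'."""
    seen = {i["InstanceId"]: i for i in instance_information["InstanceInformationList"]}
    result = {}
    for reservation in describe_instances["Reservations"]:
        for inst in reservation["Instances"]:
            if inst["State"]["Name"] != "running":
                continue  # stopped/terminated instances cannot report in
            iid = inst["InstanceId"]
            info = seen.get(iid)
            if info and info["PingStatus"] == "Online":
                result[iid] = "managed"
                continue
            profile = inst.get("IamInstanceProfile", {}).get("Arn")
            if not profile:
                result[iid] = "unmanaged: no instance profile attached"
                continue
            missing = missing_actions(profile_policies.get(profile, []))
            if missing:
                result[iid] = "unmanaged: profile lacks " + ", ".join(sorted(missing))
            elif info:
                # Registered before, silent now: agent stopped or lost its 443 path.
                result[iid] = f"unmanaged: agent {info['PingStatus']} (check agent and endpoint reachability)"
            else:
                result[iid] = "unmanaged: never registered (agent not running or no path to SSM endpoints)"
    return result


# Constructed sample data (trimmed to the fields used above).
CORE = "arn:aws:iam::123456789012:instance-profile/ssm-core"
S3ONLY = "arn:aws:iam::123456789012:instance-profile/s3-only"
DESCRIBE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0a1b2c3d4e5f60001", "State": {"Name": "running"}, "IamInstanceProfile": {"Arn": CORE}},
    {"InstanceId": "i-0a1b2c3d4e5f60002", "State": {"Name": "running"}},
    {"InstanceId": "i-0a1b2c3d4e5f60003", "State": {"Name": "running"}, "IamInstanceProfile": {"Arn": S3ONLY}},
    {"InstanceId": "i-0a1b2c3d4e5f60004", "State": {"Name": "running"}, "IamInstanceProfile": {"Arn": CORE}},
    {"InstanceId": "i-0a1b2c3d4e5f60005", "State": {"Name": "running"}, "IamInstanceProfile": {"Arn": CORE}},
    {"InstanceId": "i-0a1b2c3d4e5f60006", "State": {"Name": "stopped"}},
]}]}
INSTANCE_INFORMATION = {"InstanceInformationList": [
    {"InstanceId": "i-0a1b2c3d4e5f60001", "PingStatus": "Online"},
    {"InstanceId": "i-0a1b2c3d4e5f60004", "PingStatus": "ConnectionLost"},
]}
PROFILE_POLICIES = {
    CORE: [{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
            "Action": ["ssm:UpdateInstanceInformation", "ssmmessages:*", "ec2messages:*"]}]}],
    S3ONLY: [{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
              "Action": "s3:GetObject"}]}],
}

if __name__ == "__main__":
    for iid, status in triage(DESCRIBE_INSTANCES, INSTANCE_INFORMATION, PROFILE_POLICIES).items():
        print(iid, status)
```

Feed it real output by loading the two JSON documents from the CLI calls named above and building the profile-to-policies mapping for every profile ARN that appears; the order of checks mirrors the remediation order, so the first reason reported is the one to fix first.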
By following these steps, you can effectively manage your EC2 instances using AWS Systems Manager, ensuring compliance with the NIST 800-53 Revision 4 framework.