
Rule: Manage EC2 Instances Using AWS Systems Manager

Ensure compliance by managing EC2 instances through AWS Systems Manager.

Rule: EC2 instances should be managed by AWS Systems Manager
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: High

Rule Description:

This rule enforces that all EC2 instances in an AWS account should be managed by AWS Systems Manager to align with the NIST Cybersecurity Framework (CSF) v1. AWS Systems Manager is a service that allows you to automate operational tasks, manage instances at scale, and perform detailed system-level monitoring for EC2 instances.

By utilizing AWS Systems Manager, you can ensure that your EC2 instances are continuously monitored for security compliance, patch management, software inventory, and adherence to regulatory requirements. This rule helps maintain a secure and compliant environment by centralizing and streamlining the management of EC2 instances.

Troubleshooting Steps:

  1. Verify AWS Systems Manager is enabled:

     • Check if the AWS Systems Manager service is enabled in your AWS account. Go to the AWS Management Console, navigate to the Systems Manager service, and confirm its status.

  2. Check EC2 instance association:

     • Validate that all EC2 instances in your account are properly associated with AWS Systems Manager. You can do this by navigating to the Systems Manager service > Managed Instances. Ensure that all instances are listed and have a "Managed" status.

  3. Review instance compliance:

     • Check the compliance status of EC2 instances managed by AWS Systems Manager. Go to Systems Manager service > Compliance > State Manager Compliance. Here, you can view the overall compliance level and identify any non-compliant instances.

  4. Verify patching:

     • Ensure that EC2 instances are receiving timely security patches. Go to the Systems Manager service > Patch Manager > Patch Compliance. Check if the instances are up to date with the latest available patches.
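The console checks above tell you which instances Systems Manager does not list, but not why. An instance only shows up as managed when SSM Agent is running, has an IAM instance profile (or default host management configuration) that lets it authenticate, and can reach the SSM endpoints. The script below is an added example (not Cloud Defense code) that works over the response shapes of boto3's `ec2.describe_instances()` and `ssm.describe_instance_information()`; the payloads here are constructed so it runs offline, and the account ID and instance IDs are placeholders. It sorts every running instance that is not "Online" in SSM into a likely cause and emits the same COMPLIANT / NON_COMPLIANT evaluation shape that AWS Config uses for `AWS::EC2::Instance`, so you can compare it directly with the managed rule's results.

```python
"""Triage EC2 instances that Systems Manager does not report as managed.

Added example, not Cloud Defense code. Assumes the dict shapes returned by
boto3 ec2.describe_instances() and ssm.describe_instance_information();
the sample payloads below are constructed (placeholder IDs) so it runs offline.
"""

# Constructed sample: four instances, one stopped, one without an instance profile.
EC2_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa000000000001", "State": {"Name": "running"},
         "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/ssm-core"}},
        {"InstanceId": "i-0aaa000000000002", "State": {"Name": "running"}},  # no profile
        {"InstanceId": "i-0aaa000000000003", "State": {"Name": "running"},
         "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/ssm-core"}},
        {"InstanceId": "i-0aaa000000000004", "State": {"Name": "stopped"}},
    ]},
]

# Constructed sample: what SSM knows about the fleet (InstanceInformationList).
SSM_INSTANCE_INFO = [
    {"InstanceId": "i-0aaa000000000001", "PingStatus": "Online"},
    {"InstanceId": "i-0aaa000000000003", "PingStatus": "ConnectionLost"},
]


def running_instances(reservations):
    """Flatten describe_instances output to {instance_id: instance} for running instances."""
    out = {}
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") == "running":
                out[inst["InstanceId"]] = inst
    return out


def classify(reservations, ssm_info):
    """Return {instance_id: likely cause} for running instances not Online in SSM."""
    ping = {i["InstanceId"]: i.get("PingStatus") for i in ssm_info}
    findings = {}
    for iid, inst in running_instances(reservations).items():
        status = ping.get(iid)
        if status == "Online":
            continue  # managed: agent is checking in
        if status is not None:
            # SSM has seen the agent before, so IAM was fine at some point.
            findings[iid] = (f"registered but {status}: agent stopped, or outbound "
                             "path to the SSM endpoints is broken")
        elif "IamInstanceProfile" not in inst:
            # Without a profile the agent has no credentials to register with.
            findings[iid] = ("never registered and no instance profile: agent "
                             "cannot authenticate to SSM")
        else:
            # Profile present (permissions not verified here); look at the agent and network.
            findings[iid] = ("never registered despite an instance profile: check "
                             "SSM Agent install/start, the profile's SSM permissions, "
                             "and the network path to SSM endpoints")
    return findings


def to_config_evaluations(reservations, ssm_info):
    """Emit AWS Config style evaluations for every running instance."""
    findings = classify(reservations, ssm_info)
    evaluations = []
    for iid in sorted(running_instances(reservations)):
        evaluations.append({
            "ComplianceResourceType": "AWS::EC2::Instance",
            "ComplianceResourceId": iid,
            "ComplianceType": "NON_COMPLIANT" if iid in findings else "COMPLIANT",
            # Config caps Annotation at 256 characters.
            "Annotation": findings.get(iid, "Managed by Systems Manager")[:256],
        })
    return evaluations


if __name__ == "__main__":
    for ev in to_config_evaluations(EC2_RESERVATIONS, SSM_INSTANCE_INFO):
        print(ev["ComplianceResourceId"], ev["ComplianceType"], "-", ev["Annotation"])
```

Run it with real data by replacing the two constants with `ec2.describe_instances()["Reservations"]` and `ssm.describe_instance_information()["InstanceInformationList"]` (paginating both). Stopped instances are skipped on purpose: SSM cannot see them, and the managed Config rule only evaluates instances that can check in.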

Required Codes:

To automate the enforcement of AWS Systems Manager management for EC2 instances, you can utilize AWS Config and AWS Systems Manager Automation documents.

  1. AWS Config Rule:

     • Create an AWS Config rule that checks whether all EC2 instances are managed by AWS Systems Manager. Use the JSON snippet below (the AWS managed rule EC2_MANAGED_BY_SYSTEMS_MANAGER is triggered by configuration changes, so no execution frequency is set):
{
  "ConfigRuleName": "EC2ManagedBySystemsManager",
  "Description": "Checks whether all EC2 instances are managed by AWS Systems Manager.",
  "Scope": {
    "ComplianceResourceTypes": [
      "AWS::EC2::Instance"
    ]
  },
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "EC2_MANAGED_BY_SYSTEMS_MANAGER"
  },
  "InputParameters": "{}",
  "ConfigRuleState": "ACTIVE"
}
  2. Systems Manager Automation Document:

     • Create an Automation document to remediate instances not managed by AWS Systems Manager. The YAML snippet below creates a State Manager association that runs AWS-UpdateSSMAgent on the target instance; note that the association can only take effect once SSM Agent on the instance is running with an instance profile that allows it to register.
---
description: "Remediation for EC2 instances not managed by Systems Manager"
schemaVersion: "0.3"
assumeRole: "{{ AutomationAssumeRole }}"
parameters:
  InstanceId:
    type: "String"
    description: "(Required) ID of the EC2 instance to remediate."
  AutomationAssumeRole:
    type: "String"
    description: "(Optional) ARN of the IAM role Automation assumes on your behalf."
    default: ""
mainSteps:
  - name: "CreateUpdateAgentAssociation"
    action: "aws:executeAwsApi"
    # For aws:executeAwsApi the API request fields sit directly under inputs.
    inputs:
      Service: "ssm"
      Api: "CreateAssociation"
      Name: "AWS-UpdateSSMAgent"
      Targets:
        - Key: "InstanceIds"
          Values:
            - "{{ InstanceId }}"
    # Valid values are Abort, Continue or step:<name>; Abort stops the execution.
    onFailure: "Abort"

Remediation Steps:

To enforce the requirement of EC2 instances being managed by AWS Systems Manager, follow these steps:

  1. Set up the AWS Config rule:

     • Sign in to the AWS Management Console.
     • Navigate to the AWS Config service.
     • Create a new rule with the provided JSON code snippet.
     • Save the rule configuration and ensure it is in an active state.

  2. Monitor compliance:

     • Go to the AWS Config service > Rules.
     • Locate the "EC2ManagedBySystemsManager" rule and verify its compliance evaluation status.
     • Monitor the Compliance Dashboard for any non-compliant instances.

  3. Remediate non-compliant instances:

     • If there are any non-compliant EC2 instances, follow the remediation steps below.

  4. Create an SSM Automation document for remediation:

     • Go to the AWS Systems Manager service.
     • Create a new Automation document with the provided YAML code snippet.
     • Save the Automation document.

  5. Execute the Automation document to remediate instances:

     • Locate the non-compliant EC2 instance(s).
     • Select the instance(s) and choose "Execute Automation".
     • Select the Automation document created in the previous step.
     • Start the automation execution.

  6. Verify compliance after remediation:

     • Monitor the Compliance Dashboard in AWS Config for the updated compliance status of the EC2 instances. They should now be marked as compliant.

By following these steps, you can ensure that all EC2 instances within your AWS account are managed by AWS Systems Manager, aligning with the NIST Cybersecurity Framework (CSF) v1.
