Ensure compliance by managing EC2 instances through AWS Systems Manager.
| Attribute | Value |
| --- | --- |
| Rule | EC2 instances should be managed by AWS Systems Manager |
| Framework | NIST Cybersecurity Framework (CSF) v1.1 |
| Severity | High |
Rule Description:
This rule enforces that all EC2 instances in an AWS account should be managed by AWS Systems Manager to align with the NIST Cybersecurity Framework (CSF) v1. AWS Systems Manager is a service that allows you to automate operational tasks, manage instances at scale, and perform detailed system-level monitoring for EC2 instances.
By utilizing AWS Systems Manager, you can ensure that your EC2 instances are continuously monitored for security compliance, patch management, software inventory, and adherence to regulatory requirements. This rule helps maintain a secure and compliant environment by centralizing and streamlining the management of EC2 instances.
Troubleshooting Steps:
1. Verify that AWS Systems Manager is enabled:
2. Check the EC2 instance associations:
3. Review instance compliance:
4. Verify patching:
Required Codes:
To automate the enforcement of AWS Systems Manager management for EC2 instances, you can use an AWS Config rule to detect unmanaged instances and an AWS Systems Manager Automation document to remediate them.
AWS Config rule (the managed rule identifier is EC2_INSTANCE_MANAGED_BY_SSM; it is triggered by configuration changes, so no execution frequency is set):

```json
{
  "ConfigRuleName": "EC2ManagedBySystemsManager",
  "Description": "Checks whether all EC2 instances are managed by AWS Systems Manager.",
  "Scope": {
    "ComplianceResourceTypes": [
      "AWS::EC2::Instance"
    ]
  },
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "EC2_INSTANCE_MANAGED_BY_SSM"
  },
  "InputParameters": "{}",
  "ConfigRuleState": "ACTIVE"
}
```
Systems Manager Automation document for remediation (both parameters it references are declared, and the CreateAssociation inputs match the API):

```yaml
---
description: "Remediation for EC2 instances not managed by Systems Manager"
schemaVersion: "0.3"
assumeRole: "{{ AutomationAssumeRole }}"
parameters:
  AutomationAssumeRole:
    type: "String"
    description: "IAM role that Automation assumes to call ssm:CreateAssociation"
  AutomationResourceId:
    type: "String"
    description: "ID of the non-compliant EC2 instance passed in by AWS Config remediation"
mainSteps:
  - name: "InvokeAwsApiAction"
    action: "aws:executeAwsApi"
    # valid values are Abort, Continue or step:<stepName>
    onFailure: "Abort"
    inputs:
      Service: "ssm"
      Api: "CreateAssociation"
      # CreateAssociation takes the document name and the targets directly;
      # the document's own parameters would go under "Parameters".
      Name: "AWS-UpdateSSMAgent"
      Targets:
        - Key: "InstanceIds"
          Values:
            - "{{ AutomationResourceId }}"
```
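As an added example (not code from the original page), the following script applies the same test the Config rule above applies, whether an instance appears in the Systems Manager managed-instance inventory, and classifies each unmanaged instance by the first cause a practitioner checks during the troubleshooting steps; the input shapes mirror the `ec2:DescribeInstances` and `ssm:DescribeInstanceInformation` responses, the sample data is constructed, and `live_findings` is an assumed boto3 wrapper for running it against a real account.

```python
# Added example: offline version of the "is this instance managed by SSM?"
# check, over data shaped like ec2:DescribeInstances and
# ssm:DescribeInstanceInformation responses. Sample data is constructed.
def unmanaged_instances(reservations, instance_information):
    """Return {instance_id: reason} for running instances SSM is not managing."""
    # PingStatus is Online, ConnectionLost or Inactive for registered instances
    ping = {i["InstanceId"]: i.get("PingStatus", "Unknown") for i in instance_information}
    findings = {}
    for reservation in reservations:
        for inst in reservation["Instances"]:
            if inst["State"]["Name"] != "running":
                continue  # a stopped instance cannot be reporting; skip it
            iid = inst["InstanceId"]
            status = ping.get(iid)
            if status == "Online":
                continue  # registered and reporting: compliant
            if status is not None:
                findings[iid] = f"registered but agent {status}"
            elif "IamInstanceProfile" not in inst:
                findings[iid] = "no IAM instance profile, agent cannot register"
            else:
                findings[iid] = "never registered: agent missing/stopped or no path to SSM endpoints"
    return findings

# Constructed sample: one compliant, one without a profile, one never registered,
# one stopped (ignored) and one whose agent lost its connection.
PROFILE = {"Arn": "arn:aws:iam::111122223333:instance-profile/ssm-core"}  # placeholder account
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa", "State": {"Name": "running"}, "IamInstanceProfile": PROFILE},
    {"InstanceId": "i-0bbb", "State": {"Name": "running"}},
    {"InstanceId": "i-0ccc", "State": {"Name": "running"}, "IamInstanceProfile": PROFILE},
    {"InstanceId": "i-0ddd", "State": {"Name": "stopped"}},
    {"InstanceId": "i-0eee", "State": {"Name": "running"}, "IamInstanceProfile": PROFILE},
]}]
SAMPLE_INSTANCE_INFO = [
    {"InstanceId": "i-0aaa", "PingStatus": "Online"},
    {"InstanceId": "i-0eee", "PingStatus": "ConnectionLost"},
]

def live_findings(region_name):
    """Run the same check against a real account (needs boto3 and credentials)."""
    import boto3  # imported here so the offline example needs no SDK
    ec2, ssm = boto3.client("ec2", region_name=region_name), boto3.client("ssm", region_name=region_name)
    reservations = [r for page in ec2.get_paginator("describe_instances").paginate()
                    for r in page["Reservations"]]
    info = [i for page in ssm.get_paginator("describe_instance_information").paginate()
            for i in page["InstanceInformationList"]]
    return unmanaged_instances(reservations, info)

if __name__ == "__main__":
    for iid, reason in sorted(unmanaged_instances(SAMPLE_RESERVATIONS, SAMPLE_INSTANCE_INFO).items()):
        print(f"{iid}: {reason}")
```

An instance in the last two categories will not pick up an association until its agent can reach the service, so the instance profile (AmazonSSMManagedInstanceCore), the agent itself and the network path to the SSM endpoints must be fixed before the Automation document above can act on it.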
Remediation Steps:
To enforce the requirement that EC2 instances be managed by AWS Systems Manager, follow these steps:
1. Set up the AWS Config rule:
2. Monitor compliance:
3. Remediate non-compliant instances:
4. Create an SSM Automation document for remediation:
5. Execute the Automation document to remediate instances:
6. Verify compliance after remediation:
By following these steps, you can ensure that all EC2 instances within your AWS account are managed by AWS Systems Manager, aligning with the NIST Cybersecurity Framework (CSF) v1.