This rule checks that every EC2 instance is managed by AWS Systems Manager, since an instance outside Systems Manager cannot be patched, inventoried, or configured from the central management plane.
Rule | EC2 instances should be managed by AWS Systems Manager |
Framework | CISA-cyber-essentials |
Severity | ✔ High |
EC2 Instances Managed by AWS Systems Manager for CISA Cyber Essentials
Managing EC2 instances with AWS Systems Manager (SSM) is an important aspect of adhering to the Cybersecurity and Infrastructure Security Agency's (CISA) Cyber Essentials. Systems Manager lets you automate routine administration, in particular OS patching (Patch Manager), software configuration (State Manager and Run Command), and inventory collection, which is how you demonstrate that instances are kept current and consistently configured.
Rule/Policy Description
AWS Systems Manager
AWS Systems Manager is a management service that enables visibility and control over AWS infrastructure. SSM provides a unified user interface which allows you to view operational data from multiple AWS services and allows you to automate operational tasks across your AWS resources.
CISA Cyber Essentials
The CISA Cyber Essentials are a set of recommended practices for cybersecurity, designed to guide businesses, particularly those with small to medium-sized operations, through the process of establishing and maintaining a cybersecurity program.
Troubleshooting Steps
If your EC2 instances are not currently managed by AWS Systems Manager, follow these steps to troubleshoot and remediate:
Step 1: Verify SSM Agent Installation
Each EC2 instance must have the AWS Systems Manager Agent (SSM Agent) installed and running.
Connect to your EC2 instance using SSH or Session Manager. Note that Session Manager itself depends on a working SSM Agent, so for an instance that is not yet managed you will need SSH or EC2 Instance Connect.
Run the following command to check if the SSM Agent is installed:
sudo systemctl status amazon-ssm-agent
If the SSM Agent is not installed or not running, install or start the agent using the relevant commands for your operating system. The agent is preinstalled on the Amazon Linux, Ubuntu Server, and Windows Server AMIs that AWS provides; on Ubuntu it is usually installed as a snap, so the unit to check there is snap.amazon-ssm-agent.amazon-ssm-agent.service rather than amazon-ssm-agent.
Step 2: Attach IAM Role to EC2 Instances
EC2 instances must have an IAM role with permissions to communicate with Systems Manager.
Attach an instance profile whose role carries the AmazonSSMManagedInstanceCore managed policy; this is the policy AWS currently recommends for the agent's core Systems Manager permissions. The older AmazonEC2RoleforSSM policy found in many guides is deprecated and grants broader permissions than the agent needs, so prefer the newer policy and add only the extra permissions your use case requires (for example S3 access for Patch Manager logs). Instance profile changes take effect without a reboot, although the agent can take a few minutes to pick up the new credentials.
Step 3: Ensure Network Accessibility
The agent needs outbound HTTPS (TCP 443) to the regional ssm, ssmmessages, and ec2messages service endpoints. Instances in public subnets or behind a NAT gateway reach them over the internet; for private subnets without a NAT gateway, create interface VPC endpoints for com.amazonaws.<AWS_REGION>.ssm, com.amazonaws.<AWS_REGION>.ssmmessages, and com.amazonaws.<AWS_REGION>.ec2messages, and make sure the security groups allow the instance to reach them on port 443.
Step 4: Confirm Instance Registration
After proper setup, confirm that the instance appears in Fleet Manager in the Systems Manager console, or query the managed-instance inventory with the describe-instance-information CLI command. The instance is only managed when it is listed with a PingStatus of Online; an entry showing ConnectionLost or Inactive means the agent registered at some point but is no longer reporting, and such an instance still fails this rule.
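The following audit script is an added example and is not code from the original rule page. It reproduces the check this rule performs: it compares the set of running instances from EC2 against the Systems Manager managed-instance inventory and reports any running instance that is either not registered at all or registered with a PingStatus other than Online. The two JSON samples are constructed to mirror the response shapes of aws ec2 describe-instances and aws ssm describe-instance-information and are not real account data; the optional fetch_live() helper assumes boto3 and AWS credentials are available and is only called when a region is passed on the command line.

```python
"""Audit which running EC2 instances are not managed by Systems Manager.

Added example, not code from the original rule page. The JSON samples below
are constructed to mirror the response shapes of `aws ec2 describe-instances`
and `aws ssm describe-instance-information`; they are not real account data.
The optional fetch_live() helper assumes boto3 and AWS credentials are present.
"""

# Constructed sample: four instances, one of them stopped.
SAMPLE_EC2 = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111122223333a", "State": {"Name": "running"}},
            {"InstanceId": "i-0bbb111122223333b", "State": {"Name": "running"}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0ccc111122223333c", "State": {"Name": "running"}},
            {"InstanceId": "i-0ddd111122223333d", "State": {"Name": "stopped"}},
        ]},
    ]
}

# Constructed sample: only two of the running instances have ever registered,
# and one of those has lost its agent connection.
SAMPLE_SSM = {
    "InstanceInformationList": [
        {"InstanceId": "i-0aaa111122223333a", "PingStatus": "Online",
         "AgentVersion": "3.2.1705.0", "PlatformName": "Amazon Linux"},
        {"InstanceId": "i-0bbb111122223333b", "PingStatus": "ConnectionLost",
         "AgentVersion": "3.1.1927.0", "PlatformName": "Ubuntu"},
    ]
}


def running_instance_ids(ec2_response):
    """Return the IDs of instances in the 'running' state."""
    ids = set()
    for reservation in ec2_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") == "running":
                ids.add(inst["InstanceId"])
    return ids


def ssm_ping_status(ssm_response):
    """Map registered instance ID -> PingStatus (Online, ConnectionLost, Inactive)."""
    return {
        item["InstanceId"]: item.get("PingStatus", "Unknown")
        for item in ssm_response.get("InstanceInformationList", [])
    }


def unmanaged_instances(ec2_response, ssm_response):
    """Return {instance_id: reason} for running instances SSM cannot manage.

    An instance only counts as managed when it is registered AND its agent is
    currently reporting Online; a registered-but-ConnectionLost instance cannot
    receive patches or Run Command invocations either.
    """
    status = ssm_ping_status(ssm_response)
    findings = {}
    for instance_id in sorted(running_instance_ids(ec2_response)):
        if instance_id not in status:
            findings[instance_id] = "not registered with Systems Manager"
        elif status[instance_id] != "Online":
            findings[instance_id] = f"registered but PingStatus={status[instance_id]}"
    return findings


def fetch_live(region):
    """Pull the same two responses from a real account (assumes boto3 + credentials)."""
    import boto3  # assumption: boto3 is installed and credentials are configured

    ec2 = boto3.client("ec2", region_name=region)
    ssm = boto3.client("ssm", region_name=region)
    ec2_response = {"Reservations": []}
    for page in ec2.get_paginator("describe_instances").paginate():
        ec2_response["Reservations"].extend(page["Reservations"])
    ssm_response = {"InstanceInformationList": []}
    for page in ssm.get_paginator("describe_instance_information").paginate():
        ssm_response["InstanceInformationList"].extend(page["InstanceInformationList"])
    return ec2_response, ssm_response


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        ec2_data, ssm_data = fetch_live(sys.argv[1])  # e.g. us-east-1
    else:
        ec2_data, ssm_data = SAMPLE_EC2, SAMPLE_SSM
    for instance_id, reason in unmanaged_instances(ec2_data, ssm_data).items():
        print(f"NON-COMPLIANT {instance_id}: {reason}")
```

On the constructed samples the script reports i-0bbb111122223333b (registered but ConnectionLost) and i-0ccc111122223333c (never registered); the stopped instance is ignored because a stopped instance cannot run the agent. Treating ConnectionLost as non-compliant is deliberate: a stopped or broken agent leaves the instance just as unpatchable as one that was never registered.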
Remediation using CLI Commands
Install SSM Agent on Linux
sudo yum install -y https://s3.<AWS_REGION>.amazonaws.com/amazon-ssm-<AWS_REGION>/latest/linux_amd64/amazon-ssm-agent.rpm
Replace <AWS_REGION> with your EC2 instance's AWS region; the agent package bucket is region-specific. Use linux_arm64 in place of linux_amd64 on Graviton instances.
Start SSM Agent on Linux
sudo systemctl start amazon-ssm-agent
sudo systemctl enable amazon-ssm-agent
Attach IAM Role to EC2 Instance via CLI
Create a role that the EC2 service can assume, attach the AmazonSSMManagedInstanceCore managed policy (the deprecated AmazonEC2RoleforSSM policy shown in older guides is broader than the agent needs), wrap the role in an instance profile, and associate the profile with the instance. TrustPolicyForSSM.json must contain a trust policy whose Principal is the service ec2.amazonaws.com:
aws iam create-role --role-name SSMRoleForEC2 --assume-role-policy-document file://TrustPolicyForSSM.json
aws iam attach-role-policy --role-name SSMRoleForEC2 --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
aws iam create-instance-profile --instance-profile-name SSMRoleForEC2
aws iam add-role-to-instance-profile --instance-profile-name SSMRoleForEC2 --role-name SSMRoleForEC2
aws ec2 associate-iam-instance-profile --instance-id i-1234567890abcdef0 --iam-instance-profile Name=SSMRoleForEC2
Replace i-1234567890abcdef0 with your instance ID. If the instance already has an instance profile, associate-iam-instance-profile will fail; either add the AmazonSSMManagedInstanceCore policy to the existing role or use replace-iam-instance-profile-association instead.
By ensuring that EC2 instances are managed by AWS Systems Manager in line with CISA's Cyber Essentials, organizations keep patching, configuration, and inventory under central control. Audit this continuously rather than occasionally: the AWS Config managed rule ec2-instance-managed-by-systems-manager evaluates the same condition and will flag any instance that launches without the agent, the instance profile, or the required network path.