This rule specifies that EC2 instances must be managed using AWS Systems Manager.
Rule | EC2 instances should be managed by AWS Systems Manager |
Framework | FedRAMP Low Revision 4 |
Severity | High |
EC2 Instances Compliance with AWS Systems Manager for FedRAMP Low Revision 4
To comply with FedRAMP Low Revision 4 requirements, Amazon EC2 instances need to be managed by AWS Systems Manager (SSM). SSM gives you one auditable channel for inventory, patching, configuration and remote administration without opening inbound SSH or RDP to the instances. Below is a guide to bringing EC2 instances into compliance with this rule: how to recognise a non-compliant instance, the troubleshooting steps, and the CLI commands for remediation.
Requirement Details
The FedRAMP Low Revision 4 baseline (built on the NIST SP 800-53 Revision 4 low baseline) includes configuration management, component inventory and flaw remediation controls that are far easier to implement and evidence when every instance is enrolled in a central management service. AWS Systems Manager is the AWS service for inventorying, patching and configuring EC2 instances. For this rule, an instance counts as managed when it appears in the output of aws ssm describe-instance-information with a PingStatus of Online, which in turn requires three things: the SSM Agent installed and running on the instance, an instance profile whose role carries the permissions in AmazonSSMManagedInstanceCore (or an equivalent least-privilege policy), and a network path from the instance to the Systems Manager endpoints.
Troubleshooting Steps
If your EC2 instances are not currently managed by SSM, you may encounter compliance and security issues. Here are steps to identify and resolve such issues:
Check SSM Agent Install: Ensure that the AWS Systems Manager Agent (SSM Agent) is installed on each EC2 instance. It is preinstalled on Amazon Linux 2, Amazon Linux 2023 and many current AWS-provided AMIs, but not necessarily on custom or marketplace images.
Verify IAM Role Assignment: The EC2 instance must have an IAM Role with sufficient permissions to communicate with SSM.
Confirm Network Configuration: Ensure instances are within a VPC that can reach AWS Systems Manager endpoints, either through the internet or a VPC endpoint.
Diagnose SSM Agent Status: If the SSM Agent is installed but the instance still does not register, check the service status and the agent log (/var/log/amazon/ssm/amazon-ssm-agent.log on Linux, %ProgramData%\Amazon\SSM\Logs\amazon-ssm-agent.log on Windows). Registration failures against the ssm endpoint usually name the cause: credential errors point at the IAM role, DNS or connection timeouts point at the network path.
Review Systems Manager Console: Check for any operational warnings or errors in the Systems Manager console which might indicate misconfigurations.
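The five checks above can be automated. The following script is an added example for this page, not code from the original page or from AWS: it takes the objects returned by ec2:DescribeInstances and ssm:DescribeInstanceInformation, flags every running instance that is not Online in Systems Manager, and assigns each one a likely cause that maps back to the checks above (missing instance profile, never registered, registered but offline). The sample data is constructed inline so the script runs offline; the fetch_live() helper assumes boto3 and AWS credentials are available and is only used with the --live flag.

```python
"""Find running EC2 instances that Systems Manager does not manage, and say why."""
import sys
from dataclasses import dataclass
from typing import Dict, List

# Each cause maps to one of the troubleshooting checks on the page.
CAUSE_NO_PROFILE = "no-instance-profile"    # Verify IAM Role Assignment
CAUSE_NOT_REGISTERED = "never-registered"   # Check agent install / network path
CAUSE_AGENT_OFFLINE = "agent-offline"       # Diagnose SSM Agent Status


@dataclass(frozen=True)
class Finding:
    instance_id: str
    cause: str
    detail: str


def assess(ec2_instances: List[Dict], ssm_records: List[Dict]) -> List[Finding]:
    """Return one Finding per running instance that is not Online in SSM.

    ec2_instances: the Instances objects from ec2:DescribeInstances.
    ssm_records:   the InstanceInformationList from ssm:DescribeInstanceInformation.
    """
    registered = {r["InstanceId"]: r for r in ssm_records}
    findings: List[Finding] = []
    for inst in ec2_instances:
        if inst.get("State", {}).get("Name") != "running":
            continue  # a stopped instance cannot be Online; evaluate it once it runs
        iid = inst["InstanceId"]
        rec = registered.get(iid)
        if rec is None:
            if not inst.get("IamInstanceProfile"):
                findings.append(Finding(iid, CAUSE_NO_PROFILE,
                                        "no IAM instance profile attached"))
            else:
                findings.append(Finding(iid, CAUSE_NOT_REGISTERED,
                                        "profile attached but agent never registered: "
                                        "check agent install, role policy, endpoint reachability"))
        elif rec.get("PingStatus") != "Online":
            findings.append(Finding(iid, CAUSE_AGENT_OFFLINE,
                                    f"registered but PingStatus={rec.get('PingStatus')}"))
    return findings


def fetch_live(region: str):
    """Pull both inventories from AWS. Assumes boto3 and credentials (not part of the page)."""
    import boto3  # imported here so the offline sample run needs no SDK installed
    ec2 = boto3.client("ec2", region_name=region)
    ssm = boto3.client("ssm", region_name=region)
    instances = [i for page in ec2.get_paginator("describe_instances").paginate()
                 for r in page["Reservations"] for i in r["Instances"]]
    records = [r for page in ssm.get_paginator("describe_instance_information").paginate()
               for r in page["InstanceInformationList"]]
    return instances, records


# Constructed sample data in the shape the two APIs return (trimmed to the fields used).
SAMPLE_EC2 = [
    {"InstanceId": "i-0aaa000000000001", "State": {"Name": "running"},
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/SSMRoleForCompliance"}},
    {"InstanceId": "i-0bbb000000000002", "State": {"Name": "running"}},
    {"InstanceId": "i-0ccc000000000003", "State": {"Name": "running"},
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/WebRole"}},
    {"InstanceId": "i-0ddd000000000004", "State": {"Name": "running"},
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/SSMRoleForCompliance"}},
    {"InstanceId": "i-0eee000000000005", "State": {"Name": "stopped"}},
]
SAMPLE_SSM = [
    {"InstanceId": "i-0aaa000000000001", "PingStatus": "Online"},
    {"InstanceId": "i-0ddd000000000004", "PingStatus": "ConnectionLost"},
]


def main(argv: List[str]) -> int:
    if len(argv) > 2 and argv[1] == "--live":
        instances, records = fetch_live(argv[2])
    else:
        instances, records = SAMPLE_EC2, SAMPLE_SSM
    findings = assess(instances, records)
    for f in findings:
        print(f"{f.instance_id}\t{f.cause}\t{f.detail}")
    return 1 if findings else 0  # non-zero exit lets this act as a compliance gate


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the three non-compliant sample instances, or with --live us-east-1 (or another region) against a real account. The stopped instance is deliberately skipped: it cannot be Online, and flagging it would only produce noise until it is started, at which point the same script will catch it.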
Remediation Steps with CLI Commands
Here is a step-by-step guide to remediate non-compliant instances using the AWS CLI:
Step 1: Ensure SSM Agent is Installed
List the instances that have registered with Systems Manager, together with their agent health. An instance that is missing from this list either has no agent, has no working IAM role, or cannot reach the SSM endpoints, so this command is the check for the rule as a whole, not just for agent installation:
aws ssm describe-instance-information --output table --query 'InstanceInformationList[*].[InstanceId,PingStatus,AgentVersion]'
Install the SSM Agent if it is not present (this has to be done over SSH, EC2 Instance Connect or user data, since the instance is not yet reachable through SSM; Amazon Linux 2 and Amazon Linux 2023 ship with it preinstalled):
# For Amazon Linux based instances:
sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
# For Ubuntu instances:
sudo snap install amazon-ssm-agent --classic
Step 2: Assign IAM Role to EC2 Instances
Create an IAM role that trusts the EC2 service (trust-policy.json must grant sts:AssumeRole to the ec2.amazonaws.com service principal), attach the AmazonSSMManagedInstanceCore managed policy, wrap the role in an instance profile, and associate the profile with the instance. Note that associate-iam-instance-profile takes an instance profile, not a bare role, so the profile must exist and contain the role before the last command runs:
aws iam create-role --role-name SSMRoleForCompliance --assume-role-policy-document file://trust-policy.json
aws iam attach-role-policy --role-name SSMRoleForCompliance --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
aws iam create-instance-profile --instance-profile-name SSMRoleForCompliance
aws iam add-role-to-instance-profile --instance-profile-name SSMRoleForCompliance --role-name SSMRoleForCompliance
aws ec2 associate-iam-instance-profile --instance-id i-1234567890abcdef0 --iam-instance-profile Name=SSMRoleForCompliance
If the instance already has an instance profile for its workload, attach AmazonSSMManagedInstanceCore to that profile's role instead of replacing it, so existing application permissions are not lost. The agent picks up the new credentials on its next retry; restarting it (Step 4) avoids waiting.
Step 3: Setup Network Configuration
If your instance must reach SSM without internet access (no NAT gateway or internet gateway route), create interface VPC endpoints. The agent needs the ssm and ec2messages services to register and receive commands, and ssmmessages as well if you use Session Manager. Replace region with your region, and use a security group that allows inbound TCP 443 from the instances' subnets; the subnet and security group IDs below are placeholders:
for svc in ssm ec2messages ssmmessages; do
  aws ec2 create-vpc-endpoint --vpc-id vpc-12345678 --vpc-endpoint-type Interface --service-name com.amazonaws.region.$svc --subnet-ids subnet-12345678 --security-group-ids sg-12345678 --private-dns-enabled
done
Private DNS must be enabled so that the agent's default endpoint hostnames resolve to the endpoint's private IP addresses.
Step 4: Verify SSM Agent Status
To check if the SSM Agent is running, use:
sudo systemctl status amazon-ssm-agent
On distributions that still use upstart instead of systemd (for example Amazon Linux 1 or Ubuntu 14.04):
sudo status amazon-ssm-agent
If the agent was installed from the snap on Ubuntu, the systemd unit is named after the snap:
sudo systemctl status snap.amazon-ssm-agent.amazon-ssm-agent.service
Step 5: Configure Automatic SSM Agent Updates
Keep the agent current so that managed instances do not fall behind on agent fixes. Note that amazon-ssm-agent -register enrols non-EC2 (hybrid) machines with an activation code and does nothing for updates. For EC2 instances, create a State Manager association that runs the AWS-UpdateSSMAgent document on a schedule:
aws ssm create-association --name AWS-UpdateSSMAgent --targets "Key=InstanceIds,Values=i-1234567890abcdef0" --schedule-expression "rate(14 days)"
Use Key=InstanceIds,Values=* or a tag-based target to cover every managed instance in the account rather than a single instance ID.
Conclusion
By following the above guidelines, troubleshooting steps, and remediation instructions with the necessary CLI commands, your EC2 instances should comply with AWS Systems Manager requirements for FedRAMP Low Revision 4. Always ensure your security and compliance measures are up-to-date with federal regulations.