Rule: EC2 Instances Should be Managed by AWS Systems Manager
Ensure EC2 instances are managed by AWS Systems Manager for improved security and compliance.
| Rule | EC2 instances should be managed by AWS Systems Manager |
| Framework | NIST 800-53 Revision 4 |
| Severity | ✔ High |
Rule Description
According to NIST 800-53 Revision 4, EC2 instances should be managed by AWS Systems Manager. This rule ensures that proper management and control are maintained over EC2 instances for enhanced security and operational efficiency.
Troubleshooting Steps
Troubleshooting Step 1: Verify Systems Manager Agent (SSM Agent) Installation
- 1.Log in to the AWS Management Console.
- 2.Navigate to the EC2 dashboard.
- 3.Select the desired EC2 instance.
- 4.Check the "Status Checks" tab.
- 5.If the SSM Agent status is not "Ok," the agent might not be installed correctly.
- 6.Install the SSM Agent by following the AWS Systems Manager documentation.
Troubleshooting Step 2: Verify IAM Role and Permissions
- 1.Confirm that the EC2 instance has an IAM role attached.
- 2.Ensure that the IAM role has the necessary permissions for Systems Manager.
- 3.Grant permissions such as "ssm:UpdateInstanceInformation" and "ssm:ListAssociations" to the role.
- 4.In the IAM console, search for the IAM role attached to the EC2 instance.
- 5.Select the role and add the required permissions.
Troubleshooting Step 3: Check Security Group Rules
- 1.Verify that the security group associated with the EC2 instance allows outbound traffic to the Systems Manager service endpoints.
- 2.Open the EC2 dashboard.
- 3.Select the desired EC2 instance and note the associated security group.
- 4.Navigate to the EC2 dashboard's "Security Group" section.
- 5.Select the security group associated with the EC2 instance.
- 6.Add an outbound rule to allow traffic to the Systems Manager service endpoints on port 443.
Necessary Codes
There are no specific codes associated with this rule. However, you may need to execute some AWS Command Line Interface (CLI) commands for troubleshooting and remediation purposes.
Step-by-Step Guide for Remediation
Follow these steps to remediate the rule and ensure EC2 instances are managed by AWS Systems Manager:
- 1.Log in to the AWS Management Console.
- 2.Navigate to the EC2 dashboard.
- 3.Select the desired EC2 instance.
- 4.Check the "Status Checks" tab. If the SSM Agent status is not "Ok," proceed to Step 5. Otherwise, jump to Step 8.
- 5.Install the SSM Agent by following the AWS Systems Manager documentation. Once installed, proceed to Step 6.
- 6.Verify the SSM Agent status again to ensure it is now "Ok."
- 7.If the SSM Agent status is still not "Ok," contact AWS support for further assistance.
- 8.Check if the EC2 instance has an IAM role attached. If not, proceed to Step 9. Otherwise, jump to Step 12.
- 9.In the EC2 dashboard, select the EC2 instance and navigate to the "Actions" dropdown menu.
- 10.Choose "Instance Settings" and then click on "Attach/Replace IAM Role."
- 11.Create a new IAM role or select an existing one and attach it to the EC2 instance. Proceed to Step 12.
- 12.Verify that the IAM role attached to the EC2 instance has the necessary permissions for Systems Manager. If not, proceed to Step 13. Otherwise, the remediation is complete.
- 13.In the IAM console, search for the IAM role attached to the EC2 instance.
- 14.Select the role and click on the "Attach policies" button.
- 15.Search for policies such as "AmazonSSMManagedInstanceCore" and attach them to the role.
- 16.Additionally, add any other required permissions like "s3:GetObject" or "ssm:ListAssociations" as per your specific use case.
- 17.Save the changes, and the EC2 instances will now be managed by AWS Systems Manager.
Note: Ensure that the security group associated with the EC2 instance allows outbound traffic to the Systems Manager service endpoints as described in the troubleshooting steps.
Remember to follow AWS best practices and guidelines while implementing security controls and managing EC2 instances within your environment.