
Rule: EC2 instances should be managed by AWS Systems Manager

This rule ensures EC2 instances are properly managed by AWS Systems Manager.

Rule: EC2 instances should be managed by AWS Systems Manager
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: High

Rule Description:

According to the NIST Cybersecurity Framework (CSF) v1, EC2 instances should be managed by AWS Systems Manager. AWS Systems Manager provides centralized visibility and control over your EC2 instances, helping you to maintain security and compliance.

By managing your EC2 instances with AWS Systems Manager, you can ensure that security patches and updates are regularly applied, enable centralized logging and monitoring, and enable compliance controls.

Troubleshooting Steps:

In case you encounter any issues while managing EC2 instances with AWS Systems Manager, you can follow these troubleshooting steps:

  1. Check IAM Roles: Ensure that the EC2 instances have the necessary IAM roles attached to enable communication with AWS Systems Manager. Verify that the instance IAM role has the appropriate permissions to interact with Systems Manager.

  2. Check Instance Connectivity: Make sure that the EC2 instances have proper network connectivity to reach AWS Systems Manager. Verify that the instances are in the correct subnet and have a route to the Systems Manager service.

  3. Verify Systems Manager Agent: Confirm that the Systems Manager agent is installed and running on the EC2 instances. Check the agent version and ensure it is up to date.

  4. Review Systems Manager Logs: Check the Systems Manager logs for any error messages or issues. The logs can provide insights into any failures or misconfigurations.

Necessary Codes:

In order to manage EC2 instances with AWS Systems Manager, you need to define appropriate IAM roles and attach them to the instances. Here is an example of how to create IAM roles using AWS CLI:

Create an IAM role for Systems Manager (trust-policy.json must name ec2.amazonaws.com as the principal allowed to assume the role, otherwise the instance cannot obtain credentials):

aws iam create-role --role-name MySystemsManagerRole --assume-role-policy-document file://trust-policy.json

Attach necessary policies to the role:

aws iam attach-role-policy --role-name MySystemsManagerRole --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore

Create an instance profile, add the role to it, and associate the profile with the EC2 instance. The associate-iam-instance-profile command takes an instance profile name, not a role name; the console creates the profile for you when you create an EC2 role, but the CLI does not:

aws iam create-instance-profile --instance-profile-name MySystemsManagerRole

aws iam add-role-to-instance-profile --instance-profile-name MySystemsManagerRole --role-name MySystemsManagerRole

aws ec2 associate-iam-instance-profile --instance-id $INSTANCE_ID --iam-instance-profile Name=MySystemsManagerRole

Replace $INSTANCE_ID with the actual ID of your EC2 instance.

Step-by-step Guide for Remediation:

To manage EC2 instances with AWS Systems Manager, follow these step-by-step instructions:

  1. Create an IAM role for Systems Manager:

    • Open the AWS Management Console and navigate to the IAM service.
    • Click on "Roles" in the sidebar and then click on "Create role".
    • Choose the service that will use this role (EC2 in this case) and click "Next".
    • Select the federated identity provider as "AWSServiceRoleForAmazonSSM" and click "Next".
    • Add tags if necessary and click "Next".
    • Specify a name for the role (e.g., MySystemsManagerRole) and click "Create role".

  2. Attach necessary policies to the role:

    • In the Roles list, search for the role you just created (e.g., MySystemsManagerRole) and click on it.
    • Click on "Attach policies".
    • Search for "AmazonSSMManagedInstanceCore" and select the corresponding policy.
    • Click "Attach policy" to attach it to the role.

  3. Associate the IAM role with the EC2 instance:

    • Open the AWS Management Console and navigate to the EC2 service.
    • Select the EC2 instance you want to manage with Systems Manager.
    • Click on "Actions" and then "Instance settings" and select "Attach/Replace IAM Role".
    • Select the IAM role you created earlier (e.g., MySystemsManagerRole).
    • Click "Apply" to associate the IAM role with the EC2 instance.

Once these steps are completed, the EC2 instance will be managed by AWS Systems Manager. You can utilize Systems Manager features such as patch management, automation, and Run Command to maintain security and compliance.
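To verify the rule across an account after remediation, the following added check (not Cloud Defense code) compares the EC2 inventory with what Systems Manager reports and maps each failing instance to the troubleshooting step most likely to apply. The evaluate() function is pure and runs on constructed sample data; the main() wrapper assumes boto3 and live credentials.

```python
"""Flag EC2 instances that are not managed by AWS Systems Manager."""
from __future__ import annotations


def live_instances(reservations: list[dict]) -> dict[str, dict]:
    """Map instance id -> instance for EC2 instances that are not gone."""
    out = {}
    for res in reservations:
        for inst in res.get("Instances", []):
            if inst.get("State", {}).get("Name") in ("terminated", "shutting-down"):
                continue
            out[inst["InstanceId"]] = inst
    return out


def evaluate(reservations: list[dict], ssm_info: list[dict]) -> dict[str, str]:
    """Return {instance_id: finding} for each instance failing the rule.

    An instance passes only if SSM lists it with PingStatus == "Online".
    The finding text points at the matching troubleshooting step:
    missing instance profile (IAM), never registered (agent/network),
    or registered but out of contact (agent/logs).
    """
    ssm_by_id = {i["InstanceId"]: i for i in ssm_info}
    findings = {}
    for iid, inst in live_instances(reservations).items():
        info = ssm_by_id.get(iid)
        if info is not None and info.get("PingStatus") == "Online":
            continue
        if "IamInstanceProfile" not in inst:
            findings[iid] = "no IAM instance profile attached; SSM agent cannot authenticate"
        elif info is None:
            findings[iid] = "never registered with SSM; check agent install and network path"
        else:
            findings[iid] = f"SSM PingStatus is {info.get('PingStatus')}; check agent and logs"
    return findings


# Constructed sample data (not real AWS output), shaped like the API responses.
PROFILE = {"Arn": "arn:aws:iam::123456789012:instance-profile/MySystemsManagerRole"}
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa", "State": {"Name": "running"}, "IamInstanceProfile": PROFILE},
    {"InstanceId": "i-0bbb", "State": {"Name": "running"}},
    {"InstanceId": "i-0ccc", "State": {"Name": "running"}, "IamInstanceProfile": PROFILE},
    {"InstanceId": "i-0ddd", "State": {"Name": "terminated"}},
    {"InstanceId": "i-0eee", "State": {"Name": "running"}, "IamInstanceProfile": PROFILE},
]}]
SAMPLE_SSM_INFO = [{"InstanceId": "i-0aaa", "PingStatus": "Online"},
                   {"InstanceId": "i-0eee", "PingStatus": "ConnectionLost"}]


def main() -> None:
    """Run against the current account; requires boto3 and AWS credentials."""
    import boto3
    ec2, ssm = boto3.client("ec2"), boto3.client("ssm")
    reservations = [r for p in ec2.get_paginator("describe_instances").paginate() for r in p["Reservations"]]
    ssm_info = [i for p in ssm.get_paginator("describe_instance_information").paginate()
                for i in p["InstanceInformationList"]]
    for iid, why in sorted(evaluate(reservations, ssm_info).items()):
        print(f"FAIL {iid}: {why}")


if __name__ == "__main__":
    main()
```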
