
Rule: EC2 instances should be managed by AWS Systems Manager

Ensure compliance by managing EC2 instances through AWS Systems Manager.

Rule: EC2 instances should be managed by AWS Systems Manager
Framework: PCI v3.2.1
Severity: Medium

Rule Description:

The rule requires that all EC2 instances be managed by AWS Systems Manager in order to comply with PCI v3 (Payment Card Industry Data Security Standard) requirements. Managing EC2 instances through Systems Manager improves their management, monitoring, and security, and therefore supports PCI v3 compliance.

Troubleshooting Steps:

If you encounter issues with managing EC2 instances using AWS Systems Manager, you can follow the steps below to troubleshoot:

  1. Confirm Systems Manager prerequisites: Ensure that your AWS account has the necessary permissions to use Systems Manager. Check that the EC2 instances you are attempting to manage are running in a supported region.

  2. Verify instance IAM role: Check that the EC2 instances have an IAM role attached that grants the necessary permissions to Systems Manager. Ensure that the IAM role includes the required policies to access Systems Manager functionality.

  3. Validate Systems Manager agent: Confirm that the EC2 instances have the Systems Manager agent installed and running. You can check the agent status by connecting to the instance and running the following command:

     sudo systemctl status amazon-ssm-agent

     If the agent is not running, you can try restarting it with:

     sudo systemctl start amazon-ssm-agent
  4. Check instance connectivity: Ensure that the EC2 instances have outbound connectivity to the AWS Systems Manager service endpoints. Verify the security group configurations and network ACL rules to allow the outbound connections.

  5. Review Systems Manager logs: Check the agent and Systems Manager logs for error messages. On Linux the agent writes to /var/log/amazon/ssm/amazon-ssm-agent.log (on Windows, %ProgramData%\Amazon\SSM\Logs). You can also see which instances have registered with Systems Manager, and whether their agent is currently reporting, through the AWS Management Console or with the AWS Command Line Interface (CLI) command:

     aws ssm describe-instance-information

Necessary Codes:

No specific codes are provided for this rule. However, you can utilize AWS CLI commands or AWS SDKs to manage EC2 instances through AWS Systems Manager.

Step-by-Step Guide for Remediation:

To manage EC2 instances using AWS Systems Manager and comply with PCI v3, follow these step-by-step instructions:

  1. Ensure necessary prerequisites:

     • Make sure you have an AWS account with appropriate permissions to use Systems Manager.
     • Confirm that your EC2 instances are running in a supported region.

  2. Set up instance IAM role:

     • Create an IAM role, or modify an existing role, to grant the required permissions for Systems Manager.
     • Attach the IAM role to the EC2 instances you want to manage.

  3. Install the Systems Manager agent:

     • Connect to the EC2 instances through SSH or RDP.
     • Download and install the Systems Manager agent appropriate for your operating system. Refer to the AWS Systems Manager documentation for detailed installation instructions.

  4. Verify agent status:

     • On the EC2 instances, check the status of the Systems Manager agent using the command:
       sudo systemctl status amazon-ssm-agent

     • If the agent is not running, start it using the command:
       sudo systemctl start amazon-ssm-agent

  5. Configure outbound connectivity:

     • Ensure that the EC2 instances have outbound connectivity to the Systems Manager service endpoints.
     • Review the security group and network ACL configurations to allow the outbound connections.
  6. Monitor Systems Manager logs:

     • Check the agent logs (on Linux, /var/log/amazon/ssm/amazon-ssm-agent.log; on Windows, %ProgramData%\Amazon\SSM\Logs) for any errors or issues.
     • Confirm that each instance has registered and its agent is reporting, through the AWS Management Console or with the CLI command:
       aws ssm describe-instance-information

Following these steps will allow you to manage EC2 instances using AWS Systems Manager, thus complying with the PCI v3 guidelines.
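The troubleshooting steps and the remediation guide above both reduce to one question: is every running EC2 instance registered with Systems Manager, with an agent that is currently reporting? The following Python script is an added example, not Cloud Defense's rule implementation or an AWS tool. The check itself works on plain dicts shaped like the responses of the EC2 describe-instances and SSM describe-instance-information API calls, so it runs offline on the constructed sample data embedded below; main() fetches live data with boto3 (assumed to be installed and configured with credentials) only when the file is run as a script. The instance IDs and account number in the sample are made up.

```python
"""Report running EC2 instances that AWS Systems Manager does not manage.

Added example (not Cloud Defense's rule code). Each finding names the
remediation step above that most likely applies, based on whether the
instance has an IAM instance profile and on the agent's PingStatus.
"""
from __future__ import annotations

from typing import Iterable

# AWS managed policy that grants an instance the permissions the SSM agent needs.
SSM_CORE_POLICY = "AmazonSSMManagedInstanceCore"


def running_ec2_instances(reservations: Iterable[dict]) -> dict[str, dict]:
    """Flatten describe-instances output into {instance_id: instance}, keeping
    only running instances (a stopped instance cannot report to Systems Manager)."""
    running: dict[str, dict] = {}
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") == "running":
                running[inst["InstanceId"]] = inst
    return running


def find_unmanaged_instances(reservations: Iterable[dict],
                             instance_information: Iterable[dict]) -> dict[str, str]:
    """Return {instance_id: reason} for every running instance whose SSM agent
    is not reporting as Online in describe-instance-information."""
    running = running_ec2_instances(reservations)
    ping = {i["InstanceId"]: i.get("PingStatus") for i in instance_information}
    findings: dict[str, str] = {}
    for instance_id, inst in running.items():
        status = ping.get(instance_id)
        if status == "Online":
            continue  # managed and reporting: compliant
        if "IamInstanceProfile" not in inst:
            findings[instance_id] = (f"no IAM instance profile attached "
                                     f"(step 2: attach a role with {SSM_CORE_POLICY})")
        elif status is None:
            findings[instance_id] = ("never registered with Systems Manager "
                                     "(steps 3 and 5: agent not installed, or no "
                                     "outbound path to the SSM endpoints)")
        else:
            findings[instance_id] = (f"agent PingStatus is {status} "
                                     "(step 4: agent stopped or lost connectivity)")
    return findings


# Constructed sample data in the shape of the two API responses (IDs are fictional).
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa111", "State": {"Name": "running"},
         "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/ssm-role"}},
        {"InstanceId": "i-0bbb222", "State": {"Name": "running"}},  # no role at all
        {"InstanceId": "i-0ccc333", "State": {"Name": "running"},
         "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/ssm-role"}},
        {"InstanceId": "i-0ddd444", "State": {"Name": "stopped"}},  # ignored: not running
        {"InstanceId": "i-0eee555", "State": {"Name": "running"},
         "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/ssm-role"}},
    ]}
]
SAMPLE_INSTANCE_INFO = [
    {"InstanceId": "i-0aaa111", "PingStatus": "Online"},
    {"InstanceId": "i-0ccc333", "PingStatus": "ConnectionLost"},
]


def main() -> int:
    """Run the check against the live account; exit 1 if any instance fails."""
    import boto3  # imported here so the offline check above needs no SDK

    ec2 = boto3.client("ec2")
    ssm = boto3.client("ssm")
    reservations = [r for page in ec2.get_paginator("describe_instances").paginate()
                    for r in page["Reservations"]]
    info = [i for page in ssm.get_paginator("describe_instance_information").paginate()
            for i in page["InstanceInformationList"]]
    findings = find_unmanaged_instances(reservations, info)
    for instance_id, reason in sorted(findings.items()):
        print(f"FAIL {instance_id}: {reason}")
    print(f"{len(findings)} unmanaged running instance(s)")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

On the sample data the check flags i-0bbb222 (no role), i-0eee555 (never registered) and i-0ccc333 (agent reporting ConnectionLost), and ignores the stopped instance; i-0aaa111 passes. Run against a real account the non-zero exit status makes it usable as a scheduled compliance gate.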
