Ensure that all Amazon EC2 instances are managed by AWS Systems Manager (SSM). Systems Manager simplifies AWS cloud resource management, shortens the time to detect and resolve operational problems, and makes it easy to operate and manage your instances securely at scale. For Amazon EC2 instances to be monitored and managed with the AWS Systems Manager service, they must be configured as managed instances. For EC2 instances to be managed by Systems Manager and appear in the list of managed instances, they must meet three primary requirements:
- The SSM Agent must be installed on an instance running a supported Operating System (OS).
- An AWS Identity and Access Management (IAM) instance profile that supplies the permissions the instance needs to communicate with the Systems Manager service must be attached to the EC2 instance.
- The SSM Agent must be able to connect to a Systems Manager endpoint to register itself with the service. The instance must then remain reachable by the SSM service, which confirms this by sending a health-check signal every five minutes.
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
AWS Systems Manager, through its Fleet Manager feature, offers multiple benefits for managed Amazon EC2 instances. Some of these benefits are:
- Perform a variety of common systems administration tasks without having to connect to your EC2 instances manually.
- Manage EC2 instances running on multiple platforms from a single unified console.
- Manage EC2 instances running different Operating Systems from a single unified console.
- Improve the efficiency of your systems administration.
- Control access to the Fleet Manager feature using AWS Identity and Access Management (IAM) policies. With these policies, you can control which individual IAM users or groups can use various Fleet Manager capabilities, and which Amazon EC2 instances they can manage.
From a security standpoint, when you are not using Systems Manager (SSM) to manage your EC2 instance fleet, you have to patch each instance manually, which risks leaving patches missing on some of your instances and exposing system vulnerabilities that potential attackers could exploit. With Patch Manager, a feature of the Systems Manager service, you can automate the patching of Linux and Windows managed instances at scale. Systems Manager (SSM) also lets you collect software inventory and run scripts without logging in to your instances.
To determine if your Amazon EC2 instances are managed by AWS Systems Manager (SSM), perform the following actions:
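One programmatic way to perform this check, added here as an example and not the Conformity tool's own audit procedure: it compares the running EC2 inventory (DescribeInstances) with the instances SSM knows about (DescribeInstanceInformation) and flags each running instance that is either not registered or not reporting PingStatus Online, which covers the three prerequisites listed above. The sample data is constructed; the `audit_live` helper is assumed to run with boto3 installed and valid AWS credentials.

```python
def find_unmanaged_instances(reservations, ssm_infos):
    """Return {instance_id: reason} for running EC2 instances that are not
    healthy SSM managed instances.
    reservations: EC2 DescribeInstances 'Reservations' list.
    ssm_infos:    SSM DescribeInstanceInformation 'InstanceInformationList'.
    """
    ssm_by_id = {info["InstanceId"]: info for info in ssm_infos}
    findings = {}
    for reservation in reservations:
        for inst in reservation["Instances"]:
            if inst["State"]["Name"] != "running":
                continue  # stopped/terminated instances cannot ping SSM
            iid = inst["InstanceId"]
            info = ssm_by_id.get(iid)
            if info is None and "IamInstanceProfile" not in inst:
                findings[iid] = "not registered: no IAM instance profile attached"
            elif info is None:
                findings[iid] = "not registered: check SSM Agent install and endpoint connectivity"
            elif info.get("PingStatus") != "Online":
                # Registered once, but the periodic health ping is failing
                findings[iid] = "registered but PingStatus is " + str(info.get("PingStatus"))
    return findings


# Constructed sample data shaped like the two API responses (not real instances).
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa", "State": {"Name": "running"},
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/ssm"}},
    {"InstanceId": "i-0bbb", "State": {"Name": "running"}},
    {"InstanceId": "i-0ccc", "State": {"Name": "running"},
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/ssm"}},
    {"InstanceId": "i-0ddd", "State": {"Name": "stopped"}},
]}]
SAMPLE_SSM_INFOS = [
    {"InstanceId": "i-0aaa", "PingStatus": "Online"},
    {"InstanceId": "i-0ccc", "PingStatus": "ConnectionLost"},
]


def audit_live(region_name):
    """Same check against a real account (assumes boto3 and AWS credentials)."""
    import boto3  # imported here so the sample data above runs without boto3
    ec2 = boto3.client("ec2", region_name=region_name)
    ssm = boto3.client("ssm", region_name=region_name)
    reservations = [r for page in ec2.get_paginator("describe_instances").paginate()
                    for r in page["Reservations"]]
    infos = [i for page in ssm.get_paginator("describe_instance_information").paginate()
             for i in page["InstanceInformationList"]]
    return find_unmanaged_instances(reservations, infos)
```

Run `audit_live("us-east-1")` per region you use; any instance in the returned dict is a finding for this rule.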
Remediation / Resolution
Manually installing software on multiple Amazon EC2 instances can be tedious and error-prone. To ensure that all your running EC2 instances are managed by the AWS Systems Manager (SSM) service, perform the following actions:
- AWS Documentation
- AWS Systems Manager Fleet Manager
- AWS Systems Manager Managed Instances
- Systems Manager prerequisites
- Quick Setup Host Management
- Troubleshooting Amazon EC2 managed instance availability
- Creating associations
Check for SSM Managed Instances
Risk level: High