Check for SSM Managed Instances

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: SSM-003

Ensure that all Amazon EC2 instances are managed by AWS Systems Manager (SSM). Systems Manager simplifies AWS cloud resource management, shortens the time to detect and resolve operational problems, and makes it easy to operate and manage your instances securely at scale. For Amazon EC2 instances to be monitored and managed with AWS Systems Manager service, they must be configured as managed instances. In order for EC2 instances to be managed by Systems Manager and be available in the list of managed instances, your instances have to meet 3 primary requirements:

The SSM Agent must be installed on an instance with a supported Operating System (OS).

An AWS Identity and Access Management (IAM) instance profile that supplies the required permissions for the instance to communicate with the Systems Manager service must be attached to the EC2 instance.

The SSM Agent must be able to connect to a Systems Manager endpoint in order to register itself with the service. Then, the instance must be available to the SSM service, which is confirmed by the service sending a signal every five minutes to check the instance's health.

This rule can help you work with the AWS Well-Architected Framework pillars: Security and Operational excellence.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS.

AWS Systems Manager, through its Fleet Manager feature, offers multiple benefits for managed Amazon EC2 instances. Some of these benefits are:

Perform a variety of common systems administration tasks without having to manually connect to your EC2 instances.

Manage EC2 instances running on multiple platforms and Operating Systems from a single unified console.

Improve the efficiency of your systems administration.

Control access to Fleet Manager feature using AWS Identity and Access Management (IAM) policies. With these policies, you can control which individual IAM users or groups can use various Fleet Manager capabilities, and which Amazon EC2 instances they can manage.

From a security standpoint, when you're not using Systems Manager (SSM) to manage your EC2 instance fleet, you have to patch each instance manually, which makes it likely that some instances miss patches and remain exposed to known vulnerabilities that attackers can exploit. With Patch Manager, a feature of the Systems Manager service, you can automate the process of patching Linux and Windows managed instances at scale. Systems Manager (SSM) also lets you collect software inventory and run commands or scripts on your instances without opening SSH or RDP access to them.


Audit

To determine if your Amazon EC2 instances are managed by AWS Systems Manager (SSM), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the left navigation panel, under INSTANCES, choose Instances.

04 Select the running Amazon EC2 instance that you want to examine.

05 Select the Details tab from the console bottom panel.

06 In the left column, identify the Instance ID configuration attribute and copy its value.

07 Navigate to AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.

08 In the navigation panel, under Node Management, select Managed Instances to access your SSM managed instances. A managed instance is any Amazon EC2 instance that has been configured for Systems Manager.

09 On the Managed Instances page, click inside the search box, select Instance ID, choose Equal, paste the ID of the instance copied at step no. 6, and press Enter. If no managed instances matching your filter criteria are found, the selected Amazon EC2 instance is not managed using AWS Systems Manager (SSM) service.

10 Repeat steps no. 4 – 9 to determine the SSM association status for each Amazon EC2 instance available within the current AWS region.

11 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) with custom query filters to list the IDs of all Amazon EC2 instances running within the selected AWS region:

aws ec2 describe-instances \
	--region us-east-1 \
	--filters "Name=instance-state-name,Values=running" \
	--output table \
	--query 'Reservations[*].Instances[*].InstanceId'

02 The command output should return a table with the requested EC2 instance identifiers:

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-01234abcd1234abcd  |
|  i-0abcabcabc1234567  |
|  i-01234567abcabcabc  |
|  i-0abcd1234abcd1234  |
+-----------------------+

03 Run describe-instance-information command (OSX/Linux/UNIX) using the ID of the Amazon EC2 instance that you want to examine as identifier parameter and custom query filters to describe the SSM-based information available for the selected instance, such as the fully qualified host name of the managed instance, the IP address of the managed EC2 instance, the Operating System (OS) platform, the version of SSM Agent installed on the instance, and the managed instance status:

aws ssm describe-instance-information \
	--region us-east-1 \
	--instance-information-filter-list key=InstanceIds,valueSet=i-01234abcd1234abcd \
	--query "InstanceInformationList"

04 The command output should return the requested SSM-based information:

[]

If the describe-instance-information command output returns an empty array (i.e. no SSM managed instance information), as shown in the output example above, the selected Amazon EC2 instance is not managed using AWS Systems Manager (SSM) service. If the command does return an entry, also check its PingStatus attribute: only Online means the SSM Agent is currently reachable; ConnectionLost or Inactive means the instance was registered at some point but is not being managed right now (for example because the agent was stopped or the instance lost access to the Systems Manager endpoint), and it should be treated as non-compliant until the cause is fixed.

05 Repeat step no. 3 and 4 to determine the SSM association status for each Amazon EC2 instance provisioned in the selected AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the entire audit process for other regions.
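The following script is an added example for this audit, not part of the Conformity rule or of AWS tooling. It takes the JSON output of the two CLI commands above (run with --output json instead of --output table) plus a small mapping from instance profile ARN to the policy ARNs attached to the profile's role (assembled with aws iam get-instance-profile and aws iam list-attached-role-policies), and for every running instance reports not only whether it is managed but which of the three requirements from the beginning of the page is most likely unmet: no instance profile, a profile without AmazonSSMManagedInstanceCore, or a correct profile (so the agent or its network path is the suspect). It also treats a registered instance whose PingStatus is not Online as a failure. The embedded sample data is constructed to exercise every branch; the file names and the profiles.json shape are assumptions of this script.

```python
#!/usr/bin/env python3
"""Triage running EC2 instances against the three SSM managed-instance
requirements (agent, instance profile, connectivity).

Assumed inputs (not something the Conformity rule provides):
  ec2.json      - aws ec2 describe-instances --output json
  ssm.json      - aws ssm describe-instance-information --output json
  profiles.json - {instance_profile_arn: [attached_policy_arn, ...]}, built from
                  aws iam get-instance-profile + aws iam list-attached-role-policies
"""
import json
import sys

SSM_CORE_POLICY = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"


def running_instances(ec2_json):
    """Return {instance_id: instance_profile_arn_or_None} for running instances."""
    result = {}
    for reservation in ec2_json.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") != "running":
                continue  # stopped/terminated instances cannot be managed anyway
            profile = inst.get("IamInstanceProfile") or {}
            result[inst["InstanceId"]] = profile.get("Arn")
    return result


def ssm_ping_status(ssm_json):
    """Return {instance_id: PingStatus} for every instance SSM has registered."""
    return {info["InstanceId"]: info.get("PingStatus", "Unknown")
            for info in ssm_json.get("InstanceInformationList", [])}


def classify(ec2_json, ssm_json, profile_policies):
    """Map each running instance to a finding. Only PingStatus Online counts as
    compliant; ConnectionLost/Inactive entries were registered once but are not
    currently reachable, which a plain 'any entry returned' check would miss."""
    findings = {}
    statuses = ssm_ping_status(ssm_json)
    for instance_id, profile_arn in running_instances(ec2_json).items():
        status = statuses.get(instance_id)
        if status == "Online":
            findings[instance_id] = "OK: managed, SSM Agent Online"
        elif status is not None:
            findings[instance_id] = (f"FAIL: registered but PingStatus={status} "
                                     "(agent stopped, or Systems Manager endpoint unreachable)")
        elif profile_arn is None:
            findings[instance_id] = "FAIL: not managed, no IAM instance profile attached"
        elif SSM_CORE_POLICY not in profile_policies.get(profile_arn, []):
            # Heuristic: a customer-managed policy with equivalent permissions
            # would also land here and needs a manual look.
            findings[instance_id] = ("FAIL: not managed, instance profile does not attach "
                                     "AmazonSSMManagedInstanceCore (verify permissions manually)")
        else:
            findings[instance_id] = ("FAIL: not managed, profile looks correct; check that "
                                     "SSM Agent is installed and running and that the instance "
                                     "can reach the ssm, ssmmessages and ec2messages endpoints")
    return findings


# Constructed sample data shaped like the real CLI output, one instance per branch.
_PROFILE_OK = "arn:aws:iam::123456789012:instance-profile/cc-ssm-core-instance-profile"
_PROFILE_APP = "arn:aws:iam::123456789012:instance-profile/app-profile"
SAMPLE_EC2 = {"Reservations": [{"Instances": [
    {"InstanceId": "i-01234abcd1234abcd", "State": {"Name": "running"},
     "IamInstanceProfile": {"Arn": _PROFILE_OK}},
    {"InstanceId": "i-0abcabcabc1234567", "State": {"Name": "running"},
     "IamInstanceProfile": {"Arn": _PROFILE_OK}},
    {"InstanceId": "i-01234567abcabcabc", "State": {"Name": "running"}},
    {"InstanceId": "i-0abcd1234abcd1234", "State": {"Name": "running"},
     "IamInstanceProfile": {"Arn": _PROFILE_APP}},
    {"InstanceId": "i-0fedcba9876543210", "State": {"Name": "running"},
     "IamInstanceProfile": {"Arn": _PROFILE_OK}},
    {"InstanceId": "i-0000000000000000a", "State": {"Name": "stopped"}},
]}]}
SAMPLE_SSM = {"InstanceInformationList": [
    {"InstanceId": "i-01234abcd1234abcd", "PingStatus": "Online"},
    {"InstanceId": "i-0abcabcabc1234567", "PingStatus": "ConnectionLost"},
]}
SAMPLE_PROFILE_POLICIES = {
    _PROFILE_OK: [SSM_CORE_POLICY],
    _PROFILE_APP: ["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"],
}


def sample_findings():
    """Run the triage over the constructed sample data."""
    return classify(SAMPLE_EC2, SAMPLE_SSM, SAMPLE_PROFILE_POLICIES)


def main(argv):
    """With three file paths, triage real CLI output; otherwise use the sample."""
    if len(argv) == 4:
        with open(argv[1]) as f1, open(argv[2]) as f2, open(argv[3]) as f3:
            findings = classify(json.load(f1), json.load(f2), json.load(f3))
    else:
        findings = sample_findings()
    for instance_id, finding in sorted(findings.items()):
        print(f"{instance_id}  {finding}")
    # Non-zero exit when anything is non-compliant, so this can gate a pipeline.
    return 0 if all(f.startswith("OK") for f in findings.values()) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the sample triage, or as `python3 ssm_triage.py ec2.json ssm.json profiles.json` against one region's real output; repeat per region, since both describe-instances and describe-instance-information are regional while the IAM data is global and can be reused.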

Remediation / Resolution

Manually installing software for multiple Amazon EC2 instances can be tedious and error prone. To ensure that all your running EC2 instances are managed by AWS Systems Manager (SSM) service, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.

03 You can use AWS Systems Manager Quick Setup to quickly configure your Amazon EC2 instances as managed instances in an individual account or across multiple organizational units (OUs) and AWS regions by integrating with AWS Organizations. The Quick Setup feature automatically configures the required IAM roles and commonly used Systems Manager capabilities on your Amazon EC2 instances. The capabilities enabled by Quick Setup include updating SSM Agent, scanning instances for missing security patches, and collecting inventory for your managed instances. These capabilities help you manage and monitor the health of your Amazon EC2 instances while granting only the minimum permissions required to get started. In the navigation panel, under AWS Systems Manager, select Quick Setup, and choose Create to initiate the setup process.

04 On the Quick Setup page, perform the following operations:

  1. For Configuration types, select Host Management. This configuration type is used to set up IAM roles and enables commonly used Systems Manager capabilities to securely manage your EC2 instances.
  2. Choose Next to continue the process.
  3. For Configuration options, ensure that the following options are selected under Systems Manager. Quick Setup configures these components based on best practices:
    • Update Systems Manager (SSM) Agent every two weeks.
    • Collect inventory from your instances every 30 minutes.
    • Scan instances for missing patches daily.
  4. For Targets, perform the following actions:
    • Choose Current Region for Choose between deploying to the current region or a custom set of regions.
    • Select Manual for Choose how you want to target instances, and choose the running Amazon EC2 instance(s) where the SSM configuration will be deployed (see Audit section part I to identify the right instance(s)).
  5. Choose Create to deploy the new SSM configuration for the selected instance(s). Once the SSM configuration is implemented, the target EC2 instance(s) will be registered with AWS Systems Manager and you will be able to manage them using Systems Manager capabilities.

05 Change the AWS region from the navigation bar and repeat step no. 3 and 4 to execute AWS Systems Manager Quick Setup for Amazon EC2 instances running within other cloud regions.

Using AWS CLI

01 By default, AWS Systems Manager (SSM) doesn't have permission to communicate with or perform actions on your Amazon EC2 instances, therefore you must grant access by using an Identity and Access Management (IAM) instance profile that contains an IAM service role which the EC2 service can assume on the instance's behalf. You can start by creating the trust relationship policy for that role. To create it, save the following policy document to a JSON file named cc-iam-trust-policy.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

02 Run create-role command (OSX/Linux/UNIX) to create the necessary Amazon IAM role using the trust relationship policy defined at the previous step:

aws iam create-role \
	--role-name cc-ssm-role-for-managed-instances \
	--assume-role-policy-document file://cc-iam-trust-policy.json

03 The command output should return the metadata available for the new IAM role:

{
    "Role": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "ec2.amazonaws.com"
                    }
                }
            ]
        },
        "RoleId": "AAAABBBBCCCCDDDDEEEE",
        "CreateDate": "2020-12-21T10:00:00Z",
        "RoleName": "cc-ssm-role-for-managed-instances",
        "Path": "/",
        "Arn": "arn:aws:iam::123456789012:role/cc-ssm-role-for-managed-instances"
    }
}

04 Run attach-role-policy command (OSX/Linux/UNIX) to attach the specified AWS-managed policy to the newly created IAM role. The "AmazonSSMManagedInstanceCore" managed policy is required to enable AWS Systems Manager service core functionality on target EC2 instances (the command does not produce an output):

aws iam attach-role-policy \
	--role-name cc-ssm-role-for-managed-instances \
	--policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore

05 Create the instance profile that will hold the new IAM role. Run create-instance-profile command (OSX/Linux/UNIX) to create the required IAM instance profile (IAM is a global service, so the profile is usable from every region):

aws iam create-instance-profile \
	--instance-profile-name cc-ssm-core-instance-profile

06 The command output should return the metadata for the newly created instance profile:

{
    "InstanceProfile": {
        "InstanceProfileId": "ABCDABCDABCDABCDABCDA",
        "Roles": [],
        "CreateDate": "2020-12-21T10:00:00Z",
        "InstanceProfileName": "cc-ssm-core-instance-profile",
        "Path": "/",
        "Arn": "arn:aws:iam::123456789012:instance-profile/cc-ssm-core-instance-profile"
    }
}

07 Run add-role-to-instance-profile command (OSX/Linux/UNIX) to integrate the IAM role created at step no. 2 with the instance profile created at step no. 5 (the command does not produce an output):

aws iam add-role-to-instance-profile \
	--role-name cc-ssm-role-for-managed-instances \
	--instance-profile-name cc-ssm-core-instance-profile

08 Run associate-iam-instance-profile command (OSX/Linux/UNIX) to associate the new IAM instance profile with the running Amazon EC2 instance that you want to manage with AWS Systems Manager (see Audit section part I to identify the right instance). If SSM Agent is already installed, it can take a few minutes to pick up the new credentials; restart the agent (or reboot the instance) if it does not register with Systems Manager after this step. An instance can have only one instance profile, so if one is already attached, add the AmazonSSMManagedInstanceCore policy to that profile's role instead of replacing it:

aws ec2 associate-iam-instance-profile \
	--region us-east-1 \
	--iam-instance-profile Name=cc-ssm-core-instance-profile \
	--instance-id i-01234abcd1234abcd

09 The output should return the associate-iam-instance-profile command request metadata:

{
    "IamInstanceProfileAssociation": {
        "InstanceId": "i-01234abcd1234abcd",
        "AssociationId": "iip-assoc-01234abcd1234abcd",
        "IamInstanceProfile": {
            "Id": "ABCDABCDABCDABCDABCDA",
            "Arn": "arn:aws:iam::123456789012:instance-profile/cc-ssm-core-instance-profile"
        }
    }
}

10 Now that AWS Systems Manager has permission to communicate with and perform actions on your target EC2 instance, you can implement the Systems Manager core capabilities for managing Amazon EC2 instances. To enable the commonly used Systems Manager capabilities that allow you to securely manage your Amazon EC2 instances, run the following commands:

  1. Run create-association command (OSX/Linux/UNIX) to create an association that automatically updates the SSM Agent according to a schedule that you specify, for the Amazon EC2 instance that you want to manage with AWS Systems Manager (see Audit section part I to identify the right instance). By default, once the association is successfully implemented, the system runs it immediately after it is created and then according to the specified schedule. For example, the --schedule-expression parameter sets a schedule to run the association every Sunday morning at 5:00 AM (UTC):
    aws ssm create-association \
    	--region us-east-1 \
    	--name "AWS-UpdateSSMAgent" \
    	--targets "Key=instanceids,Values=i-01234abcd1234abcd" \
    	--schedule-expression "cron(0 5 ? * SUN *)"
    
  2. The command output should return the "AWS-UpdateSSMAgent" association metadata:
    {
        "AssociationDescription": {
            "ScheduleExpression": "cron(0 5 ? * SUN *)",
            "Name": "AWS-UpdateSSMAgent",
            "Overview": {
                "Status": "Pending",
                "DetailedStatus": "Creating"
            },
            "AssociationId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
            "DocumentVersion": "$DEFAULT",
            "LastUpdateAssociationDate": 1608654996.549,
            "Date": 1608654996.549,
            "AssociationVersion": "1",
            "Targets": [
                {
                    "Values": [
                        "i-01234abcd1234abcd"
                    ],
                    "Key": "instanceids"
                }
            ],
            "ApplyOnlyAtCronInterval": false
        }
    }
    
  3. Run create-association command (OSX/Linux/UNIX) to create a Systems Manager (SSM) Inventory association for the specified Amazon EC2 instance. The system collects metadata from your EC2 instance according to the schedule configured for the association:
    aws ssm create-association \
    	--region us-east-1 \
    	--name "AWS-GatherSoftwareInventory" \
    	--targets "Key=instanceids,Values=i-01234abcd1234abcd" \
    	--schedule-expression "rate(1 day)" \
    	--parameters applications=Enabled,awsComponents=Enabled,customInventory=Enabled,instanceDetailedInformation=Enabled,networkConfig=Enabled,services=Enabled,windowsRoles=Enabled,windowsUpdates=Enabled
    
  4. The command output should return the "AWS-GatherSoftwareInventory" association configuration metadata:
    {
        "AssociationDescription": {
            "ScheduleExpression": "rate(1 day)",
            "Name": "AWS-GatherSoftwareInventory",
            "Parameters": {
                "windowsUpdates": [
                    "Enabled"
                ],
                "awsComponents": [
                    "Enabled"
                ],
                "customInventory": [
                    "Enabled"
                ],
                "networkConfig": [
                    "Enabled"
                ],
                "applications": [
                    "Enabled"
                ],
                "instanceDetailedInformation": [
                    "Enabled"
                ],
                "services": [
                    "Enabled"
                ],
                "windowsRoles": [
                    "Enabled"
                ]
            },
            "Overview": {
                "Status": "Pending",
                "DetailedStatus": "Creating"
            },
            "AssociationId": "1234abcd-1234-abcd-1234-abcd1234abcd",
            "DocumentVersion": "$DEFAULT",
            "LastUpdateAssociationDate": 1608654988.126,
            "Date": 1608654988.126,
            "AssociationVersion": "1",
            "Targets": [
                {
                    "Values": [
                        "i-01234abcd1234abcd"
                    ],
                    "Key": "instanceids"
                }
            ],
            "ApplyOnlyAtCronInterval": false
        }
    }
    
  5. Run create-association command (OSX/Linux/UNIX) to create an SSM association that scans the specified Amazon EC2 instance for missing patches by using the "AWS-RunPatchBaseline" document. With Operation=Scan the document only reports missing patches to Patch Manager compliance; use Operation=Install (with a RebootOption appropriate for the workload) when you want the patches applied. Without a --schedule-expression the association runs once when it is created, so add one (for example "rate(1 day)", matching the daily scan that Quick Setup configures) if you want recurring scans:
    aws ssm create-association \
    	--region us-east-1 \
    	--name "AWS-RunPatchBaseline" \
    	--targets "Key=instanceids,Values=i-01234abcd1234abcd" \
    	--parameters "Operation=Scan,RebootOption=NoReboot"
    
  6. The command output should return the "AWS-RunPatchBaseline" association metadata:
    {
        "AssociationDescription": {
            "Name": "AWS-RunPatchBaseline",
            "Parameters": {
                "Operation": [
                    "Scan"
                ],
                "RebootOption": [
                    "NoReboot"
                ]
            },
            "Overview": {
                "Status": "Pending",
                "DetailedStatus": "Creating"
            },
            "AssociationId": "abcd1234-abcd-1234-abcd-abcd1234abcd",
            "DocumentVersion": "$DEFAULT",
            "LastUpdateAssociationDate": 1608654998.845,
            "Date": 1608654998.845,
            "AssociationVersion": "1",
            "Targets": [
                {
                    "Values": [
                        "i-01234abcd1234abcd"
                    ],
                    "Key": "instanceids"
                }
            ],
            "ApplyOnlyAtCronInterval": false
        }
    }
    

11 Change the AWS region by updating the --region command parameter value and repeat steps no. 8 – 10 to perform the remediation/resolution process for other cloud regions.


Publication date Dec 30, 2020
