EC2 Instances Should Be Managed By SSM
More Info:
Ensure that all Amazon EC2 instances are managed by AWS Systems Manager (SSM). Systems Manager simplifies AWS cloud resource management, shortens the time to detect and resolve operational problems, and makes it easy to operate and manage your instances securely at scale. For Amazon EC2 instances to be monitored and managed with AWS Systems Manager service, they must be configured as managed instances. In order for EC2 instances to be managed by Systems Manager and be available in the list of managed instances, your instances have to meet 3 primary requirements:Risk Level
HighAddress
SecurityCompliance Standards
CBPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration “EC2 Instances Should Be Managed By SSM” in AWS using the AWS console, follow the below steps:
- Open the AWS Management Console and navigate to the EC2 dashboard.
- Select the EC2 instance that needs to be managed by SSM.
- Click on the “Actions” button and select “Instance Settings” and then click on “Attach/Replace IAM Role”.
- In the “Attach/Replace IAM Role” window, select the option “SSMManagedInstanceCore” in the “IAM Role” drop-down menu.
- Click on “Apply” to attach the IAM role to the EC2 instance.
- Once the IAM role is attached, navigate to the SSM dashboard.
- Select “Managed Instances” from the left-hand menu.
- Verify that the EC2 instance is listed as a managed instance. If it is not listed, select “Register instances” to add the EC2 instance to SSM.
- After registering the instance, select the instance and click on “Actions” and then select “Run Command”.
- In the “Run a Command” window, select the “AWS-ConfigureAWSPackage” document.
- In the “Command Parameters” section, select the “Install” option for the “action” parameter.
- Click on “Run” to install the SSM agent on the EC2 instance.
- Once the SSM agent is installed, the EC2 instance will be managed by SSM.
Using CLI
Using CLI
To remediate the misconfiguration “EC2 Instances Should Be Managed By SSM” in AWS using AWS CLI, follow the below steps:Step 1: Install and configure AWS CLI on your local machine.Step 2: Run the following command to identify the EC2 instances that are not managed by SSM:Step 3: The above command will output a list of all EC2 instances that are not managed by SSM. Identify the instances that need to be remediated.Step 4: Run the following command to enable SSM management for the identified EC2 instances:Note: Replace The above command should not return any output, indicating that all EC2 instances are now managed by SSM.
<Instance-ID>, <S3-Bucket-Name>, and <Region> with the appropriate values.Step 5: Repeat Step 4 for all the identified EC2 instances.Step 6: Verify that SSM management is enabled for the EC2 instances by running the following command:Using Python
Using Python
To remediate the misconfiguration “EC2 Instances Should Be Managed By SSM” in AWS using Python, you can follow these steps:Replace Replace
-
Install the AWS SDK for Python (Boto3) using pip:
pip install boto3 - Create an AWS SSM client object using the following code:
- Retrieve a list of all EC2 instances in the AWS account using the following code:
- For each EC2 instance, check if it is already managed by SSM using the following code:
INSTANCE_ID with the ID of the EC2 instance you want to check.- If the EC2 instance is not already managed by SSM, you can remediate the misconfiguration by running the following command:
INSTANCE_ID with the ID of the EC2 instance you want to remediate.This command will install the Amazon CloudWatch agent on the EC2 instance and configure it to be managed by SSM. You can monitor the progress of the command using the command_id returned by the send_command method.