Description:

Ensure that all Amazon EC2 instances are managed by AWS Systems Manager (SSM). Systems Manager simplifies AWS cloud resource management, shortens the time to detect and resolve operational problems, and makes it easy to operate and manage your instances securely at scale. For Amazon EC2 instances to be monitored and managed by the AWS Systems Manager service, they must be configured as managed instances. For EC2 instances to be managed by Systems Manager and appear in the list of managed instances, they have to meet three primary requirements:

1. The SSM Agent must be installed on an instance with a supported Operating System (OS).

2. An AWS Identity and Access Management (IAM) instance profile that supplies the required permissions for the instance to communicate with the Systems Manager service must be attached to the EC2 instance.

3. The SSM Agent must be able to connect to a Systems Manager endpoint in order to register itself with the service. The instance must then remain reachable by the Systems Manager service, which confirms this by sending a signal every five minutes to check the instance's health.

Rationale:

AWS Systems Manager, through its Fleet Manager feature, offers multiple benefits for managed Amazon EC2 instances. Some of these benefits are:

1. Perform a variety of common systems administration tasks without having to manually connect to your EC2 instances.

2. Manage EC2 instances running on multiple platforms from a single unified console.

3. Manage EC2 instances running different Operating Systems from a single unified console.

4. Improve the efficiency of your systems administration.

Impact:

From a security standpoint, when you are not using Systems Manager (SSM) to manage your EC2 instance fleet, you have to patch each instance manually. This creates a risk that some of your instances miss patches, exposing system vulnerabilities that potential attackers could take advantage of. With Patch Manager, a feature of the Systems Manager service, you can automate the process of patching Linux and Windows managed instances at scale. Systems Manager (SSM) also lets you collect software inventory and execute scripts without logging in to your instances.

Default Value:

SSM Agent is installed by default.

Audit:

1. Sign in to the AWS Management Console.

2. Navigate to the EC2 console at https://console.aws.amazon.com/ec2/.

3. In the left navigation panel, under INSTANCES, choose Instances.

4. Select the running Amazon EC2 instance that you want to examine.

5. Select the Details tab from the console bottom panel.

6. In the left column, identify the Instance ID configuration attribute and copy its value.

7. Navigate to the Systems Manager console at https://console.aws.amazon.com/systems-manager/.

8. In the navigation panel, under Node Management, select Managed Instances to access your SSM managed instances. A managed instance is an Amazon EC2 instance that has been configured for Systems Manager.

9. On the Managed Instances page, click inside the search box, select Instance ID, choose Equal, paste the ID of the instance copied in step 6, and press Enter. If the instance is listed, it is a managed instance; if no result is returned, the instance is not managed by Systems Manager.

Remediation:

Pre-Requisite:

This implementation requires a managed instance, which is an EC2 instance or on-premises instance that has the AWS Systems Manager Agent (also called SSM Agent) installed and has an IAM role with the AmazonEC2RoleforSSM policy attached to it.


Implementation Steps:

1. Sign in to the AWS Management Console.

2. Navigate to the Systems Manager console at https://console.aws.amazon.com/systems-manager/.

3. You can use AWS Systems Manager Quick Setup to quickly configure your Amazon EC2 instances as managed instances in an individual account or, by integrating with AWS Organizations, across multiple organizational units (OUs) and AWS regions. In the navigation panel, under AWS Systems Manager, select Quick Setup, and choose Create to initiate the setup process.

On the Quick Setup page, perform the following operations:

  1. For Configuration types, select Host Management. This configuration type is used to set up IAM roles and enables commonly used Systems Manager capabilities to securely manage your EC2 instances.

  2. Choose Next to continue the process.

  3. For Configuration options, ensure that the following options are selected under Systems Manager. Quick Setup configures these components based on best practices:

    • Update Systems Manager (SSM) Agent every two weeks.

    • Collect inventory from your instances every 30 minutes.

    • Scan instances for missing patches daily.

  4. For Targets, perform the following actions:

    • For "Choose between deploying to the current region or a custom set of regions", select Current Region.

    • For "Choose how you want to target instances", select Manual, then choose the running Amazon EC2 instance(s) where the SSM configuration will be deployed (see the Audit section to identify the right instance(s)).

  5. Choose Create to deploy the new SSM configuration for the selected instance(s). Once the SSM configuration is applied, the target EC2 instance(s) will be registered with AWS Systems Manager and you will be able to manage them using Systems Manager capabilities.


Via CLI:

List the running EC2 instances in the region:

aws ec2 describe-instances \
  --region us-east-1 \
  --filters "Name=instance-state-name,Values=running" \
  --output table \
  --query 'Reservations[*].Instances[*].InstanceId'

Check whether a given instance is registered with Systems Manager (an empty list means it is not a managed instance):

aws ssm describe-instance-information \
  --region us-east-1 \
  --instance-information-filter-list key=InstanceIds,valueSet=i-01234abcd1234abcd \
  --query "InstanceInformationList"
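A scripted form of the Audit procedure and the two CLI commands above, added here as an example (it is not part of the original page): it lists every running instance, pulls the SSM registration status, and reports any instance that is not an online managed instance. It assumes AWS CLI v2 with credentials already configured and reads the region from the AWS_REGION environment variable, defaulting to us-east-1.

```shell
#!/bin/sh
# Assumption: AWS CLI v2 is installed and configured; AWS CLI v2 paginates
# describe-* calls automatically, so fleets larger than one page are covered.
REGION="${AWS_REGION:-us-east-1}"

# Running EC2 instance IDs, whitespace separated (same query as the Audit CLI).
running_instance_ids() {
  aws ec2 describe-instances --region "$REGION" \
    --filters "Name=instance-state-name,Values=running" \
    --query 'Reservations[].Instances[].InstanceId' --output text
}

# One line per SSM registration: "<instance-id>\t<PingStatus>".
# PingStatus reflects the health signal described in requirement 3.
ssm_registrations() {
  aws ssm describe-instance-information --region "$REGION" \
    --query 'InstanceInformationList[].[InstanceId,PingStatus]' --output text
}

# Pure comparison, usable offline: $1 = running IDs, $2 = registration lines.
# Prints "<id> NOT_REGISTERED" for instances SSM has never seen and
# "<id> <status>" for registered instances whose agent is not Online.
report_unmanaged() {
  for id in $1; do
    status=$(printf '%s\n' "$2" | awk -v id="$id" '$1 == id { print $2 }')
    case "$status" in
      Online) ;;                                    # managed and healthy
      "")     printf '%s NOT_REGISTERED\n' "$id" ;; # fails requirement 1, 2 or 3
      *)      printf '%s %s\n' "$id" "$status" ;;   # e.g. ConnectionLost, Inactive
    esac
  done
}

audit_fleet() {
  result=$(report_unmanaged "$(running_instance_ids)" "$(ssm_registrations)")
  if [ -z "$result" ]; then
    echo "All running instances in $REGION are online SSM managed instances."
  else
    echo "Running instances in $REGION not managed by SSM (remediate via Quick Setup):"
    printf '%s\n' "$result"
  fi
}

# Run the live audit only when invoked as: sh audit_ssm.sh --run
case "${1:-}" in --run) audit_fleet ;; esac
```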


Backout Plan:

If you want to change or revoke the SSM configuration for an instance, use the instance ID identified in step 4 of the Audit section.

References

  1. What is AWS Systems Manager? - AWS Systems Manager

  2. Working with SSM Agent - AWS Systems Manager