Profile Applicability:
Level 2
Description
AWS Systems Manager provides a unified interface to manage your EC2 instances efficiently and securely. It enables capabilities such as patch management, session management, automation, and inventory collection. Ensuring that EC2 instances are managed by Systems Manager helps enforce centralized management, compliance, and operational best practices.
Rationale
Centralized Management: Simplifies managing multiple EC2 instances from a single interface.
Compliance and Monitoring: Facilitates compliance by automating security patching and monitoring.
Security: Enables secure administration of instances without the need to open SSH or RDP access.
Automation: Streamlines routine tasks using automation runbooks.
Impact
Pros:
Enhances visibility and control over EC2 instances.
Improves security by reducing dependency on insecure remote access methods.
Simplifies compliance with security and operational standards.
Cons:
Requires AWS Systems Manager agent installation on EC2 instances.
Instances must meet certain prerequisites such as IAM roles and permissions.
Default Value
By default, EC2 instances are not managed by AWS Systems Manager. Additional configuration is required.
Pre-Requisite
IAM Permissions:
ssm:DescribeInstanceInformation
ssm:GetInventorySchema
ec2:DescribeInstances
AWS CLI installed and configured.
Remediation
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to the Systems Manager Dashboard.
Select Managed Instances from the left-hand menu.
Verify if all required EC2 instances appear under Managed Instances.
Using AWS CLI:
Check Systems Manager Management Status:
aws ssm describe-instance-information --query "InstanceInformationList[].{InstanceId:InstanceId,ManagedBy:PingStatus}"
Identify Unmanaged Instances:
aws ec2 describe-instances --query "Reservations[].Instances[].{InstanceId:InstanceId}" --output text | grep -vF -f <managed-instances-list.txt>
(where <managed-instances-list.txt> contains the instance IDs returned by the previous command, one per line; any instance ID printed is not reporting to Systems Manager)
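As an added example (not part of the benchmark text), the following shell script carries the two CLI checks above through to a single list of non-compliant instances without an intermediate file: it keeps only running EC2 instances and flags any that are absent from the Systems Manager inventory or whose PingStatus is not Online. The instance IDs and statuses in it are constructed sample data, and the live helper assumes the AWS CLI is configured with the IAM permissions listed above.

```shell
#!/bin/sh
# Added example: find running EC2 instances that Systems Manager does not report as Online.

# Constructed sample of:
#   aws ec2 describe-instances --query "Reservations[].Instances[].[InstanceId,State.Name]" --output text
EC2_SAMPLE='i-0aaa111 running
i-0bbb222 running
i-0ccc333 stopped
i-0ddd444 running'

# Constructed sample of:
#   aws ssm describe-instance-information --query "InstanceInformationList[].[InstanceId,PingStatus]" --output text
SSM_SAMPLE='i-0aaa111 Online
i-0bbb222 ConnectionLost
i-0eee555 Online'

# unmanaged_instances "<ec2 rows: id state>" "<ssm rows: id pingstatus>"
# Prints, sorted, every running instance ID that is not Online in the SSM inventory.
# Stopped instances are ignored (they cannot report), and a lost connection counts
# as a finding, since such an instance cannot be patched or administered via SSM.
unmanaged_instances() {
  printf '%s\n' "$2" "---" "$1" | awk '
    /^---$/                        { in_ec2 = 1; next }              # separator between the two lists
    !in_ec2 && $2 == "Online"      { online[$1] = 1; next }          # SSM rows: remember healthy agents
    in_ec2 && $2 == "running" && !($1 in online) { print $1 }        # EC2 rows: running but not Online
  ' | sort -u
}

# Live check against the account (hypothetical helper; needs AWS CLI credentials).
# --output text renders the multi-select lists as one tab-separated row per instance.
check_live() {
  ec2=$(aws ec2 describe-instances \
    --query "Reservations[].Instances[].[InstanceId,State.Name]" --output text)
  ssm=$(aws ssm describe-instance-information \
    --query "InstanceInformationList[].[InstanceId,PingStatus]" --output text)
  unmanaged_instances "$ec2" "$ssm"
}

# Run on the constructed sample: prints i-0bbb222 (ConnectionLost) and i-0ddd444 (not registered).
unmanaged_instances "$EC2_SAMPLE" "$SSM_SAMPLE"
```

An empty result from check_live means every running instance is Online in Systems Manager, which is the compliant state for this recommendation.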
Implementation Steps:
Using AWS Console:
Verify prerequisites:
Ensure the AWS Systems Manager Agent (SSM Agent) is installed and running on all required instances.
Attach an IAM role with the AmazonSSMManagedInstanceCore policy to all EC2 instances.
Navigate to the EC2 Dashboard.
Select instances to register with Systems Manager.
Use the Session Manager for secure management after registration.
Using AWS CLI:
Install and Start the SSM Agent on the instance:
sudo yum install -y amazon-ssm-agent
sudo systemctl start amazon-ssm-agent
Attach IAM Role to the instance:
aws ec2 associate-iam-instance-profile --instance-id <instance-id> --iam-instance-profile Name=<iam-role-name>
Verify that the instance is successfully managed by Systems Manager:
aws ssm describe-instance-information --instance-ids <instance-id>
Backout Plan
Using AWS Management Console:
Sign in to the AWS Management Console.
Navigate to Systems Manager > Managed Instances.
Identify the EC2 instances that were registered with Systems Manager.
Remove the Systems Manager Agent (SSM Agent) from the EC2 instances:
Connect to the instance via SSH or Session Manager.
Uninstall the SSM Agent using the appropriate command for your operating system.
Update the IAM role attached to the EC2 instances:
Remove the permissions required for Systems Manager (e.g., AmazonSSMManagedInstanceCore policy).
Verify that the instances are no longer listed as managed in Systems Manager.
Using AWS CLI:
List the managed instances:
aws ssm describe-instance-information
Remove the SSM Agent from the EC2 instances:
For Linux:
sudo yum remove amazon-ssm-agent
For Windows (PowerShell):
Uninstall-WindowsFeature -Name AmazonSSMAgent
Update the IAM role attached to the EC2 instances:
aws iam detach-role-policy --role-name <role-name> --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
Verify that the instances are no longer managed:
aws ssm describe-instance-information