Profile Applicability:
- Level 2
Description:
AWS Systems Manager is a powerful service for managing EC2 instances and other AWS resources. It allows you to automate management tasks, such as patching, inventory collection, and configuration compliance. By using Systems Manager to manage EC2 instances, you can streamline operations and ensure that your EC2 instances are properly maintained and configured.
Rationale:
AWS Systems Manager helps ensure that EC2 instances are consistently maintained and compliant with organizational policies. Systems Manager provides features like:
- Inventory management of installed software and configurations on EC2 instances.
- Patch management for operating system and application patches.
- Automation for routine operational tasks.
- Monitoring and auditing of EC2 instances to ensure compliance with security and configuration standards.
Using Systems Manager reduces the risk of configuration drift, ensures better security posture, and helps to maintain operational consistency across instances.
Impact:
Pros:
- Improved management of EC2 instances through automation and consistency.
- Enhanced security by ensuring that all instances are compliant with organizational security policies.
- Reduced operational overhead through the use of Systems Manager automation features for tasks like patching and inventory management.
- Compliance and auditing capabilities to help meet regulatory requirements.
Cons:
- Initial setup for integrating Systems Manager with EC2 instances may require time and effort.
- Potential complexity for managing different IAM roles and permissions for Systems Manager access.
Default Value:
By default, EC2 instances are not automatically managed by AWS Systems Manager. It requires configuration to enable integration between EC2 instances and Systems Manager.
Pre-requisites:
AWS IAM permissions to manage Systems Manager, EC2 instances, and associated configurations:
ssm:DescribeInstances, ssm:PutInventory, ec2:DescribeInstances, ec2:ModifyInstanceAttribute
Remediation:
Test Plan:
Using AWS Console:
Log in to the AWS Systems Manager Console.
In the left pane, click Node Management, then select Inventory.
On the Inventory Dashboard, confirm that all EC2 instances are listed as part of the inventory.
If any instances are missing, refer to the remediation steps below.
Using AWS CLI:
Run the following command to list EC2 instances managed by Systems Manager:
aws ssm describe-instance-information --query "InstanceInformationList[*].{InstanceId:InstanceId,PlatformType:PlatformType}"
Review the output to ensure that all EC2 instances are being managed by Systems Manager.
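The CLI check above shows only the instances SSM knows about; the audit question is which running EC2 instances are absent from that list (or registered but no longer reporting). The following script is an added example, not part of the benchmark; it assumes boto3 and credentials permitted to call ec2:DescribeInstances and ssm:DescribeInstanceInformation, and runs on constructed sample data when no region is given.

```python
"""Audit EC2 instances that Systems Manager is not managing (added example,
not from the benchmark). Assumes boto3 and credentials allowed to call
ec2:DescribeInstances and ssm:DescribeInstanceInformation."""
import sys
from typing import Dict, Iterable, List


def unmanaged_instances(ec2_instance_ids: Iterable[str],
                        ssm_info: Iterable[Dict[str, str]]) -> List[str]:
    """Return IDs of EC2 instances SSM cannot currently manage: those absent
    from DescribeInstanceInformation plus those registered but not Online
    (PingStatus ConnectionLost or Inactive), since a stale registration still
    means no patching, inventory or compliance data is being collected."""
    online = {i["InstanceId"] for i in ssm_info if i.get("PingStatus") == "Online"}
    return sorted(set(ec2_instance_ids) - online)


def list_running_ec2_instances(region: str) -> List[str]:
    """All running EC2 instance IDs in the region (paginated)."""
    import boto3
    paginator = boto3.client("ec2", region_name=region).get_paginator("describe_instances")
    state_filter = [{"Name": "instance-state-name", "Values": ["running"]}]
    return [inst["InstanceId"]
            for page in paginator.paginate(Filters=state_filter)
            for res in page["Reservations"]
            for inst in res["Instances"]]


def list_ssm_managed_instances(region: str) -> List[Dict[str, str]]:
    """InstanceInformation records for EC2-type managed nodes (paginated)."""
    import boto3
    paginator = boto3.client("ssm", region_name=region).get_paginator("describe_instance_information")
    type_filter = [{"Key": "ResourceType", "Values": ["EC2Instance"]}]
    return [info for page in paginator.paginate(Filters=type_filter)
            for info in page["InstanceInformationList"]]


# Constructed sample data so the check can be exercised without AWS access.
SAMPLE_EC2 = ["i-0aaa111", "i-0bbb222", "i-0ccc333"]
SAMPLE_SSM = [{"InstanceId": "i-0aaa111", "PingStatus": "Online"},
              {"InstanceId": "i-0bbb222", "PingStatus": "ConnectionLost"}]

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python ssm_audit.py us-east-1
        region = sys.argv[1]
        missing = unmanaged_instances(list_running_ec2_instances(region),
                                      list_ssm_managed_instances(region))
    else:
        missing = unmanaged_instances(SAMPLE_EC2, SAMPLE_SSM)  # -> i-0bbb222, i-0ccc333
    print("PASS: all running instances managed by SSM" if not missing
          else "FAIL: not managed by SSM: " + ", ".join(missing))
```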
Implementation Plan:
Using AWS Console:
Log in to the AWS Systems Manager Console.
On the left-hand menu, click Node Management, and then click Inventory.
If any EC2 instances are missing, follow the steps below to ensure Systems Manager is properly set up.
Ensure that EC2 instances have the Systems Manager Agent (SSM Agent) installed.
Ensure that the IAM role associated with the EC2 instance has the necessary SSM permissions (e.g., AmazonEC2RoleforSSM, AmazonSSMManagedInstanceCore).
Once the necessary configuration is in place, confirm that instances appear in the Systems Manager Inventory dashboard.
Using AWS CLI:
Ensure that the SSM Agent is installed and running on all EC2 instances.
Verify that each EC2 instance has the required IAM role with SSM permissions.
Run the following command to attach an instance profile that grants the SSM permissions to an EC2 instance (one instance per call; the Name value must be the name of an instance profile in your account whose role has the AmazonSSMManagedInstanceCore policy attached):
aws ec2 associate-iam-instance-profile --instance-id <instance-id> --iam-instance-profile Name="AmazonSSMManagedInstanceCore"
Backout Plan:
Using AWS Console:
If integrating Systems Manager causes issues, you can disable the SSM Agent on EC2 instances by stopping and disabling the agent service.
You can also detach the IAM role from the EC2 instance if necessary by selecting the instance in the EC2 console and modifying its IAM role settings.
Using AWS CLI:
To remove the IAM role from an EC2 instance, first look up the instance profile association ID for the instance, then disassociate it (disassociate-iam-instance-profile takes an association ID, not an instance ID):
aws ec2 describe-iam-instance-profile-associations --filters Name=instance-id,Values=<instance-id> --query "IamInstanceProfileAssociations[*].AssociationId"
aws ec2 disassociate-iam-instance-profile --association-id <association-id>
If the SSM Agent causes issues, you can stop and disable it on a systemd-based Linux EC2 instance by running:
sudo systemctl stop amazon-ssm-agent
sudo systemctl disable amazon-ssm-agent
References:
CIS Controls: