None Specified Applications Should Be Installed On Instance.
More Info:
This rule checks if none of the specified applications are installed on the instance. Optionally, specify the version. Newer versions will not be denylisted. Optionally, specify the platform to apply the rule only to instances running that platform.
Risk Level: High
Address: Configuration
Compliance Standards: CBP
Triage and Remediation
To remediate the issue of having denylisted applications installed on an AWS EC2 instance, you can follow these steps using the AWS Management Console:
- Identify Installed Applications:
  - Connect to the EC2 instance using SSH or RDP.
  - Use commands like dpkg -l for Debian-based systems or rpm -qa for Red Hat-based systems to list all installed packages.
- Remove Denylisted Applications:
  - Identify any applications that are not supposed to be installed on the instance.
  - Use the appropriate package manager (apt for Debian-based systems, yum for Red Hat-based systems) to uninstall the unwanted applications. For example:
    - Debian-based systems: sudo apt-get remove <package_name>
    - Red Hat-based systems: sudo yum remove <package_name>
- Update Security Groups:
  - Ensure that the security groups associated with the EC2 instance only allow necessary inbound and outbound traffic. Restrict access to only required ports and protocols.
- Implement IAM Policies:
  - Use AWS Identity and Access Management (IAM) to enforce policies that restrict users’ ability to install applications on EC2 instances.
- Enable AWS Config Rules:
  - Set up AWS Config Rules to monitor and enforce compliance with your desired configuration standards. This can help prevent unauthorized applications from being installed on EC2 instances.
- Regularly Monitor and Audit:
  - Regularly monitor the instances for any unauthorized changes and audit the installed applications to ensure compliance with organizational policies.
By following these steps, you can remediate the issue of having denylisted applications installed on an AWS EC2 instance and ensure that only approved applications are running on your instances.
To remediate the misconfiguration of having denylisted applications installed on an AWS EC2 instance using the AWS CLI, follow these steps:
- Identify Installed Applications: First, identify the applications that are installed on the EC2 instance. You can SSH into the instance and manually check the installed applications, or use a configuration management tool like Ansible to gather this information.
- Remove Denylisted Applications: Once you have identified the applications that are not supposed to be installed on the instance, you can remove them using the following command:
    sudo yum remove <package_name>
  Replace <package_name> with the name of the package you want to remove. You may need to run this command for each unwanted package.
- Update Security Groups: If the applications were accessed over the network, you should also update the security groups associated with the EC2 instance to restrict access to only necessary ports and protocols.
- Create an AMI: After removing the unwanted applications, you may want to create a new Amazon Machine Image (AMI) from the instance. This will ensure that any new instances launched from this AMI do not have the unwanted applications installed.
- Terminate and Replace Instance: If removing the unwanted applications is not feasible or if the instance is heavily compromised, you may consider terminating the instance and launching a new instance from the updated AMI.
By following these steps, you can remediate the misconfiguration of having denylisted applications installed on an AWS EC2 instance using the AWS CLI.
To remediate the misconfiguration of having denylisted applications installed on an AWS EC2 instance using Python, you can use the AWS Systems Manager Run Command to execute a script that will uninstall any unwanted applications.
    import boto3

    # Systems Manager client (region and credentials come from the environment)
    ssm_client = boto3.client('ssm')

    def remediate_managed_instance(application_names):
        # Retrieve EC2 managed instances
        response = ssm_client.describe_instance_information()
        for instance in response['InstanceInformationList']:
            instance_id = instance['InstanceId']
            # Ask Inventory for the AWS:Application data of this instance
            inventory = ssm_client.get_inventory(
                Filters=[
                    {
                        'Key': 'AWS:InstanceInformation.InstanceId',
                        'Values': [instance_id]
                    },
                ],
                ResultAttributes=[{'TypeName': 'AWS:Application'}]
            )
            entities = inventory['Entities']
            # Skip instances that have not reported application inventory
            if entities and 'AWS:Application' in entities[0]['Data']:
                installed_applications = entities[0]['Data']['AWS:Application']['Content']
                # Check for blacklisted applications
                for app in installed_applications:
                    if app['Name'] in application_names:
                        print(f"Blacklisted application '{app['Name']}' found on instance '{instance_id}'.")
                        # Perform remediation action here (e.g., uninstall or disable the application)
                        # Example:
                        # ssm_client.send_command(
                        #     InstanceIds=[instance_id],
                        #     DocumentName='AWS-RunShellScript',
                        #     Parameters={
                        #         'commands': ['<uninstall-command>']
                        #     }
                        # )
                        break

    def main():
        # Specify the list of blacklisted application names
        blacklisted_applications = ['application1', 'application2']
        # Remediate EC2 managed instances with blacklisted applications
        remediate_managed_instance(blacklisted_applications)

    if __name__ == "__main__":
        main()
Replace 'application1', 'application2' with the names of the blacklisted applications. This script checks for the presence of blacklisted applications on EC2 managed instances using AWS Systems Manager Inventory and takes remediation actions accordingly. Adjust the remediation action (e.g., uninstall command) as per your requirements.
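The rule description allows an optional version ("Newer versions will not be denylisted") and an optional platform, which a name-only match does not cover. The following is an added example, not code from the original page or from AWS's rule implementation, that evaluates constructed inventory entries offline; the "name:version" denylist syntax, the dotted-numeric version comparison and all function names are assumptions.

```python
import re

def parse_denylist(spec):
    """Parse 'name' or 'name:version' items (assumed syntax) into {name: version or None}."""
    rules = {}
    for item in filter(None, (s.strip() for s in spec.split(","))):
        name, _, version = item.partition(":")
        rules[name.strip()] = version.strip() or None
    return rules

def version_key(version):
    """Leading dotted-numeric prefix as a tuple: '1.0.2k-19.el7' -> (1, 0, 2)."""
    m = re.match(r"\d+(?:\.\d+)*", version or "")
    parts = [int(p) for p in m.group().split(".")] if m else []
    while parts and parts[-1] == 0:   # treat 1.0 and 1.0.0 as equal
        parts.pop()
    return tuple(parts)               # unparseable -> (), i.e. treated as oldest

def evaluate_instance(instance, spec, platform=None):
    """Return [(name, version)] for denylisted applications on one instance."""
    if platform and instance["PlatformType"].lower() != platform.lower():
        return []  # rule is scoped to another platform, instance not evaluated
    rules = parse_denylist(spec)
    findings = []
    for app in instance["Applications"]:
        if app["Name"] not in rules:
            continue
        limit = rules[app["Name"]]
        # No version in the rule: all versions flagged. Otherwise only that version and older.
        if limit is None or version_key(app.get("Version")) <= version_key(limit):
            findings.append((app["Name"], app.get("Version")))
    return findings

def scan(instances, spec, platform=None):  # instance id -> findings, compliant omitted
    results = {i["InstanceId"]: evaluate_instance(i, spec, platform) for i in instances}
    return {iid: hits for iid, hits in results.items() if hits}

# Constructed sample inventory (not real instance data)
SAMPLE = [
    {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "PlatformType": "Linux", "Applications": [
        {"Name": "openssl", "Version": "1.0.2k-19.el7"},
        {"Name": "telnet", "Version": "0.17"}, {"Name": "curl", "Version": "7.79.1"}]},
    {"InstanceId": "i-0bbbbbbbbbbbbbbb2", "PlatformType": "Linux", "Applications": [
        {"Name": "openssl", "Version": "3.0.8"}]},
    {"InstanceId": "i-0ccccccccccccccc3", "PlatformType": "Windows", "Applications": [
        {"Name": "telnet", "Version": "10.0"}]},
]

if __name__ == "__main__":
    print(scan(SAMPLE, "openssl:1.1.1, telnet", platform="Linux"))
```

A version string with no numeric prefix sorts as oldest, so an entry that cannot be parsed is flagged rather than silently passed.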