More Info:

This rule checks if none of the specified applications are installed on the instance. Optionally, specify the version. Newer versions will not be denylisted. Optionally, specify the platform to apply the rule only to instances running that platform.

Risk Level

High

Address

Configuration

Compliance Standards

CBP

Remediation

Using Console

  1. Identify the EC2 managed instances where blacklisted applications are installed.
  2. Connect to each identified instance using Systems Manager Session Manager or SSH.
  3. Uninstall or disable the blacklisted applications using the appropriate package management commands (e.g., apt-get for Debian/Ubuntu, yum for RHEL/CentOS).
  4. Verify that the blacklisted applications have been successfully removed or disabled.

Using CLI

There’s no direct AWS CLI command to uninstall or disable applications on EC2 managed instances. You’ll typically need to use a combination of AWS Systems Manager Run Command or AWS SSM Session Manager along with remote execution commands to achieve this. Below is a generic example of how you might do this:

aws ssm send-command --instance-ids <instance-id> --document-name "AWS-RunShellScript" --parameters "commands=<uninstall-command>" --output text

Replace <instance-id> with the ID of the EC2 managed instance and <uninstall-command> with the appropriate command to uninstall or disable the blacklisted application.

Using Python

import boto3

def remediate_managed_instance(application_names):
    # Initialize Systems Manager client
    ssm_client = boto3.client('ssm')

    # Retrieve EC2 managed instances
    response = ssm_client.describe_instance_information()

    for instance in response['InstanceInformationList']:
        instance_id = instance['InstanceId']
        inventory = ssm_client.get_inventory(
            Filters=[
                {
                    'Key': 'AWS:InstanceInformation.InstanceId',
                    'Values': [instance_id]
                },
            ]
        )

        if 'Applications' in inventory['Entities'][0]['Data']:
            installed_applications = inventory['Entities'][0]['Data']['Applications']

            # Check for blacklisted applications
            for app in installed_applications:
                if app['Name'] in application_names:
                    print(f"Blacklisted application '{app['Name']}' found on instance '{instance_id}'.")
                    # Perform remediation action here (e.g., uninstall or disable the application)
                    # Example:
                    # ssm_client.send_command(
                    #     InstanceIds=[instance_id],
                    #     DocumentName='AWS-RunShellScript',
                    #     Parameters={
                    #         'commands': ['<uninstall-command>']
                    #     }
                    # )
                    break

def main():
    # Specify the list of blacklisted application names
    blacklisted_applications = ['application1', 'application2']

    # Remediate EC2 managed instances with blacklisted applications
    remediate_managed_instance(blacklisted_applications)

if __name__ == "__main__":
    main()

Replace 'application1', 'application2' with the names of the blacklisted applications. This script checks for the presence of blacklisted applications on EC2 managed instances using AWS Systems Manager Inventory and takes remediation actions accordingly. Adjust the remediation action (e.g., uninstall command) as per your requirements.