Status OF Managed Instance Compliance Should Be Checked
More Info:
This rule checks if the status of the AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT after the association execution on the instance. The rule is compliant if the field status is COMPLIANT.
Risk Level
Medium
Address
Configuration
Compliance Standards
CBP,RBI_MD_ITF,RBI_UCB
Remediation
Using Console
To remediate the misconfiguration of “Status of Managed Instance Compliance should be checked” for AWS EC2 using the AWS Management Console, follow these steps:
-
Sign in to the AWS Management Console: Go to https://aws.amazon.com/ and sign in to your AWS account.
-
Navigate to AWS Systems Manager: In the AWS Management Console, search for “Systems Manager” in the search bar at the top and click on the “Systems Manager” service.
-
Select Managed Instances: In the Systems Manager console, under the “Node Management” section on the left-hand side, click on “Managed Instances”.
-
Check Compliance Status: In the Managed Instances dashboard, you will see a list of all your managed instances. Look for the instance that has a status of “Non-Compliant” or “Unknown” under the “Compliance” column.
-
Remediate Compliance Status: To remediate the compliance status of the instance, click on the checkbox next to the instance that needs to be remediated.
-
Run Compliance Scan: Once you have selected the instance, click on the “Actions” dropdown menu at the top and select “Scan for Patch Compliance”. This will trigger a compliance scan on the selected instance.
-
Review Compliance Results: After the compliance scan is completed, go back to the Managed Instances dashboard and check the compliance status of the instance. It should now show as “Compliant” if the remediation was successful.
-
Monitor Compliance: To ensure that the compliance status remains checked, you can set up automated compliance scans and notifications in AWS Systems Manager.
By following these steps, you should be able to remediate the misconfiguration of “Status of Managed Instance Compliance should be checked” for AWS EC2 using the AWS Management Console.
Using CLI
To remediate the misconfiguration of “Status of Managed Instance Compliance should be checked” for AWS EC2 using AWS CLI, you can follow these steps:
-
Check Compliance Status: Run the following AWS CLI command to check the compliance status of your EC2 instances:
aws ssm describe-instance-information --output json -
Identify Non-Compliant Instances: Look for instances that have a “PingStatus” or “LastPingDateTime” indicating non-compliance.
-
Update SSM Agent: If the non-compliant instances have outdated SSM agents, update the SSM agent on those instances by following these steps:
- Connect to the non-compliant EC2 instance using SSH.
- Run the following commands to update the SSM agent:
sudo yum update -y amazon-ssm-agent sudo systemctl restart amazon-ssm-agent
-
Check Compliance Again: Run the command in step 1 to check the compliance status of the instances again to ensure that the SSM agent update resolved the issue.
-
Automate Compliance Checks: To ensure continuous compliance monitoring, consider setting up AWS Config Rules or AWS Systems Manager Automation to automatically check and remediate compliance issues.
By following these steps, you can remediate the misconfiguration of “Status of Managed Instance Compliance should be checked” for AWS EC2 using AWS CLI.
Using Python
To remediate the misconfiguration related to the status of managed instance compliance for AWS EC2 instances using Python, you can use the AWS Systems Manager (SSM) service to check the compliance status of managed instances. Here are the step-by-step instructions on how to do this:
- Install the AWS SDK for Python (Boto3) if you haven’t already. You can install it using pip:
pip install boto3
- Create a Python script with the following code to check the compliance status of managed instances:
import boto3
# Initialize the AWS SDK
ssm_client = boto3.client('ssm')
# Get a list of managed instances
response = ssm_client.describe_instance_information()
# Check the compliance status for each managed instance
for instance in response['InstanceInformationList']:
instance_id = instance['InstanceId']
compliance_summary = ssm_client.get_compliance_summary_by_resource(
ResourceType='ManagedInstance',
ResourceId=instance_id
)
compliance_status = compliance_summary['ComplianceSummary']['ComplianceType']
print(f"Instance ID: {instance_id}, Compliance Status: {compliance_status}")
- Run the Python script to check the compliance status of managed instances. If the compliance status is not as expected, you may need to investigate further to identify and remediate the underlying issues causing non-compliance.
By following these steps, you can use Python and the Boto3 library to check the compliance status of managed instances in AWS EC2 and take appropriate remediation actions as needed.