More Info:

This rule checks whether instances managed by Amazon EC2 Systems Manager are configured to collect blacklisted inventory types.

Risk Level

Low

Address

Configuration

Compliance Standards

CBP

Remediation

Using Console

To remediate the misconfiguration of EC2 Systems Manager collecting blacklisted inventory in AWS, follow these steps using the AWS Management Console:

  1. Access AWS Systems Manager Console:

    • Log in to your AWS account and navigate to the AWS Management Console.
    • Go to the Systems Manager service by searching for it in the search bar.
  2. Navigate to Inventory Explorer:

    • In the Systems Manager console, navigate to the ‘Explorer’ section from the left-hand menu.
  3. Identify Blacklisted Inventory:

    • In the Inventory Explorer, you will be able to see a list of all the managed instances and the collected inventory details.
    • Identify the blacklisted inventory items that are being collected by EC2 Systems Manager.
  4. Update Inventory Collection Configuration:

    • Click on ‘Inventory Setup’ in the Systems Manager console.
    • Review the inventory collection configuration settings to identify the blacklisted items.
    • Click on ‘Edit Inventory Schema’ to modify the inventory collection configuration.
  5. Remove Blacklisted Items:

    • In the inventory schema, locate the blacklisted inventory items that are being collected.
    • Remove the blacklisted items from the inventory schema by deselecting them or deleting them from the configuration.
  6. Save Changes:

    • Once you have removed the blacklisted items from the inventory collection configuration, click on ‘Save’ to apply the changes.
  7. Verify Configuration:

    • Go back to the Inventory Explorer and verify that the blacklisted inventory items are no longer being collected.
  8. Monitor for Compliance:

    • Regularly monitor the inventory collection configuration to ensure that blacklisted items are not being collected in the future.

By following these steps, you can remediate the misconfiguration of EC2 Systems Manager collecting blacklisted inventory in AWS.

Using CLI

To remediate the misconfiguration of EC2 Systems Manager collecting blacklisted inventory in AWS, you can follow these steps using AWS CLI:

Step 1: Identify the Systems Manager inventory collection configuration. Inventory collection is configured by a State Manager association that runs the AWS-GatherSoftwareInventory document, so run the following AWS CLI command to list those associations:

aws ssm list-associations --association-filter-list key=Name,value=AWS-GatherSoftwareInventory

Then describe each association that is returned to see its current inventory parameters (replace <association-id> with the ID from the list):

aws ssm describe-association --association-id <association-id>

This command will show the association's parameters; each inventory type (for example applications, files or windowsRegistry) is reported as Enabled or Disabled.

Step 2: Update the inventory collection configuration. Save the complete parameter map from the describe output to a file (here named inventory-parameters.json), set every blacklisted inventory type to Disabled in that file, and apply it with the following command. update-association replaces optional settings that are omitted, so pass the association's existing targets (here saved to targets.json) and schedule expression as well:

aws ssm update-association --association-id <association-id> --parameters file://inventory-parameters.json --targets file://targets.json --schedule-expression "<existing-schedule-expression>"

This command will update the association so that the blacklisted inventory types are no longer collected, while the remaining inventory types keep their current settings.

Step 3: Verify the updated configuration. Run the describe-association command again to verify that the blacklisted inventory types are now reported as Disabled:

aws ssm describe-association --association-id <association-id>

Ensure that the inventory collection is now configured to collect only the required information and that blacklisted inventory items are no longer being collected.

By following these steps, you can remediate the misconfiguration of EC2 Systems Manager collecting blacklisted inventory in AWS using AWS CLI.

Using Python

To remediate the misconfiguration where EC2 Systems Manager is configured to collect blacklisted inventory in AWS, you can follow these steps using Python:

  1. Identify the Blacklisted Inventory Configuration: First, you need to identify the blacklisted inventory configuration in the EC2 Systems Manager. This can be done by checking the Systems Manager Inventory configuration settings.

  2. Update the Inventory Configuration: You will need to update the inventory configuration to remove the blacklisted items. This can be done by modifying the Systems Manager Inventory configuration using the AWS SDK for Python (Boto3).

  3. Install Boto3: If you haven’t already, install the Boto3 library in your Python environment. You can install it using pip:

    pip install boto3
    
  4. Write Python Script: Write a Python script that uses Boto3 to update the Systems Manager Inventory configuration. Inventory collection is configured by a State Manager association that runs the AWS-GatherSoftwareInventory document, so the script reads that association's parameters and sets the blacklisted inventory types to Disabled. Here is an example script that removes the blacklisted inventory items:

    import boto3
    
    # Initialize the Systems Manager (SSM) client
    ssm_client = boto3.client('ssm')
    
    # Inventory collection is configured by a State Manager association that runs the
    # AWS-GatherSoftwareInventory document; fetch its current settings
    association_id = 'your-association-id-here'
    description = ssm_client.describe_association(AssociationId=association_id)['AssociationDescription']
    
    # Inventory types (document parameter names) that must not be collected
    blacklisted_items = ['blacklisted-item1', 'blacklisted-item2']  # Add the blacklisted items here
    
    # Set each blacklisted inventory type to Disabled, leaving the other types as they are
    updated_parameters = dict(description.get('Parameters', {}))
    for item in blacklisted_items:
        updated_parameters[item] = ['Disabled']
    
    # UpdateAssociation replaces optional settings that are omitted, so carry over the
    # existing targets and schedule together with the corrected parameters
    update_kwargs = {'AssociationId': association_id, 'Parameters': updated_parameters}
    for key in ('Targets', 'ScheduleExpression'):
        if key in description:
            update_kwargs[key] = description[key]
    ssm_client.update_association(**update_kwargs)
    
    print('Inventory configuration updated successfully.')
    
  5. Replace ‘your-association-id-here’ and ‘blacklisted-itemX’: Replace ‘your-association-id-here’ with the ID of the AWS-GatherSoftwareInventory association (as returned by list_associations) and replace the ‘blacklisted-itemX’ entries with the document parameter names of the inventory types to be disabled (for example windowsRegistry or files).

  6. Run the Script: Execute the Python script in your environment. This will update the Systems Manager Inventory configuration to remove the blacklisted items.

By following these steps, you can remediate the misconfiguration where EC2 Systems Manager is configured to collect blacklisted inventory in AWS using Python.
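The check that should run before any remediation, as an added example that is not part of the page or of any AWS tooling: it scans every AWS-GatherSoftwareInventory association, reports which blacklisted inventory types are still Enabled, and builds the full corrected parameter map to pass to update_association. It assumes a blacklist of windowsRegistry and files, and uses a constructed stand-in for the boto3 SSM client so it runs offline.

```python
from typing import Dict, List

# Inventory types are parameters of the AWS-GatherSoftwareInventory document; each is
# set to ["Enabled"] or ["Disabled"] on the State Manager association that runs it.
# Assumption (constructed for this example): these two types are on the blacklist.
BLACKLISTED_TYPES = ["windowsRegistry", "files"]
INVENTORY_DOCUMENT = "AWS-GatherSoftwareInventory"

# Constructed sample of two associations as DescribeAssociation would report them.
SAMPLE_ASSOCIATIONS = {
    "assoc-ok": {"applications": ["Enabled"], "windowsRegistry": ["Disabled"]},
    "assoc-bad": {"applications": ["Enabled"], "windowsRegistry": ["Enabled"], "files": ["Enabled"]},
}

def enabled_blacklisted_types(parameters: Dict[str, List[str]], blacklist: List[str]) -> List[str]:
    """Blacklisted inventory types the association still collects (set to Enabled)."""
    return [t for t in blacklist if parameters.get(t) == ["Enabled"]]

def corrected_parameters(parameters: Dict[str, List[str]], blacklist: List[str]) -> Dict[str, List[str]]:
    """Copy of the full parameter map with every blacklisted type set to Disabled.
    The whole map is kept because UpdateAssociation replaces what is omitted."""
    fixed = {name: list(values) for name, values in parameters.items()}
    for t in blacklist:
        fixed[t] = ["Disabled"]
    return fixed

def audit_inventory_associations(ssm, blacklist: List[str]) -> Dict[str, List[str]]:
    """Scan every inventory association; map association id -> blacklisted types still enabled."""
    findings, token = {}, None
    while True:
        kwargs = {"AssociationFilterList": [{"key": "Name", "value": INVENTORY_DOCUMENT}]}
        if token:
            kwargs["NextToken"] = token
        page = ssm.list_associations(**kwargs)
        for assoc in page.get("Associations", []):
            desc = ssm.describe_association(AssociationId=assoc["AssociationId"])["AssociationDescription"]
            bad = enabled_blacklisted_types(desc.get("Parameters", {}), blacklist)
            if bad:
                findings[assoc["AssociationId"]] = bad
        token = page.get("NextToken")
        if not token:
            return findings

class FakeSSM:
    """Offline stand-in for boto3's SSM client, backed by SAMPLE_ASSOCIATIONS (constructed)."""
    def list_associations(self, **kwargs):
        return {"Associations": [{"AssociationId": i, "Name": INVENTORY_DOCUMENT} for i in SAMPLE_ASSOCIATIONS]}
    def describe_association(self, AssociationId):
        return {"AssociationDescription": {"Parameters": SAMPLE_ASSOCIATIONS[AssociationId]}}
```

Against a real account, call audit_inventory_associations(boto3.client("ssm"), BLACKLISTED_TYPES) and feed each flagged association's parameters through corrected_parameters before calling update_association.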