More Info:

Ensure that all Amazon EC2 instances are managed by AWS Systems Manager (SSM). Systems Manager simplifies AWS cloud resource management, shortens the time to detect and resolve operational problems, and makes it easy to operate and manage your instances securely at scale. For Amazon EC2 instances to be monitored and managed with AWS Systems Manager service, they must be configured as managed instances. In order for EC2 instances to be managed by Systems Manager and be available in the list of managed instances, your instances have to meet 3 primary requirements:

Risk Level

High

Address

Security

Compliance Standards

CBP

Remediation

Using Console

To remediate the misconfiguration “EC2 Instances Should Be Managed By SSM” in AWS using the AWS console, follow the below steps:

  1. Open the AWS Management Console and navigate to the EC2 dashboard.
  2. Select the EC2 instance that needs to be managed by SSM.
  3. Click on the “Actions” button and select “Instance Settings” and then click on “Attach/Replace IAM Role”.
  4. In the “Attach/Replace IAM Role” window, select the option “SSMManagedInstanceCore” in the “IAM Role” drop-down menu.
  5. Click on “Apply” to attach the IAM role to the EC2 instance.
  6. Once the IAM role is attached, navigate to the SSM dashboard.
  7. Select “Managed Instances” from the left-hand menu.
  8. Verify that the EC2 instance is listed as a managed instance. If it is not listed, select “Register instances” to add the EC2 instance to SSM.
  9. After registering the instance, select the instance and click on “Actions” and then select “Run Command”.
  10. In the “Run a Command” window, select the “AWS-ConfigureAWSPackage” document.
  11. In the “Command Parameters” section, select the “Install” option for the “action” parameter.
  12. Click on “Run” to install the SSM agent on the EC2 instance.
  13. Once the SSM agent is installed, the EC2 instance will be managed by SSM.

By following the above steps, the misconfiguration “EC2 Instances Should Be Managed By SSM” can be remediated for AWS using the AWS console.

Using CLI

To remediate the misconfiguration “EC2 Instances Should Be Managed By SSM” in AWS using AWS CLI, follow the below steps:

Step 1: Install and configure AWS CLI on your local machine.

Step 2: Run the following command to identify the EC2 instances that are not managed by SSM:

aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" --query 'Reservations[*].Instances[*].[InstanceId,Tags[?Key==`Name`].Value|[0], [not contains(Tags[?Key==`aws: ssm: managed`, Value==`true`)], InstanceId]]' --output text

Step 3: The above command will output a list of all EC2 instances that are not managed by SSM. Identify the instances that need to be remediated.

Step 4: Run the following command to enable SSM management for the identified EC2 instances:

aws ssm send-command --document-name "AWS-ConfigureAWSPackage" --document-version "1" --targets "Key=InstanceIds,Values=<Instance-ID>" --parameters '{"action":["Install"],"installationType":["Uninstall and reinstall"],"name":["AmazonCloudWatchAgent"],"version":["latest"]}' --timeout-seconds 600 --max-concurrency "50" --max-errors "0" --output-s3-bucket-name "<S3-Bucket-Name>" --output-s3-key-prefix "output" --region "<Region>"

Note: Replace <Instance-ID>, <S3-Bucket-Name>, and <Region> with the appropriate values.

Step 5: Repeat Step 4 for all the identified EC2 instances.

Step 6: Verify that SSM management is enabled for the EC2 instances by running the following command:

aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" --query 'Reservations[*].Instances[*].[InstanceId,Tags[?Key==`Name`].Value|[0], [not contains(Tags[?Key==`aws: ssm: managed`, Value==`true`)], InstanceId]]' --output text

The above command should not return any output, indicating that all EC2 instances are now managed by SSM.

Using Python

To remediate the misconfiguration “EC2 Instances Should Be Managed By SSM” in AWS using Python, you can follow these steps:

  1. Install the AWS SDK for Python (Boto3) using pip: pip install boto3

  2. Create an AWS SSM client object using the following code:

import boto3

ssm_client = boto3.client('ssm')
  1. Retrieve a list of all EC2 instances in the AWS account using the following code:
import boto3

ec2_client = boto3.client('ec2')

response = ec2_client.describe_instances()
instances = []

for reservation in response['Reservations']:
    for instance in reservation['Instances']:
        instances.append(instance['InstanceId'])
  1. For each EC2 instance, check if it is already managed by SSM using the following code:
import boto3

ssm_client = boto3.client('ssm')

response = ssm_client.describe_instance_information(
    InstanceInformationFilterList=[
        {
            'key': 'InstanceIds',
            'valueSet': [
                'INSTANCE_ID'
            ]
        },
    ]
)

if len(response['InstanceInformationList']) > 0:
    print('Instance is already managed by SSM')
else:
    print('Instance is not managed by SSM')

Replace INSTANCE_ID with the ID of the EC2 instance you want to check.

  1. If the EC2 instance is not already managed by SSM, you can remediate the misconfiguration by running the following command:
import boto3

ssm_client = boto3.client('ssm')

response = ssm_client.send_command(
    InstanceIds=[
        'INSTANCE_ID',
    ],
    DocumentName='AWS-ConfigureAWSPackage',
    Parameters={
        'action': ['Install'],
        'name': ['AmazonCloudWatchAgent'],
    }
)

command_id = response['Command']['CommandId']

Replace INSTANCE_ID with the ID of the EC2 instance you want to remediate.

This command will install the Amazon CloudWatch agent on the EC2 instance and configure it to be managed by SSM. You can monitor the progress of the command using the command_id returned by the send_command method.

Additional Reading: