Check for SSM Managed Instances

Risk Level: High (not acceptable risk)

Rule ID: SSM-003

Ensure that all your Amazon EC2 instances are managed by Systems Manager (SSM). Systems Manager simplifies AWS cloud resource management, shortens the time to detect and resolve operational problems, and makes it easy to operate and manage your instances securely at scale. For Amazon EC2 instances to be monitored and managed with Amazon Systems Manager service, they must be configured as managed instances. In order for EC2 instances to be managed by Systems Manager and be available in the list of managed instances, your instances have to meet 3 primary requirements:

The SSM Agent must be installed on an instance with a supported Operating System (OS).
An AWS Identity and Access Management (IAM) instance profile that supplies the required permissions for the instance to communicate with the Systems Manager service must be attached to the EC2 instance.
The SSM Agent must be able to connect to a Systems Manager endpoint in order to register itself with the service. Then, the instance must be available to the SSM service, which is confirmed by the service sending a signal every five minutes to check the instance's health.

Because there is a delay between an Amazon EC2 instance becoming operational and the SSM agent being active, a delay period for recently launched instances must be configured within the rule settings, in your TrendAI Vision One™ Cloud Risk Management Dashboard. If the delay period is not configured in the rule settings, the default threshold of 3 minutes will apply.

This rule can help you work with the AWS Well-Architected Framework.

Security

Operational
excellence

Amazon Systems Manager through Fleet Manager feature offers multiple benefits for managed Amazon EC2 instances. Some of these benefits are:

Perform a variety of common systems administration tasks without having to manually connect to your EC2 instances.
Manage EC2 instances running on multiple platforms from a single unified console.
Manage EC2 instances running different Operating Systems from a single unified console.
Improve the efficiency of your systems administration.
Control access to Fleet Manager feature using AWS Identity and Access Management (IAM) policies. With these policies, you can control which individual IAM users or groups can use various Fleet Manager capabilities, and which Amazon EC2 instances they can manage.

From a security standpoint, when you're not using Systems Manager (SSM) to manage your EC2 instance fleet, you have to manually patch each instance and this may cause a risk factor of missing patches in some of your instances, exposing system vulnerabilities which potential attackers could take advantage of. With Patch Manager, a feature of System Manager service, you can automate the process of patching Linux and Windows managed instances at scale. Systems Manager (SSM) also lets you collect software inventory and execute scripts without logging into your instances' system.

Audit

To determine if your Amazon EC2 instances are managed by Systems Manager (SSM), perform the following actions:

Using AWS Console

Sign into your TrendAI Vision One™ account to access Cloud Risk Management, access the Check for SSM Managed Instances rule settings, and identify the delay period (in minutes) configured for recently launched EC2 instances.
Sign in to the AWS Management Console.
Navigate to Amazon EC2 console available at https://console.aws.amazon.com/ec2/.
In the left navigation panel, under Instances, choose Instances.
Select the Amazon EC2 instance that you want to examine.
Choose the Security tab from the console bottom panel to access the security details available for the selected instance.
To avoid false negative checks due to the delay between an EC2 instance becoming operational and the SSM agent being active, check the instance launch time first. In the Security details section, check the Launch time attribute value to identify the instance launch date/time. If the instance was created in the last x minutes (where x represents the delay period configured for recently launched instances, identified in step 1), the selected Amazon EC2 instance was recently launched and is not yet eligible for checks (a waiting period is required). Otherwise, you can continue the Audit process with the next step.
Choose the Details tab from the console bottom panel to access the instance configuration details.
In the Instance summary section, copy the Instance ID attribute value.
Navigate to AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.
In the left navigation panel, under Node Management, select Fleet Manager to access the list with your SSM managed instances. A managed instance is any Amazon EC2 instance that has been configured for Systems Manager.
In the Managed Nodes section, click inside the Filter box, select Node ID, choose Equals, paste the instance ID of the instance copied at step no. 9, and press Enter. If no managed instances matching your filter criteria are found, the selected Amazon EC2 instance is not managed using AWS Systems Manager (SSM).
Repeat steps no. 3 – 12 to determine the SSM association status for each Amazon EC2 instance available within the current AWS region.
Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

Sign into your TrendAI Vision One™ account to access Cloud Risk Management, access the Check for SSM Managed Instances rule settings, and identify the delay period (in minutes) configured for recently launched EC2 instances.

Run describe-instances command (OSX/Linux/UNIX) with custom query filters to list the ID of each Amazon EC2 instance running within the selected AWS region:

aws ec2 describe-instances
  --region us-east-1
  --filters "Name=instance-state-name,Values=running"
  --output table
  --query 'Reservations[*].Instances[*].InstanceId'

The command output should return a table with the requested EC2 instance identifiers (IDs):

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-01234abcd1234abcd  |
|  i-0abcabcabc1234567  |
|  i-01234567abcabcabc  |
|  i-0abcd1234abcd1234  |
+-----------------------+

Run describe-instances command (OSX/Linux/UNIX) with the ID of the Amazon EC2 instance that you want to examine as the identifier parameter and custom output filters to describe the launch date/time (UTC time) for the selected instance:
```
aws ec2 describe-instances
  --region us-east-1
  --instance-ids i-01234abcd1234abcd
  --query 'Reservations[*].Instances[].LaunchTime'
```
The command output should return the instance launch date/time (UTC time):
```
[
	"2024-07-24T08:59:10+00:00"
]
```
To avoid false negative checks due to the delay between an EC2 instance becoming operational and the SSM agent being active, check the instance launch date/time returned by the describe-instances command output. If the instance was created in the last x minutes (where x represents the delay period configured for recently launched instances, identified in step 1), the selected Amazon EC2 instance was recently launched and is not yet eligible for checks (a waiting period is required). Otherwise, you can continue the Audit process with the next step.
Run describe-instance-information command (OSX/Linux/UNIX) with the ID of the Amazon EC2 instance that you want to examine as the identifier parameter and custom filtering to describe the SSM-based information available for the selected instance, such as the fully qualified host name of the managed instance, the IP address of the managed EC2 instance, the Operating System (OS) platform, the version of SSM Agent installed on the instance, and the managed instance status:
```
aws ssm describe-instance-information
  --region us-east-1
  --instance-information-filter-list key=InstanceIds,valueSet=i-01234abcd1234abcd
  --query "InstanceInformationList"
```
The command output should return the requested SSM-based information:
```
[]
```
If the describe-instance-information command output returns an empty array (i.e. []), as shown in the output example above, the selected Amazon EC2 instance is not managed using AWS Systems Manager (SSM).
Repeat steps no. 4 - 7 to determine the SSM association status for each Amazon EC2 instance provisioned in the selected AWS region.
Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 8 to perform the Audit process for other regions.

Remediation / Resolution

Manually installing software for multiple Amazon EC2 instances can be tedious and error prone. To ensure that all your running Amazon EC2 instances are managed by the Systems Manager (SSM) service, perform the following actions:

Using AWS Console

Sign in to the AWS Management Console.
Navigate to AWS Systems Manager console available at https://console.aws.amazon.com/systems-manager/.
You can use Systems Manager Quick Setup to help you quickly configure your Amazon EC2 instances as managed instances in an individual account or across multiple organizational units (OUs) and AWS regions by integrating with AWS Organizations. The Quick Setup feature automatically configures required IAM roles and commonly used Systems Manager capabilities on your Amazon EC2 instances. The commonly used capabilities enabled by AWS Systems Manager Quick Setup include updating SSM Agent, scanning instances for missing security patches, and collecting inventory for your managed instances. These capabilities help you manage and monitor the health of your Amazon EC2 instances while providing the minimum required permissions to get started. To initiate the setup process, select Quick Setup from the left navigation panel and choose Create from the Host Management section. The Host Management configuration type is used to set up IAM roles and enables commonly used Systems Manager capabilities to securely manage your EC2 instances. If the Get Started page is shown, select the appropriate AWS region, choose Get started, and select Create from the Host Management section.
On the Host Management setup page, perform the following operations:
1. For Configuration options, ensure that the following options are selected under Systems Manager. Quick Setup configures these components based on best practices:
  1. Update Systems Manager (SSM) Agent every two weeks.
  2. Collect inventory from your instances every 30 minutes.
  3. Scan instances for missing patches daily.
2. For Targets, select Current Region for Choose between deploying to the current Region or a custom set of Regions., and choose All instances for Choose how you want to target instances. This selection will deploy your configuration to all Amazon EC2 instances available in the target AWS cloud region.
3. Choose Create to deploy the new SSM configuration for all target Amazon EC2 instances. Once the SSM configuration is implemented, the target EC2 instances will be registered with Systems Manager (SSM) and you will be able to manage them using SSM capabilities.
Change the AWS cloud region from the navigation bar and repeat the Remediation process for other cloud regions.

Using AWS CLI

By default, Systems Manager (SSM) doesn't have permission to communicate with or perform actions on your Amazon EC2 instances, therefore you must grant access by using an Identity and Access Management (IAM) instance profile and an IAM service role (or assume role). You can start by creating the trust relationship policy for the required IAM service role. To create the required trust relationship policy for the new role, save the following policy document to a JSON file named cc-ssm-role-trust-policy.json
```
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"Service": "ec2.amazonaws.com"
			},
			"Action": "sts:AssumeRole"
		}
	]
}
```
Run create-role command (OSX/Linux/UNIX) to create the required Amazon IAM role using the trust relationship policy defined at the previous step (i.e. cc-ssm-role-trust-policy.json):
```
aws iam create-role
  --role-name cc-ssm-role-for-managed-instances
  --assume-role-policy-document file://cc-ssm-role-trust-policy.json
```

The command output should return the information available for the new IAM role:

{
	"Role": {
		"AssumeRolePolicyDocument": {
			"Version": "2012-10-17",
			"Statement": [
				{
					"Action": "sts:AssumeRole",
					"Effect": "Allow",
					"Principal": {
						"Service": "ec2.amazonaws.com"
					}
				}
			]
		},
		"RoleId": "AAAABBBBCCCCDDDDEEEE",
		"CreateDate": "2024-07-21T11:00:00Z",
		"RoleName": "cc-ssm-role-for-managed-instances",
		"Path": "/",
		"Arn": "arn:aws:iam::123456789012:role/cc-ssm-role-for-managed-instances"
	}
}

Run attach-role-policy command (OSX/Linux/UNIX) to attach the specified AWS-managed policy to the newly created IAM role. The "AmazonSSMManagedInstanceCore" managed policy is required to enable Systems Manager service core functionality on target Amazon EC2 instances (the command does not produce an output):
```
aws iam attach-role-policy
  --role-name cc-ssm-role-for-managed-instances
  --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
```
Create the instance profile that needs to integrate with the new IAM role. Run create-instance-profile command (OSX/Linux/UNIX) to create the required IAM instance profile:
```
aws iam create-instance-profile
  --region us-east-1
  --instance-profile-name cc-ssm-core-instance-profile
```

The command output should return the information available for the newly created instance profile:

{
	"InstanceProfile": {
		"InstanceProfileId": "ABCDABCDABCDABCDABCDA",
		"Roles": [],
		"CreateDate": "2024-07-21T12:00:00Z",
		"InstanceProfileName": "cc-ssm-core-instance-profile",
		"Path": "/",
		"Arn": "arn:aws:iam::123456789012:instance-profile/cc-ssm-core-instance-profile"
	}
}

Run add-role-to-instance-profile command (OSX/Linux/UNIX) to integrate the IAM role created at step no. 2 with the instance profile created at step no. 5 (the command does not produce an output):
```
aws iam add-role-to-instance-profile
  --role-name cc-ssm-role-for-managed-instances
  --instance-profile-name cc-ssm-core-instance-profile
```
Run associate-iam-instance-profile command (OSX/Linux/UNIX) to associate the new IAM instance profile with the running Amazon EC2 instance that you want to manage with AWS Systems Manager (SSM):
```
aws ec2 associate-iam-instance-profile
  --region us-east-1
  --iam-instance-profile Name=cc-ssm-core-instance-profile
  --instance-id i-01234abcd1234abcd
```

The output should return the associate-iam-instance-profile command request information:

{
	"IamInstanceProfileAssociation": {
		"InstanceId": "i-01234abcd1234abcd",
		"AssociationId": "iip-assoc-01234abcd1234abcd",
		"IamInstanceProfile": {
			"Id": "ABCDABCDABCDABCDABCDA",
			"Arn": "arn:aws:iam::123456789012:instance-profile/cc-ssm-core-instance-profile"
		}
	}
}

Now that Systems Manager (SSM) has permission to communicate with or perform actions on your target Amazon EC2 instances, you can implement the Systems Manager core capabilities for managing EC2 instances. To enable the commonly used Systems Manager capabilities that allows you to securely manage your Amazon EC2 instances, perform the following commands:

Run create-association command (OSX/Linux/UNIX) to create an association that automatically updates the SSM Agent according to a schedule that you specify, for the Amazon EC2 instance that you want to manage with Systems Manager. By default, once the association is successfully implemented, the system runs it immediately after it is created and then according to the specified schedule. For example, the --schedule-expression parameter sets a schedule to run the association every Sunday morning at 5:00 AM (UTC time):
```
	aws ssm create-association
	  --region us-east-1
	  --name "AWS-UpdateSSMAgent"
	  --targets "Key=instanceids,Values=i-01234abcd1234abcd"
	  --schedule-expression "cron(0 5 ? * SUN *)"
	
```

The command output should return the "AWS-UpdateSSMAgent" association information:

	{
		"AssociationDescription": {
			"ScheduleExpression": "cron(0 5 ? * SUN *)",
			"Name": "AWS-UpdateSSMAgent",
			"Overview": {
				"Status": "Pending",
				"DetailedStatus": "Creating"
			},
			"AssociationId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
			"DocumentVersion": "$DEFAULT",
			"LastUpdateAssociationDate": 1608877877.549,
			"Date": 1608877877.549,
			"AssociationVersion": "1",
			"Targets": [
				{
					"Values": [
						"i-01234abcd1234abcd"
					],
					"Key": "instanceids"
				}
			],
			"ApplyOnlyAtCronInterval": false
		}
	}

Run create-association command (OSX/Linux/UNIX) to create a Systems Manager (SSM) Inventory association for the specified Amazon EC2 instance. The system collects metadata from your instance according to the schedule configured for the association:

	aws ssm create-association
	  --region us-east-1
	  --name "AWS-GatherSoftwareInventory"
	  --targets "Key=instanceids,Values=i-01234abcd1234abcd"
	  --schedule-expression "rate(1 day)"
	  --parameters applications=Enabled,awsComponents=Enabled,customInventory=Enabled,instanceDetailedInformation=Enabled,networkConfig=Enabled,services=Enabled,windowsRoles=Enabled,windowsUpdates=Enabled

The command output should return the "AWS-GatherSoftwareInventory" association configuration information:

	{
		"AssociationDescription": {
			"ScheduleExpression": "rate(1 day)",
			"Name": "AWS-GatherSoftwareInventory",
			"Parameters": {
				"windowsUpdates": [
					"Enabled"
				],
				"awsComponents": [
					"Enabled"
				],
				"customInventory": [
					"Enabled"
				],
				"networkConfig": [
					"Enabled"
				],
				"applications": [
					"Enabled"
				],
				"instanceDetailedInformation": [
					"Enabled"
				],
				"services": [
					"Enabled"
				],
				"windowsRoles": [
					"Enabled"
				]
			},
			"Overview": {
				"Status": "Pending",
				"DetailedStatus": "Creating"
			},
			"AssociationId": "1234abcd-1234-abcd-1234-abcd1234abcd",
			"DocumentVersion": "$DEFAULT",
			"LastUpdateAssociationDate": 1608877877.126,
			"Date": 1608877877.126,
			"AssociationVersion": "1",
			"Targets": [
				{
					"Values": [
						"i-01234abcd1234abcd"
					],
					"Key": "instanceids"
				}
			],
			"ApplyOnlyAtCronInterval": false
		}
	}

Run create-association command (OSX/Linux/UNIX) to create an SSM association that scans the specified Amazon EC2 instance for missing patch updates by using the "AWS-RunPatchBaseline" document. "AWS-RunPatchBaseline" performs patching operations on Amazon EC2 instances for security related and other types of updates:
```
	aws ssm create-association
	  --region us-east-1
	  --name "AWS-RunPatchBaseline"
	  --targets "Key=instanceids,Values=i-01234abcd1234abcd"
	  --parameters "Operation=Scan,RebootOption=NoReboot"
	
```

The command output should return the "AWS-RunPatchBaseline" association information:

	{
		"AssociationDescription": {
			"Name": "AWS-RunPatchBaseline",
			"Parameters": {
				"Operation": [
					"Scan"
				],
				"RebootOption": [
					"NoReboot"
				]
			},
			"Overview": {
				"Status": "Pending",
				"DetailedStatus": "Creating"
			},
			"AssociationId": "abcd1234-abcd-1234-abcd-abcd1234abcd",
			"DocumentVersion": "$DEFAULT",
			"LastUpdateAssociationDate": 1608877877.845,
			"Date": 1608877877.845,
			"AssociationVersion": "1",
			"Targets": [
				{
					"Values": [
						"i-01234abcd1234abcd"
					],
					"Key": "instanceids"
				}
			],
			"ApplyOnlyAtCronInterval": false
		}
	}

Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 8 – 10 to perform the Remediation process for other cloud regions.

References

AWS Command Line Interface (CLI) Documentation
describe-instances
associate-iam-instance-profile
describe-instance-information
create-association
create-role
attach-role-policy
create-instance-profile
add-role-to-instance-profile

Publication date Dec 30, 2020

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related SSM rules