EC2 Instance Managed by AWS Systems Manager
Overview
This check verifies that your EC2 instances are enrolled as AWS Systems Manager (SSM) managed nodes. When an instance is managed by SSM, you gain centralized visibility, patch management, and secure remote access capabilities. Instances that are running but not registered with SSM are flagged as unmanaged.
Risk
EC2 instances not managed by Systems Manager create significant security and operational gaps:
- No centralized patch management: Unmanaged instances may miss critical security updates, leaving them vulnerable to known exploits
- Limited visibility: You cannot track software inventory, configurations, or compliance status
- Insecure remote access: Without SSM Session Manager, you rely on SSH/RDP with open inbound ports, increasing exposure to brute-force attacks
- Difficult incident response: No ability to run commands remotely through secure channels during security incidents
- Compliance gaps: Many security frameworks (CIS, NIST) require centralized management of compute resources
Remediation Steps
Prerequisites
- AWS account access with permissions to modify EC2 instances and create IAM roles
- The EC2 instance must have network connectivity to SSM endpoints (internet access or VPC endpoints)
Required IAM permissions
To complete this remediation, you need:
- iam:CreateRole - Create the SSM role
- iam:AttachRolePolicy - Attach the SSM managed policy
- iam:CreateInstanceProfile - Create the instance profile
- iam:AddRoleToInstanceProfile - Add the role to the instance profile
- ec2:AssociateIamInstanceProfile - Attach the profile to the instance
- ec2:DescribeInstances - View instance details
- ssm:DescribeInstanceInformation - Verify SSM registration
Network requirements for SSM
For SSM to work, your EC2 instance needs to reach these AWS endpoints:
- ssm.<region>.amazonaws.com
- ssmmessages.<region>.amazonaws.com
- ec2messages.<region>.amazonaws.com
Option A: Internet access
- Instance in a public subnet with internet gateway, OR
- Instance in a private subnet with NAT gateway
Option B: VPC endpoints (for private instances without internet)
Create VPC endpoints for:
- com.amazonaws.<region>.ssm
- com.amazonaws.<region>.ssmmessages
- com.amazonaws.<region>.ec2messages
AWS Console Method
Step 1: Create an IAM role for SSM (if you do not already have one)
- Sign in to the AWS Management Console
- Navigate to IAM > Roles
- Click Create role
- Select AWS service as the trusted entity type
- Under Use case, select EC2
- Click Next
- In the search box, type AmazonSSMManagedInstanceCore
- Check the box next to AmazonSSMManagedInstanceCore
- Click Next
- Enter a role name (e.g., EC2-SSM-Role)
- Click Create role
Step 2: Create an instance profile (if needed)
If you created a new role through the console using the steps above, AWS automatically creates an instance profile with the same name. Skip to Step 3.
Step 3: Attach the IAM role to your EC2 instance
- Navigate to EC2 > Instances
- Select the instance that needs SSM management
- Click Actions > Security > Modify IAM role
- In the IAM role dropdown, select the role you created (e.g., EC2-SSM-Role)
- Click Update IAM role
Step 4: Verify the SSM Agent is installed and running
Most Amazon Linux, Amazon Linux 2, Ubuntu, and Windows AMIs come with SSM Agent pre-installed. If your instance uses a custom AMI:
- Connect to your instance (SSH, RDP, or EC2 Instance Connect)
- Check if SSM Agent is running:
  - Linux: sudo systemctl status amazon-ssm-agent
  - Windows: Check Services for "Amazon SSM Agent"
- If not installed, follow the installation instructions in the section below
Installing SSM Agent manually
Amazon Linux 2 / RHEL / CentOS:
sudo yum install -y amazon-ssm-agent
sudo systemctl enable amazon-ssm-agent
sudo systemctl start amazon-ssm-agent
Ubuntu / Debian:
sudo snap install amazon-ssm-agent --classic
sudo systemctl enable snap.amazon-ssm-agent.amazon-ssm-agent.service
sudo systemctl start snap.amazon-ssm-agent.amazon-ssm-agent.service
Windows (PowerShell as Administrator):
Invoke-WebRequest -Uri https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/windows_amd64/AmazonSSMAgentSetup.exe -OutFile $env:TEMP\SSMAgentSetup.exe
Start-Process -FilePath $env:TEMP\SSMAgentSetup.exe -ArgumentList "/S" -Wait
Step 5: Wait for SSM registration
- Navigate to Systems Manager > Fleet Manager (or Managed Instances)
- Wait 2-5 minutes for your instance to appear
- The instance should show with a green Online status
AWS CLI (optional)
Create an IAM role for SSM:
First, create a trust policy file:
cat > /tmp/ec2-trust-policy.json << 'EOF'
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
Create the role and attach the policy:
aws iam create-role \
--role-name EC2-SSM-Role \
--assume-role-policy-document file:///tmp/ec2-trust-policy.json \
--region us-east-1
aws iam attach-role-policy \
--role-name EC2-SSM-Role \
--policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore \
--region us-east-1
Create an instance profile and add the role:
aws iam create-instance-profile \
--instance-profile-name EC2-SSM-Profile \
--region us-east-1
aws iam add-role-to-instance-profile \
--instance-profile-name EC2-SSM-Profile \
--role-name EC2-SSM-Role \
--region us-east-1
Attach the instance profile to an EC2 instance:
aws ec2 associate-iam-instance-profile \
--instance-id <your-instance-id> \
--iam-instance-profile Name=EC2-SSM-Profile \
--region us-east-1
Verify SSM registration:
aws ssm describe-instance-information \
--filters "Key=InstanceIds,Values=<your-instance-id>" \
--region us-east-1
The instance should appear with PingStatus: Online.
CloudFormation (optional)
This template creates an EC2 instance with SSM management enabled:
AWSTemplateFormatVersion: '2010-09-09'
Description: EC2 instance managed by AWS Systems Manager
Parameters:
  InstanceType:
    Type: String
    Default: t3.micro
    Description: EC2 instance type
  LatestAmiId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64
    Description: Latest Amazon Linux 2023 AMI ID
  SubnetId:
    Type: AWS::EC2::Subnet::Id
    Description: Subnet ID for the EC2 instance
Resources:
  SSMRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: EC2-SSM-Role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  SSMInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName: EC2-SSM-Profile
      Roles:
        - !Ref SSMRole
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: !Ref InstanceType
      ImageId: !Ref LatestAmiId
      SubnetId: !Ref SubnetId
      IamInstanceProfile: !Ref SSMInstanceProfile
      Tags:
        - Key: Name
          Value: SSM-Managed-Instance
Outputs:
  InstanceId:
    Description: EC2 Instance ID
    Value: !Ref EC2Instance
  SSMRoleArn:
    Description: ARN of the SSM IAM Role
    Value: !GetAtt SSMRole.Arn
Deploy the template:
aws cloudformation deploy \
--template-file ssm-managed-instance.yaml \
--stack-name ssm-managed-ec2 \
--parameter-overrides SubnetId=<your-subnet-id> \
--capabilities CAPABILITY_NAMED_IAM \
--region us-east-1
Terraform (optional)
provider "aws" {
  region = "us-east-1"
}

# IAM role for SSM
resource "aws_iam_role" "ssm_role" {
  name = "EC2-SSM-Role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = {
        Service = "ec2.amazonaws.com"
      }
    }]
  })
}

# Attach the SSM managed policy
resource "aws_iam_role_policy_attachment" "ssm_policy" {
  role       = aws_iam_role.ssm_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

# Instance profile
resource "aws_iam_instance_profile" "ssm_profile" {
  name = "EC2-SSM-Profile"
  role = aws_iam_role.ssm_role.name
}

# Get latest Amazon Linux 2023 AMI
data "aws_ami" "amazon_linux_2023" {
  most_recent = true
  owners      = ["amazon"]
  filter {
    name   = "name"
    values = ["al2023-ami-*-x86_64"]
  }
  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }
}

# EC2 instance with SSM management
resource "aws_instance" "ssm_managed" {
  ami                  = data.aws_ami.amazon_linux_2023.id
  instance_type        = "t3.micro"
  iam_instance_profile = aws_iam_instance_profile.ssm_profile.name
  subnet_id            = var.subnet_id
  tags = {
    Name = "SSM-Managed-Instance"
  }
}

variable "subnet_id" {
  description = "Subnet ID for the EC2 instance"
  type        = string
}

output "instance_id" {
  description = "EC2 Instance ID"
  value       = aws_instance.ssm_managed.id
}
Apply the configuration:
terraform init
terraform apply -var="subnet_id=<your-subnet-id>"
Verification
After completing the remediation:
- Go to Systems Manager > Fleet Manager in the AWS Console
- Look for your instance in the list
- Confirm it shows Online status (green indicator)
- Optionally, test Session Manager access:
- Select your instance
- Click Node actions > Start terminal session
- A browser-based terminal should open
CLI verification commands
Check if the instance is registered with SSM:
aws ssm describe-instance-information \
--filters "Key=InstanceIds,Values=<your-instance-id>" \
--region us-east-1
Expected output includes:
{
"InstanceInformationList": [
{
"InstanceId": "i-0123456789abcdef0",
"PingStatus": "Online",
"PlatformType": "Linux",
"PlatformName": "Amazon Linux",
"IsLatestVersion": true,
...
}
]
}
If the instance does not appear or shows PingStatus: Inactive:
- Verify the IAM role is attached:
  aws ec2 describe-instances --instance-ids <your-instance-id> --query 'Reservations[].Instances[].IamInstanceProfile'
- Check network connectivity to SSM endpoints
- Verify SSM Agent is running on the instance
Re-run the Prowler check:
prowler aws --checks ec2_instance_managed_by_ssm
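The check described in the Overview and the troubleshooting list above, worked through as an added example (not Prowler's own code): it takes the JSON shapes returned by aws ec2 describe-instances and aws ssm describe-instance-information, ignores instances that are not running, and classifies each running instance as managed, missing an IAM profile, never registered, or registered but not Online. The sample data and the 123456789012 account number are constructed placeholders; fetch_and_classify is an assumed helper that runs the same logic against a live account with boto3.

```python
def classify_instances(reservations, ssm_info_list):
    """Return {instance_id: status}. 'managed' means running and Online in SSM;
    'not-running' instances are not flagged; the remaining statuses are the
    failure modes from the troubleshooting list (no IAM profile, unknown to
    SSM, or registered but not Online)."""
    ping = {i["InstanceId"]: i.get("PingStatus", "Unknown") for i in ssm_info_list}
    result = {}
    for res in reservations:
        for inst in res.get("Instances", []):
            iid = inst["InstanceId"]
            if inst.get("State", {}).get("Name") != "running":
                result[iid] = "not-running"
            elif iid not in ping:
                # Unknown to SSM: either Step 3 was skipped or the agent cannot reach SSM
                result[iid] = "not-registered" if inst.get("IamInstanceProfile") else "no-iam-profile"
            elif ping[iid] == "Online":
                result[iid] = "managed"
            else:
                result[iid] = "registered-" + ping[iid].lower()  # e.g. registered-inactive
    return result

def unmanaged_ids(reservations, ssm_info_list):
    """Instance IDs the check would flag: running but not Online in SSM."""
    statuses = classify_instances(reservations, ssm_info_list)
    return sorted(i for i, s in statuses.items() if s not in ("managed", "not-running"))

def fetch_and_classify(region):
    """Same logic against a live account (needs boto3 and AWS credentials)."""
    import boto3  # imported lazily so the constructed sample below runs offline
    ec2 = boto3.client("ec2", region_name=region)
    ssm = boto3.client("ssm", region_name=region)
    reservations = [r for p in ec2.get_paginator("describe_instances").paginate()
                    for r in p["Reservations"]]
    info = [i for p in ssm.get_paginator("describe_instance_information").paginate()
            for i in p["InstanceInformationList"]]
    return classify_instances(reservations, info)

# Constructed sample data; instance IDs and the account number are placeholders.
PROFILE = {"Arn": "arn:aws:iam::123456789012:instance-profile/EC2-SSM-Profile"}
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0123456789abcdef0", "State": {"Name": "running"}, "IamInstanceProfile": PROFILE},
    {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "State": {"Name": "running"}},  # no role attached
    {"InstanceId": "i-0bbbbbbbbbbbbbbb2", "State": {"Name": "running"}, "IamInstanceProfile": PROFILE},
    {"InstanceId": "i-0ccccccccccccccc3", "State": {"Name": "stopped"}},
]}]
SAMPLE_SSM_INFO = [
    {"InstanceId": "i-0123456789abcdef0", "PingStatus": "Online", "PlatformType": "Linux"},
    {"InstanceId": "i-0bbbbbbbbbbbbbbb2", "PingStatus": "Inactive"},
]
```

Running classify_instances over the sample yields one managed instance, one with no IAM profile, one registered but Inactive, and one stopped instance that the check does not flag.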
Additional Resources
- AWS Systems Manager Documentation
- Setting Up Systems Manager
- SSM Agent Installation
- Session Manager Documentation
- Create VPC Endpoints for SSM
- AmazonSSMManagedInstanceCore Policy
Notes
- SSM Agent pre-installed: Most AWS-provided AMIs (Amazon Linux, Ubuntu, Windows Server 2016+) include SSM Agent by default. Custom or older AMIs may require manual installation.
- Instance state matters: Only running instances can register with SSM. Stopped, terminated, or pending instances are not flagged by this check.
- Network connectivity is critical: If your instance is in a private subnet without NAT or VPC endpoints, it cannot reach SSM endpoints and will not register.
- Registration delay: After attaching an IAM role, allow 2-5 minutes for the instance to appear in Fleet Manager.
- Session Manager benefits: Once managed by SSM, use Session Manager instead of SSH/RDP. This eliminates the need for open inbound ports (22/3389) and provides audit logging.
- Hybrid environments: For on-premises servers or VMs in other clouds, you can also register them as SSM managed instances using hybrid activations.
- Least privilege: The AmazonSSMManagedInstanceCore policy provides the minimum permissions for SSM. Add additional policies only as needed for specific SSM features (e.g., AmazonSSMPatchAssociation for Patch Manager).