Ensure SSM Incidents is Enabled with Response Plans
Overview
This check verifies that AWS Systems Manager Incident Manager has an active replication set and at least one response plan configured. Incident Manager helps teams respond to and resolve critical incidents affecting AWS-hosted applications through automated workflows, collaboration tools, and escalation procedures.
Risk
Without Incident Manager properly configured, your organization may face:
- Delayed incident response - No automated workflows to kick off when issues occur
- Extended outages - Higher mean time to recovery (MTTR) due to manual coordination
- Poor visibility - Lack of centralized tracking for ongoing incidents
- Missed escalations - No automatic notification of the right people at the right time
- Data exposure risk - Delayed containment allows potential data exfiltration
Remediation Steps
Prerequisites
You need:
- AWS Console access with permissions to manage SSM Incident Manager
- Ability to create IAM service-linked roles (happens automatically on first use)
AWS Console Method
1. Open Incident Manager
   - Go to the AWS Systems Manager Console
   - In the left navigation, under Operations Management, click Incident Manager
2. Set Up Incident Manager (if first time)
   - If you see a "Get prepared" or setup screen, click Get prepared
   - Select at least one AWS Region (us-east-1 is recommended)
   - Choose your encryption option (AWS managed key is fine for most cases)
   - Click Create
3. Verify Replication Set is Active
   - On the Incident Manager dashboard, look for Replication set status
   - Confirm it shows Active
   - If it shows "Creating" or "Updating", wait a few minutes and refresh
4. Create a Response Plan
   - Click Response plans in the left navigation
   - Click Create response plan
   - Enter a Name (e.g., security-incident-response)
   - Enter a Display name (e.g., Security Incident Response Plan)
   - Under Incident defaults:
     - Enter a Title (e.g., Security Incident)
     - Select an Impact level (1 = Critical, 5 = Low)
   - Optionally add contacts, chat channels, or runbooks
   - Click Create response plan
5. Verify the Response Plan Exists
   - Return to Response plans
   - Confirm your new plan appears in the list
AWS CLI Method
Step 1: Check if a replication set already exists

```shell
aws ssm-incidents list-replication-sets --region us-east-1
```

If the output shows an empty replicationSetArns array, you need to create one.

Step 2: Create a replication set

```shell
aws ssm-incidents create-replication-set \
  --region us-east-1 \
  --regions '{"us-east-1": {}}'
```

Step 3: Wait for the replication set to become active

The waiter is named wait-for-replication-set-active (it polls get-replication-set until the status is ACTIVE):

```shell
aws ssm-incidents wait wait-for-replication-set-active --region us-east-1 --arn <replication-set-arn>
```

Or check status manually:

```shell
aws ssm-incidents get-replication-set \
  --region us-east-1 \
  --arn <replication-set-arn>
```

Look for "status": "ACTIVE" in the output (CREATING or UPDATING means the set is not ready yet).

Step 4: Create a response plan

```shell
aws ssm-incidents create-response-plan \
  --region us-east-1 \
  --name "security-incident-response" \
  --display-name "Security Incident Response Plan" \
  --incident-template '{"title": "Security Incident", "impact": 2}'
```

Step 5: Verify response plans exist

```shell
aws ssm-incidents list-response-plans --region us-east-1
```
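The five CLI steps above probe three conditions: a replication set exists, it is ACTIVE, and at least one response plan is defined. The script below is an added example that evaluates those conditions from the ssm-incidents API responses; it is not Prowler's implementation of the check and not code from this page. The response field names (replicationSetArns, replicationSet.status, responsePlanSummaries) are the real API shapes; the sample responses are constructed, and the live fetch_state function assumes boto3 and read credentials.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class IncidentManagerState:
    replication_set_arns: list
    replication_set_status: Optional[str]  # None when no replication set exists
    response_plan_count: int

def evaluate(state: IncidentManagerState) -> tuple:
    """Return (result, reason); result is PASS, FAIL or PENDING."""
    if not state.replication_set_arns:
        return "FAIL", "no replication set exists in this account"
    if state.replication_set_status in ("CREATING", "UPDATING"):
        return "PENDING", f"replication set is {state.replication_set_status}; retry later"
    if state.replication_set_status != "ACTIVE":
        return "FAIL", f"replication set status is {state.replication_set_status}"
    if state.response_plan_count == 0:
        return "FAIL", "replication set is ACTIVE but no response plan is defined"
    return "PASS", f"ACTIVE replication set and {state.response_plan_count} response plan(s)"

def state_from_responses(list_rs: dict, get_rs: Optional[dict], list_rp: dict):
    """Build the state from raw response dicts of list-replication-sets,
    get-replication-set (None if no set exists) and list-response-plans."""
    arns = list_rs.get("replicationSetArns", [])
    status = get_rs["replicationSet"]["status"] if arns and get_rs else None
    return IncidentManagerState(arns, status, len(list_rp.get("responsePlanSummaries", [])))

def fetch_state(region: str = "us-east-1") -> IncidentManagerState:
    """Live variant: needs boto3 and credentials allowed to read ssm-incidents.
    Only the first page of response plans is needed, since one plan is enough to pass."""
    import boto3  # imported here so the evaluation logic above runs offline
    client = boto3.client("ssm-incidents", region_name=region)
    list_rs = client.list_replication_sets()
    get_rs = None
    if list_rs.get("replicationSetArns"):
        get_rs = client.get_replication_set(arn=list_rs["replicationSetArns"][0])
    return state_from_responses(list_rs, get_rs, client.list_response_plans())

# Constructed sample responses (not real account data), shaped like the CLI output.
SAMPLE_LIST_RS = {"replicationSetArns": ["arn:aws:ssm-incidents::123456789012:replication-set/EXAMPLE-ID"]}
SAMPLE_GET_RS = {"replicationSet": {"status": "ACTIVE", "regionMap": {"us-east-1": {"status": "ACTIVE"}}}}
SAMPLE_LIST_RP = {"responsePlanSummaries": [{"name": "security-incident-response"}]}

if __name__ == "__main__":
    print(evaluate(state_from_responses(SAMPLE_LIST_RS, SAMPLE_GET_RS, SAMPLE_LIST_RP)))
```

Replace the sample dicts with `fetch_state()` to run it against an account; a PENDING result maps to the "Creating"/"Updating" state the console steps tell you to wait out.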
CloudFormation Template
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: SSM Incidents Replication Set and Response Plan
Parameters:
  ResponsePlanName:
    Type: String
    Default: security-incident-response
    Description: Name of the response plan
Resources:
  IncidentReplicationSet:
    Type: AWS::SSMIncidents::ReplicationSet
    Properties:
      Regions:
        - RegionName: us-east-1
      DeletionProtected: false
  SecurityIncidentResponsePlan:
    Type: AWS::SSMIncidents::ResponsePlan
    DependsOn: IncidentReplicationSet
    Properties:
      Name: !Ref ResponsePlanName
      DisplayName: Security Incident Response Plan
      IncidentTemplate:
        Title: Security Incident
        Impact: 2
        Summary: An incident requiring investigation and response.
Outputs:
  ReplicationSetArn:
    Description: ARN of the SSM Incidents Replication Set
    Value: !Ref IncidentReplicationSet
  ResponsePlanArn:
    Description: ARN of the Response Plan
    Value: !GetAtt SecurityIncidentResponsePlan.Arn
```

Deploy the stack:

```shell
aws cloudformation create-stack \
  --stack-name ssm-incidents-setup \
  --template-body file://template.yaml \
  --region us-east-1
```
Terraform Configuration
```hcl
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

# SSM Incidents Replication Set
resource "aws_ssmincidents_replication_set" "main" {
  region {
    name = "us-east-1"
  }
}

# SSM Incidents Response Plan
resource "aws_ssmincidents_response_plan" "security_incident" {
  name = "security-incident-response"

  incident_template {
    title  = "Security Incident"
    impact = 2
  }

  depends_on = [aws_ssmincidents_replication_set.main]

  tags = {
    Environment = "production"
  }
}

output "replication_set_arn" {
  description = "ARN of the SSM Incidents Replication Set"
  value       = aws_ssmincidents_replication_set.main.arn
}

output "response_plan_arn" {
  description = "ARN of the Response Plan"
  value       = aws_ssmincidents_response_plan.security_incident.arn
}
```

Deploy:

```shell
terraform init
terraform apply
```
Verification
After remediation, verify the fix:
1. In the AWS Console:
   - Go to Systems Manager > Incident Manager
   - Confirm the replication set shows Active status
   - Click Response plans and verify at least one plan exists
2. Re-run the Prowler check:

```shell
prowler aws --check ssmincidents_enabled_with_plans --region us-east-1
```
Additional Resources
- AWS Incident Manager User Guide
- Creating Response Plans
- Incident Manager Best Practices
- Replication Sets
Notes
- One replication set per account: You can only have one replication set in your AWS account, but it can span up to three regions.
- Impact levels: Impact ranges from 1 (Critical) to 5 (Low). Choose based on your organization's incident classification.
- Service-linked role: Incident Manager automatically creates a service-linked role (AWSServiceRoleForIncidentManager) when you first use the service.
- Multi-region resilience: For production environments, consider adding multiple regions to your replication set for higher availability.
- Response plan enhancements: After basic setup, consider adding contacts (for notifications), chat channels (for collaboration), and runbooks (for automated remediation steps) to your response plans.