Security Hub controls for Systems Manager
These AWS Security Hub controls evaluate the AWS Systems Manager (SSM) service and resources.
These controls may not be available in all AWS Regions. For more information, see Availability of controls by Region.
[SSM.1] Amazon EC2 instances should be managed by AWS Systems Manager
Related requirements: PCI DSS v3.2.1/2.4, NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2), NIST.800-53.r5 CM-8, NIST.800-53.r5 CM-8(1), NIST.800-53.r5 CM-8(2), NIST.800-53.r5 CM-8(3), NIST.800-53.r5 SA-15(2), NIST.800-53.r5 SA-15(8), NIST.800-53.r5 SA-3, NIST.800-53.r5 SI-2(3)
Category: Identify > Inventory
Severity: Medium
Evaluated resource: AWS::EC2::Instance
Required AWS Config recording resources: AWS::EC2::Instance, AWS::SSM::ManagedInstanceInventory
AWS Config rule: ec2-instance-managed-by-systems-manager
Schedule type: Change triggered
Parameters: None
This control checks whether the stopped and running EC2 instances in your account are managed by AWS Systems Manager; instances in other states, such as terminated, are not evaluated. Systems Manager is an AWS service that you can use to view and control your AWS infrastructure.
To help you maintain security and compliance, Systems Manager scans your stopped and running managed instances. A managed instance is a machine that is configured for use with Systems Manager: SSM Agent is installed and running, the agent has IAM permissions to call Systems Manager (through an instance profile or the Default Host Management Configuration), and the instance can reach the Systems Manager endpoints over the network. If any of these is missing, the instance never registers with Systems Manager and this control fails for it. Systems Manager reports or takes corrective action on any policy violations that it detects on managed instances, and also helps you to configure and maintain them.
To learn more, see AWS Systems Manager User Guide.
Remediation
To manage EC2 instances with Systems Manager, see Amazon EC2 host management in the AWS Systems Manager User Guide. In the Configuration options section, you can keep the default choices or change them as necessary for your preferred configuration.
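The check this control performs can be reproduced from two API outputs: the EC2 instance list and the list of nodes that have registered with Systems Manager. The script below is an added example for this page, not AWS code. Its inputs are shaped like the JSON printed by `aws ec2 describe-instances` and `aws ssm describe-instance-information`; the records are constructed so it runs offline, and the instance IDs are placeholders. It also separates a second case the control does not flag: running instances that registered once but whose agent is no longer Online, which still count as managed but will not receive patches or associations.

```python
"""SSM.1 offline check: which EC2 instances are not managed by Systems Manager.

Added example for this page, not AWS code. The two inputs are shaped like the
JSON printed by `aws ec2 describe-instances` and
`aws ssm describe-instance-information`; the records below are constructed so
the script runs without credentials. Against a real account, json.load() the
two command outputs and pass them in instead.
"""
import json
import sys

# Constructed stand-in for `aws ec2 describe-instances`, trimmed to the fields
# this check needs. SSM.1 evaluates stopped and running instances only.
DESCRIBE_INSTANCES = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0a1b2c3d4e5f60001", "State": {"Name": "running"}},
            {"InstanceId": "i-0a1b2c3d4e5f60002", "State": {"Name": "stopped"}},
            {"InstanceId": "i-0a1b2c3d4e5f60003", "State": {"Name": "terminated"}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0a1b2c3d4e5f60004", "State": {"Name": "running"}},
            {"InstanceId": "i-0a1b2c3d4e5f60005", "State": {"Name": "stopped"}},
        ]},
    ]
}

# Constructed stand-in for `aws ssm describe-instance-information`. A node
# appears here once SSM Agent has registered with the service. The hybrid
# node (mi-...) shows that non-EC2 nodes are simply ignored by this check.
DESCRIBE_INSTANCE_INFORMATION = {
    "InstanceInformationList": [
        {"InstanceId": "i-0a1b2c3d4e5f60001", "PingStatus": "Online"},
        {"InstanceId": "i-0a1b2c3d4e5f60004", "PingStatus": "ConnectionLost"},
        {"InstanceId": "i-0a1b2c3d4e5f60005", "PingStatus": "ConnectionLost"},
        {"InstanceId": "mi-0123456789abcdef0", "PingStatus": "Online"},
    ]
}

IN_SCOPE_STATES = {"running", "stopped"}


def in_scope_instances(describe_instances: dict) -> dict:
    """Map InstanceId -> state for the instances SSM.1 evaluates."""
    instances = {}
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            state = inst["State"]["Name"]
            if state in IN_SCOPE_STATES:
                instances[inst["InstanceId"]] = state
    return instances


def registered_nodes(describe_instance_information: dict) -> dict:
    """Map InstanceId -> PingStatus for every node registered with Systems Manager."""
    return {
        node["InstanceId"]: node.get("PingStatus", "Unknown")
        for node in describe_instance_information.get("InstanceInformationList", [])
    }


def evaluate_ssm1(describe_instances: dict, describe_instance_information: dict):
    """Return (unmanaged, agent_lost).

    unmanaged:  in-scope instances with no Systems Manager registration at all;
                these are the instances SSM.1 reports as FAILED.
    agent_lost: running instances that are registered but whose agent is not
                Online. The control still treats them as managed (a stopped
                instance is registered-but-not-Online too, and passes), but
                patching and associations will not run on them until the
                agent reconnects, so they deserve a look of their own.
    """
    instances = in_scope_instances(describe_instances)
    nodes = registered_nodes(describe_instance_information)
    unmanaged = sorted(i for i in instances if i not in nodes)
    agent_lost = sorted(
        i for i, state in instances.items()
        if state == "running" and i in nodes and nodes[i] != "Online"
    )
    return unmanaged, agent_lost


if __name__ == "__main__":
    unmanaged, agent_lost = evaluate_ssm1(DESCRIBE_INSTANCES, DESCRIBE_INSTANCE_INFORMATION)
    print(json.dumps({"unmanaged": unmanaged, "agent_lost": agent_lost}, indent=2))
    sys.exit(1 if unmanaged else 0)
```

On the constructed data the script reports i-0a1b2c3d4e5f60002 as unmanaged (stopped, never registered, so SSM.1 fails for it) and i-0a1b2c3d4e5f60004 as registered but with its agent lost; the terminated instance and the hybrid node are not considered.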
[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation
Related requirements: PCI DSS v3.2.1/6.2, NIST.800-53.r5 CM-8(3), NIST.800-53.r5 SI-2, NIST.800-53.r5 SI-2(2), NIST.800-53.r5 SI-2(3), NIST.800-53.r5 SI-2(4), NIST.800-53.r5 SI-2(5)
Category: Detect > Detection services
Severity: High
Resource type: AWS::SSM::PatchCompliance
AWS Config rule: ec2-managedinstance-patch-compliance-status-check
Schedule type: Change triggered
Parameters: None
This control checks whether the Systems Manager patch compliance status of an instance is COMPLIANT or NON_COMPLIANT after a patch installation on the instance. The control fails if the compliance status is NON_COMPLIANT. The control only checks instances that are managed by Systems Manager Patch Manager, that is, instances for which a patching operation has produced compliance data.
Patching your EC2 instances as required by your organization reduces the attack surface of your AWS accounts.
Remediation
Systems Manager recommends using patch policies to configure patching for your managed instances. You can also use Systems Manager documents, as described in the following procedure, to patch an instance.
To remediate noncompliant patches
- Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.
- In the navigation pane, under Node Management, choose Run Command, and then choose Run command.
- Choose the AWS-RunPatchBaseline document.
- Change the Operation parameter to Install.
- Choose Choose instances manually, and then choose the noncompliant instances.
- Choose Run.
- After the command is complete, to monitor the new compliance status of your patched instances, choose Compliance in the navigation pane.
[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT
Related requirements: PCI DSS v3.2.1/2.4, NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2), NIST.800-53.r5 CM-8, NIST.800-53.r5 CM-8(1), NIST.800-53.r5 CM-8(3), NIST.800-53.r5 SI-2(3)
Category: Detect > Detection services
Severity: Low
Resource type: AWS::SSM::AssociationCompliance
AWS Config rule: ec2-managedinstance-association-compliance-status-check
Schedule type: Change triggered
Parameters: None
This control checks whether the AWS Systems Manager association compliance status of an instance is COMPLIANT or NON_COMPLIANT after the association is run on the instance. The control fails if the association compliance status is NON_COMPLIANT.
A State Manager association is a configuration that is assigned to your managed instances. The configuration defines the state that you want to maintain on your instances. For example, an association can specify that antivirus software must be installed and running on your instances or that certain ports must be closed.
After you create one or more State Manager associations, compliance status information is immediately available to you. You can view the compliance status in the console or in response to AWS CLI commands or the corresponding Systems Manager API actions. For associations, Configuration Compliance shows the compliance status (Compliant or Non-compliant). It also shows the severity level assigned to the association, such as Critical or Medium.
To learn more about State Manager association compliance, see About State Manager association compliance in the AWS Systems Manager User Guide.
Remediation
A failed association can be related to different things, including targets and Systems Manager document names. To remediate this issue, you must first identify and investigate the association by viewing association history. For instructions on viewing association history, see Viewing association histories in the AWS Systems Manager User Guide.
After investigating, you can edit the association to correct the identified issue. You can edit an association to specify a new name, schedule, severity level, or targets. After you edit an association, AWS Systems Manager creates a new version. For instructions on editing an association, see Editing and creating a new version of an association in the AWS Systems Manager User Guide.
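Both SSM.2 and SSM.3 read the same Systems Manager compliance data, with the compliance type set to Patch or Association respectively. The script below is an added example for this page, not AWS code: it takes items shaped like the ResourceComplianceSummaryItems returned by `aws ssm list-resource-compliance-summaries` (constructed here, with placeholder instance IDs; paginate in a real account), lists the NON_COMPLIANT nodes per type ordered by severity, and for the Patch type builds the SendCommand requests that are the API equivalent of the AWS-RunPatchBaseline Install procedure under SSM.2. Association failures are only listed, because the remediation for those is the investigation described above rather than a single command.

```python
"""SSM.2 / SSM.3 offline triage: NON_COMPLIANT managed nodes by compliance type,
most severe first, plus the AWS-RunPatchBaseline Install requests for the
Patch failures.

Added example for this page, not AWS code. Input items are shaped like the
ResourceComplianceSummaryItems returned by
`aws ssm list-resource-compliance-summaries`; the records below are constructed
so the script runs without credentials.
"""
import json

SEVERITY_RANK = {
    "CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFORMATIONAL": 4, "UNSPECIFIED": 5,
}
SEND_COMMAND_MAX_INSTANCE_IDS = 50  # SendCommand accepts at most 50 InstanceIds per call


def _item(resource_id, ctype, status, severity="UNSPECIFIED", noncompliant=0):
    """Build one constructed summary item with the fields the API returns."""
    return {
        "ComplianceType": ctype,
        "ResourceType": "ManagedInstance",
        "ResourceId": resource_id,
        "Status": status,
        "OverallSeverity": severity,
        "NonCompliantSummary": {"NonCompliantCount": noncompliant},
    }


# Constructed sample: three managed nodes, each with a Patch and an Association row.
SUMMARIES = [
    _item("i-0a1b2c3d4e5f60001", "Patch", "NON_COMPLIANT", "HIGH", 3),
    _item("i-0a1b2c3d4e5f60001", "Association", "COMPLIANT"),
    _item("i-0a1b2c3d4e5f60002", "Patch", "COMPLIANT"),
    _item("i-0a1b2c3d4e5f60002", "Association", "NON_COMPLIANT", "MEDIUM", 1),
    _item("i-0a1b2c3d4e5f60003", "Patch", "NON_COMPLIANT", "CRITICAL", 1),
    _item("i-0a1b2c3d4e5f60003", "Association", "NON_COMPLIANT", "LOW", 2),
]


def noncompliant_by_type(summaries):
    """Group NON_COMPLIANT summaries by ComplianceType ("Patch", "Association"),
    each group sorted most severe first, then by resource ID."""
    groups = {}
    for item in summaries:
        if item.get("Status") != "NON_COMPLIANT":
            continue
        groups.setdefault(item["ComplianceType"], []).append({
            "ResourceId": item["ResourceId"],
            "Severity": item.get("OverallSeverity", "UNSPECIFIED"),
            "NonCompliantCount": item.get("NonCompliantSummary", {}).get("NonCompliantCount", 0),
        })
    for rows in groups.values():
        rows.sort(key=lambda r: (SEVERITY_RANK.get(r["Severity"], 99), r["ResourceId"]))
    return groups


def patch_install_requests(summaries):
    """SendCommand request bodies (the keys boto3's ssm.send_command takes)
    that run AWS-RunPatchBaseline with Operation=Install on every node whose
    Patch compliance is NON_COMPLIANT, chunked to the per-call limit."""
    targets = [row["ResourceId"] for row in noncompliant_by_type(summaries).get("Patch", [])]
    return [
        {
            "DocumentName": "AWS-RunPatchBaseline",
            "Parameters": {"Operation": ["Install"]},
            "InstanceIds": targets[i:i + SEND_COMMAND_MAX_INSTANCE_IDS],
        }
        for i in range(0, len(targets), SEND_COMMAND_MAX_INSTANCE_IDS)
    ]


if __name__ == "__main__":
    print(json.dumps(noncompliant_by_type(SUMMARIES), indent=2))
    for request in patch_install_requests(SUMMARIES):
        # Equivalent CLI: aws ssm send-command --document-name AWS-RunPatchBaseline \
        #   --parameters Operation=Install --instance-ids <ids>
        print(json.dumps(request))
```

On the constructed data the Patch group lists i-0a1b2c3d4e5f60003 (CRITICAL) before i-0a1b2c3d4e5f60001 (HIGH), and the single SendCommand request targets exactly those two; the Association group points the operator at i-0a1b2c3d4e5f60002 and i-0a1b2c3d4e5f60003 for the association history review described above.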
[SSM.4] SSM documents should not be public
Related requirements: NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)
Category: Protect > Secure network configuration > Resources not publicly accessible
Severity: Critical
Resource type: AWS::SSM::Document
AWS Config rule: ssm-document-not-public
Schedule type: Periodic
Parameters: None
This control checks whether AWS Systems Manager documents that are owned by the account are public. This control fails if Systems Manager documents with the owner Self are public.
Systems Manager documents that are public might allow unintended access to your documents. A public Systems Manager document can expose valuable information about your account, resources, and internal processes.
Unless your use case requires public sharing, we recommend that you turn on the block public sharing setting for Systems Manager documents that are owned by Self. A document is public when its Share permission includes the account ID all; sharing it with specific account IDs does not make it public.
Remediation
To block public sharing for Systems Manager documents, see Block public sharing for SSM documents in the AWS Systems Manager User Guide.
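The per-document permissions and the account-level block public sharing setting are separate objects, so a complete check looks at both. The script below is an added example for this page, not AWS code. Its inputs are shaped like the output of `aws ssm list-documents --filters Key=Owner,Values=Self`, `aws ssm describe-document-permission --name <doc> --permission-type Share` and `aws ssm get-service-setting --setting-id /ssm/documents/console/public-sharing-permission`; the records are constructed so it runs offline, and the account ID and document names are placeholders. It reports the Self-owned documents that are shared with all and emits the CLI commands that un-share them and disable public sharing. The service setting is regional, so run the check in every Region you use.

```python
"""SSM.4 offline check: which of the account's own SSM documents are public,
and whether public sharing is blocked at the account level.

Added example for this page, not AWS code. Inputs are shaped like
`aws ssm list-documents --filters Key=Owner,Values=Self`,
`aws ssm describe-document-permission --name <doc> --permission-type Share` and
`aws ssm get-service-setting --setting-id /ssm/documents/console/public-sharing-permission`.
Records below are constructed; 123456789012 and the document names are placeholders.
"""

PUBLIC_SHARING_SETTING_ID = "/ssm/documents/console/public-sharing-permission"
PUBLIC_PRINCIPAL = "all"   # sharing with this "account ID" makes a document public
ACCOUNT_ID = "123456789012"

# Constructed stand-in for list-documents (an AWS-owned document is included to
# show that only Self-owned documents are evaluated).
LIST_DOCUMENTS = {
    "DocumentIdentifiers": [
        {"Name": "deploy-agent", "Owner": ACCOUNT_ID, "DocumentType": "Command"},
        {"Name": "rotate-keys", "Owner": ACCOUNT_ID, "DocumentType": "Automation"},
        {"Name": "AWS-RunPatchBaseline", "Owner": "Amazon", "DocumentType": "Command"},
    ]
}

# Constructed stand-in for describe-document-permission, keyed by document name.
PERMISSIONS = {
    "deploy-agent": {
        "AccountIds": ["all"],
        "AccountSharingInfoList": [{"AccountId": "all", "SharedDocumentVersion": "$DEFAULT"}],
    },
    "rotate-keys": {
        "AccountIds": ["111122223333"],
        "AccountSharingInfoList": [{"AccountId": "111122223333", "SharedDocumentVersion": "$DEFAULT"}],
    },
}

# Constructed stand-in for get-service-setting; "Enable" is the default value,
# meaning public sharing is allowed.
SERVICE_SETTING = {
    "ServiceSetting": {
        "SettingId": PUBLIC_SHARING_SETTING_ID,
        "SettingValue": "Enable",
        "Status": "Default",
    }
}


def is_public(permission: dict) -> bool:
    """A document is public when its Share permission lists the account ID all."""
    return PUBLIC_PRINCIPAL in permission.get("AccountIds", [])


def own_documents(list_documents: dict, account_id: str) -> list:
    """Names of documents whose Owner is this account (owner Self)."""
    return sorted(
        d["Name"] for d in list_documents.get("DocumentIdentifiers", [])
        if d.get("Owner") == account_id
    )


def public_documents(list_documents: dict, permissions: dict, account_id: str) -> list:
    """Self-owned documents that are public: the resources SSM.4 fails on."""
    return [
        name for name in own_documents(list_documents, account_id)
        if is_public(permissions.get(name, {}))
    ]


def public_sharing_blocked(service_setting: dict) -> bool:
    """True when the account-level setting is Disable (public sharing blocked)."""
    return service_setting.get("ServiceSetting", {}).get("SettingValue") == "Disable"


def remediation_commands(list_documents, permissions, service_setting, account_id) -> list:
    """CLI commands that un-share each public document and block future public sharing."""
    commands = [
        f"aws ssm modify-document-permission --name {name} "
        f"--permission-type Share --account-ids-to-remove {PUBLIC_PRINCIPAL}"
        for name in public_documents(list_documents, permissions, account_id)
    ]
    if not public_sharing_blocked(service_setting):
        commands.append(
            f"aws ssm update-service-setting --setting-id {PUBLIC_SHARING_SETTING_ID} "
            f"--setting-value Disable"
        )
    return commands


if __name__ == "__main__":
    for command in remediation_commands(LIST_DOCUMENTS, PERMISSIONS, SERVICE_SETTING, ACCOUNT_ID):
        print(command)
```

On the constructed data only deploy-agent is public (rotate-keys is shared with one specific account, which SSM.4 does not flag), and because the setting is still at its Enable default the script emits both the modify-document-permission command for deploy-agent and the update-service-setting command.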