Monitoring the SSM agent status of ec2 instances

[richgreen-moj]

User Story

As a MP Engineer I want to be able to monitor and alert on any ec2 instances that do not have the SSM agent installed.

Value / Purpose

As a follow on from https://github.com/ministryofjustice/modernisation-platform/issues/2415

This story would involve scanning for instances that don't have the SSM agent installed and to gather details of the affected instances and alert MP when this is discovered.

Currently this can be achieved by running this job ad-hoc to retrieve a csv file of non-managed instances.

We may decide to use observability platform for this, but not necessarily

This is to improve our security posture

Useful Contacts

@richgreen-moj @davidkelliott

Additional Information

No response

Proposal / Unknowns

Hypothesis If we... [do a thing] Then... [this will happ]

Proposal A proposal that is something testable, don't worry whether it works or not, it's a place for ideas.

Unknowns Potential pitfalls that could cause the story to expand beyond its original scope. Ideally this section will remain blank.

Definition of Done

Example - [ ] Documentation has been written / updated

• [ ] MP access to Observability Platform is established - if we decide to us Observability platform
• [ ] Dashboard or query created that can monitor ec2 instances across accounts to check for their SSM agent status
• [ ] Alerts added as required to notify MP team of instances without the agent installed
• [ ] Another team member has reviewed
• [ ] Tests are green

[richgreen-moj]

Might not be ready to do this yet on the Observability Platform as we are only trialling it for internal platform use currently (rather than subscribing all member accounts to it).

There was a suggestion that this be turned into a SPIKE and to look into other ways it might be achieved e.g. using fleet manager.

[dms1981]

As a question, is this also tracked by AWS SecurityHub? If that's the case could we pull the SecurityHub findings into Observability Platform?