turbot / steampipe-mod-aws-compliance

Run individual controls or full compliance benchmarks for CIS, PCI, NIST, HIPAA and more across all of your AWS accounts using Powerpipe and Steampipe.
https://hub.steampipe.io/mods/turbot/aws_compliance
Apache License 2.0

EC2 instances should be managed by AWS Systems Manager #540

Closed jchrisfarris closed 1 year ago

jchrisfarris commented 1 year ago

Describe the bug: Stopped EC2 instances are reported as non-compliant by the "EC2 instances should be managed by AWS Systems Manager" check. As they are stopped, they are not reporting to SSM and therefore can never be compliant.

Steampipe version (steampipe -v): v18.0

Plugin version (steampipe plugin list): Default in SPC. Mod version: 0.54.0

To reproduce: Stop an instance that has been reporting into SSM, wait 24hrs, and it becomes non-compliant.

Expected behavior: Stopped instances should be excluded from the query so as not to generate distracting false positive findings.

Additional context: Add any other context about the problem here.

rajlearner17 commented 1 year ago

@jchrisfarris Thanks for this testing & feedback! We will check this and take appropriate action. In this case, we followed the AWS config rule specified here. I guess, initially, we thought that, irrespective of instance state (running/stopped), we would consider the instance as managed by SSM.

To be a managed instance, instances must meet the following prerequisites: reference

Should we include the instance state validation in it? Or maybe, we can recheck how the config rule evaluates the same at our end. If you can share, the result will be helpful.

jchrisfarris commented 1 year ago

I spent time yesterday trying to find the code for these AWS Config rules (and couldn't find it). If you know where the lambda source for these lives, please share.

From a practitioner's standpoint - I don't want to report a violation unless the violation can be fixed. If I wanted a rule that says "Thou shalt not have stopped instances" I'd write that as the rule so it's easy for teams to know what to fix.

In this case, if having stopped instances isn't a requirement, there is no way a team can make a stopped instance compliant with this SSM check unless they start the non-compliant instance - a result that leads to both added expense and risk.

rajlearner17 commented 1 year ago

@jchrisfarris, thanks for the input; I follow this, but it's separate from how the AWS config rule source code is developed.

In the current state, we don't have any SDK support to get the instance stop time; hence, would it make sense for us to capture the instance stopped state and inform users about it as info?

select
  -- Required Columns
  i.arn as resource,
  case
    when i.instance_state = 'stopped' then 'info'
    when m.instance_id is null then 'alarm'
    else 'ok'
  end as status,
  case
    when i.instance_state = 'stopped' then i.title || ' is in stopped state.'
    when m.instance_id is null then i.title || ' not managed by AWS SSM.'
    else i.title || ' managed by AWS SSM.'
  end as reason,
  -- Additional Dimensions
  i.region,
  i.account_id
from
  aws_ec2_instance i
  left join aws_ssm_managed_instance m on m.instance_id = i.instance_id;
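Extending the query in the reply above into a fuller control, as an added example that is not part of the thread or the mod's own code: stopped instances are reported as info rather than alarm, terminated instances are left out of the evaluation entirely, and an instance that is registered in SSM but whose agent has stopped pinging is flagged separately so the finding stays actionable. The ping_status and last_ping_date_time columns of aws_ssm_managed_instance, and the 'Online'/'ConnectionLost' values, are assumptions about the plugin schema.

```sql
-- Added example, not the mod's own control query.
-- Assumed: aws_ssm_managed_instance exposes ping_status
-- ('Online', 'ConnectionLost', 'Inactive') and last_ping_date_time.
with candidates as (
  select
    i.arn,
    i.title,
    i.instance_state,
    i.region,
    i.account_id,
    m.instance_id as managed_instance_id,
    m.ping_status,
    m.last_ping_date_time
  from
    aws_ec2_instance i
    left join aws_ssm_managed_instance m on m.instance_id = i.instance_id
  where
    -- a terminated instance can never be remediated, so it is not evaluated
    i.instance_state not in ('terminated', 'shutting-down')
)
select
  -- Required Columns
  arn as resource,
  case
    -- stopped instances cannot ping SSM; report them, but do not alarm
    when instance_state in ('stopped', 'stopping') then 'info'
    when managed_instance_id is null then 'alarm'
    -- registered with SSM, but the agent is not reporting: still actionable
    when ping_status is distinct from 'Online' then 'alarm'
    else 'ok'
  end as status,
  case
    when instance_state in ('stopped', 'stopping')
      then title || ' is ' || instance_state || '; SSM status not evaluated.'
    when managed_instance_id is null
      then title || ' not managed by AWS SSM.'
    when ping_status is distinct from 'Online'
      then title || ' registered with SSM but ' || coalesce(ping_status, 'unknown')
        || ' (last ping ' || coalesce(last_ping_date_time::text, 'never') || ').'
    else title || ' managed by AWS SSM.'
  end as reason,
  -- Additional Dimensions
  region,
  account_id
from
  candidates;
```

Using 'skip' instead of 'info' for the stopped branch removes those rows from the benchmark totals altogether, if the goal is to hide rather than annotate them.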