Submitted URL: https://docs.aws.amazon.com/console/securityhub/SSM.3/remediation
Effective URL: https://docs.aws.amazon.com/securityhub/latest/userguide/ssm-controls.html
Submission: On December 31 via api from SG — Scanned from SG

Amazon EC2 Systems Manager controls - AWS Security Hub

AMAZON EC2 SYSTEMS MANAGER CONTROLS


These controls are related to Amazon EC2 instances that are managed by AWS
Systems Manager.

These controls may not be available in all AWS Regions. For more information,
see Availability of controls by Region.


[SSM.1] AMAZON EC2 INSTANCES SHOULD BE MANAGED BY AWS SYSTEMS MANAGER


Related requirements: PCI DSS v3.2.1/2.4, NIST.800-53.r5 CA-9(1), NIST.800-53.r5
CM-2, NIST.800-53.r5 CM-2(2), NIST.800-53.r5 CM-8, NIST.800-53.r5 CM-8(1),
NIST.800-53.r5 CM-8(2), NIST.800-53.r5 CM-8(3), NIST.800-53.r5 SA-15(2),
NIST.800-53.r5 SA-15(8), NIST.800-53.r5 SA-3, NIST.800-53.r5 SI-2(3)

Category: Identify > Inventory

Severity: Medium

Resource type: AWS::EC2::Instance

AWS Config rule: ec2-instance-managed-by-systems-manager

Schedule type: Change triggered

Parameters: None

This control checks whether the stopped and running EC2 instances in your
account are managed by AWS Systems Manager. Systems Manager is an AWS service
that you can use to view and control your AWS infrastructure.

To help you to maintain security and compliance, Systems Manager scans your
stopped and running managed instances. A managed instance is a machine that is
configured for use with Systems Manager. Systems Manager then reports or takes
corrective action on any policy violations that it detects. Systems Manager also
helps you to configure and maintain your managed instances.

To learn more, see AWS Systems Manager User Guide.


REMEDIATION

To manage EC2 instances with Systems Manager, see Amazon EC2 host management in
the AWS Systems Manager User Guide. In the Configuration options section, you
can keep the default choices or change them as necessary for your preferred
configuration.


[SSM.2] AMAZON EC2 INSTANCES MANAGED BY SYSTEMS MANAGER SHOULD HAVE A PATCH
COMPLIANCE STATUS OF COMPLIANT AFTER A PATCH INSTALLATION


Related requirements: PCI DSS v3.2.1/6.2, NIST.800-53.r5 CM-8(3), NIST.800-53.r5
SI-2, NIST.800-53.r5 SI-2(2), NIST.800-53.r5 SI-2(3), NIST.800-53.r5 SI-2(4),
NIST.800-53.r5 SI-2(5)

Category: Detect > Detection services

Severity: High

Resource type: AWS::SSM::PatchCompliance

AWS Config rule: ec2-managedinstance-patch-compliance-status-check

Schedule type: Change triggered

Parameters: None

This control checks whether the compliance status of Systems Manager patch
compliance is COMPLIANT or NON_COMPLIANT after the patch installation on the
instance. The control fails if the compliance status is NON_COMPLIANT. The
control only checks instances that are managed by Systems Manager Patch Manager.

Patching your EC2 instances as required by your organization reduces the attack
surface of your AWS accounts.


REMEDIATION

To remediate this issue, install the required patches on your noncompliant
instances.

TO REMEDIATE NONCOMPLIANT PATCHES

 1. Open the AWS Systems Manager console at
    https://console.aws.amazon.com/systems-manager/.

 2. For Node Management, choose Run Command, and then choose Run command.

 3. Choose the option for AWS-RunPatchBaseline.

 4. Change the Operation to Install.

 5. Choose Choose instances manually, and then choose the noncompliant
    instances.

 6. Choose Run.

 7. After the command is complete, to monitor the new compliance status of your
    patched instances, choose Compliance in the navigation pane.

For more information about using Systems Manager documents to patch a managed
instance, see About SSM documents for patching instances and Running commands
using Systems Manager Run command in the AWS Systems Manager User Guide.


[SSM.3] AMAZON EC2 INSTANCES MANAGED BY SYSTEMS MANAGER SHOULD HAVE AN
ASSOCIATION COMPLIANCE STATUS OF COMPLIANT


Related requirements: PCI DSS v3.2.1/2.4, NIST.800-53.r5 CA-9(1), NIST.800-53.r5
CM-2, NIST.800-53.r5 CM-2(2), NIST.800-53.r5 CM-8, NIST.800-53.r5 CM-8(1),
NIST.800-53.r5 CM-8(3), NIST.800-53.r5 SI-2(3)

Category: Detect > Detection services

Severity: Low

Resource type: AWS::SSM::AssociationCompliance

AWS Config rule: ec2-managedinstance-association-compliance-status-check

Schedule type: Change triggered

Parameters: None

This control checks whether the status of the AWS Systems Manager association
compliance is COMPLIANT or NON_COMPLIANT after the association is run on an
instance. The control fails if the association compliance status is
NON_COMPLIANT.

A State Manager association is a configuration that is assigned to your managed
instances. The configuration defines the state that you want to maintain on your
instances. For example, an association can specify that antivirus software must
be installed and running on your instances or that certain ports must be closed.

After you create one or more State Manager associations, compliance status
information is immediately available to you. You can view the compliance status
in the console or in response to AWS CLI commands or corresponding Systems
Manager API actions. For associations, Configuration Compliance shows the
compliance status (Compliant or Non-compliant). It also shows the severity level
assigned to the association, such as Critical or Medium.

To learn more about State Manager association compliance, see About State
Manager association compliance in the AWS Systems Manager User Guide.


REMEDIATION

A failed association can be related to different things, including targets and
SSM document names. To remediate this issue, you must first identify and
investigate the association by viewing association history. For instructions on
viewing association history, see Viewing association histories in the AWS
Systems Manager User Guide.

After investigating, you can edit the association to correct the identified
issue. You can edit an association to specify a new name, schedule, severity
level, or targets. After you edit an association, AWS Systems Manager creates a
new version. For instructions on editing an association, see Editing and
creating a new version of an association in the AWS Systems Manager User Guide.
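The three instance-level controls above (SSM.1, SSM.2 and SSM.3) reduce to set logic over data that Systems Manager already exposes. The following script is an added example, not the AWS Config rule implementation or any AWS-published code: it evaluates the same three conditions over constructed, API-shaped sample data (the dict layouts follow the boto3 responses for ec2.describe_instances, ssm.describe_instance_information and ssm.list_resource_compliance_summaries), and includes a collector that, given boto3 and credentials, pulls the real responses so the same evaluation can run against an account. The instance IDs and severities in the samples are invented.

```python
"""Evaluate the SSM.1, SSM.2 and SSM.3 control logic over Systems Manager
API-shaped data. Added example, not the AWS Config rule implementation.
All sample data below is constructed."""
from typing import Dict, List, Optional, Tuple

# Constructed sample: trimmed ec2.describe_instances() response.
SAMPLE_EC2 = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa111", "State": {"Name": "running"}},
    {"InstanceId": "i-0bbb222", "State": {"Name": "stopped"}},
    {"InstanceId": "i-0ccc333", "State": {"Name": "terminated"}},
    {"InstanceId": "i-0ddd444", "State": {"Name": "running"}},
]}]}

# Constructed sample: trimmed ssm.describe_instance_information() response.
# An instance appears here only once SSM Agent has registered it as managed.
SAMPLE_MANAGED = {"InstanceInformationList": [
    {"InstanceId": "i-0aaa111", "PingStatus": "Online"},
    {"InstanceId": "i-0bbb222", "PingStatus": "ConnectionLost"},
]}

# Constructed sample: trimmed ssm.list_resource_compliance_summaries() response.
# ComplianceType "Patch" backs SSM.2 and "Association" backs SSM.3; Status is
# the COMPLIANT / NON_COMPLIANT value the controls key on.
SAMPLE_COMPLIANCE = {"ResourceComplianceSummaryItems": [
    {"ResourceId": "i-0aaa111", "ResourceType": "ManagedInstance",
     "ComplianceType": "Patch", "Status": "COMPLIANT", "OverallSeverity": "UNSPECIFIED"},
    {"ResourceId": "i-0bbb222", "ResourceType": "ManagedInstance",
     "ComplianceType": "Patch", "Status": "NON_COMPLIANT", "OverallSeverity": "CRITICAL"},
    {"ResourceId": "i-0aaa111", "ResourceType": "ManagedInstance",
     "ComplianceType": "Association", "Status": "NON_COMPLIANT", "OverallSeverity": "MEDIUM"},
    {"ResourceId": "i-0bbb222", "ResourceType": "ManagedInstance",
     "ComplianceType": "Association", "Status": "COMPLIANT", "OverallSeverity": "UNSPECIFIED"},
]}


def ssm1_unmanaged_instances(ec2_resp: dict, managed_resp: dict) -> List[str]:
    """SSM.1: running and stopped instances with no managed-instance record.

    Terminated and transitional instances are out of scope, matching the
    control text, which names only stopped and running instances.
    """
    in_scope = {
        inst["InstanceId"]
        for res in ec2_resp["Reservations"]
        for inst in res["Instances"]
        if inst["State"]["Name"] in ("running", "stopped")
    }
    managed = {m["InstanceId"] for m in managed_resp["InstanceInformationList"]}
    return sorted(in_scope - managed)


def noncompliant_resources(compliance_resp: dict, compliance_type: str) -> Dict[str, str]:
    """Map ResourceId -> OverallSeverity for NON_COMPLIANT items of one type."""
    return {
        item["ResourceId"]: item["OverallSeverity"]
        for item in compliance_resp["ResourceComplianceSummaryItems"]
        if item["ComplianceType"] == compliance_type and item["Status"] == "NON_COMPLIANT"
    }


def evaluate_controls(ec2_resp: dict, managed_resp: dict, compliance_resp: dict) -> dict:
    """Failing resources per control, keyed by the Security Hub control ID."""
    return {
        "SSM.1": ssm1_unmanaged_instances(ec2_resp, managed_resp),
        "SSM.2": noncompliant_resources(compliance_resp, "Patch"),
        "SSM.3": noncompliant_resources(compliance_resp, "Association"),
    }


def collect_live(region_name: Optional[str] = None) -> Tuple[dict, dict, dict]:
    """Fetch the same three responses from a real account (needs boto3 and
    credentials). Paginators are used because all three calls page results."""
    import boto3  # imported here so the offline evaluation needs no AWS SDK

    ec2 = boto3.client("ec2", region_name=region_name)
    ssm = boto3.client("ssm", region_name=region_name)

    def paged(client, op: str, key: str) -> dict:
        items = []
        for page in client.get_paginator(op).paginate():
            items.extend(page[key])
        return {key: items}

    return (
        paged(ec2, "describe_instances", "Reservations"),
        paged(ssm, "describe_instance_information", "InstanceInformationList"),
        paged(ssm, "list_resource_compliance_summaries", "ResourceComplianceSummaryItems"),
    )


if __name__ == "__main__":
    results = evaluate_controls(SAMPLE_EC2, SAMPLE_MANAGED, SAMPLE_COMPLIANCE)
    for control, failing in results.items():
        print(control, "FAILED" if failing else "PASSED", failing)
```

On the sample data, SSM.1 flags i-0ddd444 (running, never registered with Systems Manager), SSM.2 flags i-0bbb222 with a CRITICAL patch gap, and SSM.3 flags i-0aaa111 for a MEDIUM association failure; i-0ccc333 is ignored because it is terminated. A stopped instance that once registered (i-0bbb222, PingStatus ConnectionLost) still counts as managed for SSM.1, which is the control's scope; a stricter inventory check could additionally require PingStatus Online.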


[SSM.4] SSM DOCUMENTS SHOULD NOT BE PUBLIC


Related requirements: NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5
AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6,
NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16),
NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3),
NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)

Category: Protect > Secure network configuration > Resources not publicly
accessible

Severity: Critical

Resource type: AWS::SSM::Document

AWS Config rule: ssm-document-not-public

Schedule type: Periodic

Parameters: None

This control checks whether AWS Systems Manager documents that are owned by the
account are public. This control fails if SSM documents with the owner Self are
public.

SSM documents that are public might allow unintended access to your documents. A
public SSM document can expose valuable information about your account,
resources, and internal processes.

Unless your use case requires public sharing, we recommend that you turn on the
block public sharing setting for Systems Manager documents that are owned by
Self.


REMEDIATION

To block public sharing for SSM documents, see Block public sharing for SSM
documents in the AWS Systems Manager User Guide.
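An SSM document is public when its share list contains the pseudo-account "all". The script below is an added example, not AWS code: it evaluates the SSM.4 condition over constructed sample data shaped like the boto3 responses for ssm.describe_document_permission and ssm.get_service_setting, and also reports whether the account-level block-public-sharing setting from the remediation section is in effect. The setting ID /ssm/documents/console/public-sharing-permission is assumed from the Systems Manager service-settings API; the document names and account ID in the samples are invented.

```python
"""SSM.4 check: Self-owned SSM documents shared with "all" (public), plus the
account-level block-public-sharing setting. Added example, not AWS code."""
from typing import Dict, List, Optional, Tuple

# Assumed setting ID for the account-level block on public document sharing.
PUBLIC_SHARING_SETTING_ID = "/ssm/documents/console/public-sharing-permission"

# Constructed sample: names of Self-owned documents (as returned by
# ssm.list_documents with an Owner=Self filter).
SAMPLE_DOC_NAMES = ["ExampleRunbook", "ExamplePatchDoc", "ExamplePartnerDoc"]

# Constructed sample: ssm.describe_document_permission(PermissionType="Share")
# per document. The literal account ID "all" denotes public sharing.
SAMPLE_PERMISSIONS = {
    "ExampleRunbook": {"AccountIds": ["all"]},
    "ExamplePatchDoc": {"AccountIds": []},
    "ExamplePartnerDoc": {"AccountIds": ["111122223333"]},
}

# Constructed sample: ssm.get_service_setting() response at the default value.
SAMPLE_SETTING = {"ServiceSetting": {"SettingId": PUBLIC_SHARING_SETTING_ID,
                                     "SettingValue": "Enable"}}


def is_public(permission_resp: dict) -> bool:
    """A share list containing the pseudo-account "all" makes a document public."""
    return "all" in permission_resp.get("AccountIds", [])


def public_documents(doc_names: List[str], permissions: Dict[str, dict]) -> List[str]:
    """SSM.4 finding set: Self-owned documents that are publicly shared."""
    return sorted(n for n in doc_names if is_public(permissions.get(n, {})))


def public_sharing_blocked(setting_resp: dict) -> bool:
    """True when the account-level setting is "Disable", i.e. sharing is blocked."""
    return setting_resp["ServiceSetting"]["SettingValue"] == "Disable"


def evaluate_ssm4(doc_names: List[str], permissions: Dict[str, dict],
                  setting_resp: dict) -> dict:
    """Control status plus the two facts a responder needs to remediate."""
    pub = public_documents(doc_names, permissions)
    return {
        "status": "FAILED" if pub else "PASSED",
        "public_documents": pub,
        "public_sharing_blocked": public_sharing_blocked(setting_resp),
    }


def collect_live(region_name: Optional[str] = None) -> Tuple[List[str], Dict[str, dict], dict]:
    """Fetch the real inputs with boto3 (needs credentials); one permission
    call per document, so expect N+2 API calls for N Self-owned documents."""
    import boto3  # imported here so the offline evaluation needs no AWS SDK

    ssm = boto3.client("ssm", region_name=region_name)
    names: List[str] = []
    pages = ssm.get_paginator("list_documents").paginate(
        Filters=[{"Key": "Owner", "Values": ["Self"]}])
    for page in pages:
        names.extend(d["Name"] for d in page["DocumentIdentifiers"])
    perms = {n: ssm.describe_document_permission(Name=n, PermissionType="Share")
             for n in names}
    setting = ssm.get_service_setting(SettingId=PUBLIC_SHARING_SETTING_ID)
    return names, perms, setting


if __name__ == "__main__":
    print(evaluate_ssm4(SAMPLE_DOC_NAMES, SAMPLE_PERMISSIONS, SAMPLE_SETTING))
```

On the sample data only ExampleRunbook is public; ExamplePartnerDoc is shared with one specific account, which the control does not flag. The setting value Enable at the end of the output is the default and means public sharing is still permitted, so even after the offending document is unshared the remediation is incomplete until the setting is changed to Disable.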

© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.