TL;DR
This guide shows you how to protect your AWS Systems Manager (SSM) Agent from tampering and unauthorized access, ensuring the security of your managed instances. We’ll cover verifying agent integrity, restricting permissions, and using encryption.
1. Verify SSM Agent Integrity
Regularly check that the SSM Agent hasn’t been modified. This helps detect potential malware or malicious changes.
- Check File Hashes: Compare the current hash of the SSM Agent executable with a known good hash value provided by AWS. You can find these hashes in the AWS documentation.
- Use Configuration History: SSM Change Calendar records changes to your instances, including agent updates. Review this history for unexpected modifications.
# The CLI namespace for Systems Manager is "ssm"; Change Calendar exposes a document's state at a point in time
aws ssm get-calendar-state --calendar-names <change-calendar-document-name> --at-time 2023-10-26T00:00:00Z
2. Restrict IAM Permissions
Grant the SSM Agent only the minimum permissions it needs to function. Avoid using overly permissive roles.
- Create a Custom Role: Don’t use the full AmazonSSMManagedInstanceCore policy unless absolutely necessary.
- Define Specific Permissions: Include permissions for only the required SSM actions, such as:
  ssm:SendCommand – to execute commands.
  ssm:GetCommandInvocation – to check command status.
  ssm:DescribeInstanceProperties – for basic instance information.
  ec2messages:ReceiveMessage – for communication with EC2 instances.
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "ssm:SendCommand",
          "ssm:GetCommandInvocation",
          "ssm:DescribeInstanceProperties",
          "ec2messages:ReceiveMessage"
        ],
        "Resource": "*"
      }
    ]
  }
- Apply the Role to Instances: Attach the custom IAM role to your EC2 instances.
3. Enable Encryption
Protect sensitive data transmitted by the SSM Agent using encryption.
- Enable KMS Encryption: Configure SSM to use Key Management Service (KMS) for encrypting command invocations and other data.
# Session Manager reads its KMS key from the SSM-SessionManagerRunShell preferences document;
# session-preferences.json sets "kmsKeyId": "arn:aws:kms:your-region:your-account-id:key/your-kms-key-id"
aws ssm update-document --name SSM-SessionManagerRunShell --document-version '$LATEST' --content file://session-preferences.json
- Verify Encryption in Logs: Check the SSM Agent logs for confirmation that data is being encrypted. Look for references to KMS key usage.
4. Secure Session Manager
If using Session Manager, enhance its security.
- Enable Session Manager Logging: Log all Session Manager sessions to CloudWatch Logs or S3 for auditing and investigation.
- Restrict Session Access: Use IAM policies to control which users can start Session Manager sessions on specific instances.
5. Regularly Update the SSM Agent
Keep your SSM Agents up-to-date with the latest security patches and features.
- Enable Automatic Updates: Configure automatic updates for the SSM Agent to ensure it receives the latest versions.
- Monitor Update Status: Regularly check that instances are running the most recent version of the agent.
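As an added example (not code from the original guide), a small Python audit that applies sections 4 and 5 offline to captured CLI output: it flags instances whose agent is not online or not the latest version in `aws ssm describe-instance-information` output, and checks the Session Manager preferences document (SSM-SessionManagerRunShell, as returned by `aws ssm get-document`) for a missing KMS key or session logging without encryption. The API responses below are constructed samples; field names follow the AWS APIs named in the comments.

```python
import json

# Constructed sample of `aws ssm describe-instance-information` output
# (field names follow the DescribeInstanceInformation API).
INSTANCE_INFO = {"InstanceInformationList": [
    {"InstanceId": "i-0example0000000001", "PingStatus": "Online",
     "AgentVersion": "3.2.2303.0", "IsLatestVersion": True},
    {"InstanceId": "i-0example0000000002", "PingStatus": "ConnectionLost",
     "AgentVersion": "3.1.1927.0", "IsLatestVersion": False},
]}

# Constructed sample of `aws ssm get-document --name SSM-SessionManagerRunShell
# --document-format JSON`; Content holds the preferences document as a JSON string.
SESSION_PREFS = {"Content": json.dumps({
    "schemaVersion": "1.0", "sessionType": "Standard_Stream",
    "inputs": {"kmsKeyId": "", "s3BucketName": "", "s3EncryptionEnabled": True,
               "cloudWatchLogGroupName": "ssm-sessions",
               "cloudWatchEncryptionEnabled": False, "runAsEnabled": False},
})}

def agent_findings(info):
    """(instance_id, reason) for every agent that is unreachable or not current."""
    findings = []
    for inst in info["InstanceInformationList"]:
        iid = inst["InstanceId"]
        if inst.get("PingStatus") != "Online":
            findings.append((iid, "agent not online: %s" % inst.get("PingStatus")))
        if not inst.get("IsLatestVersion", False):
            findings.append((iid, "agent outdated: %s" % inst.get("AgentVersion")))
    return findings

def session_findings(prefs):
    """Reasons the Session Manager preferences weaken logging or encryption."""
    inputs = json.loads(prefs["Content"]).get("inputs", {})
    reasons = []
    if not inputs.get("kmsKeyId"):
        reasons.append("no KMS key configured for session data encryption")
    if not (inputs.get("s3BucketName") or inputs.get("cloudWatchLogGroupName")):
        reasons.append("session logging disabled (no S3 bucket or CloudWatch log group)")
    if inputs.get("cloudWatchLogGroupName") and not inputs.get("cloudWatchEncryptionEnabled"):
        reasons.append("CloudWatch session logs not required to be encrypted")
    if inputs.get("s3BucketName") and not inputs.get("s3EncryptionEnabled"):
        reasons.append("S3 session logs not required to be encrypted")
    return reasons

if __name__ == "__main__":
    print(agent_findings(INSTANCE_INFO))
    print(session_findings(SESSION_PREFS))
```

Replace the two constructed samples with the real CLI output (`--output json`) to run the same checks against your account.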