Scan EC2 Instances Using AWS Systems Manager
Configure AWS Systems Manager (SSM) so Mondoo can scan EC2 instances for security misconfigurations without leaving an agent installed.
Use AWS Systems Manager (SSM) to scan EC2 instances without a permanently installed agent. The instance must already be running the SSM Agent (preinstalled on most AWS-provided AMIs); when Mondoo runs an SSM scan, it installs cnspec on the instance for the duration of the scan and removes it afterward.
How Mondoo scans with SSM
When Mondoo performs an SSM scan, these steps occur:
- SSM Run Command calls the AWS-RunShellScript SSM document.
- The latest version of cnspec is installed and configured to authenticate with your Mondoo Platform account.
- The EC2 instance runs cnspec scan to execute policy checks.
- cnspec publishes the scan results to Mondoo Platform.
- cnspec is uninstalled from the EC2 instance.
On Linux instances, SSM Agent runs Run Command scripts as root by default, so any principal allowed to call ssm:SendCommand against an instance effectively has root on it. Grant that permission only to the identity Mondoo uses and scope it to the instances you intend to scan.
Configure AWS SSM
This section walks through a fresh SSM setup. If SSM is new to you, the AWS documentation covers it in greater depth.
Create an IAM role and instance profile for SSM
Before you can manage EC2 instances using SSM, complete these steps in the AWS console or the AWS CLI:
- Set up an IAM role with a trust policy for EC2.
- Attach the AWS managed AmazonSSMManagedInstanceCore policy to the IAM role.
- Create an instance profile (only needed if you're using the AWS CLI; the console creates one automatically for an EC2 service role).
- Attach the IAM role to the instance profile (only needed if you're using the AWS CLI).
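Whichever workflow you use, the role you create here is what the SSM Agent authenticates as, so it is worth checking that its trust policy admits only the EC2 service principal and that nothing broader than AmazonSSMManagedInstanceCore is attached. The Python script below is an added example (not Mondoo's or AWS's code); it reads the same JSON that ec2-trust.json, `aws iam get-role` (Role.AssumeRolePolicyDocument) and `aws iam list-attached-role-policies` produce. The sample policies embedded in it are constructed for illustration, and the list of "overly broad" managed policies is this example's own choice.

```python
import json

# ARN of the managed policy this page attaches (aws partition; GovCloud/China use another prefix).
SSM_CORE_POLICY_ARN = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"

# Managed policies far broader than a scan target should carry (example's own list).
OVERLY_BROAD = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/PowerUserAccess",
    "arn:aws:iam::aws:policy/AmazonSSMFullAccess",
}

# Constructed copy of the page's ec2-trust.json. Statement is a single object here,
# which IAM accepts, so the audit must handle both object and list forms.
PAGE_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": { "Service": "ec2.amazonaws.com" },
    "Action": "sts:AssumeRole"
  }
}""")

# Constructed bad example: any AWS principal may assume the role.
OPEN_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}


def _as_list(value):
    """IAM allows a single value or a list in most policy fields; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def audit_instance_role(trust_policy, attached_policy_arns):
    """Return findings for an SSM scan-target role; an empty list means it looks right."""
    findings = []
    if trust_policy.get("Version") != "2012-10-17":
        findings.append("trust policy Version is not 2012-10-17")

    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS"))):
            findings.append("trust policy allows any principal to assume the role")
            continue
        if not isinstance(principal, dict):
            findings.append(f"trust policy has an unexpected Principal: {principal!r}")
            continue
        # Anything beyond the EC2 service principal lets another entity obtain the role's credentials.
        extra_keys = sorted(set(principal) - {"Service"})
        if extra_keys:
            findings.append(f"trust policy trusts non-service principals: {extra_keys}")
        services = _as_list(principal.get("Service"))
        if services != ["ec2.amazonaws.com"]:
            findings.append(f"trust policy service principals are {services}, expected ['ec2.amazonaws.com']")
        actions = _as_list(stmt.get("Action"))
        if any(action != "sts:AssumeRole" for action in actions):
            findings.append(f"trust policy actions are {actions}, expected ['sts:AssumeRole']")

    attached = set(attached_policy_arns)
    if SSM_CORE_POLICY_ARN not in attached:
        findings.append("AmazonSSMManagedInstanceCore is not attached; SSM Agent cannot register")
    for arn in sorted(attached & OVERLY_BROAD):
        findings.append(f"{arn} is attached; a scan target should not carry that much privilege")
    return findings


if __name__ == "__main__":
    cases = [
        ("EC2_SSM_ROLE as on this page", PAGE_TRUST_POLICY, [SSM_CORE_POLICY_ARN]),
        ("open role", OPEN_TRUST_POLICY,
         [SSM_CORE_POLICY_ARN, "arn:aws:iam::aws:policy/AdministratorAccess"]),
    ]
    for name, policy, arns in cases:
        findings = audit_instance_role(policy, arns)
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

To run it against a real role, load the trust policy with `aws iam get-role --role-name EC2_SSM_ROLE --query Role.AssumeRolePolicyDocument --output json` and the attached ARNs with `aws iam list-attached-role-policies --role-name EC2_SSM_ROLE --query "AttachedPolicies[].PolicyArn" --output json`, then pass the parsed JSON to audit_instance_role.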
Choose a workflow: the AWS console steps come first, followed by the equivalent AWS CLI steps.
AWS console
Requirements
- AWS console access to any account you plan to integrate with Mondoo
- Administrator privileges in those accounts
Create an IAM role with the AmazonSSMManagedInstanceCore policy

- Log in to the AWS console.
- Navigate to IAM.
- Select Roles.
- Select Create Role.
- For Trust entity type, select AWS service. For Use case, select EC2. Select Next.
- In the Filter policies box, search for SSM, select AmazonSSMManagedInstanceCore, and select Next.
- Under Role details, give the role a name (such as EC2_SSM_ROLE) and an optional description. Select Create role.
The role is now ready. You can attach it to existing EC2 instances or assign it as the instance profile when launching new instances.
Launch an EC2 instance with the new instance profile

- Log in to the AWS console.
- Navigate to EC2.
- Select Launch Instance.
- Under Name and tags, enter a name (for example, EC2 SSM Instance).
- Under Application and OS Images (Amazon Machine Image), select an image with the SSM Agent preinstalled (for example, the latest Amazon Linux AMI).
- Under Instance type, select t3.micro (or another type that fits your workload).
- Under Key pair (login), you can either add an SSH key or select Proceed without a key pair. SSH access is not required for SSM scanning.
- Under Network settings — Firewall (security groups), choose an appropriate security group. SSM does not require any open inbound ports, but the instance does need outbound HTTPS (TCP 443) to the regional ssm, ssmmessages and ec2messages endpoints, either through an internet/NAT gateway or through VPC interface endpoints.
- Expand Advanced details. Under IAM instance profile, select the role you created above.
- Review the configuration, then select Launch.
- Copy the instance ID for the next step.

Confirm the instance is managed by SSM

- Log in to the AWS console.
- Navigate to Systems Manager.
- Select Fleet Manager.
- Locate the instance ID you copied in the previous step and select it.
If the instance appears in Fleet Manager (allow a few minutes after launch for the agent to register), it is under SSM management and Mondoo can use it to perform continuous scans.
AWS CLI
Requirements
- The AWS CLI installed and configured for your account
- Administrator privileges (or equivalent IAM permissions) on the account
Look up the ARN of the AmazonSSMManagedInstanceCore policy

aws iam list-policies --scope AWS \
  --query "Policies[?PolicyName == 'AmazonSSMManagedInstanceCore'].Arn" \
  --output text

In the standard aws partition this prints arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore; use whatever your account returns in the steps below.

Create the trust policy file
Create a file named ec2-trust.json with this content:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": { "Service": "ec2.amazonaws.com" },
    "Action": "sts:AssumeRole"
  }
}

Create the IAM role and attach the SSM policy
aws iam create-role \
  --role-name EC2_SSM_ROLE \
  --assume-role-policy-document file://ec2-trust.json

aws iam attach-role-policy \
  --role-name EC2_SSM_ROLE \
  --policy-arn <SSM-POLICY-ARN>

Create an instance profile
aws iam create-instance-profile --instance-profile-name EC2_SSM_PROFILE

aws iam add-role-to-instance-profile \
  --instance-profile-name EC2_SSM_PROFILE \
  --role-name EC2_SSM_ROLE

Launch an EC2 instance with the instance profile
Not every AMI ships with the SSM Agent preinstalled. For the current list, see About SSM Agent in the AWS documentation.
Look up the latest Amazon Linux 2023 AMI ID (which includes the SSM Agent):

aws ec2 describe-images \
  --owners amazon \
  --filters "Name=name,Values=al2023-ami-*-x86_64" \
            "Name=state,Values=available" \
  --query "sort_by(Images, &CreationDate)[-1].ImageId" \
  --output text

Pick a VPC subnet and security group to use, then launch the instance. The subnet must give the instance a route to the regional SSM endpoints (internet gateway, NAT gateway or VPC interface endpoints for ssm, ssmmessages and ec2messages); the security group needs no inbound rules for SSM.
aws ec2 run-instances \
  --image-id <AMI-ID> \
  --instance-type t3.micro \
  --subnet-id <SUBNET-ID> \
  --security-group-ids <SECURITY-GROUP-ID> \
  --iam-instance-profile Name=EC2_SSM_PROFILE \
  --tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=SSMTestInstance}]"

Confirm the instance is managed by SSM
Look up the new instance ID:

aws ec2 describe-instances \
  --filters Name=tag:Name,Values=SSMTestInstance \
  --query "Reservations[].Instances[].InstanceId" \
  --output text

Confirm SSM has registered the instance:
aws ssm describe-instance-information \
  --query "InstanceInformationList[?InstanceId == '<INSTANCE-ID>']"

Registration can take a few minutes after launch. An empty list means the agent has not checked in yet; if it stays empty, verify that the instance profile carries AmazonSSMManagedInstanceCore, that the SSM Agent is running, and that the instance can reach the SSM endpoints over HTTPS. Once the entry appears with a PingStatus of Online, Mondoo can scan the instance.

Learn more
- Scan Instances Using EBS Snapshots — assess instances by mounting volume snapshots
- Continuously Scan AWS — set up the Mondoo AWS integration
- The cnspec documentation — learn more about cnspec