Severity Framework: Snyk CCSS
Rule category: Operating System / Configuration
- Snyk ID SNYK-CC-00759
- credit Snyk Research Team
Description
Absence of the AWS Systems Manager (SSM) agent on an EC2 instance prevents remote and automated management tasks, which can lead to unpatched software, misconfigurations, and operational inefficiencies. It also hinders the ability to execute commands, apply patches, collect inventory, and configure instances at scale.
How to fix?
Set the targets.values attribute in an aws_ssm_association resource to a valid instance ID, or refer to all instances with "*".
Example Configuration
# EC2 instance that the association below targets
resource "aws_instance" "allowed" {
  ami           = "ami-0c7217cdde317cfec"
  instance_type = "t3.micro"

  tags = {
    Name = "snyk-759-allowed-instance"
  }
}

# Command document that the association runs on its targets
resource "aws_ssm_document" "doc-759" {
  name          = "snyk-759-ssm-doc"
  document_type = "Command"

  content = <<DOC
{
  "schemaVersion": "1.2",
  "description": "Check ip configuration of a Linux instance.",
  "parameters": {
  },
  "runtimeConfig": {
    "aws:runShellScript": {
      "properties": [
        {
          "id": "0.aws:runShellScript",
          "runCommand": ["ifconfig"]
        }
      ]
    }
  }
}
DOC
}

# Bind the document to the instance by ID through targets.values
resource "aws_ssm_association" "example" {
  name = aws_ssm_document.doc-759.name

  targets {
    key    = "InstanceIds"
    values = [aws_instance.allowed.id]
  }
}
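One way to check a Terraform plan for the condition described above, as an added example that is not Snyk's rule implementation: it reads the "configuration" section of `terraform show -json` output and lists aws_instance resources that no aws_ssm_association targets by instance ID. The sample plan and the aws_instance.denied resource are constructed; the check assumes root-module resources without count or for_each and does not evaluate tag-based targets.

```python
# Constructed sample: the "configuration" section of `terraform show -json <planfile>`,
# trimmed to the fields this check reads. "aws_instance.denied" is a made-up resource.
SAMPLE_PLAN = {
    "configuration": {"root_module": {"resources": [
        {"address": "aws_instance.allowed", "type": "aws_instance"},
        {"address": "aws_instance.denied", "type": "aws_instance"},
        {"address": "aws_ssm_association.example", "type": "aws_ssm_association",
         "expressions": {"targets": [{
             "key": {"constant_value": "InstanceIds"},
             "values": {"references": ["aws_instance.allowed.id",
                                       "aws_instance.allowed"]},
         }]}},
    ]}}
}


def instances_without_ssm_association(plan):
    """Return root-module aws_instance addresses that no aws_ssm_association
    targets through an InstanceIds target block."""
    resources = plan["configuration"]["root_module"].get("resources", [])
    instances = {r["address"] for r in resources if r["type"] == "aws_instance"}
    covered = set()
    for res in resources:
        if res["type"] != "aws_ssm_association":
            continue
        for target in res.get("expressions", {}).get("targets", []):
            if target.get("key", {}).get("constant_value") != "InstanceIds":
                continue  # tag-based targets are outside this check
            values = target.get("values", {})
            if "*" in (values.get("constant_value") or []):
                return []  # wildcard association covers every instance
            # Terraform lists both "aws_instance.x.id" and "aws_instance.x"
            covered.update(ref for ref in values.get("references", [])
                           if ref in instances)
    return sorted(instances - covered)


if __name__ == "__main__":
    for address in instances_without_ssm_association(SAMPLE_PLAN):
        print(f"{address}: not targeted by any aws_ssm_association")
```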