EC2 instance is missing SSM agent association Affecting EC2 service in AWS


Severity
medium (Snyk CCSS; displayed score 0.0 on a 0 to 10 scale)
Rule category
Operating System / Configuration

  • Snyk ID SNYK-CC-00759
  • credit Snyk Research Team

Description

This rule reports an EC2 instance that no AWS Systems Manager (SSM) State Manager association targets. Such an instance sits outside the account's remote and automated management: Run Command, Patch Manager, inventory collection and configuration enforcement cannot be applied to it at scale, so it tends to accumulate unpatched software and configuration drift and becomes an operational blind spot. An association alone is not sufficient, though: the instance must also run the SSM Agent and carry an IAM instance profile that grants it Systems Manager permissions, otherwise it never registers as a managed instance and the association has nothing to run on.

How to fix?

In an aws_ssm_association resource, set targets.key to "InstanceIds" and targets.values to the instance's ID (or to "*" to target every managed instance in the region). Make sure the instance actually becomes a managed instance: its AMI must ship the SSM Agent (Amazon Linux AMIs do) and it needs an iam_instance_profile whose role includes Systems Manager permissions, for example the AWS managed policy AmazonSSMManagedInstanceCore.

Example Configuration

# Instance to be managed. In a real deployment add an iam_instance_profile whose
# role includes Systems Manager permissions (e.g. AmazonSSMManagedInstanceCore);
# the association below is only evaluated for registered (managed) instances.
resource "aws_instance" "allowed" {
  ami           = "ami-0c7217cdde317cfec"
  instance_type = "t3.micro"

  tags = {
    Name = "snyk-759-allowed-instance"
  }
}

# Command document the association runs. It uses `ip addr show` rather than
# `ifconfig`, which needs net-tools and is not installed on current Amazon Linux AMIs.
resource "aws_ssm_document" "doc-759" {
  name          = "snyk-759-ssm-doc"
  document_type = "Command"

  content = <<DOC
  {
    "schemaVersion": "1.2",
    "description": "Check IP configuration of a Linux instance.",
    "parameters": {},
    "runtimeConfig": {
      "aws:runShellScript": {
        "properties": [
          {
            "id": "0.aws:runShellScript",
            "runCommand": ["ip addr show"]
          }
        ]
      }
    }
  }
DOC
}

# The association that satisfies this rule: its InstanceIds target names the
# instance explicitly. values = ["*"] would instead cover every managed instance.
resource "aws_ssm_association" "example" {
  name = aws_ssm_document.doc-759.name

  targets {
    key    = "InstanceIds"
    values = [aws_instance.allowed.id]
  }
}
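The configuration above leaves out what the instance needs before any association can execute: an instance profile with Systems Manager permissions. The following is an added example, not code from the Snyk page or from the AWS provider documentation, that wires in those prerequisites and also shows the two other target forms SSM supports beyond an explicit instance ID: the "*" wildcard the fix text mentions (every managed instance in the region) and a tag-based target. The role, profile and resource names, the daily schedule and the `ip addr show` command are illustrative assumptions; the AMI ID is the page's own, and the AMI is assumed to ship the SSM Agent (Amazon Linux AMIs do).

```hcl
# Added example (not part of the Snyk rule page). Names are illustrative.

# 1. Role the EC2 service can assume, carrying the AWS managed policy that lets
#    the SSM Agent register the instance and pick up associations.
resource "aws_iam_role" "ssm_managed" {
  name = "snyk-759-ssm-managed-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "ssm_core" {
  role       = aws_iam_role.ssm_managed.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

resource "aws_iam_instance_profile" "ssm_managed" {
  name = "snyk-759-ssm-managed-profile"
  role = aws_iam_role.ssm_managed.name
}

# 2. The instance attaches the profile. Without it the agent never registers and
#    any association targeting the instance never executes.
resource "aws_instance" "managed" {
  ami                  = "ami-0c7217cdde317cfec" # AMI from the page's example; choose one valid for your region
  instance_type        = "t3.micro"
  iam_instance_profile = aws_iam_instance_profile.ssm_managed.name

  tags = {
    Name = "snyk-759-managed-instance"
  }
}

# 3. Baseline association for every managed instance in the region via the "*"
#    wildcard. AWS-UpdateSSMAgent is an AWS-owned Command document, so no
#    aws_ssm_document resource is required.
resource "aws_ssm_association" "update_agent_all" {
  name                = "AWS-UpdateSSMAgent"
  schedule_expression = "rate(1 day)"

  targets {
    key    = "InstanceIds"
    values = ["*"]
  }
}

# 4. Tag-based association: covers instances that carry this tag now or later,
#    so newly launched instances are managed without editing the association.
resource "aws_ssm_association" "managed_by_tag" {
  name = "AWS-RunShellScript"

  targets {
    key    = "tag:Name"
    values = [aws_instance.managed.tags["Name"]]
  }

  parameters = {
    commands = "ip addr show"
  }
}
```

After `terraform apply`, confirm the instance shows up as a managed instance (Systems Manager > Fleet Manager, or `aws ssm describe-instance-information`) before expecting any association to report a status; an instance that is missing from that list has a role, agent or network-path problem, not an association problem.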