MEDIUM SSM

EC2 not managed by SSM

Check ID: aws-ssm-001

AWS-SSM-001 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks for running EC2 instances that are not registered with AWS Systems Manager (SSM) for patching and remote management.

Why it matters

Instances not managed by AWS Systems Manager are invisible to your patch management, compliance scanning, and remote management processes. They cannot receive automated security patches through SSM Patch Manager, cannot be inventoried for installed software and configurations, and require SSH/RDP access with the associated key management overhead. The Unit 42 2024 Cloud Threat Report found that unmanaged instances are 3.5x more likely to have critical unpatched vulnerabilities. SSM also enables Session Manager, which provides shell access without opening SSH ports or managing SSH keys, eliminating an entire attack surface. The SSM agent is pre-installed on Amazon Linux 2, Amazon Linux 2023, and recent Ubuntu AMIs.

Common causes

Instances are most often unmanaged because they lack an IAM instance profile carrying the AmazonSSMManagedInstanceCore policy. Custom AMIs built without the SSM agent pre-installed, and instances in private subnets without VPC endpoints for SSM, cannot register with the service even when the profile is correct. Teams that rely on traditional SSH access may not see the value in SSM management and skip the configuration during instance provisioning.

Detection

Run cloud-audit to detect this issue:

pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.
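The following is an added example, not cloud-audit's own code: it reproduces the aws-ssm-001 logic and labels each unmanaged instance with the likely cause from the list above (missing profile, profile without the managed policy, or a registration/connectivity problem). The function names, the sample account ID and instance IDs are constructed for illustration; scan_live() assumes boto3 and AWS credentials are available.

```python
SSM_CORE_POLICY = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"

def find_unmanaged(instances, ssm_status, profile_policies):
    """Inputs mirror ec2 describe_instances Instances[], ssm describe_instance_information
    {InstanceId: PingStatus}, and {profile ARN: attached policy ARNs}. Yields (id, reason)."""
    for inst in instances:
        if inst.get("State", {}).get("Name") != "running":
            continue  # the check only covers running instances
        status = ssm_status.get(inst["InstanceId"])
        if status == "Online":
            continue  # registered with SSM and reachable: managed
        profile = inst.get("IamInstanceProfile", {}).get("Arn")
        if status is not None:  # agent registered once but is no longer checking in
            reason = f"registered with SSM but PingStatus={status}"
        elif not profile:
            reason = "no IAM instance profile attached"
        elif SSM_CORE_POLICY not in profile_policies.get(profile, set()):
            reason = "instance profile lacks AmazonSSMManagedInstanceCore"
        else:
            reason = "profile OK; check SSM agent install and VPC endpoint reachability"
        yield inst["InstanceId"], reason

def scan_live(region):
    """Gather the three inputs with boto3 (needs AWS credentials; not used offline)."""
    import boto3
    ec2, ssm, iam = (boto3.client(s, region_name=region) for s in ("ec2", "ssm", "iam"))
    running = [{"Name": "instance-state-name", "Values": ["running"]}]
    instances = [i for p in ec2.get_paginator("describe_instances").paginate(Filters=running)
                 for r in p["Reservations"] for i in r["Instances"]]
    ssm_status = {e["InstanceId"]: e["PingStatus"] for p in ssm.get_paginator(
        "describe_instance_information").paginate() for e in p["InstanceInformationList"]}
    profile_policies = {}  # resolve each profile's roles to their attached managed policies
    for arn in {i["IamInstanceProfile"]["Arn"] for i in instances if "IamInstanceProfile" in i}:
        roles = iam.get_instance_profile(InstanceProfileName=arn.rsplit("/", 1)[-1])["InstanceProfile"]["Roles"]
        profile_policies[arn] = {p["PolicyArn"] for r in roles for p in
                                 iam.list_attached_role_policies(RoleName=r["RoleName"])["AttachedPolicies"]}
    return list(find_unmanaged(instances, ssm_status, profile_policies))

# Constructed sample shaped like the API output (not real account data).
OK, NO = (f"arn:aws:iam::123456789012:instance-profile/{n}" for n in ("ssm-ok", "no-ssm"))
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa", "State": {"Name": "running"}, "IamInstanceProfile": {"Arn": OK}},
    {"InstanceId": "i-0bbb", "State": {"Name": "running"}},
    {"InstanceId": "i-0ccc", "State": {"Name": "running"}, "IamInstanceProfile": {"Arn": NO}},
    {"InstanceId": "i-0ddd", "State": {"Name": "running"}, "IamInstanceProfile": {"Arn": OK}},
    {"InstanceId": "i-0eee", "State": {"Name": "stopped"}},
]
SAMPLE_SSM = {"i-0aaa": "Online", "i-0ddd": "ConnectionLost"}
SAMPLE_PROFILES = {OK: {SSM_CORE_POLICY}, NO: {"arn:aws:iam::aws:policy/ReadOnlyAccess"}}
```

An instance whose profile is correct but that still never registers usually cannot reach the SSM endpoints (no SSM agent on the AMI, or a private subnet without the ssm, ssmmessages and ec2messages VPC endpoints), which is the last branch above.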

Remediation: AWS CLI

# Attach SSM managed policy to the instance role:
aws iam attach-role-policy --role-name INSTANCE_ROLE --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore

Remediation: Terraform

resource "aws_iam_role_policy_attachment" "ssm" {
  role       = aws_iam_role.instance_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

This check is part of cloud-audit; install it with pip install cloud-audit.