AWS Config Rule: EC2 Managed Linux Instance Applications Required

EC2_MANAGEDINSTANCE_APPLICATIONS_REQUIRED

Eduardo Van Cauteren

Last Update 9 months ago

Description: Checks if all of the specified applications are installed on the instance. Optionally, specify the minimum acceptable version.


Trigger type: Configuration changes


AWS Region: All supported AWS regions except Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Melbourne), Europe (Spain), Europe (Zurich) Region


How this Config Rule Works

This config rule is useful whenever you need to guarantee that particular software is present on your EC2 instances, for example a monitoring or security agent.

The rule compares a predefined list of applications (each optionally with a minimum acceptable version) against the software that AWS Systems Manager Inventory has collected for an SSM-managed EC2 instance. If a required application is not found in the inventory, or its reported version is below the minimum you defined, the instance is marked as non-compliant.


To define the list of applications, log in to the StackZone Console and go to Provisioning -> Baseline Services -> AWSConfig Rules Regional -> Amazon EC2, then locate the Amazon EC2 managed Linux instance applications required card to enable the config rule and fill in the text field with the names of the applications (and optionally the minimum version, separated from the name by a colon). Here you can find an example for the Firefox web browser:

Ensure that the SSM agent is running on the EC2 instance (so that it appears as a managed node) and that an inventory association that gathers application software inventory (the AWS-GatherSoftwareInventory document) exists for it; without inventory data the rule has nothing to compare against.
Also take into account that Config does not currently support wildcards in the applicationNames parameter (for example, firefox*): each name must match the inventory entry exactly.

How to Resolve Manually

To bring an instance into compliance, ensure that every application you defined in the StackZone console is installed on the EC2 instance and, where you also defined one, meets the minimum required version.


In some cases the rule may still be marked as non-compliant even though the application is installed and the version is the expected one. This is usually caused by a mismatch between the application name you defined and the name that AWS Systems Manager Inventory reports for it. To resolve this, check the name that AWS expects: open AWS Systems Manager in the AWS Console, then under Node Management click Fleet Manager. From there you can see all the managed EC2 instances in the Region; click the desired instance and then open the Inventory tab.


In the following screenshot you can see the name and version that Systems Manager detects for the Firefox application. This is the name (and/or version) that must be used when defining the required applications in the StackZone Console.

Notice that if an application was only recently installed, the rule can still be marked as non-compliant for a while. This is because, by default, SSM Inventory collects instance data every 30 minutes, so the new application is not visible to the rule until the next inventory collection has run.
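The following is an added example (not StackZone's or AWS Config's own code) that reproduces offline what the rule does and why an exact name mismatch fails: it parses an applicationNames value in the "name" or "name:minimumVersion" comma-separated format described above and evaluates it against entries shaped like the AWS:Application inventory type. The inventory list below is constructed for the example; exact, case-sensitive name matching and the numeric dotted version comparison are assumptions made here, not documented behaviour of the rule.

```python
"""Offline replica of the EC2_MANAGEDINSTANCE_APPLICATIONS_REQUIRED check.

Added example, not StackZone's or AWS Config's own implementation. It mirrors
the documented behaviour: every required application must appear in the
AWS:Application inventory of the instance, and when a minimum version is
given the installed version must not be below it. No wildcards.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape returned for the AWS:Application inventory
# type (each entry has at least Name and Version). Not real instance data.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"Name": "firefox", "Version": "115.0.2", "Publisher": "Mozilla"},
    {"Name": "amazon-ssm-agent", "Version": "3.2.1705.0", "Publisher": "Amazon.com Inc."},
    {"Name": "curl", "Version": "8.3.0", "Publisher": "Example Publisher"},
]


def parse_application_names(param: str) -> List[Tuple[str, Optional[str]]]:
    """Parse the applicationNames parameter: comma separated, optional ':minVersion'."""
    required: List[Tuple[str, Optional[str]]] = []
    for item in param.split(","):
        item = item.strip()
        if not item:
            continue
        name, _, version = item.partition(":")
        required.append((name.strip(), version.strip() or None))
    return required


def version_key(version: str) -> List[Tuple[int, object]]:
    """Split a version into comparable parts: numeric parts compare as numbers,
    non-numeric parts (e.g. 'rc1') sort after numbers and compare as text."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", version)]


def version_at_least(installed: str, minimum: str) -> bool:
    """True if installed >= minimum; shorter versions are padded so 1.2 == 1.2.0.
    Assumption made here: the rule's own comparison rules are not documented."""
    a, b = version_key(installed), version_key(minimum)
    n = max(len(a), len(b))
    a = a + [(0, 0)] * (n - len(a))
    b = b + [(0, 0)] * (n - len(b))
    return a >= b


def evaluate(required_param: str, inventory: List[Dict[str, str]]) -> Dict[str, str]:
    """Return a verdict per required application, keyed by the name as configured.
    Names are matched exactly against the inventory Name field (no wildcards)."""
    installed = {entry["Name"]: entry.get("Version", "") for entry in inventory}
    verdicts: Dict[str, str] = {}
    for name, min_version in parse_application_names(required_param):
        if name not in installed:
            verdicts[name] = ("NON_COMPLIANT: not in AWS:Application inventory "
                              "(check the exact Name in Fleet Manager > Inventory)")
        elif min_version and not version_at_least(installed[name], min_version):
            verdicts[name] = f"NON_COMPLIANT: installed {installed[name]} is below {min_version}"
        else:
            verdicts[name] = "COMPLIANT"
    return verdicts


def is_compliant(required_param: str, inventory: List[Dict[str, str]]) -> bool:
    """The instance is compliant only if every required application passes."""
    return all(v == "COMPLIANT" for v in evaluate(required_param, inventory).values())


if __name__ == "__main__":
    # "Firefox" fails although "firefox" 115.0.2 is installed: the name mismatch
    # described in the troubleshooting section above.
    for param in ("firefox:115.0,amazon-ssm-agent", "Firefox:115.0", "curl:9.0"):
        print(param, "->", evaluate(param, SAMPLE_INVENTORY))
```

To run the same check against a real instance instead of the constructed sample, export the inventory with `aws ssm list-inventory-entries --instance-id <instance-id> --type-name AWS:Application` and pass the `Entries` list of that response to `evaluate`; the `Name` values it shows are the ones to copy into the StackZone text field.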


Want to know more about StackZone and how to make your cloud management simple and secure?

Check our how it works section with easy to follow videos or just create your own StackZone Account here
