I want to stop or terminate EC2 instances that don't have a required application installed (i.e. antivirus)
Short description
In light of recent security incidents involving IMDSv1 vulnerabilities, it's crucial to ensure that all EC2 instances have proper security measures in place. This article outlines a solution that uses AWS Config, Systems Manager, and SNS to automatically identify non-compliant EC2 instances and stop or terminate them, improving your AWS environment's security posture.
Resolution
NOTE: The following steps will deploy a rule for a single account. To deploy rules for all accounts in an Organization, it must be done via the CLI. For more information, review Managing AWS Config Rules Across All Accounts in Your Organization.
Prerequisites
Identify Application Package Name
- Navigate to Fleet Manager in the AWS Systems Manager Console
- Select the Node ID of an instance that already has the application package that should be on all EC2 instances, then click Inventory on the left-hand side under Properties
- Filter by the application name under AWS:Application to identify the exact package name (e.g., Clam AV appears as clamav)
- Note the package name to use in the next step
NOTE: It can take up to 5 minutes after an EC2 instance is created for Fleet Manager to inventory all installed application packages.
Create an AWS Config rule
- Navigate to Rules in the AWS Config console and select Add rule
- Select the ec2-managedinstance-applications-required rule and click Next
- Under Parameters, ensure the applicationNames row exists (NOTE: keep the platformType row if the application name varies by operating system)
- For the applicationNames Value, enter the name of the application from the previous step that you want to require on all EC2 instances (e.g., clamav)
- Click Next and then click Save
Implement Remediation using Systems Manager Automation
- Click the newly created rule and then click on Actions and then Manage Remediation
- Select either Automatic remediation or Manual remediation depending on your use case
- Select either AWS-StopEC2Instance or AWS-TerminateEC2Instance depending on your use case
- Select instanceID under the Resource ID parameter
- Under the AutomationAssumeRole parameter, enter the ARN of the IAM role used for Systems Manager Automation (e.g., arn:aws:iam::############:role/ConfigRemediationRole)
- Click Save changes
Under Resources in scope, EC2 instances that have the required application package installed are marked as COMPLIANT. EC2 instances that do not have it installed are marked as NON_COMPLIANT and are terminated or stopped, depending on the option selected in the previous step.
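The same rule, remediation and a least-privilege automation role as a CloudFormation template, so the configuration can be reviewed and deployed to other accounts. This is an added example, not the article's own template; the role and policy names, the clamav package name and the choice of AWS-StopEC2Instance are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  # Role that Systems Manager Automation assumes during remediation (name assumed)
  ConfigRemediationRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ssm.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: StopNonCompliantInstances
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                # Swap in ec2:TerminateInstances when using AWS-TerminateEC2Instance
                Action: [ec2:StopInstances, ec2:DescribeInstances, ec2:DescribeInstanceStatus]
                Resource: "*"

  # Managed rule: every SSM-managed instance must report the package in its inventory
  RequiredApplicationRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: ec2-managedinstance-applications-required
      Source:
        Owner: AWS
        SourceIdentifier: EC2_MANAGEDINSTANCE_APPLICATIONS_REQUIRED
      InputParameters:
        applicationNames: clamav   # package name exactly as shown in Fleet Manager inventory
      Scope:
        ComplianceResourceTypes:
          - AWS::SSM::ManagedInstanceInventory

  # Remediation: the non-compliant resource id (the instance id) is passed as InstanceId
  StopRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref RequiredApplicationRule
      TargetType: SSM_DOCUMENT
      TargetId: AWS-StopEC2Instance
      Automatic: false   # true also requires MaximumAutomaticAttempts and RetryAttemptSeconds
      Parameters:
        AutomationAssumeRole:
          StaticValue:
            Values: [!GetAtt ConfigRemediationRole.Arn]
        InstanceId:
          ResourceValue:
            Value: RESOURCE_ID
```

Deploy with `aws cloudformation deploy --template-file template.yaml --stack-name required-app-rule --capabilities CAPABILITY_IAM`; the stack fails if AWS Config recording is not yet enabled in the account.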
Set up EventBridge
For a step by step guide see Creating Amazon EventBridge Rule for AWS Config
Configure SNS Topic
For a step by step guide see Send an email when events happen using Amazon EventBridge
Note: This solution can be adapted for required applications other than antivirus products such as Clam AV or CrowdStrike Falcon. Always ensure you're following your organization's security policies and compliance requirements.
Architectural Diagram Using CrowdStrike Falcon Sensor as an Example
