SSM Network firewall audit
Hi all, I'm using SSM on some hybrid Linux nodes. I was going through the documentation and there is a mention of being able to use SSM to check open network ports on the nodes, but there isn't any example of how to do it. I'm trying to set up a proof of concept right now, and if there is a tutorial on how to do that, that would be awesome and would help my case. Are there any available resources?
Hello!
Usually we would suggest using AWS Firewall Manager, as this is the best way to have a single view for your Security Groups and enforce a baseline policy across applications/many instances. This is described in detail under this documentation:
https://aws.amazon.com/blogs/security/how-to-continuously-audit-and-limit-security-groups-with-aws-firewall-manager/
https://aws.amazon.com/firewall-manager/
AWS Firewall Manager may be more suitable for what you are trying to accomplish.
For your questions regarding this under SSM, I was not able to find the documentation which you are referring to. Could I please ask that you include a link here so that I can check on that for you?
Hi!
If you're looking to see if the security groups on the instances allow for overly permissive access (such as wide open 0/0), you could use Trusted Advisor: https://docs.aws.amazon.com/awssupport/latest/user/trusted-advisor-check-reference.html#security-groups-specific-ports-unrestricted. Trusted Advisor can be displayed in Systems Manager: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-trusted-advisor-and-phd.html.
If you're looking for something else, you could also use Systems Manager OpsCenter to configure alerts based on AWS Security Hub events: https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter.html.
AWS Firewall Manager can offer more network security checks, but requires integration with more services (Organizations, possibly Network Firewall) and can be pricier as well.
And lastly, AWS Config offers the ability to check resources and their configuration as well: https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html. It's possible to create your own custom Config rules too.
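As an added example (not from either answer above, and not an AWS-provided script), here is the kind of host-side check the original question asks about: a POSIX shell script that lists listening TCP/UDP sockets on a Linux node and reports any port that is not on an allow-list. The idea is to push it to the hybrid nodes with SSM Run Command using the `AWS-RunShellScript` document, so that a non-zero exit marks the invocation as failed and shows up in the command history. The allow-list (22 and 443), the `RUN_AUDIT` switch and the sample `ss` output used for the self-check are constructed for this illustration; the live run uses `ss -Hlntu`, whose columns are Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port.

```shell
#!/bin/sh
# Added example: audit listening ports on a Linux node against an allow-list.
# Meant to be run through SSM Run Command (AWS-RunShellScript); the allow-list
# below is a constructed baseline, override it with ALLOWED_PORTS="22 443 8080".
ALLOWED_PORTS="${ALLOWED_PORTS:-22 443}"

# Reads `ss -Hlntu` lines on stdin, e.g. "tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*",
# and prints unique "proto port" pairs. The port is the last ":"-separated part
# of field 5, which also handles "[::]:22" and "*:22".
listening_ports() {
    awk '{
        n = split($5, a, ":")
        print $1, a[n]
    }' | sort -u
}

# Reads "proto port" pairs on stdin and echoes only those not in ALLOWED_PORTS.
unexpected_ports() {
    allowed=" $ALLOWED_PORTS "
    while read -r proto port; do
        case "$allowed" in
            *" $port "*) ;;                              # on the allow-list
            *) printf '%s %s\n' "$proto" "$port" ;;      # unexpected listener
        esac
    done
}

# Full audit over ss output on stdin. Returns 1 when anything unexpected is
# listening, so Run Command reports the node as Failed and it can be alerted on.
audit_ports() {
    unexpected=$(listening_ports | unexpected_ports)
    if [ -n "$unexpected" ]; then
        printf 'UNEXPECTED listening ports:\n%s\n' "$unexpected"
        return 1
    fi
    echo "OK: only allow-listed ports are listening"
    return 0
}

# Live run on a node (set RUN_AUDIT=1 in the Run Command parameters):
#   ss -Hlntu | audit_ports
if [ "${RUN_AUDIT:-0}" = "1" ]; then
    ss -Hlntu | audit_ports
fi
```

To send it from the AWS CLI you would target the managed nodes with `aws ssm send-command --document-name "AWS-RunShellScript"` and pass the script body in the `commands` parameter; the per-node stdout and exit status are then visible under the command invocation. Loopback-only listeners (127.0.0.1) are still reported here, which is deliberate for a first inventory; narrow the awk filter on field 5 if you only care about externally reachable sockets.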