Lab: Securing Compute Workloads with Amazon EC2 and Systems Manager
Design, implement, and troubleshoot security controls for compute workloads
In this lab, you will implement security best practices for Amazon EC2 instances, focusing on the removal of open administrative ports (SSH/RDP) in favor of AWS Systems Manager Session Manager, applying least-privilege instance profiles, and enabling automated vulnerability scanning with Amazon Inspector.
> [!WARNING]
> Remember to run the teardown commands at the end of this lab to avoid ongoing charges for the EC2 instance and Amazon Inspector scanning.
Prerequisites
- An AWS Account with AdministratorAccess permissions.
- AWS CLI installed and configured on your local machine (`aws configure`).
- Basic familiarity with the AWS Management Console.
- A default VPC in your preferred region (e.g., `us-east-1`).
Learning Objectives
- Design & Implement a least-privilege IAM Instance Profile for EC2.
- Configure a "Zero-Inbound" Security Group to eliminate the attack surface of administrative ports.
- Deploy secure administrative access using Systems Manager Session Manager.
- Enable and interpret vulnerability findings using Amazon Inspector.
Architecture Overview
Step-by-Step Instructions
Step 1: Create a Least-Privilege IAM Instance Profile
EC2 instances need an IAM role to call AWS services such as Systems Manager (SSM) and Amazon Inspector. Attaching only the `AmazonSSMManagedInstanceCore` managed policy gives the SSM Agent exactly what it needs to register the instance and open sessions, and nothing more; Inspector's EC2 scanning collects its software inventory through that same agent, so no extra permissions are required for it.
```bash
# 1. Create the trust policy for EC2
cat <<EOF > ec2-trust-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF

# 2. Create the IAM Role
aws iam create-role --role-name BrainyBee-Compute-Security-Role --assume-role-policy-document file://ec2-trust-policy.json

# 3. Attach the SSM Managed Policy
aws iam attach-role-policy --role-name BrainyBee-Compute-Security-Role --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore

# 4. Create the Instance Profile wrapper
aws iam create-instance-profile --instance-profile-name BrainyBee-EC2-Profile
aws iam add-role-to-instance-profile --instance-profile-name BrainyBee-EC2-Profile --role-name BrainyBee-Compute-Security-Role
```

Console alternative:
- Navigate to IAM > Roles > Create role.
- Select AWS service and EC2.
- Search for and check AmazonSSMManagedInstanceCore.
- Name the role `BrainyBee-Compute-Security-Role` and save.
Step 2: Create a "Zero-Inbound" Security Group
To remove the administrative attack surface entirely, we create a security group with no inbound rules at all. This works because the SSM Agent initiates outbound connections to the Systems Manager endpoints; nothing ever needs to reach the instance from the outside.
```bash
# Get your Default VPC ID
VPC_ID=$(aws ec2 describe-vpcs --filters "Name=is-default,Values=true" --query "Vpcs[0].VpcId" --output text)

# Create the Security Group
SG_ID=$(aws ec2 create-security-group --group-name SecureComputeSG --description "No Inbound Traffic" --vpc-id $VPC_ID --query "GroupId" --output text)

# Note: By default, a new SG has no inbound rules and allows all outbound.
```

Step 3: Launch the Hardened EC2 Instance
We will use the latest Amazon Linux 2023 AMI, which ships with the SSM Agent pre-installed.

```bash
# Find the latest AL2023 AMI
AMI_ID=$(aws ec2 describe-images --owners amazon --filters "Name=name,Values=al2023-ami-2023*-x86_64" --query "sort_by(Images, &CreationDate)[-1].ImageId" --output text)

# Launch the instance
INSTANCE_ID=$(aws ec2 run-instances \
  --image-id $AMI_ID \
  --count 1 \
  --instance-type t3.micro \
  --iam-instance-profile Name=BrainyBee-EC2-Profile \
  --security-group-ids $SG_ID \
  --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=HardenedComputeNode}]' \
  --query "Instances[0].InstanceId" --output text)
echo "Launched Instance: $INSTANCE_ID"
```

> [!TIP]
> Notice we did not specify a KeyPair. Since we are using Session Manager, SSH keys are not required, reducing the risk of lost or stolen credentials.
Step 4: Enable Amazon Inspector for Scanning
Amazon Inspector will automatically discover the instance and begin scanning for software vulnerabilities and network reachability issues.
```bash
# Enable Inspector for EC2 scanning
aws inspector2 enable --resource-types EC2
```

Console alternative:
- Search for Amazon Inspector in the console.
- Click Get Started and then Enable Inspector.
- Ensure EC2 scanning is toggled to "On" in the settings.
Checkpoints
Checkpoint 1: Verify SSM Connectivity
Wait 2-3 minutes for the instance to initialize and for the SSM Agent to check in.

```bash
# Check if the instance is managed by SSM
aws ssm describe-instance-information --filters "Key=InstanceIds,Values=$INSTANCE_ID" --query "InstanceInformationList[0].PingStatus" --output text
```

Expected Result: `Online`
Checkpoint 2: Test Secure Administrative Access
Attempt to open a shell session without using SSH. This command requires the Session Manager plugin for the AWS CLI to be installed on your local machine.

```bash
# Start a session
aws ssm start-session --target $INSTANCE_ID
```

Expected Result: You should see a prompt like `sh-5.2$`. Type `exit` to close the session.
Troubleshooting
| Problem | Possible Cause | Fix |
|---|---|---|
| SSM PingStatus is "Connection Lost" | Instance lacks outbound internet access to reach SSM endpoints. | Ensure the subnet has a route to an Internet Gateway or NAT Gateway. |
| "An error occurred (TargetNotConnected)" | IAM Role is missing permissions or hasn't propagated. | Wait 60 seconds. Verify AmazonSSMManagedInstanceCore is attached to the role. |
| Inspector shows no findings | Scanning takes time to initialize. | Check the "Account Management" tab in Inspector to ensure the instance is "Active" for scanning. |
Clean-Up / Teardown
> [!IMPORTANT]
> Always delete resources in reverse order of creation to avoid dependency errors.
```bash
# 1. Terminate the EC2 Instance and wait until it is gone; the security
#    group cannot be deleted while an instance still references it.
aws ec2 terminate-instances --instance-ids $INSTANCE_ID
aws ec2 wait instance-terminated --instance-ids $INSTANCE_ID

# 2. Disable Amazon Inspector
aws inspector2 disable --resource-types EC2

# 3. Delete IAM Resources (the instance must be terminated first)
aws iam remove-role-from-instance-profile --instance-profile-name BrainyBee-EC2-Profile --role-name BrainyBee-Compute-Security-Role
aws iam delete-instance-profile --instance-profile-name BrainyBee-EC2-Profile
aws iam detach-role-policy --role-name BrainyBee-Compute-Security-Role --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
aws iam delete-role --role-name BrainyBee-Compute-Security-Role

# 4. Delete Security Group
aws ec2 delete-security-group --group-id $SG_ID
```

Stretch Challenge
Task: Use Systems Manager Patch Manager to run a "Scan" operation on your instance and identify missing security patches.

Hint: Navigate to Systems Manager > Patch Manager > Patch now. Select your instance and use the "Scan" operation.