{
  "title": "How to Harden Cloud Workloads for NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - CM.L2-3.4.6: Removing Unnecessary Services in AWS, Azure, and GCP",
  "date": "2026-04-13",
  "author": "Lakeridge Technologies",
  "featured_image": "/assets/images/blog/2026/4/how-to-harden-cloud-workloads-for-nist-sp-800-171-rev2-cmmc-20-level-2-control-cml2-346-removing-unnecessary-services-in-aws-azure-and-gcp.jpg",
  "content": {
    "full_html": "<p>Removing unnecessary services on cloud workloads is a foundational configuration-management control for NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 (CM.L2-3.4.6); this post gives practical, cloud-specific steps, commands, automation recipes, and small-business examples for AWS, Azure, and GCP so you can reduce attack surface, demonstrate control implementation, and document compliance.</p>\n\n<h2>What CM.L2-3.4.6 requires and key objectives</h2>\n<p>The core requirement of CM.L2-3.4.6 is to ensure systems do not run services that are not required for their role — i.e., disable or remove unnecessary services, daemons, and network-exposed features. Objectives are: 1) detect installed/running services; 2) decide which are required based on a system baseline; 3) remove or disable the rest; 4) continuously enforce and monitor the configuration; and 5) document exceptions for your SSP and POA&M. For small businesses, this reduces risk and helps meet contractual compliance obligations without large engineering overhead.</p>\n\n<h2>Implementing the control in AWS</h2>\n<p>Start with inventory: enable AWS Systems Manager (SSM) Inventory on your EC2 fleet to collect package and service details. Use SSM Run Command to enumerate services on Linux (systemd) or Windows. Example SSM Run Command (Linux) to list enabled services:</p>\n<pre><code>aws ssm send-command \\\n  --document-name \"AWS-RunShellScript\" \\\n  --targets \"Key=tag:Role,Values=web\" \\\n  --parameters commands=[\"systemctl list-unit-files --type=service --state=enabled\"] \\\n  --region us-east-1\n</code></pre>\n<p>To remediate at scale, use SSM State Manager or an SSM Automation document to apply a baseline that disables or removes unwanted services. Example command to disable FTP and rpcbind:</p>\n<pre><code>systemctl disable --now vsftpd\nsystemctl disable --now rpcbind\nyum remove -y vsftpd rpcbind   # for RHEL/CentOS\napt-get purge -y vsftpd rpcbind # for Debian/Ubuntu\n</code></pre>\n<p>At the account/configuration level, avoid provisioning unnecessary managed services: enforce Service Control Policies (SCPs) to disallow creation of services you don't use (e.g., legacy services), and use IAM least privilege to prevent developers from launching new images with extra services. Audit with Amazon Inspector and AWS Config rules (e.g., custom rules to flag instances with specific listening ports) and export findings to your SIEM for continuous evidence collection.</p>\n\n<h2>Implementing the control in Azure</h2>\n<p>On Azure VMs, use Azure Arc / VM Extensions for inventory or Azure Policy Guest Configuration to audit services. You can use the Run Command (az vm run-command) or Azure Automation DSC to enforce service state. Example PowerShell snippet to identify and disable Telnet and FTP on Windows VMs via Run Command:</p>\n<pre><code>Get-Service | Where-Object { $_.Status -eq 'Running' -and ($_.Name -match 'Telnet' -or $_.Name -match 'FTPSVC') }\nStop-Service -Name Telnet -Force; Set-Service -Name Telnet -StartupType Disabled\nUninstall-WindowsFeature -Name Telnet-Client # if applicable\n</code></pre>\n<p>For Linux VMs in Azure, use the custom script extension or Azure Policy Guest Configuration to run the same systemctl commands as in AWS. Use Azure Security Center (Microsoft Defender for Cloud) recommendations to identify insecure or unnecessary features and integrate remediation via Logic Apps or Automation runbooks. Enforce service baselines with images (Azure VM Image Builder) so new VMs are deployed without unwanted packages.</p>\n\n<h2>Implementing the control in GCP</h2>\n<p>GCP offers OS Inventory and OS Config (guest policies) to manage installed packages and running services. Use OS Config to create guest policies that enforce package state and startup behavior. Example gcloud command to execute a one-off disable on a Linux VM:</p>\n<pre><code>gcloud compute ssh my-instance --command \"sudo systemctl disable --now avahi-daemon && sudo apt-get purge -y avahi-daemon\"\n</code></pre>\n<p>To scale, create OS Config guest policies that ensure packages are absent and services are disabled on all matching instances. Use Security Command Center and Vulnerability Scanning to identify exposed management services and automatically create tickets or trigger Cloud Functions to remediate. Combine with organization-level constraints (e.g., Service Usage API) to block the creation of certain managed services if they are not part of your allowed baseline.</p>\n\n<h2>Automation, enforcement, and small-business scenarios</h2>\n<p>Practical small-business example: an e-commerce firm with 10 instances. Turn on SSM (AWS) or OS Config (GCP) for inventory, create a single Ansible playbook or SSM State Manager association that disables Telnet, FTP, Samba, and unused RPC services, and schedule it weekly. Sample Ansible tasks (Linux):</p>\n<pre><code>- name: Disable unwanted services\n  systemd:\n    name: \"{{ item }}\"\n    state: stopped\n    enabled: no\n  loop:\n    - vsftpd\n    - rpcbind\n    - telnet.socket\n</code></pre>\n<p>Use IaC (Terraform/ARM/Bicep/gcloud) to bake hardened images and to avoid provisioning unnecessary managed services. Use Cloud Custodian or scripts to detect instances with open ports (21/23/137-139/445) and either notify owners or remediate automatically. Keep a documented whitelist of allowed services per workload and require approvals for exceptions (logged in your SSP/POA&M).</p>\n\n<h2>Risk of not removing unnecessary services</h2>\n<p>Failing to remove unused services increases attack surface (extra listening ports, vulnerable daemons), enables credential exposure and lateral movement, and can result in failed audits or loss of contracts that require NIST/CMMC compliance. For small businesses, a single exposed legacy service (e.g., FTP) led to ransomware incidents in many public breaches; compliance-wise, inability to demonstrate control implementation can force remediation windows, conditional contract termination, or increased insurance premiums.</p>\n\n<h2>Compliance tips and best practices</h2>\n<p>1) Define baselines per workload type (web, db, admin) and document them in your System Security Plan (SSP). 2) Use CIS Benchmarks as a starting point; map benchmark items to CM.L2-3.4.6 for evidence. 3) Automate detection and remediation using cloud-native agents (SSM, OS Config, Azure Guest Configuration) and orchestration (Ansible, State Manager). 4) Enforce via IaC and prevent drift with periodic scans (weekly). 5) Maintain exception records and POA&Ms for services that cannot be removed immediately, with compensating controls (segmentation, host-based firewall, strict logging). 6) Collect audit evidence: inventory exports, remediation job run logs, and policy evaluation history for compliance reviewers.</p>\n\n<p>Summary: Removing unnecessary services is practical, high-impact, and achievable with native cloud tooling plus lightweight automation; inventory first, define baselines, remediate at scale (SSM/OS Config/Guest Configuration), enforce with IaC and organization policies, and continuously monitor to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 CM.L2-3.4.6 — for small businesses this reduces attack surface, demonstrates due diligence, and simplifies compliance evidence collection.</p>",
    "plain_text": "Removing unnecessary services on cloud workloads is a foundational configuration-management control for NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 (CM.L2-3.4.6); this post gives practical, cloud-specific steps, commands, automation recipes, and small-business examples for AWS, Azure, and GCP so you can reduce attack surface, demonstrate control implementation, and document compliance.\n\nWhat CM.L2-3.4.6 requires and key objectives\nThe core requirement of CM.L2-3.4.6 is to ensure systems do not run services that are not required for their role — i.e., disable or remove unnecessary services, daemons, and network-exposed features. Objectives are: 1) detect installed/running services; 2) decide which are required based on a system baseline; 3) remove or disable the rest; 4) continuously enforce and monitor the configuration; and 5) document exceptions for your SSP and POA&M. For small businesses, this reduces risk and helps meet contractual compliance obligations without large engineering overhead.\n\nImplementing the control in AWS\nStart with inventory: enable AWS Systems Manager (SSM) Inventory on your EC2 fleet to collect package and service details. Use SSM Run Command to enumerate services on Linux (systemd) or Windows. Example SSM Run Command (Linux) to list enabled services:\naws ssm send-command \\\n  --document-name \"AWS-RunShellScript\" \\\n  --targets \"Key=tag:Role,Values=web\" \\\n  --parameters commands=[\"systemctl list-unit-files --type=service --state=enabled\"] \\\n  --region us-east-1\n\nTo remediate at scale, use SSM State Manager or an SSM Automation document to apply a baseline that disables or removes unwanted services. Example command to disable FTP and rpcbind:\nsystemctl disable --now vsftpd\nsystemctl disable --now rpcbind\nyum remove -y vsftpd rpcbind   # for RHEL/CentOS\napt-get purge -y vsftpd rpcbind # for Debian/Ubuntu\n\nAt the account/configuration level, avoid provisioning unnecessary managed services: enforce Service Control Policies (SCPs) to disallow creation of services you don't use (e.g., legacy services), and use IAM least privilege to prevent developers from launching new images with extra services. Audit with Amazon Inspector and AWS Config rules (e.g., custom rules to flag instances with specific listening ports) and export findings to your SIEM for continuous evidence collection.\n\nImplementing the control in Azure\nOn Azure VMs, use Azure Arc / VM Extensions for inventory or Azure Policy Guest Configuration to audit services. You can use the Run Command (az vm run-command) or Azure Automation DSC to enforce service state. Example PowerShell snippet to identify and disable Telnet and FTP on Windows VMs via Run Command:\nGet-Service | Where-Object { $_.Status -eq 'Running' -and ($_.Name -match 'Telnet' -or $_.Name -match 'FTPSVC') }\nStop-Service -Name Telnet -Force; Set-Service -Name Telnet -StartupType Disabled\nUninstall-WindowsFeature -Name Telnet-Client # if applicable\n\nFor Linux VMs in Azure, use the custom script extension or Azure Policy Guest Configuration to run the same systemctl commands as in AWS. Use Azure Security Center (Microsoft Defender for Cloud) recommendations to identify insecure or unnecessary features and integrate remediation via Logic Apps or Automation runbooks. Enforce service baselines with images (Azure VM Image Builder) so new VMs are deployed without unwanted packages.\n\nImplementing the control in GCP\nGCP offers OS Inventory and OS Config (guest policies) to manage installed packages and running services. Use OS Config to create guest policies that enforce package state and startup behavior. Example gcloud command to execute a one-off disable on a Linux VM:\ngcloud compute ssh my-instance --command \"sudo systemctl disable --now avahi-daemon && sudo apt-get purge -y avahi-daemon\"\n\nTo scale, create OS Config guest policies that ensure packages are absent and services are disabled on all matching instances. Use Security Command Center and Vulnerability Scanning to identify exposed management services and automatically create tickets or trigger Cloud Functions to remediate. Combine with organization-level constraints (e.g., Service Usage API) to block the creation of certain managed services if they are not part of your allowed baseline.\n\nAutomation, enforcement, and small-business scenarios\nPractical small-business example: an e-commerce firm with 10 instances. Turn on SSM (AWS) or OS Config (GCP) for inventory, create a single Ansible playbook or SSM State Manager association that disables Telnet, FTP, Samba, and unused RPC services, and schedule it weekly. Sample Ansible tasks (Linux):\n- name: Disable unwanted services\n  systemd:\n    name: \"{{ item }}\"\n    state: stopped\n    enabled: no\n  loop:\n    - vsftpd\n    - rpcbind\n    - telnet.socket\n\nUse IaC (Terraform/ARM/Bicep/gcloud) to bake hardened images and to avoid provisioning unnecessary managed services. Use Cloud Custodian or scripts to detect instances with open ports (21/23/137-139/445) and either notify owners or remediate automatically. Keep a documented whitelist of allowed services per workload and require approvals for exceptions (logged in your SSP/POA&M).\n\nRisk of not removing unnecessary services\nFailing to remove unused services increases attack surface (extra listening ports, vulnerable daemons), enables credential exposure and lateral movement, and can result in failed audits or loss of contracts that require NIST/CMMC compliance. For small businesses, a single exposed legacy service (e.g., FTP) led to ransomware incidents in many public breaches; compliance-wise, inability to demonstrate control implementation can force remediation windows, conditional contract termination, or increased insurance premiums.\n\nCompliance tips and best practices\n1) Define baselines per workload type (web, db, admin) and document them in your System Security Plan (SSP). 2) Use CIS Benchmarks as a starting point; map benchmark items to CM.L2-3.4.6 for evidence. 3) Automate detection and remediation using cloud-native agents (SSM, OS Config, Azure Guest Configuration) and orchestration (Ansible, State Manager). 4) Enforce via IaC and prevent drift with periodic scans (weekly). 5) Maintain exception records and POA&Ms for services that cannot be removed immediately, with compensating controls (segmentation, host-based firewall, strict logging). 6) Collect audit evidence: inventory exports, remediation job run logs, and policy evaluation history for compliance reviewers.\n\nSummary: Removing unnecessary services is practical, high-impact, and achievable with native cloud tooling plus lightweight automation; inventory first, define baselines, remediate at scale (SSM/OS Config/Guest Configuration), enforce with IaC and organization policies, and continuously monitor to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 CM.L2-3.4.6 — for small businesses this reduces attack surface, demonstrates due diligence, and simplifies compliance evidence collection."
  },
  "metadata": {
    "description": "Practical, step-by-step guidance to remove unnecessary services from cloud workloads to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 CM.L2-3.4.6 using AWS, Azure, and GCP native and automation tooling.",
    "permalink": "/how-to-harden-cloud-workloads-for-nist-sp-800-171-rev2-cmmc-20-level-2-control-cml2-346-removing-unnecessary-services-in-aws-azure-and-gcp.json",
    "categories": [],
    "tags": []
  }
}