Removing unnecessary services on cloud workloads is a foundational configuration-management control for NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 (CM.L2-3.4.6); this post gives practical, cloud-specific steps, commands, automation recipes, and small-business examples for AWS, Azure, and GCP so you can reduce attack surface, demonstrate control implementation, and document compliance.
What CM.L2-3.4.6 requires and key objectives
CM.L2-3.4.6 (Least Functionality) requires that systems be configured to provide only essential capabilities: a host should not run services, daemons, or network-exposed features that its role does not need. Assessors check two things: that the essential capabilities for each system (or role) have been defined, and that the systems are actually configured to provide only those. In practice that means: 1) inventory installed and running services; 2) decide which are required against a per-role baseline; 3) remove or disable the rest; 4) continuously enforce and monitor the configuration; and 5) document exceptions in your SSP and POA&M. For small businesses, this reduces risk and helps meet contractual compliance obligations without large engineering overhead.
Implementing the control in AWS
Start with inventory: enable AWS Systems Manager (SSM) Inventory on your EC2 fleet to collect installed packages (and, on Windows, the service list). Use SSM Run Command to enumerate enabled or running units on Linux (systemd) or services on Windows. Example SSM Run Command (Linux) that lists enabled services on every instance tagged Role=web:
# Quote the --parameters value so the shell passes the brackets and quotes through to the CLI
aws ssm send-command \
--document-name "AWS-RunShellScript" \
--targets "Key=tag:Role,Values=web" \
--parameters 'commands=["systemctl list-unit-files --type=service --state=enabled"]' \
--region us-east-1
# Collect the per-instance output (this is also your inventory evidence):
aws ssm list-command-invocations --command-id <command-id> --details --region us-east-1
To remediate at scale, attach an SSM State Manager association (which re-applies the baseline on a schedule and reports compliance) or run an SSM Automation runbook that disables or removes the unwanted services. Example commands to disable FTP and rpcbind:
# Stop and disable the service; rpcbind is socket-activated, so disable rpcbind.socket too,
# otherwise the next connection to port 111 simply starts the daemon again
systemctl disable --now vsftpd
systemctl disable --now rpcbind.socket rpcbind.service
# Remove the packages only after confirming nothing depends on them (NFS needs rpcbind)
yum remove -y vsftpd rpcbind # for RHEL/CentOS (dnf on RHEL 8 and later)
apt-get purge -y vsftpd rpcbind # for Debian/Ubuntu
At the account level, keep managed services to the approved baseline as well: use Service Control Policies (SCPs) to deny API actions for AWS services you do not use, and restrict ec2:RunInstances with an IAM condition on ec2:ImageID so that instances can only be launched from approved, hardened AMIs rather than images that ship extra services. For audit evidence, Amazon Inspector network reachability findings show which instance ports are reachable from outside the VPC, the AWS Config managed rule restricted-common-ports flags security groups that open legacy ports, and a custom Config rule (Lambda) can evaluate SSM Inventory data for forbidden packages; export the findings to your SIEM for continuous evidence collection.
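As an added example (not code from the original post), here is a small Python tool for the inventory-to-remediation loop above: it parses the raw text that `systemctl list-unit-files --type=service --state=enabled` returns through Run Command (the same text comes back from `az vm run-command invoke` or `gcloud compute ssh`, so it serves the Azure and GCP Linux steps too), diffs it against a per-role baseline, produces the `commands` list to hand back to AWS-RunShellScript, and writes the evidence record you keep with the SSP. The role baselines, the instance ID and the sample systemctl output are constructed assumptions; the socket-unit handling for rpcbind reflects how systemd socket activation works.

```python
"""Turn the raw text of `systemctl list-unit-files --type=service --state=enabled`
(as returned by SSM Run Command, `az vm run-command invoke`, or `gcloud compute ssh`)
into a per-role remediation plan, the command list for AWS-RunShellScript,
and an evidence record for the SSP."""
import json
from datetime import datetime, timezone

# Hypothetical per-role baselines: the only services allowed to be enabled.
ROLE_BASELINES = {
    "web": {"sshd", "nginx", "amazon-ssm-agent", "chronyd", "rsyslog", "auditd"},
    "db": {"sshd", "postgresql", "amazon-ssm-agent", "chronyd", "rsyslog", "auditd"},
}

# Services systemd can start on demand through a companion socket unit:
# disabling only the .service leaves the .socket free to re-activate it.
SOCKET_ACTIVATED = {"rpcbind": "rpcbind.socket"}


def parse_enabled_services(systemctl_output):
    """Names (without .service) of units listed as enabled. Accepts both the
    two-column (UNIT FILE, STATE) and three-column (..., PRESET) layouts."""
    enabled = set()
    for line in systemctl_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].endswith(".service"):
            continue  # header, blank line, or the "N unit files listed." footer
        if parts[1] == "enabled":
            enabled.add(parts[0][: -len(".service")])
    return enabled


def plan_remediation(role, enabled_services):
    """Enabled services that the role's baseline does not allow, sorted."""
    return sorted(enabled_services - ROLE_BASELINES[role])


def remediation_commands(services, purge=False, pkg_mgr="apt-get"):
    """Shell commands to hand to AWS-RunShellScript (or any run-command).
    Socket units are disabled together with their service, and both are masked
    so a dependency or a hand `systemctl enable` cannot bring the service back.
    Only pass purge=True once you have confirmed nothing depends on the packages."""
    cmds = []
    for svc in services:
        units = [f"{svc}.service"]
        if svc in SOCKET_ACTIVATED:
            units.insert(0, SOCKET_ACTIVATED[svc])
        cmds.append("systemctl disable --now " + " ".join(units))
        cmds.append("systemctl mask " + " ".join(units))
    if purge and services:
        verb = "purge" if pkg_mgr == "apt-get" else "remove"
        cmds.append(f"{pkg_mgr} {verb} -y " + " ".join(services))
    return cmds


def evidence_record(instance_id, role, enabled_services, to_disable):
    """What was found, what the baseline allows, and what was scheduled
    for removal: the artefact to keep with the SSP/POA&M."""
    return {
        "instance_id": instance_id,
        "role": role,
        "checked_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "enabled_services": sorted(enabled_services),
        "baseline": sorted(ROLE_BASELINES[role]),
        "to_disable": list(to_disable),
        "compliant": not to_disable,
    }


# Constructed sample output, not captured from a real host.
SAMPLE_OUTPUT = """\
UNIT FILE                 STATE   PRESET
amazon-ssm-agent.service  enabled enabled
auditd.service            enabled enabled
chronyd.service           enabled enabled
nginx.service             enabled enabled
rpcbind.service           enabled enabled
rsyslog.service           enabled enabled
sshd.service              enabled enabled
vsftpd.service            enabled disabled

8 unit files listed.
"""

if __name__ == "__main__":
    enabled = parse_enabled_services(SAMPLE_OUTPUT)
    to_disable = plan_remediation("web", enabled)
    print(json.dumps(evidence_record("i-0123456789abcdef0", "web", enabled, to_disable), indent=2))
    # The JSON below is the --parameters value for aws ssm send-command
    print(json.dumps({"commands": remediation_commands(to_disable, purge=True)}))
```

Run stand-alone it prints the evidence record followed by a JSON object you can pass as `--parameters` to `send-command`; the same `plan_remediation()` output can just as well be rendered into an Ansible loop or an OS Config exec script. Masking in addition to disabling matters because `disable` alone does not stop another unit that lists the service as a dependency from starting it.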
Implementing the control in Azure
On Azure VMs, use Azure Automation's Change Tracking and Inventory to collect installed software and services (Azure Arc extends the same agent-based inventory to non-Azure servers), and Azure Policy guest configuration (now called machine configuration) to audit service state. For ad hoc checks and fixes use Run Command (az vm run-command invoke --command-id RunPowerShellScript ...) or Azure Automation DSC to enforce service state. Example PowerShell, run via Run Command, to identify and disable Telnet Server and the IIS FTP service on Windows VMs:
# Telnet Server registers as the TlntSvr service and the IIS FTP service as FTPSVC
Get-Service | Where-Object { $_.Status -eq 'Running' -and ($_.Name -in 'TlntSvr','FTPSVC') }
# Stop and disable each so it cannot start at boot; -ErrorAction tolerates hosts that lack it
'TlntSvr','FTPSVC' | ForEach-Object { Stop-Service -Name $_ -Force -ErrorAction SilentlyContinue; Set-Service -Name $_ -StartupType Disabled -ErrorAction SilentlyContinue }
Uninstall-WindowsFeature -Name Telnet-Client, Web-Ftp-Server # Windows Server only, if installed
For Linux VMs in Azure, use the Custom Script Extension or a machine configuration (Azure Policy guest configuration) assignment to apply the same systemctl commands as on AWS. Use Microsoft Defender for Cloud (formerly Azure Security Center) recommendations to identify insecure or unnecessary features and wire remediation to Logic Apps or Automation runbooks. Bake service baselines into images with Azure VM Image Builder so new VMs are deployed without unwanted packages.
Implementing the control in GCP
GCP's VM Manager provides OS inventory management and OS Config, whose OS policy assignments (the successor to the older guest policies) manage installed packages and can enforce service state through exec resources. Example gcloud command for a one-off change on a single Linux VM:
# --zone is required unless a default zone is configured; adjust my-instance and the zone
gcloud compute ssh my-instance --zone us-central1-a --command "sudo systemctl disable --now avahi-daemon && sudo apt-get purge -y avahi-daemon"
To scale, create an OS policy assignment in ENFORCEMENT mode, targeted by instance label, whose package resources set desiredState: REMOVED for the unwanted packages and whose exec resources validate the unit state (the validate script exits 100 when compliant and 101 when not) and run systemctl disable in the enforce step. Use Security Command Center (Security Health Analytics and, for web endpoints, Web Security Scanner) to identify exposed management services and automatically create tickets or trigger Cloud Functions to remediate. Combine with organization policy constraints (for example Restrict Resource Service Usage, constraints/gcp.restrictServiceUsage) to block managed services that are not part of your allowed baseline.
Automation, enforcement, and small-business scenarios
Practical small-business example: an e-commerce firm with 10 instances. Turn on SSM Inventory (AWS) or VM Manager OS inventory (GCP), then create one Ansible playbook (or an SSM State Manager association / OS policy assignment) that disables Telnet, FTP, Samba, and unused RPC services, and schedule it weekly. Sample Ansible tasks (Linux):
- name: Disable unwanted services
  ansible.builtin.systemd:
    name: "{{ item }}"
    state: stopped
    enabled: false
  loop:
    - vsftpd
    - rpcbind.socket   # socket unit first, or it re-activates rpcbind on demand
    - rpcbind
    - smbd             # Samba; the unit is named smb on RHEL-family hosts
    - telnet.socket
  register: svc
  # a unit that is simply not installed on this host is not a failure
  failed_when: svc.failed and 'Could not find the requested service' not in (svc.msg | default(''))
Bake hardened images with an image pipeline (Packer, EC2 Image Builder, Azure VM Image Builder) and use IaC (Terraform/ARM/Bicep/gcloud) to deploy only from those images and to avoid provisioning managed services outside the baseline. Use Cloud Custodian or scripts to detect instances listening on legacy ports (21/23/137-139/445) or on any port the role baseline does not allow, and either notify owners or remediate automatically. Keep a documented allowlist of permitted services per workload and require approvals for exceptions (recorded in your SSP/POA&M).
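As an added example, not from the original post or from Cloud Custodian, the following Python implements the open-port check just described over the output of `ss -lntu` collected from a host: it flags the legacy ports, flags any other listener outside a hypothetical per-role allowlist, and rates loopback-only binds low because they are baseline drift but not remotely reachable. The role allowlist and the sample ss output are constructed.

```python
"""Flag listening sockets that expose legacy or non-baseline services.
Input is the text of `ss -lntu` (all TCP and UDP listeners) collected by a
run-command/SSM job; output is a list of findings for a ticket or SIEM."""
import ipaddress

# Ports the post singles out; any listener here is a finding regardless of role.
LEGACY_PORTS = {21: "ftp", 23: "telnet", 137: "netbios-ns", 138: "netbios-dgm",
                139: "netbios-ssn", 445: "smb"}

# Hypothetical per-role listener allowlist as (protocol, port) pairs.
ALLOWED_LISTENERS = {
    "web": {("tcp", 22), ("tcp", 80), ("tcp", 443), ("udp", 68)},  # udp/68 = DHCP client
    "db": {("tcp", 22), ("tcp", 5432), ("udp", 68)},
}


def _split_addr(local):
    """'0.0.0.0:22' -> ('0.0.0.0', 22); '[::]:443' -> ('::', 443);
    '127.0.0.53%lo:53' -> ('127.0.0.53', 53); '*:445' -> ('*', 445)."""
    host, _, port = local.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %interface scope
    return host, int(port)


def _is_loopback(host):
    """True for 127.0.0.0/8, ::1 and IPv4-mapped ::ffff:127.x; '*' and 0.0.0.0 are wildcards."""
    if host in ("*", ""):
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host == "localhost"
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_loopback


def parse_listeners(ss_output):
    """Return (proto, bind_host, port) for each tcp/udp line of `ss -lntu` output."""
    listeners = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "udp"):
            continue  # header line or something we do not recognise
        host, port = _split_addr(parts[4])  # column 5 is Local Address:Port
        listeners.append((parts[0], host, port))
    return listeners


def find_exposed(role, ss_output):
    """Findings for listeners that are legacy services or outside the role baseline.
    Loopback-only binds are kept (they are still baseline drift) but rated low."""
    findings = []
    for proto, host, port in parse_listeners(ss_output):
        if port in LEGACY_PORTS:
            severity, reason = "high", f"legacy service {LEGACY_PORTS[port]}"
        elif (proto, port) not in ALLOWED_LISTENERS[role]:
            severity, reason = "medium", "listener not in role baseline"
        else:
            continue
        if _is_loopback(host):
            severity = "low"
        findings.append({"proto": proto, "port": port, "bind": host,
                         "severity": severity, "reason": reason})
    return sorted(findings, key=lambda f: (f["port"], f["proto"]))


# Constructed sample, not captured from a real host.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q  Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128           0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511           0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      511              [::]:443           [::]:*
tcp   LISTEN 0      32            0.0.0.0:21         0.0.0.0:*
tcp   LISTEN 0      50                  *:445              *:*
tcp   LISTEN 0      128         127.0.0.1:631        0.0.0.0:*
udp   UNCONN 0      0             0.0.0.0:137        0.0.0.0:*
udp   UNCONN 0      0        127.0.0.53%lo:53         0.0.0.0:*
udp   UNCONN 0      0             0.0.0.0:68         0.0.0.0:*
"""

if __name__ == "__main__":
    for f in find_exposed("web", SAMPLE_SS):
        print(f"{f['severity']:6} {f['proto']}/{f['port']:<5} bound to {f['bind']:<12} {f['reason']}")
```

The distinction between a wildcard bind and a loopback bind is worth keeping in any such check: a CUPS listener on 127.0.0.1:631 is a baseline deviation to record, while SMB on `*:445` is the kind of exposure that should open a ticket the same day.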
Risk of not removing unnecessary services
Failing to remove unused services increases attack surface (extra listening ports, unpatched daemons), gives an intruder footholds for credential theft and lateral movement, and can result in failed assessments or loss of contracts that require NIST SP 800-171 / CMMC compliance. Internet-exposed legacy services such as FTP, Telnet and SMB are a recurring initial-access vector in public breach reporting, and a small business rarely has the monitoring to catch their abuse early. On the compliance side, inability to demonstrate the control can mean forced remediation deadlines, loss of the contract, or higher cyber-insurance premiums.
Compliance tips and best practices
1) Define baselines per workload type (web, db, admin) and document them in your System Security Plan (SSP). 2) Use CIS Benchmarks as a starting point; map benchmark items to CM.L2-3.4.6 for evidence. 3) Automate detection and remediation using cloud-native agents (SSM, OS Config, Azure Guest Configuration) and orchestration (Ansible, State Manager). 4) Enforce via IaC and prevent drift with periodic scans (weekly). 5) Maintain exception records and POA&Ms for services that cannot be removed immediately, with compensating controls (segmentation, host-based firewall, strict logging). 6) Collect audit evidence: inventory exports, remediation job run logs, and policy evaluation history for compliance reviewers.
Summary: Removing unnecessary services is practical, high-impact, and achievable with native cloud tooling plus lightweight automation; inventory first, define baselines, remediate at scale (SSM/OS Config/Guest Configuration), enforce with IaC and organization policies, and continuously monitor to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 CM.L2-3.4.6 — for small businesses this reduces attack surface, demonstrates due diligence, and simplifies compliance evidence collection.