Ensure that sensitive parameters are encrypted

Sensitive parameters in AWS System Manager Parameter Store should be encrypted using the SecureString type.

Risk Level: High
Cloud Entity: Amazon Systems Manager Parameter
CloudGuard Rule ID: D9.AWS.CRY.53
Covered by Spectral: Yes
Category: Management Tools


SystemManagerParameter where name regexMatch /(pass|user|login|pwd|key|secret)/ should have parameterType='SecureString'


From Portal

  1. Sign in to the AWS Management Console.
  2. Navigate to SSM dashboard at https://console.aws.amazon.com/systems-manager/.
  3. In the navigation panel, under the Application Management section, choose Parameter Store.
  4. Choose the SSM parameter that you want to re-create then click on its name to open the resource details page.
  5. On the selected SSM parameter details page, copy the values set for the Name, Description and Value attributes in a secured location.
  6. Once the necessary information is copied, click the Delete button from the dashboard top-right menu to remove the selected parameter.
  7. Inside the Delete Parameter dialog box, click Delete to confirm the action.
  8. In the navigation panel, in the Application Management section, select Parameter Store and click Create parameter button from the dashboard top menu to initiate the setup process.
  9. Paste the values copied at step no. 5 in the Name, Description and Value boxes to utilize the same data as the source parameter.
  10. Set the parameter Type to SecureString, choose whether to use a KMS key from your current AWS account or from a different AWS account, then select the key to encrypt your parameter data from the KMS Key ID dropdown list.
  11. Click Create parameter to finish the setup process.

From TF

resource "aws_ssm_parameter" "example" {
	name  = "example"
	type  = "SecureString"
	value = "bar"

From Command Line

  1. To encrypt the sensitive parameter, you should first delete the old one by running the following command:
aws ssm delete-parameter ParamName
  1. Then, create again the same parameter but this time encrypted:
aws ssm put-parameter --name PARAMETER_NAME --value PARAMETER_VALUE --type SecureString


  1. https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-create-console.html
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter
  3. https://docs.aws.amazon.com/systems-manager/latest/userguide/param-create-cli.html
  4. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ssm/delete-parameter.html
  5. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ssm/put-parameter.html

Amazon Systems Manager Parameter

Parameter Store, a capability of AWS Systems Manager, provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, Amazon Machine Image (AMI) IDs, and license codes as parameter values. You can store values as plain text or encrypted data. You can reference Systems Manager parameters in your scripts, commands, SSM documents, and configuration and automation workflows by using the unique name that you specified when you created the parameter.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset