Amazon Systems Manager Document should not be publicly available

Ensure that your AWS Systems Manager (SSM) documents are not shared publicly unless there is a genuine need. A publicly shared document can be read by every AWS account, so anything it contains (S3 bucket names, access keys, user names, internal hostnames, embedded scripts) becomes public. If a document was exposed by accident, make it private immediately (see Remediation). If a document must stay public, review its content and parameters first and make sure they contain no sensitive information.

Risk Level: Critical
Cloud Entity: Amazon Systems Manager document
CloudGuard Rule ID: D9.AWS.VLN.04
Covered by Spectral: Yes
Category: Management Tools

GSL LOGIC

SystemManagerDocument should not have accountSharingInfoList contain [ accountId='all' ]

REMEDIATION

From Portal
To block public sharing of your SSM documents

  1. Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.
  2. In the navigation pane, choose Documents.
    -or- If the AWS Systems Manager home page opens first, choose the menu icon to open the navigation pane, and then choose Documents in the navigation pane.
  3. Choose Preferences, and then choose Edit in the Block public sharing section.
  4. Select the Block public sharing check box, and then choose Save.

From TF
In the Terraform AWS provider, permissions is a map (not a nested block) with two keys: type, which must be "Share", and account_ids, a comma-separated list of the AWS account IDs allowed to use the document. Setting account_ids = "All" shares the document publicly, which is exactly what this rule flags, so list explicit account IDs, or omit permissions entirely to keep the document private. The provider documentation in the references describes this attribute.

resource "aws_ssm_document" "example" {
	name            = "document_name"
	document_format = "YAML"
	document_type   = "Command"

	# content is required; this is a minimal placeholder Command document
	content = <<-DOC
		schemaVersion: "2.2"
		description: "Replace with your own steps"
		mainSteps:
		  - action: aws:runShellScript
		    name: example
		    inputs:
		      runCommand:
		        - echo "hello"
	DOC

	# permissions is a map; account_ids is a comma-separated list of the
	# AWS account IDs that may use the document. Never set it to "All".
	permissions = {
		type        = "Share"
		account_ids = "AWS_account_id_1,AWS_account_id_2"
	}
}

From Command Line

  1. Block public sharing of SSM documents for the account. The setting is per Region, so run it in every Region you use (the setting ID is the one documented in reference 1):
aws ssm update-service-setting --setting-id /ssm/documents/console/public-sharing-permission --setting-value Disable --region AWS_Region
  2. Make an already public document private by removing the All pseudo account from its share list:
aws ssm modify-document-permission --name Document_Name --permission-type Share --account-ids-to-remove All
  3. If specific AWS accounts still need the document, share it with them explicitly:
aws ssm modify-document-permission --name Document_Name --permission-type Share --account-ids-to-add AWS_account_id
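The GSL rule above inspects accountSharingInfoList for accountId='all', and the CLI steps remove that share. The following script, added here as an example and not code from CloudGuard or AWS, does both over every document the account owns: it pages through ListDocuments with Owner=Self, reads DescribeDocumentPermission, flags documents whose share list contains the public pseudo account, and calls ModifyDocumentPermission to remove All and optionally add explicit accounts. A small fake of the boto3 SSM client with constructed sample data is embedded so it runs offline; pass boto3.client("ssm") instead to audit a live account. Document names and account IDs are made-up placeholders.

```python
"""Audit and remediate publicly shared SSM documents (added example, not CloudGuard's or AWS's code)."""
from __future__ import annotations

import copy
from dataclasses import dataclass

PUBLIC_ID = "all"  # pseudo account id meaning "every AWS account"


@dataclass
class Finding:
    name: str
    document_type: str
    shared_with: list[str]

    @property
    def is_public(self) -> bool:
        # ModifyDocumentPermission accepts "All", DescribeDocumentPermission reports "all";
        # compare case-insensitively so neither spelling slips by.
        return any(a.lower() == PUBLIC_ID for a in self.shared_with)


def shared_account_ids(permission_response: dict) -> list[str]:
    """Account ids from a DescribeDocumentPermission response (the list the GSL rule inspects)."""
    return [e["AccountId"] for e in permission_response.get("AccountSharingInfoList", [])]


def audit_public_documents(ssm) -> list[Finding]:
    """Return a Finding for every document owned by this account that is shared publicly."""
    findings: list[Finding] = []
    paginator = ssm.get_paginator("list_documents")
    for page in paginator.paginate(Filters=[{"Key": "Owner", "Values": ["Self"]}]):
        for doc in page["DocumentIdentifiers"]:
            perms = ssm.describe_document_permission(Name=doc["Name"], PermissionType="Share")
            finding = Finding(doc["Name"], doc.get("DocumentType", ""), shared_account_ids(perms))
            if finding.is_public:
                findings.append(finding)
    return findings


def remediate(ssm, finding: Finding, keep_accounts: list[str] | None = None) -> dict:
    """Remove the public share and optionally grant explicit accounts in the same call.

    AccountIdsToRemove takes priority over AccountIdsToAdd, so "All" can never be re-added here.
    """
    kwargs = {"Name": finding.name, "PermissionType": "Share", "AccountIdsToRemove": ["All"]}
    if keep_accounts:
        kwargs["AccountIdsToAdd"] = list(keep_accounts)
    ssm.modify_document_permission(**kwargs)
    return kwargs


class FakeSSM:
    """Constructed stand-in for boto3's SSM client; implements only the calls used above."""

    def __init__(self, docs: dict[str, dict]):
        self.docs = copy.deepcopy(docs)  # name -> {"DocumentType": str, "AccountIds": [str]}

    def get_paginator(self, operation_name: str):
        assert operation_name == "list_documents"
        return self

    def paginate(self, Filters):
        yield {"DocumentIdentifiers": [
            {"Name": name, "Owner": "111111111111", "DocumentType": d["DocumentType"]}
            for name, d in self.docs.items()]}

    def describe_document_permission(self, Name, PermissionType):
        ids = self.docs[Name]["AccountIds"]
        return {"AccountIds": list(ids),
                "AccountSharingInfoList": [{"AccountId": a, "SharedDocumentVersion": "$DEFAULT"} for a in ids]}

    def modify_document_permission(self, Name, PermissionType, AccountIdsToRemove=(), AccountIdsToAdd=()):
        ids = self.docs[Name]["AccountIds"]
        removed = {a.lower() for a in AccountIdsToRemove}
        ids[:] = [a for a in ids if a.lower() not in removed]
        ids.extend(a for a in AccountIdsToAdd if a not in ids and a.lower() not in removed)


SAMPLE_DOCUMENTS = {  # constructed sample data; not real documents or accounts
    "Custom-PatchBaseline": {"DocumentType": "Command", "AccountIds": ["all"]},
    "Custom-CollectLogs": {"DocumentType": "Automation", "AccountIds": ["222222222222"]},
    "Custom-Bootstrap": {"DocumentType": "Command", "AccountIds": []},
}


def demo(keep_accounts=("222222222222",)) -> tuple[list[str], list[str]]:
    """Audit the sample account, fix every public document, then audit again."""
    ssm = FakeSSM(SAMPLE_DOCUMENTS)
    before = audit_public_documents(ssm)
    for finding in before:
        remediate(ssm, finding, list(keep_accounts))
    after = audit_public_documents(ssm)
    return [f.name for f in before], [f.name for f in after]


if __name__ == "__main__":
    print(demo())
```

Against a live account the same share list can be inspected by hand with aws ssm describe-document-permission --name Document_Name --permission-type Share, which is a quick way to confirm a remediation before CloudGuard re-evaluates the rule.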

References

  1. https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-share-block.html
  2. https://docs.aws.amazon.com/cli/latest/reference/ssm/update-service-setting.html
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ssm/modify-document-permission.html
  4. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_document
  5. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_document#account_ids
  6. https://github.com/hashicorp/terraform-provider-aws/issues/5308

Amazon Systems Manager document

An AWS Systems Manager document (SSM document) defines the actions that Systems Manager performs on your managed instances. Systems Manager includes more than 100 pre-configured documents that you can use by specifying parameters at runtime. Pre-configured documents can be found in the Systems Manager Documents console by choosing the Owned by Amazon tab, or by specifying Amazon for the Owner filter when calling the ListDocuments API operation. Documents use JavaScript Object Notation (JSON) or YAML, and they include steps and parameters that you specify.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset
  • CloudGuard AWS Default Ruleset