Ensure that public System Manager Documents include parameters

If an SSM document is shared publicly, make sure that any sensitive values it uses (S3 bucket names, keys, user names, passwords and similar) are passed in as document parameters rather than hard-coded in the document content.

Risk Level: High
Cloud Entity: Amazon Systems Manager document
CloudGuard Rule ID: D9.AWS.VLN.05
Covered by Spectral: Yes
Category: Management Tools

GSL LOGIC

SystemManagerDocument where accountSharingInfoList contain [ accountId='all' ] should not have parameters isEmpty()
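The following added example (not part of the CloudGuard rule page) mirrors the GSL logic in Python over constructed input: a DescribeDocumentPermission-style result and the JSON content of a Command document, one version hard-coding an S3 bucket name and one moving it into a document parameter.

```python
import json

# Constructed sample: a Command document that hard-codes an S3 bucket name.
HARDCODED_DOC = json.dumps({
    "schemaVersion": "2.2",
    "description": "Upload application logs",
    "mainSteps": [{
        "action": "aws:runShellScript",
        "name": "upload",
        "inputs": {"runCommand": ["aws s3 cp /var/log/app.log s3://example-logs-bucket/"]},
    }],
})

# Same document with the bucket name declared as a parameter and referenced as {{ LogBucket }}.
PARAMETERIZED_DOC = json.dumps({
    "schemaVersion": "2.2",
    "description": "Upload application logs",
    "parameters": {
        "LogBucket": {"type": "String", "description": "(Required) Destination bucket name"},
    },
    "mainSteps": [{
        "action": "aws:runShellScript",
        "name": "upload",
        "inputs": {"runCommand": ["aws s3 cp /var/log/app.log s3://{{ LogBucket }}/"]},
    }],
})

# Constructed permission results in the shape of DescribeDocumentPermission output (assumed).
PUBLIC_SHARE = {"AccountSharingInfoList": [{"AccountId": "all"}]}
PRIVATE_SHARE = {"AccountSharingInfoList": []}


def is_public(permission):
    """True when the document is shared with every AWS account (accountId 'all')."""
    return any(entry.get("AccountId") == "all"
               for entry in permission.get("AccountSharingInfoList", []))


def evaluate(permission, content):
    """Apply the rule: a publicly shared document must declare parameters.

    Returns (compliant, reason).
    """
    if not is_public(permission):
        return True, "document is not shared publicly; rule does not apply"
    params = json.loads(content).get("parameters") or {}
    if not params:
        return False, "public document declares no parameters (values may be hard-coded)"
    return True, "public document declares parameters: " + ", ".join(sorted(params))
```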

REMEDIATION

From Portal
Use the following steps to create a parameter:

  1. Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.
  2. In the navigation pane, choose Parameter Store. If the AWS Systems Manager home page opens first, choose the menu icon to open the navigation pane, and then choose Parameter Store.
  3. Choose Create parameter.
  4. In the Name box, enter a hierarchy and a name. For example, enter /Test/helloWorld.
  5. In the Description box, type a description that identifies this parameter as a test parameter.
  6. For Parameter tier choose either Standard or Advanced. For more information about advanced parameters, see Managing parameter tiers.
  7. For Type, choose String, StringList, or SecureString.
  8. In the Value box, type a value.
  9. Choose Create parameter.
  10. In the parameters list, choose the name of the parameter you just created. Verify the details on the Overview tab. If you created a SecureString parameter, choose Show to view the unencrypted value.

Amazon Systems Manager document

An AWS Systems Manager document (SSM document) defines the actions that Systems Manager performs on your managed instances. Systems Manager includes more than 100 pre-configured documents that you can use by specifying parameters at runtime. Pre-configured documents can be found in the Systems Manager Documents console by choosing the Owned by Amazon tab, or by specifying Amazon for the Owner filter when calling the ListDocuments API operation. Documents use JavaScript Object Notation (JSON) or YAML, and they include steps and parameters that you specify.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset
  • CloudGuard AWS Default Ruleset