Description:
An AWS Systems Manager document (SSM Document) defines the actions that Systems Manager performs on your managed instances. Systems Manager includes more than 100 pre-configured documents that you can use by specifying parameters at runtime.
Rationale:
AWS Systems Manager automates operational tasks across AWS resources through SSM documents. The SSM documents, written in JSON or YAML, contain the operations that Systems Manager will perform on the cloud assets.
Impact:
A misconfigured public SSM document can give an attacker valuable information about the account’s internal resources and operations and can lead to the exposure of additional resources.
Default Value
By default, the documents are set as private.
Prerequisites
The account already contains SSM documents that could be shared publicly.
If needed, you can create a new document for this test.
Remediation
Test Plan:
Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.
In the navigation pane, choose Documents
Choose Preferences and check whether the Block public sharing setting is on or off.
List documents
aws ssm list-documents
To check the current public-sharing setting for documents from the CLI
aws ssm \
get-service-setting \
--setting-id /ssm/documents/console/public-sharing-permission \
--region <region>
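The same check scripted with boto3, as an added example that is not part of the original page: it reads the account-level public-sharing setting queried above and also goes one step further, inspecting the Share permission of every document the account owns for the "all" principal that marks a publicly shared document. The constructed sample responses and the `audit_region` helper are assumptions for illustration.

```python
"""Audit SSM document public sharing in one region (added example)."""

PUBLIC_SHARING_SETTING = "/ssm/documents/console/public-sharing-permission"


def public_sharing_blocked(setting_response: dict) -> bool:
    """True when the account-level setting blocks public sharing.

    get-service-setting returns SettingValue "Disable" when public sharing is
    blocked and "Enable" (the default) when it is allowed.
    """
    value = setting_response["ServiceSetting"]["SettingValue"]
    return value.strip().lower() == "disable"


def is_publicly_shared(permission_response: dict) -> bool:
    """True when a document's Share permission includes the "all" principal."""
    return "all" in permission_response.get("AccountIds", [])


def audit_region(region: str, client=None) -> dict:
    """Return the block setting and the names of publicly shared documents.

    Pass a client (real or fake) to avoid the live boto3 call.
    """
    if client is None:
        import boto3  # lazy import: only needed for live API calls
        client = boto3.client("ssm", region_name=region)
    setting = client.get_service_setting(SettingId=PUBLIC_SHARING_SETTING)
    findings = {"region": region,
                "blocked": public_sharing_blocked(setting),
                "public_documents": []}
    paginator = client.get_paginator("list_documents")
    # Only documents owned by this account can have been shared by it.
    for page in paginator.paginate(Filters=[{"Key": "Owner", "Values": ["Self"]}]):
        for doc in page.get("DocumentIdentifiers", []):
            perms = client.describe_document_permission(
                Name=doc["Name"], PermissionType="Share")
            if is_publicly_shared(perms):
                findings["public_documents"].append(doc["Name"])
    return findings


# Constructed sample responses (not real account data) for an offline check.
SAMPLE_SETTING = {"ServiceSetting": {"SettingId": PUBLIC_SHARING_SETTING,
                                     "SettingValue": "Enable", "Status": "Default"}}
SAMPLE_PERMISSION = {"AccountIds": ["all"],
                     "AccountSharingInfoList": [{"AccountId": "all",
                                                 "SharedDocumentVersion": "$DEFAULT"}]}

if __name__ == "__main__":
    print("public sharing blocked:", public_sharing_blocked(SAMPLE_SETTING))  # False
    print("sample document public:", is_publicly_shared(SAMPLE_PERMISSION))  # True
```

Run `audit_region("<region>")` with real credentials to get the live result; the account-level block does not retroactively unshare documents, so the per-document list matters even when the setting is on.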
Implementation Steps:
To block public sharing of your SSM documents
Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.
In the navigation pane, choose Documents.
Choose Preferences.
Click on Edit in the Block public sharing section.
Select the Block public sharing check box
Click on Save.
To block public sharing using the AWS CLI
aws ssm \
update-service-setting \
--setting-id /ssm/documents/console/public-sharing-permission \
--setting-value Disable \
--region <region>
Backout Plan:
Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.
In the navigation pane, choose Documents.
Choose Preferences.
Click Edit in the Block public sharing section.
Uncheck the Block public sharing check box.
Then choose Save.
To re-enable public sharing using the AWS CLI
aws ssm \
update-service-setting \
--setting-id /ssm/documents/console/public-sharing-permission \
--setting-value Enable \
--region <region>
Block public sharing for SSM Document