Description:
An AWS Systems Manager document (SSM Document) defines the actions that Systems Manager performs on your managed instances. Systems Manager includes more than 100 pre-configured documents that you can use by specifying parameters at runtime.

Rationale:

AWS Systems Manager automates operational tasks across AWS resources through SSM documents. The SSM documents, written in JSON or YAML, contain the operations that Systems Manager will perform on the cloud assets.

Impact:

A misconfigured public SSM document can give an attacker valuable information about the account’s internal resources and operations and can lead to the exposure of additional resources.

Default Value

By default, the documents are set as private.

Prerequisites

  • We already have documents that we can set to public.

  • If you want, you can create a new document.

Remediation

Test Plan:

  1. Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.

  2. In the navigation pane, choose Documents

  3. Choose Preferences and check whether the Block public sharing setting is on or off.


Using AWS CLI:
  1. List documents

    aws ssm list-documents

  2. To check the account-level public sharing setting for documents (a value of Disable means public sharing is blocked; Enable means it is allowed)

    aws ssm \
    get-service-setting \
    --setting-id /ssm/documents/console/public-sharing-permission \
    --region <region>
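The two CLI commands above only return raw JSON; an auditor still has to read the SettingValue field and, for each document, check whether it has been shared with everyone. The following POSIX shell script is an added example (not part of the original document) that evaluates both: it parses a get-service-setting response for the Disable/Enable value, and it parses a describe-document-permission response for the "all" sentinel account id that the AWS CLI uses for public sharing. The JSON responses embedded below are constructed samples so the script runs offline; the commented aws commands show how the same functions are fed in a live account.

```shell
#!/bin/sh
# Audit helpers for SSM document public sharing. Parsing uses sed only, so jq is not required.

# Extract "SettingValue" from a get-service-setting JSON response read on stdin.
setting_value() {
  sed -n 's/.*"SettingValue"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Return 0 when the setting value blocks public sharing (Disable), 1 otherwise.
public_sharing_blocked() {
  case "$1" in
    Disable) return 0 ;;
    *)       return 1 ;;
  esac
}

# Return 0 when a describe-document-permission response (stdin) lists the
# "all" account id, i.e. the document is shared publicly; case-insensitive.
document_is_public() {
  grep -iq '"all"'
}

# Evaluate the account-level setting: prints PASS/FAIL and returns 0/1.
audit_setting() {
  value="$(setting_value)"
  if public_sharing_blocked "$value"; then
    echo "PASS: public sharing of SSM documents is blocked (SettingValue=$value)"
    return 0
  fi
  echo "FAIL: public sharing of SSM documents is allowed (SettingValue=${value:-unset})"
  return 1
}

# Constructed sample responses (not output from a real account).
SAMPLE_SETTING_BLOCKED='{
  "ServiceSetting": {
    "SettingId": "/ssm/documents/console/public-sharing-permission",
    "SettingValue": "Disable",
    "Status": "Customer"
  }
}'
SAMPLE_SETTING_OPEN='{ "ServiceSetting": { "SettingId": "/ssm/documents/console/public-sharing-permission", "SettingValue": "Enable", "Status": "Default" } }'
SAMPLE_PERM_PUBLIC='{ "AccountIds": [ "all" ], "AccountSharingInfoList": [ { "AccountId": "all", "SharedDocumentVersion": "$DEFAULT" } ] }'
SAMPLE_PERM_PRIVATE='{ "AccountIds": [], "AccountSharingInfoList": [] }'

# Offline demonstration with the constructed samples.
printf '%s\n' "$SAMPLE_SETTING_BLOCKED" | audit_setting
printf '%s\n' "$SAMPLE_SETTING_OPEN" | audit_setting || true
if printf '%s\n' "$SAMPLE_PERM_PUBLIC" | document_is_public; then
  echo "FAIL: sample document is shared publicly"
fi
if ! printf '%s\n' "$SAMPLE_PERM_PRIVATE" | document_is_public; then
  echo "PASS: sample document is not shared publicly"
fi

# Live use (needs AWS credentials; not executed here):
#   aws ssm get-service-setting \
#     --setting-id /ssm/documents/console/public-sharing-permission \
#     --region "$AWS_REGION" | audit_setting
#   aws ssm describe-document-permission --name <document-name> \
#     --permission-type Share --region "$AWS_REGION" | document_is_public \
#     && echo "FAIL: <document-name> is public"
```

Run the per-document check against the names returned by `aws ssm list-documents --filters Key=Owner,Values=Self`, since list-documents without a filter also returns the AWS-owned documents that you cannot share anyway.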

Implementation Steps:

To block public sharing of your SSM documents

  1. Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.

  2. In the navigation pane, choose Documents.

  3. Choose Preferences

  4. Click on Edit in the Block public sharing section.

  5. Select the Block public sharing check box.

  6. Click on Save.

Using AWS CLI:

To block public sharing of SSM documents

aws ssm \
update-service-setting \
--setting-id /ssm/documents/console/public-sharing-permission \
--setting-value Disable \
--region <region>


Backout Plan:

  1. Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.

  2. In the navigation pane, choose Documents.

  3. Choose Preferences

  4. Click Edit in the Block public sharing section.

  5. Uncheck the Block public sharing check box

  6. Then choose Save.


Using AWS CLI:

To allow public sharing again

aws ssm \
update-service-setting \
--setting-id /ssm/documents/console/public-sharing-permission \
--setting-value Enable \
--region <region>

References:

Block public sharing for SSM Document

Best practices for SSM Document

AWS SSM Documents Guide