Description:
AWS Systems Manager (SSM) Documents define the actions that Systems Manager performs on your managed instances and other AWS resources, and their content is free-form text (JSON or YAML) that carries configuration data such as scripts and parameter values. That makes it easy for secrets, such as passwords and API keys, to end up embedded in a document. It is therefore important to ensure that no SSM Document contains secrets, especially documents that are shared or not intended to be public.

Rationale:
If there are secrets in SSM Documents that are not intended to be public, then they could be accessed by unauthorized users. This could lead to data breaches, financial losses, or even system downtime.

Impact:
If SSM Documents contain secrets that are not intended to be public, the impact on your organization can be significant: anyone who can read the document (via ssm:GetDocument, document sharing, or a public document) obtains the secret, and an attacker could use it to access your systems or data. This could lead to data breaches, financial losses, or even system downtime.

Default Value:
By default, SSM Documents do not contain any secrets. However, secrets can be added to SSM Documents by manually entering them in the console or by supplying them in the content passed to the aws ssm create-document or aws ssm update-document commands.

Pre-requisites:

  • You must have an AWS account and be logged in to the AWS Management Console.
  • You must have the ssm:ListDocuments and ssm:GetDocument permissions to review documents, and the ssm:UpdateDocument or ssm:DeleteDocument permission to remove secrets from them.

Remediation Steps:

  1. Sign in to the AWS Management Console.
  2. Go to the AWS Systems Manager console.
  3. Click Documents.
  4. Select the document that you want to review.
  5. Review the contents of the document.
  6. If you find any secrets in the document, remove them.

Test Plan:

  1. Verify that there are no secrets in the SSM Document.
  2. Fetch the document's content with the aws ssm get-document --name <document-name> command and search the returned Content for the secret.
  3. If the secret no longer appears in the returned content, then it has been removed successfully.

Implementation Plan:

  1. Create a policy that prohibits the addition of secrets to SSM Documents.
  2. Implement the policy by configuring IAM to deny the ssm:CreateDocument and ssm:UpdateDocument actions for users who are not authorized to create or modify SSM Documents.
  3. Monitor the status of the policy to ensure that no secrets are added to SSM Documents.

AWS CLI Process:

  1. Run the following command to list all SSM Documents (add --filters Key=Owner,Values=Self to limit the output to documents owned by your account):
     aws ssm list-documents
  2. For each document, run the following command and review the returned Content for secrets:
     aws ssm get-document --name <document-name>
  3. If you find any secrets in a document, remove them. To delete the whole document, run:
     aws ssm delete-document --name <document-name>
     To keep the document but strip the secret, save a cleaned copy of the content and publish it as a new version:
     aws ssm update-document --name <document-name> --content file://<cleaned-content.json> --document-version '$LATEST'
     Earlier versions of the document still contain the secret; delete them with aws ssm delete-document --name <document-name> --document-version <version>, and treat the exposed credential as compromised.
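The CLI process above is manual: one get-document call per document and a visual search of the content. The script below automates the same review. It is an added example, not part of the original rule text or an AWS-provided tool. It lists the documents owned by the account, fetches each document's Content and flags values that look like secrets (AWS access key IDs, keyword assignments such as PASSWORD=..., private key blocks), while skipping {{ssm:...}} and {{ssm-secure:...}} Parameter Store references, which resolve at run time and are the recommended way to keep secrets out of document content. The regex list, the FakeSsmClient and the two sample documents are constructed for the demo; for a real account, pass boto3.client("ssm") in place of the fake client.

```python
"""Scan SSM Document content for secret-looking values (added example)."""
import re
from typing import Dict, List

# Constructed detection patterns: (label, regex). The AKIA prefix and the
# 40-character secret key are documented AWS formats; the keyword list is an
# assumption and should be extended for your environment.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws_secret_access_key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})")),
    ("keyword_assignment",
     re.compile(r"(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*"
                r"['\"]?(\{\{[^}]*\}\}|[^\s'\"]+)")),
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]

# A value of the form {{ssm:name}} / {{ssm-secure:name}} is a Parameter Store
# reference resolved when the document runs, not a literal secret. Treating
# any {{...}} value as a run-time reference is an assumption of this example.
SAFE_REFERENCE = re.compile(r"^\{\{[^}]*\}\}$")


def redact(value: str) -> str:
    """Keep the first four characters so a finding can be logged safely."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 4)


def find_secret_candidates(content: str) -> List[Dict[str, object]]:
    """Return one finding per secret-looking value in a document's content."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(content.splitlines(), start=1):
        for label, pattern in SECRET_PATTERNS:
            for match in pattern.finditer(line):
                # The last capture group holds the value; patterns without
                # groups (access key ID, PEM header) are the value themselves.
                value = match.group(match.lastindex) if match.lastindex else match.group(0)
                if SAFE_REFERENCE.match(value):
                    continue
                findings.append({"pattern": label, "line": lineno, "preview": redact(value)})
    return findings


def scan_owned_documents(ssm_client) -> Dict[str, List[Dict[str, object]]]:
    """Scan every document owned by the account (Owner=Self) and return findings.

    ssm_client is a boto3 SSM client, or any object exposing list_documents
    and get_document with the same shapes (FakeSsmClient below).
    """
    results: Dict[str, List[Dict[str, object]]] = {}
    token = None
    while True:
        kwargs = {"Filters": [{"Key": "Owner", "Values": ["Self"]}]}
        if token:
            kwargs["NextToken"] = token
        page = ssm_client.list_documents(**kwargs)
        for ident in page["DocumentIdentifiers"]:
            name = ident["Name"]
            findings = find_secret_candidates(ssm_client.get_document(Name=name)["Content"])
            if findings:
                results[name] = findings
        token = page.get("NextToken")
        if not token:
            return results


class FakeSsmClient:
    """Offline stand-in for boto3's SSM client (constructed for this demo)."""

    def __init__(self, docs: Dict[str, str]):
        self._docs = docs

    def list_documents(self, **kwargs):
        return {"DocumentIdentifiers": [{"Name": n} for n in self._docs]}

    def get_document(self, Name: str, **kwargs):
        return {"Name": Name, "Content": self._docs[Name]}


# Constructed sample documents: one with embedded secrets, one that references
# Parameter Store instead. The key ID is the AWS documentation example value.
SAMPLE_DOCUMENTS = {
    "Leaky-Setup": "\n".join([
        "schemaVersion: '2.2'",
        "description: constructed sample with an embedded secret",
        "mainSteps:",
        "  - action: aws:runShellScript",
        "    name: configureApp",
        "    inputs:",
        "      runCommand:",
        "        - export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
        "        - export DB_PASSWORD=hunter2-not-a-real-password",
    ]),
    "Clean-Setup": "\n".join([
        "schemaVersion: '2.2'",
        "description: constructed sample that references Parameter Store",
        "mainSteps:",
        "  - action: aws:runShellScript",
        "    name: configureApp",
        "    inputs:",
        "      runCommand:",
        "        - export DB_PASSWORD={{ssm-secure:/app/db/password}}",
    ]),
}


if __name__ == "__main__":
    # Swap FakeSsmClient for boto3.client("ssm") to scan a real account
    # (needs ssm:ListDocuments and ssm:GetDocument).
    for doc_name, doc_findings in scan_owned_documents(FakeSsmClient(SAMPLE_DOCUMENTS)).items():
        for f in doc_findings:
            print(f"{doc_name}: line {f['line']}: {f['pattern']} -> {f['preview']}")
```

The findings carry only a redacted preview, so the scanner's output can go to a ticket or log without copying the secret again; the line number is enough to locate it in the document. A document that is clean at $LATEST may still carry the secret in older versions, so run the scan per version if your remediation used update-document rather than delete-document.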

Using AWS GUI:

  1. Go to the AWS Systems Manager console.
  2. Click Documents.
  3. Select the document that you want to review.
  4. Review the contents of the document.
  5. If you find any secrets in the document, remove them.

Backout Plan:

  1. SSM Documents cannot be undeleted. If you accidentally delete a document, re-create it from the copy of its Content that you saved with get-document before deleting, by running the following command:
     aws ssm create-document --name <document-name> --content file://<saved-content.json>
  2. You can also roll back the IAM policy that prohibits the addition of secrets to SSM Documents.

Note: