Profile Applicability

  • Level 2

Description

Secrets embedded in SSM documents, such as credentials, API keys, or sensitive configuration data, can pose a security risk if not properly managed. Identifying and securing these secrets ensures compliance with security best practices and reduces the risk of unauthorized access.

Rationale

  • Enhanced Security: Prevents exposure of sensitive information embedded in SSM documents.

  • Risk Mitigation: Reduces the risk of unauthorized access and data breaches.

  • Compliance: Aligns with security standards for managing sensitive data.

Impact

Pros:

  • Protects sensitive information from unauthorized access.

  • Reduces the risk of data breaches and misuse of credentials.

  • Enhances overall security posture.

Cons:

  • Requires additional effort to identify and secure secrets.

  • May involve reconfiguring SSM documents to reference secrets securely.

Default Value

By default, SSM documents do not enforce secure handling of embedded secrets. Secrets must be explicitly managed using secure methods, such as AWS Secrets Manager or Parameter Store.

Pre-Requisite

IAM Permissions Required:

  • ssm:ListDocuments

  • ssm:GetDocument

  • ssm:DescribeDocument

Remediation

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Systems Manager > Documents.

  3. Open each SSM document and review its content for embedded secrets, such as hardcoded credentials or sensitive data.

Using AWS CLI:

  1. List all SSM documents:

    aws ssm list-documents --query "DocumentIdentifiers[*].{Name:Name,DocumentType:DocumentType}"

  2. Retrieve the content of each document:

    aws ssm get-document --name <document-name> --query "Content"

  3. Search for sensitive information, such as passwords, API keys, or other secrets.

Implementation Steps:

Using AWS Console:

  1. Identify SSM documents containing secrets.

  2. Replace embedded secrets with references to secure storage solutions, such as AWS Secrets Manager or Parameter Store.

  3. Update the SSM document to retrieve secrets dynamically at runtime.

Using AWS CLI:

  1. Replace embedded secrets with secure references:

  2. Use AWS Secrets Manager:

    aws secretsmanager create-secret --name <secret-name> --secret-string <secret-value>

  3. Use Parameter Store:

    aws ssm put-parameter --name <parameter-name> --value <secret-value> --type SecureString

  4. Update the SSM document to reference the secret:

    aws ssm update-document --name <document-name> --content file://updated-document.json

Backout Plan

Using AWS Console:

  1. If securing the document causes issues, revert the document content back to its previous state.

  2. Manually restore any secrets that were removed or replaced during the update.
    Save the changes and test to ensure that the document is functioning as expected.

Using AWS CLI:

  1. To revert the document to its original state, update it again with the original content:

    aws ssm update-document --name <DOCUMENT_NAME> --content file://original-document.json --region <REGION>

  2. Ensure that the document is functioning as expected.

References

CIS Controls

Version

Control ID

Control Description

IG1

IG2

IG3

v8

5.3

Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant.

v8

13.2

Ensure Secure Network Communication – Implement measures that prevent disruption during network changes.