Profile Applicability

  • Level 2

Description

AWS Systems Manager (SSM) documents define the actions that Systems Manager performs on managed instances. Publicly shared SSM documents can be accessed by anyone, potentially exposing sensitive information or allowing unauthorized actions. Ensuring that SSM documents are not set as public helps maintain security and control over your environment.

Rationale

  • Enhanced Security: Prevents unauthorized access to sensitive SSM documents.

  • Risk Mitigation: Reduces the risk of malicious actions or data exposure.

  • Compliance: Aligns with security best practices and regulatory requirements.

Impact

Pros:

  • Protects sensitive information and configurations in SSM documents.

  • Reduces the risk of unauthorized actions on managed instances.

  • Enhances overall security posture.

Cons:

  • Requires careful management of document sharing permissions.

  • May limit collaboration if not properly configured.

Default Value

By default, SSM documents are private and accessible only to the AWS account that created them. Public sharing must be explicitly configured.

Pre-Requisite

IAM Permissions Required:

  • ssm:ListDocuments

  • ssm:GetDocument

  • ssm:ModifyDocumentPermission


Remediation

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Systems Manager > Documents.

  3. Review the Permissions column for each document. Identify any documents marked as Public.

Using AWS CLI:

  1. List all SSM documents:

    aws ssm list-documents --query "DocumentIdentifiers[*].{Name:Name,Owner:Owner}"

  2. Check the permissions of each document:

    aws ssm describe-document-permission --name <document-name> --permission-type Share

  3. Identify documents shared with All (indicating public access).

Implementation Steps:

Using AWS Console:

  1. Navigate to Systems Manager > Documents.

  2. Select the document marked as Public.

  3. Click Actions > Modify Permissions.

  4. Remove the All permission to revoke public access.

  5. Save the changes.

Using AWS CLI:

  1. Revoke public access to the document:

    aws ssm modify-document-permission --name <document-name> --permission-type Share --account-ids-to-remove All

  2. Verify the changes:

    aws ssm describe-document-permission --name <document-name> --permission-type Share
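As an added example (not part of the benchmark text), the following Python script automates the audit and remediation steps above: it lists the documents owned by the account, checks each document's Share permission for the All principal, and optionally revokes it. It assumes boto3 is installed and AWS credentials and a region are configured when run against a real account; the document names and permission responses in SAMPLE_PERMISSIONS are constructed for offline use, and the case-insensitive comparison against "all" is an assumption made because the API reference documents the public value as "all" while the CLI and console use "All".

```python
# Added example (not part of the benchmark text): audit the account's own SSM
# documents for public ("All") sharing and optionally revoke it.
# Assumes boto3 is installed and AWS credentials/region are configured when
# run for real; the detection logic is pure so it can be exercised offline
# against constructed responses.
import argparse
from typing import Callable, Dict, Iterable, List

# DescribeDocumentPermission reports public sharing as "all"; the CLI and
# console accept "All", so the comparison below is case-insensitive (assumption).
PUBLIC_MARKER = "all"


def is_public(permission: Dict) -> bool:
    """True if a describe_document_permission response shows sharing with All.

    Both AccountIds and AccountSharingInfoList are checked so a document
    shared with All at any version is flagged.
    """
    ids = [str(a) for a in permission.get("AccountIds", [])]
    ids += [str(e.get("AccountId", "")) for e in permission.get("AccountSharingInfoList", [])]
    return any(a.lower() == PUBLIC_MARKER for a in ids)


def find_public_documents(names: Iterable[str], describe: Callable[[str], Dict]) -> List[str]:
    """Return the names of documents whose Share permission includes All.

    `describe` maps a document name to a DescribeDocumentPermission-shaped
    dict, so the check runs against boto3 or against canned data alike.
    """
    return [name for name in names if is_public(describe(name))]


# Constructed sample responses mirroring the DescribeDocumentPermission shape.
SAMPLE_PERMISSIONS: Dict[str, Dict] = {
    "Custom-Private": {"AccountIds": [], "AccountSharingInfoList": []},
    "Custom-SharedWithPartner": {
        "AccountIds": ["111122223333"],
        "AccountSharingInfoList": [{"AccountId": "111122223333", "SharedDocumentVersion": "$DEFAULT"}],
    },
    "Custom-Public": {
        "AccountIds": ["all"],
        "AccountSharingInfoList": [{"AccountId": "all", "SharedDocumentVersion": "$LATEST"}],
    },
}


def audit_sample() -> List[str]:
    """Run the check over the constructed sample data (no AWS access needed)."""
    return find_public_documents(sorted(SAMPLE_PERMISSIONS), SAMPLE_PERMISSIONS.get)


def audit_account(revoke: bool = False) -> List[str]:
    """List documents owned by this account, report public ones, optionally revoke."""
    import boto3  # imported here so the offline helpers work without boto3

    ssm = boto3.client("ssm")
    names: List[str] = []
    paginator = ssm.get_paginator("list_documents")
    # Only documents this account owns can have their sharing modified.
    for page in paginator.paginate(Filters=[{"Key": "Owner", "Values": ["Self"]}]):
        names.extend(d["Name"] for d in page["DocumentIdentifiers"])

    def describe(name: str) -> Dict:
        return ssm.describe_document_permission(Name=name, PermissionType="Share")

    public = find_public_documents(names, describe)
    for name in public:
        print(f"PUBLIC: {name}")
        if revoke:
            # Same operation as: aws ssm modify-document-permission ... --account-ids-to-remove All
            ssm.modify_document_permission(Name=name, PermissionType="Share", AccountIdsToRemove=["All"])
            print(f"  revoked public sharing on {name}")
    return public


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Audit SSM documents for public sharing")
    parser.add_argument("--revoke", action="store_true", help="remove the All share permission from public documents")
    parser.add_argument("--sample", action="store_true", help="run against constructed sample data instead of AWS")
    args = parser.parse_args()
    found = audit_sample() if args.sample else audit_account(revoke=args.revoke)
    print("Public documents:", found or "none")
```

Run it with `--sample` to see the detection logic on the constructed data, without arguments to report public documents in the configured account, and with `--revoke` to remove the All permission from each one found (the same call the CLI step above makes).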

Backout Plan

Using AWS Console:

  1. If restricting access to SSM documents causes issues, sign in to the AWS Management Console.

  2. Navigate to Systems Manager > Documents, select the document, and go to Permissions. Revert the access permissions, if necessary, to allow specific accounts or services while minimizing exposure.

  3. Save and ensure the document is accessible to the necessary users without exposing it publicly.

Using AWS CLI:

  1. If changes cause issues, you can re-enable public access by adding the All principal back to the document's Share permission:

    aws ssm modify-document-permission --name <DOCUMENT_NAME> --permission-type Share --account-ids-to-add All --region <REGION>

  2. Verify that the document is again shared publicly (though this is not recommended):

    aws ssm describe-document-permission --name <DOCUMENT_NAME> --permission-type Share --region <REGION>

References

CIS Controls

Version   Control ID   Control Description                                                                                          IG1   IG2   IG3

v8        5.3          Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant.

v8        13.2         Ensure Secure Network Communication – Implement measures that prevent disruption during network changes.