AWS_ASM_1
Ensure that your AWS Systems Manager (SSM) documents are not shared publicly unless there is a genuine need. A public document can be read by any AWS account, so treat it as published to the internet.
If a document has been shared publicly by accident, make it private immediately.
If a document must be public, make sure its content contains no sensitive information such as S3 bucket names, access keys, user names or account-specific identifiers.
From Portal
To block public sharing of your SSM documents
Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/.
In the navigation pane, choose Documents. -or- If the AWS Systems Manager home page opens first, choose the menu icon to open the navigation pane, and then choose Documents in the navigation pane.
Choose Preferences, and then choose Edit in the Block public sharing section.
Select the Block public sharing check box, and then choose Save.
From TF
The permissions attribute specifies how the document is shared. To share a document privately, list the AWS account IDs that may use it (comma-separated); to share it publicly you would set the account ID to All, which is exactly what this check is meant to prevent. In the Terraform AWS provider, permissions is a map, not a nested block, and content (the document body) is required. Example (document_type must be one of Command, Policy, Automation or Session; the account ID is a placeholder):
resource "aws_ssm_document" "example" {
  name            = "document_name"
  document_format = "YAML"
  document_type   = "Command"
  # content (the document body) is required; minimal Command document
  content = <<DOC
schemaVersion: "2.2"
mainSteps:
  - action: "aws:runShellScript"
    name: "example"
    inputs: { runCommand: ["echo hello"] }
DOC
  # Share privately: comma-separated AWS account IDs, never "All"
  permissions = {
    type        = "Share"
    account_ids = "111122223333"
  }
}
From Command Line
Block public sharing is a Region-level service setting, so run the following command in every Region you use (the setting ID is the one given in the AWS documentation referenced at the end of this page):
aws ssm update-service-setting --setting-id /ssm/documents/console/public-sharing-permission --setting-value Disable --region AWS_Region
Blocking public sharing prevents new public shares; a document that is already public still has to be made private individually by removing the special account ID All:
aws ssm modify-document-permission --name Document_Name --permission-type Share --account-ids-to-remove All
To share a document with specific AWS accounts only, add their account IDs (space-separated if there is more than one):
aws ssm modify-document-permission --name Document_Name --permission-type Share --account-ids-to-add AWS_account_id
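The commands above fix one document at a time. The following script is an added example, not part of the original page or of any AWS tooling: it checks the Block public sharing setting in a Region, lists every SSM document the account owns, flags any that is shared with the special account ID "all", and, when REMEDIATE=1 is set, applies the same update-service-setting and modify-document-permission calls shown above. It assumes AWS CLI v2 with working credentials; the sample API responses at the bottom are constructed so the decision logic can be checked offline, and the account IDs in them are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): audit the SSM documents an
# account owns for public sharing, check the Region-level Block public sharing
# setting, and optionally remediate. Assumes AWS CLI v2 with credentials set up.
set -eu

# Service setting ID for Block public sharing (from the AWS Systems Manager docs).
SETTING_ID="/ssm/documents/console/public-sharing-permission"

# True (exit 0) when the JSON returned by `aws ssm describe-document-permission`
# lists the special account ID "all" in AccountIds, i.e. the document is public.
is_publicly_shared() {
  local perms
  perms=$(printf '%s' "$1" | tr -d ' \n\t' | tr '[:upper:]' '[:lower:]')
  case "$perms" in
    *'"accountids":['*'"all"'*) return 0 ;;
    *) return 1 ;;
  esac
}

# True (exit 0) when the SettingValue of the Block public sharing setting is
# "Disable" (public sharing disabled). "Enable" means public sharing is allowed.
public_sharing_blocked() {
  [ "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" = "disable" ]
}

# Audit one Region. Set REMEDIATE=1 to block public sharing and unshare public
# documents instead of only reporting them.
audit_region() {
  local region="$1" setting name perms
  setting=$(aws ssm get-service-setting --region "$region" \
    --setting-id "$SETTING_ID" --query 'ServiceSetting.SettingValue' --output text)
  if public_sharing_blocked "$setting"; then
    echo "[ok] $region: Block public sharing is enabled"
  else
    echo "[!!] $region: Block public sharing is NOT enabled"
    if [ "${REMEDIATE:-0}" = "1" ]; then
      aws ssm update-service-setting --region "$region" \
        --setting-id "$SETTING_ID" --setting-value Disable
    fi
  fi
  # Only documents the account owns can have been shared by it.
  aws ssm list-documents --region "$region" --filters Key=Owner,Values=Self \
    --query 'DocumentIdentifiers[].Name' --output text | tr '\t' '\n' |
  while IFS= read -r name; do
    case "$name" in ""|None) continue ;; esac
    perms=$(aws ssm describe-document-permission --region "$region" \
      --name "$name" --permission-type Share --output json)
    if is_publicly_shared "$perms"; then
      echo "[!!] $region: document '$name' is shared publicly"
      if [ "${REMEDIATE:-0}" = "1" ]; then
        aws ssm modify-document-permission --region "$region" --name "$name" \
          --permission-type Share --account-ids-to-remove All
      fi
    fi
  done
}

# Constructed sample API responses (placeholder account ID) for checking the
# decision logic offline without calling AWS.
SAMPLE_PUBLIC='{"AccountIds": ["all"], "AccountSharingInfoList": [{"AccountId": "all", "SharedDocumentVersion": "$DEFAULT"}]}'
SAMPLE_PRIVATE='{"AccountIds": ["111122223333"], "AccountSharingInfoList": [{"AccountId": "111122223333", "SharedDocumentVersion": "$DEFAULT"}]}'

# Usage: ./ssm-doc-audit.sh <region> [<region> ...]   (REMEDIATE=1 to fix)
for r in "$@"; do audit_region "$r"; done
```

Run it read-only first across all Regions you use and review the flagged documents before rerunning with REMEDIATE=1; unsharing a document that a partner account legitimately relied on will break their automations, so the remediation path only removes the public (All) grant and leaves specific account shares in place.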
References
https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-share-block.html
https://docs.aws.amazon.com/cli/latest/reference/ssm/update-service-setting.html
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ssm/modify-document-permission.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_document
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_document#account_ids
https://github.com/hashicorp/terraform-provider-aws/issues/5308