AWS_ASM_2

Ensure that sensitive Parameters are encrypted

Description

Sensitive parameters in AWS Systems Manager Parameter Store should be encrypted using the SecureString type.

Remediation

From Portal:
1. Sign in to the AWS Management Console.
2. Navigate to the Systems Manager (SSM) dashboard at https://console.aws.amazon.com/systems-manager/.
3. In the navigation panel, under the Application Management section, choose Parameter Store.
4. Choose the SSM parameter that you want to re-create, then click its name to open the resource details page.
5. On the selected SSM parameter details page, copy the values set for the Name, Description and Value attributes to a secure location.
6. Once the necessary information is copied, click the Delete button from the dashboard top-right menu to remove the selected parameter.
7. Inside the Delete Parameter dialog box, click Delete to confirm the action.
8. In the navigation panel, in the Application Management section, select Parameter Store and click the Create parameter button in the dashboard top menu to start the setup process.
9. Paste the values copied in step 5 into the Name, Description and Value boxes so the new parameter uses the same data as the source parameter.
10. Set the parameter Type to SecureString, choose whether to use a KMS key from your current AWS account or from a different AWS account, then select the key to encrypt your parameter data from the KMS Key ID dropdown list.
11. Click Create parameter to finish the setup process.

From Command Line:
1. To encrypt the sensitive parameter, you should first delete the old one by running the following command:

aws ssm delete-parameter --name PARAMETER_NAME

2. Then create the same parameter again, this time encrypted:

aws ssm put-parameter --name PARAMETER_NAME --value PARAMETER_VALUE --type SecureString
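
To find which parameters need the steps above, the following added example (not part of the original policy page) scans the JSON returned by `aws ssm describe-parameters` for sensitive-looking names that are not stored as SecureString and builds the two commands for each. The sample output, the parameter names and the name pattern used to decide what counts as sensitive are constructed assumptions.

```python
import json
import re
import shlex

# Constructed sample in the shape returned by `aws ssm describe-parameters`.
SAMPLE_OUTPUT = """
{"Parameters": [
  {"Name": "/app/prod/db_password", "Type": "String", "Version": 3},
  {"Name": "/app/prod/api_token", "Type": "SecureString", "KeyId": "alias/aws/ssm", "Version": 1},
  {"Name": "/app/prod/log_level", "Type": "String", "Version": 2},
  {"Name": "/app/prod/signing_keys", "Type": "StringList", "Version": 1}
]}
"""

# Assumption: name fragments that suggest secret material. Tune to your naming scheme.
SENSITIVE_NAME = re.compile(r"(pass(word|wd)?|secret|token|key|credential)", re.IGNORECASE)


def find_unencrypted_sensitive(describe_json: str) -> list[str]:
    """Return names of sensitive-looking parameters not stored as SecureString."""
    params = json.loads(describe_json).get("Parameters", [])
    return [
        p["Name"]
        for p in params
        if p.get("Type") != "SecureString" and SENSITIVE_NAME.search(p["Name"])
    ]


def remediation_commands(name: str) -> list[str]:
    """Build the delete and re-create commands from the steps above for one parameter."""
    quoted = shlex.quote(name)
    return [
        f"aws ssm delete-parameter --name {quoted}",
        # PARAMETER_VALUE stays a placeholder: supply the saved value at run time.
        f"aws ssm put-parameter --name {quoted} --value PARAMETER_VALUE --type SecureString",
    ]


if __name__ == "__main__":
    for name in find_unencrypted_sensitive(SAMPLE_OUTPUT):
        print(f"# {name} is stored without encryption")
        print("\n".join(remediation_commands(name)))
```

`describe-parameters` returns metadata only, so the scan itself never reads parameter values; save each value before running the delete command.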

References:
1. https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-create-console.html
2. https://docs.aws.amazon.com/systems-manager/latest/userguide/param-create-cli.html
3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ssm/delete-parameter.html
4. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ssm/put-parameter.html

Service

AWS Systems Manager

Severity

High

Compliance

Mapping
