lacework-global-381

Systems Manager (SSM) documents should not be public (Automated)

Description

This policy checks whether AWS Systems Manager documents owned by the account are public.

SSM documents that are public might allow unintended access to your documents. A public SSM document can expose valuable information about your account, resources, and internal processes.

Unless your use case requires public sharing, you should block public sharing for self-owned SSM documents.

Remediation

From the AWS Console:

To update the permission for an existing SSM document:

  1. Log in to the AWS Management Console.
  2. Click Services.
  3. Select Management & Governance > Systems Manager.
  4. In the navigation pane, under Shared Resources, click Documents.
  5. In the Owned by Me tab, select the public document.
  6. Click Details.
  7. Under Permissions, select the Private radio button.
  8. Click Save.

To block public sharing:

  1. Log in to the AWS Management Console.
  2. Click Services.
  3. Select Management & Governance > Systems Manager.
  4. In the navigation pane, under Shared Resources, click Documents.
  5. Click Preferences, then click Edit.
  6. Click the tick box beside Block public sharing.
  7. Click Save.

From CLI:

To update the permission for an existing SSM document:

aws ssm modify-document-permission --name <document_name> --permission-type Share --account-ids-to-remove 'all'

To block public sharing:

aws ssm update-service-setting --setting-id /ssm/documents/console/public-sharing-permission --setting-value Disable --region '<AWS_region_to_block_public_sharing>'
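As an added example (not part of the Lacework policy text or of AWS documentation), the following POSIX shell script applies the CLI remediation above across every self-owned document: it lists them, flags any whose Share permission includes the "all" principal, and removes that sharing when FIX=1 is set. It assumes the AWS CLI is installed and configured for the target account; the sample API response is constructed.

```shell
#!/bin/sh
# Added example: audit self-owned SSM documents for public sharing.
# Assumes the AWS CLI is installed and credentials are configured.
set -eu

# Constructed sample of an `aws ssm describe-document-permission` response
# for a document shared publicly (the "all" principal).
SAMPLE_PUBLIC_RESPONSE='{"AccountIds":["all"],"AccountSharingInfoList":[{"AccountId":"all","SharedDocumentVersion":"$DEFAULT"}]}'

# Return 0 when a describe-document-permission response (JSON text in $1)
# contains the "all" principal, i.e. the document is public; 1 otherwise.
# Account IDs are 12 digits, so a literal "all" cannot be a false match.
ssm_permission_is_public() {
  printf '%s' "$1" | grep -q '"all"'
}

# Names of all SSM documents owned by the current account.
list_owned_documents() {
  aws ssm list-documents --filters Key=Owner,Values=Self \
    --query 'DocumentIdentifiers[].Name' --output text
}

# Same command as the Remediation section: strip public sharing from $1.
make_document_private() {
  aws ssm modify-document-permission --name "$1" \
    --permission-type Share --account-ids-to-remove all
}

# Account-wide guard from the Remediation section, for the region in $1.
block_public_sharing() {
  aws ssm update-service-setting --region "$1" \
    --setting-id /ssm/documents/console/public-sharing-permission \
    --setting-value Disable
}

# Report every public document; remediate each one when FIX=1 is set.
# Returns 1 if any public document was found, so it can fail a CI job.
audit_owned_documents() {
  found=0
  for name in $(list_owned_documents); do
    perm=$(aws ssm describe-document-permission --name "$name" --permission-type Share)
    if ssm_permission_is_public "$perm"; then
      found=1
      echo "PUBLIC: $name"
      if [ "${FIX:-0}" = "1" ]; then make_document_private "$name"; fi
    fi
  done
  return $found
}

# Run the live audit only when invoked with --audit (e.g. ./audit.sh --audit).
if [ "${1:-}" = "--audit" ]; then audit_owned_documents; fi
```

Set FIX=1 together with --audit to remediate as well as report.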

References

https://docs.aws.amazon.com/securityhub/latest/userguide/ssm-controls.html#ssm-4
https://docs.aws.amazon.com/systems-manager/latest/userguide/documents-ssm-sharing.html#block-public-access