SSM Document Should Not Be Public
More Info:
Ensure SSM Documents are not public
Risk Level
High
Address
Security
Compliance Standards
HITRUST,SEBI,RBI_MD_ITF,RBI_UCB
Remediation
Using Console
- Navigate to the AWS Systems Manager (SSM) Documents page in the AWS Management Console.
- Identify the SSM documents that are shared with all accounts.
- Click on the document to view its details.
- Modify the document permissions to remove the “All” option from the account sharing list.
- Save the changes.
Using CLI
aws ssm modify-document-permission --name <document-name> --permission-type Share --account-ids <account-ids>
Replace <document-name>
with the name of the SSM document and <account-ids>
with a comma-separated list of account IDs that should have access to the document.
Using Python
import boto3
def remediate_ssm_document_permission(document_name):
# Initialize AWS SSM client
ssm_client = boto3.client('ssm')
# Remove the "All" option from the document permissions
response = ssm_client.modify_document_permission(
Name=document_name,
PermissionType='Share',
AccountIds=[],
SharedDocumentVersion=None
)
print(f"Permissions updated for SSM document '{document_name}'.")
def main():
# Specify the name of the SSM document to remediate
document_name = 'your-ssm-document-name'
# Remediate SSM document permissions
remediate_ssm_document_permission(document_name)
if __name__ == "__main__":
main()
Replace 'your-ssm-document-name'
with the name of the SSM document you want to remediate. This script removes the “All” option from the document permissions to ensure it is not shared with all accounts. Adjust the script as needed to fit your environment and document permissions.