More Info:

Ensure SSM Documents are not public

Risk Level

High

Address

Security

Compliance Standards

HITRUST,SEBI,RBI_MD_ITF,RBI_UCB

Remediation

Using Console

  1. Navigate to the AWS Systems Manager (SSM) Documents page in the AWS Management Console.
  2. Identify the SSM documents that are shared with all accounts.
  3. Click on the document to view its details.
  4. Modify the document permissions to remove the “All” option from the account sharing list.
  5. Save the changes.

Using CLI

aws ssm modify-document-permission --name <document-name> --permission-type Share --account-ids <account-ids>

Replace <document-name> with the name of the SSM document and <account-ids> with a comma-separated list of account IDs that should have access to the document.

Using Python

import boto3

def remediate_ssm_document_permission(document_name):
    # Initialize AWS SSM client
    ssm_client = boto3.client('ssm')

    # Remove the "All" option from the document permissions
    response = ssm_client.modify_document_permission(
        Name=document_name,
        PermissionType='Share',
        AccountIds=[],
        SharedDocumentVersion=None
    )
    print(f"Permissions updated for SSM document '{document_name}'.")

def main():
    # Specify the name of the SSM document to remediate
    document_name = 'your-ssm-document-name'

    # Remediate SSM document permissions
    remediate_ssm_document_permission(document_name)

if __name__ == "__main__":
    main()

Replace 'your-ssm-document-name' with the name of the SSM document you want to remediate. This script removes the “All” option from the document permissions to ensure it is not shared with all accounts. Adjust the script as needed to fit your environment and document permissions.