> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# SSM Parameters Should Be Encrypted

### More Info:

Ensure that all AWS Systems Manager (SSM) parameters that store sensitive information such as passwords, database strings and license codes are encrypted in order to meet security and compliance requirements. An encrypted SSM parameter (i.e. a configuration parameter with the type set to SecureString) is any sensitive data that needs to be stored and referenced in a secure manner. An encrypted SSM parameters can be used for the following scenarios:

### Risk Level

Medium

### Address

Security

### Compliance Standards

HIPAA, GDPR, CISAWS, CBP

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        To remediate the misconfiguration "SSM Parameters Should Be Encrypted" in AWS using the AWS console, you can follow the below steps:

        1. Open the AWS Management Console and navigate to the AWS Systems Manager console.
        2. Click on the "Parameter Store" option in the left-hand navigation menu.
        3. Select the parameter you want to encrypt and click on its name.
        4. Click on the "Edit" button at the top of the page.
        5. Check the "SecureString" option to encrypt the parameter.
        6. Click on the "Save changes" button.

        After completing these steps, the selected parameter will be encrypted. You can repeat these steps for any other parameters that need to be encrypted.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate the misconfiguration of SSM parameters not being encrypted in AWS using AWS CLI, follow these steps:

        1. Open the AWS CLI on your local machine.

        2. Check if the SSM parameters are encrypted or not using the following command:

        ```
        aws ssm get-parameters --names "parameter-name" --with-decryption
        ```

        Replace "parameter-name" with the name of the SSM parameter you want to check.

        3. If the SSM parameter is not encrypted, encrypt it using the following command:

        ```
        aws ssm put-parameter --name "parameter-name" --value "parameter-value" --type "SecureString" --key-id "alias/aws/ssm" --overwrite
        ```

        Replace "parameter-name" with the name of the SSM parameter you want to encrypt, "parameter-value" with the value of the parameter, and "--key-id" with the KMS key ID to use for encryption. In this case, we are using the default AWS SSM KMS key.

        4. Verify that the SSM parameter is now encrypted by running the "get-parameters" command again with the "--with-decryption" flag.

        ```
        aws ssm get-parameters --names "parameter-name" --with-decryption
        ```

        This should return the value of the encrypted SSM parameter.

        5. Repeat steps 2-4 for all SSM parameters that are not encrypted.

        By following these steps, you can remediate the misconfiguration of SSM parameters not being encrypted in AWS using AWS CLI.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the misconfiguration of SSM Parameters not being encrypted in AWS, you can follow these steps using Python:

        1. Install the AWS SDK for Python (Boto3) using pip.

        ```
        pip install boto3
        ```

        2. Create an AWS session using the AWS access key and secret access key.

        ```python theme={null}
        import boto3

        session = boto3.Session(
            aws_access_key_id='YOUR_ACCESS_KEY',
            aws_secret_access_key='YOUR_SECRET_KEY'
        )
        ```

        3. Create a boto3 client for the SSM service.

        ```python theme={null}
        ssm_client = session.client('ssm')
        ```

        4. Use the `describe_parameters()` method to get a list of all the SSM parameters in the AWS account.

        ```python theme={null}
        parameters = ssm_client.describe_parameters()
        ```

        5. Loop through the list of parameters and check if the `KeyId` attribute is present. If it is not present, it means that the parameter is not encrypted.

        ```python theme={null}
        for parameter in parameters['Parameters']:
            if 'KeyId' not in parameter:
                # Parameter is not encrypted
        ```

        6. Use the `update_parameter()` method to encrypt the parameter. Set the `KeyId` parameter to the ARN of the KMS key to be used for encryption.

        ```python theme={null}
        ssm_client.update_parameter(
            Name='PARAMETER_NAME',
            KeyId='KMS_KEY_ARN',
            Overwrite=True
        )
        ```

        7. Repeat steps 5 and 6 for all the SSM parameters that are not encrypted.

        By following these steps, you can remediate the misconfiguration of SSM parameters not being encrypted in AWS using Python.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://docs.aws.amazon.com/kms/latest/developerguide/services-parameter-store.html](https://docs.aws.amazon.com/kms/latest/developerguide/services-parameter-store.html)
