AWS Security ChangesHomeSearch

AWS securityhub low security documentation change

Service: securityhub · 2025-04-16 · Security-related low

File: securityhub/latest/userguide/ssm-controls.md

Summary

Added new SSM.5 control requiring SSM documents to be tagged, updated Config rule link formatting, and consolidated region availability text

Security assessment

The SSM.5 control addition explicitly enforces tagging of SSM documents for security purposes like access control (ABAC) and resource management. This qualifies as security documentation and addresses security posture improvement through tagging requirements.

Diff

diff --git a/securityhub/latest/userguide/ssm-controls.md b/securityhub/latest/userguide/ssm-controls.md
index 7e28d2404..952d01e38 100644
--- a//securityhub/latest/userguide/ssm-controls.md
+++ b//securityhub/latest/userguide/ssm-controls.md
@@ -5 +5 @@
-[SSM.1] Amazon EC2 instances should be managed by AWS Systems Manager[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT[SSM.4] SSM documents should not be public
+[SSM.1] Amazon EC2 instances should be managed by AWS Systems Manager[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT[SSM.4] SSM documents should not be public[SSM.5] SSM documents should be tagged
@@ -9,3 +9 @@
-These AWS Security Hub controls evaluate the AWS Systems Manager (SSM) service and resources.
-
-These controls may not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support).
+These AWS Security Hub controls evaluate the AWS Systems Manager (SSM) service and resources. The controls might not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support).
@@ -25 +23 @@ These controls may not be available in all AWS Regions. For more information, se
-**AWS Config rule:** [`ec2-instance-managed-by-systems-manager`](https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-managed-by-systems-manager.html)
+**AWS Config rule:** [ec2-instance-managed-by-systems-manager](https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-managed-by-systems-manager.html)
@@ -51 +49 @@ To manage EC2 instances with Systems Manager, see [Amazon EC2 host management](h
-**AWS Config rule:** [`ec2-managedinstance-patch-compliance-status-check`](https://docs.aws.amazon.com/config/latest/developerguide/ec2-managedinstance-patch-compliance-status-check.html)
+**AWS Config rule:** [ec2-managedinstance-patch-compliance-status-check](https://docs.aws.amazon.com/config/latest/developerguide/ec2-managedinstance-patch-compliance-status-check.html)
@@ -94 +92 @@ Systems Manager recommends using [patch policies](https://docs.aws.amazon.com/sy
-**AWS Config rule:** [`ec2-managedinstance-association-compliance-status-check`](https://docs.aws.amazon.com/config/latest/developerguide/ec2-managedinstance-association-compliance-status-check.html)
+**AWS Config rule:** [ec2-managedinstance-association-compliance-status-check](https://docs.aws.amazon.com/config/latest/developerguide/ec2-managedinstance-association-compliance-status-check.html)
@@ -124 +122 @@ After investigating, you can edit the association to correct the identified issu
-**AWS Config rule:** [`ssm-document-not-public`](https://docs.aws.amazon.com/config/latest/developerguide/ssm-document-not-public.html)
+**AWS Config rule:** [ssm-document-not-public](https://docs.aws.amazon.com/config/latest/developerguide/ssm-document-not-public.html)
@@ -139,0 +138,30 @@ To block public sharing for Systems Manager documents, see [Block public sharing
+## [SSM.5] SSM documents should be tagged
+
+**Category:** Identify > Inventory > Tagging
+
+**Severity:** Low
+
+**Resource type:** `AWS::SSM::Document`
+
+**AWS Config rule:** [ssm-document-tagged](https://docs.aws.amazon.com/config/latest/developerguide/ssm-document-tagged.html)
+
+**Schedule type:** Change triggered
+
+**Parameters:**
+
+Parameter | Description | Type | Allowed custom values | Security Hub default value  
+---|---|---|---|---  
+`requiredKeyTags` | A list of non-system tag keys that must be assigned to an evaluated resource. Tag keys are case sensitive. | StringList (maximum of 6 items) | 1–6 tag keys that meet [AWS requirements](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions). | No default value  
+  
+This control checks whether an AWS Systems Manager document has the tag keys specified by the `requiredKeyTags` parameter. The control fails if the document doesn't have any tag keys, or it doesn't have all the keys specified by the `requiredKeyTags` parameter. If you don't specify any values for the `requiredKeyTags` parameter, the control checks only for the existence of a tag key and fails if the document doesn't have any tag keys. The control ignores system tags, which are applied automatically and have the `aws:` prefix. The control doesn't evaluate Systems Manager documents that are owned by Amazon.
+
+A tag is a label that you create and assign to an AWS resource. Each tag consists of a required tag key and an optional tag value. You can use tags to categorize resources by purpose, owner, environment, or other criteria. They can help you identify, organize, search for, and filter resources. They can also help you track resource owners for actions and notifications. You can also use tags to implement attribute-based access control (ABAC) as an authorization strategy. For more information about ABAC strategies, see [Define permissions based on attributes with ABAC authorization](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the _IAM User Guide_. For more information about tags, see the [Tagging AWS Resources and Tag Editor User Guide](https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html).
+
+###### Note
+
+Do not store personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible from many AWS services. They aren't intended to be used for private or sensitive data.
+
+### Remediation
+
+To add tags to an AWS Systems Manager document, you can use the [AddTagsToResource](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_AddTagsToResource.html) operation of the AWS Systems Manager API or, if you're using the AWS CLI, run the [add-tags-to-resource](https://docs.aws.amazon.com/cli/latest/reference/ssm/add-tags-to-resource.html) command. You can also use the AWS Systems Manager console.
+