AWS securityhub critical security documentation change
Summary
Added two new controls: SSM.6 (CloudWatch logging for Automation) and SSM.7 (block public sharing of SSM documents)
Security assessment
SSM.7 explicitly addresses a critical security risk by preventing public exposure of SSM documents, a direct mitigation for unauthorized access. SSM.6 enhances logging, a security best practice.
Diff
diff --git a/securityhub/latest/userguide/ssm-controls.md b/securityhub/latest/userguide/ssm-controls.md index af0a662c7..1e4631adf 100644 --- a//securityhub/latest/userguide/ssm-controls.md +++ b//securityhub/latest/userguide/ssm-controls.md @@ -5 +5 @@ -[SSM.1] Amazon EC2 instances should be managed by AWS Systems Manager[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT[SSM.4] SSM documents should not be public[SSM.5] SSM documents should be tagged +[SSM.1] Amazon EC2 instances should be managed by AWS Systems Manager[SSM.2] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation[SSM.3] Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT[SSM.4] SSM documents should not be public[SSM.5] SSM documents should be tagged[SSM.6] SSM Automation should have CloudWatch logging enabled[SSM.7] SSM documents should have the block public sharing setting enabled @@ -167,0 +168,44 @@ To add tags to an AWS Systems Manager document, you can use the [AddTagsToResour +## [SSM.6] SSM Automation should have CloudWatch logging enabled + +**Category:** Identify > Logging + +**Severity:** Medium + +**Resource type:** `AWS::::Account` + +**AWS Config rule:** [ssm-automation-logging-enabled](https://docs.aws.amazon.com/config/latest/developerguide/ssm-automation-logging-enabled.html) + +**Schedule type:** Periodic + +**Parameters:** None + +This control checks whether Amazon CloudWatch logging is enabled for AWS Systems Manager (SSM) Automation. The control fails if CloudWatch logging isn't enabled for SSM Automation. + +SSM Automation is an AWS Systems Manager tool that helps you build automated solutions to deploy, configure, and manage AWS resources at scale using predefined or custom runbooks. To meet operational or security requirements for your organization, you might need to provide a record of the scripts that it runs. You can configure SSM Automation to send the output from `aws:executeScript` actions in your runbooks to an Amazon CloudWatch Logs log group that you specify. With CloudWatch Logs, you can monitor, store, and access log files from various AWS services. + +### Remediation + +For information about enabling CloudWatch logging for SSM Automation, see [Logging Automation action output with CloudWatch Logs](https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-action-logging.html) in the _AWS Systems Manager User Guide_. + +## [SSM.7] SSM documents should have the block public sharing setting enabled + +**Category:** Protect > Secure access management > Resource not publicly accessible + +**Severity:** Critical + +**Resource type:** `AWS::::Account` + +**AWS Config rule:** [ssm-automation-block-public-sharing](https://docs.aws.amazon.com/config/latest/developerguide/ssm-automation-block-public-sharing.html) + +**Schedule type:** Periodic + +**Parameters:** None + +This control checks whether the block public sharing setting is enabled for AWS Systems Manager documents. The control fails if the block public sharing setting is disabled for Systems Manager documents. + +The block public sharing setting for AWS Systems Manager (SSM) documents is an account-level setting. Enabling this setting can prevent unwanted access to your SSM documents. If you enable this setting, your change doesn't affect any SSM documents that you're currently sharing with the public. Unless your use case requires you to share SSM documents with the public, we recommend that you enable the block public sharing setting. The setting can differ for each AWS Region. + +### Remediation + +For information about enabling the block public sharing setting for AWS Systems Manager (SSM) documents, see [Block public sharing for SSM documents](https://docs.aws.amazon.com/systems-manager/latest/userguide/documents-ssm-sharing.html#block-public-access) in the _AWS Systems Manager User Guide_. +