AWS Systems Manager (AWS SSM)

Non-SecureString SSM Parameters present

Risk Level: Medium

Description: 

This plugin ensures that SSM parameters are encrypted. SSM parameters should be encrypted so that approved systems can use their values while access by other account users is limited.

PingSafe strongly recommends recreating unencrypted SSM Parameters with Type set to SecureString.

About the Service :

AWS Systems Manager (SSM) is an AWS service that lets you view and manage your AWS infrastructure. Using the Systems Manager UI, you can examine operational data from numerous AWS services and automate operational tasks across your AWS resources. By monitoring your managed instances and reporting on (or taking remedial action on) any policy breaches it identifies, Systems Manager helps you maintain security and compliance.

Impact : 

With encrypted AWS SSM parameters, you can separate secrets and configuration data from code and typical administrative activities, ensuring that only allowed users have access to the protected parameter values.

Steps to reproduce :

  1. Log in to your AWS Management Console.
    https://ap-south-1.console.aws.amazon.com/console/ 
  2. Navigate to the SSM dashboard.
    https://ap-south-1.console.aws.amazon.com/systems-manager/ 
  3. Next, move to Parameter Store under Application Management.
  4. Choose the parameter that you want to examine and look at the Value. If it is set to String, the SSM parameter is not a secure string.
  5. Repeat the same procedure for other parameters as well.
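
The console check above can be scripted for accounts with many parameters. The following is an added example, not PingSafe's plugin code: it reads parameter metadata through boto3's `describe_parameters` paginator and flags every parameter whose Type is not SecureString, which includes StringList as well as String. The parameter names in `SAMPLE` are constructed, and the region is assumed to be passed as the first command-line argument.

```python
"""Audit SSM Parameter Store for parameters whose Type is not SecureString."""
import sys


def find_non_secure(parameters):
    """Return (name, type) for every parameter that is not a SecureString.

    `parameters` is a list of metadata dicts in the shape returned by
    ssm:DescribeParameters (keys used here: "Name" and "Type").
    """
    return sorted(
        (p["Name"], p.get("Type", "Unknown"))
        for p in parameters
        if p.get("Type") != "SecureString"
    )


def list_parameters(region):
    """Fetch metadata for all parameters in one region (values are not read)."""
    import boto3  # imported lazily so find_non_secure() works without AWS access

    ssm = boto3.client("ssm", region_name=region)
    found = []
    for page in ssm.get_paginator("describe_parameters").paginate():
        found.extend(page["Parameters"])
    return found


# Constructed sample metadata, not taken from a real account.
SAMPLE = [
    {"Name": "/app/db/password", "Type": "String"},
    {"Name": "/app/api/key", "Type": "SecureString", "KeyId": "alias/aws/ssm"},
    {"Name": "/app/allowed-hosts", "Type": "StringList"},
]

if __name__ == "__main__":
    # With a region argument, audit the live account; otherwise use SAMPLE.
    params = list_parameters(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    findings = find_non_secure(params)
    for name, ptype in findings:
        print(f"NON-SECURE  {ptype:<10}  {name}")
    sys.exit(1 if findings else 0)
```

The script exits non-zero when any finding exists, so it can gate a scheduled job or pipeline step; the calling identity only needs `ssm:DescribeParameters`.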

Steps for remediation :

  1. Log in to your AWS Management Console.
    https://ap-south-1.console.aws.amazon.com/console/ 
  2. Navigate to the SSM dashboard.
    https://ap-south-1.console.aws.amazon.com/systems-manager/ 
  3. Next, move to Parameter Store under Application Management.
  4. Choose the parameter that you want to examine and look at the Value. If it is set to String, the SSM parameter is not a secure string.
  5. Click on the parameter to recreate and copy the Name, Description and Value. Once the information is copied, click on Delete and confirm the deletion.
  6. Next, click on Create Parameter to start the setup of the secure string SSM parameter.
  7. In the parameter details, enter the Name, Description and then select the Tier and set Type as SecureString. Next, enter the Value and click Create parameter.
  8. Next, enter the copied Name, Description and Value.
  9. Repeat the same procedure for other parameters as well.
