chore(aws): enhance metadata for ssm service (#9430)

Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>
Rubén De la Torre Vico
2025-12-26 11:06:08 +01:00
committed by GitHub
parent 627d6da699
commit 53b5030f00
4 changed files with 64 additions and 39 deletions

@@ -22,6 +22,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
- Update AWS Redshift service metadata to new format [(#9385)](https://github.com/prowler-cloud/prowler/pull/9385)
- Update AWS Storage Gateway service metadata to new format [(#9433)](https://github.com/prowler-cloud/prowler/pull/9433)
- Update AWS Well-Architected service metadata to new format [(#9482)](https://github.com/prowler-cloud/prowler/pull/9482)
- Update AWS SSM service metadata to new format [(#9430)](https://github.com/prowler-cloud/prowler/pull/9430)
---
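Review bot: the new SSM line breaks the alphabetical order the neighbouring entries follow (Redshift, Storage Gateway, Well-Architected); move `- Update AWS SSM service metadata to new format [(#9430)](https://github.com/prowler-cloud/prowler/pull/9430)` so it sits between the Redshift and Storage Gateway lines.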

@@ -1,27 +1,34 @@
{
"Provider": "aws",
"CheckID": "ssm_document_secrets",
"CheckTitle": "Find secrets in SSM Documents.",
"CheckType": [],
"CheckTitle": "SSM document contains no secrets",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices",
"Sensitive Data Identifications/Security",
"Effects/Data Exposure"
],
"ServiceName": "ssm",
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:ssm:region:account-id:document/document-name",
"Severity": "critical",
"ResourceType": "AwsSsmDocument",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AwsSsmPatchCompliance",
"ResourceGroup": "devops",
"Description": "Find secrets in SSM Documents.",
"Risk": "Secrets hardcoded into SSM Documents by malware and bad actors to gain lateral access to other services.",
"RelatedUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html",
"Description": "**AWS Systems Manager documents** are inspected for embedded **secrets** within their content. Patterns resembling passwords, access keys, tokens, or private keys in document steps are flagged when values appear hardcoded rather than referenced securely.",
"Risk": "Hardcoded secrets in SSM documents weaken CIA:\n- Confidentiality: readers of the document can exfiltrate credentials.\n- Integrity: stolen keys enable privilege escalation and automation tampering.\n- Availability: abused credentials can disrupt systems and impede recovery.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"CLI": "aws ssm update-document --name <example_resource_name> --content file://<SANITIZED_DOCUMENT_FILE>.json",
"NativeIaC": "```yaml\nResources:\n <example_resource_name>:\n Type: AWS::SSM::Document\n Properties:\n DocumentType: Command\n Content:\n schemaVersion: '2.2'\n mainSteps:\n - action: aws:runShellScript\n inputs:\n runCommand:\n # Critical: reference a SecureString parameter instead of hardcoding a secret\n # This avoids embedding secrets in the document content\n - \"export PASSWORD='{{ssm-secure:/path/to/secret}}'\"\n```",
"Other": "1. In the AWS Console, go to Systems Manager > Parameter Store > Create parameter\n2. Set Name to /path/to/secret, Type to SecureString, enter the secret value, and click Create parameter\n3. Go to Systems Manager > Documents, select the document, then Actions > Edit content\n4. Remove any hardcoded secrets and reference the SecureString parameter, e.g.: {{ssm-secure:/path/to/secret}}\n5. Save to create a new version and set it as Default\n6. Re-run the check to confirm it passes",
"Terraform": "```hcl\nresource \"aws_ssm_document\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n document_type = \"Command\"\n\n content = jsonencode({\n schemaVersion = \"2.2\"\n mainSteps = [{\n action = \"aws:runShellScript\"\n name = \"run\"\n inputs = {\n runCommand = [\n // Critical: use ssm-secure dynamic reference to avoid hardcoded secrets\n \"export PASSWORD='{{ssm-secure:/path/to/secret}}'\"\n ]\n }\n }]\n })\n}\n```"
},
"Recommendation": {
"Text": "Implement automated detective control (e.g. using tools like Prowler) to scan accounts for passwords and secrets. Use Secrets Manager service to store and retrieve passwords and secrets.",
"Url": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html"
"Text": "Avoid embedding secrets. Store them in **Secrets Manager** or **Parameter Store** as `SecureString` (KMS-encrypted) and reference at runtime.\n\nApply **least privilege** to documents and secrets, prefer **short-lived role credentials**, rotate credentials, continuously scan/audit documents, and enforce **separation of duties** for authoring and approval.",
"Url": "https://hub.prowler.com/check/ssm_document_secrets"
}
},
"Categories": [
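Review bot: the `ResourceType` change from `"AwsSsmDocument"` to `"AwsSsmPatchCompliance"` is wrong for a check whose subject is SSM document content; `AwsSsmPatchCompliance` describes patch-compliance items, so anything that groups or filters findings by resource type will misclassify these results. Keep `"ResourceType": "AwsSsmDocument"`, and keep the previous `"ResourceIdTemplate": "arn:aws:ssm:region:account-id:document/document-name"` instead of blanking it, since the finding still identifies one document ARN. The severity drop from `critical` to `high` is not mentioned in the commit message; if it is intended, record it in the CHANGELOG entry.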

@@ -1,30 +1,37 @@
{
"Provider": "aws",
"CheckID": "ssm_documents_set_as_public",
"CheckTitle": "Check if there are SSM Documents set as public.",
"CheckType": [],
"CheckTitle": "SSM document is not public and shared only with trusted AWS accounts",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices",
"Effects/Data Exposure"
],
"ServiceName": "ssm",
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:ssm:region:account-id:document/document-name",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AwsSsmDocument",
"ResourceType": "AwsSsmPatchCompliance",
"ResourceGroup": "devops",
"Description": "Check if there are SSM Documents set as public.",
"Risk": "SSM Documents may contain private information or even secrets and tokens.",
"RelatedUrl": "https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-before-you-share.html",
"Description": "**SSM documents** are evaluated for **public sharing** (`all`) and for shares with AWS accounts outside a defined trusted list. Documents that remain private or are shared only with trusted accounts indicate restricted distribution.",
"Risk": "Public or non-trusted sharing exposes document content, eroding **confidentiality** of scripts, parameters, and embedded secrets. Adversaries can study runbooks to craft targeted attacks and reuse logic, causing credential leakage and downstream **integrity** and **availability** impacts.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-before-you-share.html"
],
"Remediation": {
"Code": {
"CLI": "",
"CLI": "aws ssm modify-document-permission --name <DOCUMENT_NAME> --permission-type Share --account-ids-to-remove all",
"NativeIaC": "",
"Other": "https://github.com/cloudmatos/matos/tree/master/remediations/aws/ssm/ssm-doc-block",
"Terraform": ""
"Other": "1. Open AWS Systems Manager > Documents\n2. Select the document > Permissions tab > Edit\n3. Select Private (remove Public/'all')\n4. Remove any non-trusted AWS account IDs\n5. Save",
"Terraform": "```hcl\nresource \"aws_ssm_document\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n document_type = \"Command\"\n content = jsonencode({\n schemaVersion = \"2.2\"\n mainSteps = []\n })\n # Critical: no permissions block -> document remains private (not public/shared)\n}\n```"
},
"Recommendation": {
"Text": "Carefully review the contents of the document before is shared. Enable SSM Block public sharing for documents.",
"Url": "https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-before-you-share.html"
"Text": "Apply **least privilege** to document distribution:\n- Keep documents private; share only with specific trusted account IDs\n- Enable account-level block public sharing for documents\n- Remove secrets from content; use secure parameters\n- Limit who can share or run documents; require reviews and version control",
"Url": "https://hub.prowler.com/check/ssm_documents_set_as_public"
}
},
"Categories": [
"identity-access",
"internet-exposed"
],
"DependsOn": [],
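Review bot: same resource-type problem as in ssm_document_secrets: `"ResourceType"` moves from `"AwsSsmDocument"` to `"AwsSsmPatchCompliance"` although the check evaluates document sharing permissions, and `"ResourceIdTemplate"` is emptied although the finding is per document ARN; keep `AwsSsmDocument` and the `arn:aws:ssm:region:account-id:document/document-name` template. Minor: the CLI placeholder `<DOCUMENT_NAME>` does not match the `<example_resource_name>` convention used in the Terraform snippet of the same block and in the other files of this PR.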

@@ -1,30 +1,40 @@
{
"Provider": "aws",
"CheckID": "ssm_managed_compliant_patching",
"CheckTitle": "Check if EC2 instances managed by Systems Manager are compliant with patching requirements.",
"CheckType": [],
"CheckTitle": "EC2 managed instance is compliant with Systems Manager patching requirements",
"CheckType": [
"Software and Configuration Checks/Patch Management",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
],
"ServiceName": "ssm",
"SubServiceName": "",
"ResourceIdTemplate": "arn:aws:ec2:region:account-id:instance/instance-id",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AwsSsmPatchCompliance",
"ResourceGroup": "devops",
"Description": "Check if EC2 instances managed by Systems Manager are compliant with patching requirements.",
"Risk": "Without the most recent security patches your system is potentially vulnerable to cyberattacks. Even the best-designed software can not anticipate every future threat to cybersecurity. Poor patch management can leave an organizations data exposed subjecting them to malware and ransomware attacks.",
"RelatedUrl": "https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-compliance-identify.html",
"Description": "**SSM-managed EC2 instances** report **patch compliance** against defined baselines. This evaluates each managed node's compliance status from Patch Manager to determine whether required security updates are applied according to policy.",
"Risk": "**Unpatched instances** expose known `CVE` vulnerabilities, enabling **remote code execution**, **privilege escalation**, and **lateral movement**.\n\nThis threatens **confidentiality** (data exfiltration), **integrity** (unauthorized changes), and **availability** (ransomware, crypto-mining, outages).",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-compliance-identify.html",
"https://support.icompaas.com/support/solutions/articles/62000233554-ensure-ec2-instances-managed-by-systems-manager-are-compliant-with-patching-requirements",
"https://docs.aws.amazon.com/systems-manager/latest/userguide/compliance-fixing.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"CLI": "aws ssm send-command --instance-ids <INSTANCE_ID> --document-name AWS-RunPatchBaseline --parameters Operation=Install",
"NativeIaC": "```yaml\n# Create an SSM Association to install missing patches on the instance\nResources:\n <example_resource_name>:\n Type: AWS::SSM::Association\n Properties:\n Name: AWS-RunPatchBaseline\n InstanceId: <example_resource_id>\n Parameters:\n Operation:\n - Install # Critical: installs missing patches so the instance becomes COMPLIANT\n```",
"Other": "1. Open AWS Console > Systems Manager > Run Command\n2. Click Run command\n3. Select document: AWS-RunPatchBaseline\n4. In Parameters, set Operation = Install\n5. In Targets, select the non-compliant instance\n6. Click Run; wait for command to complete and verify Compliance shows COMPLIANT",
"Terraform": "```hcl\n# Run AWS-RunPatchBaseline to install missing patches on the instance\nresource \"aws_ssm_association\" \"<example_resource_name>\" {\n name = \"AWS-RunPatchBaseline\"\n instance_id = \"<example_resource_id>\"\n parameters = {\n Operation = [\"Install\"] # Critical: installs patches to achieve COMPLIANT status\n }\n}\n```"
},
"Recommendation": {
"Text": "Consider using SSM in all accounts and services to at least monitor for missing patches on servers. Use a robust process to apply security fixes as soon as they are made available. Patch compliance data from Patch Manager can be sent to AWS Security Hub to centralize security issues.",
"Url": "https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-compliance-identify.html"
"Text": "Adopt **automated patch management** with Systems Manager: enroll EC2 as managed nodes, define strict **patch baselines**, run frequent **compliance scans**, and **install critical updates** promptly.\n\nApply **defense in depth**: least-privileged roles for patching, staged rollouts, maintenance windows, and centralized compliance reporting with alerting.",
"Url": "https://hub.prowler.com/check/ssm_managed_compliant_patching"
}
},
"Categories": [],
"Categories": [
"vulnerabilities"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
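Review bot: blanking `"ResourceIdTemplate"` (previously `"arn:aws:ec2:region:account-id:instance/instance-id"`) loses information that is still accurate, since the CLI, CloudFormation and Terraform remediations in this same block all target a single instance id; restore the template. Minor: the CLI placeholder `<INSTANCE_ID>` should follow the `<example_resource_id>` convention used in the NativeIaC and Terraform snippets, and the third-party `support.icompaas.com` link in `AdditionalURLs` should be justified or dropped in favour of the AWS documentation links already present.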