From 53b5030f00979bde5223c71bc44ccc8f508b9e21 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rub=C3=A9n=20De=20la=20Torre=20Vico?= Date: Fri, 26 Dec 2025 11:06:08 +0100 Subject: [PATCH] chore(aws): enhance metadata for `ssm` service (#9430) Co-authored-by: Daniel Barranquero --- prowler/CHANGELOG.md | 1 + .../ssm_document_secrets.metadata.json | 35 ++++++++++-------- .../ssm_documents_set_as_public.metadata.json | 31 +++++++++------- ...m_managed_compliant_patching.metadata.json | 36 ++++++++++++------- 4 files changed, 64 insertions(+), 39 deletions(-) diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md index 5929f90c6c..b1736c9261 100644 --- a/prowler/CHANGELOG.md +++ b/prowler/CHANGELOG.md @@ -22,6 +22,7 @@ All notable changes to the **Prowler SDK** are documented in this file. - Update AWS Redshift service metadata to new format [(#9385)](https://github.com/prowler-cloud/prowler/pull/9385) - Update AWS Storage Gateway service metadata to new format [(#9433)](https://github.com/prowler-cloud/prowler/pull/9433) - Update AWS Well-Architected service metadata to new format [(#9482)](https://github.com/prowler-cloud/prowler/pull/9482) +- Update AWS SSM service metadata to new format [(#9430)](https://github.com/prowler-cloud/prowler/pull/9430) --- diff --git a/prowler/providers/aws/services/ssm/ssm_document_secrets/ssm_document_secrets.metadata.json b/prowler/providers/aws/services/ssm/ssm_document_secrets/ssm_document_secrets.metadata.json index a83ef7411f..093b23338f 100644 --- a/prowler/providers/aws/services/ssm/ssm_document_secrets/ssm_document_secrets.metadata.json +++ b/prowler/providers/aws/services/ssm/ssm_document_secrets/ssm_document_secrets.metadata.json 
@@ -1,27 +1,34 @@
 {
 "Provider": "aws",
 "CheckID": "ssm_document_secrets",
- "CheckTitle": "Find secrets in SSM Documents.",
- "CheckType": [],
+ "CheckTitle": "SSM document contains no secrets",
+ "CheckType": [
+ "Software and Configuration Checks/AWS Security Best Practices",
+ "Sensitive Data Identifications/Security",
+ "Effects/Data Exposure"
+ ],
 "ServiceName": "ssm",
 "SubServiceName": "",
- "ResourceIdTemplate": "arn:aws:ssm:region:account-id:document/document-name",
- "Severity": "critical",
- "ResourceType": "AwsSsmDocument",
+ "ResourceIdTemplate": "",
+ "Severity": "high",
+ "ResourceType": "AwsSsmPatchCompliance",
 "ResourceGroup": "devops",
- "Description": "Find secrets in SSM Documents.",
- "Risk": "Secrets hardcoded into SSM Documents by malware and bad actors to gain lateral access to other services.",
- "RelatedUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html",
+ "Description": "**AWS Systems Manager documents** are inspected for embedded **secrets** within their content. Patterns resembling passwords, access keys, tokens, or private keys in document steps are flagged when values appear hardcoded rather than referenced securely.",
+ "Risk": "Hardcoded secrets in SSM documents weaken CIA:\n- Confidentiality: readers of the document can exfiltrate credentials.\n- Integrity: stolen keys enable privilege escalation and automation tampering.\n- Availability: abused credentials can disrupt systems and impede recovery.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "",
- "NativeIaC": "",
- "Other": "",
- "Terraform": ""
+ "CLI": "aws ssm update-document --name --content file://.json",
+ "NativeIaC": "```yaml\nResources:\n :\n Type: AWS::SSM::Document\n Properties:\n DocumentType: Command\n Content:\n schemaVersion: '2.2'\n mainSteps:\n - action: aws:runShellScript\n inputs:\n runCommand:\n # Critical: reference a SecureString parameter instead of hardcoding a secret\n # This avoids embedding secrets in the document content\n - \"export PASSWORD='{{ssm-secure:/path/to/secret}}'\"\n```",
+ "Other": "1. In the AWS Console, go to Systems Manager > Parameter Store > Create parameter\n2. Set Name to /path/to/secret, Type to SecureString, enter the secret value, and click Create parameter\n3. Go to Systems Manager > Documents, select the document, then Actions > Edit content\n4. Remove any hardcoded secrets and reference the SecureString parameter, e.g.: {{ssm-secure:/path/to/secret}}\n5. Save to create a new version and set it as Default\n6. Re-run the check to confirm it passes",
+ "Terraform": "```hcl\nresource \"aws_ssm_document\" \"\" {\n name = \"\"\n document_type = \"Command\"\n\n content = jsonencode({\n schemaVersion = \"2.2\"\n mainSteps = [{\n action = \"aws:runShellScript\"\n name = \"run\"\n inputs = {\n runCommand = [\n // Critical: use ssm-secure dynamic reference to avoid hardcoded secrets\n \"export PASSWORD='{{ssm-secure:/path/to/secret}}'\"\n ]\n }\n }]\n })\n}\n```"
 },
 "Recommendation": {
- "Text": "Implement automated detective control (e.g. using tools like Prowler) to scan accounts for passwords and secrets. Use Secrets Manager service to store and retrieve passwords and secrets.",
- "Url": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html"
+ "Text": "Avoid embedding secrets. Store them in **Secrets Manager** or **Parameter Store** as `SecureString` (KMS-encrypted) and reference at runtime.\n\nApply **least privilege** to documents and secrets, prefer **short-lived role credentials**, rotate credentials, continuously scan/audit documents, and enforce **separation of duties** for authoring and approval.",
+ "Url": "https://hub.prowler.com/check/ssm_document_secrets"
 }
 },
 "Categories": [
diff --git a/prowler/providers/aws/services/ssm/ssm_documents_set_as_public/ssm_documents_set_as_public.metadata.json b/prowler/providers/aws/services/ssm/ssm_documents_set_as_public/ssm_documents_set_as_public.metadata.json
index 77e3b8edef..6ac42ea03c 100644
--- a/prowler/providers/aws/services/ssm/ssm_documents_set_as_public/ssm_documents_set_as_public.metadata.json
+++ b/prowler/providers/aws/services/ssm/ssm_documents_set_as_public/ssm_documents_set_as_public.metadata.json
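Review bot: `"ResourceType": "AwsSsmPatchCompliance"` does not describe what this check evaluates — the Description, the old `ResourceIdTemplate` (`arn:aws:ssm:...:document/...`) and the previous value `AwsSsmDocument` all concern an SSM document, and the same substitution is made in the ssm_documents_set_as_public hunk. Any consumer that maps findings onto a resource taxonomy (Security Hub style output, or filtering by resource type) would attribute a secrets-in-document finding to a patch-compliance resource. If the new metadata format only accepts a closed set of resource types and has no document type, that constraint should be stated in the PR description or a `"Notes"` entry rather than absorbed silently into the field. Separately, the CLI entry reads `aws ssm update-document --name --content file://.json` and the Terraform/YAML snippets carry empty names (`\"\"`, ` :`); if that is how the file stores them rather than this page stripping angle-bracket placeholders, the placeholders need restoring so the command is usable as written. The `"Severity"` drop from `critical` to `high` is also not explained anywhere in the commit.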
@@ -1,30 +1,37 @@
 {
 "Provider": "aws",
 "CheckID": "ssm_documents_set_as_public",
- "CheckTitle": "Check if there are SSM Documents set as public.",
- "CheckType": [],
+ "CheckTitle": "SSM document is not public and shared only with trusted AWS accounts",
+ "CheckType": [
+ "Software and Configuration Checks/AWS Security Best Practices",
+ "Effects/Data Exposure"
+ ],
 "ServiceName": "ssm",
 "SubServiceName": "",
- "ResourceIdTemplate": "arn:aws:ssm:region:account-id:document/document-name",
+ "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "AwsSsmDocument",
+ "ResourceType": "AwsSsmPatchCompliance",
 "ResourceGroup": "devops",
- "Description": "Check if there are SSM Documents set as public.",
- "Risk": "SSM Documents may contain private information or even secrets and tokens.",
- "RelatedUrl": "https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-before-you-share.html",
+ "Description": "**SSM documents** are evaluated for **public sharing** (`all`) and for shares with AWS accounts outside a defined trusted list. Documents that remain private or are shared only with trusted accounts indicate restricted distribution.",
+ "Risk": "Public or non-trusted sharing exposes document content, eroding **confidentiality** of scripts, parameters, and embedded secrets. Adversaries can study runbooks to craft targeted attacks and reuse logic, causing credential leakage and downstream **integrity** and **availability** impacts.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-before-you-share.html"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "",
+ "CLI": "aws ssm modify-document-permission --name --permission-type Share --account-ids-to-remove all",
 "NativeIaC": "",
- "Other": "https://github.com/cloudmatos/matos/tree/master/remediations/aws/ssm/ssm-doc-block",
- "Terraform": ""
+ "Other": "1. Open AWS Systems Manager > Documents\n2. Select the document > Permissions tab > Edit\n3. Select Private (remove Public/'all')\n4. Remove any non-trusted AWS account IDs\n5. Save",
+ "Terraform": "```hcl\nresource \"aws_ssm_document\" \"\" {\n name = \"\"\n document_type = \"Command\"\n content = jsonencode({\n schemaVersion = \"2.2\"\n mainSteps = []\n })\n # Critical: no permissions block -> document remains private (not public/shared)\n}\n```"
 },
 "Recommendation": {
- "Text": "Carefully review the contents of the document before is shared. Enable SSM Block public sharing for documents.",
- "Url": "https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-before-you-share.html"
+ "Text": "Apply **least privilege** to document distribution:\n- Keep documents private; share only with specific trusted account IDs\n- Enable account-level block public sharing for documents\n- Remove secrets from content; use secure parameters\n- Limit who can share or run documents; require reviews and version control",
+ "Url": "https://hub.prowler.com/check/ssm_documents_set_as_public"
 }
 },
 "Categories": [
+ "identity-access",
 "internet-exposed"
 ],
 "DependsOn": [],
diff --git a/prowler/providers/aws/services/ssm/ssm_managed_compliant_patching/ssm_managed_compliant_patching.metadata.json b/prowler/providers/aws/services/ssm/ssm_managed_compliant_patching/ssm_managed_compliant_patching.metadata.json
index 43e3c6dff6..42ed8968f1 100644
--- a/prowler/providers/aws/services/ssm/ssm_managed_compliant_patching/ssm_managed_compliant_patching.metadata.json
+++ b/prowler/providers/aws/services/ssm/ssm_managed_compliant_patching/ssm_managed_compliant_patching.metadata.json
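Review bot: The CLI remediation `aws ssm modify-document-permission --name --permission-type Share --account-ids-to-remove all` only undoes public sharing, while the new Description says the check also fails documents shared with accounts outside the trusted list and the `"Other"` steps tell the user to remove those account IDs; the CLI entry should say that the same command is run with the untrusted account IDs in place of `all`. The Recommendation asks to `Enable account-level block public sharing for documents`, but none of the Code entries shows how; a second CLI line that sets the SSM service setting `/ssm/documents/console/public-sharing-permission` to `Disable` via `update-service-setting` would make that actionable and is the control that prevents recurrence rather than fixing one document. The Terraform comment `no permissions block -> document remains private` holds for a freshly created resource but does not remediate an existing shared document; a sentence stating that the snippet is an example of a compliant definition rather than a fix would avoid that reading. The ResourceType concern raised on the ssm_document_secrets hunk applies here as well.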
@@ -1,30 +1,40 @@
 {
 "Provider": "aws",
 "CheckID": "ssm_managed_compliant_patching",
- "CheckTitle": "Check if EC2 instances managed by Systems Manager are compliant with patching requirements.",
- "CheckType": [],
+ "CheckTitle": "EC2 managed instance is compliant with Systems Manager patching requirements",
+ "CheckType": [
+ "Software and Configuration Checks/Patch Management",
+ "Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
+ ],
 "ServiceName": "ssm",
 "SubServiceName": "",
- "ResourceIdTemplate": "arn:aws:ec2:region:account-id:instance/instance-id",
+ "ResourceIdTemplate": "",
 "Severity": "high",
 "ResourceType": "AwsSsmPatchCompliance",
 "ResourceGroup": "devops",
- "Description": "Check if EC2 instances managed by Systems Manager are compliant with patching requirements.",
- "Risk": "Without the most recent security patches your system is potentially vulnerable to cyberattacks. Even the best-designed software can not anticipate every future threat to cybersecurity. Poor patch management can leave an organizations data exposed subjecting them to malware and ransomware attacks.",
- "RelatedUrl": "https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-compliance-identify.html",
+ "Description": "**SSM-managed EC2 instances** report **patch compliance** against defined baselines. This evaluates each managed node's compliance status from Patch Manager to determine whether required security updates are applied according to policy.",
+ "Risk": "**Unpatched instances** expose known `CVE` vulnerabilities, enabling **remote code execution**, **privilege escalation**, and **lateral movement**.\n\nThis threatens **confidentiality** (data exfiltration), **integrity** (unauthorized changes), and **availability** (ransomware, crypto-mining, outages).",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-compliance-identify.html",
+ "https://support.icompaas.com/support/solutions/articles/62000233554-ensure-ec2-instances-managed-by-systems-manager-are-compliant-with-patching-requirements",
+ "https://docs.aws.amazon.com/systems-manager/latest/userguide/compliance-fixing.html"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "",
- "NativeIaC": "",
- "Other": "",
- "Terraform": ""
+ "CLI": "aws ssm send-command --instance-ids --document-name AWS-RunPatchBaseline --parameters Operation=Install",
+ "NativeIaC": "```yaml\n# Create an SSM Association to install missing patches on the instance\nResources:\n :\n Type: AWS::SSM::Association\n Properties:\n Name: AWS-RunPatchBaseline\n InstanceId: \n Parameters:\n Operation:\n - Install # Critical: installs missing patches so the instance becomes COMPLIANT\n```",
+ "Other": "1. Open AWS Console > Systems Manager > Run Command\n2. Click Run command\n3. Select document: AWS-RunPatchBaseline\n4. In Parameters, set Operation = Install\n5. In Targets, select the non-compliant instance\n6. Click Run; wait for command to complete and verify Compliance shows COMPLIANT",
+ "Terraform": "```hcl\n# Run AWS-RunPatchBaseline to install missing patches on the instance\nresource \"aws_ssm_association\" \"\" {\n name = \"AWS-RunPatchBaseline\"\n instance_id = \"\"\n parameters = {\n Operation = [\"Install\"] # Critical: installs patches to achieve COMPLIANT status\n }\n}\n```"
 },
 "Recommendation": {
- "Text": "Consider using SSM in all accounts and services to at least monitor for missing patches on servers. Use a robust process to apply security fixes as soon as they are made available. Patch compliance data from Patch Manager can be sent to AWS Security Hub to centralize security issues.",
- "Url": "https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-compliance-identify.html"
+ "Text": "Adopt **automated patch management** with Systems Manager: enroll EC2 as managed nodes, define strict **patch baselines**, run frequent **compliance scans**, and **install critical updates** promptly.\n\nApply **defense in depth**: least-privileged roles for patching, staged rollouts, maintenance windows, and centralized compliance reporting with alerting.",
+ "Url": "https://hub.prowler.com/check/ssm_managed_compliant_patching"
 }
 },
- "Categories": [],
+ "Categories": [
+ "vulnerabilities"
+ ],
 "DependsOn": [],
 "RelatedTo": [],
 "Notes": ""
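Review bot: All three remediation snippets run `AWS-RunPatchBaseline` with `Operation=Install` without saying that this document's `RebootOption` parameter defaults to `RebootIfNeeded`, so applying them as written can reboot a production instance outside any maintenance window; the Recommendation mentions maintenance windows, but the caveat belongs next to the code, e.g. the CLI entry as `--parameters Operation=Install,RebootOption=NoReboot` with a note that a scheduled reboot is then still required for the instance to report COMPLIANT. The second `"AdditionalURLs"` entry points at a third-party vendor support site (support.icompaas.com) between two AWS documentation links; a security scanner's shipped metadata is better off not depending on a link whose content it cannot vouch for, so I would drop it or replace it with the AWS patch-baseline documentation. The Terraform snippet sets `instance_id` on `aws_ssm_association`, which, if I recall correctly, the AWS provider documents as deprecated in favour of `targets`; worth confirming before it is published as the reference fix.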