Ensure that all AWS Systems Manager (SSM) parameters that store sensitive information such as passwords, database connection strings and license codes are encrypted in order to meet security and compliance requirements. An encrypted SSM parameter (i.e. a parameter with its type set to SecureString) holds sensitive data that must be stored and referenced securely. Encrypted SSM parameters are useful in the following scenarios:
When you need to use data/parameters across multiple AWS services without exposing the values as clear text in commands, functions, agent logs or CloudTrail logs.
When you want to control who has access to your sensitive configuration data.
When you want AWS-level encryption for your sensitive configuration data and you want to bring your own encryption keys (i.e. AWS KMS customer managed keys) so that access to the values can also be controlled through the KMS key policy.
This rule can help you with the following compliance standards:
- PCI
- HIPAA
- GDPR
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
With encrypted AWS SSM parameters you can separate secrets and configuration data from code and common administration tasks while ensuring that only approved users have access to the protected parameter values.
Note: Only the value of the SSM parameter is encrypted. Parameter names, descriptions and other metadata (such as the KMS key ID) are stored and listed in plain text, so never embed sensitive data in a parameter name or description.
Audit
To determine if the SSM parameters that hold sensitive information are encrypted within your AWS account, perform the following actions:
Remediation / Resolution
To encrypt any existing AWS SSM parameters that store sensitive information, you need to re-create those parameters with the SecureString configuration type. To re-create the necessary Amazon SSM resources, perform the following:
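The audit and remediation steps above can be scripted. The following is an added example (not Conformity's own tooling and not part of the original page): it takes the JSON output of `aws ssm describe-parameters`, flags String/StringList parameters whose names look like secrets, and builds the `delete-parameter` and `put-parameter --type SecureString` commands that re-create each one. The sample output, the name patterns, the region and the KMS alias `alias/conformity-ssm` are constructed assumptions for the example; the current plaintext value must be read beforehand with `aws ssm get-parameter --name <name> --query Parameter.Value --output text`.

```python
"""Audit `aws ssm describe-parameters` output for plaintext secrets and build
the SecureString re-creation commands.

Added example, not part of the original page or of Conformity's tooling.
The sample data, the sensitive-name patterns, the region and the KMS alias
are constructed assumptions.
"""
import json
import re
import shlex

# Constructed sample of `aws ssm describe-parameters` output (not real data).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "Parameters": [
        {"Name": "/prod/db/password", "Type": "String", "Version": 3},
        {"Name": "/prod/db/host", "Type": "String", "Version": 1},
        {"Name": "/prod/api/license-key", "Type": "StringList", "Version": 2},
        {"Name": "/prod/api/token", "Type": "SecureString",
         "KeyId": "alias/aws/ssm", "Version": 5},
    ]
})

# Name fragments that usually indicate a secret. This list is an assumption
# for the example; extend it to match your own naming convention.
SENSITIVE_NAME_RE = re.compile(
    r"(password|passwd|secret|token|api[-_]?key|license|"
    r"connection[-_]?string|private[-_]?key)",
    re.IGNORECASE,
)


def find_plaintext_secrets(describe_output_json):
    """Return the names of String/StringList parameters that look sensitive.

    SecureString parameters already satisfy the rule and are skipped.
    """
    parameters = json.loads(describe_output_json)["Parameters"]
    return [
        p["Name"]
        for p in parameters
        if p["Type"] != "SecureString" and SENSITIVE_NAME_RE.search(p["Name"])
    ]


def remediation_commands(name, value, region, kms_key_id=None, description=None):
    """Build the CLI commands that re-create `name` as a SecureString.

    `value` is the current plaintext value obtained with get-parameter.
    Without --key-id Parameter Store uses the AWS managed key alias/aws/ssm;
    pass a customer managed key to control access through its key policy.
    Every argument is shell-quoted so the output can be pasted verbatim.
    """
    delete_cmd = ["aws", "ssm", "delete-parameter", "--name", name,
                  "--region", region]
    put_cmd = ["aws", "ssm", "put-parameter", "--name", name,
               "--type", "SecureString", "--value", value]
    if kms_key_id:
        put_cmd += ["--key-id", kms_key_id]
    if description:
        put_cmd += ["--description", description]
    put_cmd += ["--region", region]
    return [" ".join(shlex.quote(a) for a in cmd) for cmd in (delete_cmd, put_cmd)]


if __name__ == "__main__":
    for name in find_plaintext_secrets(SAMPLE_DESCRIBE_OUTPUT):
        print(f"UNENCRYPTED: {name}")
        # "<current-value>" is a placeholder; read the real value first.
        for cmd in remediation_commands(name, "<current-value>", "us-east-1",
                                        kms_key_id="alias/conformity-ssm"):
            print("  " + cmd)
```

Two caveats when running the generated commands. First, `delete-parameter` is deliberate: `put-parameter --overwrite` keeps the old plaintext versions in the parameter history, and the page's own guidance is to re-create the parameter, which also means tags, labels and parameter policies must be re-applied and the version counter restarts at 1. Second, passing the secret with `--value` puts it in shell history and process listings; for real secrets prefer `--value file://secret.txt` or `--cli-input-json` with a file that is deleted afterwards, and rotate the secret if its plaintext copy has already been exposed.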
References
- AWS Documentation
- What Is AWS Systems Manager?
- About Systems Manager Parameters
- How AWS Systems Manager Parameter Store Uses AWS KMS
- AWS Command Line Interface (CLI) Documentation
- ssm
- describe-parameters
- get-parameters
- put-parameter