SSM Parameter Encryption

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: SSM-001

Ensure that all AWS Systems Manager (SSM) parameters that store sensitive information such as passwords, database strings and license codes are encrypted in order to meet security and compliance requirements. An encrypted SSM parameter (i.e. a configuration parameter whose type is set to SecureString) holds sensitive data that needs to be stored and referenced securely. Encrypted SSM parameters can be used in the following scenarios:

When you need to use data/parameters across multiple AWS services without exposing the values as clear text in commands, functions, agent logs or CloudTrail logs.

When you want to control who has access to your sensitive configuration data.

When you want AWS-level encryption for your sensitive configuration data and you want to bring your own encryption keys (i.e. Amazon KMS CMKs) to manage access.

This rule can help you with the following compliance standards:

  • PCI
  • HIPAA
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

With encrypted AWS SSM parameters you can separate secrets and configuration data from code and common administration tasks while ensuring that only approved users have access to the protected parameter values.

Note: Only the value of the SSM parameter is encrypted. Parameter names, descriptions and other characteristics are not encrypted.


Audit

To determine if the SSM parameters that hold sensitive information are encrypted within your AWS account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SSM dashboard at https://console.aws.amazon.com/systems-manager/.

03 In the navigation panel, in the Application Management section, choose Parameter Store.

04 Choose the SSM parameter that you want to examine, then click on the parameter name (link) to access the resource details page. If the parameter holds sensitive configuration data such as passwords, database strings, license codes or security tokens in its Value attribute and its Type attribute is set to String, the selected SSM parameter is not encrypted, and the configuration data it references is not protected.

05 Repeat step no. 4 to verify the encryption status for other SSM parameters available within the current region.

06 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run the describe-parameters command (OSX/Linux/UNIX) with a custom query filter to list the name and type of each Amazon SSM parameter available within the selected region:

aws ssm describe-parameters \
    --region us-east-1 \
    --query 'Parameters[*].{Name: Name, Type: Type}'

02 The command output should return the name and the type of each SSM parameter:

[
    {
        "Name": "cc-project7-auth-token",
        "Type": "String"
    },
    {
        "Name": "cc-app-license-codes",
        "Type": "StringList"
    },
    {
        "Name": "cc-web-app-db-name",
        "Type": "SecureString"
    }
]

Check the "Type" attribute value returned for each AWS SSM parameter. If the parameter holds sensitive configuration information such as passwords, database strings, license codes or security tokens, and its "Type" attribute value is "String" or "StringList", as shown in the output example above, the selected Amazon SSM parameter is not encrypted, and the configuration data referenced by the parameter is not protected within your application code.

03 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 and 2 to perform the audit process for other regions.

Remediation / Resolution

To encrypt any existing AWS SSM parameters that store sensitive information, you need to re-create those parameters with the SecureString configuration type. To re-create the necessary Amazon SSM resources, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SSM dashboard at https://console.aws.amazon.com/systems-manager/.

03 In the navigation panel, in the Application Management section, choose Parameter Store.

04 Choose the SSM parameter that you want to re-create (see Audit section part I to identify the right parameter) then click on its name (link) to open the resource details page.

05 On the selected SSM parameter details page, copy the values set for the Name, Description and Value attributes in a secured location.

06 Once the necessary information is copied, click the Delete button from the dashboard top-right menu to remove the selected parameter.

07 Inside the Delete Parameter dialog box, click Delete to confirm the action.

08 In the navigation panel, in the Application Management section, select Parameter Store and click Create parameter button from the dashboard top menu to initiate the setup process.

09 Paste the values copied at step no. 5 in the Name, Description and Value boxes to utilize the same data as the source parameter.

10 Set the parameter Type to SecureString, choose whether to use a KMS key from your current AWS account or from a different AWS account, then select the key to encrypt your parameter data from the KMS Key ID dropdown list.

11 Click Create parameter to finish the setup process.

12 Repeat steps no. 4 – 11 to encrypt other AWS SSM parameters available within the current region.

13 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run the get-parameters command (OSX/Linux/UNIX) using the name of the parameter that you want to re-create as the identifier (see Audit section part II to identify the right parameter) and a custom query filter to describe the data set for the selected SSM parameter:

aws ssm get-parameters \
    --region us-east-1 \
    --names "cc-project7-auth-token" \
    --query 'Parameters'

02 The command output should return the selected parameter data:

[
    {
        "Version": 1,
        "Type": "String",
        "Name": "cc-project7-auth-token",
        "Value": "abcdabcd-1234-1234-1234-abcdabcdabcd"
    }
]

03 Run the put-parameter command (OSX/Linux/UNIX) to re-create the selected AWS SSM parameter using the data returned in the previous step and SecureString as the parameter type. The --overwrite command parameter replaces the existing parameter with the new, encrypted one:

aws ssm put-parameter \
    --region us-east-1 \
    --name "cc-project7-auth-token" \
    --type "SecureString" \
    --value "abcdabcd-1234-1234-1234-abcdabcdabcd" \
    --overwrite

04 The command output should return the new version number of the selected parameter:

{
    "Version": 2
}

05 Repeat steps no. 1 – 4 to encrypt other AWS SSM parameters available in the selected region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the remediation/resolution process for other regions.
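The CLI audit (describe-parameters, then checking Type against the parameter name) and the put-parameter remediation above can be scripted together. The following is an added example, not Conformity's own code: it classifies the JSON produced by the describe-parameters query on this page and builds the argv for the corresponding put-parameter call. The name patterns, the file name ssm_audit.py and the file://<name>.value convention for supplying the secret (so the value never appears in shell history) are assumptions; omitting --key-id uses the default AWS managed key alias/aws/ssm.

```python
"""Audit describe-parameters output and build put-parameter remediation argv.
Feed real output:  aws ssm describe-parameters --region us-east-1 \
  --query 'Parameters[*].{Name: Name, Type: Type}' | python3 ssm_audit.py -
"""
import json
import re
import sys

# Assumed name patterns that usually indicate sensitive values; adapt to your naming.
SENSITIVE_NAME = re.compile(
    r"(token|password|passwd|secret|license|db[-_]?(string|conn|url)|api[-_]?key)",
    re.IGNORECASE,
)
UNENCRYPTED_TYPES = {"String", "StringList"}

# Constructed sample mirroring the page's describe-parameters output (plus one benign entry).
SAMPLE = [
    {"Name": "cc-project7-auth-token", "Type": "String"},
    {"Name": "cc-app-license-codes", "Type": "StringList"},
    {"Name": "cc-web-app-db-name", "Type": "SecureString"},
    {"Name": "cc-web-app-log-level", "Type": "String"},
]


def find_unencrypted(parameters):
    """Names of parameters that look sensitive but are not stored as SecureString."""
    return sorted(
        p["Name"]
        for p in parameters
        if p["Type"] in UNENCRYPTED_TYPES and SENSITIVE_NAME.search(p["Name"])
    )


def remediation_command(name, region, key_id=None):
    """argv for the page's put-parameter step. The value is read from an assumed
    <name>.value file (no trailing newline) instead of being typed inline."""
    cmd = ["aws", "ssm", "put-parameter", "--region", region, "--name", name,
           "--type", "SecureString", "--value", f"file://{name}.value", "--overwrite"]
    if key_id:  # without --key-id the default AWS managed key alias/aws/ssm is used
        cmd += ["--key-id", key_id]
    return cmd


if __name__ == "__main__":
    params = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    for flagged in find_unencrypted(params):
        print(" ".join(remediation_command(flagged, "us-east-1")))
```

Run the printed commands only after copying each parameter's value into its file as in Remediation step 1; the script itself does not call the AWS API.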

Publication date Aug 31, 2018