v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
32Dashboards
1295Controls
585Queries
4Variables
GitHub

Control: 4 SSM documents should not be public

Description

This control checks whether AWS Systems Manager documents that are owned by the account are public. This control fails if SSM documents with the owner Self are public.

SSM documents that are public might allow unintended access to your documents. A public SSM document can expose valuable information about your account, resources, and internal processes.

Unless your use case requires public sharing to be enabled, Security Hub recommends that you turn on the block public sharing setting for your Systems Manager documents that are owned by Self.

Remediation

For more information about disabling public access to SSM documents, see Modify permissions for a shared SSM document and Best practices for shared SSM documents in the AWS Systems Manager User Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_ssm_4

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_ssm_4 --share

SQL

This control uses a named query:

ssm_document_prohibit_public_access

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = resources_not_publicly_accessible
foundational_security_item_id = ssm_4
plugin = aws
service = AWS/SSM