turbot/steampipe-mod-aws-compliance

Control: 7 SSM documents should have the block public sharing setting enabled

Description

This control checks whether the block public sharing setting is enabled for AWS Systems Manager documents. The control fails if the block public sharing setting is disabled for Systems Manager documents.

The block public sharing setting for AWS Systems Manager (SSM) documents is an account-level setting. Enabling this setting can prevent unwanted access to your SSM documents. If you enable this setting, your change doesn't affect any SSM documents that you're currently sharing with the public. Unless your use case requires you to share SSM documents with the public, we recommend that you enable the block public sharing setting. The setting can differ for each AWS Region.

Remediation

For information about enabling the block public sharing setting for AWS Systems Manager (SSM) documents, see Block public sharing for SSM documents in the AWS Systems Manager User Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_ssm_7

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_ssm_7 --share

SQL

This control uses a named query against the aws_ssm_service_setting table, which returns one row per region for the setting /ssm/documents/console/public-sharing-permission:

select
  arn as resource,
  case
    when setting_value = 'Enable' then 'ok'
    else 'alarm'
  end as status,
  case
    when setting_value = 'Enable' then title || ' block public sharing setting enabled for region ' || region || ' (' || account_id || ').'
    else title || ' block public sharing setting disabled for region ' || region || ' (' || account_id || ').'
  end as reason,
  region,
  account_id
from
  aws_ssm_service_setting
where
  setting_id = '/ssm/documents/console/public-sharing-permission';
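As an added example that is not part of the mod or of AWS, the following Python reproduces the control's evaluation outside Steampipe over the raw GetServiceSetting response, loops over every region (the setting is per region), and also surfaces the setting's Status field (Default, Customized or PendingUpdate), which the query above does not. The compliant value 'Enable' is carried over from the query as an assumption; the setting ID is named public-sharing-permission, so confirm against the Systems Manager service-setting reference which value corresponds to blocked sharing before acting on results. The setting ID stands in for the table's title column. The sample responses, account ID and regions are constructed; boto3 is only needed for the live audit_all_regions helper.

```python
"""Per-region check of the SSM block-public-sharing service setting.

Added example; not code from steampipe-mod-aws-compliance or AWS.
"""
from dataclasses import dataclass

SETTING_ID = "/ssm/documents/console/public-sharing-permission"

# Assumption carried over from the control's query: SettingValue 'Enable' is
# treated as compliant. Verify against the AWS service-setting reference.
COMPLIANT_VALUE = "Enable"


@dataclass(frozen=True)
class Finding:
    resource: str
    status: str      # 'ok', 'alarm' or 'error', as Steampipe reports them
    reason: str
    region: str
    account_id: str


def evaluate_service_setting(response: dict, region: str, account_id: str) -> Finding:
    """Map one GetServiceSetting response to the control's (resource, status, reason)."""
    setting = response["ServiceSetting"]
    if setting.get("SettingId") != SETTING_ID:
        raise ValueError(f"unexpected SettingId {setting.get('SettingId')!r}")
    value = setting.get("SettingValue")
    # Service-setting ARNs look like arn:aws:ssm:<region>:<account>:servicesetting<setting id>;
    # build one when the response omits it.
    arn = setting.get("ARN") or f"arn:aws:ssm:{region}:{account_id}:servicesetting{SETTING_ID}"
    status = "ok" if value == COMPLIANT_VALUE else "alarm"
    state = "enabled" if status == "ok" else "disabled"
    reason = f"{SETTING_ID} block public sharing setting {state} for region {region} ({account_id})."
    # PendingUpdate means a change was requested but has not applied yet:
    # report the current value and tell the operator to re-check.
    if setting.get("Status") == "PendingUpdate":
        reason += " Update pending; re-check once it has applied."
    return Finding(arn, status, reason, region, account_id)


def audit_all_regions(session=None) -> list:
    """Read the setting in every SSM region (needs AWS credentials).

    boto3 is imported here so evaluate_service_setting stays usable offline.
    """
    import boto3
    from botocore.exceptions import BotoCoreError, ClientError

    session = session or boto3.session.Session()
    account_id = session.client("sts").get_caller_identity()["Account"]
    findings = []
    for region in session.get_available_regions("ssm"):
        ssm = session.client("ssm", region_name=region)
        try:
            resp = ssm.get_service_setting(SettingId=SETTING_ID)
        except (ClientError, BotoCoreError) as exc:
            # Opt-in regions that are not enabled fail here; record, do not abort.
            findings.append(Finding(
                f"arn:aws:ssm:{region}:{account_id}:servicesetting{SETTING_ID}",
                "error", f"Could not read setting in {region}: {exc}", region, account_id))
            continue
        findings.append(evaluate_service_setting(resp, region, account_id))
    return findings


# Constructed sample responses (not captured from a real account) for offline use.
SAMPLE_ACCOUNT = "123456789012"
SAMPLE_RESPONSES = {
    "us-east-1": {"ServiceSetting": {
        "SettingId": SETTING_ID, "SettingValue": "Enable", "Status": "Customized",
        "ARN": f"arn:aws:ssm:us-east-1:{SAMPLE_ACCOUNT}:servicesetting{SETTING_ID}"}},
    "eu-west-1": {"ServiceSetting": {
        "SettingId": SETTING_ID, "SettingValue": "Disable", "Status": "Customized"}},
    "ap-southeast-2": {"ServiceSetting": {
        "SettingId": SETTING_ID, "SettingValue": "Enable", "Status": "PendingUpdate"}},
}


def evaluate_samples() -> list:
    """Evaluate the constructed responses, ordered by region name."""
    return [evaluate_service_setting(resp, region, SAMPLE_ACCOUNT)
            for region, resp in sorted(SAMPLE_RESPONSES.items())]


if __name__ == "__main__":
    for finding in evaluate_samples():
        print(finding.status.upper(), finding.reason)
```

Run the file as-is to see the control's output over the constructed responses; call audit_all_regions() with a boto3 session to run the same evaluation against a real account, region by region.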

Tags