Control: 7 SSM documents should have the block public sharing setting enabled
Description
This control checks whether the block public sharing setting is enabled for AWS Systems Manager documents. The control fails if the block public sharing setting is disabled for Systems Manager documents.
The block public sharing setting for AWS Systems Manager (SSM) documents is an account-level setting. Enabling this setting can prevent unwanted access to your SSM documents. If you enable this setting, your change doesn't affect any SSM documents that you're currently sharing with the public. Unless your use case requires you to share SSM documents with the public, we recommend that you enable the block public sharing setting. The setting can differ for each AWS Region.
Remediation
For information about enabling the block public sharing setting for AWS Systems Manager (SSM) documents, see Block public sharing for SSM documents in the AWS Systems Manager User Guide.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_ssm_7
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_ssm_7 --share
SQL
This control uses a named query:
select
  arn as resource,
  case
    when setting_value = 'Enable' then 'ok'
    else 'alarm'
  end as status,
  case
    when setting_value = 'Enable' then title || ' public sharing setting enabled for region ' || region || '(' || account_id || ').'
    else title || ' public sharing setting disabled for region ' || region || '(' || account_id || ').'
  end as reason,
  region,
  account_id
from
  aws_ssm_service_setting
where
  setting_id = '/ssm/documents/console/public-sharing-permission';
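The same check expressed directly against the Systems Manager API, as an added example that is not part of the Powerpipe mod: it mirrors the named query's logic (a setting value of 'Enable' passes, anything else alarms) and, because the setting is per Region, walks every Region where SSM is available. The boto3 calls and the sample account ID 111122223333 are assumptions of this example; the evaluation function itself runs offline on constructed responses.

```python
# Added example: evaluate the SSM "block public sharing" service setting per
# Region with the same logic as the named query. Not the Powerpipe mod's code.
SETTING_ID = "/ssm/documents/console/public-sharing-permission"


def evaluate_setting(setting, region, account_id):
    """Apply the control to one GetServiceSetting 'ServiceSetting' dict.

    Status and reason follow the SQL above: 'Enable' -> ok, otherwise alarm.
    """
    value = setting.get("SettingValue")
    status = "ok" if value == "Enable" else "alarm"
    state = "enabled" if status == "ok" else "disabled"
    return {
        "resource": setting.get("ARN"),
        "status": status,
        "reason": f"Public sharing setting {state} for region {region} ({account_id}).",
        "region": region,
        "account_id": account_id,
    }


def audit_all_regions():
    """Check every Region where SSM is offered (needs boto3 and AWS credentials)."""
    import boto3  # imported here so evaluate_setting stays importable offline
    from botocore.exceptions import ClientError

    session = boto3.session.Session()
    account_id = session.client("sts").get_caller_identity()["Account"]
    results = []
    for region in session.get_available_regions("ssm"):
        ssm = session.client("ssm", region_name=region)
        try:
            setting = ssm.get_service_setting(SettingId=SETTING_ID)["ServiceSetting"]
        except ClientError as exc:  # e.g. an opt-in Region not enabled for the account
            results.append({"region": region, "status": "error", "reason": str(exc)})
            continue
        results.append(evaluate_setting(setting, region, account_id))
    return results


# Constructed sample responses in the shape of the API's ServiceSetting object,
# so the evaluation can be exercised without AWS access (values are made up).
SAMPLE_OK = {
    "ARN": "arn:aws:ssm:us-east-1:111122223333:servicesetting" + SETTING_ID,
    "SettingId": SETTING_ID,
    "SettingValue": "Enable",
}
SAMPLE_ALARM = {**SAMPLE_OK, "SettingValue": "Disable"}
```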