More Info:

Ensure that all AWS Systems Manager (SSM) parameters that store sensitive information such as passwords, database strings and license codes are encrypted in order to meet security and compliance requirements. An encrypted SSM parameter (i.e. a configuration parameter with the type set to SecureString) is any sensitive data that needs to be stored and referenced in a secure manner. An encrypted SSM parameters can be used for the following scenarios:

Risk Level

Medium

Address

Security

Compliance Standards

HIPAA, GDPR, CISAWS, CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “SSM Parameters Should Be Encrypted” in AWS using the AWS console, you can follow the below steps:
  1. Open the AWS Management Console and navigate to the AWS Systems Manager console.
  2. Click on the “Parameter Store” option in the left-hand navigation menu.
  3. Select the parameter you want to encrypt and click on its name.
  4. Click on the “Edit” button at the top of the page.
  5. Check the “SecureString” option to encrypt the parameter.
  6. Click on the “Save changes” button.
After completing these steps, the selected parameter will be encrypted. You can repeat these steps for any other parameters that need to be encrypted.

To remediate the misconfiguration of SSM parameters not being encrypted in AWS using AWS CLI, follow these steps:
  1. Open the AWS CLI on your local machine.
  2. Check if the SSM parameters are encrypted or not using the following command: 
aws ssm get-parameters --names "parameter-name" --with-decryption
Replace “parameter-name” with the name of the SSM parameter you want to check.
  1. If the SSM parameter is not encrypted, encrypt it using the following command:
aws ssm put-parameter --name "parameter-name" --value "parameter-value" --type "SecureString" --key-id "alias/aws/ssm" --overwrite
Replace “parameter-name” with the name of the SSM parameter you want to encrypt, “parameter-value” with the value of the parameter, and “—key-id” with the KMS key ID to use for encryption. In this case, we are using the default AWS SSM KMS key.
  1. Verify that the SSM parameter is now encrypted by running the “get-parameters” command again with the “—with-decryption” flag.
aws ssm get-parameters --names "parameter-name" --with-decryption
This should return the value of the encrypted SSM parameter.
  1. Repeat steps 2-4 for all SSM parameters that are not encrypted.
By following these steps, you can remediate the misconfiguration of SSM parameters not being encrypted in AWS using AWS CLI.
To remediate the misconfiguration of SSM Parameters not being encrypted in AWS, you can follow these steps using Python:
  1. Install the AWS SDK for Python (Boto3) using pip.
pip install boto3
  1. Create an AWS session using the AWS access key and secret access key.
import boto3

session = boto3.Session(
    aws_access_key_id='YOUR_ACCESS_KEY',
    aws_secret_access_key='YOUR_SECRET_KEY'
)
  1. Create a boto3 client for the SSM service.
ssm_client = session.client('ssm')
  1. Use the describe_parameters() method to get a list of all the SSM parameters in the AWS account.
parameters = ssm_client.describe_parameters()
  1. Loop through the list of parameters and check if the KeyId attribute is present. If it is not present, it means that the parameter is not encrypted.
for parameter in parameters['Parameters']:
    if 'KeyId' not in parameter:
        # Parameter is not encrypted
  1. Use the update_parameter() method to encrypt the parameter. Set the KeyId parameter to the ARN of the KMS key to be used for encryption.
ssm_client.update_parameter(
    Name='PARAMETER_NAME',
    KeyId='KMS_KEY_ARN',
    Overwrite=True
)
  1. Repeat steps 5 and 6 for all the SSM parameters that are not encrypted.
By following these steps, you can remediate the misconfiguration of SSM parameters not being encrypted in AWS using Python.

Additional Reading: