SSM Parameters Should Be Encrypted

More Info:

Ensure that all AWS Systems Manager (SSM) parameters that store sensitive information such as passwords, database strings and license codes are encrypted in order to meet security and compliance requirements. An encrypted SSM parameter (i.e. a configuration parameter with the type set to SecureString) is any sensitive data that needs to be stored and referenced in a secure manner. An encrypted SSM parameters can be used for the following scenarios:

Risk Level

Medium

Address

Security

Compliance Standards

HIPAA, GDPR, CISAWS, CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration of SSM parameters not being encrypted in AWS using AWS CLI, follow these steps:

Open the AWS CLI on your local machine.
Check if the SSM parameters are encrypted or not using the following command:

aws ssm get-parameters --names "parameter-name" --with-decryption

Replace “parameter-name” with the name of the SSM parameter you want to check.

If the SSM parameter is not encrypted, encrypt it using the following command:

aws ssm put-parameter --name "parameter-name" --value "parameter-value" --type "SecureString" --key-id "alias/aws/ssm" --overwrite

Replace “parameter-name” with the name of the SSM parameter you want to encrypt, “parameter-value” with the value of the parameter, and “—key-id” with the KMS key ID to use for encryption. In this case, we are using the default AWS SSM KMS key.

Verify that the SSM parameter is now encrypted by running the “get-parameters” command again with the “—with-decryption” flag.

aws ssm get-parameters --names "parameter-name" --with-decryption

This should return the value of the encrypted SSM parameter.

Repeat steps 2-4 for all SSM parameters that are not encrypted.

By following these steps, you can remediate the misconfiguration of SSM parameters not being encrypted in AWS using AWS CLI.

Using Python

To remediate the misconfiguration of SSM Parameters not being encrypted in AWS, you can follow these steps using Python:

Install the AWS SDK for Python (Boto3) using pip.

pip install boto3

Create an AWS session using the AWS access key and secret access key.

import boto3

session = boto3.Session(
    aws_access_key_id='YOUR_ACCESS_KEY',
    aws_secret_access_key='YOUR_SECRET_KEY'
)

Create a boto3 client for the SSM service.

ssm_client = session.client('ssm')

Use the describe_parameters() method to get a list of all the SSM parameters in the AWS account.

parameters = ssm_client.describe_parameters()

Loop through the list of parameters and check if the KeyId attribute is present. If it is not present, it means that the parameter is not encrypted.

for parameter in parameters['Parameters']:
    if 'KeyId' not in parameter:
        # Parameter is not encrypted

Use the update_parameter() method to encrypt the parameter. Set the KeyId parameter to the ARN of the KMS key to be used for encryption.

ssm_client.update_parameter(
    Name='PARAMETER_NAME',
    KeyId='KMS_KEY_ARN',
    Overwrite=True
)

Repeat steps 5 and 6 for all the SSM parameters that are not encrypted.

By following these steps, you can remediate the misconfiguration of SSM parameters not being encrypted in AWS using Python.

Additional Reading:

https://docs.aws.amazon.com/kms/latest/developerguide/services-parameter-store.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

SSM Parameters Should Be Encrypted

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: