Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration “SSM Parameters Should Be Encrypted” in AWS using the AWS console, follow these steps:
- Open the AWS Management Console and navigate to the AWS Systems Manager console.
- Click on the “Parameter Store” option in the left-hand navigation menu.
- Select the parameter you want to encrypt and click on its name.
- Click on the “Edit” button at the top of the page.
- Check the “SecureString” option to encrypt the parameter.
- Click on the “Save changes” button.
Using CLI
To remediate the misconfiguration of SSM parameters not being encrypted in AWS using AWS CLI, follow these steps:
1. Open the AWS CLI on your local machine.
2. Check if the SSM parameters are encrypted or not using the following command:
   Replace “parameter-name” with the name of the SSM parameter you want to check.
3. If the SSM parameter is not encrypted, encrypt it using the following command:
   Replace “parameter-name” with the name of the SSM parameter you want to encrypt, “parameter-value” with the value of the parameter, and “--key-id” with the KMS key ID to use for encryption. In this case, we are using the default AWS SSM KMS key.
4. Verify that the SSM parameter is now encrypted by running the “get-parameters” command again with the “--with-decryption” flag.
   This should return the value of the encrypted SSM parameter.
5. Repeat steps 2-4 for all SSM parameters that are not encrypted.
Using Python
To remediate the misconfiguration of SSM Parameters not being encrypted in AWS, you can follow these steps using Python:
1. Install the AWS SDK for Python (Boto3) using pip.
2. Create an AWS session using the AWS access key and secret access key.
3. Create a boto3 client for the SSM service.
4. Use the describe_parameters() method to get a list of all the SSM parameters in the AWS account.
5. Loop through the list of parameters and check if the KeyId attribute is present. If it is not present, it means that the parameter is not encrypted.
6. Use the update_parameter() method to encrypt the parameter. Set the KeyId parameter to the ARN of the KMS key to be used for encryption.
7. Repeat steps 5 and 6 for all the SSM parameters that are not encrypted.
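The Python steps above as one script, added here as an example and not code from the original page. boto3's SSM client rewrites an existing parameter through put_parameter() with Overwrite=True, which is the call used here; the function names are hypothetical, and the script assumes credentials from boto3's default chain, the alias/aws/ssm key as the default, and that StringList parameters are left for manual review.

```python
"""Find plaintext SSM parameters and rewrite them as SecureString (added example)."""

DEFAULT_KEY = "alias/aws/ssm"  # AWS managed key for Parameter Store


def plaintext_parameters(ssm):
    """Return (convert, skipped) parameter names from describe_parameters."""
    convert, skipped = [], []
    for page in ssm.get_paginator("describe_parameters").paginate():
        for p in page["Parameters"]:
            if p["Type"] == "SecureString":  # only these entries carry a KeyId
                continue
            # A StringList is a comma-separated list type; converting it changes
            # the type consumers see, so it is reported instead of rewritten.
            (skipped if p["Type"] == "StringList" else convert).append(p["Name"])
    return convert, skipped


def encrypt_parameter(ssm, name, key_id=DEFAULT_KEY):
    """Rewrite one parameter as SecureString, then read it back to verify."""
    current = ssm.get_parameter(Name=name)["Parameter"]
    if current["Type"] == "SecureString":
        return False  # already encrypted since the listing was taken
    ssm.put_parameter(Name=name, Value=current["Value"], Type="SecureString",
                      KeyId=key_id, Overwrite=True)
    after = ssm.get_parameter(Name=name, WithDecryption=True)["Parameter"]
    if after["Type"] != "SecureString" or after["Value"] != current["Value"]:
        raise RuntimeError(f"{name}: verification failed after rewrite")
    return True


def remediate(ssm, key_id=DEFAULT_KEY, dry_run=True):
    """List plaintext parameters; rewrite them unless dry_run is set."""
    convert, skipped = plaintext_parameters(ssm)
    done = []
    if not dry_run:
        done = [n for n in convert if encrypt_parameter(ssm, n, key_id)]
    return {"plaintext": convert, "skipped_stringlist": skipped, "encrypted": done}


if __name__ == "__main__":
    import boto3  # imported here so the functions load without the SDK
    # Assumption: credentials and region come from boto3's default chain.
    print(remediate(boto3.client("ssm"), dry_run=True))
```

Overwriting creates a new parameter version; earlier versions keep their plaintext values in the parameter history.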