The Need to Protect Public AWS SSM Documents – What the Research Shows

submitted by
Style Pass
2021-05-24 15:30:06

AWS Systems Manager automates operational tasks across AWS resources by creating SSM documents. The SSM documents, created in JSON or YAML, contain the operations that an AWS Systems Manager will perform on the cloud assets. By default, SSM documents are private, but can be configured to be shared with other AWS accounts or publicly. AWS provides best practices for shared SSM documents.

The Check Point CloudGuard Research team analyzed SSM documents that their owners had configured to be shared publicly. The researchers found that some document authors had basic misconceptions about the service and were not using document parameters as AWS best practices recommend. As presented in this report, a misconfigured public SSM document can give an attacker valuable information about the account’s internal resources and operations. This not only serves as a basis for social engineering attacks, but can lead to the exposure of additional resources. The SSM document can provide an initial foothold into the victim’s environment and sometimes even grant an attacker a view into the account’s deployment processes, resources, and backup procedures.
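The two failure modes described above, a document shared with everyone and a document whose content embeds values that should have been parameters, can both be checked from the owning account. The script below is an added example and is not part of the original report or of any Check Point or AWS tooling. It walks an SSM document body (the JSON form; YAML documents would first need a YAML loader) and reports string values that look like account-specific data (account IDs, ARNs, S3 URIs, internal hostnames) sitting in the document instead of being referenced through `{{ parameter }}` placeholders, and it checks a sharing-permission response for the `all` principal that marks a public document. The sample document and the permission response are constructed for the example; the permission response only mimics the shape that `aws ssm describe-document-permission --permission-type Share` returns.

```python
import json
import re

# Constructed sample: a Command document with one proper parameter
# (bucketName) and several values that should also have been parameters.
SAMPLE_DOC = {
    "schemaVersion": "2.2",
    "description": "Nightly database backup (constructed sample document)",
    "parameters": {
        "bucketName": {"type": "String", "description": "Destination bucket"},
    },
    "mainSteps": [
        {
            "action": "aws:runShellScript",
            "name": "dumpDatabase",
            "inputs": {"runCommand": [
                "pg_dump -h db-prod-01.corp.internal -U backup app > /tmp/app.sql",
                "aws s3 cp /tmp/app.sql s3://{{ bucketName }}/nightly/",
            ]},
        },
        {
            "action": "aws:runShellScript",
            "name": "copyToDrSite",
            "inputs": {"runCommand": [
                "aws sts assume-role --role-arn arn:aws:iam::123456789012:role/BackupRole",
                "aws s3 sync s3://{{ bucketName }}/nightly/ s3://corp-dr-backups-123456789012/nightly/",
            ]},
        },
    ],
}

# Constructed sample shaped like the describe-document-permission response;
# the literal "all" means the document is shared publicly.
SAMPLE_PERMISSIONS = {"AccountIds": ["all"], "AccountSharingInfoList": []}

# Patterns for values that belong in a parameter, not in the document body.
# Order matters only for the order findings are reported in.
PATTERNS = [
    # 12-digit account id not already embedded in an ARN's "::id:" segment
    ("account_id", re.compile(r"(?<![\d:])\d{12}(?![\d:])")),
    ("arn", re.compile(r"arn:aws[a-z-]*:[^\s\"']+")),
    # an S3 URI with a literal bucket; "s3://{{ param }}" does not match
    ("s3_uri", re.compile(r"s3://[a-z0-9.-]+")),
    ("internal_host", re.compile(r"\b(?:[a-z0-9-]+\.)+(?:internal|local|corp|lan)\b")),
]


def _walk(node, path=""):
    """Yield (json_path, string_value) for every string leaf in the document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def find_hardcoded_values(document):
    """Return findings for account-specific literals embedded in the document."""
    findings = []
    for path, text in _walk(document):
        for kind, pattern in PATTERNS:
            for match in pattern.finditer(text):
                findings.append({"path": path, "kind": kind, "value": match.group(0)})
    return findings


def is_publicly_shared(permissions):
    """True when the Share permission list contains the public principal 'all'."""
    return "all" in permissions.get("AccountIds", [])


def audit(document, permissions):
    """Combine both checks into one summary dict for the document."""
    findings = find_hardcoded_values(document)
    public = is_publicly_shared(permissions)
    return {
        "public": public,
        "hardcoded_count": len(findings),
        "findings": findings,
        # public + embedded specifics is exactly the exposure the report describes
        "severity": "high" if public and findings else ("medium" if findings else "low"),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_DOC, SAMPLE_PERMISSIONS), indent=2))
```

In practice the document body comes from `aws ssm get-document --name <doc> --document-format JSON` and the permission response from `aws ssm describe-document-permission --name <doc> --permission-type Share`, looped over `aws ssm list-documents --filters Key=Owner,Values=Self`. A finding should be fixed by moving the value into the `parameters` section and referencing it as `{{ name }}`, after which the document can stay private or be shared only with specific account IDs; the account-level "block public sharing" service setting for SSM documents is the control that prevents the public case from recurring.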

During this research, CPR detected several SSM documents that led to the discovery of over five million Personally Identifiable Information (PII) records and credit card transactions for several companies. In total, Check Point researchers discovered over 3,000 public SSM documents that were potentially related to this trend. CPR worked with AWS Security to provide customers with the necessary guidelines to help make their business information more secure.