SSM Documents Set as Public
Overview
This check identifies AWS Systems Manager (SSM) documents that are shared publicly or with untrusted AWS accounts. SSM documents are automation runbooks that can contain scripts, configuration details, and potentially sensitive information. When documents are public, anyone on the internet can view their contents.
Risk
Public SSM documents pose significant security risks:
- Credential exposure: Documents may contain embedded secrets, API keys, or tokens
- Attack surface expansion: Adversaries can reverse-engineer your automation workflows
- Compliance violations: Sharing internal runbooks publicly may violate regulatory requirements
- Reconnaissance opportunity: Attackers can learn about your infrastructure and processes
This is rated as high severity because exposed documents can directly lead to credential compromise and downstream security incidents.
Remediation Steps
Prerequisites
You need:
- AWS Console access with permissions to manage SSM documents
- Knowledge of which AWS accounts (if any) should have legitimate access to your documents
AWS Console Method
Step 1: Enable account-level block on public sharing
- Open the AWS Systems Manager console
- In the left navigation, click Documents
- Click the Preferences tab
- Under Block public sharing, click Edit
- Select Block public sharing
- Click Save
This prevents any document in your account from being shared publicly going forward.
Step 2: Remove public access from existing documents
- In the SSM Documents console, click the Owned by me tab
- Select a document that is flagged as public
- Click the Permissions tab
- Click Edit
- Change the sharing setting from Public to Private
- If specific AWS accounts need access, add only those trusted account IDs
- Click Save
- Repeat for each public document
AWS CLI (optional)
Block public sharing at account level
aws ssm update-service-setting \
  --setting-id /ssm/documents/console/public-sharing-permission \
  --setting-value Disable \
  --region us-east-1
List your SSM documents
aws ssm list-documents \
  --filters Key=Owner,Values=Self \
  --region us-east-1 \
  --query 'DocumentIdentifiers[].Name' \
  --output table
Check permissions on a specific document
aws ssm describe-document-permission \
  --name <your-document-name> \
  --permission-type Share \
  --region us-east-1
If the output shows "All" in the AccountIds, the document is public.
Remove public access from a document
aws ssm modify-document-permission \
  --name <your-document-name> \
  --permission-type Share \
  --account-ids-to-remove All \
  --region us-east-1
Share with specific trusted accounts only (if needed)
aws ssm modify-document-permission \
  --name <your-document-name> \
  --permission-type Share \
  --account-ids-to-add 123456789012 987654321098 \
  --region us-east-1
CloudFormation (optional)
SSM documents created via CloudFormation are private by default. Simply omit any permissions configuration to keep them private.
AWSTemplateFormatVersion: '2010-09-09'
Description: Create a private SSM document (default behavior - no public sharing)
Resources:
  PrivateSSMDocument:
    Type: AWS::SSM::Document
    Properties:
      DocumentType: Command
      Name: MyPrivateRunbook
      Content:
        schemaVersion: '2.2'
        description: Example private SSM document
        mainSteps:
          - action: aws:runShellScript
            name: exampleCommand
            inputs:
              runCommand:
                - echo "Hello World"
      Tags:
        - Key: Environment
          Value: Production
Outputs:
  DocumentName:
    Description: Name of the SSM document
    Value: !Ref PrivateSSMDocument
Note: CloudFormation does not have a native resource for the account-level public sharing block setting. Use a Custom Resource with Lambda or apply the setting via AWS CLI separately.
Terraform (optional)
SSM documents in Terraform are private by default when no permissions are specified.
# SSM Document - Private by default (no permissions block = private)
resource "aws_ssm_document" "private_document" {
  name            = "MyPrivateRunbook"
  document_type   = "Command"
  document_format = "YAML"

  content = <<-DOC
    schemaVersion: '2.2'
    description: Example private SSM document
    mainSteps:
      - action: aws:runShellScript
        name: exampleCommand
        inputs:
          runCommand:
            - echo "Hello World"
  DOC

  tags = {
    Environment = "Production"
  }
}
To share with specific accounts only (not public):
resource "aws_ssm_document" "shared_document" {
  name            = "MySharedRunbook"
  document_type   = "Command"
  document_format = "YAML"

  content = <<-DOC
    schemaVersion: '2.2'
    description: Document shared with trusted accounts
    mainSteps:
      - action: aws:runShellScript
        name: exampleCommand
        inputs:
          runCommand:
            - echo "Hello World"
  DOC

  permissions = {
    type        = "Share"
    account_ids = "123456789012,987654321098" # Only trusted accounts
  }
}
Important: Never use account_ids = "all" as this makes the document public.
Verification
After remediation, verify your documents are no longer public:
- In the SSM Documents console, check the Permissions tab for each document you own
- Confirm the sharing setting shows Private or lists only specific trusted account IDs
- Verify the account-level block is enabled under Documents > Preferences
CLI verification commands
Verify account-level block is enabled
aws ssm get-service-setting \
  --setting-id /ssm/documents/console/public-sharing-permission \
  --region us-east-1
Expected output should show "SettingValue": "Disable".
Check a document's permissions
aws ssm describe-document-permission \
  --name <your-document-name> \
  --permission-type Share \
  --region us-east-1
The output should show an empty AccountIds list (private) or only specific trusted account IDs.
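The following audit script is an added example, not part of this document: it applies the checks from the CLI remediation steps and from these verification commands in one pass, classifying every document you own as public, shared with an untrusted account, or ok, and reporting whether the account-level block is on. It assumes boto3 and the us-east-1 region for the live path; the SAMPLE_PERMISSIONS data is constructed to stand in for describe-document-permission output (555555555555 is a made-up account ID).

```python
"""Audit SSM document sharing: flag public documents and a missing account-level block."""
from typing import Dict, Iterable, List

PUBLIC_SHARING_SETTING = "/ssm/documents/console/public-sharing-permission"


def classify_documents(permissions: Dict[str, Iterable[str]],
                       trusted_accounts: Iterable[str]) -> Dict[str, List[str]]:
    """Sort documents by their Share AccountIds: 'All' means public, any ID outside
    the trusted set means shared with an untrusted account, otherwise ok (private
    or trusted-only). Output lists are sorted by document name."""
    trusted = set(trusted_accounts)
    result: Dict[str, List[str]] = {"public": [], "untrusted": [], "ok": []}
    for name, account_ids in sorted(permissions.items()):
        ids = {a.strip() for a in account_ids}
        if any(a.lower() == "all" for a in ids):
            result["public"].append(name)
        elif ids - trusted:
            result["untrusted"].append(name)
        else:
            result["ok"].append(name)
    return result


def public_sharing_blocked(setting_value: str) -> bool:
    """get-service-setting returns 'Disable' when the account-level block is on."""
    return setting_value == "Disable"


def collect_permissions(ssm) -> Dict[str, List[str]]:
    """Walk the Owner=Self documents and fetch each one's Share permission (boto3 client)."""
    perms: Dict[str, List[str]] = {}
    pages = ssm.get_paginator("list_documents").paginate(
        Filters=[{"Key": "Owner", "Values": ["Self"]}])
    for page in pages:
        for doc in page["DocumentIdentifiers"]:
            resp = ssm.describe_document_permission(Name=doc["Name"], PermissionType="Share")
            perms[doc["Name"]] = resp.get("AccountIds", [])
    return perms


# Constructed sample standing in for describe-document-permission output.
SAMPLE_PERMISSIONS = {
    "LegacyBootstrap": ["All"],                         # public
    "DeployApp": ["123456789012", "555555555555"],      # one untrusted (made-up) account
    "PatchBaseline": ["123456789012", "987654321098"],  # trusted accounts only
    "MyPrivateRunbook": [],                             # private
}
TRUSTED_ACCOUNTS = ["123456789012", "987654321098"]

if __name__ == "__main__":
    import boto3  # only needed for a live audit against your account
    ssm = boto3.client("ssm", region_name="us-east-1")
    setting = ssm.get_service_setting(SettingId=PUBLIC_SHARING_SETTING)["ServiceSetting"]
    print("account-level block enabled:", public_sharing_blocked(setting["SettingValue"]))
    print(classify_documents(collect_permissions(ssm), TRUSTED_ACCOUNTS))
```

Any document landing in the public or untrusted list is a candidate for the modify-document-permission command above.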
Additional Resources
- AWS SSM Document Sharing Best Practices
- AWS SSM Document Permissions
- Block public sharing for SSM documents
Notes
- Review before sharing: Even when sharing with specific trusted accounts, review document contents to ensure no secrets or sensitive configuration is embedded
- Use parameter references: Instead of hardcoding sensitive values, use AWS Systems Manager Parameter Store (SecureString) or Secrets Manager references
- Audit regularly: Periodically review document permissions as part of your security hygiene
- Version control: When updating shared documents, consider the impact on accounts consuming those documents