AWS Security Hub - Detect SSM documents public sharing enabled
| Id | 0aa20f8c-b8e4-4a34-a5b8-8b2d9dd7d1c2 |
| Rulename | AWS Security Hub - Detect SSM documents public sharing enabled |
| Description | This query detects AWS accounts where public sharing is enabled, using AWS Security Hub control SSM.7 findings. Allowing public sharing of SSM documents can expose automation content and enable unauthorized execution or tampering. |
| Severity | High |
| Tactics | Execution |
| Techniques | T1059 |
| Required data connectors | AWSSecurityHub |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/SSMDocumentsPublicSharingEnabled.yaml |
| Version | 1.0.0 |
| Arm template | 0aa20f8c-b8e4-4a34-a5b8-8b2d9dd7d1c2.json |
AWSSecurityHubFindings
| where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
| where tostring(AwsSecurityFindingGeneratorId) == "security-control/SSM.7"
or tostring(ComplianceSecurityControlId) == "SSM.7"
| summarize TimeGenerated = max(TimeGenerated)
by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,
AwsSecurityFindingId, ComplianceSecurityControlId
name: AWS Security Hub - Detect SSM documents public sharing enabled
kind: Scheduled
id: 0aa20f8c-b8e4-4a34-a5b8-8b2d9dd7d1c2
requiredDataConnectors:
- connectorId: AWSSecurityHub
dataTypes:
- AWSSecurityHubFindings
severity: High
triggerThreshold: 0
version: 1.0.0
description: |
This query detects AWS accounts where public sharing is enabled, using AWS Security Hub control SSM.7 findings.
Allowing public sharing of SSM documents can expose automation content and enable unauthorized execution or tampering.
relevantTechniques:
- T1059
alertDetailsOverride:
alertDisplayNameFormat: AWS Account {{AwsAccountId}} SSM documents public sharing enabled
alertDescriptionFormat: AWS Account {{AwsAccountId}} has SSM documents with public sharing enabled. Disable public sharing setting to prevent unintended exposure of automation documents.
tags:
- AWS Foundational Security Best Practices v1.0.0
queryPeriod: 1h
tactics:
- Execution
customDetails:
FindingId: AwsSecurityFindingId
Region: AwsRegion
ComplianceControlId: ComplianceSecurityControlId
queryFrequency: 1h
entityMappings:
- fieldMappings:
- identifier: Name
columnName: AwsAccountId
- identifier: CloudAppAccountId
columnName: AwsAccountId
entityType: Account
status: Available
triggerOperator: gt
query: |
AWSSecurityHubFindings
| where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
| where tostring(AwsSecurityFindingGeneratorId) == "security-control/SSM.7"
or tostring(ComplianceSecurityControlId) == "SSM.7"
| summarize TimeGenerated = max(TimeGenerated)
by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,
AwsSecurityFindingId, ComplianceSecurityControlId
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/SSMDocumentsPublicSharingEnabled.yaml
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0aa20f8c-b8e4-4a34-a5b8-8b2d9dd7d1c2')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0aa20f8c-b8e4-4a34-a5b8-8b2d9dd7d1c2')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "AWS Account {{AwsAccountId}} has SSM documents with public sharing enabled. Disable public sharing setting to prevent unintended exposure of automation documents.",
"alertDisplayNameFormat": "AWS Account {{AwsAccountId}} SSM documents public sharing enabled"
},
"alertRuleTemplateName": "0aa20f8c-b8e4-4a34-a5b8-8b2d9dd7d1c2",
"customDetails": {
"ComplianceControlId": "ComplianceSecurityControlId",
"FindingId": "AwsSecurityFindingId",
"Region": "AwsRegion"
},
"description": "This query detects AWS accounts where public sharing is enabled, using AWS Security Hub control SSM.7 findings.\nAllowing public sharing of SSM documents can expose automation content and enable unauthorized execution or tampering.\n",
"displayName": "AWS Security Hub - Detect SSM documents public sharing enabled",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AwsAccountId",
"identifier": "Name"
},
{
"columnName": "AwsAccountId",
"identifier": "CloudAppAccountId"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/SSMDocumentsPublicSharingEnabled.yaml",
"query": "AWSSecurityHubFindings\n| where RecordState == \"ACTIVE\" and ComplianceStatus == \"FAILED\"\n| where tostring(AwsSecurityFindingGeneratorId) == \"security-control/SSM.7\"\n or tostring(ComplianceSecurityControlId) == \"SSM.7\"\n| summarize TimeGenerated = max(TimeGenerated)\n by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,\n AwsSecurityFindingId, ComplianceSecurityControlId\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Execution"
],
"tags": [
"AWS Foundational Security Best Practices v1.0.0"
],
"techniques": [
"T1059"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}