AWS Security Hub - Detect SSM documents public sharing enabled
| Id | 0aa20f8c-b8e4-4a34-a5b8-8b2d9dd7d1c2 |
| Rulename | AWS Security Hub - Detect SSM documents public sharing enabled |
| Description | This query detects AWS accounts where public sharing is enabled, using AWS Security Hub control SSM.7 findings. Allowing public sharing of SSM documents can expose automation content and enable unauthorized execution or tampering. |
| Severity | High |
| Tactics | Execution |
| Techniques | T1059 |
| Required data connectors | AWSSecurityHub |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/SSMDocumentsPublicSharingEnabled.yaml |
| Version | 1.0.0 |
| Arm template | 0aa20f8c-b8e4-4a34-a5b8-8b2d9dd7d1c2.json |
AWSSecurityHubFindings
| where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
| where tostring(AwsSecurityFindingGeneratorId) == "security-control/SSM.7"
or tostring(ComplianceSecurityControlId) == "SSM.7"
| summarize TimeGenerated = max(TimeGenerated)
by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,
AwsSecurityFindingId, ComplianceSecurityControlId
entityMappings:
- fieldMappings:
- columnName: AwsAccountId
identifier: Name
- columnName: AwsAccountId
identifier: CloudAppAccountId
entityType: Account
triggerThreshold: 0
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/SSMDocumentsPublicSharingEnabled.yaml
queryFrequency: 1h
status: Available
tags:
- AWS Foundational Security Best Practices v1.0.0
relevantTechniques:
- T1059
triggerOperator: gt
version: 1.0.0
kind: Scheduled
id: 0aa20f8c-b8e4-4a34-a5b8-8b2d9dd7d1c2
requiredDataConnectors:
- connectorId: AWSSecurityHub
dataTypes:
- AWSSecurityHubFindings
alertDetailsOverride:
alertDisplayNameFormat: AWS Account {{AwsAccountId}} SSM documents public sharing enabled
alertDescriptionFormat: AWS Account {{AwsAccountId}} has SSM documents with public sharing enabled. Disable public sharing setting to prevent unintended exposure of automation documents.
name: AWS Security Hub - Detect SSM documents public sharing enabled
description: |
This query detects AWS accounts where public sharing is enabled, using AWS Security Hub control SSM.7 findings.
Allowing public sharing of SSM documents can expose automation content and enable unauthorized execution or tampering.
query: |
AWSSecurityHubFindings
| where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
| where tostring(AwsSecurityFindingGeneratorId) == "security-control/SSM.7"
or tostring(ComplianceSecurityControlId) == "SSM.7"
| summarize TimeGenerated = max(TimeGenerated)
by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,
AwsSecurityFindingId, ComplianceSecurityControlId
tactics:
- Execution
queryPeriod: 1h
customDetails:
Region: AwsRegion
FindingId: AwsSecurityFindingId
ComplianceControlId: ComplianceSecurityControlId
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0aa20f8c-b8e4-4a34-a5b8-8b2d9dd7d1c2')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0aa20f8c-b8e4-4a34-a5b8-8b2d9dd7d1c2')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "AWS Account {{AwsAccountId}} has SSM documents with public sharing enabled. Disable public sharing setting to prevent unintended exposure of automation documents.",
"alertDisplayNameFormat": "AWS Account {{AwsAccountId}} SSM documents public sharing enabled"
},
"alertRuleTemplateName": "0aa20f8c-b8e4-4a34-a5b8-8b2d9dd7d1c2",
"customDetails": {
"ComplianceControlId": "ComplianceSecurityControlId",
"FindingId": "AwsSecurityFindingId",
"Region": "AwsRegion"
},
"description": "This query detects AWS accounts where public sharing is enabled, using AWS Security Hub control SSM.7 findings.\nAllowing public sharing of SSM documents can expose automation content and enable unauthorized execution or tampering.\n",
"displayName": "AWS Security Hub - Detect SSM documents public sharing enabled",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AwsAccountId",
"identifier": "Name"
},
{
"columnName": "AwsAccountId",
"identifier": "CloudAppAccountId"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/SSMDocumentsPublicSharingEnabled.yaml",
"query": "AWSSecurityHubFindings\n| where RecordState == \"ACTIVE\" and ComplianceStatus == \"FAILED\"\n| where tostring(AwsSecurityFindingGeneratorId) == \"security-control/SSM.7\"\n or tostring(ComplianceSecurityControlId) == \"SSM.7\"\n| summarize TimeGenerated = max(TimeGenerated)\n by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,\n AwsSecurityFindingId, ComplianceSecurityControlId\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Execution"
],
"tags": [
"AWS Foundational Security Best Practices v1.0.0"
],
"techniques": [
"T1059"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}