AWS Security Hub - Detect SSM documents public sharing enabled
| Id | 0aa20f8c-b8e4-4a34-a5b8-8b2d9dd7d1c2 |
| Rulename | AWS Security Hub - Detect SSM documents public sharing enabled |
| Description | This query detects AWS accounts where public sharing is enabled, using AWS Security Hub control SSM.7 findings. Allowing public sharing of SSM documents can expose automation content and enable unauthorized execution or tampering. |
| Severity | High |
| Tactics | Execution |
| Techniques | T1059 |
| Required data connectors | AWSSecurityHub |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/SSMDocumentsPublicSharingEnabled.yaml |
| Version | 1.0.0 |
| Arm template | 0aa20f8c-b8e4-4a34-a5b8-8b2d9dd7d1c2.json |
AWSSecurityHubFindings
| where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
| where tostring(AwsSecurityFindingGeneratorId) == "security-control/SSM.7"
or tostring(ComplianceSecurityControlId) == "SSM.7"
| summarize TimeGenerated = max(TimeGenerated)
by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,
AwsSecurityFindingId, ComplianceSecurityControlId
tactics:
- Execution
name: AWS Security Hub - Detect SSM documents public sharing enabled
id: 0aa20f8c-b8e4-4a34-a5b8-8b2d9dd7d1c2
requiredDataConnectors:
- connectorId: AWSSecurityHub
dataTypes:
- AWSSecurityHubFindings
query: |
AWSSecurityHubFindings
| where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
| where tostring(AwsSecurityFindingGeneratorId) == "security-control/SSM.7"
or tostring(ComplianceSecurityControlId) == "SSM.7"
| summarize TimeGenerated = max(TimeGenerated)
by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,
AwsSecurityFindingId, ComplianceSecurityControlId
relevantTechniques:
- T1059
description: |
This query detects AWS accounts where public sharing is enabled, using AWS Security Hub control SSM.7 findings.
Allowing public sharing of SSM documents can expose automation content and enable unauthorized execution or tampering.
triggerOperator: gt
queryPeriod: 1h
severity: High
entityMappings:
- fieldMappings:
- identifier: Name
columnName: AwsAccountId
- identifier: CloudAppAccountId
columnName: AwsAccountId
entityType: Account
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/SSMDocumentsPublicSharingEnabled.yaml
version: 1.0.0
alertDetailsOverride:
alertDisplayNameFormat: AWS Account {{AwsAccountId}} SSM documents public sharing enabled
alertDescriptionFormat: AWS Account {{AwsAccountId}} has SSM documents with public sharing enabled. Disable public sharing setting to prevent unintended exposure of automation documents.
triggerThreshold: 0
tags:
- AWS Foundational Security Best Practices v1.0.0
kind: Scheduled
queryFrequency: 1h
status: Available
customDetails:
ComplianceControlId: ComplianceSecurityControlId
Region: AwsRegion
FindingId: AwsSecurityFindingId
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0aa20f8c-b8e4-4a34-a5b8-8b2d9dd7d1c2')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0aa20f8c-b8e4-4a34-a5b8-8b2d9dd7d1c2')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "AWS Account {{AwsAccountId}} has SSM documents with public sharing enabled. Disable public sharing setting to prevent unintended exposure of automation documents.",
"alertDisplayNameFormat": "AWS Account {{AwsAccountId}} SSM documents public sharing enabled"
},
"alertRuleTemplateName": "0aa20f8c-b8e4-4a34-a5b8-8b2d9dd7d1c2",
"customDetails": {
"ComplianceControlId": "ComplianceSecurityControlId",
"FindingId": "AwsSecurityFindingId",
"Region": "AwsRegion"
},
"description": "This query detects AWS accounts where public sharing is enabled, using AWS Security Hub control SSM.7 findings.\nAllowing public sharing of SSM documents can expose automation content and enable unauthorized execution or tampering.\n",
"displayName": "AWS Security Hub - Detect SSM documents public sharing enabled",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AwsAccountId",
"identifier": "Name"
},
{
"columnName": "AwsAccountId",
"identifier": "CloudAppAccountId"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/SSMDocumentsPublicSharingEnabled.yaml",
"query": "AWSSecurityHubFindings\n| where RecordState == \"ACTIVE\" and ComplianceStatus == \"FAILED\"\n| where tostring(AwsSecurityFindingGeneratorId) == \"security-control/SSM.7\"\n or tostring(ComplianceSecurityControlId) == \"SSM.7\"\n| summarize TimeGenerated = max(TimeGenerated)\n by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,\n AwsSecurityFindingId, ComplianceSecurityControlId\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Execution"
],
"tags": [
"AWS Foundational Security Best Practices v1.0.0"
],
"techniques": [
"T1059"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}