Microsoft Sentinel Analytic Rules

AWS Security Hub - Detect SSM documents public sharing enabled

Id: 0aa20f8c-b8e4-4a34-a5b8-8b2d9dd7d1c2
Rulename: AWS Security Hub - Detect SSM documents public sharing enabled
Description: This query detects AWS accounts where public sharing of SSM documents is enabled, using AWS Security Hub control SSM.7 findings.

Allowing public sharing of SSM documents can expose automation content and enable unauthorized execution or tampering.
Severity: High
Tactics: Execution
Techniques: T1059
Required data connectors: AWSSecurityHub
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/SSMDocumentsPublicSharingEnabled.yaml
Version: 1.0.0
Arm template: 0aa20f8c-b8e4-4a34-a5b8-8b2d9dd7d1c2.json
// Active, currently failing Security Hub findings for control SSM.7
// (public sharing of SSM documents), matched either by the consolidated
// control id or by the finding's generator id. The summarize keeps one row
// per distinct combination of the grouping columns, carrying the latest
// TimeGenerated seen for it.
AWSSecurityHubFindings
| where RecordState == "ACTIVE"
| where ComplianceStatus == "FAILED"
| where tostring(ComplianceSecurityControlId) == "SSM.7"
    or tostring(AwsSecurityFindingGeneratorId) == "security-control/SSM.7"
| summarize TimeGenerated = max(TimeGenerated)
    by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,
       AwsSecurityFindingId, ComplianceSecurityControlId
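---
# Microsoft Sentinel scheduled analytic rule from the Azure-Sentinel
# "AWS Security Hub" solution (upstream file: see OriginalUri below).
# Alerts on AWS accounts that have an active, failing Security Hub control
# SSM.7 finding (SSM documents publicly shared).
id: 0aa20f8c-b8e4-4a34-a5b8-8b2d9dd7d1c2
name: AWS Security Hub - Detect SSM documents public sharing enabled
kind: Scheduled
# Quoted so no parser can reinterpret the version string.
version: '1.0.0'
status: Available
severity: High
# Literal block scalar (`|`): line breaks are kept and exactly one trailing
# newline is emitted. Lines inside it must carry no trailing spaces, because
# inside a block scalar those spaces become part of the value.
description: |
  This query detects AWS accounts where public sharing is enabled, using AWS Security Hub control SSM.7 findings.
  Allowing public sharing of SSM documents can expose automation content and enable unauthorized execution or tampering.
requiredDataConnectors:
- connectorId: AWSSecurityHub
  dataTypes:
  - AWSSecurityHubFindings
# Scheduling: run every hour over the preceding hour; alert when the query
# returns more than 0 rows.
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Execution
relevantTechniques:
- T1059
tags:
- AWS Foundational Security Best Practices v1.0.0
# Detection logic (KQL), again as a literal block scalar without trailing
# whitespace on any line.
query: |
  AWSSecurityHubFindings
  | where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
  | where tostring(AwsSecurityFindingGeneratorId) == "security-control/SSM.7"
        or tostring(ComplianceSecurityControlId) == "SSM.7"
  | summarize TimeGenerated = max(TimeGenerated)
      by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,
         AwsSecurityFindingId, ComplianceSecurityControlId
# The AwsAccountId query column is mapped to both identifiers of a single
# Account entity.
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AwsAccountId
    identifier: Name
  - columnName: AwsAccountId
    identifier: CloudAppAccountId
# Custom-detail name (key) -> query column it is taken from (value).
customDetails:
  ComplianceControlId: ComplianceSecurityControlId
  FindingId: AwsSecurityFindingId
  Region: AwsRegion
# {{AwsAccountId}} placeholders refer to the query column of that name.
alertDetailsOverride:
  alertDisplayNameFormat: AWS Account {{AwsAccountId}} SSM documents public sharing enabled
  alertDescriptionFormat: AWS Account {{AwsAccountId}} has SSM documents with public sharing enabled. Disable public sharing setting to prevent unintended exposure of automation documents.
# Upstream location of this rule definition.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/SSMDocumentsPublicSharingEnabled.yaml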
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0aa20f8c-b8e4-4a34-a5b8-8b2d9dd7d1c2')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0aa20f8c-b8e4-4a34-a5b8-8b2d9dd7d1c2')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "AWS Account {{AwsAccountId}} has SSM documents with public sharing enabled. Disable public sharing setting to prevent unintended exposure of automation documents.",
          "alertDisplayNameFormat": "AWS Account {{AwsAccountId}} SSM documents public sharing enabled"
        },
        "alertRuleTemplateName": "0aa20f8c-b8e4-4a34-a5b8-8b2d9dd7d1c2",
        "customDetails": {
          "ComplianceControlId": "ComplianceSecurityControlId",
          "FindingId": "AwsSecurityFindingId",
          "Region": "AwsRegion"
        },
        "description": "This query detects AWS accounts where public sharing is enabled, using AWS Security Hub control SSM.7 findings.\nAllowing public sharing of SSM documents can expose automation content and enable unauthorized execution or tampering.\n",
        "displayName": "AWS Security Hub - Detect SSM documents public sharing enabled",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AwsAccountId",
                "identifier": "Name"
              },
              {
                "columnName": "AwsAccountId",
                "identifier": "CloudAppAccountId"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/SSMDocumentsPublicSharingEnabled.yaml",
        "query": "AWSSecurityHubFindings\n| where RecordState == \"ACTIVE\" and ComplianceStatus == \"FAILED\"\n| where tostring(AwsSecurityFindingGeneratorId) == \"security-control/SSM.7\"\n      or tostring(ComplianceSecurityControlId) == \"SSM.7\"\n| summarize TimeGenerated = max(TimeGenerated)\n    by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,\n       AwsSecurityFindingId, ComplianceSecurityControlId\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "tags": [
          "AWS Foundational Security Best Practices v1.0.0"
        ],
        "techniques": [
          "T1059"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}