AWS SSM document modified to allow public access
Description
AlphaSOC detected that an AWS Systems Manager (SSM) document was made publicly
accessible through the ModifyDocumentPermission API call. SSM documents define
the actions that Systems Manager performs on managed instances, including
configuration management, patching, and automation tasks. When made public,
these documents can be accessed by anyone with an AWS account. Threat actors can
exploit publicly accessible SSM documents to gather intelligence about an
organization's infrastructure, automation workflows, and operational procedures,
potentially identifying vulnerabilities or preparing for targeted attacks.
Impact
Making SSM documents public exposes operational procedures and configuration details to unauthorized parties. This could reveal information about patch management schedules, software deployment methods, system configurations, or custom automation scripts. Adversaries could analyze this information to identify unpatched systems, understand security controls, and discover internal naming conventions. In severe cases, publicly exposed documents containing credentials or API keys could lead to direct system compromise.
Severity
| Severity | Condition |
|---|---|
| Medium | AWS SSM document modified to allow public access |
Investigation and Remediation
Review the SSM document that was made public and assess its contents for sensitive information. Verify whether this action was authorized. If unauthorized, revert the document to private access immediately. Conduct a comprehensive audit of all SSM documents to ensure appropriate access controls are in place.
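To support the authorization check above, the following added example (not AlphaSOC's detection code) triages CloudTrail records and lists successful ModifyDocumentPermission calls that shared a document with "all". The sample events are constructed, and the camelCase field names under requestParameters are an assumption about how CloudTrail records this call.

```python
"""Triage CloudTrail records for SSM documents that were shared publicly."""

def _param(params, name):
    # Assumption: requestParameters keys are camelCase; accept PascalCase too.
    return params.get(name, params.get(name[0].upper() + name[1:]))

def public_share_findings(events):
    """Return one finding per successful call that added 'all' to a document."""
    findings = []
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) != (
                "ssm.amazonaws.com", "ModifyDocumentPermission"):
            continue
        if ev.get("errorCode"):  # a denied or failed call changed nothing
            continue
        params = ev.get("requestParameters") or {}
        added = _param(params, "accountIdsToAdd") or []
        if isinstance(added, str):
            added = [added]
        if not any(str(a).lower() == "all" for a in added):
            continue  # shared with specific accounts, or a removal only
        findings.append({
            "document": _param(params, "name"),
            "actor": (ev.get("userIdentity") or {}).get("arn"),
            "source_ip": ev.get("sourceIPAddress"),
            "region": ev.get("awsRegion"),
            "time": ev.get("eventTime"),
        })
    return findings

def _sample(doc, actor, error=None, **params):
    # Constructed record: account IDs, names and IP are placeholders.
    ev = {"eventSource": "ssm.amazonaws.com", "awsRegion": "us-east-1",
          "eventName": "ModifyDocumentPermission",
          "eventTime": "2024-01-01T00:00:00Z", "sourceIPAddress": "198.51.100.7",
          "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{actor}"},
          "requestParameters": {"name": doc, "permissionType": "Share", **params}}
    if error:
        ev["errorCode"] = error
    return ev

SAMPLE_EVENTS = [
    _sample("Example-PatchRunbook", "alice", accountIdsToAdd=["all"]),
    _sample("Example-Deploy", "bob", accountIdsToAdd=["444455556666"]),
    _sample("Example-Secrets", "mallory", error="AccessDenied", accountIdsToAdd=["all"]),
    _sample("Example-PatchRunbook", "alice", accountIdsToRemove=["all"]),
    _sample("Example-Legacy", "carol", AccountIdsToAdd=["All"]),
]

if __name__ == "__main__":
    for finding in public_share_findings(SAMPLE_EVENTS):
        print(finding)
```

A finding records that a document was shared publicly at some point, not that it still is: the fourth sample record removes "all" again, so confirm the current state of each flagged document with `aws ssm describe-document-permission --name <document> --permission-type Share`.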