Corrective Controls for Public Resources (SSM Documents, EBS Snapshots)
I hope to come back and expand on this and give code examples for the resolution, but for the time being…
Let’s start with the recent discovery from Check Point:
- The Need to Protect Public AWS SSM Documents — What the Research Shows — Check Point Research
- Companies’ 5 Million Personal identifiable information records detected on an AWS service due to misconception of users
Preventative controls are typically preferred for enforcing security and configuration compliance. This can be achieved in AWS through IAM policies, resource policies, and service control policies, among more traditional controls.
Where preventative measures are not possible due to a required level of granularity in the use case, corrective controls provide another layer of the security solution.
SSM Documents, like EBS snapshots, can be made public. Because the API calls of interest have legitimate operational use cases, completely blocking these actions with preventative controls is not an option. In both cases there are API calls which can trigger evaluation of the event and make a decision to respond.
Within the SSM service, the `ModifyDocumentPermission` action is used to set the permissions for both sharing with specific accounts and making the document public. This action can be seen in CloudTrail and trigger an event response using EventBridge to run a Lambda function to evaluate and take corrective action if needed. Below is a portion of the event for `ModifyDocumentPermission`:
```json
"requestParameters": {
    "name": "<documentname>",
    "permissionType": "Share",
    "accountIdsToAdd": [
        "all"
    ],
    "accountIdsToRemove": []
},
```
The EventBridge rule should look for all `ModifyDocumentPermission` events. The target function should evaluate the event and take action to remove the `all` value.
Within the EC2 service, EBS snapshots can be set to Public or shared with specific accounts. Just like with SSM above, completely blocking the `ModifySnapshotAttribute` action, which is required to set the sharing settings, is not an option as a preventative control. The `ModifySnapshotAttribute` event contains the following:
```json
"requestParameters": {
    "snapshotId": "snap-abc123def456ghi",
    "createVolumePermission": {
        "add": {
            "items": [
                {
                    "group": "all"
                }
            ]
        }
    },
    "attributeType": "CREATE_VOLUME_PERMISSION"
}
```
As previously described, upon evaluation of all `ModifySnapshotAttribute` events, removing the group `all` using `ModifySnapshotAttribute` within the response function allows granular corrective steps for this potential misconfiguration.
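The evaluation step of the response function for both the SSM and EBS cases above, as an added example that is not the post's own code. EventBridge delivers the CloudTrail record under `event["detail"]`; `plan_remediation` is a pure function that decides whether the call added the `all` principal and which boto3 call undoes it, and `lambda_handler` (an assumed entry-point name) executes that plan. The sample events are constructed from the fields the post shows, and the `client_factory` parameter is an assumption added so the handler can be tested without AWS credentials.

```python
"""Corrective-control evaluation for public SSM documents and EBS snapshots.
The boto3 import is deferred so the module also loads where the SDK is absent."""

# Constructed sample events, trimmed to the fields shown in the CloudTrail records above.
SAMPLE_SSM_EVENT = {"detail": {
    "eventName": "ModifyDocumentPermission",
    "requestParameters": {"name": "ExampleDoc", "permissionType": "Share",
                          "accountIdsToAdd": ["all"], "accountIdsToRemove": []}}}
SAMPLE_EBS_EVENT = {"detail": {
    "eventName": "ModifySnapshotAttribute",
    "requestParameters": {"snapshotId": "snap-abc123def456ghi",
                          "createVolumePermission": {"add": {"items": [{"group": "all"}]}},
                          "attributeType": "CREATE_VOLUME_PERMISSION"}}}


def plan_remediation(event):
    """Return (service, api, kwargs) for the call that removes public access,
    or None when the event did not add 'all' (shares to specific accounts are left alone)."""
    detail = event.get("detail", {})
    params = detail.get("requestParameters") or {}
    name = detail.get("eventName")
    if name == "ModifyDocumentPermission":
        if params.get("permissionType") == "Share" and "all" in (params.get("accountIdsToAdd") or []):
            return ("ssm", "modify_document_permission",
                    {"Name": params["name"], "PermissionType": "Share", "AccountIdsToRemove": ["all"]})
    elif name == "ModifySnapshotAttribute":
        items = (((params.get("createVolumePermission") or {}).get("add") or {}).get("items") or [])
        if any(item.get("group") == "all" for item in items):
            return ("ec2", "modify_snapshot_attribute",
                    {"SnapshotId": params["snapshotId"], "Attribute": "createVolumePermission",
                     "OperationType": "remove", "GroupNames": ["all"]})
    return None


def lambda_handler(event, context=None, client_factory=None):
    """EventBridge entry point (assumed name). client_factory(service) is injectable
    for tests; by default a real boto3 client is built for the service in the plan."""
    plan = plan_remediation(event)
    if plan is None:
        return {"action": "none"}
    service, api, kwargs = plan
    if client_factory is None:
        import boto3  # deferred so the module imports without the SDK present
        client_factory = boto3.client
    getattr(client_factory(service), api)(**kwargs)  # issue the remove call
    return {"action": api, "resource": kwargs.get("Name") or kwargs.get("SnapshotId")}
```

The Lambda's execution role needs only `ssm:ModifyDocumentPermission` and `ec2:ModifySnapshotAttribute` on the resources it remediates.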
Misconfigurations from human error continue to plague companies of all sizes. Whenever preventative controls cannot be used as guardrails, automation of corrective controls is essential to remain secure while allowing innovation.