Corrective Controls for Public Resources (SSM Documents, EBS Snapshots)

I hope to come back and expand on this and give code examples for the resolution, but for the time being…

Let’s start with the recent discovery from Check Point:

Preventative controls are typically preferred for enforcing security and configuration compliance. This can be achieved in AWS through IAM policies, resource policies, and service control policies, among more traditional controls.

Where preventative measures are not possible due to a required level of granularity in the use case, corrective controls provide another layer of the security solution.

SSM Documents, like EBS snapshots, can be made public. Because the API calls of interest have legitimate operational use cases, completely blocking these actions with preventative controls is not an option. In both cases there are API calls which can trigger evaluation of the event and make a decision to respond.

Within the SSM service, the ModifyDocumentPermission action is used to set the permissions for both sharing with specific accounts and making the document public. This action can be seen in CloudTrail and trigger an event response using EventBridge to run a Lambda function to evaluate and take corrective action if needed. Below is a portion of the event for ModifyDocumentPermission:

"requestParameters": {
"name”: "<documentname>",
"permissionType": "Share",
"accountIdsToAdd": [
"accountIdsToRemove": []

The EventBridge rule should look for all ModifyDocumentPermission events. The target function should evaluate and take action to remove the all value.

Within the EC2 service, EBS snapshots can be set to Public or shared with specific accounts. Just like with SSM above, completely blocking the ModifySnapshotAttribute action, which is required to set the sharing settings, is not an option as a preventative control. The ModifySnapshotAttributeevent contains the following:

"requestParameters": {
"snapshotId": "snap-abc123def456ghi",
"createVolumePermission": {
"add": {
"items": [
"group": "all"

As previously described, upon evaluation of all ModifySnapshotAttribute events, removing the group all using ModifySnapshotAttribute within the response function will allow granular corrective steps for this potential misconfiguration.

Misconfigurations from human error continue to plague companies of all sizes. Whenever preventative controls are unable to be used as guardrails, automation of corrective controls are essential to remain secure while allowing innovation.




Modernizing companies’ AWS security and governance programs at scale.

Love podcasts or audiobooks? Learn on the go with our new app.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
John Byrd

John Byrd

Modernizing companies’ AWS security and governance programs at scale.

More from Medium

ETL for The Best Selling Jacket in Shopee

Using 360-Degree Images to Improve the Location Scouting Process: The Location Scout Assistant

My Proofpoint Internship Experience: Working on AWS Cost Optimization

It’s Time to Transform your CX with Cloud

CX with Cloud