
Data protection in Amazon Systems Manager

Data protection refers to protecting data while in transit (as it travels to and from Systems Manager) and at rest (while it's stored in Amazon data centers).

The Amazon shared responsibility model applies to data protection in Amazon Systems Manager. As described in this model, Amazon is responsible for protecting the global infrastructure that runs all of the Amazon Web Services Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. You are also responsible for the security configuration and management tasks for the Amazon Web Services that you use. For more information about data privacy, see the Data Privacy FAQ.

For data protection purposes, we recommend that you protect Amazon Web Services account credentials and set up individual users with Amazon IAM Identity Center or Amazon Identity and Access Management (IAM). That way, each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways:

  • Use multi-factor authentication (MFA) with each account.

  • Use SSL/TLS to communicate with Amazon resources. We require TLS 1.2 and recommend TLS 1.3.

  • Set up API and user activity logging with Amazon CloudTrail.

  • Use Amazon encryption solutions, along with all default security controls within Amazon Web Services.

  • Use advanced managed security services such as Amazon Macie, which assists in discovering and securing sensitive data that is stored in Amazon S3.

  • If you require FIPS 140-2 validated cryptographic modules when accessing Amazon through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see Federal Information Processing Standard (FIPS) 140-2.

We strongly recommend that you never put confidential or sensitive information, such as your customers' email addresses, into tags or free-form text fields such as a Name field. This includes when you work with Systems Manager or other Amazon Web Services using the console, API, Amazon CLI, or Amazon SDKs. Any data that you enter into tags or free-form text fields used for names may be used for billing or diagnostic logs. If you provide a URL to an external server, we strongly recommend that you do not include credential information in the URL to validate your request to that server.

Data encryption

Encryption at rest

Parameter Store parameters

The types of parameters you can create in Parameter Store, a capability of Amazon Systems Manager, include String, StringList, and SecureString.

To encrypt SecureString parameter values, Parameter Store uses an Amazon KMS key in Amazon Key Management Service (Amazon KMS). Amazon KMS uses either a customer managed key or an Amazon managed key to encrypt the parameter value in an Amazon managed database.

Important

Don't store sensitive data in a String or StringList parameter. For all sensitive data that must remain encrypted, use only the SecureString parameter type.

For more information, see What is a parameter? and Restricting access to Systems Manager parameters using IAM policies.
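As an added example (not code from this guide), the following audit applies the guidance above to the entries that ssm:DescribeParameters returns: it flags String and StringList parameters whose names suggest secret material, and optionally flags SecureString parameters that rely on the Amazon managed key instead of a customer managed key. The name heuristic, the sample parameter list and the `audit_live_account` helper are assumptions for illustration; the `alias/aws/ssm` key alias is the default alias Parameter Store uses when no customer managed key is specified.

```python
"""Audit Parameter Store entries against the SecureString guidance."""
from typing import Dict, Iterable, List

# Default alias used when a SecureString was created without a customer managed key.
AWS_MANAGED_SSM_KEY = "alias/aws/ssm"

# Heuristic name fragments that usually indicate secret material (assumption).
SENSITIVE_HINTS = ("password", "passwd", "secret", "token", "apikey", "api_key", "private")


def looks_sensitive(name: str) -> bool:
    """True when the parameter name suggests it holds a secret value."""
    lowered = name.lower()
    return any(hint in lowered for hint in SENSITIVE_HINTS)


def audit_parameters(params: Iterable[Dict], require_cmk: bool = False) -> List[Dict]:
    """Return one finding per parameter that violates the guidance.

    params: dicts shaped like the 'Parameters' entries of ssm:DescribeParameters
            (fields used: Name, Type, and KeyId for SecureString).
    require_cmk: also flag SecureString parameters protected only by the Amazon
            managed key rather than a customer managed key.
    """
    findings = []
    for p in params:
        name, ptype = p["Name"], p["Type"]
        if ptype in ("String", "StringList") and looks_sensitive(name):
            findings.append({"Name": name,
                             "Issue": f"sensitive-looking value stored as {ptype}; use SecureString"})
        elif (ptype == "SecureString" and require_cmk
              and p.get("KeyId", AWS_MANAGED_SSM_KEY) == AWS_MANAGED_SSM_KEY):
            findings.append({"Name": name,
                             "Issue": "SecureString uses the Amazon managed key; a customer managed key is required"})
    return findings


# Constructed sample in the DescribeParameters shape; not data from a real account.
SAMPLE_PARAMETERS = [
    {"Name": "/app/prod/db_password", "Type": "String"},
    {"Name": "/app/prod/api_token", "Type": "SecureString", "KeyId": "alias/aws/ssm"},
    {"Name": "/app/prod/signing_key", "Type": "SecureString", "KeyId": "alias/app-prod-ssm"},
    {"Name": "/app/prod/allowed_hosts", "Type": "StringList"},
]


def audit_live_account(require_cmk: bool = False) -> List[Dict]:
    """Run the same audit against the calling account (needs boto3 and ssm:DescribeParameters)."""
    import boto3  # imported here so the offline audit above needs no AWS SDK
    params = []
    for page in boto3.client("ssm").get_paginator("describe_parameters").paginate():
        params.extend(page["Parameters"])
    return audit_parameters(params, require_cmk)


if __name__ == "__main__":
    for f in audit_parameters(SAMPLE_PARAMETERS, require_cmk=True):
        print(f"{f['Name']}: {f['Issue']}")
```

Against the constructed sample, the default run reports only the String parameter, and `require_cmk=True` additionally reports the SecureString that still uses `alias/aws/ssm`.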

Content in S3 buckets

As part of your Systems Manager operations, you might choose to upload or store data in one or more Amazon Simple Storage Service (Amazon S3) buckets.

For information about S3 bucket encryption, see Protecting data using encryption and Data protection in Amazon S3 in the Amazon Simple Storage Service User Guide.

The following are types of data you can upload or have stored in S3 buckets as part of your Systems Manager activities:

  • The output of commands in Run Command, a capability of Amazon Systems Manager

  • Packages in Distributor, a capability of Amazon Systems Manager

  • Patching operation logs in Patch Manager, a capability of Amazon Systems Manager

  • Patch Manager patch override lists

  • Scripts or Ansible Playbooks to run in a runbook workflow in Automation, a capability of Amazon Systems Manager

  • Chef InSpec profiles for use with scans in Compliance, a capability of Amazon Systems Manager

  • Amazon CloudTrail logs

  • Session history logs in Session Manager, a capability of Amazon Systems Manager

  • Reports from Explorer, a capability of Amazon Systems Manager

  • OpsData from OpsCenter, a capability of Amazon Systems Manager

  • Amazon CloudFormation templates for use with Automation workflows

  • Compliance data from a resource data sync scan

  • Output of requests to create or edit an association in State Manager, a capability of Amazon Systems Manager, on managed nodes

  • Custom Systems Manager documents (SSM documents) that you can run using the Amazon managed SSM document AWS-RunDocument

CloudWatch Logs log groups

As part of your Systems Manager operations, you might choose to stream data to one or more Amazon CloudWatch Logs log groups.

For information about CloudWatch Logs log group encryption, see Encrypt log data in CloudWatch Logs using Amazon Key Management Service in the Amazon CloudWatch Logs User Guide.

The following are types of data you might have streamed to a CloudWatch Logs log group as part of your Systems Manager activities:

  • The output of Run Command commands

  • The output of scripts run using the aws:executeScript action in an Automation runbook

  • Session Manager session history logs

  • Logs from SSM Agent on your managed nodes

Encryption in transit

We recommend that you use an encryption protocol such as Transport Layer Security (TLS) to encrypt sensitive data in transit between clients and your nodes.

Systems Manager provides the following support for encryption of your data in transit.

Connections to Systems Manager API endpoints

Systems Manager API endpoints only support secure connections over HTTPS. When you manage Systems Manager resources with the Amazon Web Services Management Console, Amazon SDK, or the Systems Manager API, all communication is encrypted with Transport Layer Security (TLS). For a full list of API endpoints, see Amazon Web Service endpoints in the Amazon Web Services General Reference.

Managed instances

Amazon provides secure and private connectivity between Amazon Elastic Compute Cloud (Amazon EC2) instances. In addition, we automatically encrypt in-transit traffic between supported instances in the same virtual private cloud (VPC) or in peered VPCs, using AEAD algorithms with 256-bit encryption. This encryption feature uses the offload capabilities of the underlying hardware, and there is no impact on network performance. The supported instances are: C5n, G4, I3en, M5dn, M5n, P3dn, R5dn, and R5n.

Session Manager sessions

By default, Session Manager uses TLS 1.2 to encrypt session data transmitted between the local machines of users in your account and your EC2 instances. You can also choose to further encrypt the data in transit using an Amazon KMS key that has been created in Amazon KMS. Amazon KMS encryption is available for Standard_Stream, InteractiveCommands, and NonInteractiveCommands session types.

Run Command access

By default, remote access to your nodes using Run Command is encrypted using TLS 1.2, and requests to create a connection are signed using SigV4.

Internetwork traffic privacy

You can use Amazon Virtual Private Cloud (Amazon VPC) to create boundaries between resources in your managed nodes and control traffic between them, your on-premises network, and the internet. For details, see Create VPC endpoints.

For more information about Amazon Virtual Private Cloud security, see Internetwork traffic privacy in Amazon VPC in the Amazon VPC User Guide.