Data protection in Amazon Systems Manager - Amazon Systems Manager
Data encryptionInternetwork traffic privacy
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Data protection in Amazon Systems Manager

Data protection refers to protecting data while in transit (as it travels to and from Systems Manager) and at rest (while it's stored in Amazon data centers).

The Amazon shared responsibility model applies to data protection in Amazon Systems Manager. As described in this model, Amazon is responsible for protecting the global infrastructure that runs all of the Amazon Web Services Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. You are also responsible for the security configuration and management tasks for the Amazon Web Services services that you use. For more information about data privacy, see the Data Privacy FAQ.

For data protection purposes, we recommend that you protect Amazon Web Services account credentials and set up individual users with Amazon IAM Identity Center or Amazon Identity and Access Management (IAM). That way, each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways:

  • Use multi-factor authentication (MFA) with each account.

  • Use SSL/TLS to communicate with Amazon resources. We require TLS 1.2 and recommend TLS 1.3.

  • Set up API and user activity logging with Amazon CloudTrail. For information about using CloudTrail trails to capture Amazon activities, see Working with CloudTrail trails in the Amazon CloudTrail User Guide.

  • Use Amazon encryption solutions, along with all default security controls within Amazon Web Services services.

  • Use advanced managed security services such as Amazon Macie, which assists in discovering and securing sensitive data that is stored in Amazon S3.

  • If you require FIPS 140-3 validated cryptographic modules when accessing Amazon through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see Federal Information Processing Standard (FIPS) 140-3.

We strongly recommend that you never put confidential or sensitive information, such as your customers' email addresses, into tags or free-form text fields such as a Name field. This includes when you work with Systems Manager or other Amazon Web Services services using the console, API, Amazon CLI, or Amazon SDKs. Any data that you enter into tags or free-form text fields used for names may be used for billing or diagnostic logs. If you provide a URL to an external server, we strongly recommend that you do not include credentials information in the URL to validate your request to that server.

Data encryption

Encryption at rest

Parameter Store parameters

The types of parameters you can create in Parameter Store, a tool in Amazon Systems Manager, include String, StringList, and SecureString.

All parameters, regardless of their type, are encrypted both in transit and at rest. In transit, parameters are encrypted using transport layer security (TLS) to create a secure HTTPS connection for API requests. At rest, they are encrypted with an Amazon owned key in Amazon Key Management Service (Amazon KMS). For more information about Amazon owned key encryption, see Amazon owned keys in the Amazon Key Management Service Developer Guide .

The SecureString type offers additional encryption options and is recommended for all sensitive data. You can choose from the following types of Amazon KMS keys to encrypt and decrypt the value of a SecureString parameter:

  • The Amazon managed key for your account

  • A customer managed key (CMK) that you have created in your account

  • A CMK in another Amazon Web Services account that has been shared with you

For more information about Amazon KMS encryption, see the Amazon Key Management Service Developer Guide.

Content in S3 buckets

As part of your Systems Manager operations, you might choose to upload or store data in one or more Amazon Simple Storage Service (Amazon S3) buckets.

For information about S3 bucket encryption, see Protecting data using encryption and Data protection in Amazon S3 in the Amazon Simple Storage Service User Guide.

The following are types of data you can upload or have stored in S3 buckets as part of your Systems Manager activities:

  • The output of commands in Run Command, a tool in Amazon Systems Manager

  • Packages in Distributor, a tool in Amazon Systems Manager

  • Patching operation logs in Patch Manager, a tool in Amazon Systems Manager

  • Patch Manager patch override lists

  • Scripts or Ansible Playbooks to run in a runbook workflow in Automation, a tool in Amazon Systems Manager

  • Chef InSpec profiles for use with scans in Compliance, a tool in Amazon Systems Manager

  • Amazon CloudTrail logs

  • Session history logs in Session Manager, a tool in Amazon Systems Manager

  • Reports from Explorer, a tool in Amazon Systems Manager

  • OpsData from OpsCenter, a tool in Amazon Systems Manager

  • Amazon CloudFormation templates for use with Automation workflows

  • Compliance data from a resource data sync scan

  • Output of requests to create or edit association in State Manager, a tool in Amazon Systems Manager, on managed nodes

  • Custom Systems Manager documents (SSM documents) that you can run using the Amazon managed SSM document AWS-RunDocument

CloudWatch Logs log groups

As part of your Systems Manager operations, you might choose to stream data to one or more Amazon CloudWatch Logs log groups.

For information about CloudWatch Logs log group encryption, see Encrypt log data in CloudWatch Logs using Amazon Key Management Service in the Amazon CloudWatch Logs User Guide.

The following are types of data you might have streamed to a CloudWatch Logs log group as part of your Systems Manager activities:

  • The output of Run Command commands

  • The output of scripts run using the aws:executeScript action in an Automation runbook

  • Session Manager session history logs

  • Logs from SSM Agent on your managed nodes

Encryption in transit

We recommend that you use an encryption protocol such as Transport Layer Security (TLS) to encrypt sensitive data in transit between clients and your nodes.

Systems Manager provides the following support for encryption of your data in transit.

Connections to Systems Manager API endpoints

Systems Manager API endpoints only support secure connections over HTTPS. When you manage Systems Manager resources with the Amazon Web Services Management Console, Amazon SDK, or the Systems Manager API, all communication is encrypted with Transport Layer Security (TLS). For a full list of API endpoints, see Amazon Web Services service endpoints in the Amazon Web Services General Reference.

Managed instances

Amazon provides secure and private connectivity between Amazon Elastic Compute Cloud (Amazon EC2) instances. In addition, we automatically encrypt in-transit traffic between supported instances in the same virtual private cloud (VPC) or in peered VPCs, using AEAD algorithms with 256-bit encryption. This encryption feature uses the offload capabilities of the underlying hardware, and there is no impact on network performance. The supported instances are: C5n, G4, I3en, M5dn, M5n, P3dn, R5dn, and R5n.

Session Manager sessions

By default, Session Manager uses TLS 1.3 to encrypt session data transmitted between the local machines of users in your account and your EC2 instances. You can also choose to further encrypt the data in transit using an Amazon KMS key that has been created in Amazon KMS. Amazon KMS encryption is available for Standard_Stream, InteractiveCommands, and NonInteractiveCommands session types.

Run Command access

By default, remote access to your nodes using Run Command is encrypted using TLS 1.3, and requests to create a connection are signed using SigV4.

Internetwork traffic privacy

You can use Amazon Virtual Private Cloud (Amazon VPC) to create boundaries between resources in your managed nodes and control traffic between them, your on-premises network, and the internet. For details, see Improve the security of EC2 instances by using VPC endpoints for Systems Manager.

For more information about Amazon Virtual Private Cloud security, see Internetwork traffic privacy in Amazon VPC in the Amazon VPC User Guide.