Security best practices for Systems Manager

When granting permissions, you decide who is getting what permissions to which Systems Manager resources. You allow specific actions that you want to allow on those resources. Therefore you should grant only the permissions that are required to perform a task. Implementing least privilege access is fundamental in reducing security risk and the impact that could result from errors or malicious intent.

The following tools are available to implement least privilege access:

If you configure SSM Agent to use a proxy, use the no_proxy variable with the IP address of the Systems Manager instance metadata service to ensure that calls to Systems Manager don't take on the identity of the proxy service.

For more information, see Configuring SSM Agent to use a proxy (Linux) and Configure SSM Agent to use a proxy for Windows Server instances.

In Parameter Store, a capability of Amazon Systems Manager, a SecureString parameter is any sensitive data that needs to be stored and referenced in a secure manner. If you have data that you don't want users to alter or reference in plaintext, such as passwords or license keys, create those parameters using the SecureString data type. Parameter Store uses an Amazon KMS key in Amazon Key Management Service (Amazon KMS) to encrypt the parameter value. Amazon KMS uses either a customer managed key or an Amazon managed key when encrypting the parameter value. For maximum security, we recommend using your own KMS key. If you use the Amazon managed key, any user with permission to run the GetParameter and GetParameters actions in your account can view or retrieve the content of all SecureString parameters. If you're using customer managed keys to encrypt your secure SecureString values, you can use IAM policies and key policies to manage permissions for encrypting and decrypting parameters. It's more difficult to establish access control policies for these operations when you use the customer managed keys. For example, you if you use the Amazon managed key to encrypt SecureString parameters and don't want users to work with SecureString parameters, their IAM policies must explicitly deny access to the default key.

For more information, see Restricting access to Systems Manager parameters using IAM policies and How Amazon Systems Manager Parameter Store Uses Amazon KMS in the Amazon Key Management Service Developer Guide.

You can validate user input for parameters in Systems Manager documents (SSM documents) by defining allowedValues and allowedPattern. For allowedValues, you define an array of values allowed for the parameter. If a user inputs a value that isn't allowed, the execution fails to start. For allowedPattern, you define a regular expression that validates whether the user input matches the defined pattern for the parameter. If the user input doesn't match the allowed pattern, the execution fails to start.

For more information about allowedValues and allowedPattern, see Data elements and parameters.

Unless your use case requires public sharing to be allowed, we recommend turning on the block public sharing setting for your SSM documents in the Preferences section of the Systems Manager Documents console.

You can use Amazon VPC to launch Amazon resources into a virtual network that you've defined. This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of Amazon.

By implementing a VPC endpoint, you can privately connect your VPC to supported Amazon Web Services and VPC endpoint services powered by Amazon PrivateLink without requiring an internet gateway, NAT device, VPN connection, or Amazon Direct Connect connection. Instances in your VPC don't require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service doesn't leave the Amazon network.

For more information about Amazon VPC security, see Create VPC endpoints and Internetwork traffic privacy in Amazon VPC in the Amazon VPC User Guide.

Session Manager, a capability of Amazon Systems Manager, provides several methods for starting sessions to your managed nodes. For the most secure connections, you can require users to connect using the interactive commands method to limit user interaction to a specific command or command sequence. This helps you manage the interactive actions a user can take. For more information, see Starting a session (interactive and noninteractive commands).

For added security, you can limit Session Manager access to specific Amazon EC2 instances and specific Session Manager session documents. You grant or revoke Session Manager access in this way by using Amazon Identity and Access Management (IAM) policies. For more information, see Step 3: Control session access to managed nodes.

During a workflow in Automation, a capability of Amazon Systems Manager, your nodes might need permissions that are needed for that execution only but not for other Systems Manager operations. For example, an Automation workflow might require a node to call a particular API operation or access an Amazon resource specifically during the workflow. If these calls or resources are ones that you want to limit access to, you can provide temporary, supplemental permissions for your nodes within the Automation runbook itself instead of adding the permissions to your IAM instance profile. At the end of the Automation workflow, the temporary permissions are removed. For more information, see Providing temporary instance permissions with Amazon Systems Manager Automations on the Amazon Management and Governance Blog.

Amazon regularly releases updated versions of tools and plugins that you can use in your Amazon and Systems Manager operations. Keeping these resources up to date ensures that users and nodes in your account have access to the latest functionality and security features in these tools.

Identification of your IT assets is a crucial aspect of governance and security. You need to identify all of your Systems Manager resources to assess their security posture and take action on potential areas of weakness.

Use Tag Editor to identify security-sensitive or audit-sensitive resources, then use those tags when you need to search for these resources. For more information, see Find resources to tag in the Amazon Resource Groups User Guide.

Create resource groups for your Systems Manager resources. For more information, see What are resource groups?

Monitoring is an important part of maintaining the reliability, security, availability, and performance of Systems Manager and your Amazon solutions. Amazon CloudWatch provides several tools and services to help you monitor Systems Manager and your other Amazon Web Services. For more information, see Sending node logs to unified CloudWatch Logs (CloudWatch agent) and Monitoring Systems Manager events with Amazon EventBridge.

Amazon CloudTrail provides a record of actions taken by a user, role, or an Amazon Web Service in Systems Manager. Using the information collected by CloudTrail, you can determine the request that was made to Systems Manager, the IP address from which the request was made, who made the request, when it was made, and additional details. For more information, see Logging Amazon Systems Manager API calls with Amazon CloudTrail.

Amazon Config allows you to assess, audit, and evaluate the configurations of your Amazon resources. Amazon Config monitors resource configurations, allowing you to evaluate the recorded configurations against the required secure configurations. Using Amazon Config, you can review changes in configurations and relationships between Amazon resources, investigate detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This can help you simplify compliance auditing, security analysis, change management, and operational troubleshooting. For more information, see Setting Up Amazon Config with the Console in the Amazon Config Developer Guide. When specifying the resource types to record, ensure that you include Systems Manager resources.

You should regularly check security advisories posted in Trusted Advisor for your Amazon Web Services account. You can do this programmatically using describe-trusted-advisor-checks.

Further, actively monitor the primary email address registered to each of your Amazon Web Services accounts. Amazon will contact you, using this email address, about emerging security issues that might affect you.

Amazon operational issues with broad impact are posted on the Amazon Service Health Dashboard. Operational issues are also posted to individual accounts through the Personal Health Dashboard. For more information, see the Amazon Health Documentation.