Ensure that all AWS Systems Manager (SSM) parameters that store sensitive information such as passwords, database connection strings and license codes are encrypted in order to meet security and compliance requirements. An encrypted SSM parameter (i.e. a configuration parameter with its type set to SecureString) holds sensitive data that must be stored and referenced in a secure manner. Encrypted SSM parameters can be used in the following scenarios:
When you need to use data/parameters across multiple AWS services without exposing the values as clear text in commands, functions, agent logs or CloudTrail logs.
When you want to control who has access to your sensitive configuration data.
When you want AWS-level encryption for your sensitive configuration data and you want to bring your own encryption keys (i.e. Amazon KMS CMKs) to manage access.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS.
With encrypted AWS SSM parameters you can separate secrets and configuration data from code and common administration tasks while ensuring that only approved users have access to the protected parameter values.
Note: Only the value of the SSM parameter is encrypted. Parameter names, descriptions and other characteristics are not encrypted.
To determine if the SSM parameters that hold sensitive information are encrypted within your AWS account, perform the following actions:
To encrypt any existing AWS SSM parameters that store sensitive information, you need to re-create those parameters with the SecureString configuration type. To re-create the necessary Amazon SSM resources, perform the following:
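The following script is an added example (not part of the original rule page or of the Cloud Conformity tool) covering both the audit step above and the re-creation step: it flags parameters whose names suggest sensitive content but whose Type is not SecureString, and builds the PutParameter request used to re-create such a parameter as SecureString with a KMS key. The sensitive-name pattern, the sample parameter list and the CMK alias are assumptions you would adjust to your own naming conventions and key.

```python
import re
from typing import Iterable

# Name fragments that suggest a parameter holds sensitive data
# (assumption: tune this list to your own naming conventions).
SENSITIVE_NAME_PATTERN = re.compile(
    r"(password|passwd|secret|token|licen[cs]e|conn(ection)?[-_]?str|db[-_]?url|api[-_]?key)",
    re.IGNORECASE,
)


def find_unencrypted_sensitive(parameters: Iterable[dict]) -> list:
    """Return parameters whose name looks sensitive but whose Type is not SecureString.

    `parameters` are entries shaped like the SSM DescribeParameters response
    (keys: Name, Type, and KeyId for SecureString parameters)."""
    findings = []
    for p in parameters:
        if p.get("Type") != "SecureString" and SENSITIVE_NAME_PATTERN.search(p["Name"]):
            findings.append({"Name": p["Name"], "Type": p.get("Type")})
    return findings


def secure_string_put_request(name: str, value: str, key_id: str = "alias/aws/ssm") -> dict:
    """Build the PutParameter call that re-creates a parameter as SecureString.

    key_id defaults to the AWS-managed SSM key; pass your own KMS CMK id or alias
    to control access with a key you manage. Overwrite is False because the rule
    remediation re-creates the parameter rather than updating it in place."""
    return {"Name": name, "Value": value, "Type": "SecureString",
            "KeyId": key_id, "Overwrite": False}


# Constructed sample mimicking DescribeParameters output (not real account data).
SAMPLE_PARAMETERS = [
    {"Name": "/prod/db/password", "Type": "String"},
    {"Name": "/prod/db/host", "Type": "String"},
    {"Name": "/prod/app/license-code", "Type": "StringList"},
    {"Name": "/prod/api/token", "Type": "SecureString", "KeyId": "alias/aws/ssm"},
]

if __name__ == "__main__":
    # Offline run over the constructed sample. To audit a real account, feed in
    # the "Parameters" entries from each page of boto3's
    # ssm.get_paginator("describe_parameters").paginate().
    for finding in find_unencrypted_sensitive(SAMPLE_PARAMETERS):
        print(f"NOT ENCRYPTED: {finding['Name']} (Type={finding['Type']})")
        print("  re-create with:", secure_string_put_request(finding["Name"], "<new value>"))
```

Only the parameter value is protected by SecureString, so the name-based heuristic here is exactly what an auditor has to rely on when scanning DescribeParameters output.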