AWS Security Hub - Detect SSM documents public sharing enabled

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

---

This query detects AWS accounts where public sharing is enabled, using AWS Security Hub control SSM.7 findings. Allowing public sharing of SSM documents can expose automation content and enable unauthorized execution or tampering.

Attribute	Value
Type	Analytic Rule
Solution	AWS Security Hub
ID	0aa20f8c-b8e4-4a34-a5b8-8b2d9dd7d1c2
Severity	High
Status	Available
Kind	Scheduled
Tactics	Execution
Techniques	T1059
Required Connectors	AWSSecurityHub
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
AWSSecurityHubFindings	ComplianceStatus == "FAILED" RecordState == "ACTIVE"	✓	✓	✓

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Analytic Rules · Back to AWS Security Hub