SSM insecure parameters
Check ID: aws-ssm-002
AWS-SSM-002 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. Checks for SSM parameters with secret-like names (password, api_key, token, etc.) that are stored as plain String instead of SecureString.
Why it matters
SSM parameters stored as the String type are not encrypted at rest or in transit within Parameter Store. Anyone with the ssm:GetParameter permission, a common permission included in many IAM policies, can read the plaintext value, including secrets such as database passwords, API keys, and tokens. CloudTrail will show the GetParameter call, but for String parameters the value itself is logged in plaintext. SecureString parameters use KMS encryption, so values are encrypted at rest and can only be decrypted by principals that hold both ssm:GetParameter and kms:Decrypt on the associated KMS key. Migration is simple: read the current value and write it back as SecureString under the same parameter name using the overwrite flag.
Common causes
Parameters end up stored as plain String because the SSM PutParameter API defaults to the String type, so engineers must explicitly specify SecureString. Teams migrating configuration from .env files or config maps into Parameter Store often use the same type for every value without distinguishing secrets from non-sensitive config. Some engineers avoid SecureString because it requires KMS permissions, which add complexity to the IAM policies of the applications consuming the parameters.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R
The -R flag includes remediation details for every finding, including this one.
Remediation: AWS CLI
VALUE=$(aws ssm get-parameter --name '/param/name' --with-decryption --query 'Parameter.Value' --output text --region REGION)
aws ssm put-parameter --name '/param/name' --value "$VALUE" --type SecureString --overwrite --region REGION
Remediation: Terraform
resource "aws_ssm_parameter" "secret" {
  name  = "/param/name"
  type  = "SecureString"
  value = var.secret_value
}
This check is part of cloud-audit - install with pip install cloud-audit
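As an added example (not cloud-audit's own code), the following boto3 script applies the check and the CLI remediation above in one pass: it lists the parameters in a region, flags String-typed ones whose names match an assumed list of secret-like fragments, and re-writes each one as SecureString under the same name. The name patterns and function names are assumptions; cloud-audit's own matching rules may differ.

```python
"""Flag SSM parameters with secret-like names stored as String, and migrate them."""
import re

# Assumed name fragments that suggest a secret; cloud-audit's own rules may differ.
SECRET_NAME = re.compile(
    r"password|passwd|secret|api[_-]?key|access[_-]?key|private[_-]?key|token|credential",
    re.IGNORECASE,
)


def is_secret_like(name: str) -> bool:
    """True when the parameter name suggests it holds a secret."""
    return SECRET_NAME.search(name) is not None


def find_insecure_parameters(parameters: list) -> list:
    """Names of String-typed parameters that look like secrets.

    Each entry is shaped like a DescribeParameters result ('Name', 'Type', ...).
    """
    return sorted(
        p["Name"] for p in parameters
        if p.get("Type") == "String" and is_secret_like(p["Name"])
    )


def migrate_to_securestring(ssm, name: str) -> None:
    """Re-write one parameter as SecureString, same name and value (the CLI steps above).

    `ssm` is a boto3 SSM client, or any object exposing the same two methods.
    """
    value = ssm.get_parameter(Name=name, WithDecryption=True)["Parameter"]["Value"]
    ssm.put_parameter(Name=name, Value=value, Type="SecureString", Overwrite=True)


def scan_region(ssm) -> list:
    """Walk every parameter in the client's region and return the insecure ones."""
    found = []
    for page in ssm.get_paginator("describe_parameters").paginate():
        found.extend(page["Parameters"])
    return find_insecure_parameters(found)


if __name__ == "__main__":
    import boto3  # only needed for a live scan; region comes from your AWS config

    client = boto3.client("ssm")
    for param_name in scan_region(client):
        print("migrating", param_name, "to SecureString")
        migrate_to_securestring(client, param_name)
```

Run it with credentials that can call ssm:DescribeParameters, ssm:GetParameter and ssm:PutParameter; without a KeyId the SecureString write uses the AWS-managed SSM key.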