Compliance · Critical severity

AWS Security Hub · SSM

SSM.7: SSM documents can be shared publicly

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub SSM.7 check?

SSM.7 evaluates the account-level block-public-sharing setting for Systems Manager documents and fails when it is off. The setting is regional, so it is checked per account and per region. With the setting enabled, the account cannot share any SSM document publicly in that region, regardless of an individual document's permissions.

Why does SSM.7 matter?

Where SSM.4 catches documents that are already public, SSM.7 is the preventive guardrail that stops the next one. Without it, a single misconfigured Permissions value can expose a runbook's full body — internal hostnames, role names, bucket paths — to anyone with an AWS account. Turning on the block makes public sharing fail closed across the whole account rather than relying on per-document hygiene.

How do I fix SSM.7?

  1. Confirm that no current document genuinely needs to stay public, and clear any existing public shares first; an existing public share conflicts with the block.
  2. Enable the block-public-sharing account setting for SSM documents in every region the account uses (the setting is regional).
  3. Roll the setting out to every account with org-wide automation, and add an SCP that denies changes to the setting (the ssm:UpdateServiceSetting action) so it cannot be turned back off.
  4. Pair it with SSM.4 monitoring so any document that was already public is caught and revoked.
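The following script is an added example, not Emnode's page code, that carries out steps 2 and the verification part of step 3 from the CLI: it reads the block-public-sharing setting in each region, enables it where it is off, and re-reads it to confirm. It assumes AWS CLI v2 with credentials allowed to call ssm:GetServiceSetting, ssm:UpdateServiceSetting and ec2:DescribeRegions; the setting ID /ssm/documents/console/public-sharing-permission and the values Enable/Disable are the documented ones (note the inversion: SettingValue "Disable" means public sharing is blocked, which is the SSM.7 pass state). DRY_RUN=1 prints the write commands instead of running them, and REGIONS="us-east-1 eu-west-1" skips the region lookup.

```bash
#!/usr/bin/env bash
# Added example (not from the Emnode page): enable SSM block-public-sharing in
# every region of one account and verify the result. Assumes AWS CLI v2 and
# credentials with ssm:GetServiceSetting, ssm:UpdateServiceSetting and
# ec2:DescribeRegions. DRY_RUN=1 only prints the update commands.
set -euo pipefail

SETTING_ID="/ssm/documents/console/public-sharing-permission"
DRY_RUN="${DRY_RUN:-0}"

# Run an aws command, or print it when DRY_RUN=1.
run_aws() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY-RUN: aws %s\n' "$*"
  else
    aws "$@"
  fi
}

# Map the SettingValue returned by get-service-setting to the SSM.7 outcome.
# "Disable" = public sharing is blocked (PASS); "Enable" = allowed (FAIL).
ssm7_status() {
  case "$1" in
    Disable) echo "PASS" ;;
    Enable)  echo "FAIL" ;;
    *)       echo "UNKNOWN" ;;
  esac
}

# Build the exact update-service-setting invocation for one region as a string,
# kept separate so it can be reviewed or tested without calling AWS.
enable_block_cmd() {
  printf 'ssm update-service-setting --region %s --setting-id %s --setting-value Disable' \
    "$1" "$SETTING_ID"
}

# Read the current SettingValue for one region; empty in dry-run or on failure.
current_value() {
  if [ "$DRY_RUN" = "1" ]; then
    return 0
  fi
  aws ssm get-service-setting --region "$1" --setting-id "$SETTING_ID" \
    --query 'ServiceSetting.SettingValue' --output text 2>/dev/null || true
}

# Enable the block in one region unless it is already on, then re-read it.
remediate_region() {
  local region="$1" before after
  before="$(current_value "$region")"
  if [ "$(ssm7_status "$before")" = "PASS" ]; then
    echo "$region: already blocked"
    return 0
  fi
  # shellcheck disable=SC2046
  run_aws $(enable_block_cmd "$region")
  after="$(current_value "$region")"
  echo "$region: $(ssm7_status "$after") (was: ${before:-unknown})"
}

main() {
  local regions r
  # Only regions enabled for this account; disabled opt-in regions would error.
  # Set REGIONS explicitly to skip the lookup (useful with DRY_RUN=1).
  regions="${REGIONS:-$(aws ec2 describe-regions --query 'Regions[].RegionName' --output text)}"
  for r in $regions; do
    remediate_region "$r"
  done
}

# Run only when invoked with --apply, so the functions can be sourced for tests.
if [ "${1:-}" = "--apply" ]; then
  main
fi
```

Run it as `DRY_RUN=1 REGIONS="us-east-1 eu-west-1" ./ssm7-enable.sh --apply` first to see the exact commands, then without DRY_RUN. A region that already reports PASS is left alone, so the script is safe to re-run from a scheduler or from org-wide automation in each member account.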

Remediation script · bash (generic public-exposure cleanup from the lesson linked below; it does not change the SSM document setting)

# Generic public-exposure cleanup from the lesson "Block public access to AWS
# resources". It does not touch the SSM block-public-sharing setting; it closes
# the two exposures that hurt most first.
set -euo pipefail

# Databases: remove PubliclyAccessible from every RDS instance that has it.
for db in $(aws rds describe-db-instances \
    --query 'DBInstances[?PubliclyAccessible==`true`].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --no-publicly-accessible --apply-immediately
  echo "$db: public access removed"
done

# S3: ratchet the account-level public access block shut so no bucket can be
# made public again. 123456789012 is a placeholder account ID.
aws s3control put-public-access-block --account-id 123456789012 \
  --public-access-block-configuration \
    'BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true'

Full walkthrough (console steps, edge cases and verification) in the lesson Block public access to AWS resources.

Is SSM.7 a false positive?

Rarely. Enabling the block while a document is still shared publicly can surface errors, so clear any existing public shares (the SSM.4 condition) before turning the account-wide block on. A finding in a region the account never uses is still a real finding: the setting is regional, so enable it there too rather than suppressing the control.
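The pre-flight check described above, as an added example that is not part of the original page: it lists the documents this account owns in one region, reports which ones are shared publicly, and with REVOKE=1 removes the public share so the account-wide block can be enabled without conflict. It assumes AWS CLI v2 with ssm:ListDocuments, ssm:DescribeDocumentPermission and ssm:ModifyDocumentPermission, and that a public share shows up in the Share permission list as the pseudo account ID "all" (matched case-insensitively here as a precaution). The default region us-east-1 and the DRY_RUN switch are assumptions of this script.

```bash
#!/usr/bin/env bash
# Added example (not from the Emnode page): find SSM documents shared publicly
# in one region and optionally revoke the public share. Assumes AWS CLI v2 with
# ssm:ListDocuments, ssm:DescribeDocumentPermission and
# ssm:ModifyDocumentPermission. DRY_RUN=1 prints the revocation commands only;
# the read-only list and describe calls still run.
set -euo pipefail

DRY_RUN="${DRY_RUN:-0}"
REGION="${AWS_REGION:-us-east-1}"   # assumed default region

run_aws() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY-RUN: aws %s\n' "$*"
  else
    aws "$@"
  fi
}

# Classify a whitespace-separated AccountIds list (as returned by
# describe-document-permission --output text) as "public" or "private".
# Assumption: the public share appears as the pseudo account ID "all".
share_scope() {
  local id
  for id in $1; do
    case "$id" in
      [Aa][Ll][Ll]) echo "public"; return 0 ;;
    esac
  done
  echo "private"
}

# The exact revocation command for one document, built as a string for review.
unshare_cmd() {
  printf 'ssm modify-document-permission --region %s --name %s --permission-type Share --account-ids-to-remove all' \
    "$REGION" "$1"
}

# Fetch the Share permission list for one document (empty on failure).
share_list() {
  aws ssm describe-document-permission --region "$REGION" --name "$1" \
    --permission-type Share --query 'AccountIds' --output text 2>/dev/null || true
}

# Report every publicly shared document owned by this account; revoke when
# REVOKE=1. Exits non-zero if any public document was found, so the caller
# knows the block must not be enabled yet.
audit_public_documents() {
  local docs name scope found=0
  docs="$(aws ssm list-documents --region "$REGION" \
    --filters Key=Owner,Values=Self --query 'DocumentIdentifiers[].Name' --output text)"
  for name in $docs; do
    scope="$(share_scope "$(share_list "$name")")"
    if [ "$scope" = "public" ]; then
      found=$((found + 1))
      echo "PUBLIC: $name"
      if [ "${REVOKE:-0}" = "1" ]; then
        # shellcheck disable=SC2046
        run_aws $(unshare_cmd "$name")
      fi
    fi
  done
  echo "public documents found: $found"
  [ "$found" -eq 0 ]
}

# Run only when invoked with --run, so the functions can be sourced for tests.
if [ "${1:-}" = "--run" ]; then
  audit_public_documents
fi
```

Run `./ssm4-preflight.sh --run` in each region before enabling the block; a non-zero exit means at least one document is still public. `REVOKE=1 DRY_RUN=1 ./ssm4-preflight.sh --run` shows the exact modify-document-permission calls that would be made, and dropping DRY_RUN executes them.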

Part of the learning path Trim your network spend
  • SSM.1 Instances are not managed by Systems Manager, so no patching or audit
  • SSM.2 Instances are missing security patches
  • SSM.3 SSM associations are non-compliant
  • SSM.4 SSM documents are shared publicly
  • SSM.6 SSM Automation runs are not logged