When creating an aws_ssm_document with document_type "Session", session data should be encrypted in transit to protect sensitive information from interception or exposure. If the encryption-related inputs are omitted ("s3EncryptionEnabled": true, "cloudWatchEncryptionEnabled": true, and a KMS key specified with "kmsKeyId"), data can be transferred unencrypted between AWS resources and users, increasing the risk of unauthorized access or data leakage. Enforcing encryption for SSM Session Manager sessions mitigates these risks by securing data transport and restricting who can view session content.
A secure Terraform configuration looks like the following:
resource "aws_ssm_document" "negative" {
  name          = "test_document"
  document_type = "Session"
  content       = <<DOC
{
  "schemaVersion": "1.2",
  "description": "Check ip configuration of a Linux instance.",
  "inputs": {
    "s3EncryptionEnabled": true,
    "cloudWatchEncryptionEnabled": true,
    "cloudWatchStreamingEnabled": true,
    "runAsEnabled": false,
    "kmsKeyId": "${var.kms_key_id}"
  }
}
DOC
}
Non-Compliant Code Examples
resource "aws_ssm_document" "positive1" {
  name          = "test_document"
  document_type = "Session"
  content       = <<DOC
{
  "schemaVersion": "1.2",
  "description": "Check ip configuration of a Linux instance."
}
DOC
}
resource "aws_ssm_document" "positive2" {
  name          = "test_document"
  document_type = "Session"
  content       = <<DOC
{
  "schemaVersion": "1.2",
  "description": "Check ip configuration of a Linux instance.",
  "inputs": {
    "s3EncryptionEnabled": true,
    "cloudWatchEncryptionEnabled": true,
    "cloudWatchStreamingEnabled": true,
    "runAsEnabled": false
  }
}
DOC
}
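The following Python script is an added example, not Datadog's rule implementation, showing how a static check for this rule can be applied to the document content of each aws_ssm_document. It parses the JSON heredoc body, skips resources whose document_type is not "Session", and reports which of the three encryption settings from the rule description are missing. The sample contents mirror the compliant and non-compliant examples above; the raw "${var.kms_key_id}" interpolation is treated as "a key is specified", since a static scan runs before Terraform resolves variables. Resource names and the finding wording are assumptions for the example.

```python
import json
from typing import Any

# Inputs the rule requires to be literally true in the Session document.
REQUIRED_TRUE = ("s3EncryptionEnabled", "cloudWatchEncryptionEnabled")


def check_session_document(document_type: str, content: str) -> list[str]:
    """Return a list of findings for one aws_ssm_document; empty means compliant.

    Only documents with document_type == "Session" are in scope, matching
    the rule text. Any other type returns no findings.
    """
    if document_type != "Session":
        return []
    try:
        doc: dict[str, Any] = json.loads(content)
    except json.JSONDecodeError as exc:
        # Unparseable content cannot be proven compliant, so report it.
        return [f"content is not valid JSON: {exc.msg}"]

    inputs = doc.get("inputs")
    if not isinstance(inputs, dict):
        return ["missing 'inputs' block: no encryption settings configured"]

    findings: list[str] = []
    for key in REQUIRED_TRUE:
        # 'is not True' rejects missing keys, false, and truthy strings like "true".
        if inputs.get(key) is not True:
            findings.append(f"'{key}' is not set to true")

    kms_key = inputs.get("kmsKeyId")
    # A raw Terraform interpolation such as "${var.kms_key_id}" is a non-empty
    # string here; the static check only needs to know a key was specified.
    if not isinstance(kms_key, str) or not kms_key.strip():
        findings.append("'kmsKeyId' is missing or empty: session data is not KMS-encrypted")
    return findings


def scan(resources: dict[str, tuple[str, str]]) -> dict[str, list[str]]:
    """Map resource name -> findings, keeping only non-compliant resources."""
    report: dict[str, list[str]] = {}
    for name, (document_type, content) in resources.items():
        findings = check_session_document(document_type, content)
        if findings:
            report[name] = findings
    return report


# Constructed sample inputs, mirroring the page's compliant and non-compliant examples.
COMPLIANT = """{
  "schemaVersion": "1.2",
  "description": "Check ip configuration of a Linux instance.",
  "inputs": {
    "s3EncryptionEnabled": true,
    "cloudWatchEncryptionEnabled": true,
    "cloudWatchStreamingEnabled": true,
    "runAsEnabled": false,
    "kmsKeyId": "${var.kms_key_id}"
  }
}"""

NO_INPUTS = """{
  "schemaVersion": "1.2",
  "description": "Check ip configuration of a Linux instance."
}"""

NO_KMS_KEY = """{
  "schemaVersion": "1.2",
  "description": "Check ip configuration of a Linux instance.",
  "inputs": {
    "s3EncryptionEnabled": true,
    "cloudWatchEncryptionEnabled": true,
    "cloudWatchStreamingEnabled": true,
    "runAsEnabled": false
  }
}"""

SAMPLE_RESOURCES = {
    "negative": ("Session", COMPLIANT),
    "positive1": ("Session", NO_INPUTS),
    "positive2": ("Session", NO_KMS_KEY),
    "command_doc": ("Command", NO_INPUTS),  # out of scope: not a Session document
}

if __name__ == "__main__":
    for name, findings in scan(SAMPLE_RESOURCES).items():
        for finding in findings:
            print(f"aws_ssm_document.{name}: {finding}")
```

Running the script reports positive1 (no inputs at all) and positive2 (encryption flags present but no kmsKeyId) and stays silent on the compliant negative resource and on the Command document, which the rule does not cover.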
rulesets:
  - Terraform / AWS # Rules to enforce / AWS.