Runbook for [SSM.7] SSM documents should have the block public sharing setting enabled

[qvqn]

Is your feature request related to a problem? Please describe.

Security-Hub reports SSM Documents public sharing is enabled as critical under SSM.7
https://docs.aws.amazon.com/securityhub/latest/userguide/ssm-controls.html#ssm-7

Describe the feature you'd like

Disable this setting using asr automation much like EBS encryption and S3 Block Public Access

SSM.Client.update_service_setting > /ssm/documents/console/public-sharing-permission, from Enable to Disable.

Additional context

action: 'aws:executeAwsApi'
inputs:
  Service: ssm
  Api: UpdateServiceSetting
  SettingId: /ssm/documents/console/public-sharing-permission
  SettingValue: Disable

[jrgaray27]

Hi @qvqn, thanks for reaching out! We will add this control to our backlog for a future release.