AWS Security ChangesHomeSearch

AWS secretsmanager high security documentation change

Service: secretsmanager · 2025-05-22 · Security-related high

File: secretsmanager/latest/userguide/secrets-manager-agent.md

Summary

Added SSRF token handling instructions and ML-KEM key exchange documentation

Security assessment

Explicitly documents SSRF protection mechanisms (token generation and access control) and post-quantum key exchange. The SSRF token setup mitigates a known attack vector, providing concrete security improvements.

Diff

diff --git a/secretsmanager/latest/userguide/secrets-manager-agent.md b/secretsmanager/latest/userguide/secrets-manager-agent.md
index 514cde175..688d1b2e3 100644
--- a//secretsmanager/latest/userguide/secrets-manager-agent.md
+++ b//secretsmanager/latest/userguide/secrets-manager-agent.md
@@ -28 +28 @@ The Secrets Manager Agent retrieves and caches secrets in memory, allowing your
-The Secrets Manager Agent uses the AWS credentials from your environment to call Secrets Manager. It includes protection against Server Side Request Forgery (SSRF) to help improve secret security.
+The Secrets Manager Agent uses the AWS credentials from your environment to call Secrets Manager. It includes protection against Server Side Request Forgery (SSRF) to help improve secret security. The Secrets Manager Agent uses the post-quantum ML-KEM key exchange as the highest-priority key exchange by default.
@@ -88 +88,9 @@ RPM-based systems
-  1. ###### Install development tools
+  1. Use the `install` script provided in the repository. 
+
+The script generates a random SSRF token on startup and stores it in the file `/var/run/awssmatoken`. The token is readable by the `awssmatokenreader` group that the install script creates. 
+
+  2. To allow your application to read the token file, you need to add the user account that your application runs under to the `awssmatokenreader` group. For example, you can grant permissions for your application to read the token file with the following usermod command, where `<APP_USER>` is the user ID under which your application runs.
+    
+        sudo usermod -aG awssmatokenreader <APP_USER>
+
+###### Install development tools
@@ -94 +102 @@ On RPM-based systems such as AL2023, install the Development Tools group:
-  2. ###### Install Rust
+  3. ###### Install Rust
@@ -101 +109 @@ Follow the instructions at [Install Rust](https://www.rust-lang.org/tools/instal
-  3. ###### Build the agent
+  4. ###### Build the agent