AWS Security ChangesHomeSearch

AWS systems-manager high security documentation change

Service: systems-manager · 2025-07-16 · Security-related high

File: systems-manager/latest/userguide/documents-command-ssm-plugin-reference.md

Summary

Added security-focused example using interpolationType=ENV_VAR to prevent command injection

Security assessment

Explicitly documents security best practice to mitigate command injection risks by using ENV_VAR interpolation. Directly addresses a security concern in parameter handling.

Diff

diff --git a/systems-manager/latest/userguide/documents-command-ssm-plugin-reference.md b/systems-manager/latest/userguide/documents-command-ssm-plugin-reference.md
index ae6734822..f60e64304 100644
--- a//systems-manager/latest/userguide/documents-command-ssm-plugin-reference.md
+++ b//systems-manager/latest/userguide/documents-command-ssm-plugin-reference.md
@@ -12,0 +13,17 @@ Systems Manager determines the actions to perform on a managed instance by readi
+For plugins that accept String parameters, such as `aws:runShellScript` and `aws:runPowerShellScript`, the `interpolationType` parameter can be used to enhance security by treating parameter inputs as string literals rather than potentially executable commands. For example:
+    
+    
+    {
+        "schemaVersion": "2.2",
+        "description": "runShellScript with command strings stored as Parameter Store parameter",
+        "parameters": {
+          "commands": {
+            "type": "StringList",
+            "description": "(Required) The commands to run on the instance.",
+            "default": ["{{ ssm:myShellCommands }}"],
+            "interpolationType" : "ENV_VAR"
+          }
+        },
+        //truncated
+     }
+