AWS systems-manager high security documentation change
Summary
Added security-focused example using interpolationType=ENV_VAR to prevent command injection
Security assessment
Explicitly documents security best practice to mitigate command injection risks by using ENV_VAR interpolation. Directly addresses a security concern in parameter handling.
Diff
diff --git a/systems-manager/latest/userguide/documents-command-ssm-plugin-reference.md b/systems-manager/latest/userguide/documents-command-ssm-plugin-reference.md index ae6734822..f60e64304 100644 --- a//systems-manager/latest/userguide/documents-command-ssm-plugin-reference.md +++ b//systems-manager/latest/userguide/documents-command-ssm-plugin-reference.md @@ -12,0 +13,17 @@ Systems Manager determines the actions to perform on a managed instance by readi +For plugins that accept String parameters, such as `aws:runShellScript` and `aws:runPowerShellScript`, the `interpolationType` parameter can be used to enhance security by treating parameter inputs as string literals rather than potentially executable commands. For example: + + + { + "schemaVersion": "2.2", + "description": "runShellScript with command strings stored as Parameter Store parameter", + "parameters": { + "commands": { + "type": "StringList", + "description": "(Required) The commands to run on the instance.", + "default": ["{{ ssm:myShellCommands }}"], + "interpolationType" : "ENV_VAR" + } + }, + //truncated + } +