AWS systems-manager medium security documentation change
Summary
Added security recommendation to use interpolationType for command injection protection and modified IAM policy example
Security assessment
The change explicitly recommends using interpolationType: ENV_VAR to prevent command injection attacks in shared documents. The security guidance about treating parameters as string literals directly addresses a common attack vector. The IAM policy modification appears to be a formatting correction without security implications.
Diff
diff --git a/systems-manager/latest/userguide/documents-ssm-sharing.md b/systems-manager/latest/userguide/documents-ssm-sharing.md index c8325ab95..2350d7d56 100644 --- a//systems-manager/latest/userguide/documents-ssm-sharing.md +++ b//systems-manager/latest/userguide/documents-ssm-sharing.md @@ -90,0 +91,5 @@ If the hash doesn't match the specified document or if the content of the shared +**Use the interpolation parameter to improve security** + + +For `String` type parameters in your SSM documents, use the parameter and value `interpolationType": "ENV_VAR` to improve security against command injection attacks by treating parameter inputs as string literals rather than potentially executable commands. In this case, the agent creates an environment variable named `SSM_`parameter-name`` with the parameter's value. We recommend updating all your existing SSM documents that include `String` type parameters to include `"interpolationType": "ENV_VAR"`. For more information, see [Writing SSM document content](./documents-creating-content.html#writing-ssm-doc-content). + @@ -174,0 +180,6 @@ The following is an example of an IAM policy that prevents users from updating t +JSON + + +**** + + @@ -182 +193 @@ The following is an example of an IAM policy that prevents users from updating t - "Resource": "arn:aws:ssm:*:987654321098:servicesetting/ssm/documents/console/public-sharing-permission" + "Resource": "arn:aws:ssm:*::servicesetting/ssm/documents/console/public-sharing-permission"