AWS systems-manager high security documentation change
Summary
Added documentation for environment variable interpolation (interpolationType: ENV_VAR) to handle parameters securely and prevent command injection
Security assessment
Explicitly states that environment variable interpolation helps prevent command injection by treating parameter values as literal strings. Mentions security implications of handling parameters and includes allowedPattern validation.
Diff
diff --git a/systems-manager/latest/userguide/documents-syntax-data-elements-parameters.md b/systems-manager/latest/userguide/documents-syntax-data-elements-parameters.md index 00749a552..a8f80fb76 100644 --- a//systems-manager/latest/userguide/documents-syntax-data-elements-parameters.md +++ b//systems-manager/latest/userguide/documents-syntax-data-elements-parameters.md @@ -37,0 +38,36 @@ A structure that defines the parameters the document accepts. +For enhanced security when handling string parameters, you can use environment variable interpolation by specifying the `interpolationType` property. When set to `ENV_VAR`, the system creates an environment variable named `SSM_`parameter-name`` containing the parameter value. + +The following includes an example of a parameter using environment variable `interpolationType`: + + + { + "schemaVersion": "2.2", + "description": "An example document.", + "parameters": { + "Message": { + "type": "String", + "description": "Message to be printed", + "default": "Hello", + "interpolationType" : "ENV_VAR", + "allowedPattern": "^[^"]*$" + + } + }, + "mainSteps": [{ + "action": "aws:runShellScript", + "name": "printMessage", + "precondition" : { + "StringEquals" : ["platformType", "Linux"] + }, + "inputs": { + "runCommand": [ + "echo {{Message}}" + ] + } + } + } + +###### Note + +`allowedPattern` isn’t technically required in SSM documents that don’t use double braces: `{{ }}` + @@ -56 +92,4 @@ YAML - default: ["{{ ssm:myShellCommands }}"] + default: ["{{ ssm:myShellCommands }}"], + interpolationType : 'ENV_VAR' + allowedPattern: '^[^"]*$' + @@ -74 +113,2 @@ JSON - "default": ["{{ ssm:myShellCommands }}"] + "default": ["{{ ssm:myShellCommands }}"], + "interpolationType" : "ENV_VAR" @@ -172,0 +213,6 @@ JSON + * `interpolationType`: (Optional) Defines how parameter values are processed before command execution. When set to `ENV_VAR`, the parameter value is made available as an environment variable named `SSM_`parameter-name``. This feature helps prevent command injection by treating parameter values as literal strings. + +Type: String + +Valid values: `ENV_VAR` + @@ -284,0 +331,2 @@ A sequence of zero or more Unicode characters wrapped in quotation marks. For ex +String parameters can include an optional `interpolationType` field with the value `ENV_VAR` to enable environment variable interpolation for improved security. + @@ -292,0 +341 @@ YAML + interpolationType: ENV_VAR @@ -300 +349,2 @@ JSON - "description":"(Optional) The target EC2 instance ID." + "description":"(Optional) The target EC2 instance ID.", + "interpolationType": "ENV_VAR"