AWS systems-manager high security documentation change
Summary
Added note about environment variable interpolation security feature for SSM documents to prevent command injection attacks
Security assessment
Explicitly states the security purpose of the new feature ('helps prevent command injection attacks') and specifies version requirements for secure implementation.
Diff
diff --git a/systems-manager/latest/userguide/documents.md b/systems-manager/latest/userguide/documents.md index 42245490e..62dee5f02 100644 --- a//systems-manager/latest/userguide/documents.md +++ b//systems-manager/latest/userguide/documents.md @@ -9 +9,5 @@ How can the Documents tool benefit my organization?Who should use Documents?What -An AWS Systems Manager document (SSM document) defines the actions that Systems Manager performs on your managed instances. Systems Manager includes more than 100 pre-configured documents that you can use by specifying parameters at runtime. You can find pre-configured documents in the Systems Manager Documents console by choosing the **Owned by Amazon** tab, or by specifying Amazon for the `Owner` filter when calling the `ListDocuments` API operation. Documents use JavaScript Object Notation (JSON) or YAML, and they include steps and parameters that you specify. To get started with SSM documents, open the [Systems Manager console](https://console.aws.amazon.com/systems-manager/documents). In the navigation pane, choose **Documents**. +An AWS Systems Manager document (SSM document) defines the actions that Systems Manager performs on your managed instances. Systems Manager includes more than 100 pre-configured documents that you can use by specifying parameters at runtime. You can find pre-configured documents in the Systems Manager Documents console by choosing the **Owned by Amazon** tab, or by specifying Amazon for the `Owner` filter when calling the `ListDocuments` API operation. Documents use JavaScript Object Notation (JSON) or YAML, and they include steps and parameters that you specify. + +For enhanced security, as of July 14th, 2025, SSM documents support environment variable interpolation when processing parameters. This feature, available in schema version 2.2 and with SSM Agent version 3.3.2746.0 or higher, helps prevent command injection attacks. + +To get started with SSM documents, open the [Systems Manager console](https://console.aws.amazon.com/systems-manager/documents). In the navigation pane, choose **Documents**. @@ -98,0 +103,2 @@ For information about SSM document quotas, see [Systems Manager service quotas]( + * [Troubleshooting parameter handling issues](./parameter-troubleshooting.html) +