AWS AWSCloudFormation medium security documentation change
Summary
Added documentation about required trusted host key format for VPC_LATTICE connectors, specifying removal of hostname from key entries
Security assessment
The change enforces proper host key validation format for VPC_LATTICE connectors to prevent potential man-in-the-middle attacks by ensuring keys are verified correctly without hostnames. This addresses a security configuration best practice.
Diff
diff --git a/AWSCloudFormation/latest/TemplateReference/aws-properties-transfer-connector-sftpconfig.md b/AWSCloudFormation/latest/TemplateReference/aws-properties-transfer-connector-sftpconfig.md index da021d2f3..d7e76c4fe 100644 --- a//AWSCloudFormation/latest/TemplateReference/aws-properties-transfer-connector-sftpconfig.md +++ b//AWSCloudFormation/latest/TemplateReference/aws-properties-transfer-connector-sftpconfig.md @@ -65,0 +66,2 @@ The public portion of the host key, or keys, that are used to identify the exter +When creating connectors with egress config (VPC_LATTICE type connectors), since host name is not something we can verify, the only accepted trusted host key format is `key-type key-body` without the host name. For example: `ssh-rsa AAAAB3Nza...<long-string-for-public-key>` + @@ -83 +85 @@ This prints the public host key to standard output. -`ftp.host.com ssh-rsa AAAAB3Nza...<long-string-for-public-key` +`ftp.host.com ssh-rsa AAAAB3Nza...<long-string-for-public-key>` @@ -86,0 +89,2 @@ Copy and paste this string into the `TrustedHostKeys` field for the `create-conn +For VPC Lattice type connectors (VPC_LATTICE), remove the hostname from the key and use only the `key-type key-body` format. In this example, it should be: `ssh-rsa AAAAB3Nza...<long-string-for-public-key>` +