AWS systems-manager documentation change
Summary
Added explanation about TLS encryption for SSH connections via Session Manager
Security assessment
Clarifies security benefits of existing feature (encrypted tunnels) but does not address a vulnerability
Diff
diff --git a/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.md b/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.md index 63dd9ed2c..3a54b414c 100644 --- a//systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.md +++ b//systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.md @@ -10,0 +11,2 @@ You can allow users in your AWS account to use the AWS Command Line Interface (A +When you establish SSH connections through Session Manager, the AWS CLI and SSM Agent create secure WebSocket connections over TLS to Session Manager endpoints. The SSH session runs within this encrypted tunnel, providing an additional layer of security without requiring inbound ports to be opened on your managed nodes. + @@ -15 +17 @@ After allowing SSH connections, you can use AWS Identity and Access Management ( -Logging isn't available for Session Manager sessions that connect through port forwarding or SSH. This is because SSH encrypts all session data, and Session Manager only serves as a tunnel for SSH connections. +Logging isn't available for Session Manager sessions that connect through port forwarding or SSH. This is because SSH encrypts all session data within the secure TLS connection established between the AWS CLI and Session Manager endpoints, and Session Manager only serves as a tunnel for SSH connections.