AWS systems-manager-automation-runbooks documentation change
Summary
Added security recommendation note about cloning the runbook, adding validation logic for JiraURL parameter, and restricting IAM permissions
Security assessment
This change adds proactive security guidance recommending parameter validation and permission restrictions to prevent potential SSRF attacks or unauthorized Jira instance access. It doesn't indicate a specific security issue was found but provides security best practices documentation.
Diff
diff --git a/systems-manager-automation-runbooks/latest/userguide/automation-aws-createjiraissue.md b/systems-manager-automation-runbooks/latest/userguide/automation-aws-createjiraissue.md index 611252ba8..e1f773dcc 100644 --- a//systems-manager-automation-runbooks/latest/userguide/automation-aws-createjiraissue.md +++ b//systems-manager-automation-runbooks/latest/userguide/automation-aws-createjiraissue.md @@ -10,0 +11,4 @@ Create an issue in Jira. +###### Note + +For better control and validation, we recommend [ cloning](https://docs.aws.amazon.com/systems-manager/latest/userguide/documents-creating-content.html#cloning-ssm-document) the `AWS-CreateJiraIssue` runbook to create your own private version. In your cloned runbook, add [validation logic](https://docs.aws.amazon.com/systems-manager/latest/userguide/documents-schemas-features.html#parameter-security-best-practices) for the `JiraURL` parameter to ensure it matches your approved Jira instances before execution. Then use your cloned runbook in place of the AWS-managed one and restrict IAM permissions for executing `AWS-CreateJiraIssue`. This approach gives you more flexibility and ensures the parameter meets your organization's security and compliance requirements. +