AWS systems-manager-automation-runbooks documentation change
Summary
Updated Packer version from v1.7.2 to v1.11.2 and added an Important section warning about Packer provisioners running with root-level privileges, advising least-privilege practices and caution with IAM role permissions.
Security assessment
The change adds security documentation about the risks of Packer provisioners running with root privileges and the need to follow least-privilege practices. It warns about potential access to sensitive instance metadata and expanded IAM permissions. This is a security best practice advisory, not a fix for a specific security vulnerability.
Diff
diff --git a/systems-manager-automation-runbooks/latest/userguide/automation-aws-runpacker.md b/systems-manager-automation-runbooks/latest/userguide/automation-aws-runpacker.md index b78410d16..dc15d4f5f 100644 --- a//systems-manager-automation-runbooks/latest/userguide/automation-aws-runpacker.md +++ b//systems-manager-automation-runbooks/latest/userguide/automation-aws-runpacker.md @@ -0,0 +1,2 @@ +[View a markdown version of this page](automation-aws-runpacker.md) + @@ -9 +11 @@ -This runbook uses the HashiCorp [Packer](https://www.packer.io/) tool to validate, fix, or build packer templates that are used to create machine images. This runbook uses Packer v1.7.2. +This runbook uses the HashiCorp [Packer](https://www.packer.io/) tool to validate, fix, or build packer templates that are used to create machine images. This runbook uses Packer v1.11.2. @@ -14,0 +17,4 @@ If you specify a `vpc_id` value, you must also specify the `subnet_id` value of +###### Important + +Packer provisioners execute with root-level privileges on the temporary EC2 instance. Follow least-privilege practices when authoring Packer templates. Avoid granting provisioners access to sensitive instance metadata or local credential files. If you have added additional policies to the IAM role used by [Default Host Management Configuration](https://docs.aws.amazon.com/systems-manager/latest/userguide/fleet-manager-default-host-management-configuration.html), be aware that any process running as root on the instance can access those expanded permissions. Review your Packer templates to ensure they contain only trusted commands. +