AWS greengrass documentation change
Summary
Added documentation for version 2.0.x of the secure tunneling component, including system requirements, dependencies, configuration parameters, logging instructions, third-party software, and changelog entry.
Security assessment
The changes document new security-related features including access control policies for MQTT topic subscriptions and OpenSSL 3.0.0+ requirement, but there's no evidence of addressing a specific security vulnerability. The accessControl configuration allows restricting subscriptions to device-specific topics, improving security posture.
Diff
diff --git a/greengrass/v2/developerguide/secure-tunneling-component.md b/greengrass/v2/developerguide/secure-tunneling-component.md index da0fc4752..de807e61d 100644 --- a//greengrass/v2/developerguide/secure-tunneling-component.md +++ b//greengrass/v2/developerguide/secure-tunneling-component.md @@ -47,0 +48,2 @@ This component has the following versions: + * 2.0.x + @@ -79,0 +82,27 @@ This component has the following requirements: +2.0.x + + + * Minimum of 4 MB disk space available for the secure tunneling component. This requirement does not include the Greengrass core software or other components running on the same device. + + * Minimum of 3 MB RAM available for the secure tunneling component. This requirement does not include the Greengrass core software or other components running on the same device. + + * GNU C Library (glibc) version 2.35 or greater. Versions of the operating system and libraries past their long-term support end of life date are not supported. You should use an operating system and libraries with long-term support. + + * The following runtime libraries installed on the Greengrass core device: + + * `libstdc++` version 3.4.29 or greater + + * `libgcc_s` version 3.0 or greater + + * OpenSSL version 3.0.0 or greater + + * Open outbound traffic on port 443 on the Greengrass core device. + + * Turn on support for the communication service that you want to use to communicate with the Greengrass core device. For example, to open an SSH connection to the device, you must turn on SSH on that device. + + + + +1.0.x - 1.1.x + + @@ -110,0 +140,9 @@ When you deploy a component, AWS IoT Greengrass also deploys compatible versions +2.0.0 + + +Version 2.0.0 of this component supports both Greengrass nucleus and Greengrass nucleus lite. The following table lists the dependencies for version 2.0.0 of this component. + +Dependency | Compatible versions | Dependency type +---|---|--- +[Greengrass nucleus](./greengrass-nucleus-component.html) OR [Greengrass nucleus lite](./greengrass-nucleus-lite-component.html) | >=2.0.0 <3.0.0 | Soft + @@ -242,0 +281,71 @@ This component provides the following configuration parameters that you can cust +2.0.x + + +`maxConcurrentTunnels` + + +(Optional) Maximum number of concurrent tunnels allowed. + +###### Note + +The value cannot be more than 20. + +Default: `20` + +`tunnelTimeoutSeconds` + + +(Optional) Tunnel timeout duration in seconds. + +Default: `43200` (12 hours) + +`accessControl` + + +(Optional) The object that contains the [authorization policy](./interprocess-communication.html#ipc-authorization-policies) that allows the component to subscribe to the secure tunneling notifications topic. + +###### Note + +Do not modify this configuration parameter if your deployment targets a thing group. If your deployment targets an individual core device, and you want to restrict its subscription to the device's topic, specify the core device's thing name. In the `resources` value in the device's authorization policy, replace the MQTT topic wildcard with the device's thing name. + + + { + "aws.greengrass.ipc.mqttproxy": { + "aws.greengrass.SecureTunneling:mqttproxy:1": { + "policyDescription": "Access to tunnel notification pubsub topic", + "operations": [ + "aws.greengrass#SubscribeToIoTCore" + ], + "resources": [ + "$aws/things/+/tunnels/notify" + ] + } + } + } + +###### Example: Configuration merge update + +The following example configuration specifies the maximum concurrent tunnels and timeout settings. + + + { + "maxConcurrentTunnels": 20, + "tunnelTimeoutSeconds": 43200, + "accessControl": { + "aws.greengrass.ipc.mqttproxy": { + "aws.greengrass.SecureTunneling:mqttproxy:1": { + "policyDescription": "Access to tunnel notification pubsub topic", + "operations": [ + "aws.greengrass#SubscribeToIoTCore" + ], + "resources": [ + "$aws/things/MyGreengrassCore/tunnels/notify" + ] + } + } + } + } + +1.0.x - 1.1.x + + @@ -299,0 +409,3 @@ The following example configuration specifies to allow this component to open se +Greengrass nucleus + + @@ -313,0 +426,13 @@ This component uses the following log file. +Greengrass nucleus lite + + +Run the following command on the core device to view this component's logs. + + + journalctl -xeau ggl.aws.greengrass.SecureTunneling.service + +Run the following command on the core device to view this component's logs in real time. + + + journalctl -fau ggl.aws.greengrass.SecureTunneling.service + @@ -317,0 +443,17 @@ This component includes the following third-party software/licensing: +2.0.x + + + * [AWS IoT Secure Tunneling Local Proxy](https://github.com/aws-samples/aws-iot-securetunneling-localproxy)/Apache License 2.0 + + * [AWS Greengrass Component SDK](https://github.com/aws-greengrass/aws-greengrass-component-sdk)/Apache License 2.0 + + * [Boost C++ Libraries](https://www.boost.org/)/Boost Software License 1.0 + + * [Protocol Buffers](https://github.com/protocolbuffers/protobuf)/BSD 3-Clause License + + + + +1.0.x - 1.1.x + + @@ -362,0 +505,11 @@ The following table describes the changes in each version of the component. +2.0.0 | + +New features + + + * Replaces the Java wrapper with a C wrapper. + * Replaces AWS IoT Device Client with [AWS IoT Securetunneling Localproxy](https://github.com/aws-samples/aws-iot-securetunneling-localproxy). + * Reduces the binary size from approximately 36 MB to approximately 4 MB. + * Reduces the memory footprint from approximately 100 MB to approximately 2 MB. + +