AWS systems-manager medium security documentation change
Summary
Added warning about SSM Agent following HTTP redirects which could downgrade HTTPS to HTTP
Security assessment
Explicitly documents a security risk where HTTPS URLs can be redirected to insecure HTTP, creating potential for man-in-the-middle attacks. This constitutes concrete evidence of a security vulnerability related to encryption downgrade.
Diff
diff --git a/systems-manager/latest/userguide/documents-command-ssm-plugin-reference.md b/systems-manager/latest/userguide/documents-command-ssm-plugin-reference.md index efbd6aa41..e95619d9a 100644 --- a//systems-manager/latest/userguide/documents-command-ssm-plugin-reference.md +++ b//systems-manager/latest/userguide/documents-command-ssm-plugin-reference.md @@ -1323 +1323 @@ Additionally, you can specify the following optional parameters: -Determines whether a download can be performed over a connection that isn't encrypted with Secure Socket Layer (SSL) or Transport Layer Security (TLS). The default value is `false`. We don't recommend performing downloads without encryption. If you choose to do so, you assume all associated risks. Security is a shared responsibility between AWS and you. This is described as the shared responsibility model. To learn more, see the [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/). +Determines whether a download can be performed over a connection that isn't encrypted with Secure Socket Layer (SSL) or Transport Layer Security (TLS). The default value is `false`. We don't recommend performing downloads without encryption. If you choose to do so, you assume all associated risks. SSM Agent follows HTTP redirects, which means an HTTPS URL can be redirected to an HTTP URL. Security is a shared responsibility between AWS and you. This is described as the shared responsibility model. To learn more, see the [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/).