
AWS SSM using insecure HMAC

0

My PCI vendor recently flagged that the AWS SSM was allowing an insecure hmac-sha1-96 algorithm.

This algorithm is not enabled in my ssh configuration (/etc/ssh/sshd_config and related), I could not find any information about this in the documentation and Amazon is mandating that I subscribe to one of their support plans before telling me how to secure their service ... which is also apparently enabled by default on all new Ubuntu ec2 instances!

Can anyone tell me how to secure the Amazon SSM service correctly as it is apparently not the case out of the box?

Additionally, is there any reason this insecure service is 1) installed by default and 2) accessible from the Internet on a fixed port number?

Thanks.

asked a year ago, 149 views
2 answers
4

Try disabling insecure algorithms like below:

MACs hmac-sha2-256,hmac-sha2-512
EXPERT
answered a year ago
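The directive above only helps if it actually removes what the scanner saw, so it is worth checking the MACs sshd really offers (`sshd -T` prints the effective configuration) rather than grepping sshd_config. The following is an added example, not code from the question or either answer: it takes a `macs` line as `sshd -T` prints it, lists the entries a PCI scanner would typically flag, and builds the MACs directive that keeps only the rest. The weak/strong split (SHA-1, MD5, RIPEMD, and tags truncated below 128 bits treated as weak) is my assumption, and the sample line is constructed, not taken from the asker's instance.

```shell
#!/bin/sh
# Added example, not from the question or either answer. Classifies the MACs an
# sshd actually offers (feed it the "macs" line from `sshd -T`) and builds the
# sshd_config MACs directive that disables the weak ones.
# Assumption: SHA-1, MD5, RIPEMD and tags truncated below 128 bits (the "-96"
# variants and umac-64) count as weak, matching common PCI scanner findings.

is_weak_mac() {
  case "$1" in
    *sha1*|*md5*|*ripemd*|*-96*|umac-64*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print each weak MAC from a comma-separated list, one per line.
weak_macs() {
  printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r m; do
    if [ -n "$m" ] && is_weak_mac "$m"; then printf '%s\n' "$m"; fi
  done
}

# Print the strong MACs from a comma-separated list, comma-separated again.
strong_macs() {
  printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r m; do
    if [ -n "$m" ] && ! is_weak_mac "$m"; then printf '%s\n' "$m"; fi
  done | tr '\n' ',' | sed 's/,$//'
}

# Turn a full "macs a,b,c" line (as printed by `sshd -T`) into the sshd_config
# directive that keeps only the strong entries. Returns 1 if any weak MAC was
# offered, 0 if the line is already clean.
harden_macs_line() {
  list=${1#macs }
  printf 'MACs %s\n' "$(strong_macs "$list")"
  [ -z "$(weak_macs "$list")" ]
}

# Constructed sample standing in for `sshd -T | grep '^macs'` on the instance.
SAMPLE='macs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96'

if harden_macs_line "$SAMPLE" >/dev/null; then
  echo "no weak MACs offered"
else
  echo "weak MACs offered:"
  weak_macs "${SAMPLE#macs }"
  echo "replace the MACs line in /etc/ssh/sshd_config with:"
  harden_macs_line "$SAMPLE" || true
fi
```

On a live host, run `sudo sshd -T | grep '^macs'` and pass that line to `harden_macs_line`; the answer's shorter list (`hmac-sha2-256,hmac-sha2-512`) is a stricter subset of what this keeps, since the `-etm@openssh.com` variants of SHA-2 are left in. After editing sshd_config, `sshd -t` validates the file and a second `sshd -T` confirms the change took effect. Note that if the scanner's finding came from a service other than OpenSSH on that port, this check will report the sshd line as clean while the finding remains.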
0

Hey,

Hope you're keeping well.

AWS Systems Manager Session Manager does not use SSH for its connections, so changes to /etc/ssh/sshd_config won’t affect its encryption algorithms. Session Manager traffic is encrypted using TLS over HTTPS via the SSM Agent, and any “hmac-sha1-96” finding is likely coming from the agent’s underlying WebSocket or channel negotiation, not from OpenSSH. To address PCI findings, make sure your SSM Agent is fully up to date (sudo snap refresh amazon-ssm-agent or use sudo yum update amazon-ssm-agent depending on your OS) since newer versions use stronger algorithms.

Thanks and regards,
Taz

answered 6 months ago
