Saltar al contenido
Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post
Acerca de re:Post

AWS SSM using insecure HMAC

0

My PCI vendor recently flagged that the AWS SSM was allowing an insecure hmac-sha1-96 algorithm.

This algorithm is not enabled in my ssh configuration (/etc/ssh/sshd_config and related), I could not find any information about this in the documentation and Amazon is mandating that I subscribe to one of their support plans before telling me how to secure their service ... which is also apparently enabled by default on all new Ubuntu ec2 instances!

Can anyone tell me how to secure the Amazon SSM service correctly as it is apparently not the case out of the box?

Additionally, is there any reason this insecure service is 1) installed by default and 2) accessible from the Internet on a fixed port number?

Thanks.

Temas
Administración y gobierno
Etiquetas
AWS Systems Manager
Idioma
English

preguntada hace un año150 visualizaciones

2 Respuestas
4

Try disable insecure Algorithms like below:

MACs hmac-sha2-256,hmac-sha2-512
EXPERTO

respondido hace un año

0

Hey,

Hope you're keeping well.

AWS Systems Manager Session Manager does not use SSH for its connections, so changes to /etc/ssh/sshd_config won’t affect its encryption algorithms. Session Manager traffic is encrypted using TLS over HTTPS via the SSM Agent, and any “hmac-sha1-96” finding is likely coming from the agent’s underlying WebSocket or channel negotiation, not from OpenSSH. To address PCI findings, make sure your SSM Agent is fully up to date (sudo snap refresh amazon-ssm-agent or use sudo yum update amazon-ssm-agent depending on your OS) since newer versions use stronger algorithms.

Thanks and regards,
Taz

respondido hace 6 meses

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Contenido relevante