
AWS SSM using insecure HMAC

0

My PCI vendor recently flagged that the AWS SSM was allowing an insecure hmac-sha1-96 algorithm.

This algorithm is not enabled in my ssh configuration (/etc/ssh/sshd_config and related). I could not find any information about this in the documentation, and Amazon is mandating that I subscribe to one of their support plans before telling me how to secure their service ... which is also apparently enabled by default on all new Ubuntu EC2 instances!

Can anyone tell me how to secure the Amazon SSM service correctly as it is apparently not the case out of the box?

Additionally, is there any reason this insecure service is 1) installed by default and 2) accessible from the Internet on a fixed port number?

Thanks.

asked a year ago, 150 views

2 Answers
4

Try disabling insecure algorithms like below:

MACs hmac-sha2-256,hmac-sha2-512
EXPERT

answered a year ago
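A way to check whether a given sshd_config actually disables the flagged MACs, added here as an example that is not from this thread or from AWS: it parses the first MACs directive (sshd honours the first occurrence of a keyword, so a hardened line appended below an earlier permissive one is ignored), reports the entries a PCI scanner would object to, and builds the allow-list line to set. The WEAK_MACS set, the HARDENED_MACS value and the sample configs are this example's own assumptions.

```python
"""Audit an sshd_config for MAC algorithms a PCI scanner would flag.

Added example for this thread, not code from AWS or the re:Post answers.
Assumptions: WEAK_MACS and HARDENED_MACS are this example's own choices;
the sample configs at the bottom are constructed.
"""
import re

# MACs commonly flagged by scanners: truncated 96-bit tags and MD5/SHA-1 HMACs.
WEAK_MACS = {
    "hmac-sha1-96", "hmac-sha1-96-etm@openssh.com",
    "hmac-md5", "hmac-md5-96",
    "hmac-md5-etm@openssh.com", "hmac-md5-96-etm@openssh.com",
    "hmac-sha1", "hmac-sha1-etm@openssh.com",
}

# Explicit allow-list to put in sshd_config (SHA-2 only, encrypt-then-MAC first).
HARDENED_MACS = ("hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,"
                 "hmac-sha2-256,hmac-sha2-512")

MACS_RE = re.compile(r"^macs[\s=]+(\S+)", re.IGNORECASE)


def macs_directive(config_text):
    """Return the value of the first MACs directive, or None if there is none.

    sshd uses the first obtained value for each keyword, so a hardened line
    placed below an earlier permissive one is silently ignored; that is why
    this audit stops at the first match.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        m = MACS_RE.match(line)
        if m:
            return m.group(1)
    return None


def audit(config_text):
    """Classify the effective MACs setting of an sshd_config string."""
    value = macs_directive(config_text)
    if value is None:
        return {"mode": "default", "weak": [],
                "note": "no MACs directive: compiled-in defaults apply; "
                        "verify with `sshd -T | grep -i macs`"}
    if value[0] in "+-^":
        # Modifier syntax (+, -, ^) edits the default list instead of replacing it.
        added = [] if value[0] == "-" else value[1:].split(",")
        return {"mode": "modifies-default",
                "weak": [m for m in added if m in WEAK_MACS],
                "note": "list modifies the defaults; verify with `sshd -T`"}
    macs = [m for m in value.split(",") if m]
    return {"mode": "explicit",
            "weak": [m for m in macs if m in WEAK_MACS],
            "note": ""}


def hardened_line():
    """The sshd_config line to set (place it before any other MACs line)."""
    return "MACs " + HARDENED_MACS


if __name__ == "__main__":
    # Constructed sample configs for demonstration.
    samples = {
        "no directive": "Port 22\nPermitRootLogin no\n",
        "weak explicit": "MACs hmac-sha1-96,hmac-sha2-256\n",
        "hardened appended too late": "MACs hmac-sha1-96\nMACs hmac-sha2-256,hmac-sha2-512\n",
        "hardened": hardened_line() + "\n",
    }
    for name, text in samples.items():
        r = audit(text)
        print(f"{name:28s} mode={r['mode']:16s} weak={r['weak']} {r['note']}")
```

After editing the file, validate it with `sudo sshd -t`, restart the service, and confirm the running configuration with `sudo sshd -T | grep -i macs`; the effective list reported there is what the scanner sees on port 22, regardless of what the file appears to say.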

0

Hey,

Hope you're keeping well.

AWS Systems Manager Session Manager does not use SSH for its connections, so changes to /etc/ssh/sshd_config won’t affect its encryption algorithms. Session Manager traffic is encrypted using TLS over HTTPS via the SSM Agent, and any “hmac-sha1-96” finding is likely coming from the agent’s underlying WebSocket or channel negotiation, not from OpenSSH. To address PCI findings, make sure your SSM Agent is fully up to date (sudo snap refresh amazon-ssm-agent or use sudo yum update amazon-ssm-agent depending on your OS) since newer versions use stronger algorithms.

Thanks and regards,
Taz

answered 6 months ago
