
AWS SSM using insecure HMAC

0

My PCI vendor recently flagged that the AWS SSM was allowing an insecure hmac-sha1-96 algorithm.

This algorithm is not enabled in my ssh configuration (/etc/ssh/sshd_config and related), I could not find any information about this in the documentation and Amazon is mandating that I subscribe to one of their support plans before telling me how to secure their service ... which is also apparently enabled by default on all new Ubuntu ec2 instances!

Can anyone tell me how to secure the Amazon SSM service correctly as it is apparently not the case out of the box?

Additionally, is there any reason this insecure service is 1) installed by default and 2) accessible from the Internet on a fixed port number?

Thanks.

asked a year ago, 138 views
2 Answers
4

Try disabling insecure algorithms like below:

MACs hmac-sha2-256,hmac-sha2-512
EXPERT
answered a year ago
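The `MACs` directive above only helps if it is actually in effect, so the check a PCI auditor will want is against the server's effective configuration (`sshd -T`), not the file. Below is an added audit script that is not part of this answer; it flags SHA-1, MD5 and 64-bit-tag MACs in an `sshd -T` listing, and the sample output it runs on is constructed, with `check_macs`, `macs_from_config` and `audit_sample` being names chosen here.

```shell
#!/bin/sh
# Audit the MACs an OpenSSH server really offers and flag the ones a
# PCI scanner rejects. Constructed example: the sshd -T output is embedded
# below; on a live host you would run:  sudo sshd -T | macs_from_config

# Return 0 if the comma-separated MAC list has no SHA-1 or MD5 based
# algorithm and no 64-bit-tag UMAC; return 1 and print each weak entry.
check_macs() {
    _list="$1"
    _rc=0
    _old_ifs="$IFS"
    IFS=','
    for _mac in $_list; do
        case "$_mac" in
            *sha1*|*md5*|umac-64*)
                printf 'weak MAC offered: %s\n' "$_mac"
                _rc=1
                ;;
        esac
    done
    IFS="$_old_ifs"
    return $_rc
}

# Extract the effective "macs" line from sshd -T style output on stdin.
macs_from_config() {
    awk '$1 == "macs" { print $2 }'
}

# Constructed sample of sshd -T output for a host that still advertises
# hmac-sha1 and hmac-sha1-96 (the finding the question describes).
SAMPLE_DEFAULT='port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr
macs umac-64-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96'

# Constructed sample after applying "MACs hmac-sha2-256,hmac-sha2-512".
SAMPLE_HARDENED='port 22
macs hmac-sha2-256,hmac-sha2-512'

# Run the check over one sshd -T style listing; exit status 0 means clean.
audit_sample() {
    check_macs "$(printf '%s\n' "$1" | macs_from_config)"
}

# Constructed default listing fails; hardened listing passes.
audit_sample "$SAMPLE_DEFAULT" || echo "default config: FAIL"
audit_sample "$SAMPLE_HARDENED" && echo "hardened config: OK"
```

Remember to restart sshd after editing `sshd_config`, since `sshd -T` reads the file but a running daemon keeps its old MAC list until reloaded.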
0

Hey,

Hope you're keeping well.

AWS Systems Manager Session Manager does not use SSH for its connections, so changes to /etc/ssh/sshd_config won’t affect its encryption algorithms. Session Manager traffic is encrypted using TLS over HTTPS via the SSM Agent, and any “hmac-sha1-96” finding is likely coming from the agent’s underlying WebSocket or channel negotiation, not from OpenSSH. To address PCI findings, make sure your SSM Agent is fully up to date (sudo snap refresh amazon-ssm-agent or use sudo yum update amazon-ssm-agent depending on your OS) since newer versions use stronger algorithms.

Thanks and regards,
Taz

answered 5 months ago
