
AWS SSM using insecure HMAC

0

My PCI vendor recently flagged that the AWS SSM was allowing an insecure hmac-sha1-96 algorithm.

This algorithm is not enabled in my ssh configuration (/etc/ssh/sshd_config and related), I could not find any information about this in the documentation and Amazon is mandating that I subscribe to one of their support plans before telling me how to secure their service ... which is also apparently enabled by default on all new Ubuntu ec2 instances!

Can anyone tell me how to secure the Amazon SSM service correctly as it is apparently not the case out of the box?

Additionally, is there any reason this insecure service is 1) installed by default and 2) accessible from the Internet on a fixed port number?

Thanks.

Asked 1 year ago, viewed 149 times
2 answers
4

Try disabling insecure algorithms like below:

MACs hmac-sha2-256,hmac-sha2-512
Expert
Answered 1 year ago
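As an added example (not part of the answer above), a POSIX shell check of the MACs that sshd actually advertises, read from the effective configuration (`sshd -T`) rather than from the text of sshd_config, since the effective list is what a scanner sees. The function names and the sample MACs list are constructed here for illustration.

```shell
#!/bin/sh
# Added example: flag weak OpenSSH MACs (MD5-, SHA-1- or 96-bit-tag based)
# in a comma-separated MACs list such as the one `sshd -T` reports.

# Print each weak MAC in the list, one per line.
# Returns 0 when none are weak, 1 when at least one is.
weak_macs() {
    list="$1"
    found=0
    for m in $(printf '%s' "$list" | tr ',' ' '); do
        case "$m" in
            *md5*|*sha1*|*-96*)
                printf '%s\n' "$m"
                found=1
                ;;
        esac
    done
    return $found
}

# Audit the running daemon. `sshd -T` dumps the effective configuration
# (needs root); the "macs" line lists what will really be negotiated.
# Returns 1 when weak MACs are enabled, 2 when sshd could not be queried.
audit_sshd_macs() {
    macs=$(sshd -T 2>/dev/null | awk '$1 == "macs" { print $2 }')
    [ -n "$macs" ] || { echo "could not read sshd effective config" >&2; return 2; }
    weak_macs "$macs"
}

# Constructed sample: an OpenSSH-style MACs line that still carries
# hmac-sha1 and the truncated hmac-sha1-96 variant flagged by the scanner.
SAMPLE_MACS="umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96"

# Hardened list matching the answer above: no weak entries.
HARDENED_MACS="hmac-sha2-256,hmac-sha2-512"
```

Run `audit_sshd_macs` as root on the instance to test the live daemon; the sample lists let `weak_macs` be exercised without sshd.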
0

Hey,

Hope you're keeping well.

AWS Systems Manager Session Manager does not use SSH for its connections, so changes to /etc/ssh/sshd_config won’t affect its encryption algorithms. Session Manager traffic is encrypted using TLS over HTTPS via the SSM Agent, and any “hmac-sha1-96” finding is likely coming from the agent’s underlying WebSocket or channel negotiation, not from OpenSSH. To address PCI findings, make sure your SSM Agent is fully up to date (sudo snap refresh amazon-ssm-agent or use sudo yum update amazon-ssm-agent depending on your OS) since newer versions use stronger algorithms.

Thanks and regards,
Taz

Answered 6 months ago
