
These background agents are needed for various VM recovery scenarios. It's not a silent install. Very much needed.



The vuln is that API calls with no auth headers run as root.


They're not mandatory - we don't use these agents, and instead consider every VM to be replaceable.


Is that an official statement?


Are they optional? As far as I understand, AWS doesn't do the same.


https://docs.aws.amazon.com/systems-manager/latest/userguide...

By default, SSM Agent is preinstalled on instances created from the following Amazon Machine Images (AMIs):

Amazon Linux

Amazon Linux 2

Amazon Linux 2 ECS-Optimized Base AMIs

macOS 10.14.x (Mojave) and 10.15.x (Catalina)

Ubuntu Server 16.04, 18.04, and 20.04

Windows Server 2008-2012 R2 AMIs published in November 2016 or later

Windows Server 2016 and 2019


But the AWS SSM agent doesn't listen on the network [0]. The connection is initiated by the agent towards the cloud API, so any commands that come in aren't new connections established over a possibly insecure network.

Of course, if the agent's verification of who it's talking to is as good as in the case of Azure, all bets are off.

---

[0] I've just checked this on an Ubuntu EC2 instance. The SSM agent is running, but it doesn't listen on any interface. No custom configuration was done to it.
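The check described in the comment above (agent running, nothing listening), written up as an added example that is not part of the thread: it parses `ss -Hltnp` output and reports any management-agent process bound to a non-loopback address. The sample `ss` output and the `example-agent` process name are constructed; `amazon-ssm-agent` is the SSM Agent's real process name, and it is deliberately absent from the sample to match the commenter's observation.

```python
import re
import shutil
import subprocess

# Process field as printed by `ss -p`, e.g. users:(("sshd",pid=800,fd=3))
_PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')

LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample of `ss -Hltnp` output (no header line).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=800,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=800,fd=4))
LISTEN 0 4096 127.0.0.1:8089 0.0.0.0:* users:(("example-agent",pid=1201,fd=7))
LISTEN 0 4096 *:8090 *:* users:(("example-agent",pid=1201,fd=8))
"""

def parse_ss_listen(ss_output):
    """Return one record per listening socket: process name, bind address, port."""
    records = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")   # local address column
        addr = addr.strip("[]")                    # "[::]" -> "::"
        procs = _PROC_RE.findall(line)             # empty when run without privileges
        for name in [n for n, _pid in procs] or ["?"]:
            records.append({"proc": name, "addr": addr, "port": int(port)})
    return records

def agent_findings(ss_output, agent_names):
    """List agent sockets reachable from outside the host (wildcard or non-loopback bind)."""
    findings = []
    for rec in parse_ss_listen(ss_output):
        if rec["proc"] in agent_names and rec["addr"] not in LOOPBACK:
            findings.append(f'{rec["proc"]} listens on {rec["addr"]}:{rec["port"]}')
    return findings

def live_findings(agent_names):
    """Run the check against the current host (needs `ss`; root to see process names)."""
    if shutil.which("ss") is None:
        raise RuntimeError("ss(8) not available on this host")
    out = subprocess.run(["ss", "-Hltnp"], capture_output=True, text=True, check=True).stdout
    return agent_findings(out, agent_names)

if __name__ == "__main__":
    print(agent_findings(SAMPLE_SS, {"amazon-ssm-agent", "example-agent"}))
```

An empty result for `amazon-ssm-agent` is what the comment reports; the loopback-only socket of the constructed agent is not flagged, its wildcard bind is.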


Amazon does do the same from what I understand, their official AMIs contain a management agent - I don't believe it's required though.


It's not, and by default it's not allowed to talk to the Service Manager. You have to explicitly allow this through an instance role.

You do lose some functionality, though.


Oracle on OCI does the same. You can perform some administrative tasks directly from a web panel, for instance.



