Security
Threat model and security implementation details.
Table of contents
- Design Principles
- Threat Model
- Credential Handling
- Rate Limiting
- SSRF Protection
- Deployment Checklist
Design Principles
- Memory safety -
#![forbid(unsafe_code)] - AWS transport security - All SSM traffic encrypted via TLS (WSS)
- Input validation - Defensive parsing throughout
- Rate limiting - Built-in DoS protection
Threat Model
| Threat | Mitigation |
|---|---|
| Message tampering | SHA-256 digest validation |
| Credential leakage | Redacted Debug impls, URL sanitization |
| Replay attacks | Sequence number tracking |
| DoS (large messages) | 10MB max payload |
| DoS (message flood) | Rate limiting (configurable) |
| SSRF | Strict AWS endpoint validation |
| MITM | TLS required (WSS only) |
Credential Handling
Credentials are automatically sanitized:
- Session tokens skipped in tracing spans
- URLs sanitized to remove query parameters in logs
- Custom
Debugimpls redact sensitive fields
Rate Limiting
Token bucket rate limiting:
use aws_ssm_bridge::{RateLimiter, RateLimitConfig};
let limiter = RateLimiter::new(RateLimitConfig {
tokens_per_second: 100.0,
bucket_size: 50,
..Default::default()
});
Default Limits
| Limit | Value |
|---|---|
| Max payload size | 10 MB |
| Max decompressed size | 100 MB |
| Buffer capacity | 10,000 messages |
SSRF Protection
URL validation ensures only AWS SSM endpoints are allowed:
wss://*.ssmmessages.{region}.amazonaws.com
wss://*.ssmmessages.{region}.amazonaws.com.cn
Prevents SSRF attacks where a malicious server might redirect connections.
Deployment Checklist
- Use environment variables or secrets manager for credentials
- Enable CloudTrail logging for SSM API calls
- Use VPC endpoints where possible
- Set appropriate
idle_timeoutandmax_duration - Monitor metrics for anomalies
- Keep dependencies updated (
cargo audit)