Skip to content

fix(use_aws): gate and redact ssm parameter and kms responses#520

Draft
yonib05 wants to merge 3 commits into
strands-agents:mainfrom
yonib05:fix/use-aws-sensitive-ops-coverage
Draft

fix(use_aws): gate and redact ssm parameter and kms responses#520
yonib05 wants to merge 3 commits into
strands-agents:mainfrom
yonib05:fix/use-aws-sensitive-ops-coverage

Conversation

@yonib05

@yonib05 yonib05 commented Jun 27, 2026

Copy link
Copy Markdown
Member

Description

Extends the sensitive-operation handling added in #467 to cover two AWS response shapes that currently return sensitive values to the model context without a consent prompt or redaction: SSM Parameter Store reads and KMS key operations.

This reuses the existing SENSITIVE_OPERATIONS set, SENSITIVE_RESPONSE_KEYS set, and redact_sensitive_values pipeline introduced in #467 rather than adding a parallel mechanism.

Behavior change

  • ssm get_parameter / get_parameters / get_parameters_by_path and kms decrypt / generate_data_key / generate_data_key_pair now prompt for consent and redact their values by default.
  • Set BYPASS_TOOL_CONSENT=true to skip the consent prompt for these operations. Redaction of sensitive values in the response is independent of the prompt and always applies.

Changes

  • Add to SENSITIVE_OPERATIONS (consent gate): ssm get_parameter / get_parameters / get_parameters_by_path, and kms decrypt / generate_data_key / generate_data_key_pair.
  • Add "plaintext" and "privatekeyplaintext" to SENSITIVE_RESPONSE_KEYS so KMS plaintext output is redacted.
  • Add redact_ssm_parameter_values, a narrowly scoped helper that redacts Parameter.Value and Parameters[].Value only for ssm responses. SSM SecureString values are returned under a generic Value key, which is too broad to add to the global key set without redacting unrelated fields, so this targets only the SSM response shapes.
  • Keep response redaction unconditional: BYPASS_TOOL_CONSENT skips only the confirmation prompt, not redaction, so sensitive values never reach the model context.
  • Add regression tests: consent gating for the new ssm/kms operations, SSM get_parameter / get_parameters value redaction, KMS decrypt plaintext redaction, KMS generate_data_key_pair private-key redaction, redacted values still returned under BYPASS_TOOL_CONSENT=true, and a non-ssm passthrough check.

Testing

  • pytest tests/test_use_aws.py (60 passed)
  • ruff format --check and ruff check pass.

Follow-up

Key-name based redaction is inherently incomplete for generically named fields. A possible follow-up is an opt-in STRANDS_USE_AWS_STRICT_CONSENT env var that prompts on every use_aws call, decoupling safety from the maintained allowlist. That is a larger behavior change and is left out of this PR. IAM least-privilege scoping remains the primary control, as documented in the module.

Extend the existing sensitive-operation handling to cover AWS Systems
Manager Parameter Store reads and KMS key operations, consistent with the
consent gate and response redaction already applied to STS, Secrets
Manager, and ECR.

- Add ssm get_parameter / get_parameters / get_parameters_by_path and kms
  decrypt / generate_data_key / generate_data_key_pair to
  SENSITIVE_OPERATIONS so they prompt for consent.
- Add "plaintext" and "privatekeyplaintext" to SENSITIVE_RESPONSE_KEYS to
  redact KMS plaintext output.
- Add redact_ssm_parameter_values to scrub SSM Parameter.Value and
  Parameters[].Value, scoped to ssm responses so unrelated "Value" keys
  are not touched.
- Add regression tests for the new gating and redaction.
Redaction of sensitive values is part of the consent gate. When
BYPASS_TOOL_CONSENT=true, the operator has already disabled consent,
so return values unredacted, consistent with how the bypass disables
the confirmation prompt. With no env set, the default still prompts
for consent and redacts values.

Also add a regression test for kms.generate_data_key_pair so its
PrivateKeyPlaintext is gated and redacted by default.
@yonib05 yonib05 marked this pull request as draft June 29, 2026 21:46
@yonib05

yonib05 commented Jul 1, 2026

Copy link
Copy Markdown
Member Author

/strands-ts review

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown

Review — LGTM ✅

Reviewed the changes locally. This is a focused, well-scoped extension of the #467 sensitive-operation handling.

Verification

  • pytest tests/test_use_aws.py60 passed
  • ruff check → clean
  • ruff format --check → clean

Strengths

  • Reuses the existing SENSITIVE_OPERATIONS / SENSITIVE_RESPONSE_KEYS / redact_sensitive_values pipeline instead of introducing a parallel mechanism.
  • Redaction is applied unconditionally after the consent gate (use_aws.py:499-500), so BYPASS_TOOL_CONSENT only skips the human prompt and never authorizes returning secrets to model context. This is the right security posture and is explicitly regression-tested.
  • redact_ssm_parameter_values is narrowly targeted (case-insensitive service check, immutable {**param} copies, only Parameter / Parameters[].Value) and the rationale for not adding a generic Value key to the global set is well justified.
  • Good regression coverage: parametrized consent gating for the new ssm/kms ops, value redaction for get_parameter/get_parameters, KMS decrypt plaintext and generate_data_key_pair private-key redaction, bypass-still-redacts, and a non-ssm passthrough.

Minor observations (non-blocking)

  1. plaintext is a somewhat generic key to add to the global SENSITIVE_RESPONSE_KEYS. The same collision concern used to justify keeping Value out of that set applies (weakly) here — it's much rarer than Value so this is acceptable, just worth noting.
  2. ssm get_parameters_by_path and kms generate_data_key (Plaintext) redaction are covered only transitively (shared helper / global-key logic). A couple of explicit redaction assertions would round out coverage, but this is optional.

No blocking issues — approving. The follow-up note on an opt-in strict-consent env var is a reasonable future direction to keep out of this PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant