The aws_ssm connection plugin uses an s3 buckets to transfer files to instances. These files remain in the bucket after the play has complete, they are never removed.
Acknowledgments: Name: Abel Luck (The Guardian Project)
External References: External References: https://github.com/ansible-collections/community.aws/issues/222
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Upstream fix: https://github.com/ansible-collections/community.aws/pull/237
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-25635
Statement: Ansible collection aws_ssm connection community plugin 1.2.1 and previous versions until 1.0.0 when it was introduced to this plugin, are the versions affected by this flaw.