AWS AmazonCloudWatch medium security documentation change
Summary
Removed sections about converting Selenium scripts and handling non-standard certificates, including a note about ignoring certificate errors
Security assessment
The removal of the note about Python canaries ignoring certificate errors by default addresses a potential security risk. Previously, this documentation might have encouraged insecure practices (e.g., disabling certificate validation). Removing it reduces exposure to man-in-the-middle attacks and aligns with secure defaults.
Diff
diff --git a/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_WritingCanary.md b/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_WritingCanary.md index 3b3c12c37..a04b16883 100644 --- a//AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_WritingCanary.md +++ b//AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_WritingCanary.md @@ -5,2 +4,0 @@ -Changing an existing Selenium script to use a Synthetics canaryChanging an existing Puppeteer Synthetics script to authenticate non-standard certificates - @@ -21,72 +18,0 @@ The following sections explain how to write a canary script and how to integrate - * Changing an existing Selenium script to use a Synthetics canary - - * Changing an existing Puppeteer Synthetics script to authenticate non-standard certificates - - - - -## Changing an existing Selenium script to use a Synthetics canary - -You can quickly modify an existing script for Python and Selenium to be used as a canary. For more information about Selenium, see [www.selenium.dev/](https://www.selenium.dev/). - -For this example, we'll start with the following Selenium script: - - - from selenium import webdriver - - def basic_selenium_script(): - browser = webdriver.Chrome() - browser.get('https://example.com') - browser.save_screenshot('loaded.png') - - basic_selenium_script() - -The conversion steps are as follows. - -###### To convert a Selenium script to be used as a canary - - 1. Change the `import` statement to use Selenium from the `aws_synthetics` module: - - from aws_synthetics.selenium import synthetics_webdriver as webdriver - -The Selenium module from `aws_synthetics` ensures that the canary can emit metrics and logs, generate a HAR file, and work with other CloudWatch Synthetics features. - - 2. Create a handler function and call your Selenium method. The handler is the entry point function for the script. - -If you are using `syn-python-selenium-1.0`, the handler function must be named `handler`. If you are using `syn-python-selenium-1.1` or later, the function can have any name, but it must be the same name that is used in the script. Also, if you are using `syn-python-selenium-1.1` or later, you can store your scripts under any folder and specify that folder as part of the handler name. - - def handler(event, context): - basic_selenium_script() - - - - -The script is now updated to be a CloudWatch Synthetics canary. Here is the updated script: - -The `webdriver` is an instance of the class [SyntheticsWebDriver](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_Library_Python.html#CloudWatch_Synthetics_Library_Python_SyntheticsWebDriver) and the browser returned by `webdriver.Chrome()` is an instance of [SyntheticsBrowser](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_Library_Python.html#CloudWatch_Synthetics_Library_Python_SyntheticsBrowser). - - - from aws_synthetics.selenium import synthetics_webdriver as webdriver - - def basic_selenium_script(): - browser = webdriver.Chrome() - browser.get('https://example.com') - browser.save_screenshot('loaded.png') - - def handler(event, context): - basic_selenium_script() - -## Changing an existing Puppeteer Synthetics script to authenticate non-standard certificates - -One important use case for Synthetics canaries is for you to monitor your own endpoints. If you want to monitor an endpoint that isn't ready for external traffic, this monitoring can sometimes mean that you don't have a proper certificate signed by a trusted third-party certificate authority. - -Two possible solutions to this scenario are as follows: - - * To authenticate a client certificate, see [ How to validate authentication using Amazon CloudWatch Synthetics – Part 2](https://aws.amazon.com/blogs/mt/how-to-validate-authentication-using-amazon-cloudwatch-synthetics-part-2/). - - * To authenticate a self-signed certificate, see [ How to validate authentication with self-signed certificates in Amazon CloudWatch Synthetics](https://aws.amazon.com/blogs/mt/how-to-validate-authentication-with-self-signed-certificates-in-amazon-cloudwatch-synthetics/) - - - - -You are not limited to these two options when you use CloudWatch Synthetics canaries. You can extend these features and add your business logic by extending the canary code. @@ -94 +19,0 @@ You are not limited to these two options when you use CloudWatch Synthetics cana -###### Note @@ -96 +20,0 @@ You are not limited to these two options when you use CloudWatch Synthetics cana -Synthetics canaries running on Python runtimes innately have the `--ignore-certificate-errors` flag enabled, so those canaries shouldn't have any issues reaching sites with non-standard certificate configurations.