AWS Security ChangesHomeSearch

AWS AmazonCloudWatch medium security documentation change

Service: AmazonCloudWatch · 2025-08-10 · Security-related medium

File: AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_WritingCanary_Python.md

Summary

Added documentation sections for converting Selenium scripts to Synthetics canaries and handling non-standard certificates

Security assessment

The change explicitly documents handling of non-standard certificates (self-signed/client certs) and reveals that Python canaries have '--ignore-certificate-errors' enabled by default. Disabling certificate validation introduces security risks like MITM attacks, making this a security-related documentation update.

Diff

diff --git a/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_WritingCanary_Python.md b/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_WritingCanary_Python.md
index f1b14cc04..4f14f1c30 100644
--- a//AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_WritingCanary_Python.md
+++ b//AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_WritingCanary_Python.md
@@ -5 +5 @@
-Packaging your Python canary files
+Packaging your Python canary files Changing an existing Selenium script to use a Synthetics canaryChanging an existing Puppeteer Synthetics script to authenticate non-standard certificates
@@ -34,0 +35,70 @@ Be sure to set your canary’s script entry point as `my_canary_filename.functio
+##  Changing an existing Selenium script to use a Synthetics canary
+
+You can quickly modify an existing script for Python and Selenium to be used as a canary. For more information about Selenium, see [www.selenium.dev/](https://www.selenium.dev/).
+
+For this example, we'll start with the following Selenium script:
+    
+    
+    from selenium import webdriver
+    
+    def basic_selenium_script():
+        browser = webdriver.Chrome()
+        browser.get('https://example.com')
+        browser.save_screenshot('loaded.png')
+    
+    basic_selenium_script()
+
+The conversion steps are as follows.
+
+###### To convert a Selenium script to be used as a canary
+
+  1. Change the `import` statement to use Selenium from the `aws_synthetics` module:
+    
+        from aws_synthetics.selenium import synthetics_webdriver as webdriver
+
+The Selenium module from `aws_synthetics` ensures that the canary can emit metrics and logs, generate a HAR file, and work with other CloudWatch Synthetics features.
+
+  2. Create a handler function and call your Selenium method. The handler is the entry point function for the script.
+
+If you are using `syn-python-selenium-1.0`, the handler function must be named `handler`. If you are using `syn-python-selenium-1.1` or later, the function can have any name, but it must be the same name that is used in the script. Also, if you are using `syn-python-selenium-1.1` or later, you can store your scripts under any folder and specify that folder as part of the handler name.
+    
+        def handler(event, context):
+        basic_selenium_script()
+
+
+
+
+The script is now updated to be a CloudWatch Synthetics canary. Here is the updated script:
+
+The `webdriver` is an instance of the class [SyntheticsWebDriver](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_Library_Python.html#CloudWatch_Synthetics_Library_Python_SyntheticsWebDriver) and the browser returned by `webdriver.Chrome()` is an instance of [SyntheticsBrowser](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_Library_Python.html#CloudWatch_Synthetics_Library_Python_SyntheticsBrowser).
+    
+    
+    from aws_synthetics.selenium import synthetics_webdriver as webdriver
+    
+    def basic_selenium_script():
+        browser = webdriver.Chrome()
+        browser.get('https://example.com')
+        browser.save_screenshot('loaded.png')
+    
+    def handler(event, context):
+        basic_selenium_script()
+
+## Changing an existing Puppeteer Synthetics script to authenticate non-standard certificates
+
+One important use case for Synthetics canaries is for you to monitor your own endpoints. If you want to monitor an endpoint that isn't ready for external traffic, this monitoring can sometimes mean that you don't have a proper certificate signed by a trusted third-party certificate authority.
+
+Two possible solutions to this scenario are as follows:
+
+  * To authenticate a client certificate, see [ How to validate authentication using Amazon CloudWatch Synthetics – Part 2](https://aws.amazon.com/blogs/mt/how-to-validate-authentication-using-amazon-cloudwatch-synthetics-part-2/).
+
+  * To authenticate a self-signed certificate, see [ How to validate authentication with self-signed certificates in Amazon CloudWatch Synthetics](https://aws.amazon.com/blogs/mt/how-to-validate-authentication-with-self-signed-certificates-in-amazon-cloudwatch-synthetics/)
+
+
+
+
+You are not limited to these two options when you use CloudWatch Synthetics canaries. You can extend these features and add your business logic by extending the canary code.
+
+###### Note
+
+Synthetics canaries running on Python runtimes innately have the `--ignore-certificate-errors` flag enabled, so those canaries shouldn't have any issues reaching sites with non-standard certificate configurations.
+