AWS Security ChangesHomeSearch

AWS code-library documentation change

Service: code-library · 2026-04-19 · Documentation low

File: code-library/latest/ug/bash_2_cloudfront_code_examples.md

Summary

Added a comprehensive AWS WAF (Web Application Firewall) tutorial with CloudFront integration, including creating web ACLs, adding string match rules, AWS managed rules, and cleanup procedures. Also simplified the existing CloudFront example description.

Security assessment

This change adds extensive documentation about AWS WAF, which is a security feature for protecting web applications. The tutorial demonstrates how to create web ACLs with security rules (including AWS Managed Rules Common Rule Set) and associate them with CloudFront distributions. While this adds security documentation, there is no evidence it addresses a specific security vulnerability or incident - it appears to be routine documentation enhancement for security features.

Diff

diff --git a/code-library/latest/ug/bash_2_cloudfront_code_examples.md b/code-library/latest/ug/bash_2_cloudfront_code_examples.md
index 7d73c0a48..78d21bea3 100644
--- a//code-library/latest/ug/bash_2_cloudfront_code_examples.md
+++ b//code-library/latest/ug/bash_2_cloudfront_code_examples.md
@@ -30 +30 @@ The following code example shows how to:
-  * Create an Amazon S3 bucket for content storage
+  * Create an Amazon S3 bucket
@@ -32 +32 @@ The following code example shows how to:
-  * Upload sample content to the S3 bucket
+  * Upload content to the bucket
@@ -34 +34 @@ The following code example shows how to:
-  * Create an origin access control (OAC) for secure S3 access
+  * Create a CloudFront distribution with OAC
@@ -36,7 +36 @@ The following code example shows how to:
-  * Create a CloudFront distribution with S3 as origin
-
-  * Update S3 bucket policy to allow CloudFront access
-
-  * Wait for distribution deployment and test content access
-
-  * Clean up resources including distribution, OAC, and S3 bucket
+  * Clean up resources
@@ -376,0 +371,464 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+The following code example shows how to:
+
+  * Create a web ACL
+
+  * Add a string match rule
+
+  * Add managed rules
+
+  * Configure logging
+
+  * Clean up resources
+
+
+
+
+**AWS CLI with Bash script**
+    
+
+###### Note
+
+There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/052-aws-waf-gs) repository. 
+    
+    
+    #!/bin/bash
+    
+    # AWS WAF Getting Started Script
+    # This script creates a Web ACL with a string match rule and AWS Managed Rules,
+    # associates it with a CloudFront distribution, and then cleans up all resources.
+    
+    # Set up logging
+    LOG_FILE="waf-tutorial.log"
+    exec > >(tee -a "$LOG_FILE") 2>&1
+    
+    echo "==================================================="
+    echo "AWS WAF Getting Started Tutorial"
+    echo "==================================================="
+    echo "This script will create AWS WAF resources and associate"
+    echo "them with a CloudFront distribution."
+    echo ""
+    
+    # Maximum number of retries for operations
+    MAX_RETRIES=3
+    
+    # Function to handle errors
+    handle_error() {
+        echo "ERROR: $1"
+        echo "Check the log file for details: $LOG_FILE"
+        cleanup_resources
+        exit 1
+    }
+    
+    # Function to check command success
+    check_command() {
+        if echo "$1" | grep -i "error" > /dev/null; then
+            handle_error "$2: $1"
+        fi
+    }
+    
+    # Function to clean up resources
+    cleanup_resources() {
+        echo ""
+        echo "==================================================="
+        echo "CLEANING UP RESOURCES"
+        echo "==================================================="
+        
+        if [ -n "$DISTRIBUTION_ID" ] && [ -n "$WEB_ACL_ARN" ]; then
+            echo "Disassociating Web ACL from CloudFront distribution..."
+            DISASSOCIATE_RESULT=$(aws wafv2 disassociate-web-acl \
+                --resource-arn "arn:aws:cloudfront::$(aws sts get-caller-identity --query Account --output text):distribution/$DISTRIBUTION_ID" \
+                --region us-east-1 2>&1)
+            
+            if echo "$DISASSOCIATE_RESULT" | grep -i "error" > /dev/null; then
+                echo "Warning: Failed to disassociate Web ACL: $DISASSOCIATE_RESULT"
+            else
+                echo "Web ACL disassociated successfully."
+            fi
+        fi
+        
+        if [ -n "$WEB_ACL_ID" ] && [ -n "$WEB_ACL_NAME" ]; then
+            echo "Deleting Web ACL..."
+            
+            # Get the latest lock token before deletion
+            GET_RESULT=$(aws wafv2 get-web-acl \
+                --name "$WEB_ACL_NAME" \
+                --scope CLOUDFRONT \
+                --id "$WEB_ACL_ID" \
+                --region us-east-1 2>&1)
+            
+            if echo "$GET_RESULT" | grep -i "error" > /dev/null; then
+                echo "Warning: Failed to get Web ACL for deletion: $GET_RESULT"
+                echo "You may need to manually delete the Web ACL using the AWS Console."
+            else
+                LATEST_TOKEN=$(echo "$GET_RESULT" | grep -o '"LockToken": "[^"]*' | cut -d'"' -f4)
+                
+                if [ -n "$LATEST_TOKEN" ]; then
+                    DELETE_RESULT=$(aws wafv2 delete-web-acl \
+                        --name "$WEB_ACL_NAME" \
+                        --scope CLOUDFRONT \
+                        --id "$WEB_ACL_ID" \
+                        --lock-token "$LATEST_TOKEN" \
+                        --region us-east-1 2>&1)
+                    
+                    if echo "$DELETE_RESULT" | grep -i "error" > /dev/null; then
+                        echo "Warning: Failed to delete Web ACL: $DELETE_RESULT"
+                        echo "You may need to manually delete the Web ACL using the AWS Console."
+                    else
+                        echo "Web ACL deleted successfully."
+                    fi
+                else
+                    echo "Warning: Could not extract lock token for deletion. You may need to manually delete the Web ACL."
+                fi
+            fi
+        fi
+        
+        echo "Cleanup process completed."
+    }
+    
+    # Generate a random identifier for resource names
+    RANDOM_ID=$(openssl rand -hex 4)
+    WEB_ACL_NAME="MyWebACL-${RANDOM_ID}"
+    METRIC_NAME="MyWebACLMetrics-${RANDOM_ID}"
+    
+    echo "Using Web ACL name: $WEB_ACL_NAME"
+    
+    # Step 1: Create a Web ACL
+    echo ""
+    echo "==================================================="
+    echo "STEP 1: Creating Web ACL"
+    echo "==================================================="
+    
+    CREATE_RESULT=$(aws wafv2 create-web-acl \
+        --name "$WEB_ACL_NAME" \
+        --scope "CLOUDFRONT" \
+        --default-action Allow={} \
+        --visibility-config "SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=$METRIC_NAME" \
+        --region us-east-1 2>&1)
+    
+    check_command "$CREATE_RESULT" "Failed to create Web ACL"
+    
+    # Extract Web ACL ID, ARN, and Lock Token from the Summary object
+    WEB_ACL_ID=$(echo "$CREATE_RESULT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4)
+    WEB_ACL_ARN=$(echo "$CREATE_RESULT" | grep -o '"ARN": "[^"]*' | cut -d'"' -f4)
+    LOCK_TOKEN=$(echo "$CREATE_RESULT" | grep -o '"LockToken": "[^"]*' | cut -d'"' -f4)
+    
+    if [ -z "$WEB_ACL_ID" ]; then
+        handle_error "Failed to extract Web ACL ID"
+    fi
+    
+    if [ -z "$LOCK_TOKEN" ]; then
+        handle_error "Failed to extract Lock Token"
+    fi
+    
+    echo "Web ACL created successfully with ID: $WEB_ACL_ID"
+    echo "Lock Token: $LOCK_TOKEN"
+    
+    # Step 2: Add a String Match Rule
+    echo ""
+    echo "==================================================="
+    echo "STEP 2: Adding String Match Rule"
+    echo "==================================================="
+    
+    # Try to update with retries
+    for ((i=1; i<=MAX_RETRIES; i++)); do
+        echo "Attempt $i to add string match rule..."
+        
+        # Get the latest lock token before updating
+        GET_RESULT=$(aws wafv2 get-web-acl \
+            --name "$WEB_ACL_NAME" \
+            --scope CLOUDFRONT \
+            --id "$WEB_ACL_ID" \
+            --region us-east-1 2>&1)
+        
+        if echo "$GET_RESULT" | grep -i "error" > /dev/null; then
+            echo "Warning: Failed to get Web ACL for update: $GET_RESULT"
+            if [ "$i" -eq "$MAX_RETRIES" ]; then
+                handle_error "Failed to get Web ACL after $MAX_RETRIES attempts"
+            fi