AWS Security ChangesHomeSearch

AWS code-library documentation change

Service: code-library · 2026-04-19 · Documentation low

File: code-library/latest/ug/bash_2_iam_code_examples.md

Summary

Replaced Attribute-Based Access Control (ABAC) for DynamoDB example with ECS Service Connect setup script including IAM roles, security groups, and logging configuration

Security assessment

The change adds documentation about configuring IAM roles (including task execution roles with limited permissions), security groups with restricted ingress rules, and CloudWatch logging - all security best practices. However, there's no evidence this addresses a specific security vulnerability or incident.

Diff

diff --git a/code-library/latest/ug/bash_2_iam_code_examples.md b/code-library/latest/ug/bash_2_iam_code_examples.md
index 364ba0071..9e771f39c 100644
--- a//code-library/latest/ug/bash_2_iam_code_examples.md
+++ b//code-library/latest/ug/bash_2_iam_code_examples.md
@@ -2529 +2529 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-The following code example shows how to implement Attribute-Based Access Control (ABAC) for DynamoDB.
+The following code example shows how to:
@@ -2531 +2531 @@ The following code example shows how to implement Attribute-Based Access Control
-  * Create an IAM policy for ABAC.
+  * Create the VPC infrastructure
@@ -2533 +2533 @@ The following code example shows how to implement Attribute-Based Access Control
-  * Create tables with tags for different departments.
+  * Set up logging
@@ -2535 +2535,9 @@ The following code example shows how to implement Attribute-Based Access Control
-  * List and filter tables based on tags.
+  * Create the ECS cluster
+
+  * Configure IAM roles
+
+  * Create the service with Service Connect
+
+  * Verify the deployment
+
+  * Clean up resources
@@ -2543 +2551 @@ The following code example shows how to implement Attribute-Based Access Control
-Create an IAM policy for ABAC.
+###### Note
@@ -2544,0 +2553 @@ Create an IAM policy for ABAC.
+There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/085-amazon-ecs-service-connect) repository. 
@@ -2546,2 +2555,243 @@ Create an IAM policy for ABAC.
-    # Step 1: Create a policy document for ABAC
-    cat > abac-policy.json << 'EOF'
+    
+    #!/bin/bash
+    
+    # ECS Service Connect Tutorial Script v4 - Modified to use Default VPC
+    # This script creates an ECS cluster with Service Connect and deploys an nginx service
+    # Uses the default VPC to avoid VPC limits
+    
+    set -e  # Exit on any error
+    
+    # Configuration
+    SCRIPT_NAME="ECS Service Connect Tutorial"
+    LOG_FILE="ecs-service-connect-tutorial-v4-default-vpc.log"
+    REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null)}}
+    if [ -z "$REGION" ]; then
+        echo "ERROR: No AWS region configured."
+        echo "Set one with: aws configure set region us-east-1"
+        exit 1
+    fi
+    ENV_PREFIX="tutorial"
+    CLUSTER_NAME="${ENV_PREFIX}-cluster"
+    NAMESPACE_NAME="service-connect"
+    
+    # Generate random suffix for unique resource names
+    RANDOM_SUFFIX=$(openssl rand -hex 6)
+    
+    # Arrays to track created resources for cleanup
+    declare -a CREATED_RESOURCES=()
+    
+    # Logging function
+    log() {
+        echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE"
+    }
+    
+    # Error handling function
+    handle_error() {
+        log "ERROR: Script failed at line $1"
+        log "Attempting to clean up resources..."
+        cleanup_resources
+        exit 1
+    }
+    
+    # Set up error handling
+    trap 'handle_error $LINENO' ERR
+    
+    # Function to add resource to tracking array
+    track_resource() {
+        CREATED_RESOURCES+=("$1")
+        log "Tracking resource: $1"
+    }
+    
+    # Function to check if command output contains actual errors
+    check_for_errors() {
+        local output="$1"
+        local command_name="$2"
+        
+        # Check for specific AWS CLI error patterns, not just any occurrence of "error"
+        if echo "$output" | grep -qi "An error occurred\|InvalidParameterException\|AccessDenied\|ValidationException\|ResourceNotFoundException"; then
+            log "ERROR in $command_name: $output"
+            return 1
+        fi
+        return 0
+    }
+    
+    # Function to get AWS account ID
+    get_account_id() {
+        ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+        log "Using AWS Account ID: $ACCOUNT_ID"
+    }
+    
+    # Function to wait for resources to be ready
+    wait_for_resource() {
+        local resource_type="$1"
+        local resource_id="$2"
+        
+        case "$resource_type" in
+            "cluster")
+                log "Waiting for cluster $resource_id to be active..."
+                local attempt=1
+                local max_attempts=30
+                while [ $attempt -le $max_attempts ]; do
+                    local status=$(aws ecs describe-clusters --clusters "$resource_id" --query 'clusters[0].status' --output text)
+                    if [ "$status" = "ACTIVE" ]; then
+                        log "Cluster is now active"
+                        return 0
+                    fi
+                    log "Cluster status: $status (attempt $attempt/$max_attempts)"
+                    sleep 10
+                    ((attempt++))
+                done
+                log "ERROR: Cluster did not become active within expected time"
+                return 1
+                ;;
+            "service")
+                log "Waiting for service $resource_id to be stable..."
+                aws ecs wait services-stable --cluster "$CLUSTER_NAME" --services "$resource_id"
+                ;;
+            "nat-gateway")
+                log "Waiting for NAT Gateway $resource_id to be available..."
+                aws ec2 wait nat-gateway-available --nat-gateway-ids "$resource_id"
+                ;;
+        esac
+    }
+    
+    # Function to use default VPC infrastructure
+    setup_default_vpc_infrastructure() {
+        log "Using default VPC infrastructure..."
+        
+        # Get default VPC
+        VPC_ID=$(aws ec2 describe-vpcs --filters "Name=isDefault,Values=true" --query 'Vpcs[0].VpcId' --output text)
+        if [[ "$VPC_ID" == "None" || -z "$VPC_ID" ]]; then
+            log "ERROR: No default VPC found. Please create a default VPC first."
+            exit 1
+        fi
+        log "Using default VPC: $VPC_ID"
+        
+        # Get default subnets
+        SUBNETS=$(aws ec2 describe-subnets --filters "Name=vpc-id,Values=$VPC_ID" "Name=default-for-az,Values=true" --query 'Subnets[].SubnetId' --output text)
+        SUBNET_ARRAY=($SUBNETS)
+        
+        if [ ${#SUBNET_ARRAY[@]} -lt 2 ]; then
+            log "ERROR: Need at least 2 subnets for ECS Service Connect. Found: ${#SUBNET_ARRAY[@]}"
+            exit 1
+        fi
+        
+        PUBLIC_SUBNET1=${SUBNET_ARRAY[0]}
+        PUBLIC_SUBNET2=${SUBNET_ARRAY[1]}
+        
+        log "Using subnets: $PUBLIC_SUBNET1, $PUBLIC_SUBNET2"
+        
+        # Create security group for ECS tasks
+        SG_OUTPUT=$(aws ec2 create-security-group \
+            --group-name "${ENV_PREFIX}-ecs-sg-${RANDOM_SUFFIX}" \
+            --description "Security group for ECS Service Connect tutorial" \
+            --vpc-id "$VPC_ID" 2>&1)
+        check_for_errors "$SG_OUTPUT" "create-security-group"
+        SECURITY_GROUP_ID=$(echo "$SG_OUTPUT" | grep -o '"GroupId": "[^"]*"' | cut -d'"' -f4)
+        track_resource "SG:$SECURITY_GROUP_ID"
+        log "Created security group: $SECURITY_GROUP_ID"
+        
+        # Add inbound rules to security group
+        aws ec2 authorize-security-group-ingress \
+            --group-id "$SECURITY_GROUP_ID" \
+            --protocol tcp \
+            --port 80 \
+            --cidr 0.0.0.0/0 >/dev/null 2>&1 || true
+        
+        aws ec2 authorize-security-group-ingress \
+            --group-id "$SECURITY_GROUP_ID" \
+            --protocol tcp \
+            --port 443 \
+            --cidr 0.0.0.0/0 >/dev/null 2>&1 || true
+        
+        log "Default VPC infrastructure setup completed"
+    }
+    
+    # Function to create CloudWatch log groups
+    create_log_groups() {
+        log "Creating CloudWatch log groups..."
+        
+        # Create log group for nginx container
+        aws logs create-log-group --log-group-name "/ecs/service-connect-nginx" 2>&1 | grep -v "ResourceAlreadyExistsException" || {
+            if [ ${PIPESTATUS[0]} -eq 0 ]; then
+                log "Log group /ecs/service-connect-nginx created"
+                track_resource "LOG_GROUP:/ecs/service-connect-nginx"
+            else
+                log "Log group /ecs/service-connect-nginx already exists"
+            fi
+        }