AWS IAM documentation change
Summary
Enhanced example script with security best practices: added secure file permissions, input validation, error handling, sensitive data redaction, and automated resource cleanup.
Security assessment
The changes implement security improvements like umask 077 for file permissions, secure JSON validation, sensitive token redaction, and improved error handling. These are security enhancements but don't fix a specific vulnerability.
Diff
diff --git a/IAM/latest/UserGuide/sts_example_wafv2_GettingStarted_052_section.md b/IAM/latest/UserGuide/sts_example_wafv2_GettingStarted_052_section.md index 2c3bd8213..c76550e5e 100644 --- a//IAM/latest/UserGuide/sts_example_wafv2_GettingStarted_052_section.md +++ b//IAM/latest/UserGuide/sts_example_wafv2_GettingStarted_052_section.md @@ -41 +41,6 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - # Set up logging + set -euo pipefail + + # Security: Restrict file permissions + umask 077 + + # Set up logging with secure file handling @@ -42,0 +48,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + touch "$LOG_FILE" + chmod 600 "$LOG_FILE" @@ -55 +62 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - # Function to handle errors + # Function to handle errors securely @@ -57,2 +64,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - echo "ERROR: $1" - echo "Check the log file for details: $LOG_FILE" + local error_msg="$1" + echo "ERROR: $error_msg" >&2 + echo "Check the log file for details: $LOG_FILE" >&2 @@ -63,4 +71,16 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - # Function to check command success - check_command() { - if echo "$1" | grep -i "error" > /dev/null; then - handle_error "$2: $1" + # Function to validate AWS CLI JSON output + validate_json() { + local json_string="$1" + if ! echo "$json_string" | jq empty 2>/dev/null; then + return 1 + fi + return 0 + } + + # Function to safely extract JSON values + extract_json_value() { + local json_string="$1" + local key_path="$2" + + if ! validate_json "$json_string"; then + return 1 @@ -67,0 +88,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + + echo "$json_string" | jq -r "$key_path" 2>/dev/null || return 1 @@ -70 +92 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - # Function to clean up resources + # Function to clean up resources securely @@ -77 +99 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if [ -n "$DISTRIBUTION_ID" ] && [ -n "$WEB_ACL_ARN" ]; then + if [ -n "${DISTRIBUTION_ID:-}" ] && [ -n "${WEB_ACL_ARN:-}" ]; then @@ -79,3 +101,7 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - DISASSOCIATE_RESULT=$(aws wafv2 disassociate-web-acl \ - --resource-arn "arn:aws:cloudfront::$(aws sts get-caller-identity --query Account --output text):distribution/$DISTRIBUTION_ID" \ - --region us-east-1 2>&1) + local account_id + account_id=$(aws sts get-caller-identity --query Account --output text 2>/dev/null) || account_id="" + + if [ -z "$account_id" ]; then + echo "Warning: Could not retrieve AWS account ID" + return + fi @@ -83,2 +109,7 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if echo "$DISASSOCIATE_RESULT" | grep -i "error" > /dev/null; then - echo "Warning: Failed to disassociate Web ACL: $DISASSOCIATE_RESULT" + local disassociate_result + disassociate_result=$(aws wafv2 disassociate-web-acl \ + --resource-arn "arn:aws:cloudfront::${account_id}:distribution/${DISTRIBUTION_ID}" \ + --region us-east-1 2>&1) || true + + if echo "$disassociate_result" | grep -qi "error"; then + echo "Warning: Failed to disassociate Web ACL: $disassociate_result" @@ -90 +121 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if [ -n "$WEB_ACL_ID" ] && [ -n "$WEB_ACL_NAME" ]; then + if [ -n "${WEB_ACL_ID:-}" ] && [ -n "${WEB_ACL_NAME:-}" ]; then @@ -93,2 +124,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - # Get the latest lock token before deletion - GET_RESULT=$(aws wafv2 get-web-acl \ + local get_result + get_result=$(aws wafv2 get-web-acl \ @@ -98 +129 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --region us-east-1 2>&1) + --region us-east-1 2>&1) || true @@ -100,2 +131,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if echo "$GET_RESULT" | grep -i "error" > /dev/null; then - echo "Warning: Failed to get Web ACL for deletion: $GET_RESULT" + if echo "$get_result" | grep -qi "error"; then + echo "Warning: Failed to get Web ACL for deletion: $get_result" @@ -104 +135,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - LATEST_TOKEN=$(echo "$GET_RESULT" | grep -o '"LockToken": "[^"]*' | cut -d'"' -f4) + local latest_token + latest_token=$(extract_json_value "$get_result" '.WebACL.LockToken' 2>/dev/null) || latest_token="" @@ -106,2 +138,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if [ -n "$LATEST_TOKEN" ]; then - DELETE_RESULT=$(aws wafv2 delete-web-acl \ + if [ -n "$latest_token" ]; then + local delete_result + delete_result=$(aws wafv2 delete-web-acl \ @@ -111,2 +144,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --lock-token "$LATEST_TOKEN" \ - --region us-east-1 2>&1) + --lock-token "$latest_token" \ + --region us-east-1 2>&1) || true @@ -114,2 +147,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if echo "$DELETE_RESULT" | grep -i "error" > /dev/null; then - echo "Warning: Failed to delete Web ACL: $DELETE_RESULT" + if echo "$delete_result" | grep -qi "error"; then + echo "Warning: Failed to delete Web ACL: $delete_result" @@ -129,2 +162,5 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - # Generate a random identifier for resource names - RANDOM_ID=$(openssl rand -hex 4) + # Security: Trap EXIT to ensure cleanup on any exit + trap cleanup_resources EXIT + + # Generate a random identifier for resource names using secure method + RANDOM_ID=$(openssl rand -hex 4) || handle_error "Failed to generate random ID" @@ -142 +178,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - CREATE_RESULT=$(aws wafv2 create-web-acl \ + local create_result + create_result=$(aws wafv2 create-web-acl \ @@ -147,3 +184 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --region us-east-1 2>&1) - - check_command "$CREATE_RESULT" "Failed to create Web ACL" + --region us-east-1 2>&1) || handle_error "Failed to create Web ACL" @@ -151,7 +186,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - # Extract Web ACL ID, ARN, and Lock Token from the Summary object - WEB_ACL_ID=$(echo "$CREATE_RESULT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4) - WEB_ACL_ARN=$(echo "$CREATE_RESULT" | grep -o '"ARN": "[^"]*' | cut -d'"' -f4) - LOCK_TOKEN=$(echo "$CREATE_RESULT" | grep -o '"LockToken": "[^"]*' | cut -d'"' -f4) - - if [ -z "$WEB_ACL_ID" ]; then - handle_error "Failed to extract Web ACL ID" + if ! validate_json "$create_result"; then + handle_error "Invalid JSON response from create-web-acl" @@ -160,3 +190,4 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if [ -z "$LOCK_TOKEN" ]; then - handle_error "Failed to extract Lock Token" - fi + # Extract Web ACL ID, ARN, and Lock Token from the response + WEB_ACL_ID=$(extract_json_value "$create_result" '.Summary.Id') || handle_error "Failed to extract Web ACL ID" + WEB_ACL_ARN=$(extract_json_value "$create_result" '.Summary.ARN') || handle_error "Failed to extract Web ACL ARN" + LOCK_TOKEN=$(extract_json_value "$create_result" '.Summary.LockToken') || handle_error "Failed to extract Lock Token" @@ -165 +196 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - echo "Lock Token: $LOCK_TOKEN" + echo "Lock Token: [REDACTED]" @@ -173 +203,0 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - # Try to update with retries @@ -178 +208,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - GET_RESULT=$(aws wafv2 get-web-acl \ + local get_result + get_result=$(aws wafv2 get-web-acl \ @@ -182 +213 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --region us-east-1 2>&1) + --region us-east-1 2>&1) || true @@ -184,2 +215,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if echo "$GET_RESULT" | grep -i "error" > /dev/null; then - echo "Warning: Failed to get Web ACL for update: $GET_RESULT" + if echo "$get_result" | grep -qi "error"; then + echo "Warning: Failed to get Web ACL for update: $get_result" @@ -193 +224,11 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - LATEST_TOKEN=$(echo "$GET_RESULT" | grep -o '"LockToken": "[^"]*' | cut -d'"' -f4) + if ! validate_json "$get_result"; then + echo "Warning: Invalid JSON response from get-web-acl" + if [ "$i" -eq "$MAX_RETRIES" ]; then + handle_error "Invalid JSON response after $MAX_RETRIES attempts" + fi + sleep 2 + continue + fi + + local latest_token + latest_token=$(extract_json_value "$get_result" '.WebACL.LockToken' 2>/dev/null) || true @@ -195 +236 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if [ -z "$LATEST_TOKEN" ]; then + if [ -z "$latest_token" ]; then @@ -204,3 +245,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - echo "Using lock token: $LATEST_TOKEN" - - UPDATE_RESULT=$(aws wafv2 update-web-acl \ + local update_result + update_result=$(aws wafv2 update-web-acl \ @@ -210 +250 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --lock-token "$LATEST_TOKEN" \ + --lock-token "$latest_token" \ @@ -242 +282 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --region us-east-1 2>&1) + --region us-east-1 2>&1) || true @@ -244 +284 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if echo "$UPDATE_RESULT" | grep -i "WAFOptimisticLockException" > /dev/null; then + if echo "$update_result" | grep -qi "WAFOptimisticLockException"; then @@ -247 +287 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - handle_error "Failed to add string match rule after $MAX_RETRIES attempts: $UPDATE_RESULT" + handle_error "Failed to add string match rule after $MAX_RETRIES attempts" @@ -251,2 +291,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - elif echo "$UPDATE_RESULT" | grep -i "error" > /dev/null; then - handle_error "Failed to add string match rule: $UPDATE_RESULT"