AWS Security ChangesHomeSearch

AWS code-library documentation change

Service: code-library · 2026-05-01 · Documentation low

File: code-library/latest/ug/bash_2_elastic-load-balancing-v2_code_examples.md

Summary

Enhanced AWS CLI example script for Elastic Load Balancing with improved error handling, input validation, security warnings, and reliability improvements. Added ARN format validation, security group/VPC ID validation, stderr error messaging, dependency violation retries, and security group configuration warnings.

Security assessment

The changes add security-focused input validation (ARN/SG/VPC formats) and explicit warnings about overly permissive security group rules (0.0.0.0/0), which helps prevent misconfigurations. However, there's no evidence this addresses a specific disclosed vulnerability. The security documentation additions are proactive best practices.

Diff

diff --git a/code-library/latest/ug/bash_2_elastic-load-balancing-v2_code_examples.md b/code-library/latest/ug/bash_2_elastic-load-balancing-v2_code_examples.md
index dcc24127e..46e237f6e 100644
--- a//code-library/latest/ug/bash_2_elastic-load-balancing-v2_code_examples.md
+++ b//code-library/latest/ug/bash_2_elastic-load-balancing-v2_code_examples.md
@@ -59,0 +60,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+    set -euo pipefail
+    
@@ -69 +71 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        echo "ERROR: $1"
+        echo "ERROR: $1" >&2
@@ -75 +77 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    # Function to check command success
+    # Function to check AWS CLI command success
@@ -77,2 +79,27 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        if echo "$1" | grep -i "error" > /dev/null; then
-            handle_error "$1"
+        local output="$1"
+        if [[ -z "$output" ]] || [[ "$output" == "None" ]]; then
+            handle_error "AWS CLI command returned empty or invalid output"
+        fi
+    }
+    
+    # Function to validate ARN format
+    validate_arn() {
+        local arn="$1"
+        if [[ ! "$arn" =~ ^arn:aws:[a-z0-9-]+:[a-z0-9-]*:[0-9]{12}:.+$ ]]; then
+            handle_error "Invalid ARN format: $arn"
+        fi
+    }
+    
+    # Function to validate security group ID
+    validate_security_group_id() {
+        local sg_id="$1"
+        if [[ ! "$sg_id" =~ ^sg-[a-f0-9]{8,17}$ ]]; then
+            handle_error "Invalid security group ID format: $sg_id"
+        fi
+    }
+    
+    # Function to validate VPC ID
+    validate_vpc_id() {
+        local vpc_id="$1"
+        if [[ ! "$vpc_id" =~ ^vpc-[a-f0-9]{8,17}$ ]]; then
+            handle_error "Invalid VPC ID format: $vpc_id"
@@ -86 +113 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        if [ -n "$LISTENER_ARN" ]; then
+        if [ -n "${LISTENER_ARN:-}" ]; then
@@ -88 +115 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-            aws elbv2 delete-listener --listener-arn "$LISTENER_ARN"
+            aws elbv2 delete-listener --listener-arn "$LISTENER_ARN" 2>/dev/null || true
@@ -91 +118 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        if [ -n "$LOAD_BALANCER_ARN" ]; then
+        if [ -n "${LOAD_BALANCER_ARN:-}" ]; then
@@ -93 +120 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-            aws elbv2 delete-load-balancer --load-balancer-arn "$LOAD_BALANCER_ARN"
+            aws elbv2 delete-load-balancer --load-balancer-arn "$LOAD_BALANCER_ARN" 2>/dev/null || true
@@ -97 +124 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-            aws elbv2 wait load-balancers-deleted --load-balancer-arns "$LOAD_BALANCER_ARN"
+            aws elbv2 wait load-balancers-deleted --load-balancer-arns "$LOAD_BALANCER_ARN" 2>/dev/null || true
@@ -100 +127 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        if [ -n "$TARGET_GROUP_ARN" ]; then
+        if [ -n "${TARGET_GROUP_ARN:-}" ]; then
@@ -102 +129 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-            aws elbv2 delete-target-group --target-group-arn "$TARGET_GROUP_ARN"
+            aws elbv2 delete-target-group --target-group-arn "$TARGET_GROUP_ARN" 2>/dev/null || true
@@ -105,3 +132 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        # Add a delay before attempting to delete the security group
-        # to ensure all ELB resources are fully deleted
-        if [ -n "$SECURITY_GROUP_ID" ]; then
+        if [ -n "${SECURITY_GROUP_ID:-}" ]; then
@@ -112,8 +137,8 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-            SG_DELETE_OUTPUT=$(aws ec2 delete-security-group --group-id "$SECURITY_GROUP_ID" 2>&1)
-            
-            # If there's still a dependency issue, retry a few times
-            RETRY_COUNT=0
-            MAX_RETRIES=5
-            while echo "$SG_DELETE_OUTPUT" | grep -i "DependencyViolation" > /dev/null && [ $RETRY_COUNT -lt $MAX_RETRIES ]; do
-                RETRY_COUNT=$((RETRY_COUNT+1))
-                echo "Security group still has dependencies. Retrying in 30 seconds... (Attempt $RETRY_COUNT of $MAX_RETRIES)"
+            local sg_delete_output
+            sg_delete_output=$(aws ec2 delete-security-group --group-id "$SECURITY_GROUP_ID" 2>&1 || true)
+            
+            local retry_count=0
+            local max_retries=5
+            while echo "$sg_delete_output" | grep -i "DependencyViolation" > /dev/null && [ $retry_count -lt $max_retries ]; do
+                retry_count=$((retry_count+1))
+                echo "Security group still has dependencies. Retrying in 30 seconds... (Attempt $retry_count of $max_retries)"
@@ -121 +146 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-                SG_DELETE_OUTPUT=$(aws ec2 delete-security-group --group-id "$SECURITY_GROUP_ID" 2>&1)
+                sg_delete_output=$(aws ec2 delete-security-group --group-id "$SECURITY_GROUP_ID" 2>&1 || true)
@@ -124,2 +149,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-            if echo "$SG_DELETE_OUTPUT" | grep -i "error" > /dev/null; then
-                echo "WARNING: Could not delete security group: $SECURITY_GROUP_ID"
+            if echo "$sg_delete_output" | grep -i "error" > /dev/null; then
+                echo "WARNING: Could not delete security group: $SECURITY_GROUP_ID" >&2
@@ -136,0 +162,5 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+    # Verify AWS CLI is available
+    if ! command -v aws &> /dev/null; then
+        handle_error "AWS CLI is not installed or not in PATH"
+    fi
+    
@@ -139,2 +169 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    aws elbv2 help > /dev/null 2>&1
-    if [ $? -ne 0 ]; then
+    if ! aws elbv2 help > /dev/null 2>&1; then
@@ -146 +175 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    VPC_INFO=$(aws ec2 describe-vpcs --filters "Name=isDefault,Values=true" --query "Vpcs[0].VpcId" --output text)
+    VPC_INFO=$(aws ec2 describe-vpcs --filters "Name=isDefault,Values=true" --query "Vpcs[0].VpcId" --output text 2>/dev/null || echo "")
@@ -148 +177,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    VPC_ID=$VPC_INFO
+    VPC_ID="$VPC_INFO"
+    validate_vpc_id "$VPC_ID"
@@ -153 +183 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    SUBNET_INFO=$(aws ec2 describe-subnets --filters "Name=vpc-id,Values=$VPC_ID" --query "Subnets[0:2].SubnetId" --output text)
+    SUBNET_INFO=$(aws ec2 describe-subnets --filters "Name=vpc-id,Values=$VPC_ID" --query "Subnets[0:2].SubnetId" --output text 2>/dev/null || echo "")
@@ -170 +200 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        --query "GroupId" --output text)
+        --query "GroupId" --output text 2>/dev/null || echo "")
@@ -172 +202,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    SECURITY_GROUP_ID=$SG_INFO
+    SECURITY_GROUP_ID="$SG_INFO"
+    validate_security_group_id "$SECURITY_GROUP_ID"
@@ -181,2 +212,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        --cidr "0.0.0.0/0" > /dev/null
-    # Note: In production, you should restrict the CIDR range to specific IP addresses
+        --cidr "0.0.0.0/0" > /dev/null 2>&1 || handle_error "Failed to authorize security group ingress"
+    
+    echo "WARNING: Security group allows HTTP from 0.0.0.0/0. In production, restrict to specific IP addresses." >&2
@@ -190 +222 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        --query "LoadBalancers[0].LoadBalancerArn" --output text)
+        --query "LoadBalancers[0].LoadBalancerArn" --output text 2>/dev/null || echo "")
@@ -192 +224,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    LOAD_BALANCER_ARN=$LB_INFO
+    LOAD_BALANCER_ARN="$LB_INFO"
+    validate_arn "$LOAD_BALANCER_ARN"
@@ -197 +230,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    aws elbv2 wait load-balancer-available --load-balancer-arns "$LOAD_BALANCER_ARN"
+    if ! aws elbv2 wait load-balancer-available --load-balancer-arns "$LOAD_BALANCER_ARN" 2>/dev/null; then
+        handle_error "Load balancer did not reach active state within timeout period"
+    fi
@@ -207 +242 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        --query "TargetGroups[0].TargetGroupArn" --output text)
+        --query "TargetGroups[0].TargetGroupArn" --output text 2>/dev/null || echo "")
@@ -209 +244,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    TARGET_GROUP_ARN=$TG_INFO
+    TARGET_GROUP_ARN="$TG_INFO"
+    validate_arn "$TARGET_GROUP_ARN"
@@ -216,2 +252 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        --query "Reservations[*].Instances[*].InstanceId" --output text)
-    check_command "$INSTANCES"
+        --query "Reservations[*].Instances[*].InstanceId" --output text 2>/dev/null || echo "")
@@ -228 +263 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        TARGET_ARGS=""
+        target_args=()
@@ -230,2 +265,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-            if [ "$i" -lt 2 ]; then  # Register up to 2 instances
-                TARGET_ARGS="$TARGET_ARGS Id=${INSTANCE_IDS[$i]} "
+            if [ "$i" -lt 2 ]; then
+                target_args+=("Id=${INSTANCE_IDS[$i]}")
@@ -235,2 +270,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        if [ -n "$TARGET_ARGS" ]; then
-            aws elbv2 register-targets \
+        if [ ${#target_args[@]} -gt 0 ]; then
+            if aws elbv2 register-targets \
@@ -238,2 +273,5 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-                --targets $TARGET_ARGS
-            echo "Registered instances: $TARGET_ARGS"
+                --targets "${target_args[@]}" 2>/dev/null; then
+                echo "Registered instances: ${target_args[*]}"
+            else
+                handle_error "Failed to register targets"
+            fi
@@ -250 +288 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        --query "Listeners[0].ListenerArn" --output text)
+        --query "Listeners[0].ListenerArn" --output text 2>/dev/null || echo "")
@@ -252 +290,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    LISTENER_ARN=$LISTENER_INFO
+    LISTENER_ARN="$LISTENER_INFO"
+    validate_arn "$LISTENER_ARN"
@@ -257 +296 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    aws elbv2 describe-target-health --target-group-arn "$TARGET_GROUP_ARN"
+    aws elbv2 describe-target-health --target-group-arn "$TARGET_GROUP_ARN" 2>/dev/null || true
@@ -262 +301 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        --query "LoadBalancers[0].DNSName" --output text)
+        --query "LoadBalancers[0].DNSName" --output text 2>/dev/null || echo "")
@@ -278 +317 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    # Ask user if they want to clean up resources
+    # Prompt for cleanup confirmation
@@ -282,2 +321 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    echo "Do you want to clean up all created resources? (y/n): "
-    read -r CLEANUP_CHOICE
+    read -p "Do you want to clean up all created resources? (y/n): " -r CLEANUP_CHOICE
@@ -285 +323 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    if [[ "$CLEANUP_CHOICE" =~ ^[Yy] ]]; then
+    if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then