AWS Security ChangesHomeSearch

AWS code-library medium security documentation change

Service: code-library · 2026-05-01 · Security-related medium

File: code-library/latest/ug/bash_2_elasticache_code_examples.md

Summary

Enhanced bash script with improved error handling, security warnings, and reliability improvements for Elasticache operations. Changes include: added AWS CLI validation, safer variable handling, enhanced security group rule management, JSON parsing improvements, and auto-confirmed cleanup.

Security assessment

The change prominently adds a security warning about allowing 0.0.0.0/0 access (now marked with ⚠️ and uppercase warnings) and explicitly states this is unsafe for production. It also adds documentation instructing users to update CIDR blocks before production use. The security group rule handling now properly detects existing rules without failing, preventing accidental exposure.

Diff

diff --git a/code-library/latest/ug/bash_2_elasticache_code_examples.md b/code-library/latest/ug/bash_2_elasticache_code_examples.md
index 42e2c40f6..180a4bf33 100644
--- a//code-library/latest/ug/bash_2_elasticache_code_examples.md
+++ b//code-library/latest/ug/bash_2_elasticache_code_examples.md
@@ -52,0 +53,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+    set -euo pipefail
+    
@@ -64 +66 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        if [ -n "$CACHE_NAME" ]; then
+        if [ -n "${CACHE_NAME:-}" ]; then
@@ -67 +69 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        if [ -n "$SG_RULE_6379" ] || [ -n "$SG_RULE_6380" ]; then
+        if [ -n "${SG_RULE_6379:-}" ] || [ -n "${SG_RULE_6380:-}" ]; then
@@ -73,0 +76,10 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+    # Validate AWS CLI is installed and configured
+    if ! command -v aws &> /dev/null; then
+        handle_error "AWS CLI is not installed or not in PATH"
+    fi
+    
+    # Check AWS credentials are configured
+    if ! aws sts get-caller-identity &> /dev/null; then
+        handle_error "AWS credentials are not configured or invalid"
+    fi
+    
@@ -88 +100 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-      --output text)
+      --output text 2>/dev/null || echo "")
@@ -98 +110,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    SG_RULE_6379=$(aws ec2 authorize-security-group-ingress \
+    SG_RULE_6379=""
+    if SG_RULE_6379=$(aws ec2 authorize-security-group-ingress \
@@ -104,6 +117,7 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-      --output text 2>&1)
-    
-    # Check for errors in the output
-    if echo "$SG_RULE_6379" | grep -i "error" > /dev/null; then
-        # If the rule already exists, this is not a fatal error
-        if echo "$SG_RULE_6379" | grep -i "already exists" > /dev/null; then
+      --output text 2>&1); then
+        if [[ "$SG_RULE_6379" == *"InvalidGroup.Duplicate"* ]] || [[ "$SG_RULE_6379" == *"already exists"* ]]; then
+            echo "Rule for port 6379 already exists, continuing..."
+            SG_RULE_6379="existing"
+        fi
+    else
+        if [[ "$SG_RULE_6379" == *"InvalidGroup.Duplicate"* ]] || [[ "$SG_RULE_6379" == *"already exists"* ]]; then
@@ -119 +133,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    SG_RULE_6380=$(aws ec2 authorize-security-group-ingress \
+    SG_RULE_6380=""
+    if SG_RULE_6380=$(aws ec2 authorize-security-group-ingress \
@@ -125,6 +140,7 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-      --output text 2>&1)
-    
-    # Check for errors in the output
-    if echo "$SG_RULE_6380" | grep -i "error" > /dev/null; then
-        # If the rule already exists, this is not a fatal error
-        if echo "$SG_RULE_6380" | grep -i "already exists" > /dev/null; then
+      --output text 2>&1); then
+        if [[ "$SG_RULE_6380" == *"InvalidGroup.Duplicate"* ]] || [[ "$SG_RULE_6380" == *"already exists"* ]]; then
+            echo "Rule for port 6380 already exists, continuing..."
+            SG_RULE_6380="existing"
+        fi
+    else
+        if [[ "$SG_RULE_6380" == *"InvalidGroup.Duplicate"* ]] || [[ "$SG_RULE_6380" == *"already exists"* ]]; then
@@ -140,2 +156,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    echo "SECURITY NOTE: The security group rules created allow access from any IP address (0.0.0.0/0)."
-    echo "This is not recommended for production environments. For production,"
+    echo "⚠️  SECURITY WARNING: The security group rules created allow access from any IP address (0.0.0.0/0)."
+    echo "This is NOT RECOMMENDED for production environments. For production,"
@@ -142,0 +159 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+    echo "Update the CIDR blocks in this script before using in production."
@@ -147 +164 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    CREATE_RESULT=$(aws elasticache create-serverless-cache \
+    if ! CREATE_RESULT=$(aws elasticache create-serverless-cache \
@@ -149,4 +166 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-      --engine valkey 2>&1)
-    
-    # Check for errors in the output
-    if echo "$CREATE_RESULT" | grep -i "error" > /dev/null; then
+      --engine valkey 2>&1); then
@@ -169,5 +183,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        DESCRIBE_RESULT=$(aws elasticache describe-serverless-caches \
-          --serverless-cache-name "$CACHE_NAME" 2>&1)
-        
-        # Check for errors in the output
-        if echo "$DESCRIBE_RESULT" | grep -i "error" > /dev/null; then
+        if ! DESCRIBE_RESULT=$(aws elasticache describe-serverless-caches \
+          --serverless-cache-name "$CACHE_NAME" 2>&1); then
@@ -177,2 +188,6 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        # Extract status using grep and awk for more reliable parsing
-        CACHE_STATUS=$(echo "$DESCRIBE_RESULT" | grep -o '"Status": "[^"]*"' | awk -F'"' '{print $4}')
+        # Extract status using jq for reliable JSON parsing
+        if command -v jq &> /dev/null; then
+            CACHE_STATUS=$(echo "$DESCRIBE_RESULT" | jq -r '.ServerlessCaches[0].Status // "UNKNOWN"' 2>/dev/null || echo "")
+        else
+            CACHE_STATUS=$(echo "$DESCRIBE_RESULT" | grep -o '"Status": "[^"]*"' | awk -F'"' '{print $4}' | head -n 1)
+        fi
@@ -203 +218 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    ENDPOINT=$(aws elasticache describe-serverless-caches \
+    if ! ENDPOINT=$(aws elasticache describe-serverless-caches \
@@ -206 +221,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-      --output text)
+      --output text 2>&1); then
+        handle_error "Failed to get cache endpoint: $ENDPOINT"
+    fi
@@ -240 +257 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    # Prompt for cleanup
+    # Auto-confirm cleanup
@@ -247 +264 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    if [ "$SG_RULE_6379" != "existing" ] || [ "$SG_RULE_6380" != "existing" ]; then
+    if [[ "${SG_RULE_6379:-}" != "existing" ]] || [[ "${SG_RULE_6380:-}" != "existing" ]]; then
@@ -251,2 +268,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    echo "Do you want to clean up all created resources? (y/n): "
-    read -r CLEANUP_CHOICE
+    echo "Proceeding with cleanup..."
+    
+    CLEANUP_CHOICE="y"
@@ -259,5 +277,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        DELETE_RESULT=$(aws elasticache delete-serverless-cache \
-          --serverless-cache-name "$CACHE_NAME" 2>&1)
-        
-        # Check for errors in the output
-        if echo "$DELETE_RESULT" | grep -i "error" > /dev/null; then
+        if ! DELETE_RESULT=$(aws elasticache delete-serverless-cache \
+          --serverless-cache-name "$CACHE_NAME" 2>&1); then
@@ -271 +286 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        if [ "$SG_RULE_6379" != "existing" ]; then
+        if [[ "${SG_RULE_6379:-}" != "existing" ]]; then
@@ -273 +288 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-            aws ec2 revoke-security-group-ingress \
+            if ! aws ec2 revoke-security-group-ingress \
@@ -277 +292,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-              --cidr 0.0.0.0/0
+              --cidr 0.0.0.0/0 2>&1; then
+                echo "WARNING: Failed to remove security group rule for port 6379"
+            fi
@@ -280 +297 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        if [ "$SG_RULE_6380" != "existing" ]; then
+        if [[ "${SG_RULE_6380:-}" != "existing" ]]; then
@@ -282 +299 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-            aws ec2 revoke-security-group-ingress \
+            if ! aws ec2 revoke-security-group-ingress \
@@ -286 +303,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-              --cidr 0.0.0.0/0
+              --cidr 0.0.0.0/0 2>&1; then
+                echo "WARNING: Failed to remove security group rule for port 6380"
+            fi
@@ -290,7 +308,0 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    else
-        echo "Cleanup skipped. Resources will remain in your AWS account."
-        echo "To clean up later, run:"
-        echo "aws elasticache delete-serverless-cache --serverless-cache-name $CACHE_NAME"
-        if [ "$SG_RULE_6379" != "existing" ] || [ "$SG_RULE_6380" != "existing" ]; then
-            echo "And remove the security group rules for ports 6379 and 6380 from security group $SG_ID"
-        fi