AWS code-library high security documentation change
Summary
Enhanced example script with security improvements including strict file permissions, secure JSON handling, error output redirection, sensitive data redaction, and automated resource cleanup.
Security assessment
The changes implement multiple security hardening measures: 1) Added 'umask 077' and 'chmod 600' to restrict log file permissions, preventing unauthorized access. 2) Redirected error outputs to stderr to prevent sensitive data leakage. 3) Implemented JSON validation and secure value extraction to prevent injection vulnerabilities. 4) Added lock token redaction to prevent credential exposure. 5) Automated cleanup with 'trap EXIT' ensures resources aren't left unsecured. 6) Secured AWS account ID retrieval with error handling.
Diff
diff --git a/code-library/latest/ug/cloudfront_example_wafv2_GettingStarted_052_section.md b/code-library/latest/ug/cloudfront_example_wafv2_GettingStarted_052_section.md index 5a32c2975..659ab5f2c 100644 --- a//code-library/latest/ug/cloudfront_example_wafv2_GettingStarted_052_section.md +++ b//code-library/latest/ug/cloudfront_example_wafv2_GettingStarted_052_section.md @@ -43 +43,6 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - # Set up logging + set -euo pipefail + + # Security: Restrict file permissions + umask 077 + + # Set up logging with secure file handling @@ -44,0 +50,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + touch "$LOG_FILE" + chmod 600 "$LOG_FILE" @@ -57 +64 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - # Function to handle errors + # Function to handle errors securely @@ -59,2 +66,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - echo "ERROR: $1" - echo "Check the log file for details: $LOG_FILE" + local error_msg="$1" + echo "ERROR: $error_msg" >&2 + echo "Check the log file for details: $LOG_FILE" >&2 @@ -65,4 +73,16 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - # Function to check command success - check_command() { - if echo "$1" | grep -i "error" > /dev/null; then - handle_error "$2: $1" + # Function to validate AWS CLI JSON output + validate_json() { + local json_string="$1" + if ! echo "$json_string" | jq empty 2>/dev/null; then + return 1 + fi + return 0 + } + + # Function to safely extract JSON values + extract_json_value() { + local json_string="$1" + local key_path="$2" + + if ! validate_json "$json_string"; then + return 1 @@ -69,0 +90,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + + echo "$json_string" | jq -r "$key_path" 2>/dev/null || return 1 @@ -72 +94 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - # Function to clean up resources + # Function to clean up resources securely @@ -79 +101 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if [ -n "$DISTRIBUTION_ID" ] && [ -n "$WEB_ACL_ARN" ]; then + if [ -n "${DISTRIBUTION_ID:-}" ] && [ -n "${WEB_ACL_ARN:-}" ]; then @@ -81,3 +103,7 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - DISASSOCIATE_RESULT=$(aws wafv2 disassociate-web-acl \ - --resource-arn "arn:aws:cloudfront::$(aws sts get-caller-identity --query Account --output text):distribution/$DISTRIBUTION_ID" \ - --region us-east-1 2>&1) + local account_id + account_id=$(aws sts get-caller-identity --query Account --output text 2>/dev/null) || account_id="" + + if [ -z "$account_id" ]; then + echo "Warning: Could not retrieve AWS account ID" + return + fi @@ -85,2 +111,7 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if echo "$DISASSOCIATE_RESULT" | grep -i "error" > /dev/null; then - echo "Warning: Failed to disassociate Web ACL: $DISASSOCIATE_RESULT" + local disassociate_result + disassociate_result=$(aws wafv2 disassociate-web-acl \ + --resource-arn "arn:aws:cloudfront::${account_id}:distribution/${DISTRIBUTION_ID}" \ + --region us-east-1 2>&1) || true + + if echo "$disassociate_result" | grep -qi "error"; then + echo "Warning: Failed to disassociate Web ACL: $disassociate_result" @@ -92 +123 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if [ -n "$WEB_ACL_ID" ] && [ -n "$WEB_ACL_NAME" ]; then + if [ -n "${WEB_ACL_ID:-}" ] && [ -n "${WEB_ACL_NAME:-}" ]; then @@ -95,2 +126,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - # Get the latest lock token before deletion - GET_RESULT=$(aws wafv2 get-web-acl \ + local get_result + get_result=$(aws wafv2 get-web-acl \ @@ -100 +131 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --region us-east-1 2>&1) + --region us-east-1 2>&1) || true @@ -102,2 +133,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if echo "$GET_RESULT" | grep -i "error" > /dev/null; then - echo "Warning: Failed to get Web ACL for deletion: $GET_RESULT" + if echo "$get_result" | grep -qi "error"; then + echo "Warning: Failed to get Web ACL for deletion: $get_result" @@ -106 +137,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - LATEST_TOKEN=$(echo "$GET_RESULT" | grep -o '"LockToken": "[^"]*' | cut -d'"' -f4) + local latest_token + latest_token=$(extract_json_value "$get_result" '.WebACL.LockToken' 2>/dev/null) || latest_token="" @@ -108,2 +140,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if [ -n "$LATEST_TOKEN" ]; then - DELETE_RESULT=$(aws wafv2 delete-web-acl \ + if [ -n "$latest_token" ]; then + local delete_result + delete_result=$(aws wafv2 delete-web-acl \ @@ -113,2 +146,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --lock-token "$LATEST_TOKEN" \ - --region us-east-1 2>&1) + --lock-token "$latest_token" \ + --region us-east-1 2>&1) || true @@ -116,2 +149,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if echo "$DELETE_RESULT" | grep -i "error" > /dev/null; then - echo "Warning: Failed to delete Web ACL: $DELETE_RESULT" + if echo "$delete_result" | grep -qi "error"; then + echo "Warning: Failed to delete Web ACL: $delete_result" @@ -131,2 +164,5 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - # Generate a random identifier for resource names - RANDOM_ID=$(openssl rand -hex 4) + # Security: Trap EXIT to ensure cleanup on any exit + trap cleanup_resources EXIT + + # Generate a random identifier for resource names using secure method + RANDOM_ID=$(openssl rand -hex 4) || handle_error "Failed to generate random ID" @@ -144 +180,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - CREATE_RESULT=$(aws wafv2 create-web-acl \ + local create_result + create_result=$(aws wafv2 create-web-acl \ @@ -149,3 +186 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --region us-east-1 2>&1) - - check_command "$CREATE_RESULT" "Failed to create Web ACL" + --region us-east-1 2>&1) || handle_error "Failed to create Web ACL" @@ -153,7 +188,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - # Extract Web ACL ID, ARN, and Lock Token from the Summary object - WEB_ACL_ID=$(echo "$CREATE_RESULT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4) - WEB_ACL_ARN=$(echo "$CREATE_RESULT" | grep -o '"ARN": "[^"]*' | cut -d'"' -f4) - LOCK_TOKEN=$(echo "$CREATE_RESULT" | grep -o '"LockToken": "[^"]*' | cut -d'"' -f4) - - if [ -z "$WEB_ACL_ID" ]; then - handle_error "Failed to extract Web ACL ID" + if ! validate_json "$create_result"; then + handle_error "Invalid JSON response from create-web-acl" @@ -162,3 +192,4 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if [ -z "$LOCK_TOKEN" ]; then - handle_error "Failed to extract Lock Token" - fi + # Extract Web ACL ID, ARN, and Lock Token from the response + WEB_ACL_ID=$(extract_json_value "$create_result" '.Summary.Id') || handle_error "Failed to extract Web ACL ID" + WEB_ACL_ARN=$(extract_json_value "$create_result" '.Summary.ARN') || handle_error "Failed to extract Web ACL ARN" + LOCK_TOKEN=$(extract_json_value "$create_result" '.Summary.LockToken') || handle_error "Failed to extract Lock Token" @@ -167 +198 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - echo "Lock Token: $LOCK_TOKEN" + echo "Lock Token: [REDACTED]" @@ -175 +205,0 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - # Try to update with retries @@ -180 +210,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - GET_RESULT=$(aws wafv2 get-web-acl \ + local get_result + get_result=$(aws wafv2 get-web-acl \ @@ -184 +215 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --region us-east-1 2>&1) + --region us-east-1 2>&1) || true @@ -186,2 +217,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if echo "$GET_RESULT" | grep -i "error" > /dev/null; then - echo "Warning: Failed to get Web ACL for update: $GET_RESULT" + if echo "$get_result" | grep -qi "error"; then + echo "Warning: Failed to get Web ACL for update: $get_result" @@ -195 +226,11 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - LATEST_TOKEN=$(echo "$GET_RESULT" | grep -o '"LockToken": "[^"]*' | cut -d'"' -f4) + if ! validate_json "$get_result"; then + echo "Warning: Invalid JSON response from get-web-acl" + if [ "$i" -eq "$MAX_RETRIES" ]; then + handle_error "Invalid JSON response after $MAX_RETRIES attempts" + fi + sleep 2 + continue + fi + + local latest_token + latest_token=$(extract_json_value "$get_result" '.WebACL.LockToken' 2>/dev/null) || true @@ -197 +238 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if [ -z "$LATEST_TOKEN" ]; then + if [ -z "$latest_token" ]; then @@ -206,3 +247,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - echo "Using lock token: $LATEST_TOKEN" - - UPDATE_RESULT=$(aws wafv2 update-web-acl \ + local update_result + update_result=$(aws wafv2 update-web-acl \ @@ -212 +252 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --lock-token "$LATEST_TOKEN" \ + --lock-token "$latest_token" \ @@ -244 +284 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --region us-east-1 2>&1) + --region us-east-1 2>&1) || true @@ -246 +286 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if echo "$UPDATE_RESULT" | grep -i "WAFOptimisticLockException" > /dev/null; then + if echo "$update_result" | grep -qi "WAFOptimisticLockException"; then @@ -249 +289 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - handle_error "Failed to add string match rule after $MAX_RETRIES attempts: $UPDATE_RESULT" + handle_error "Failed to add string match rule after $MAX_RETRIES attempts" @@ -253,2 +293,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - elif echo "$UPDATE_RESULT" | grep -i "error" > /dev/null; then - handle_error "Failed to add string match rule: $UPDATE_RESULT"