AWS code-library documentation change
Summary
Updated DocumentDB example with improved security practices: stronger password generation using openssl, secure password storage in temp files with restricted permissions, immediate password clearing from memory, KMS encryption for secrets, scheduled secret deletion with recovery window, enhanced CA certificate validation, and improved IP validation with security group rule safety.
Security assessment
The changes enhance security practices but don't address a specific vulnerability. Improvements include: 1) Replaced insecure password generation with openssl rand 2) Added secure temp file handling with chmod 600 3) Immediate password clearing from memory 4) KMS encryption for secrets 5) 7-day recovery window for secret deletion 6) Certificate validation 7) IP format verification 8) Automatic resource cleanup. These demonstrate security features without referencing a specific security incident.
Diff
diff --git a/code-library/latest/ug/docdb_example_docdb_GettingStarted_025_section.md b/code-library/latest/ug/docdb_example_docdb_GettingStarted_025_section.md index 12cb10c76..dff73c72f 100644 --- a//code-library/latest/ug/docdb_example_docdb_GettingStarted_025_section.md +++ b//code-library/latest/ug/docdb_example_docdb_GettingStarted_025_section.md @@ -47 +47 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - SUFFIX=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 8 | head -n 1) + SUFFIX=$(LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c 8) @@ -59,0 +60 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + trap 'rm -rf "$TEMP_DIR"' EXIT @@ -102 +102,0 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - rm -rf "$TEMP_DIR" @@ -238 +238 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - # Delete secret + # Delete secret with scheduled deletion instead of immediate deletion @@ -240 +240 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - echo "Deleting secret '${SECRET_NAME}'..." + echo "Deleting secret '${SECRET_NAME}' (scheduled for 7 days)..." @@ -243 +243 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --force-delete-without-recovery 2>&1 || echo "WARNING: Failed to delete secret." + --recovery-window-in-days 7 2>&1 || echo "WARNING: Failed to delete secret." @@ -258,2 +258,9 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - # Generate a safe password (no / @ " or spaces) - MASTER_PASSWORD=$(cat /dev/urandom | tr -dc 'A-Za-z0-9!#$%^&*()_+=-' | fold -w 20 | head -n 1) + # Generate a strong password using openssl for better randomness + # Meets DocumentDB requirements: 8-100 chars, alphanumeric + special chars + MASTER_PASSWORD=$(openssl rand -base64 32 | tr -d '/' | cut -c1-20) + + # Securely store password in temporary file with restricted permissions + TEMP_PASS_FILE=$(mktemp) + chmod 600 "$TEMP_PASS_FILE" + echo -n "$MASTER_PASSWORD" > "$TEMP_PASS_FILE" + trap "rm -f '$TEMP_PASS_FILE'; rm -rf '$TEMP_DIR'" EXIT @@ -264 +271 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --secret-string "$MASTER_PASSWORD" \ + --secret-string file://"$TEMP_PASS_FILE" \ @@ -266,0 +274,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + # Securely clear password from memory + MASTER_PASSWORD="" + @@ -369,0 +380,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + # Read password securely from file for cluster creation + MASTER_PASSWORD=$(cat "$TEMP_PASS_FILE") + @@ -377,0 +391 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + --kms-key-id "alias/aws/docdb" \ @@ -378,0 +393 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + --enable-cloudwatch-logs-exports '["audit","error","general","slowquery"]' \ @@ -380,0 +396,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + # Clear password immediately after use + MASTER_PASSWORD="" + @@ -453,7 +471,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - # Get the user's public IP - MY_IP=$(curl -s https://checkip.amazonaws.com 2>&1) - - if echo "$MY_IP" | grep -iq "error\|could not\|failed"; then - echo "ERROR: Could not determine public IP address." - exit 1 - fi + # Get the user's public IP with timeout and error handling + MY_IP=$(timeout 5 curl -s --max-time 5 https://checkip.amazonaws.com 2>/dev/null || true) @@ -460,0 +474,5 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + if [ -z "$MY_IP" ] || echo "$MY_IP" | grep -iq "error\|could not\|failed"; then + echo "WARNING: Could not determine public IP address. Skipping security group rule." + echo "You must manually add an ingress rule for your IP to security group $SG_ID" + MY_IP="" + else @@ -463,0 +482,5 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + # Validate IP format (basic check) + if ! echo "$MY_IP" | grep -qE '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'; then + echo "WARNING: Invalid IP address format: $MY_IP. Skipping security group rule." + MY_IP="" + else @@ -481,0 +505,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + CREATED_RESOURCES+=("sg-rule:${SG_ID}:${MY_IP}") + fi + fi @@ -484 +509,0 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - CREATED_RESOURCES+=("sg-rule:${SG_ID}:${MY_IP}") @@ -496 +521 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - curl -s -o "$CA_CERT_PATH" https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem 2>&1 + CA_CERT_URL="https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem" @@ -498,3 +523,5 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if [ ! -s "$CA_CERT_PATH" ]; then - echo "WARNING: Failed to download CA certificate." - else + if timeout 10 curl -s --max-time 10 -o "$CA_CERT_PATH" "$CA_CERT_URL" 2>&1; then + if [ -s "$CA_CERT_PATH" ]; then + # Verify it's a valid PEM file and check file permissions + if grep -q "BEGIN CERTIFICATE" "$CA_CERT_PATH"; then + chmod 644 "$CA_CERT_PATH" @@ -501,0 +529,7 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + else + echo "WARNING: Downloaded file is not a valid PEM certificate." + CA_CERT_PATH="" + fi + else + echo "WARNING: Failed to download CA certificate (empty file)." + CA_CERT_PATH="" @@ -502,0 +537,5 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + else + echo "WARNING: Failed to download CA certificate (timeout or network error)." + CA_CERT_PATH="" + fi + @@ -516,0 +556 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + if [ -n "$CA_CERT_PATH" ]; then @@ -517,0 +558 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + fi @@ -519,0 +561 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + if [ -n "$CA_CERT_PATH" ]; then @@ -520,0 +563,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + else + echo " mongosh --tls --host ${CLUSTER_ENDPOINT} \\" + fi @@ -537,2 +582,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - echo "Do you want to clean up all created resources? (y/n): " - read -r CLEANUP_CHOICE + echo "Automatically cleaning up all created resources..." + echo "" @@ -540 +584,0 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if [ "$CLEANUP_CHOICE" = "y" ] || [ "$CLEANUP_CHOICE" = "Y" ]; then @@ -542,21 +585,0 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - else - echo "" - echo "Resources were NOT deleted. To clean up manually, run:" - echo "" - echo " # Revoke security group ingress rule" - echo " aws ec2 revoke-security-group-ingress --group-id ${SG_ID} --protocol tcp --port ${DOCDB_PORT} --cidr ${MY_IP}/32" - echo "" - echo " # Delete instance (wait for it to finish before deleting cluster)" - echo " aws docdb delete-db-instance --db-instance-identifier ${INSTANCE_ID}" - echo " aws docdb wait db-instance-deleted --db-instance-identifier ${INSTANCE_ID}" - echo "" - echo " # Delete cluster" - echo " aws docdb delete-db-cluster --db-cluster-identifier ${CLUSTER_ID} --skip-final-snapshot" - echo "" - echo " # Delete subnet group (after cluster is deleted)" - echo " aws docdb delete-db-subnet-group --db-subnet-group-name ${SUBNET_GROUP_NAME}" - echo "" - echo " # Delete secret" - echo " aws secretsmanager delete-secret --secret-id ${SECRET_NAME} --force-delete-without-recovery" - echo "" - fi @@ -564 +586,0 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - rm -rf "$TEMP_DIR"