AWS code-library medium security documentation change
Summary
Enhanced script reliability and security: Added AWS CLI validation, improved security group rule handling, added explicit security warnings, and made cleanup automatic.
Security assessment
The change adds explicit security warnings about allowing 0.0.0.0/0 access (now marked with ⚠️ and NOT RECOMMENDED), which directly addresses a security misconfiguration risk. It also improves security group rule handling by checking for existing rules and adding error handling. The addition of AWS CLI and credential validation prevents insecure execution states.
Diff
diff --git a/code-library/latest/ug/ec2_example_ec2_GettingStarted_065_section.md b/code-library/latest/ug/ec2_example_ec2_GettingStarted_065_section.md index 5b3d4a197..87ab51859 100644 --- a//code-library/latest/ug/ec2_example_ec2_GettingStarted_065_section.md +++ b//code-library/latest/ug/ec2_example_ec2_GettingStarted_065_section.md @@ -38,0 +39,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + set -euo pipefail + @@ -50 +52 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if [ -n "$CACHE_NAME" ]; then + if [ -n "${CACHE_NAME:-}" ]; then @@ -53 +55 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if [ -n "$SG_RULE_6379" ] || [ -n "$SG_RULE_6380" ]; then + if [ -n "${SG_RULE_6379:-}" ] || [ -n "${SG_RULE_6380:-}" ]; then @@ -59,0 +62,10 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + # Validate AWS CLI is installed and configured + if ! command -v aws &> /dev/null; then + handle_error "AWS CLI is not installed or not in PATH" + fi + + # Check AWS credentials are configured + if ! aws sts get-caller-identity &> /dev/null; then + handle_error "AWS credentials are not configured or invalid" + fi + @@ -74 +86 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --output text) + --output text 2>/dev/null || echo "") @@ -84 +96,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - SG_RULE_6379=$(aws ec2 authorize-security-group-ingress \ + SG_RULE_6379="" + if SG_RULE_6379=$(aws ec2 authorize-security-group-ingress \ @@ -90,6 +103,7 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --output text 2>&1) - - # Check for errors in the output - if echo "$SG_RULE_6379" | grep -i "error" > /dev/null; then - # If the rule already exists, this is not a fatal error - if echo "$SG_RULE_6379" | grep -i "already exists" > /dev/null; then + --output text 2>&1); then + if [[ "$SG_RULE_6379" == *"InvalidGroup.Duplicate"* ]] || [[ "$SG_RULE_6379" == *"already exists"* ]]; then + echo "Rule for port 6379 already exists, continuing..." + SG_RULE_6379="existing" + fi + else + if [[ "$SG_RULE_6379" == *"InvalidGroup.Duplicate"* ]] || [[ "$SG_RULE_6379" == *"already exists"* ]]; then @@ -105 +119,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - SG_RULE_6380=$(aws ec2 authorize-security-group-ingress \ + SG_RULE_6380="" + if SG_RULE_6380=$(aws ec2 authorize-security-group-ingress \ @@ -111,6 +126,7 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --output text 2>&1) - - # Check for errors in the output - if echo "$SG_RULE_6380" | grep -i "error" > /dev/null; then - # If the rule already exists, this is not a fatal error - if echo "$SG_RULE_6380" | grep -i "already exists" > /dev/null; then + --output text 2>&1); then + if [[ "$SG_RULE_6380" == *"InvalidGroup.Duplicate"* ]] || [[ "$SG_RULE_6380" == *"already exists"* ]]; then + echo "Rule for port 6380 already exists, continuing..." + SG_RULE_6380="existing" + fi + else + if [[ "$SG_RULE_6380" == *"InvalidGroup.Duplicate"* ]] || [[ "$SG_RULE_6380" == *"already exists"* ]]; then @@ -126,2 +142,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - echo "SECURITY NOTE: The security group rules created allow access from any IP address (0.0.0.0/0)." - echo "This is not recommended for production environments. For production," + echo "⚠️ SECURITY WARNING: The security group rules created allow access from any IP address (0.0.0.0/0)." + echo "This is NOT RECOMMENDED for production environments. For production," @@ -128,0 +145 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + echo "Update the CIDR blocks in this script before using in production." @@ -133 +150 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - CREATE_RESULT=$(aws elasticache create-serverless-cache \ + if ! CREATE_RESULT=$(aws elasticache create-serverless-cache \ @@ -135,4 +152 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --engine valkey 2>&1) - - # Check for errors in the output - if echo "$CREATE_RESULT" | grep -i "error" > /dev/null; then + --engine valkey 2>&1); then @@ -155,5 +169,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - DESCRIBE_RESULT=$(aws elasticache describe-serverless-caches \ - --serverless-cache-name "$CACHE_NAME" 2>&1) - - # Check for errors in the output - if echo "$DESCRIBE_RESULT" | grep -i "error" > /dev/null; then + if ! DESCRIBE_RESULT=$(aws elasticache describe-serverless-caches \ + --serverless-cache-name "$CACHE_NAME" 2>&1); then @@ -163,2 +174,6 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - # Extract status using grep and awk for more reliable parsing - CACHE_STATUS=$(echo "$DESCRIBE_RESULT" | grep -o '"Status": "[^"]*"' | awk -F'"' '{print $4}') + # Extract status using jq for reliable JSON parsing + if command -v jq &> /dev/null; then + CACHE_STATUS=$(echo "$DESCRIBE_RESULT" | jq -r '.ServerlessCaches[0].Status // "UNKNOWN"' 2>/dev/null || echo "") + else + CACHE_STATUS=$(echo "$DESCRIBE_RESULT" | grep -o '"Status": "[^"]*"' | awk -F'"' '{print $4}' | head -n 1) + fi @@ -189 +204 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - ENDPOINT=$(aws elasticache describe-serverless-caches \ + if ! ENDPOINT=$(aws elasticache describe-serverless-caches \ @@ -192 +207,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --output text) + --output text 2>&1); then + handle_error "Failed to get cache endpoint: $ENDPOINT" + fi @@ -226 +243 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - # Prompt for cleanup + # Auto-confirm cleanup @@ -233 +250 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if [ "$SG_RULE_6379" != "existing" ] || [ "$SG_RULE_6380" != "existing" ]; then + if [[ "${SG_RULE_6379:-}" != "existing" ]] || [[ "${SG_RULE_6380:-}" != "existing" ]]; then @@ -237,2 +254,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - echo "Do you want to clean up all created resources? (y/n): " - read -r CLEANUP_CHOICE + echo "Proceeding with cleanup..." + + CLEANUP_CHOICE="y" @@ -245,5 +263,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - DELETE_RESULT=$(aws elasticache delete-serverless-cache \ - --serverless-cache-name "$CACHE_NAME" 2>&1) - - # Check for errors in the output - if echo "$DELETE_RESULT" | grep -i "error" > /dev/null; then + if ! DELETE_RESULT=$(aws elasticache delete-serverless-cache \ + --serverless-cache-name "$CACHE_NAME" 2>&1); then @@ -257 +272 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if [ "$SG_RULE_6379" != "existing" ]; then + if [[ "${SG_RULE_6379:-}" != "existing" ]]; then @@ -259 +274 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - aws ec2 revoke-security-group-ingress \ + if ! aws ec2 revoke-security-group-ingress \ @@ -263 +278,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --cidr 0.0.0.0/0 + --cidr 0.0.0.0/0 2>&1; then + echo "WARNING: Failed to remove security group rule for port 6379" + fi @@ -266 +283 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if [ "$SG_RULE_6380" != "existing" ]; then + if [[ "${SG_RULE_6380:-}" != "existing" ]]; then @@ -268 +285 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - aws ec2 revoke-security-group-ingress \ + if ! aws ec2 revoke-security-group-ingress \ @@ -272 +289,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --cidr 0.0.0.0/0 + --cidr 0.0.0.0/0 2>&1; then + echo "WARNING: Failed to remove security group rule for port 6380" + fi @@ -276,7 +294,0 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - else - echo "Cleanup skipped. Resources will remain in your AWS account." - echo "To clean up later, run:" - echo "aws elasticache delete-serverless-cache --serverless-cache-name $CACHE_NAME" - if [ "$SG_RULE_6379" != "existing" ] || [ "$SG_RULE_6380" != "existing" ]; then - echo "And remove the security group rules for ports 6379 and 6380 from security group $SG_ID" - fi