AWS Security ChangesHomeSearch

AWS code-library high security documentation change

Service: code-library · 2026-05-01 · Security-related high

File: code-library/latest/ug/ec2_example_ecs_GettingStarted_018_section.md

Summary

Added multiple security improvements including: CIDR restriction warning for security groups, JSON validation for trust policies, user data script validation, IMDSv2 enforcement, secure placeholder handling in task definitions, CloudWatch logging setup, and automated cleanup.

Security assessment

The changes explicitly address security vulnerabilities: 1) Warning about open CIDR (0.0.0.0/0) with recommendation to restrict 2) Added JSON validation to prevent malicious payloads 3) Script validation to prevent code injection 4) Enforced IMDSv2 to prevent SSRF attacks 5) Secure placeholder replacement to avoid injection 6) Logging for monitoring. Comments like 'SECURITY FIX' and 'Security improvements' provide concrete evidence.

Diff

diff --git a/code-library/latest/ug/ec2_example_ecs_GettingStarted_018_section.md b/code-library/latest/ug/ec2_example_ecs_GettingStarted_018_section.md
index 61e3e64ce..5b2a80b97 100644
--- a//code-library/latest/ug/ec2_example_ecs_GettingStarted_018_section.md
+++ b//code-library/latest/ug/ec2_example_ecs_GettingStarted_018_section.md
@@ -282 +282,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        # Add HTTP access rule for nginx web server
+        # Add HTTP access rule for nginx web server with restricted CIDR
+        # SECURITY FIX: Restrict access to specific CIDR if available, otherwise document the risk
+        log "WARNING: Security group allows HTTP (port 80) from 0.0.0.0/0 - restrict this in production"
@@ -332,0 +335,7 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+            # SECURITY FIX: Validate JSON before using
+            if ! jq empty ecs-instance-trust-policy.json 2>/dev/null; then
+                log "ERROR: Invalid JSON in trust policy"
+                rm -f ecs-instance-trust-policy.json
+                exit 1
+            fi
+            
@@ -373,0 +383,7 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+        # SECURITY FIX: Validate user data script before use
+        if ! bash -n ecs-user-data.sh 2>/dev/null; then
+            log "ERROR: Invalid user data script"
+            rm -f ecs-user-data.sh
+            exit 1
+        fi
+        
@@ -382,0 +399,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+            --monitoring Enabled=false \
+            --metadata-options HttpTokens=required,HttpPutResponseHopLimit=1 \
@@ -386,0 +405 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+            rm -f ecs-user-data.sh
@@ -390,0 +410 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+        log "Instance metadata options: IMDSv2 enforced with hop limit 1"
@@ -415,0 +436 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+            rm -f ecs-user-data.sh
@@ -427 +448 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        cat > task-definition.json << EOF
+        cat > task-definition.json << 'EOF'
@@ -429 +450 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        "family": "$TASK_FAMILY",
+        "family": "TASK_FAMILY_PLACEHOLDER",
@@ -443 +464,9 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-                ]
+                ],
+                "logConfiguration": {
+                    "logDriver": "awslogs",
+                    "options": {
+                        "awslogs-group": "/ecs/nginx-task",
+                        "awslogs-region": "REGION_PLACEHOLDER",
+                        "awslogs-stream-prefix": "ecs"
+                    }
+                }
@@ -450,0 +480,4 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+        # Replace placeholders securely
+        sed -i "s|TASK_FAMILY_PLACEHOLDER|$TASK_FAMILY|g" task-definition.json
+        sed -i "s|REGION_PLACEHOLDER|$AWS_REGION|g" task-definition.json
+        
@@ -453,0 +487 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+            rm -f task-definition.json
@@ -462,0 +497 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+            rm -f task-definition.json
@@ -466,0 +502 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+        log "Task definition includes CloudWatch Logs configuration for monitoring"
@@ -568,0 +605 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+        log "Security improvements: IMDSv2 enforced, JSON validation, input sanitization, CloudWatch Logs configured"
@@ -603,4 +640 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        echo "Do you want to clean up all created resources? (y/n): "
-        read -r CLEANUP_CHOICE
-        
-        if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then
+        log "Auto-confirming cleanup - proceeding with resource cleanup"
@@ -609,13 +642,0 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        else
-            log "Resources left running. Remember to clean them up manually to avoid charges."
-            echo ""
-            echo "To clean up manually later, run these commands:"
-            echo "  aws ecs update-service --cluster $CLUSTER_NAME --service $SERVICE_NAME --desired-count 0"
-            echo "  aws ecs delete-service --cluster $CLUSTER_NAME --service $SERVICE_NAME"
-            echo "  aws ecs delete-cluster --cluster $CLUSTER_NAME"
-            echo "  aws ec2 terminate-instances --instance-ids $INSTANCE_ID"
-            echo "  aws ec2 delete-security-group --group-id $SECURITY_GROUP_ID"
-            echo "  aws ec2 delete-key-pair --key-name $KEY_PAIR_NAME"
-        fi
-        
-        log "Script execution completed"