AWS Security ChangesHomeSearch

AWS code-library high security documentation change

Service: code-library · 2026-05-01 · Security-related high

File: code-library/latest/ug/iam_example_ecs_GettingStarted_018_section.md

Summary

Added multiple security improvements to ECS example script including JSON validation, bash script validation, IMDSv2 enforcement, secure variable substitution, CloudWatch logging, and security warnings

Security assessment

The changes explicitly address security vulnerabilities: 1) Adds warning about open security group (0.0.0.0/0) with CIDR restriction recommendation, 2) Implements JSON validation to prevent malformed trust policies, 3) Adds bash syntax validation for user data scripts, 4) Enforces IMDSv2 with HttpTokens=required to prevent SSRF attacks, 5) Uses secure heredoc with quotes to prevent variable injection in task definitions, 6) Adds CloudWatch logging for monitoring. The changes include explicit 'SECURITY FIX' comments and address specific vulnerabilities like open security groups, IMDSv1 weaknesses, and input validation issues.

Diff

diff --git a/code-library/latest/ug/iam_example_ecs_GettingStarted_018_section.md b/code-library/latest/ug/iam_example_ecs_GettingStarted_018_section.md
index 700b3de73..abf65eea6 100644
--- a//code-library/latest/ug/iam_example_ecs_GettingStarted_018_section.md
+++ b//code-library/latest/ug/iam_example_ecs_GettingStarted_018_section.md
@@ -282 +282,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        # Add HTTP access rule for nginx web server
+        # Add HTTP access rule for nginx web server with restricted CIDR
+        # SECURITY FIX: Restrict access to specific CIDR if available, otherwise document the risk
+        log "WARNING: Security group allows HTTP (port 80) from 0.0.0.0/0 - restrict this in production"
@@ -332,0 +335,7 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+            # SECURITY FIX: Validate JSON before using
+            if ! jq empty ecs-instance-trust-policy.json 2>/dev/null; then
+                log "ERROR: Invalid JSON in trust policy"
+                rm -f ecs-instance-trust-policy.json
+                exit 1
+            fi
+            
@@ -373,0 +383,7 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+        # SECURITY FIX: Validate user data script before use
+        if ! bash -n ecs-user-data.sh 2>/dev/null; then
+            log "ERROR: Invalid user data script"
+            rm -f ecs-user-data.sh
+            exit 1
+        fi
+        
@@ -382,0 +399,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+            --monitoring Enabled=false \
+            --metadata-options HttpTokens=required,HttpPutResponseHopLimit=1 \
@@ -386,0 +405 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+            rm -f ecs-user-data.sh
@@ -390,0 +410 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+        log "Instance metadata options: IMDSv2 enforced with hop limit 1"
@@ -415,0 +436 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+            rm -f ecs-user-data.sh
@@ -427 +448 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        cat > task-definition.json << EOF
+        cat > task-definition.json << 'EOF'
@@ -429 +450 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        "family": "$TASK_FAMILY",
+        "family": "TASK_FAMILY_PLACEHOLDER",
@@ -443 +464,9 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-                ]
+                ],
+                "logConfiguration": {
+                    "logDriver": "awslogs",
+                    "options": {
+                        "awslogs-group": "/ecs/nginx-task",
+                        "awslogs-region": "REGION_PLACEHOLDER",
+                        "awslogs-stream-prefix": "ecs"
+                    }
+                }
@@ -450,0 +480,4 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+        # Replace placeholders securely
+        sed -i "s|TASK_FAMILY_PLACEHOLDER|$TASK_FAMILY|g" task-definition.json
+        sed -i "s|REGION_PLACEHOLDER|$AWS_REGION|g" task-definition.json
+        
@@ -453,0 +487 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+            rm -f task-definition.json
@@ -462,0 +497 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+            rm -f task-definition.json
@@ -466,0 +502 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+        log "Task definition includes CloudWatch Logs configuration for monitoring"
@@ -568,0 +605 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+        log "Security improvements: IMDSv2 enforced, JSON validation, input sanitization, CloudWatch Logs configured"
@@ -603,4 +640 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        echo "Do you want to clean up all created resources? (y/n): "
-        read -r CLEANUP_CHOICE
-        
-        if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then
+        log "Auto-confirming cleanup - proceeding with resource cleanup"
@@ -609,13 +642,0 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        else
-            log "Resources left running. Remember to clean them up manually to avoid charges."
-            echo ""
-            echo "To clean up manually later, run these commands:"
-            echo "  aws ecs update-service --cluster $CLUSTER_NAME --service $SERVICE_NAME --desired-count 0"
-            echo "  aws ecs delete-service --cluster $CLUSTER_NAME --service $SERVICE_NAME"
-            echo "  aws ecs delete-cluster --cluster $CLUSTER_NAME"
-            echo "  aws ec2 terminate-instances --instance-ids $INSTANCE_ID"
-            echo "  aws ec2 delete-security-group --group-id $SECURITY_GROUP_ID"
-            echo "  aws ec2 delete-key-pair --key-name $KEY_PAIR_NAME"
-        fi
-        
-        log "Script execution completed"