AWS code-library documentation change
Summary
Updated AWS Pinpoint getting started script with enhanced security features including secure file handling, input validation, resource tracking, and automatic cleanup
Security assessment
The changes implement security best practices but do not address a specific known vulnerability. Enhancements include secure umask (0077), temporary file shredding, input validation, credential checks, and secure AWS resource cleanup. These are proactive security improvements rather than fixes for existing vulnerabilities.
Diff
diff --git a/code-library/latest/ug/pinpoint_example_pinpoint_GettingStarted_049_section.md b/code-library/latest/ug/pinpoint_example_pinpoint_GettingStarted_049_section.md index ccbc7e768..01f285c75 100644 --- a//code-library/latest/ug/pinpoint_example_pinpoint_GettingStarted_049_section.md +++ b//code-library/latest/ug/pinpoint_example_pinpoint_GettingStarted_049_section.md @@ -45 +45 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - # Usage: ./2-cli-script-final-working.sh [--auto-cleanup] + # Usage: ./aws-end-user-messaging-gs.sh [--auto-cleanup] @@ -47,5 +47,4 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - # Check for auto-cleanup flag - AUTO_CLEANUP=false - if [[ "${1:-}" == "--auto-cleanup" ]]; then - AUTO_CLEANUP=true - fi + set -uo pipefail + + # Security: Set secure umask for created files + umask 0077 @@ -54 +53,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - LOG_FILE="aws-end-user-messaging-push-script-$(date +%Y%m%d-%H%M%S).log" + LOG_DIR="./aws-eump-logs" + mkdir -p "$LOG_DIR" + LOG_FILE="$LOG_DIR/aws-end-user-messaging-push-script-$(date +%Y%m%d-%H%M%S).log" @@ -60,0 +62,30 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + # Security: Track created resources for cleanup + declare -a TEMP_FILES=() + declare -a AWS_RESOURCES=() + + # Cleanup function with improved security + cleanup() { + local exit_code=$? + echo "Cleaning up temporary resources..." + + # Remove temporary files securely + for temp_file in "${TEMP_FILES[@]+"${TEMP_FILES[@]}"}"; do + if [ -f "$temp_file" ]; then + shred -vfz -n 3 "$temp_file" 2>/dev/null || rm -f "$temp_file" + fi + done + + # Optionally delete AWS resources + if [ "${DELETE_AWS_RESOURCES:-false}" = "true" ]; then + for resource in "${AWS_RESOURCES[@]+"${AWS_RESOURCES[@]}"}"; do + echo "Deleting AWS resource: $resource" + aws pinpoint delete-app --application-id "$resource" 2>/dev/null || \ + echo "Warning: Failed to delete application $resource" + done + fi + + exit "$exit_code" + } + + trap cleanup EXIT INT TERM + @@ -68,2 +99,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - echo "ERROR: Command failed: $cmd" - echo "Error details: $output" + echo "ERROR: Command failed: $cmd" >&2 + echo "Error details: $output" >&2 @@ -72 +103 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - echo "Ignoring error and continuing..." + echo "Ignoring error and continuing..." >&2 @@ -75,2 +106 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - cleanup_on_error - exit 1 + return 2 @@ -83,15 +112,0 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - # Function to clean up resources on error - cleanup_on_error() { - echo "Error encountered. Cleaning up resources..." - - if [ -n "${APP_ID:-}" ]; then - echo "Deleting application with ID: $APP_ID" - aws pinpoint delete-app --application-id "$APP_ID" 2>/dev/null || echo "Failed to delete application" - fi - - # Clean up any created files - rm -f gcm-message.json apns-message.json - - echo "Cleanup completed." - } - @@ -104,3 +119,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - echo "ERROR: AWS CLI is not installed. Please install it first." - echo "Visit: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html" - exit 1 + echo "ERROR: AWS CLI is not installed. Please install it first." >&2 + echo "Visit: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html" >&2 + return 1 @@ -113 +128 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - # Check if AWS CLI is configured + # Verify credentials are set (check for credential env vars or config file) @@ -115,3 +130,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - echo "ERROR: AWS CLI is not configured or credentials are invalid." - echo "Please run 'aws configure' to set up your credentials." - exit 1 + echo "ERROR: AWS CLI credentials are not configured or invalid." >&2 + echo "Please configure credentials via environment variables, credential file, or 'aws configure'" >&2 + return 1 @@ -126,0 +142,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + + return 0 @@ -141 +158 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - # Function to extract JSON values + # Function to extract JSON values safely @@ -147 +164 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - echo "$json" | jq -r ".$key" + echo "$json" | jq -r ".ApplicationResponse.$key // empty" 2>/dev/null || echo "" @@ -149,2 +166,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - # Fallback to grep method - echo "$json" | grep -o "\"$key\": \"[^\"]*" | cut -d'"' -f4 | head -n1 + # Fallback to grep method with better validation + echo "$json" | grep -o "\"$key\": \"[^\"]*" | cut -d'"' -f4 | head -n1 || echo "" @@ -159,10 +176,10 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if ! aws pinpoint get-apps &> /dev/null; then - echo "WARNING: Unable to list Pinpoint applications. Please ensure you have the following IAM permissions:" - echo "- mobiletargeting:GetApps" - echo "- mobiletargeting:CreateApp" - echo "- mobiletargeting:DeleteApp" - echo "- mobiletargeting:UpdateGcmChannel" - echo "- mobiletargeting:UpdateApnsChannel" - echo "- mobiletargeting:SendMessages" - echo "" - echo "Continuing anyway..." + if ! aws pinpoint get-apps > /dev/null 2>&1; then + echo "WARNING: Unable to list Pinpoint applications." >&2 + echo "Please ensure you have appropriate IAM permissions for Pinpoint operations." >&2 + echo "Required permissions:" >&2 + echo " - mobiletargeting:GetApps" >&2 + echo " - mobiletargeting:CreateApp" >&2 + echo " - mobiletargeting:DeleteApp" >&2 + echo " - mobiletargeting:UpdateGcmChannel" >&2 + echo " - mobiletargeting:UpdateApnsChannel" >&2 + echo " - mobiletargeting:SendMessages" >&2 @@ -173,0 +191,30 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + # Function to validate input parameters + validate_input() { + local app_name=$1 + + # Validate app name length and characters + if [ ${#app_name} -gt 64 ]; then + echo "ERROR: Application name exceeds maximum length of 64 characters" >&2 + return 1 + fi + + if ! [[ "$app_name" =~ ^[a-zA-Z0-9_-]+$ ]]; then + echo "ERROR: Application name contains invalid characters" >&2 + return 1 + fi + + return 0 + } + + # Function to create secure temporary files + create_temp_file() { + local temp_file + temp_file=$(mktemp) || { + echo "ERROR: Failed to create temporary file" >&2 + return 1 + } + chmod 600 "$temp_file" + TEMP_FILES+=("$temp_file") + echo "$temp_file" + } + @@ -175 +222,4 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - validate_aws_cli + if ! validate_aws_cli; then + exit 1 + fi + @@ -182,0 +233,5 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + # Validate input + if ! validate_input "$APP_NAME"; then + exit 1 + fi + @@ -188 +243,4 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - check_error "$CREATE_APP_OUTPUT" "create-app" + + if ! check_error "$CREATE_APP_OUTPUT" "create-app"; then + exit 1 + fi @@ -194,5 +252 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if [ "$USE_JQ" = "true" ]; then - APP_ID=$(echo "$CREATE_APP_OUTPUT" | jq -r '.ApplicationResponse.Id') - else - APP_ID=$(echo "$CREATE_APP_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4 | head -n1) - fi + APP_ID=$(extract_json_value "$CREATE_APP_OUTPUT" "Id") @@ -201,2 +255,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - echo "ERROR: Failed to extract application ID from output" - echo "Output was: $CREATE_APP_OUTPUT" + echo "ERROR: Failed to extract application ID from output" >&2 + echo "Output was: $CREATE_APP_OUTPUT" >&2 @@ -207,3 +261 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - - # Create a resources list to track what we've created - RESOURCES=("Application: $APP_ID") + AWS_RESOURCES+=("$APP_ID") @@ -231 +282,0 @@ There's more on GitHub. Find the complete example and learn how to set up and ru