AWS Security ChangesHomeSearch

AWS code-library high security documentation change

Service: code-library · 2026-05-01 · Security-related high

File: code-library/latest/ug/s3_example_s3_GettingStarted_074_section.md

Summary

Enhanced S3 example script with security best practices: added credential redaction in outputs, strict file permissions (chmod 600), S3 bucket encryption, versioning, private ACL, server-side encryption for uploads, and improved error handling

Security assessment

Changes directly address security weaknesses: credential redaction prevents secrets leakage in logs (evidenced by sed filters), strict file permissions protect sensitive files, and S3 security settings (encryption/ACL) mitigate data exposure risks. These implement concrete security controls against credential leaks and unauthorized data access.

Diff

diff --git a/code-library/latest/ug/s3_example_s3_GettingStarted_074_section.md b/code-library/latest/ug/s3_example_s3_GettingStarted_074_section.md
index c252fa044..813714e3d 100644
--- a//code-library/latest/ug/s3_example_s3_GettingStarted_074_section.md
+++ b//code-library/latest/ug/s3_example_s3_GettingStarted_074_section.md
@@ -37,0 +38 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+    set -euo pipefail
@@ -39 +40 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    # Set up logging
+    # Set up logging with restricted permissions
@@ -40,0 +42,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+    touch "$LOG_FILE"
+    chmod 600 "$LOG_FILE"
@@ -57 +60 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-            echo "$output"
+            echo "$output" | sed 's/\(aws_secret_access_key\|Authorization\|X-Amz-Security-Token\).*/\1=***REDACTED***/g'
@@ -76 +79 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        if [ -n "$DOCUMENT_NAME" ] && [ -n "$BUCKET_NAME" ]; then
+        if [ -n "${DOCUMENT_NAME:-}" ] && [ -n "${BUCKET_NAME:-}" ]; then
@@ -78 +81 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-            aws s3 rm "s3://$BUCKET_NAME/$DOCUMENT_NAME" || echo "Failed to delete document"
+            aws s3 rm "s3://${BUCKET_NAME}/${DOCUMENT_NAME}" || echo "Failed to delete document"
@@ -81 +84 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        if [ -n "$BUCKET_NAME" ]; then
+        if [ -n "${BUCKET_NAME:-}" ] && [ "${BUCKET_IS_SHARED:-false}" = "false" ]; then
@@ -83 +86 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-            aws s3 rb "s3://$BUCKET_NAME" --force || echo "Failed to delete bucket"
+            aws s3 rb "s3://${BUCKET_NAME}" --force || echo "Failed to delete bucket"
@@ -86,0 +90,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+    # Set up trap for cleanup on exit
+    trap cleanup_on_error EXIT
+    
@@ -88,0 +95,5 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+    if ! command -v aws &> /dev/null; then
+        echo "ERROR: AWS CLI is not installed."
+        exit 1
+    fi
+    
@@ -93 +104 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        echo "$AWS_CONFIG_OUTPUT"
+        echo "$AWS_CONFIG_OUTPUT" | sed 's/\(aws_secret_access_key\|Authorization\).*/\1=***REDACTED***/g'
@@ -110 +120,0 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        echo "$TEXTRACT_CHECK"
@@ -118 +128 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        --query 'Stacks[0].Outputs[?OutputKey==`BucketName`].OutputValue' --output text 2>/dev/null)
+        --query 'Stacks[0].Outputs[?OutputKey==`BucketName`].OutputValue' --output text 2>/dev/null || echo "")
@@ -130,0 +141 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+    if [ "$BUCKET_IS_SHARED" = false ]; then
@@ -132 +143 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    CREATE_BUCKET_OUTPUT=$(aws s3 mb "s3://$BUCKET_NAME" 2>&1)
+        CREATE_BUCKET_OUTPUT=$(aws s3 mb "s3://$BUCKET_NAME" --region "$AWS_REGION" 2>&1)
@@ -135,0 +147,6 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+        
+        # Apply security settings to bucket
+        aws s3api put-bucket-versioning --bucket "$BUCKET_NAME" --versioning-configuration Status=Enabled 2>&1 || true
+        aws s3api put-bucket-encryption --bucket "$BUCKET_NAME" --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}' 2>&1 || true
+        aws s3api put-bucket-acl --bucket "$BUCKET_NAME" --acl private 2>&1 || true
+        
@@ -136,0 +154 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+    fi
@@ -140,3 +158 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        echo "Sample document not found. Please provide a document to analyze."
-        echo "Enter the path to your document (must be an image file like PNG or JPEG):"
-        read -r DOCUMENT_PATH
+        echo "Sample document not found. Generating a sample document..."
@@ -144,4 +160,10 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        if [ ! -f "$DOCUMENT_PATH" ]; then
-            echo "File not found: $DOCUMENT_PATH"
-            cleanup_on_error
-            exit 1
+        # Create a simple PNG document using ImageMagick or convert
+        if command -v convert &> /dev/null; then
+            convert -size 400x300 xc:white -pointsize 20 -fill black -draw "text 50,50 'Sample Document'" "$DOCUMENT_NAME"
+            chmod 600 "$DOCUMENT_NAME"
+            echo "Generated sample document: $DOCUMENT_NAME"
+        else
+            # Fallback: create a minimal valid PNG using base64
+            echo "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNk+M9QDwADhgGAWjR9awAAAABJRU5ErkJggg==" | base64 -d > "$DOCUMENT_NAME"
+            chmod 600 "$DOCUMENT_NAME"
+            echo "Created minimal sample document: $DOCUMENT_NAME"
@@ -149,6 +170,0 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        
-        DOCUMENT_NAME=$(basename "$DOCUMENT_PATH")
-        echo "Using document: $DOCUMENT_PATH as $DOCUMENT_NAME"
-        
-        # Copy the document to the current directory
-        cp "$DOCUMENT_PATH" "./$DOCUMENT_NAME"
@@ -159 +175 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    UPLOAD_OUTPUT=$(aws s3 cp "./$DOCUMENT_NAME" "s3://$BUCKET_NAME/" 2>&1)
+    UPLOAD_OUTPUT=$(aws s3 cp "./$DOCUMENT_NAME" "s3://$BUCKET_NAME/" --sse AES256 2>&1)
@@ -170 +186 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    cat > document.json << EOF
+    cat > document.json << 'EOF'
@@ -173,2 +189,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        "Bucket": "$BUCKET_NAME",
-        "Name": "$DOCUMENT_NAME"
+        "Bucket": "BUCKET_PLACEHOLDER",
+        "Name": "DOCUMENT_PLACEHOLDER"
@@ -178,0 +195,4 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+    sed -i.bak "s|BUCKET_PLACEHOLDER|$BUCKET_NAME|g; s|DOCUMENT_PLACEHOLDER|$DOCUMENT_NAME|g" document.json
+    rm -f document.json.bak
+    chmod 600 document.json
+    
@@ -180 +200 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    cat > features.json << EOF
+    cat > features.json << 'EOF'
@@ -182,0 +203 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+    chmod 600 features.json
@@ -190,2 +211 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        echo "$ANALYZE_OUTPUT"
-        cleanup_on_error
+        echo "$ANALYZE_OUTPUT" | sed 's/\(aws_secret_access_key\|Authorization\|Token\).*/\1=***REDACTED***/g'
@@ -195 +215 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    # Save the analysis results to a file
+    # Save the analysis results to a file with restricted permissions
@@ -196,0 +217 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+    chmod 600 textract-analysis-results.json
@@ -205 +226 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    PAGES=$(echo "$ANALYZE_OUTPUT" | grep -o '"Pages": [0-9]*' | awk '{print $2}')
+    PAGES=$(echo "$ANALYZE_OUTPUT" | grep -o '"Pages": [0-9]*' | head -1 | awk '{print $2}')
@@ -211,8 +232,8 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    # Count different block types
-    PAGE_COUNT=$(echo "$ANALYZE_OUTPUT" | grep -o '"BlockType": "PAGE"' | wc -l)
-    LINE_COUNT=$(echo "$ANALYZE_OUTPUT" | grep -o '"BlockType": "LINE"' | wc -l)
-    WORD_COUNT=$(echo "$ANALYZE_OUTPUT" | grep -o '"BlockType": "WORD"' | wc -l)
-    TABLE_COUNT=$(echo "$ANALYZE_OUTPUT" | grep -o '"BlockType": "TABLE"' | wc -l)
-    CELL_COUNT=$(echo "$ANALYZE_OUTPUT" | grep -o '"BlockType": "CELL"' | wc -l)
-    KEY_VALUE_COUNT=$(echo "$ANALYZE_OUTPUT" | grep -o '"BlockType": "KEY_VALUE_SET"' | wc -l)
-    SIGNATURE_COUNT=$(echo "$ANALYZE_OUTPUT" | grep -o '"BlockType": "SIGNATURE"' | wc -l)
+    # Count different block types using jq if available, fallback to grep
+    PAGE_COUNT=$(echo "$ANALYZE_OUTPUT" | grep -o '"BlockType": "PAGE"' | wc -l || echo 0)
+    LINE_COUNT=$(echo "$ANALYZE_OUTPUT" | grep -o '"BlockType": "LINE"' | wc -l || echo 0)
+    WORD_COUNT=$(echo "$ANALYZE_OUTPUT" | grep -o '"BlockType": "WORD"' | wc -l || echo 0)
+    TABLE_COUNT=$(echo "$ANALYZE_OUTPUT" | grep -o '"BlockType": "TABLE"' | wc -l || echo 0)
+    CELL_COUNT=$(echo "$ANALYZE_OUTPUT" | grep -o '"BlockType": "CELL"' | wc -l || echo 0)
+    KEY_VALUE_COUNT=$(echo "$ANALYZE_OUTPUT" | grep -o '"BlockType": "KEY_VALUE_SET"' | wc -l || echo 0)
+    SIGNATURE_COUNT=$(echo "$ANALYZE_OUTPUT" | grep -o '"BlockType": "SIGNATURE"' | wc -l || echo 0)
@@ -241,4 +261,0 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    echo "Do you want to clean up all created resources? (y/n): "
-    read -r CLEANUP_CHOICE
-    
-    if [[ "$CLEANUP_CHOICE" =~ ^[Yy] ]]; then
@@ -254 +271,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        # Delete S3 bucket
+    # Delete S3 bucket (only if not shared)
+    if [ "$BUCKET_IS_SHARED" = false ]; then
@@ -259,0 +278 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+    fi
@@ -265,3 +283,0 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    else
-        echo "Resources have been preserved."
-    fi
@@ -276,0 +293 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+    trap - EXIT