AWS code-library high security documentation change
Summary
Added multiple security enhancements to ECS example: CIDR restriction warnings, JSON validation, user-data script validation, IMDSv2 enforcement, secure placeholder handling, CloudWatch logging, and automated cleanup
Security assessment
Changes explicitly address security vulnerabilities: 1) Warning about open HTTP access (0.0.0.0/0) with CIDR restriction advice, 2) JSON validation prevents malformed trust policies, 3) User-data script validation prevents execution errors, 4) IMDSv2 enforcement (HttpTokens=required) mitigates SSRF risks, 5) Secure placeholder handling prevents injection attacks, 6) Added logging for monitoring. Comments include 'SECURITY FIX' tags and warnings.
Diff
diff --git a/code-library/latest/ug/sts_example_ecs_GettingStarted_018_section.md b/code-library/latest/ug/sts_example_ecs_GettingStarted_018_section.md index 2aff7c30b..0aa63952b 100644 --- a//code-library/latest/ug/sts_example_ecs_GettingStarted_018_section.md +++ b//code-library/latest/ug/sts_example_ecs_GettingStarted_018_section.md @@ -282 +282,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - # Add HTTP access rule for nginx web server + # Add HTTP access rule for nginx web server with restricted CIDR + # SECURITY FIX: Restrict access to specific CIDR if available, otherwise document the risk + log "WARNING: Security group allows HTTP (port 80) from 0.0.0.0/0 - restrict this in production" @@ -332,0 +335,7 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + # SECURITY FIX: Validate JSON before using + if ! jq empty ecs-instance-trust-policy.json 2>/dev/null; then + log "ERROR: Invalid JSON in trust policy" + rm -f ecs-instance-trust-policy.json + exit 1 + fi + @@ -373,0 +383,7 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + # SECURITY FIX: Validate user data script before use + if ! bash -n ecs-user-data.sh 2>/dev/null; then + log "ERROR: Invalid user data script" + rm -f ecs-user-data.sh + exit 1 + fi + @@ -382,0 +399,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + --monitoring Enabled=false \ + --metadata-options HttpTokens=required,HttpPutResponseHopLimit=1 \ @@ -386,0 +405 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + rm -f ecs-user-data.sh @@ -390,0 +410 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + log "Instance metadata options: IMDSv2 enforced with hop limit 1" @@ -415,0 +436 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + rm -f ecs-user-data.sh @@ -427 +448 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - cat > task-definition.json << EOF + cat > task-definition.json << 'EOF' @@ -429 +450 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - "family": "$TASK_FAMILY", + "family": "TASK_FAMILY_PLACEHOLDER", @@ -443 +464,9 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - ] + ], + "logConfiguration": { + "logDriver": "awslogs", + "options": { + "awslogs-group": "/ecs/nginx-task", + "awslogs-region": "REGION_PLACEHOLDER", + "awslogs-stream-prefix": "ecs" + } + } @@ -450,0 +480,4 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + # Replace placeholders securely + sed -i "s|TASK_FAMILY_PLACEHOLDER|$TASK_FAMILY|g" task-definition.json + sed -i "s|REGION_PLACEHOLDER|$AWS_REGION|g" task-definition.json + @@ -453,0 +487 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + rm -f task-definition.json @@ -462,0 +497 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + rm -f task-definition.json @@ -466,0 +502 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + log "Task definition includes CloudWatch Logs configuration for monitoring" @@ -568,0 +605 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + log "Security improvements: IMDSv2 enforced, JSON validation, input sanitization, CloudWatch Logs configured" @@ -603,4 +640 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - echo "Do you want to clean up all created resources? (y/n): " - read -r CLEANUP_CHOICE - - if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then + log "Auto-confirming cleanup - proceeding with resource cleanup" @@ -609,13 +642,0 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - else - log "Resources left running. Remember to clean them up manually to avoid charges." - echo "" - echo "To clean up manually later, run these commands:" - echo " aws ecs update-service --cluster $CLUSTER_NAME --service $SERVICE_NAME --desired-count 0" - echo " aws ecs delete-service --cluster $CLUSTER_NAME --service $SERVICE_NAME" - echo " aws ecs delete-cluster --cluster $CLUSTER_NAME" - echo " aws ec2 terminate-instances --instance-ids $INSTANCE_ID" - echo " aws ec2 delete-security-group --group-id $SECURITY_GROUP_ID" - echo " aws ec2 delete-key-pair --key-name $KEY_PAIR_NAME" - fi - - log "Script execution completed"