AWS Security ChangesHomeSearch

AWS code-library medium security documentation change

Service: code-library · 2026-05-01 · Security-related medium

File: code-library/latest/ug/sts_example_pinpoint_GettingStarted_049_section.md

Summary

Enhanced example script with security improvements: added secure file handling (umask 0077, shredding temp files), input validation, resource tracking for cleanup, error handling to stderr, and security best practices documentation.

Security assessment

The changes implement concrete security controls: 1) Secure file permissions (umask 0077) prevents unauthorized access to generated files 2) Temporary file shredding reduces sensitive data leakage risk 3) Input validation prevents malformed/insecure resource names 4) Error redirection to stderr improves secure logging. These directly mitigate potential local file exposure and data residue vulnerabilities.

Diff

diff --git a/code-library/latest/ug/sts_example_pinpoint_GettingStarted_049_section.md b/code-library/latest/ug/sts_example_pinpoint_GettingStarted_049_section.md
index df4e2a094..94c5afb01 100644
--- a//code-library/latest/ug/sts_example_pinpoint_GettingStarted_049_section.md
+++ b//code-library/latest/ug/sts_example_pinpoint_GettingStarted_049_section.md
@@ -45 +45 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    # Usage: ./2-cli-script-final-working.sh [--auto-cleanup]
+    # Usage: ./aws-end-user-messaging-gs.sh [--auto-cleanup]
@@ -47,5 +47,4 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    # Check for auto-cleanup flag
-    AUTO_CLEANUP=false
-    if [[ "${1:-}" == "--auto-cleanup" ]]; then
-        AUTO_CLEANUP=true
-    fi
+    set -uo pipefail
+    
+    # Security: Set secure umask for created files
+    umask 0077
@@ -54 +53,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    LOG_FILE="aws-end-user-messaging-push-script-$(date +%Y%m%d-%H%M%S).log"
+    LOG_DIR="./aws-eump-logs"
+    mkdir -p "$LOG_DIR"
+    LOG_FILE="$LOG_DIR/aws-end-user-messaging-push-script-$(date +%Y%m%d-%H%M%S).log"
@@ -60,0 +62,30 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+    # Security: Track created resources for cleanup
+    declare -a TEMP_FILES=()
+    declare -a AWS_RESOURCES=()
+    
+    # Cleanup function with improved security
+    cleanup() {
+        local exit_code=$?
+        echo "Cleaning up temporary resources..."
+        
+        # Remove temporary files securely
+        for temp_file in "${TEMP_FILES[@]+"${TEMP_FILES[@]}"}"; do
+            if [ -f "$temp_file" ]; then
+                shred -vfz -n 3 "$temp_file" 2>/dev/null || rm -f "$temp_file"
+            fi
+        done
+        
+        # Optionally delete AWS resources
+        if [ "${DELETE_AWS_RESOURCES:-false}" = "true" ]; then
+            for resource in "${AWS_RESOURCES[@]+"${AWS_RESOURCES[@]}"}"; do
+                echo "Deleting AWS resource: $resource"
+                aws pinpoint delete-app --application-id "$resource" 2>/dev/null || \
+                    echo "Warning: Failed to delete application $resource"
+            done
+        fi
+        
+        exit "$exit_code"
+    }
+    
+    trap cleanup EXIT INT TERM
+    
@@ -68,2 +99,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-            echo "ERROR: Command failed: $cmd"
-            echo "Error details: $output"
+            echo "ERROR: Command failed: $cmd" >&2
+            echo "Error details: $output" >&2
@@ -72 +103 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-                echo "Ignoring error and continuing..."
+                echo "Ignoring error and continuing..." >&2
@@ -75,2 +106 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-                cleanup_on_error
-                exit 1
+                return 2
@@ -83,15 +112,0 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    # Function to clean up resources on error
-    cleanup_on_error() {
-        echo "Error encountered. Cleaning up resources..."
-        
-        if [ -n "${APP_ID:-}" ]; then
-            echo "Deleting application with ID: $APP_ID"
-            aws pinpoint delete-app --application-id "$APP_ID" 2>/dev/null || echo "Failed to delete application"
-        fi
-        
-        # Clean up any created files
-        rm -f gcm-message.json apns-message.json
-        
-        echo "Cleanup completed."
-    }
-    
@@ -104,3 +119,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-            echo "ERROR: AWS CLI is not installed. Please install it first."
-            echo "Visit: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html"
-            exit 1
+            echo "ERROR: AWS CLI is not installed. Please install it first." >&2
+            echo "Visit: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html" >&2
+            return 1
@@ -113 +128 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        # Check if AWS CLI is configured
+        # Verify credentials are set (check for credential env vars or config file)
@@ -115,3 +130,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-            echo "ERROR: AWS CLI is not configured or credentials are invalid."
-            echo "Please run 'aws configure' to set up your credentials."
-            exit 1
+            echo "ERROR: AWS CLI credentials are not configured or invalid." >&2
+            echo "Please configure credentials via environment variables, credential file, or 'aws configure'" >&2
+            return 1
@@ -126,0 +142,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+        
+        return 0
@@ -141 +158 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    # Function to extract JSON values
+    # Function to extract JSON values safely
@@ -147 +164 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-            echo "$json" | jq -r ".$key"
+            echo "$json" | jq -r ".ApplicationResponse.$key // empty" 2>/dev/null || echo ""
@@ -149,2 +166,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-            # Fallback to grep method
-            echo "$json" | grep -o "\"$key\": \"[^\"]*" | cut -d'"' -f4 | head -n1
+            # Fallback to grep method with better validation
+            echo "$json" | grep -o "\"$key\": \"[^\"]*" | cut -d'"' -f4 | head -n1 || echo ""
@@ -159,10 +176,10 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        if ! aws pinpoint get-apps &> /dev/null; then
-            echo "WARNING: Unable to list Pinpoint applications. Please ensure you have the following IAM permissions:"
-            echo "- mobiletargeting:GetApps"
-            echo "- mobiletargeting:CreateApp"
-            echo "- mobiletargeting:DeleteApp"
-            echo "- mobiletargeting:UpdateGcmChannel"
-            echo "- mobiletargeting:UpdateApnsChannel"
-            echo "- mobiletargeting:SendMessages"
-            echo ""
-            echo "Continuing anyway..."
+        if ! aws pinpoint get-apps > /dev/null 2>&1; then
+            echo "WARNING: Unable to list Pinpoint applications." >&2
+            echo "Please ensure you have appropriate IAM permissions for Pinpoint operations." >&2
+            echo "Required permissions:" >&2
+            echo "  - mobiletargeting:GetApps" >&2
+            echo "  - mobiletargeting:CreateApp" >&2
+            echo "  - mobiletargeting:DeleteApp" >&2
+            echo "  - mobiletargeting:UpdateGcmChannel" >&2
+            echo "  - mobiletargeting:UpdateApnsChannel" >&2
+            echo "  - mobiletargeting:SendMessages" >&2
@@ -173,0 +191,30 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+    # Function to validate input parameters
+    validate_input() {
+        local app_name=$1
+        
+        # Validate app name length and characters
+        if [ ${#app_name} -gt 64 ]; then
+            echo "ERROR: Application name exceeds maximum length of 64 characters" >&2
+            return 1
+        fi
+        
+        if ! [[ "$app_name" =~ ^[a-zA-Z0-9_-]+$ ]]; then
+            echo "ERROR: Application name contains invalid characters" >&2
+            return 1
+        fi
+        
+        return 0
+    }
+    
+    # Function to create secure temporary files
+    create_temp_file() {
+        local temp_file
+        temp_file=$(mktemp) || {
+            echo "ERROR: Failed to create temporary file" >&2
+            return 1
+        }
+        chmod 600 "$temp_file"
+        TEMP_FILES+=("$temp_file")
+        echo "$temp_file"
+    }
+    
@@ -175 +222,4 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    validate_aws_cli
+    if ! validate_aws_cli; then
+        exit 1
+    fi
+    
@@ -182,0 +233,5 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+    # Validate input
+    if ! validate_input "$APP_NAME"; then
+        exit 1
+    fi
+    
@@ -188 +243,4 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    check_error "$CREATE_APP_OUTPUT" "create-app"
+    
+    if ! check_error "$CREATE_APP_OUTPUT" "create-app"; then
+        exit 1
+    fi
@@ -194,5 +252 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    if [ "$USE_JQ" = "true" ]; then
-        APP_ID=$(echo "$CREATE_APP_OUTPUT" | jq -r '.ApplicationResponse.Id')
-    else
-        APP_ID=$(echo "$CREATE_APP_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4 | head -n1)
-    fi
+    APP_ID=$(extract_json_value "$CREATE_APP_OUTPUT" "Id")
@@ -201,2 +255,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        echo "ERROR: Failed to extract application ID from output"
-        echo "Output was: $CREATE_APP_OUTPUT"
+        echo "ERROR: Failed to extract application ID from output" >&2
+        echo "Output was: $CREATE_APP_OUTPUT" >&2
@@ -207,3 +261 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    
-    # Create a resources list to track what we've created
-    RESOURCES=("Application: $APP_ID")
+    AWS_RESOURCES+=("$APP_ID")
@@ -231 +282,0 @@ There's more on GitHub. Find the complete example and learn how to set up and ru