AWS Security ChangesHomeSearch

AWS code-library documentation change

Service: code-library · 2026-05-01 · Documentation low

File: code-library/latest/ug/sts_example_wafv2_GettingStarted_052_section.md

Summary

Updated AWS WAFv2 example script with security hardening improvements including secure file permissions, JSON validation, error handling, and automated cleanup

Security assessment

The changes add security best practices to the example script but don't address a specific security vulnerability. Changes include: setting umask 077 for file permissions, secure log file handling (chmod 600), improved error handling with stderr redirection, JSON validation to prevent injection attacks, secure random ID generation, and removal of sensitive information disclosure (redacting lock token). These are proactive security improvements rather than fixes for existing vulnerabilities.

Diff

diff --git a/code-library/latest/ug/sts_example_wafv2_GettingStarted_052_section.md b/code-library/latest/ug/sts_example_wafv2_GettingStarted_052_section.md
index 7be10d9ab..a55292987 100644
--- a//code-library/latest/ug/sts_example_wafv2_GettingStarted_052_section.md
+++ b//code-library/latest/ug/sts_example_wafv2_GettingStarted_052_section.md
@@ -43 +43,6 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    # Set up logging
+    set -euo pipefail
+    
+    # Security: Restrict file permissions
+    umask 077
+    
+    # Set up logging with secure file handling
@@ -44,0 +50,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+    touch "$LOG_FILE"
+    chmod 600 "$LOG_FILE"
@@ -57 +64 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    # Function to handle errors
+    # Function to handle errors securely
@@ -59,2 +66,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        echo "ERROR: $1"
-        echo "Check the log file for details: $LOG_FILE"
+        local error_msg="$1"
+        echo "ERROR: $error_msg" >&2
+        echo "Check the log file for details: $LOG_FILE" >&2
@@ -65,4 +73,16 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    # Function to check command success
-    check_command() {
-        if echo "$1" | grep -i "error" > /dev/null; then
-            handle_error "$2: $1"
+    # Function to validate AWS CLI JSON output
+    validate_json() {
+        local json_string="$1"
+        if ! echo "$json_string" | jq empty 2>/dev/null; then
+            return 1
+        fi
+        return 0
+    }
+    
+    # Function to safely extract JSON values
+    extract_json_value() {
+        local json_string="$1"
+        local key_path="$2"
+        
+        if ! validate_json "$json_string"; then
+            return 1
@@ -69,0 +90,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+        
+        echo "$json_string" | jq -r "$key_path" 2>/dev/null || return 1
@@ -72 +94 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    # Function to clean up resources
+    # Function to clean up resources securely
@@ -79 +101 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        if [ -n "$DISTRIBUTION_ID" ] && [ -n "$WEB_ACL_ARN" ]; then
+        if [ -n "${DISTRIBUTION_ID:-}" ] && [ -n "${WEB_ACL_ARN:-}" ]; then
@@ -81,3 +103,7 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-            DISASSOCIATE_RESULT=$(aws wafv2 disassociate-web-acl \
-                --resource-arn "arn:aws:cloudfront::$(aws sts get-caller-identity --query Account --output text):distribution/$DISTRIBUTION_ID" \
-                --region us-east-1 2>&1)
+            local account_id
+            account_id=$(aws sts get-caller-identity --query Account --output text 2>/dev/null) || account_id=""
+            
+            if [ -z "$account_id" ]; then
+                echo "Warning: Could not retrieve AWS account ID"
+                return
+            fi
@@ -85,2 +111,7 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-            if echo "$DISASSOCIATE_RESULT" | grep -i "error" > /dev/null; then
-                echo "Warning: Failed to disassociate Web ACL: $DISASSOCIATE_RESULT"
+            local disassociate_result
+            disassociate_result=$(aws wafv2 disassociate-web-acl \
+                --resource-arn "arn:aws:cloudfront::${account_id}:distribution/${DISTRIBUTION_ID}" \
+                --region us-east-1 2>&1) || true
+            
+            if echo "$disassociate_result" | grep -qi "error"; then
+                echo "Warning: Failed to disassociate Web ACL: $disassociate_result"
@@ -92 +123 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        if [ -n "$WEB_ACL_ID" ] && [ -n "$WEB_ACL_NAME" ]; then
+        if [ -n "${WEB_ACL_ID:-}" ] && [ -n "${WEB_ACL_NAME:-}" ]; then
@@ -95,2 +126,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-            # Get the latest lock token before deletion
-            GET_RESULT=$(aws wafv2 get-web-acl \
+            local get_result
+            get_result=$(aws wafv2 get-web-acl \
@@ -100 +131 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-                --region us-east-1 2>&1)
+                --region us-east-1 2>&1) || true
@@ -102,2 +133,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-            if echo "$GET_RESULT" | grep -i "error" > /dev/null; then
-                echo "Warning: Failed to get Web ACL for deletion: $GET_RESULT"
+            if echo "$get_result" | grep -qi "error"; then
+                echo "Warning: Failed to get Web ACL for deletion: $get_result"
@@ -106 +137,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-                LATEST_TOKEN=$(echo "$GET_RESULT" | grep -o '"LockToken": "[^"]*' | cut -d'"' -f4)
+                local latest_token
+                latest_token=$(extract_json_value "$get_result" '.WebACL.LockToken' 2>/dev/null) || latest_token=""
@@ -108,2 +140,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-                if [ -n "$LATEST_TOKEN" ]; then
-                    DELETE_RESULT=$(aws wafv2 delete-web-acl \
+                if [ -n "$latest_token" ]; then
+                    local delete_result
+                    delete_result=$(aws wafv2 delete-web-acl \
@@ -113,2 +146,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-                        --lock-token "$LATEST_TOKEN" \
-                        --region us-east-1 2>&1)
+                        --lock-token "$latest_token" \
+                        --region us-east-1 2>&1) || true
@@ -116,2 +149,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-                    if echo "$DELETE_RESULT" | grep -i "error" > /dev/null; then
-                        echo "Warning: Failed to delete Web ACL: $DELETE_RESULT"
+                    if echo "$delete_result" | grep -qi "error"; then
+                        echo "Warning: Failed to delete Web ACL: $delete_result"
@@ -131,2 +164,5 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    # Generate a random identifier for resource names
-    RANDOM_ID=$(openssl rand -hex 4)
+    # Security: Trap EXIT to ensure cleanup on any exit
+    trap cleanup_resources EXIT
+    
+    # Generate a random identifier for resource names using secure method
+    RANDOM_ID=$(openssl rand -hex 4) || handle_error "Failed to generate random ID"
@@ -144 +180,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    CREATE_RESULT=$(aws wafv2 create-web-acl \
+    local create_result
+    create_result=$(aws wafv2 create-web-acl \
@@ -149,3 +186 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        --region us-east-1 2>&1)
-    
-    check_command "$CREATE_RESULT" "Failed to create Web ACL"
+        --region us-east-1 2>&1) || handle_error "Failed to create Web ACL"
@@ -153,7 +188,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    # Extract Web ACL ID, ARN, and Lock Token from the Summary object
-    WEB_ACL_ID=$(echo "$CREATE_RESULT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4)
-    WEB_ACL_ARN=$(echo "$CREATE_RESULT" | grep -o '"ARN": "[^"]*' | cut -d'"' -f4)
-    LOCK_TOKEN=$(echo "$CREATE_RESULT" | grep -o '"LockToken": "[^"]*' | cut -d'"' -f4)
-    
-    if [ -z "$WEB_ACL_ID" ]; then
-        handle_error "Failed to extract Web ACL ID"
+    if ! validate_json "$create_result"; then
+        handle_error "Invalid JSON response from create-web-acl"
@@ -162,3 +192,4 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    if [ -z "$LOCK_TOKEN" ]; then
-        handle_error "Failed to extract Lock Token"
-    fi
+    # Extract Web ACL ID, ARN, and Lock Token from the response
+    WEB_ACL_ID=$(extract_json_value "$create_result" '.Summary.Id') || handle_error "Failed to extract Web ACL ID"
+    WEB_ACL_ARN=$(extract_json_value "$create_result" '.Summary.ARN') || handle_error "Failed to extract Web ACL ARN"
+    LOCK_TOKEN=$(extract_json_value "$create_result" '.Summary.LockToken') || handle_error "Failed to extract Lock Token"
@@ -167 +198 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    echo "Lock Token: $LOCK_TOKEN"
+    echo "Lock Token: [REDACTED]"
@@ -175 +205,0 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    # Try to update with retries
@@ -180 +210,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        GET_RESULT=$(aws wafv2 get-web-acl \
+        local get_result
+        get_result=$(aws wafv2 get-web-acl \
@@ -184 +215 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-            --region us-east-1 2>&1)
+            --region us-east-1 2>&1) || true
@@ -186,2 +217,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        if echo "$GET_RESULT" | grep -i "error" > /dev/null; then
-            echo "Warning: Failed to get Web ACL for update: $GET_RESULT"
+        if echo "$get_result" | grep -qi "error"; then
+            echo "Warning: Failed to get Web ACL for update: $get_result"
@@ -195 +226,11 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        LATEST_TOKEN=$(echo "$GET_RESULT" | grep -o '"LockToken": "[^"]*' | cut -d'"' -f4)
+        if ! validate_json "$get_result"; then
+            echo "Warning: Invalid JSON response from get-web-acl"
+            if [ "$i" -eq "$MAX_RETRIES" ]; then
+                handle_error "Invalid JSON response after $MAX_RETRIES attempts"
+            fi
+            sleep 2
+            continue
+        fi
+        
+        local latest_token
+        latest_token=$(extract_json_value "$get_result" '.WebACL.LockToken' 2>/dev/null) || true
@@ -197 +238 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        if [ -z "$LATEST_TOKEN" ]; then
+        if [ -z "$latest_token" ]; then
@@ -206,3 +247,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        echo "Using lock token: $LATEST_TOKEN"
-        
-        UPDATE_RESULT=$(aws wafv2 update-web-acl \
+        local update_result
+        update_result=$(aws wafv2 update-web-acl \
@@ -212 +252 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-            --lock-token "$LATEST_TOKEN" \
+            --lock-token "$latest_token" \
@@ -244 +284 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-            --region us-east-1 2>&1)
+            --region us-east-1 2>&1) || true
@@ -246 +286 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        if echo "$UPDATE_RESULT" | grep -i "WAFOptimisticLockException" > /dev/null; then
+        if echo "$update_result" | grep -qi "WAFOptimisticLockException"; then
@@ -249 +289 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-                handle_error "Failed to add string match rule after $MAX_RETRIES attempts: $UPDATE_RESULT"
+                handle_error "Failed to add string match rule after $MAX_RETRIES attempts"
@@ -253,2 +293,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        elif echo "$UPDATE_RESULT" | grep -i "error" > /dev/null; then
-            handle_error "Failed to add string match rule: $UPDATE_RESULT"