AWS Security ChangesHomeSearch

AWS ec2 documentation change

Service: ec2 · 2026-05-01 · Documentation low

File: ec2/latest/devguide/example_ec2_GettingStarted_065_section.md

Summary

Enhanced script robustness with error handling, added AWS CLI/credentials validation, improved security group rule management, added explicit security warnings about open access, and automated cleanup process.

Security assessment

The changes add prominent security warnings about allowing 0.0.0.0/0 access (highlighted with ⚠️) and explicitly state this is unsafe for production. However, there's no evidence of fixing a specific vulnerability; rather, it improves security documentation and script safety.

Diff

diff --git a/ec2/latest/devguide/example_ec2_GettingStarted_065_section.md b/ec2/latest/devguide/example_ec2_GettingStarted_065_section.md
index 3d2163b24..6dce5f3e4 100644
--- a//ec2/latest/devguide/example_ec2_GettingStarted_065_section.md
+++ b//ec2/latest/devguide/example_ec2_GettingStarted_065_section.md
@@ -36,0 +37,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+    set -euo pipefail
+    
@@ -48 +50 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        if [ -n "$CACHE_NAME" ]; then
+        if [ -n "${CACHE_NAME:-}" ]; then
@@ -51 +53 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        if [ -n "$SG_RULE_6379" ] || [ -n "$SG_RULE_6380" ]; then
+        if [ -n "${SG_RULE_6379:-}" ] || [ -n "${SG_RULE_6380:-}" ]; then
@@ -57,0 +60,10 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+    # Validate AWS CLI is installed and configured
+    if ! command -v aws &> /dev/null; then
+        handle_error "AWS CLI is not installed or not in PATH"
+    fi
+    
+    # Check AWS credentials are configured
+    if ! aws sts get-caller-identity &> /dev/null; then
+        handle_error "AWS credentials are not configured or invalid"
+    fi
+    
@@ -72 +84 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-      --output text)
+      --output text 2>/dev/null || echo "")
@@ -82 +94,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    SG_RULE_6379=$(aws ec2 authorize-security-group-ingress \
+    SG_RULE_6379=""
+    if SG_RULE_6379=$(aws ec2 authorize-security-group-ingress \
@@ -88,6 +101,7 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-      --output text 2>&1)
-    
-    # Check for errors in the output
-    if echo "$SG_RULE_6379" | grep -i "error" > /dev/null; then
-        # If the rule already exists, this is not a fatal error
-        if echo "$SG_RULE_6379" | grep -i "already exists" > /dev/null; then
+      --output text 2>&1); then
+        if [[ "$SG_RULE_6379" == *"InvalidGroup.Duplicate"* ]] || [[ "$SG_RULE_6379" == *"already exists"* ]]; then
+            echo "Rule for port 6379 already exists, continuing..."
+            SG_RULE_6379="existing"
+        fi
+    else
+        if [[ "$SG_RULE_6379" == *"InvalidGroup.Duplicate"* ]] || [[ "$SG_RULE_6379" == *"already exists"* ]]; then
@@ -103 +117,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    SG_RULE_6380=$(aws ec2 authorize-security-group-ingress \
+    SG_RULE_6380=""
+    if SG_RULE_6380=$(aws ec2 authorize-security-group-ingress \
@@ -109,6 +124,7 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-      --output text 2>&1)
-    
-    # Check for errors in the output
-    if echo "$SG_RULE_6380" | grep -i "error" > /dev/null; then
-        # If the rule already exists, this is not a fatal error
-        if echo "$SG_RULE_6380" | grep -i "already exists" > /dev/null; then
+      --output text 2>&1); then
+        if [[ "$SG_RULE_6380" == *"InvalidGroup.Duplicate"* ]] || [[ "$SG_RULE_6380" == *"already exists"* ]]; then
+            echo "Rule for port 6380 already exists, continuing..."
+            SG_RULE_6380="existing"
+        fi
+    else
+        if [[ "$SG_RULE_6380" == *"InvalidGroup.Duplicate"* ]] || [[ "$SG_RULE_6380" == *"already exists"* ]]; then
@@ -124,2 +140,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    echo "SECURITY NOTE: The security group rules created allow access from any IP address (0.0.0.0/0)."
-    echo "This is not recommended for production environments. For production,"
+    echo "⚠️  SECURITY WARNING: The security group rules created allow access from any IP address (0.0.0.0/0)."
+    echo "This is NOT RECOMMENDED for production environments. For production,"
@@ -126,0 +143 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+    echo "Update the CIDR blocks in this script before using in production."
@@ -131 +148 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    CREATE_RESULT=$(aws elasticache create-serverless-cache \
+    if ! CREATE_RESULT=$(aws elasticache create-serverless-cache \
@@ -133,4 +150 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-      --engine valkey 2>&1)
-    
-    # Check for errors in the output
-    if echo "$CREATE_RESULT" | grep -i "error" > /dev/null; then
+      --engine valkey 2>&1); then
@@ -153,5 +167,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        DESCRIBE_RESULT=$(aws elasticache describe-serverless-caches \
-          --serverless-cache-name "$CACHE_NAME" 2>&1)
-        
-        # Check for errors in the output
-        if echo "$DESCRIBE_RESULT" | grep -i "error" > /dev/null; then
+        if ! DESCRIBE_RESULT=$(aws elasticache describe-serverless-caches \
+          --serverless-cache-name "$CACHE_NAME" 2>&1); then
@@ -161,2 +172,6 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        # Extract status using grep and awk for more reliable parsing
-        CACHE_STATUS=$(echo "$DESCRIBE_RESULT" | grep -o '"Status": "[^"]*"' | awk -F'"' '{print $4}')
+        # Extract status using jq for reliable JSON parsing
+        if command -v jq &> /dev/null; then
+            CACHE_STATUS=$(echo "$DESCRIBE_RESULT" | jq -r '.ServerlessCaches[0].Status // "UNKNOWN"' 2>/dev/null || echo "")
+        else
+            CACHE_STATUS=$(echo "$DESCRIBE_RESULT" | grep -o '"Status": "[^"]*"' | awk -F'"' '{print $4}' | head -n 1)
+        fi
@@ -187 +202 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    ENDPOINT=$(aws elasticache describe-serverless-caches \
+    if ! ENDPOINT=$(aws elasticache describe-serverless-caches \
@@ -190 +205,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-      --output text)
+      --output text 2>&1); then
+        handle_error "Failed to get cache endpoint: $ENDPOINT"
+    fi
@@ -224 +241 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    # Prompt for cleanup
+    # Auto-confirm cleanup
@@ -231 +248 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    if [ "$SG_RULE_6379" != "existing" ] || [ "$SG_RULE_6380" != "existing" ]; then
+    if [[ "${SG_RULE_6379:-}" != "existing" ]] || [[ "${SG_RULE_6380:-}" != "existing" ]]; then
@@ -235,2 +252,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    echo "Do you want to clean up all created resources? (y/n): "
-    read -r CLEANUP_CHOICE
+    echo "Proceeding with cleanup..."
+    
+    CLEANUP_CHOICE="y"
@@ -243,5 +261,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        DELETE_RESULT=$(aws elasticache delete-serverless-cache \
-          --serverless-cache-name "$CACHE_NAME" 2>&1)
-        
-        # Check for errors in the output
-        if echo "$DELETE_RESULT" | grep -i "error" > /dev/null; then
+        if ! DELETE_RESULT=$(aws elasticache delete-serverless-cache \
+          --serverless-cache-name "$CACHE_NAME" 2>&1); then
@@ -255 +270 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        if [ "$SG_RULE_6379" != "existing" ]; then
+        if [[ "${SG_RULE_6379:-}" != "existing" ]]; then
@@ -257 +272 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-            aws ec2 revoke-security-group-ingress \
+            if ! aws ec2 revoke-security-group-ingress \
@@ -261 +276,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-              --cidr 0.0.0.0/0
+              --cidr 0.0.0.0/0 2>&1; then
+                echo "WARNING: Failed to remove security group rule for port 6379"
+            fi
@@ -264 +281 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        if [ "$SG_RULE_6380" != "existing" ]; then
+        if [[ "${SG_RULE_6380:-}" != "existing" ]]; then
@@ -266 +283 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-            aws ec2 revoke-security-group-ingress \
+            if ! aws ec2 revoke-security-group-ingress \
@@ -270 +287,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-              --cidr 0.0.0.0/0
+              --cidr 0.0.0.0/0 2>&1; then
+                echo "WARNING: Failed to remove security group rule for port 6380"
+            fi
@@ -274,7 +292,0 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    else
-        echo "Cleanup skipped. Resources will remain in your AWS account."
-        echo "To clean up later, run:"
-        echo "aws elasticache delete-serverless-cache --serverless-cache-name $CACHE_NAME"
-        if [ "$SG_RULE_6379" != "existing" ] || [ "$SG_RULE_6380" != "existing" ]; then
-            echo "And remove the security group rules for ports 6379 and 6380 from security group $SG_ID"
-        fi