AWS ec2 documentation change
Summary
Enhanced script robustness with error handling, added AWS CLI/credentials validation, improved security group rule management, added explicit security warnings about open access, and automated cleanup process.
Security assessment
The changes add prominent security warnings about allowing 0.0.0.0/0 access (highlighted with ⚠️) and explicitly state this is unsafe for production. However, there's no evidence of fixing a specific vulnerability; rather, it improves security documentation and script safety.
Diff
diff --git a/ec2/latest/devguide/example_ec2_GettingStarted_065_section.md b/ec2/latest/devguide/example_ec2_GettingStarted_065_section.md index 3d2163b24..6dce5f3e4 100644 --- a//ec2/latest/devguide/example_ec2_GettingStarted_065_section.md +++ b//ec2/latest/devguide/example_ec2_GettingStarted_065_section.md @@ -36,0 +37,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + set -euo pipefail + @@ -48 +50 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if [ -n "$CACHE_NAME" ]; then + if [ -n "${CACHE_NAME:-}" ]; then @@ -51 +53 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if [ -n "$SG_RULE_6379" ] || [ -n "$SG_RULE_6380" ]; then + if [ -n "${SG_RULE_6379:-}" ] || [ -n "${SG_RULE_6380:-}" ]; then @@ -57,0 +60,10 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + # Validate AWS CLI is installed and configured + if ! command -v aws &> /dev/null; then + handle_error "AWS CLI is not installed or not in PATH" + fi + + # Check AWS credentials are configured + if ! aws sts get-caller-identity &> /dev/null; then + handle_error "AWS credentials are not configured or invalid" + fi + @@ -72 +84 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --output text) + --output text 2>/dev/null || echo "") @@ -82 +94,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - SG_RULE_6379=$(aws ec2 authorize-security-group-ingress \ + SG_RULE_6379="" + if SG_RULE_6379=$(aws ec2 authorize-security-group-ingress \ @@ -88,6 +101,7 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --output text 2>&1) - - # Check for errors in the output - if echo "$SG_RULE_6379" | grep -i "error" > /dev/null; then - # If the rule already exists, this is not a fatal error - if echo "$SG_RULE_6379" | grep -i "already exists" > /dev/null; then + --output text 2>&1); then + if [[ "$SG_RULE_6379" == *"InvalidGroup.Duplicate"* ]] || [[ "$SG_RULE_6379" == *"already exists"* ]]; then + echo "Rule for port 6379 already exists, continuing..." + SG_RULE_6379="existing" + fi + else + if [[ "$SG_RULE_6379" == *"InvalidGroup.Duplicate"* ]] || [[ "$SG_RULE_6379" == *"already exists"* ]]; then @@ -103 +117,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - SG_RULE_6380=$(aws ec2 authorize-security-group-ingress \ + SG_RULE_6380="" + if SG_RULE_6380=$(aws ec2 authorize-security-group-ingress \ @@ -109,6 +124,7 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --output text 2>&1) - - # Check for errors in the output - if echo "$SG_RULE_6380" | grep -i "error" > /dev/null; then - # If the rule already exists, this is not a fatal error - if echo "$SG_RULE_6380" | grep -i "already exists" > /dev/null; then + --output text 2>&1); then + if [[ "$SG_RULE_6380" == *"InvalidGroup.Duplicate"* ]] || [[ "$SG_RULE_6380" == *"already exists"* ]]; then + echo "Rule for port 6380 already exists, continuing..." + SG_RULE_6380="existing" + fi + else + if [[ "$SG_RULE_6380" == *"InvalidGroup.Duplicate"* ]] || [[ "$SG_RULE_6380" == *"already exists"* ]]; then @@ -124,2 +140,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - echo "SECURITY NOTE: The security group rules created allow access from any IP address (0.0.0.0/0)." - echo "This is not recommended for production environments. For production," + echo "⚠️ SECURITY WARNING: The security group rules created allow access from any IP address (0.0.0.0/0)." + echo "This is NOT RECOMMENDED for production environments. For production," @@ -126,0 +143 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + echo "Update the CIDR blocks in this script before using in production." @@ -131 +148 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - CREATE_RESULT=$(aws elasticache create-serverless-cache \ + if ! CREATE_RESULT=$(aws elasticache create-serverless-cache \ @@ -133,4 +150 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --engine valkey 2>&1) - - # Check for errors in the output - if echo "$CREATE_RESULT" | grep -i "error" > /dev/null; then + --engine valkey 2>&1); then @@ -153,5 +167,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - DESCRIBE_RESULT=$(aws elasticache describe-serverless-caches \ - --serverless-cache-name "$CACHE_NAME" 2>&1) - - # Check for errors in the output - if echo "$DESCRIBE_RESULT" | grep -i "error" > /dev/null; then + if ! DESCRIBE_RESULT=$(aws elasticache describe-serverless-caches \ + --serverless-cache-name "$CACHE_NAME" 2>&1); then @@ -161,2 +172,6 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - # Extract status using grep and awk for more reliable parsing - CACHE_STATUS=$(echo "$DESCRIBE_RESULT" | grep -o '"Status": "[^"]*"' | awk -F'"' '{print $4}') + # Extract status using jq for reliable JSON parsing + if command -v jq &> /dev/null; then + CACHE_STATUS=$(echo "$DESCRIBE_RESULT" | jq -r '.ServerlessCaches[0].Status // "UNKNOWN"' 2>/dev/null || echo "") + else + CACHE_STATUS=$(echo "$DESCRIBE_RESULT" | grep -o '"Status": "[^"]*"' | awk -F'"' '{print $4}' | head -n 1) + fi @@ -187 +202 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - ENDPOINT=$(aws elasticache describe-serverless-caches \ + if ! ENDPOINT=$(aws elasticache describe-serverless-caches \ @@ -190 +205,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --output text) + --output text 2>&1); then + handle_error "Failed to get cache endpoint: $ENDPOINT" + fi @@ -224 +241 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - # Prompt for cleanup + # Auto-confirm cleanup @@ -231 +248 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if [ "$SG_RULE_6379" != "existing" ] || [ "$SG_RULE_6380" != "existing" ]; then + if [[ "${SG_RULE_6379:-}" != "existing" ]] || [[ "${SG_RULE_6380:-}" != "existing" ]]; then @@ -235,2 +252,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - echo "Do you want to clean up all created resources? (y/n): " - read -r CLEANUP_CHOICE + echo "Proceeding with cleanup..." + + CLEANUP_CHOICE="y" @@ -243,5 +261,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - DELETE_RESULT=$(aws elasticache delete-serverless-cache \ - --serverless-cache-name "$CACHE_NAME" 2>&1) - - # Check for errors in the output - if echo "$DELETE_RESULT" | grep -i "error" > /dev/null; then + if ! DELETE_RESULT=$(aws elasticache delete-serverless-cache \ + --serverless-cache-name "$CACHE_NAME" 2>&1); then @@ -255 +270 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if [ "$SG_RULE_6379" != "existing" ]; then + if [[ "${SG_RULE_6379:-}" != "existing" ]]; then @@ -257 +272 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - aws ec2 revoke-security-group-ingress \ + if ! aws ec2 revoke-security-group-ingress \ @@ -261 +276,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --cidr 0.0.0.0/0 + --cidr 0.0.0.0/0 2>&1; then + echo "WARNING: Failed to remove security group rule for port 6379" + fi @@ -264 +281 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if [ "$SG_RULE_6380" != "existing" ]; then + if [[ "${SG_RULE_6380:-}" != "existing" ]]; then @@ -266 +283 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - aws ec2 revoke-security-group-ingress \ + if ! aws ec2 revoke-security-group-ingress \ @@ -270 +287,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --cidr 0.0.0.0/0 + --cidr 0.0.0.0/0 2>&1; then + echo "WARNING: Failed to remove security group rule for port 6380" + fi @@ -274,7 +292,0 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - else - echo "Cleanup skipped. Resources will remain in your AWS account." - echo "To clean up later, run:" - echo "aws elasticache delete-serverless-cache --serverless-cache-name $CACHE_NAME" - if [ "$SG_RULE_6379" != "existing" ] || [ "$SG_RULE_6380" != "existing" ]; then - echo "And remove the security group rules for ports 6379 and 6380 from security group $SG_ID" - fi