AWS Security ChangesHomeSearch

AWS AmazonCloudFront medium security documentation change

Service: AmazonCloudFront · 2026-05-04 · Security-related medium

File: AmazonCloudFront/latest/DeveloperGuide/example_wafv2_GettingStarted_052_section.md

Summary

Enhanced script security measures including secure file permissions, error handling, JSON validation, and resource cleanup improvements

Security assessment

The changes implement multiple security best practices: 1) Setting umask 077 and chmod 600 for log files limits file access 2) Secure error handling prevents sensitive data leakage 3) JSON validation prevents injection attacks 4) Secure credential handling with account ID validation 5) Automatic cleanup reduces resource leakage risks. These changes directly address potential security weaknesses in script execution and resource management.

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/example_wafv2_GettingStarted_052_section.md b/AmazonCloudFront/latest/DeveloperGuide/example_wafv2_GettingStarted_052_section.md
index fe36f71f4..c2b0112f9 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/example_wafv2_GettingStarted_052_section.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/example_wafv2_GettingStarted_052_section.md
@@ -41 +41,6 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    # Set up logging
+    set -euo pipefail
+    
+    # Security: Restrict file permissions
+    umask 077
+    
+    # Set up logging with secure file handling
@@ -42,0 +48,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+    touch "$LOG_FILE"
+    chmod 600 "$LOG_FILE"
@@ -55 +62 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    # Function to handle errors
+    # Function to handle errors securely
@@ -57,2 +64,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        echo "ERROR: $1"
-        echo "Check the log file for details: $LOG_FILE"
+        local error_msg="$1"
+        echo "ERROR: $error_msg" >&2
+        echo "Check the log file for details: $LOG_FILE" >&2
@@ -63,4 +71,16 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    # Function to check command success
-    check_command() {
-        if echo "$1" | grep -i "error" > /dev/null; then
-            handle_error "$2: $1"
+    # Function to validate AWS CLI JSON output
+    validate_json() {
+        local json_string="$1"
+        if ! echo "$json_string" | jq empty 2>/dev/null; then
+            return 1
+        fi
+        return 0
+    }
+    
+    # Function to safely extract JSON values
+    extract_json_value() {
+        local json_string="$1"
+        local key_path="$2"
+        
+        if ! validate_json "$json_string"; then
+            return 1
@@ -67,0 +88,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
+        
+        echo "$json_string" | jq -r "$key_path" 2>/dev/null || return 1
@@ -70 +92 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    # Function to clean up resources
+    # Function to clean up resources securely
@@ -77 +99 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        if [ -n "$DISTRIBUTION_ID" ] && [ -n "$WEB_ACL_ARN" ]; then
+        if [ -n "${DISTRIBUTION_ID:-}" ] && [ -n "${WEB_ACL_ARN:-}" ]; then
@@ -79,3 +101,7 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-            DISASSOCIATE_RESULT=$(aws wafv2 disassociate-web-acl \
-                --resource-arn "arn:aws:cloudfront::$(aws sts get-caller-identity --query Account --output text):distribution/$DISTRIBUTION_ID" \
-                --region us-east-1 2>&1)
+            local account_id
+            account_id=$(aws sts get-caller-identity --query Account --output text 2>/dev/null) || account_id=""
+            
+            if [ -z "$account_id" ]; then
+                echo "Warning: Could not retrieve AWS account ID"
+                return
+            fi
@@ -83,2 +109,7 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-            if echo "$DISASSOCIATE_RESULT" | grep -i "error" > /dev/null; then
-                echo "Warning: Failed to disassociate Web ACL: $DISASSOCIATE_RESULT"
+            local disassociate_result
+            disassociate_result=$(aws wafv2 disassociate-web-acl \
+                --resource-arn "arn:aws:cloudfront::${account_id}:distribution/${DISTRIBUTION_ID}" \
+                --region us-east-1 2>&1) || true
+            
+            if echo "$disassociate_result" | grep -qi "error"; then
+                echo "Warning: Failed to disassociate Web ACL: $disassociate_result"
@@ -90 +121 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        if [ -n "$WEB_ACL_ID" ] && [ -n "$WEB_ACL_NAME" ]; then
+        if [ -n "${WEB_ACL_ID:-}" ] && [ -n "${WEB_ACL_NAME:-}" ]; then
@@ -93,2 +124,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-            # Get the latest lock token before deletion
-            GET_RESULT=$(aws wafv2 get-web-acl \
+            local get_result
+            get_result=$(aws wafv2 get-web-acl \
@@ -98 +129 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-                --region us-east-1 2>&1)
+                --region us-east-1 2>&1) || true
@@ -100,2 +131,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-            if echo "$GET_RESULT" | grep -i "error" > /dev/null; then
-                echo "Warning: Failed to get Web ACL for deletion: $GET_RESULT"
+            if echo "$get_result" | grep -qi "error"; then
+                echo "Warning: Failed to get Web ACL for deletion: $get_result"
@@ -104 +135,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-                LATEST_TOKEN=$(echo "$GET_RESULT" | grep -o '"LockToken": "[^"]*' | cut -d'"' -f4)
+                local latest_token
+                latest_token=$(extract_json_value "$get_result" '.WebACL.LockToken' 2>/dev/null) || latest_token=""
@@ -106,2 +138,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-                if [ -n "$LATEST_TOKEN" ]; then
-                    DELETE_RESULT=$(aws wafv2 delete-web-acl \
+                if [ -n "$latest_token" ]; then
+                    local delete_result
+                    delete_result=$(aws wafv2 delete-web-acl \
@@ -111,2 +144,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-                        --lock-token "$LATEST_TOKEN" \
-                        --region us-east-1 2>&1)
+                        --lock-token "$latest_token" \
+                        --region us-east-1 2>&1) || true
@@ -114,2 +147,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-                    if echo "$DELETE_RESULT" | grep -i "error" > /dev/null; then
-                        echo "Warning: Failed to delete Web ACL: $DELETE_RESULT"
+                    if echo "$delete_result" | grep -qi "error"; then
+                        echo "Warning: Failed to delete Web ACL: $delete_result"
@@ -129,2 +162,5 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    # Generate a random identifier for resource names
-    RANDOM_ID=$(openssl rand -hex 4)
+    # Security: Trap EXIT to ensure cleanup on any exit
+    trap cleanup_resources EXIT
+    
+    # Generate a random identifier for resource names using secure method
+    RANDOM_ID=$(openssl rand -hex 4) || handle_error "Failed to generate random ID"
@@ -142 +178,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    CREATE_RESULT=$(aws wafv2 create-web-acl \
+    local create_result
+    create_result=$(aws wafv2 create-web-acl \
@@ -147,3 +184,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        --region us-east-1 2>&1)
-    
-    check_command "$CREATE_RESULT" "Failed to create Web ACL"
+        --tags Key=project,Value=doc-smith Key=tutorial,Value=aws-waf-gs \
+        --region us-east-1 2>&1) || handle_error "Failed to create Web ACL"
@@ -151,7 +187,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    # Extract Web ACL ID, ARN, and Lock Token from the Summary object
-    WEB_ACL_ID=$(echo "$CREATE_RESULT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4)
-    WEB_ACL_ARN=$(echo "$CREATE_RESULT" | grep -o '"ARN": "[^"]*' | cut -d'"' -f4)
-    LOCK_TOKEN=$(echo "$CREATE_RESULT" | grep -o '"LockToken": "[^"]*' | cut -d'"' -f4)
-    
-    if [ -z "$WEB_ACL_ID" ]; then
-        handle_error "Failed to extract Web ACL ID"
+    if ! validate_json "$create_result"; then
+        handle_error "Invalid JSON response from create-web-acl"
@@ -160,3 +191,4 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    if [ -z "$LOCK_TOKEN" ]; then
-        handle_error "Failed to extract Lock Token"
-    fi
+    # Extract Web ACL ID, ARN, and Lock Token from the response
+    WEB_ACL_ID=$(extract_json_value "$create_result" '.Summary.Id') || handle_error "Failed to extract Web ACL ID"
+    WEB_ACL_ARN=$(extract_json_value "$create_result" '.Summary.ARN') || handle_error "Failed to extract Web ACL ARN"
+    LOCK_TOKEN=$(extract_json_value "$create_result" '.Summary.LockToken') || handle_error "Failed to extract Lock Token"
@@ -165 +197 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    echo "Lock Token: $LOCK_TOKEN"
+    echo "Lock Token: [REDACTED]"
@@ -173 +204,0 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-    # Try to update with retries
@@ -178 +209,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        GET_RESULT=$(aws wafv2 get-web-acl \
+        local get_result
+        get_result=$(aws wafv2 get-web-acl \
@@ -182 +214 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-            --region us-east-1 2>&1)
+            --region us-east-1 2>&1) || true
@@ -184,2 +216,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        if echo "$GET_RESULT" | grep -i "error" > /dev/null; then
-            echo "Warning: Failed to get Web ACL for update: $GET_RESULT"
+        if echo "$get_result" | grep -qi "error"; then
+            echo "Warning: Failed to get Web ACL for update: $get_result"
@@ -193 +225,11 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        LATEST_TOKEN=$(echo "$GET_RESULT" | grep -o '"LockToken": "[^"]*' | cut -d'"' -f4)
+        if ! validate_json "$get_result"; then
+            echo "Warning: Invalid JSON response from get-web-acl"
+            if [ "$i" -eq "$MAX_RETRIES" ]; then
+                handle_error "Invalid JSON response after $MAX_RETRIES attempts"
+            fi
+            sleep 2
+            continue
+        fi
+        
+        local latest_token
+        latest_token=$(extract_json_value "$get_result" '.WebACL.LockToken' 2>/dev/null) || true
@@ -195 +237 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        if [ -z "$LATEST_TOKEN" ]; then
+        if [ -z "$latest_token" ]; then
@@ -204,3 +246,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        echo "Using lock token: $LATEST_TOKEN"
-        
-        UPDATE_RESULT=$(aws wafv2 update-web-acl \
+        local update_result
+        update_result=$(aws wafv2 update-web-acl \
@@ -210 +251 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-            --lock-token "$LATEST_TOKEN" \
+            --lock-token "$latest_token" \
@@ -242 +283 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-            --region us-east-1 2>&1)
+            --region us-east-1 2>&1) || true
@@ -244 +285 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        if echo "$UPDATE_RESULT" | grep -i "WAFOptimisticLockException" > /dev/null; then
+        if echo "$update_result" | grep -qi "WAFOptimisticLockException"; then
@@ -247 +288 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-                handle_error "Failed to add string match rule after $MAX_RETRIES attempts: $UPDATE_RESULT"
+                handle_error "Failed to add string match rule after $MAX_RETRIES attempts"
@@ -251,2 +292,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru
-        elif echo "$UPDATE_RESULT" | grep -i "error" > /dev/null; then