AWS cognito documentation change
Summary
Enhanced example script with security best practices: added input validation, secure resource creation, improved error handling, secure credential management, and automated cleanup.
Security assessment
Changes focus on security improvements like restrictive umask (0077), secure password generation (openssl), credential clearing (unset), stronger password policy (12 chars + symbols), token revocation, and input validation. However, no evidence indicates these address a specific vulnerability.
Diff
diff --git a/cognito/latest/developerguide/cognito-identity-provider_example_cognito_identity_provider_GettingStarted_066_section.md b/cognito/latest/developerguide/cognito-identity-provider_example_cognito_identity_provider_GettingStarted_066_section.md index ba9a32859..6adb10f02 100644 --- a//cognito/latest/developerguide/cognito-identity-provider_example_cognito_identity_provider_GettingStarted_066_section.md +++ b//cognito/latest/developerguide/cognito-identity-provider_example_cognito_identity_provider_GettingStarted_066_section.md @@ -44 +44,6 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - # Set up logging + set -euo pipefail + + # Security: Set restrictive umask + umask 0077 + + # Set up logging with secure permissions @@ -45,0 +51,2 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + touch "$LOG_FILE" + chmod 600 "$LOG_FILE" @@ -56,3 +63,3 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if echo "$output" | grep -i "error" > /dev/null; then - echo "ERROR: Command failed: $cmd" - echo "Output: $output" + if echo "$output" | grep -qi "error\|failed"; then + echo "ERROR: Command failed: $cmd" >&2 + echo "Output: $output" >&2 @@ -63,0 +71,12 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + # Function to check AWS CLI return code + check_aws_error() { + local exit_code=$? + local cmd=$1 + + if [ $exit_code -ne 0 ]; then + echo "ERROR: AWS CLI command failed with exit code $exit_code: $cmd" >&2 + cleanup_on_error + exit "$exit_code" + fi + } + @@ -66 +85 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - echo "Error encountered. Attempting to clean up resources..." + echo "Error encountered. Attempting to clean up resources..." >&2 @@ -68,3 +87,5 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if [ -n "$DOMAIN_NAME" ] && [ -n "$USER_POOL_ID" ]; then - echo "Deleting user pool domain: $DOMAIN_NAME" - aws cognito-idp delete-user-pool-domain --user-pool-id "$USER_POOL_ID" --domain "$DOMAIN_NAME" + if [ -n "${DOMAIN_NAME:-}" ] && [ -n "${USER_POOL_ID:-}" ]; then + echo "Deleting user pool domain: $DOMAIN_NAME" >&2 + aws cognito-idp delete-user-pool-domain \ + --user-pool-id "$USER_POOL_ID" \ + --domain "$DOMAIN_NAME" 2>/dev/null || true @@ -73,3 +94,4 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - if [ -n "$USER_POOL_ID" ]; then - echo "Deleting user pool: $USER_POOL_ID" - aws cognito-idp delete-user-pool --user-pool-id "$USER_POOL_ID" + if [ -n "${USER_POOL_ID:-}" ]; then + echo "Deleting user pool: $USER_POOL_ID" >&2 + aws cognito-idp delete-user-pool \ + --user-pool-id "$USER_POOL_ID" 2>/dev/null || true @@ -78,0 +101,26 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + # Set trap for cleanup on exit + trap cleanup_on_error EXIT ERR + + # Validate AWS CLI is installed and configured + if ! command -v aws &> /dev/null; then + echo "ERROR: AWS CLI is not installed" >&2 + exit 1 + fi + + # Validate jq is installed + if ! command -v jq &> /dev/null; then + echo "ERROR: jq is not installed" >&2 + exit 1 + fi + + # Validate openssl is installed + if ! command -v openssl &> /dev/null; then + echo "ERROR: openssl is not installed" >&2 + exit 1 + fi + + if ! aws sts get-caller-identity &> /dev/null; then + echo "ERROR: AWS CLI is not configured or credentials are invalid" >&2 + exit 1 + fi + @@ -86 +134,7 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - # Generate random identifier for resource names + # Validate region format + if ! [[ "$AWS_REGION" =~ ^[a-z]{2}-[a-z]+-[0-9]{1}$ ]]; then + echo "ERROR: Invalid AWS region format: $AWS_REGION" >&2 + exit 1 + fi + + # Generate random identifier for resource names using secure method @@ -87,0 +142,5 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + if [ -z "$RANDOM_ID" ]; then + echo "ERROR: Failed to generate random identifier" >&2 + exit 1 + fi + @@ -91,0 +151,11 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + # Validate resource names don't exceed limits + if [ ${#USER_POOL_NAME} -gt 128 ]; then + echo "ERROR: User pool name exceeds maximum length of 128 characters" >&2 + exit 1 + fi + + if [ ${#APP_CLIENT_NAME} -gt 128 ]; then + echo "ERROR: App client name exceeds maximum length of 128 characters" >&2 + exit 1 + fi + @@ -103 +173 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --policies '{"PasswordPolicy":{"MinimumLength":8,"RequireUppercase":true,"RequireLowercase":true,"RequireNumbers":true,"RequireSymbols":false}}' \ + --policies '{"PasswordPolicy":{"MinimumLength":12,"RequireUppercase":true,"RequireLowercase":true,"RequireNumbers":true,"RequireSymbols":true}}' \ @@ -105,6 +175,10 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --mfa-configuration OFF) - - check_error "$USER_POOL_OUTPUT" "create-user-pool" - - # Extract the User Pool ID - USER_POOL_ID=$(echo "$USER_POOL_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4) + --mfa-configuration OFF \ + --user-attribute-update-settings '{"AttributesRequireVerificationBeforeUpdate":["email"]}' \ + --account-recovery-setting 'RecoveryMechanisms=[{Name=verified_email,Priority=1}]' \ + --deletion-protection INACTIVE \ + --region "$AWS_REGION" \ + 2>&1) + check_aws_error "create-user-pool" + + # Extract the User Pool ID using jq for safety + USER_POOL_ID=$(echo "$USER_POOL_OUTPUT" | jq -r '.UserPool.Id // empty') @@ -112 +186,7 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - echo "Failed to extract User Pool ID" + echo "ERROR: Failed to extract User Pool ID" >&2 + exit 1 + fi + + # Validate User Pool ID format + if ! [[ "$USER_POOL_ID" =~ ^[a-z]{2}-[a-z]+-[0-9]+_[a-zA-Z0-9]+$ ]]; then + echo "ERROR: Invalid User Pool ID format: $USER_POOL_ID" >&2 @@ -117,0 +198,5 @@ There's more on GitHub. Find the complete example and learn how to set up and ru + USER_POOL_ARN=$(echo "$USER_POOL_OUTPUT" | jq -r '.UserPool.Arn // empty') + aws cognito-idp tag-resource \ + --resource-arn "$USER_POOL_ARN" \ + --tags project=doc-smith,tutorial=amazon-cognito-gs + @@ -122 +207 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - # Step 2: Create an App Client + # Step 2: Create an App Client with enhanced security @@ -128,7 +213,17 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --explicit-auth-flows ALLOW_USER_PASSWORD_AUTH ALLOW_REFRESH_TOKEN_AUTH \ - --callback-urls '["https://localhost:3000/callback"]') - - check_error "$APP_CLIENT_OUTPUT" "create-user-pool-client" - - # Extract the Client ID - CLIENT_ID=$(echo "$APP_CLIENT_OUTPUT" | grep -o '"ClientId": "[^"]*' | cut -d'"' -f4) + --explicit-auth-flows ALLOW_REFRESH_TOKEN_AUTH ALLOW_USER_PASSWORD_AUTH \ + --callback-urls '["https://localhost:3000/callback"]' \ + --allowed-o-auth-flows 'code' \ + --allowed-o-auth-scopes 'openid' 'email' 'profile' \ + --allowed-o-auth-flows-user-pool-client \ + --prevent-user-existence-errors ENABLED \ + --enable-token-revocation \ + --access-token-validity 1 \ + --id-token-validity 1 \ + --refresh-token-validity 30 \ + --token-validity-units 'AccessToken=hours,IdToken=hours,RefreshToken=days' \ + --region "$AWS_REGION" \ + 2>&1) + check_aws_error "create-user-pool-client" + + # Extract the Client ID using jq for safety + CLIENT_ID=$(echo "$APP_CLIENT_OUTPUT" | jq -r '.UserPoolClient.ClientId // empty') @@ -136 +231,8 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - echo "Failed to extract Client ID" + echo "ERROR: Failed to extract Client ID" >&2 + cleanup_on_error + exit 1 + fi + + # Validate Client ID format + if ! [[ "$CLIENT_ID" =~ ^[a-z0-9]{26}$ ]]; then + echo "ERROR: Invalid Client ID format: $CLIENT_ID" >&2 @@ -147,3 +249,4 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --domain "$DOMAIN_NAME") - - check_error "$DOMAIN_OUTPUT" "create-user-pool-domain" + --domain "$DOMAIN_NAME" \ + --region "$AWS_REGION" \ + 2>&1) + check_aws_error "create-user-pool-domain" @@ -155,3 +258,4 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --user-pool-id "$USER_POOL_ID") - - check_error "$USER_POOL_DETAILS" "describe-user-pool" + --user-pool-id "$USER_POOL_ID" \ + --region "$AWS_REGION" \ + 2>&1) + check_aws_error "describe-user-pool" @@ -164,3 +268,4 @@ There's more on GitHub. Find the complete example and learn how to set up and ru - --client-id "$CLIENT_ID")