security and consistency updates

mwunderl · mwunderl · commit 23732d844b43 · 2026-04-13T20:47:18.000Z
diff --git a/tuts/001-lightsail-gs/lightsail-gs.sh b/tuts/001-lightsail-gs/lightsail-gs.sh
@@ -3,10 +3,6 @@
 # Amazon Lightsail Getting Started CLI Script
 # This script demonstrates how to create and manage Lightsail resources using the AWS CLI
 
-# FIXES APPLIED:
-# 1. Added polling mechanism to check disk state before attaching
-# 2. Added polling mechanism to check snapshot state before proceeding with cleanup
-# 3. Set AWS_REGION variable to us-west-2 for consistent region usage
 
 # Set AWS region
 export AWS_REGION="us-west-2"
diff --git a/tuts/011-getting-started-batch-fargate/getting-started-batch-fargate.sh b/tuts/011-getting-started-batch-fargate/getting-started-batch-fargate.sh
@@ -3,9 +3,6 @@
 # AWS Batch Fargate Getting Started Script - Fixed Version
 # This script demonstrates creating AWS Batch resources with Fargate orchestration
 #
-# HIGH SEVERITY FIXES APPLIED:
-# 1. Added IAM role propagation delay after role creation
-# 2. Added resource state validation before deletion attempts
 
 set -e  # Exit on any error
 
diff --git a/tuts/018-ecs-ec2/ecs-ec2-getting-started.sh b/tuts/018-ecs-ec2/ecs-ec2-getting-started.sh
@@ -5,10 +5,6 @@
 # registering a task definition, and creating a service using the EC2 launch type.
 # Updated to match the tutorial draft with nginx web server and service creation.
 #
-# FIXES APPLIED:
-# - HIGH SEVERITY: Improved cleanup error handling with proper logging and retry logic
-# - MEDIUM SEVERITY: Dynamic region detection for CloudWatch logs
-# - LOW SEVERITY: Enhanced IAM role creation timing
 # - UPDATED: Changed from sleep task to nginx web server with service
 
 set -e  # Exit on any error
diff --git a/tuts/025-documentdb-gs/documentdb-gs.md b/tuts/025-documentdb-gs/documentdb-gs.md
diff --git a/tuts/037-emr-gs/emr-gs.sh b/tuts/037-emr-gs/emr-gs.sh
@@ -3,8 +3,6 @@
 # EMR Getting Started Tutorial Script
 # This script automates the steps in the Amazon EMR Getting Started tutorial
 
-# FIXED HIGH SEVERITY ISSUES:
-# 1. Added check for jq availability before attempting to use it for JSON parsing
 
 # Set up logging
 LOG_FILE="emr-tutorial.log"
diff --git a/tuts/043-amazon-mq-gs/amazon-mq-gs.sh b/tuts/043-amazon-mq-gs/amazon-mq-gs.sh
@@ -3,7 +3,6 @@
 # Amazon MQ Getting Started Script
 # This script creates an Amazon MQ broker and demonstrates connecting to it with a Java application
 
-# FIXES APPLIED:
 # - Added checks for Java and Maven installations before creating the Java application
 # - Generate secure password and store in AWS Secrets Manager instead of hardcoding
 
diff --git a/tuts/059-amazon-datazone-gs/amazon-datazone-gs.sh b/tuts/059-amazon-datazone-gs/amazon-datazone-gs.sh
@@ -3,9 +3,6 @@
 # Amazon DataZone Getting Started Script
 # This script automates the steps in the Amazon DataZone Getting Started tutorial
 
-# FIXES FOR HIGH SEVERITY ISSUES:
-# 1. Enhanced IAM role permissions for DataZone domain execution
-# 2. Improved asset type availability verification before asset creation
 
 # Setup logging
 LOG_FILE="datazone_script_v3_fixed.log"
diff --git a/tuts/069-aws-fault-injection-service-gs/aws-fault-injection-service-getting-started.sh b/tuts/069-aws-fault-injection-service-gs/aws-fault-injection-service-getting-started.sh
@@ -3,8 +3,6 @@
 # AWS FIS CPU Stress Test Tutorial Script
 # This script automates the steps in the AWS FIS CPU stress test tutorial
 
-# FIXED HIGH SEVERITY ISSUES:
-# 1. Date command compatibility issue - Replaced multiple date command attempts with a more robust
 #    approach using epoch time calculations that work across all Linux distributions
 
 # Set up logging
diff --git a/tuts/074-amazon-textract-gs/amazon-textract-getting-started.sh b/tuts/074-amazon-textract-gs/amazon-textract-getting-started.sh
@@ -3,10 +3,6 @@
 # Amazon Textract Getting Started Tutorial Script
 # This script demonstrates how to use Amazon Textract to analyze document text
 
-# FIXES APPLIED:
-# 1. Added proper exit code checking for AWS CLI commands
-# 2. Included temporary JSON files in cleanup_on_error function
-# 3. Added validation for AWS region configuration and Textract service availability
 
 # Set up logging
 LOG_FILE="textract-tutorial.log"
diff --git a/tuts/075-aws-database-migration-service-gs/aws-database-migration-service-gs.sh b/tuts/075-aws-database-migration-service-gs/aws-database-migration-service-gs.sh
@@ -4,18 +4,6 @@
 # This script automates the steps in the AWS DMS Getting Started tutorial
 # https://docs.aws.amazon.com/dms/latest/userguide/CHAP_GettingStarted.html
 
-# FIXES FOR HIGH SEVERITY ISSUES:
-# 1. Added creation of a custom DB subnet group for RDS instances instead of using the default one
-# 2. Modified the EC2 connection instructions to avoid displaying the password in plain text
-# 3. Updated MariaDB version from 10.6.14 to 10.6.22 (latest available in 10.6 series)
-# 4. Made data population and migration steps optional to allow infrastructure-only setup
-# 5. Added VPC limit checking with option to use existing VPC when limit is reached
-# 6. Moved optional step prompts to be contextual (just before each optional step)
-# 7. Fixed password generation to exclude RDS-invalid characters (/, @, ", space)
-# 8. Fixed PostgreSQL version from 16.1 to 16.9 (available version)
-# 9. Improved VPC and subnet selection with numbered menus
-# 10. Added EC2 instance type validation and automatic selection based on AZ availability
-# 11. Changed default instance type from t2.xlarge to smaller, more available types
 
 # Set up logging
 LOG_FILE="dms_tutorial_$(date +%Y%m%d_%H%M%S).log"
diff --git a/tuts/079-aws-iot-device-defender-gs/aws-iot-device-defender-gs.md b/tuts/079-aws-iot-device-defender-gs/aws-iot-device-defender-gs.md
@@ -143,10 +143,19 @@ aws iam put-role-policy \
           "iot:SetV2LoggingOptions",
           "iot:SetLoggingOptions",
           "iot:AddThingToThingGroup",
-          "iot:PublishToTopic",
-          "iam:PassRole"
+          "iot:PublishToTopic"
         ],
         "Resource": "*"
+      },
+      {
+        "Effect": "Allow",
+        "Action": "iam:PassRole",
+        "Resource": "*",
+        "Condition": {
+          "StringEquals": {
+            "iam:PassedToService": "iot.amazonaws.com"
+          }
+        }
       }
     ]
   }'
diff --git a/tuts/079-aws-iot-device-defender-gs/aws-iot-device-defender-gs.sh b/tuts/079-aws-iot-device-defender-gs/aws-iot-device-defender-gs.sh
@@ -90,10 +90,19 @@ create_iam_role() {
                             "iot:SetV2LoggingOptions",
                             "iot:SetLoggingOptions",
                             "iot:AddThingToThingGroup",
-                            "iot:PublishToTopic",
-                            "iam:PassRole"
+                            "iot:PublishToTopic"
                         ],
                         "Resource": "*"
+                    },
+                    {
+                        "Effect": "Allow",
+                        "Action": "iam:PassRole",
+                        "Resource": "*",
+                        "Condition": {
+                            "StringEquals": {
+                                "iam:PassedToService": "iot.amazonaws.com"
+                            }
+                        }
                     }
                 ]
             }'
@@ -331,7 +340,7 @@ if [ "$HAS_FINDINGS" = true ]; then
     
     # Use a more reliable date format for the API call
     START_TIME=$(date -u -d 'today' '+%Y-%m-%dT%H:%M:%S.000Z')
-    END_TIME=$(date -u -d 'tomorrow' '+%Y-%m-%dT%H:%M:%S.000Z')
+    END_TIME=$(date -u '+%Y-%m-%dT%H:%M:%S.000Z')
     
     MITIGATION_TASKS=$(aws iot list-audit-mitigation-actions-tasks \
       --start-time "$START_TIME" \
@@ -484,6 +493,12 @@ if [[ $CLEANUP_CHOICE =~ ^[Yy]$ ]]; then
     echo "Deleting mitigation action..."
     aws iot delete-mitigation-action --action-name "EnableErrorLoggingAction"
     
+    # Reset audit configuration
+    echo "Resetting IoT Device Defender audit configuration..."
+    aws iot update-account-audit-configuration \
+      --audit-check-configurations '{"LOGGING_DISABLED_CHECK":{"enabled":false}}' 2>&1 | grep -qi "error" && echo "Warning: Failed to disable audit check"
+    aws iot delete-account-audit-configuration --delete-scheduled-audits 2>&1 | grep -qi "error" && echo "Warning: Failed to delete audit configuration"
+    
     # Delete SNS topic
     echo "Deleting SNS topic..."
     aws sns delete-topic --topic-arn "$TOPIC_ARN"
diff --git a/tuts/085-amazon-ecs-service-connect/amazon-ecs-service-connect.sh b/tuts/085-amazon-ecs-service-connect/amazon-ecs-service-connect.sh
@@ -9,7 +9,12 @@ set -e  # Exit on any error
 # Configuration
 SCRIPT_NAME="ECS Service Connect Tutorial"
 LOG_FILE="ecs-service-connect-tutorial-v4-default-vpc.log"
-REGION=$(aws configure get region)
+REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null)}}
+if [ -z "$REGION" ]; then
+    echo "ERROR: No AWS region configured."
+    echo "Set one with: aws configure set region us-east-1"
+    exit 1
+fi
 ENV_PREFIX="tutorial"
 CLUSTER_NAME="${ENV_PREFIX}-cluster"
 NAMESPACE_NAME="service-connect"
@@ -208,8 +213,23 @@ create_iam_roles() {
     if aws iam get-role --role-name ecsTaskExecutionRole >/dev/null 2>&1; then
         log "IAM role ecsTaskExecutionRole exists"
     else
-        log "ERROR: ecsTaskExecutionRole does not exist. Please create it first."
-        exit 1
+        log "Creating ecsTaskExecutionRole..."
+        aws iam create-role \
+            --role-name ecsTaskExecutionRole \
+            --assume-role-policy-document '{
+                "Version": "2012-10-17",
+                "Statement": [{
+                    "Effect": "Allow",
+                    "Principal": {"Service": "ecs-tasks.amazonaws.com"},
+                    "Action": "sts:AssumeRole"
+                }]
+            }' >/dev/null 2>&1
+        aws iam attach-role-policy \
+            --role-name ecsTaskExecutionRole \
+            --policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy >/dev/null 2>&1
+        track_resource "ROLE:ecsTaskExecutionRole"
+        log "Created ecsTaskExecutionRole"
+        sleep 10
     fi
     
     # Check if ecsTaskRole exists, create if not
@@ -263,7 +283,7 @@ create_task_definition() {
     "containerDefinitions": [
         {
             "name": "nginx",
-            "image": "nginx:latest",
+            "image": "public.ecr.aws/docker/library/nginx:latest",
             "portMappings": [
                 {
                     "containerPort": 80,
@@ -447,33 +467,38 @@ cleanup_resources() {
         
         case "$resource_type" in
             "SERVICE")
-                # Scale service to 0 first
-                aws ecs update-service --cluster "$CLUSTER_NAME" --service "$resource_id" --desired-count 0 >/dev/null 2>&1 || true
-                # Wait for service to scale down
+                aws ecs update-service --cluster "$CLUSTER_NAME" --service "$resource_id" --desired-count 0 2>&1 | grep -qi "error" && log "Warning: Failed to scale down service $resource_id"
                 aws ecs wait services-stable --cluster "$CLUSTER_NAME" --services "$resource_id" 2>/dev/null || true
-                # Delete service
-                aws ecs delete-service --cluster "$CLUSTER_NAME" --service "$resource_id" >/dev/null 2>&1 || true
+                aws ecs delete-service --cluster "$CLUSTER_NAME" --service "$resource_id" --force 2>&1 | grep -qi "error" && log "Warning: Failed to delete service $resource_id"
                 ;;
             "TASK_DEF")
-                # Deregister all revisions of the task definition
-                TASK_DEF_ARNS=$(aws ecs list-task-definitions --family-prefix "$resource_id" --query 'taskDefinitionArns' --output text)
+                TASK_DEF_ARNS=$(aws ecs list-task-definitions --family-prefix "$resource_id" --query 'taskDefinitionArns' --output text 2>/dev/null)
                 for arn in $TASK_DEF_ARNS; do
                     aws ecs deregister-task-definition --task-definition "$arn" >/dev/null 2>&1 || true
                 done
                 ;;
+            "ROLE")
+                aws iam detach-role-policy --role-name "$resource_id" --policy-arn "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" 2>/dev/null || true
+                aws iam delete-role --role-name "$resource_id" 2>&1 | grep -qi "error" && log "Warning: Failed to delete role $resource_id"
+                ;;
             "IAM_ROLE")
-                # Detach policies and delete role
-                aws iam detach-role-policy --role-name "$resource_id" --policy-arn "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" >/dev/null 2>&1 || true
-                aws iam delete-role --role-name "$resource_id" >/dev/null 2>&1 || true
+                aws iam detach-role-policy --role-name "$resource_id" --policy-arn "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" 2>/dev/null || true
+                aws iam delete-role --role-name "$resource_id" 2>&1 | grep -qi "error" && log "Warning: Failed to delete role $resource_id"
                 ;;
             "CLUSTER")
-                aws ecs delete-cluster --cluster "$resource_id" >/dev/null 2>&1 || true
+                aws ecs delete-cluster --cluster "$resource_id" 2>&1 | grep -qi "error" && log "Warning: Failed to delete cluster $resource_id"
                 ;;
             "SG")
-                aws ec2 delete-security-group --group-id "$resource_id" >/dev/null 2>&1 || true
+                for attempt in 1 2 3 4 5; do
+                    if aws ec2 delete-security-group --group-id "$resource_id" 2>/dev/null; then
+                        break
+                    fi
+                    log "Security group $resource_id still has dependencies, retrying in 30s ($attempt/5)..."
+                    sleep 30
+                done
                 ;;
             "LOG_GROUP")
-                aws logs delete-log-group --log-group-name "$resource_id" >/dev/null 2>&1 || true
+                aws logs delete-log-group --log-group-name "$resource_id" 2>&1 | grep -qi "error" && log "Warning: Failed to delete log group $resource_id"
                 ;;
             "NAMESPACE")
                 # First, delete any services in the namespace

Original file line number	Diff line number	Diff line change
`@@ -3,9 +3,6 @@`
`3`	`3`	`# AWS Batch Fargate Getting Started Script - Fixed Version`
`4`	`4`	`# This script demonstrates creating AWS Batch resources with Fargate orchestration`
`5`	`5`	`#`
`6`		`-# HIGH SEVERITY FIXES APPLIED:`
`7`		`-# 1. Added IAM role propagation delay after role creation`
`8`		`-# 2. Added resource state validation before deletion attempts`
`9`	`6`
`10`	`7`	`set -e # Exit on any error`
`11`	`8`