If a command such as mysql command remains in the shell in the code of lambda, the authentication information remains in the log.

If you type a command that leaves authentication information, such as the mysql command, in the shell in the lambda code, the authentication information will remain in the log.
What should I do to avoid leaving authentication information in the log?
Here is an example code:

 def lambda_handler(event, context):
    try:
        # all running EC2 instances
        ec2_resp=ec2.describe_instances(Filters=[{'Name':'instance-state-name', 'Values':['running']}])

        ec2_count=len(ec2_resp['Reservations'])
        ifec2_count == 0:
            logger.info ('No EC2 is running')

        # Get All InstanceID
        instances=[i["InstanceId"] for linec2_resp["Reservations"] for ir["Instances"]]
        US>ssm.send_command(
            InstanceIds=instances,
            DocumentName="AWS-RunShellScript",
            Parameters = {
                "commands": [
                    "mysql-u {username} --password={password}-e'DROP DATABASE db2';
                ],
                "executionTimeout": ["3600"]
            },
        )

    except Exception as:
        logger.error(e)
        raise

aws aws-lambda shell aws-ssm

2022-11-03 08:50

1 Answers

Not only Lambda, but also SSM RunCommand will have logs, and it may be in EC2.In other words, it is a problem when you include a password string in the command line as shellscript regardless of whether it is python or lambda.

Mysql himself describes it as an End User Guidelines for Password Security.

command line.
...
This is useful but not secure.

Another option is

Use the mysql_config_editor utility.This can store credentials in an encrypted login file named .mylogin.cnf.
command line.In this case, the client program interactively requests a password.
→ I can't use it this time because it's not interactive.
Stores the password in an optional file. For example, Unix, you can list the passwords in the client section of the .my.cnf file in your home directory.
Save the password to the MYSQL_PWD environment variable.
Specifying a MySQL password in this way is very dangerous and should not be used.

There seems to be , but considering security, the only option seems to be to save the file in EC2.

Alternatively, the password is currently

Lambda→SSM RunCommand→mysql

The reason is that it crosses functions with , so for example, you can save the password in SSM Parameters and retrieve it from EC2 with awscli without going through Lambda and SSM RunCommand.

mysql-u {username} --password=$(awssm get-parameter --name parameter name --with-decryption --query Parameter.Value --output text) -e'DROP DATABASE db2'

MySQL does not solve the problem of leaving passwords on command lines, but it does not remain in various AWS logs as you may have asked.

2022-11-03 08:50

If you have any answers or tips

Popular Tags

python x 4647

android x 1593

java x 1494

javascript x 1427

c x 927

c++ x 878

ruby-on-rails x 696

php x 692

python3 x 685

html x 656