If a command such as mysql command remains in the shell in the code of lambda, the authentication information remains in the log.

Asked 1 years ago, Updated 1 years ago, 368 views

If you type a command that leaves authentication information, such as the mysql command, in the shell in the lambda code, the authentication information will remain in the log.
What should I do to avoid leaving authentication information in the log?
Here is an example code:

 def lambda_handler(event, context):
    try:
        # all running EC2 instances
        ec2_resp=ec2.describe_instances(Filters=[{'Name':'instance-state-name', 'Values':['running']}])

        ec2_count=len(ec2_resp['Reservations'])
        ifec2_count == 0:
            logger.info ('No EC2 is running')

        # Get All InstanceID
        instances=[i["InstanceId"] for linec2_resp["Reservations"] for ir["Instances"]]
        US>ssm.send_command(
            InstanceIds=instances,
            DocumentName="AWS-RunShellScript",
            Parameters = {
                "commands": [
                    "mysql-u {username} --password={password}-e'DROP DATABASE db2';
                ],
                "executionTimeout": ["3600"]
            },
        )

    except Exception as:
        logger.error(e)
        raise

aws aws-lambda shell aws-ssm

2022-11-03 08:50

1 Answers

Not only Lambda, but also SSM RunCommand will have logs, and it may be in EC2.In other words, it is a problem when you include a password string in the command line as shellscript regardless of whether it is python or lambda.

Mysql himself describes it as an End User Guidelines for Password Security.

    Use the -pour_pass or --password=your_pass option on the
  • command line.
    ...
    This is useful but not secure.

Another option is

  • Use the mysql_config_editor utility.This can store credentials in an encrypted login file named .mylogin.cnf.
    • Use the -p or --password option without specifying a password value on the
  • command line.In this case, the client program interactively requests a password.
    → I can't use it this time because it's not interactive.
  • Stores the password in an optional file. For example, Unix, you can list the passwords in the client section of the .my.cnf file in your home directory.
  • Save the password to the MYSQL_PWD environment variable.
    Specifying a MySQL password in this way is very dangerous and should not be used.

There seems to be , but considering security, the only option seems to be to save the file in EC2.

Alternatively, the password is currently

Lambda→SSM RunCommand→mysql

The reason is that it crosses functions with , so for example, you can save the password in SSM Parameters and retrieve it from EC2 with awscli without going through Lambda and SSM RunCommand.

mysql-u {username} --password=$(awssm get-parameter --name parameter name --with-decryption --query Parameter.Value --output text) -e'DROP DATABASE db2'

MySQL does not solve the problem of leaving passwords on command lines, but it does not remain in various AWS logs as you may have asked.

2022-11-03 08:50

If you have any answers or tips

Popular Tags
python x 4647
android x 1593
java x 1494
javascript x 1427
c x 927
c++ x 878
ruby-on-rails x 696
php x 692
python3 x 685
html x 656
Popular Questions

495 No exact matches in call to instance method 'append'

520 Scrap text information after the "View More" button when searching in the Yahoo! News search window

493 The method of the class of the application that I am creating in Typescript does not work as I expected.

928 In Java servlet, when SHA-256 sends WW-Authenticate header for digest authentication, the client does not return the result.

515 PHP ssh2_scp_send fails to send files as intended

© 2024 OneMinuteCode. All rights reserved.