Periodic update - 03/09/20-05:58pm UTC
elysahall committed Mar 9, 2020
1 parent aeefa86 commit 5729d66
Showing 10 changed files with 241 additions and 20 deletions.
13 changes: 10 additions & 3 deletions doc_source/cli-configure-files.md
@@ -1,6 +1,13 @@
# Configuration and Credential File Settings<a name="cli-configure-files"></a>

You can save your frequently used configuration settings and credentials in files that are maintained by the AWS CLI\. The files are divided into sections that can be referenced by name\. These are called "profiles"\. Unless you specify otherwise, the CLI uses the settings found in the profile named `default`\. To use alternate settings, you can create and reference additional profiles\. You can also override an individual setting by either setting one of the supported environment variables, or by using a command line parameter\.
You can save your frequently used configuration settings and credentials in files that are maintained by the AWS CLI\. Credentials are mainly comprised of the following two pieces of information:
+ The IAM user, see [Creating an IAM User in Your AWS Account](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for more information\.
+ The access key attached to the IAM user, see [Managing Access Keys for IAM Users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) for more information\.

**Note**
You need to use the AWS console to create your preferred IAM user for first time AWS CLI configuration setup\. After setup is complete, you can create additional users through the AWS CLI\.

The files are divided into sections that can be referenced by name\. These are called "profiles"\. Unless you specify otherwise, the CLI uses the settings found in the profile named `default`\. To use alternate settings, you can create and reference additional profiles\. You can also override an individual setting by either setting one of the supported environment variables, or by using a command line parameter\.
+ [Where Are Configuration Settings Stored?](#cli-configure-files-where)
+ [Global Settings](#cli-configure-files-global)
+ [S3 Custom Command Settings](#cli-configure-files-s3)
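Review bot: the two new bullets are comma splices ("The IAM user, see [Creating an IAM User in Your AWS Account](...) for more information\."); split each into two sentences, e.g. "The IAM user\. For more information, see [Creating an IAM User in Your AWS Account](...)\." Since the new text now opens by naming the IAM user and its access key as the credentials the CLI saves to a file, a sentence next to these bullets on protecting that file (restrictive file permissions, and preferring short-lived credentials such as the SSO profiles described elsewhere in this commit) would fit the topic better than the console-only note that follows.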
@@ -125,7 +132,7 @@ ca_bundle = dev/apps/ca-certs/cabundle-2019mar05.pem

*cli\_binary\_format*
**This feature is available only with AWS CLI version 2\.**
The following feature is available only if you use AWS CLI version 2\. It isn't available if you run AWS CLI version 1\. For information about how to install the preview of version 2, see [Installing the AWS CLI version 2](install-cliv2.md)\.
The following feature is available only if you use AWS CLI version 2\. It isn't available if you run AWS CLI version 1\. For information on how to install version 2, see [Installing the AWS CLI version 2](install-cliv2.md)\.
Specifies how the AWS CLI version 2 interprets binary input parameters\. It can be one of the following values:
+ **base64** – This is the default value\. An input parameter that is typed as a binary large object \(BLOB\) accepts a base64\-encoded string\. To pass true binary content, put the content in a file and provide the file's path and name with the `fileb://` prefix as the parameter's value\. To pass base64\-encoded text contained in a file, provide the file's path and name with the `file://` prefix as the parameter's value\.
+ **raw\-in\-base64\-out** – Provides backward compatibility with the AWS CLI version 1 behavior where binary values must be passed literally\.
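Review bot: the only change in this hunk is dropping "the preview of" from the version 2 install sentence, and the identical edit is repeated for cli_pager below and in cli-configure-sso.md, cli-usage-output.md (twice) and cli-usage-parameters-prompting.md; six hand-maintained copies of one notice is how the stale "preview" wording survived until now, so consider a shared snippet for it. Also, the bold line "This feature is available only with AWS CLI version 2\." immediately followed by "The following feature is available only if you use AWS CLI version 2\." says the same thing twice; one of them can go.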
@@ -151,7 +158,7 @@ cli_follow_urlparam = false

*cli\_pager*
**This feature is available only with AWS CLI version 2\.**
The following feature is available only if you use AWS CLI version 2\. It isn't available if you run AWS CLI version 1\. For information about how to install the preview of version 2, see [Installing the AWS CLI version 2](install-cliv2.md)\.
The following feature is available only if you use AWS CLI version 2\. It isn't available if you run AWS CLI version 1\. For information on how to install version 2, see [Installing the AWS CLI version 2](install-cliv2.md)\.
Specifies the pager program used for output\. By default, AWS CLI version 2 returns all output through your operating system’s default pager program\.
Can be overridden by the AWS\_PAGER environment variable\.

2 changes: 1 addition & 1 deletion doc_source/cli-configure-sso.md
@@ -1,7 +1,7 @@
# Configuring the AWS CLI to use AWS Single Sign\-On<a name="cli-configure-sso"></a>

**This feature is available only with AWS CLI version 2\.**
The following feature is available only if you use AWS CLI version 2\. It isn't available if you run AWS CLI version 1\. For information about how to install the preview of version 2, see [Installing the AWS CLI version 2](install-cliv2.md)\.
The following feature is available only if you use AWS CLI version 2\. It isn't available if you run AWS CLI version 1\. For information on how to install version 2, see [Installing the AWS CLI version 2](install-cliv2.md)\.

If your organization uses AWS Single Sign\-On \(AWS SSO\), your users can sign in to Active Directory, a built\-in AWS SSO directory, or [another iDP connected to AWS SSO](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source-idp.html) and get mapped to an AWS Identity and Access Management \(IAM\) role that enables you to run AWS CLI commands\. Regardless of which iDP you use, AWS SSO abstracts those distinctions away, and they all work with the AWS CLI as described below\. For example, you can connect Microsoft Azure AD as described in the blog article [The Next Evolution in AWS Single Sign\-On](http://aws.amazon.com/blogs/aws/the-next-evolution-in-aws-single-sign-on/)

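Review bot: the context line below the edited notice spells the identity-provider abbreviation as "iDP" twice; the conventional form is "IdP". The blog link in the same line uses http:// rather than https://; for a topic about a sign-in flow, link over HTTPS.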
126 changes: 126 additions & 0 deletions doc_source/cli-security-enforcing-tls.md
@@ -0,0 +1,126 @@
# Enforcing a TLS 1\.2 Minimum<a name="cli-security-enforcing-tls"></a>

To add increased security when communicating with AWS services, you should configure your AWS Command Line Interface to use TLS 1\.2 or later\. When you use the the AWS CLI, Python is used to set the TLS version\.

Based on your AWS CLI version, the steps you perform to enforce a TLS minimum of 1\.2 varies\.

**Topics**
+ [Configuring the AWS CLI version 1 to Enforce a TLS 1\.2 Minimum](#enforcing-tls-v1)
+ [Configuring the AWS CLI version 2 to Enforce a TLS 1\.2 Minimum](#enforcing-tls-v2)

## Configuring the AWS CLI version 1 to Enforce a TLS 1\.2 Minimum<a name="enforcing-tls-v1"></a>

In order to ensure the AWS CLI version 1 uses no lower than TLS 1\.2, you may need to recompile OpenSSL to enforce this minimum and then recompile Python to use the newly built OpenSSL\.

### Determine Your Currently Supported Protocols<a name="enforcing-tls-supported"></a>

First create a self\-signed certificate to use for the test server and the SDK using OpenSSL:

```
$ openssl req -subj '/CN=localhost' -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.pem -days 365
```

Then spin up a test server using OpenSSL:

```
$ openssl s_server -key key.pem -cert cert.pem -www
```

In a new terminal screen, create a virtual environment and install the SDK:

```
$ python3 -m venv test-env
source test-env/bin/activate
pip install botocore
```

Create a new Python script called check\.py that uses the SDK’s underlying HTTP library:

```
$ import urllib3
URL = 'https://localhost:4433/'

http = urllib3.PoolManager(
ca_certs='cert.pem',
cert_reqs='CERT_REQUIRED',
)
r = http.request('GET', URL)
print(r.data.decode('utf-8'))
```

Run your new script:

```
$ python check.py
```

This displays details about the connection made\. Search for "Protocol : " in the output\. If the output is "TLSv1\.2" or higher, the SDK defaults to TLS v1\.2 and higher\. If it is lower, you need to recompile OpenSSL and recompile Python\.

However, even if your installation of Python defaults to TLS v1\.2 or higher, it is still possible for Python to renegotiate to a version lower than TLS v1\.2 if the server does not support TLS v1\.2\+\. To check that Python does not automatically renegotiate to lower versions, restart the test server with the following:

```
$ openssl s_server -key key.pem -cert cert.pem -no_tls1_3 -no_tls1_2 -www
```

Note if you are using an older version of OpenSSL, you may not have the `-no_tls_3` flag available\. If this is the case, remove the flag because the version of OpenSSL you are using does not support TLS v1\.3\. Then rerun the Python script:

```
$ python check.py
```

If your installation of Python correctly does not renegotiate for versions lower than TLS 1\.2, you should receive an SSL error:

```
$ urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='localhost', port=4433): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:1108)')))
```

If you are able to make a connection, then you need to recompile OpenSSL and Python to disable negotiation of protocols lower than TLS v1\.2\.

### Compile OpenSSL and Python<a name="enforcing-tls-compile"></a>

In order to ensure the SDK or CLI does not negotiate for anything lower than TLS 1\.2, you need to recompile OpenSSL and Python\. First copy the content below to create a script and run it:

```
#!/usr/bin/env bash
set -e

OPENSSL_VERSION="1.1.1d"
OPENSSL_PREFIX="/opt/openssl-with-min-tls1_2"
PYTHON_VERSION="3.8.1"
PYTHON_PREFIX="/opt/python-with-min-tls1_2"


curl -O "https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"
tar -xzf "openssl-$OPENSSL_VERSION.tar.gz"
cd openssl-$OPENSSL_VERSION
./config --prefix=$OPENSSL_PREFIX no-ssl3 no-tls1 no-tls1_1 no-shared
make > /dev/null
sudo make install_sw > /dev/null


cd /tmp
curl -O "https://www.python.org/ftp/python/$PYTHON_VERSION/Python-$PYTHON_VERSION.tgz"
tar -xzf "Python-$PYTHON_VERSION.tgz"
cd Python-$PYTHON_VERSION
./configure --prefix=$PYTHON_PREFIX --with-openssl=$OPENSSL_PREFIX --disable-shared > /dev/null
make > /dev/null
sudo make install > /dev/null
```

This compiles a version of Python that has a statically linked OpenSSL that does not automatically negotiate anything below TLS 1\.2\. This also installs OpenSSL in the `/opt/openssl-with-min-tls1_2` directory and install Python in the `/opt/python-with-min-tls1_2` directory\. Once you run this script, confirm installation of the new version of Python:

```
$ /opt/python-with-min-tls1_2/bin/python3 --version
```

This should print out:

```
$ Python 3.8.1
```

To confirm this new version of Python does not negotiate lower than TLS 1\.2, rerun the steps from “Determine protocols supported” using the newly installed Python version \(i\.e\. /opt/python\-with\-min\-tls1\_2/bin/python3\)\.

## Configuring the AWS CLI version 2 to Enforce a TLS 1\.2 Minimum<a name="enforcing-tls-v2"></a>

AWS CLI version 2 uses an internal Python script that is compiled to use a minimum of TLS 1\.2 when the service it's talking to supports it\. No further steps are needed to enforce this minimum\.
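Review bot: the build script under "Compile OpenSSL and Python" fetches both tarballs with `curl -O` and unpacks and builds them with no integrity check; for a page whose purpose is hardening the TLS stack, verify each archive against its published SHA-256 or PGP signature before `tar -xzf`, and say that the pinned 1.1.1d / 3.8.1 should be replaced with the current patch releases rather than copied as-is. The script also only runs `cd /tmp` after the OpenSSL build, so the OpenSSL source tree and tarball land in whatever directory the user happens to run it from; move `cd /tmp` to the top. Smaller points in the same file: "When you use the the AWS CLI" has a doubled "the"; "the steps you perform ... varies" should be "vary"; the check.py listing and the two output listings carry a shell prompt (`$ import urllib3`, `$ urllib3.exceptions.MaxRetryError...`, `$ Python 3.8.1`) although they are file content and program output, while the venv listing has `$` on only the first of its three commands; the note for older OpenSSL refers to a `-no_tls_3` flag but the command uses `-no_tls1_3`; "renegotiate to a version lower" describes the initial handshake, so "negotiate" is the accurate term; the cross-reference "Determine protocols supported" does not match the heading "Determine Your Currently Supported Protocols", and rerunning those steps with the new interpreter means recreating the venv with `/opt/python-with-min-tls1_2/bin/python3 -m venv`, which is worth spelling out; "and install Python in" should be "installs"; and the closing version 2 paragraph says the minimum is enforced "when the service it's talking to supports it", which contradicts "minimum": state what happens when the service does not offer TLS 1.2 (by the logic of the version 1 test above, the connection should fail rather than fall back).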
4 changes: 2 additions & 2 deletions doc_source/cli-usage-output.md
@@ -83,7 +83,7 @@ $ aws iam list-users --output json
## YAML Output Format<a name="yaml-output"></a>

**This feature is available only with AWS CLI version 2\.**
The following feature is available only if you use AWS CLI version 2\. It isn't available if you run AWS CLI version 1\. For information about how to install the preview of version 2, see [Installing the AWS CLI version 2](install-cliv2.md)\.
The following feature is available only if you use AWS CLI version 2\. It isn't available if you run AWS CLI version 1\. For information on how to install version 2, see [Installing the AWS CLI version 2](install-cliv2.md)\.

[YAML](https://yaml.org) is a good choice for handling the output programmatically with services and tools that emit or consume [YAML](https://yaml.org)\-formatted strings, such as AWS CloudFormation with its support for [YAML\-formatted templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-formats.html)\.

@@ -586,7 +586,7 @@ For more examples and the full spec of JMESPath, the underlying JSON\-processing
## How to Set the Output’s Default Pager Program<a name="cli-usage-output-pager"></a>

**This feature is available only with AWS CLI version 2\.**
The following feature is available only if you use AWS CLI version 2\. It isn't available if you run AWS CLI version 1\. For information about how to install the preview of version 2, see [Installing the AWS CLI version 2](install-cliv2.md)\.
The following feature is available only if you use AWS CLI version 2\. It isn't available if you run AWS CLI version 1\. For information on how to install version 2, see [Installing the AWS CLI version 2](install-cliv2.md)\.

AWS CLI version 2 provides the use of a client\-side pager program for output\. By default, this feature returns all output through your operating system’s default pager program\. Client\-side pagination occurs after any server\-side pagination you specify, see [Pagination](cli-usage-pagination.md)\.

2 changes: 1 addition & 1 deletion doc_source/cli-usage-parameters-prompting.md
@@ -1,7 +1,7 @@
# Having the AWS CLI Prompt You for Parameters<a name="cli-usage-parameters-prompting"></a>

**This feature is available only with AWS CLI version 2\.**
The following feature is available only if you use AWS CLI version 2\. It isn't available if you run AWS CLI version 1\. For information about how to install the preview of version 2, see [Installing the AWS CLI version 2](install-cliv2.md)\.
The following feature is available only if you use AWS CLI version 2\. It isn't available if you run AWS CLI version 1\. For information on how to install version 2, see [Installing the AWS CLI version 2](install-cliv2.md)\.

You can have the AWS CLI version 2 prompt you for parameters when you run a command\. On your command line, include `--cli-auto-prompt`\.

4 changes: 2 additions & 2 deletions doc_source/document-history.md
@@ -10,8 +10,8 @@ The following table describes important additions to the *AWS Command Line Inter
| [Updated to remove support for Python 2\.6 and 3\.3 from AWS CLI version 1](https://docs.aws.amazon.com/cli/latest/userguide/deprecate-old-python-versions.html) | As of January 10th, 2020, AWS CLI version 1 no longer supports using Python versions 2\.6 or 3\.3\. You must update to a newer version of Python to use AWS CLI version 1\.17 or later\. | January 10, 2020 |
| [Developer preview release for AWS CLI version 2](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) | Announcing preview release of AWS CLI version 2\. Added instructions about installing version 2\. Add Migration topic to discuss differences between versions 1 and 2\. | November 7, 2019 |
| [Added support for AWS Single Sign\-On to AWS CLI named profiles](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html) | AWS CLI version 2 adds support for creating a named profile that can directly login to an AWS SSO user account and get AWS temporary credentials for use in subsequent AWS CLI commands\. | November 7, 2019 |
| [Added support for AWS Single Sign\-On to AWS CLI named profiles](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html) | AWS CLI version 2 adds support for creating a named profile that can directly login to an AWS SSO user account and get AWS temporary credentials for use in subsequent AWS CLI commands\. | November 7, 2019 |
| [New MFA section](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html#cli-configure-role-mfa) | Added a new section describing how to access the CLI using multi\-factor authentication and roles\. | May 3, 2019 |
| [Update to "Using the CLI" section](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-using.html) | Major improvements and additions to the usage instructions and procedures\. | March 7, 2019 |
| [Update to "Installing the CLI" section](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html) | Major improvements and additions to the CLI installation instructions and procedures\. | March 7, 2019 |
| [Update to "Configuring the CLI" section](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) | Major improvements and additions to the CLI configuration instructions and procedures\. | March 7, 2019 |
| [Update to "Configuring the CLI" section](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) | Major improvements and additions to the CLI configuration instructions and procedures\. | March 7, 2019 |
| [Added information regarding client\-side pagers for AWS CLI version 2](https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-pagination.html) | By default, AWS CLI version 2 uses the pager program `less` for all client\-side output\. | February 19, 20120 |
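Review bot: the last row's date reads "February 19, 20120"; it is a context line rather than a changed one, but since this hunk touches the table, fix it to 2020 and check its position, because the table runs newest first and a February 2020 row then belongs above the January 10, 2020 row. The two replaced rows (AWS Single Sign-On and "Configuring the CLI") render identically before and after, so the change is presumably whitespace or an escape character and deserves a word in the commit message. The new topic Enforcing a TLS 1.2 Minimum, added in this same commit, has no row here.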
1 change: 1 addition & 0 deletions doc_source/index.md
@@ -76,6 +76,7 @@ Amazon's trademarks and trade dress may not be used in
+ [Data Protection in the AWS CLI](data-protection.md)
+ [Identity and Access Management for the AWS CLI](cli-security-iam.md)
+ [Compliance Validation for the AWS CLI](cli-security-compliance-validation.md)
+ [Enforcing a TLS 1.2 Minimum](cli-security-enforcing-tls.md)
+ [Troubleshooting AWS CLI Errors](cli-chap-troubleshooting.md)
+ [Breaking Changes – Migrating from AWS CLI version 1 to version 2](cliv2-migration.md)
+ [AWS CLI User Guide Document History](document-history.md)