From 5729d66b4e19f2da9b809d85249913527ed88a89 Mon Sep 17 00:00:00 2001 From: Elysa Hall Date: Mon, 9 Mar 2020 19:34:11 +0000 Subject: [PATCH] Periodic update - 03/09/20-05:58pm UTC --- doc_source/cli-configure-files.md | 13 +- doc_source/cli-configure-sso.md | 2 +- doc_source/cli-security-enforcing-tls.md | 126 +++++++++++++++++++ doc_source/cli-usage-output.md | 4 +- doc_source/cli-usage-parameters-prompting.md | 2 +- doc_source/document-history.md | 4 +- doc_source/index.md | 1 + doc_source/install-cliv2-mac.md | 97 ++++++++++++-- doc_source/install-macos.md | 9 ++ doc_source/security.md | 3 +- 10 files changed, 241 insertions(+), 20 deletions(-) create mode 100644 doc_source/cli-security-enforcing-tls.md diff --git a/doc_source/cli-configure-files.md b/doc_source/cli-configure-files.md index 74b3209..504da29 100644 --- a/doc_source/cli-configure-files.md +++ b/doc_source/cli-configure-files.md 
@@ -1,6 +1,13 @@ # Configuration and Credential File Settings -You can save your frequently used configuration settings and credentials in files that are maintained by the AWS CLI\. The files are divided into sections that can be referenced by name\. These are called "profiles"\. Unless you specify otherwise, the CLI uses the settings found in the profile named `default`\. To use alternate settings, you can create and reference additional profiles\. You can also override an individual setting by either setting one of the supported environment variables, or by using a command line parameter\. +You can save your frequently used configuration settings and credentials in files that are maintained by the AWS CLI\. Credentials are mainly comprised of the following two pieces of information: ++ The IAM user, see [Creating an IAM User in Your AWS Account](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) for more information\. ++ The access key attached to the IAM user, see [Managing Access Keys for IAM Users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) for more information\. + +**Note** +You need to use the AWS console to create your preferred IAM user for first time AWS CLI configuration setup\. After setup is complete, you can create additional users through the AWS CLI\. + +The files are divided into sections that can be referenced by name\. These are called "profiles"\. Unless you specify otherwise, the CLI uses the settings found in the profile named `default`\. To use alternate settings, you can create and reference additional profiles\. You can also override an individual setting by either setting one of the supported environment variables, or by using a command line parameter\. + [Where Are Configuration Settings Stored?](#cli-configure-files-where) + [Global Settings](#cli-configure-files-global) + [S3 Custom Command Settings](#cli-configure-files-s3) 
@@ -125,7 +132,7 @@ ca_bundle = dev/apps/ca-certs/cabundle-2019mar05.pem *cli\_binary\_format* **This feature is available only with AWS CLI version 2\.** -The following feature is available only if you use AWS CLI version 2\. It isn't available if you run AWS CLI version 1\. For information about how to install the preview of version 2, see [Installing the AWS CLI version 2](install-cliv2.md)\. +The following feature is available only if you use AWS CLI version 2\. It isn't available if you run AWS CLI version 1\. For information on how to install version 2, see [Installing the AWS CLI version 2](install-cliv2.md)\. Specifies how the AWS CLI version 2 interprets binary input parameters\. It can be one of the following values: + **base64** – This is the default value\. An input parameter that is typed as a binary large object \(BLOB\) accepts a base64\-encoded string\. To pass true binary content, put the content in a file and provide the file's path and name with the `fileb://` prefix as the parameter's value\. To pass base64\-encoded text contained in a file, provide the file's path and name with the `file://` prefix as the parameter's value\. + **raw\-in\-base64\-out** – Provides backward compatibility with the AWS CLI version 1 behavior where binary values must be passed literally\. 
@@ -151,7 +158,7 @@ cli_follow_urlparam = false *cli\_pager* **This feature is available only with AWS CLI version 2\.** -The following feature is available only if you use AWS CLI version 2\. It isn't available if you run AWS CLI version 1\. For information about how to install the preview of version 2, see [Installing the AWS CLI version 2](install-cliv2.md)\. +The following feature is available only if you use AWS CLI version 2\. It isn't available if you run AWS CLI version 1\. For information on how to install version 2, see [Installing the AWS CLI version 2](install-cliv2.md)\. Specifies the pager program used for output\. By default, AWS CLI version 2 returns all output through your operating system’s default pager program\. Can be overridden by the AWS\_PAGER environment variable\. diff --git a/doc_source/cli-configure-sso.md b/doc_source/cli-configure-sso.md index 7d74150..669ed82 100644 --- a/doc_source/cli-configure-sso.md +++ b/doc_source/cli-configure-sso.md 
@@ -1,7 +1,7 @@ # Configuring the AWS CLI to use AWS Single Sign\-On **This feature is available only with AWS CLI version 2\.** -The following feature is available only if you use AWS CLI version 2\. It isn't available if you run AWS CLI version 1\. For information about how to install the preview of version 2, see [Installing the AWS CLI version 2](install-cliv2.md)\. +The following feature is available only if you use AWS CLI version 2\. It isn't available if you run AWS CLI version 1\. For information on how to install version 2, see [Installing the AWS CLI version 2](install-cliv2.md)\. If your organization uses AWS Single Sign\-On \(AWS SSO\), your users can sign in to Active Directory, a built\-in AWS SSO directory, or [another iDP connected to AWS SSO](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source-idp.html) and get mapped to an AWS Identity and Access Management \(IAM\) role that enables you to run AWS CLI commands\. Regardless of which iDP you use, AWS SSO abstracts those distinctions away, and they all work with the AWS CLI as described below\. For example, you can connect Microsoft Azure AD as described in the blog article [The Next Evolution in AWS Single Sign\-On](http://aws.amazon.com/blogs/aws/the-next-evolution-in-aws-single-sign-on/) diff --git a/doc_source/cli-security-enforcing-tls.md b/doc_source/cli-security-enforcing-tls.md new file mode 100644 index 0000000..fb7482d --- /dev/null +++ b/doc_source/cli-security-enforcing-tls.md 
@@ -0,0 +1,126 @@ +# Enforcing a TLS 1\.2 Minimum + +To add increased security when communicating with AWS services, you should configure your AWS Command Line Interface to use TLS 1\.2 or later\. When you use the the AWS CLI, Python is used to set the TLS version\. + +Based on your AWS CLI version, the steps you perform to enforce a TLS minimum of 1\.2 varies\. + +**Topics** ++ [Configuring the AWS CLI version 1 to Enforce a TLS 1\.2 Minimum](#enforcing-tls-v1) ++ [Configuring the AWS CLI version 2 to Enforce a TLS 1\.2 Minimum](#enforcing-tls-v2) + +## Configuring the AWS CLI version 1 to Enforce a TLS 1\.2 Minimum + +In order to ensure the AWS CLI version 1 uses no lower than TLS 1\.2, you may need to recompile OpenSSL to enforce this minimum and then recompile Python to use the newly built OpenSSL\. + +### Determine Your Currently Supported Protocols + +First create a self\-signed certificate to use for the test server and the SDK using OpenSSL: + +``` +$ openssl req -subj '/CN=localhost' -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.pem -days 365 +``` + +Then spin up a test server using OpenSSL: + +``` +$ openssl s_server -key key.pem -cert cert.pem -www +``` + +In a new terminal screen, create a virtual environment and install the SDK: + +``` +$ python3 -m venv test-env +source test-env/bin/activate +pip install botocore +``` + +Create a new Python script called check\.py that uses the SDK’s underlying HTTP library: + +``` +$ import urllib3 +URL = 'https://localhost:4433/' + +http = urllib3.PoolManager( + ca_certs='cert.pem', + cert_reqs='CERT_REQUIRED', +) +r = http.request('GET', URL) +print(r.data.decode('utf-8')) +``` + +Run your new script: + +``` +$ python check.py +``` + +This displays details about the connection made\. Search for "Protocol : " in the output\. If the output is "TLSv1\.2" or higher, the SDK defaults to TLS v1\.2 and higher\. If it is lower, you need to recompile OpenSSL and recompile Python\. 
+ +However, even if your installation of Python defaults to TLS v1\.2 or higher, it is still possible for Python to renegotiate to a version lower than TLS v1\.2 if the server does not support TLS v1\.2\+\. To check that Python does not automatically renegotiate to lower versions, restart the test server with the following: + +``` +$ openssl s_server -key key.pem -cert cert.pem -no_tls1_3 -no_tls1_2 -www +``` + +Note if you are using an older version of OpenSSL, you may not have the `-no_tls_3` flag available\. If this is the case, remove the flag because the version of OpenSSL you are using does not support TLS v1\.3\. Then rerun the Python script: + +``` +$ python check.py +``` + +If your installation of Python correctly does not renegotiate for versions lower than TLS 1\.2, you should receive an SSL error: + +``` +$ urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='localhost', port=4433): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:1108)'))) +``` + +If you are able to make a connection, then you need to recompile OpenSSL and Python to disable negotiation of protocols lower than TLS v1\.2\. + +### Compile OpenSSL and Python + + In order to ensure the SDK or CLI does not negotiate for anything lower than TLS 1\.2, you need to recompile OpenSSL and Python\. 
First copy the content below to create a script and run it: + +``` +#!/usr/bin/env bash +set -e + +OPENSSL_VERSION="1.1.1d" +OPENSSL_PREFIX="/opt/openssl-with-min-tls1_2" +PYTHON_VERSION="3.8.1" +PYTHON_PREFIX="/opt/python-with-min-tls1_2" + + +curl -O "https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz" +tar -xzf "openssl-$OPENSSL_VERSION.tar.gz" +cd openssl-$OPENSSL_VERSION +./config --prefix=$OPENSSL_PREFIX no-ssl3 no-tls1 no-tls1_1 no-shared +make > /dev/null +sudo make install_sw > /dev/null + + +cd /tmp +curl -O "https://www.python.org/ftp/python/$PYTHON_VERSION/Python-$PYTHON_VERSION.tgz" +tar -xzf "Python-$PYTHON_VERSION.tgz" +cd Python-$PYTHON_VERSION +./configure --prefix=$PYTHON_PREFIX --with-openssl=$OPENSSL_PREFIX --disable-shared > /dev/null +make > /dev/null +sudo make install > /dev/null +``` + +This compiles a version of Python that has a statically linked OpenSSL that does not automatically negotiate anything below TLS 1\.2\. This also installs OpenSSL in the `/opt/openssl-with-min-tls1_2` directory and install Python in the `/opt/python-with-min-tls1_2` directory\. Once you run this script, confirm installation of the new version of Python: + +``` +$ /opt/python-with-min-tls1_2/bin/python3 --version +``` + +This should print out: + +``` +$ Python 3.8.1 +``` + +To confirm this new version of Python does not negotiate lower than TLS 1\.2, rerun the steps from “Determine protocols supported” using the newly installed Python version \(i\.e\. /opt/python\-with\-min\-tls1\_2/bin/python3\)\. + +## Configuring the AWS CLI version 2 to Enforce a TLS 1\.2 Minimum + +AWS CLI version 2 uses an internal Python script that is compiled to use a minimum of TLS 1\.2 when the service it's talking to supports it\. No further steps are needed to enforce this minimum\. \ No newline at end of file diff --git a/doc_source/cli-usage-output.md b/doc_source/cli-usage-output.md index 04e48b1..1edcdd0 100644 --- a/doc_source/cli-usage-output.md 
+++ b/doc_source/cli-usage-output.md @@ -83,7 +83,7 @@ $ aws iam list-users --output json ## YAML Output Format **This feature is available only with AWS CLI version 2\.** -The following feature is available only if you use AWS CLI version 2\. It isn't available if you run AWS CLI version 1\. For information about how to install the preview of version 2, see [Installing the AWS CLI version 2](install-cliv2.md)\. +The following feature is available only if you use AWS CLI version 2\. It isn't available if you run AWS CLI version 1\. For information on how to install version 2, see [Installing the AWS CLI version 2](install-cliv2.md)\. [YAML](https://yaml.org) is a good choice for handling the output programmatically with services and tools that emit or consume [YAML](https://yaml.org)\-formatted strings, such as AWS CloudFormation with its support for [YAML\-formatted templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-formats.html)\. @@ -586,7 +586,7 @@ For more examples and the full spec of JMESPath, the underlying JSON\-processing ## How to Set the Output’s Default Pager Program **This feature is available only with AWS CLI version 2\.** -The following feature is available only if you use AWS CLI version 2\. It isn't available if you run AWS CLI version 1\. For information about how to install the preview of version 2, see [Installing the AWS CLI version 2](install-cliv2.md)\. +The following feature is available only if you use AWS CLI version 2\. It isn't available if you run AWS CLI version 1\. For information on how to install version 2, see [Installing the AWS CLI version 2](install-cliv2.md)\. AWS CLI version 2 provides the use of a client\-side pager program for output\. By default, this feature returns all output through your operating system’s default pager program\. Client\-side pagination occurs after any server\-side pagination you specify, see [Pagination](cli-usage-pagination.md)\. 
diff --git a/doc_source/cli-usage-parameters-prompting.md b/doc_source/cli-usage-parameters-prompting.md index 43af2ee..b73b1ca 100644 --- a/doc_source/cli-usage-parameters-prompting.md +++ b/doc_source/cli-usage-parameters-prompting.md @@ -1,7 +1,7 @@ # Having the AWS CLI Prompt You for Parameters **This feature is available only with AWS CLI version 2\.** -The following feature is available only if you use AWS CLI version 2\. It isn't available if you run AWS CLI version 1\. For information about how to install the preview of version 2, see [Installing the AWS CLI version 2](install-cliv2.md)\. +The following feature is available only if you use AWS CLI version 2\. It isn't available if you run AWS CLI version 1\. For information on how to install version 2, see [Installing the AWS CLI version 2](install-cliv2.md)\. You can have the AWS CLI version 2 prompt you for parameters when you run a command\. On your command line, include `--cli-auto-prompt`\. diff --git a/doc_source/document-history.md b/doc_source/document-history.md index 8306402..f7090c3 100644 --- a/doc_source/document-history.md +++ b/doc_source/document-history.md 
@@ -10,8 +10,8 @@ The following table describes important additions to the *AWS Command Line Inter | [Updated to remove support for Python 2\.6 and 3\.3 from AWS CLI version 1](https://docs.aws.amazon.com/cli/latest/userguide/deprecate-old-python-versions.html) | As of January 10th, 2020, AWS CLI version 1 no longer supports using Python versions 2\.6 or 3\.3\. You must update to a newer version of Python to use AWS CLI version 1\.17 or later\. | January 10, 2020 | | [Developer preview release for AWS CLI version 2](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) | Announcing preview release of AWS CLI version 2\. Added instructions about installing version 2\. Add Migration topic to discuss differences between versions 1 and 2\. | November 7, 2019 | | [Added support for AWS Single Sign\-On to AWS CLI named profiles](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html) | AWS CLI version 2 adds support for creating a named profile that can directly login to an AWS SSO user account and get AWS temporary credentials for use in subsequent AWS CLI commands\. | November 7, 2019 | -| [Added support for AWS Single Sign\-On to AWS CLI named profiles](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html) | AWS CLI version 2 adds support for creating a named profile that can directly login to an AWS SSO user account and get AWS temporary credentials for use in subsequent AWS CLI commands\. | November 7, 2019 | | [New MFA section](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html#cli-configure-role-mfa) | Added a new section describing how to access the CLI using multi\-factor authentication and roles\. | May 3, 2019 | | [Update to "Using the CLI" section](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-using.html) | Major improvements and additions to the usage instructions and procedures\. 
| March 7, 2019 | | [Update to "Installing the CLI" section](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html) | Major improvements and additions to the CLI installation instructions and procedures\. | March 7, 2019 | -| [Update to "Configuring the CLI" section](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) | Major improvements and additions to the CLI configuration instructions and procedures\. | March 7, 2019 | \ No newline at end of file +| [Update to "Configuring the CLI" section](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) | Major improvements and additions to the CLI configuration instructions and procedures\. | March 7, 2019 | +| [Added information regarding client\-side pagers for AWS CLI version 2](https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-pagination.html) | By default, AWS CLI version 2 uses the pager program `less` for all client\-side output\. | February 19, 20120 | \ No newline at end of file diff --git a/doc_source/index.md b/doc_source/index.md index 2057fae..29eea9c 100644 --- a/doc_source/index.md +++ b/doc_source/index.md @@ -76,6 +76,7 @@ Amazon's trademarks and trade dress may not be used in + [Data Protection in the AWS CLI](data-protection.md) + [Identity and Access Management for the AWS CLI](cli-security-iam.md) + [Compliance Validation for the AWS CLI](cli-security-compliance-validation.md) + + [Enforcing a TLS 1.2 Minimum](cli-security-enforcing-tls.md) + [Troubleshooting AWS CLI Errors](cli-chap-troubleshooting.md) + [Breaking Changes – Migrating from AWS CLI version 1 to version 2](cliv2-migration.md) + [AWS CLI User Guide Document History](document-history.md) \ No newline at end of file diff --git a/doc_source/install-cliv2-mac.md b/doc_source/install-cliv2-mac.md index 6be9bd4..6ab7c88 100644 --- a/doc_source/install-cliv2-mac.md +++ b/doc_source/install-cliv2-mac.md 
@@ -3,13 +3,14 @@ This section describes how to install, upgrade, and remove the AWS CLI version 2 on macOS\. **Important** -Because AWS CLI versions 1 and 2 use the same `aws` name for the command, your computer will find only the first one found in your search path if you have both installed\. If you previously had AWS CLI version 1 installed, then we recommend that you do one of the following to use AWS CLI version 2: +Because AWS CLI versions 1 and 2 use the same `aws` name for the command, your computer will find only the first one found in your search path if you have both installed\. If you previously had installed AWS CLI version 1, then we recommend that you do one of the following to use AWS CLI version 2: ***Recommended:*** Uninstall AWS CLI version 1 and use only AWS CLI version 2\. -Use your operating system's ability to create an alias or link with a different namef or one of the two `aws` commands\. For example, you could use [https://www.linux.com/tutorials/understanding-linux-links/](https://www.linux.com/tutorials/understanding-linux-links/) or [https://www.linux.com/tutorials/aliases-diy-shell-commands/](https://www.linux.com/tutorials/aliases-diy-shell-commands/) in Linux and macOS or []() in Windows\. +Use your operating system's ability to create an alias or sym link with a different name for one of the two `aws` commands\. For example, you could use [https://www.linux.com/tutorials/understanding-linux-links/](https://www.linux.com/tutorials/understanding-linux-links/) or [https://www.linux.com/tutorials/aliases-diy-shell-commands/](https://www.linux.com/tutorials/aliases-diy-shell-commands/) in Linux and macOS, or []() in Windows\. 
**Topics** + [Prerequisites](#cliv2-mac-prereq) -+ [Installing](#cliv2-mac-install) ++ [Installing using the macOS graphical interface](#cliv2-mac-install-gui) ++ [Installing using the macOS command line](#cliv2-mac-install-cmd) + [Confirming the installation](#cliv2-mac-install-confirm) + [Upgrading](#cliv2-mac-upgrade) + [Uninstalling](#cliv2-mac-remove) @@ -18,9 +19,7 @@ Use your operating system's ability to create an alias or link with a different + The AWS CLI version 2 has no dependencies on other software packages\. It has a self\-contained, embedded copy of all dependencies included in the installer\. You no longer need to install and maintain Python to use the AWS CLI\. + We support the AWS CLI version 2 on versions of macOS that are supported by Apple, including High Sierra \(10\.13\), Mojave \(10\.14\), and Catalina \(10\.15\)\. -## Installing - -You can install using either the graphical interface or the command line\. +You can install using either the graphical interface or the command line\. ## Installing using the macOS graphical interface 
@@ -30,13 +29,32 @@ To install using the standard macOS graphical interface and your browser, follow 1. Double\-click the downloaded file to launch the installer\. -1. Follow the on\-screen instructions\. +1. Follow the on\-screen instructions\. You can choose to install the AWS CLI version 2 in the following ways: + + **For all users on the computer \(requires `sudo`\)** + + You can install to any folder, or choose the recommended default folder of `/usr/local/aws-cli`\. + + The installer automatically creates a symbolic link \(symlink\) at `/usr/local/bin/aws` that links to main program in the installation folder you chose\. + + **For only the current user \(doesn't require `sudo`\)** + + You can install to any folder to which you have write permission\. + + You must manually create a symlink file in your `$PATH` that points to the actual `aws` and `aws_completer` programs\. You must run these commands at the command prompt\. Because standard user permissions typically don't allow writing to folders in the path, the installer in this mode doesn't try to add the symlinks\. You must manually create the symlinks after the installer finishes\. If your `$PATH`includes a folder you can write to, you can run the following command without `sudo` if you specify that folder as the target's path\. If you don't have a writable folder in your `$PATH`, then you must use `sudo` in the commands to get permissions to write to the specified target folder\. + + ``` + $ sudo ln -s /folder/installed/aws-cli/aws /folder/in/path/aws + $ sudo ln -s /folder/installed/aws-cli/aws_completer /folder/in/path/aws_completer + ``` -1. Follow the steps in the section [Confirming the installation](#cliv2-mac-install-confirm) below\. +1. You can view debug logs for the installation by pressing **CMD\+L** anywhere in the installer\. This opens up a log pane that enables you to filter and save the log\. The log file is also automatically saved to `/var/log/install.log`\. + +1. 
Follow the steps in the section [Confirming the installation](#cliv2-mac-install-confirm) below\. ## Installing using the macOS command line -You can also download and install from the command line\. +You can also download and install from the command line\. You can choose to install the AWS CLI version 2 in the following ways: ++ [For all users](#cliv2-mac-install-cmd-all-users) \- requires `sudo` ++ [For only the current user](#cliv2-mac-install-cmd-current-user) \- might require `sudo` to create symlink in folder in $PATH + +## To install for all users using the macOS command line + +If you have sudo permissions, you can install the AWS CLI version 2 for all users on the computer\. We provide the steps in one easy to copy and paste group\. See the descriptions of each line in the steps that follow\. 
@@ -59,7 +77,66 @@ $ sudo installer -pkg AWSCLIV2.pkg -target / $ sudo installer -pkg ./AWSCLIV2.pkg -target / ``` - You must specify the name of the package to install by using the `-pkg` parameter, and the drive to which to install the package by using the `-target /` parameter\. The files are installed to `/usr/local/aws-cli`, and a symlink is created in `/usr/local/bin`\. You must include `sudo` on the command to grant write permissions to those folders\. + You must specify the name of the package to install by using the `-pkg` parameter, and the drive to which to install the package by using the `-target /` parameter\. The files are installed to `/usr/local/aws-cli`, and a symlink is automatically created in `/usr/local/bin`\. You must include `sudo` on the command to grant write permissions to those folders\. + +1. You can view debug logs after installation is complete\. The logs are written to `/var/log/install.log`\. + +1. Follow the steps in the section [Confirming the installation](#cliv2-mac-install-confirm) below\. + +## To install for only the current user using the macOS command line + +If you have sudo permissions, you can install the AWS CLI version 2 for all users on the computer\. + +1. Download the file using the `curl` command\. The options on the following example command cause the downloaded file to be written to the current directory with the local name \. + + ``` + $ curl "https://awscli.amazonaws.com/AWSCLIV2.pkg" -o "AWSCLIV2.pkg" + ``` + + In this example, the `-o` option specifies the file name that the downloaded package is written to\. In the previous example, the file is written to `AWSCLIV2.pkg` in the current folder\. + +1. Before you can run the installer, you must create a file that specifies the folder to which the AWS CLI is installed\. This file is an XML formatted file that looks like the following example\. 
Leave all value as shown, expect you must replace the path */Users/myusername* in line 9 with the path to the folder you want the AWS CLI version 2 installed to\. *The folder must already exist, or the command fails\.* This XML example specifies that the installer is install the AWS CLI in the folder `/Users/myusername`, where it creates a folder named `aws-cli`\. + + ``` + + + + + + choiceAttribute + customLocation + attributeSetting + /Users/myusername + choiceIdentifier + default + + + + ``` + +1. Now you can run the standard macOS `installer` program with the following options: + + Specify the name of the package to install by using the `-pkg` parameter\. + + To specify a *current user only* installation, you must set the parameter `--target CurrentUserHomeDirectory`\. + + Specify the path \(relative to the current folder\) and name of the XML file that you created in the previous step in the `--applyChoiceChangesXML` parameter\. + + ``` + $ installer -pkg AWSCLIV2.pkg \ + -target CurrentUserHomeDirectory \ + -applyChoiceChangesXML choices.xml + ``` + + This installs the AWS CLI in the folder `/Users/myusername/aws-cli`\. + +1. Finally, you must create a symlink file in your `$PATH` that points to the actual `aws` and `aws_completer` programs\. Because standard user permissions typically don't allow writing to folders in the path, the installer in this mode doesn't try to add the symlinks\. You must manually create the symlinks after the installer finishes\. If your `$PATH`includes a folder you can write to, you can run the following command without `sudo` if you specify that folder as the target's path\. If you don't have a writable folder in your `$PATH`, then you must use `sudo` in the commands to get permissions to write to the specified target folder\. + + ``` + $ sudo ln -s /folder/installed/aws-cli/aws /folder/in/path/aws + $ sudo ln -s /folder/installed/aws-cli/aws_completer /folder/in/path/aws_completer + ``` + +1. 
You can view debug logs after installation is complete\. The logs are written to `/var/log/install.log`\. + +1. Follow the steps in the section [Confirming the installation](#cliv2-mac-install-confirm) below\. ## Confirming the installation diff --git a/doc_source/install-macos.md b/doc_source/install-macos.md index daec1d6..747abab 100644 --- a/doc_source/install-macos.md +++ b/doc_source/install-macos.md @@ -57,6 +57,15 @@ By default, the install script runs under the system's default version of Python $ sudo /usr/local/bin/python3.7 awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws ``` +1. Verify that the AWS CLI is installed correctly\. + + ``` + $ aws --version + aws-cli/1.17.4 Python/3.7.4 Darwin/18.7.0 botocore/1.13 + ``` + + If the program isn't found, [add it to your command line path](#awscli-install-osx-path)\. + To see an explanation of the `-i` and `-b` options, use the `-h` option\. ``` diff --git a/doc_source/security.md b/doc_source/security.md index 549fe5b..e0432a5 100644 --- a/doc_source/security.md +++ b/doc_source/security.md @@ -11,4 +11,5 @@ This documentation helps you understand how to apply the shared responsibility m **Topics** + [Data Protection in the AWS CLI](data-protection.md) + [Identity and Access Management for the AWS CLI](cli-security-iam.md) -+ [Compliance Validation for the AWS CLI](cli-security-compliance-validation.md) \ No newline at end of file ++ [Compliance Validation for the AWS CLI](cli-security-compliance-validation.md) ++ [Enforcing a TLS 1\.2 Minimum](cli-security-enforcing-tls.md) \ No newline at end of file
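Review bot: In the intro hunk of cli-configure-files.md, the new list says credentials are "mainly comprised of" the IAM user and the access key, but the IAM user is the identity the key belongs to, not something stored in the credentials file; the file holds the access key (access key ID and secret access key). Suggest wording along the lines of "Credentials consist of an access key that is attached to an IAM user" and keeping both links. In the added Note, "first time AWS CLI configuration setup" should read "first-time".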
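Review bot: In cli-security-enforcing-tls.md, the script under "Compile OpenSSL and Python" downloads both tarballs with `curl -O` and goes straight to `sudo make install_sw` and `sudo make install` with no integrity check on either archive; add a checksum or signature verification step between each download and its `tar -xzf`, and use `curl -fLO` so an HTTP error page is not saved as the tarball. The same script fetches OpenSSL into the current directory but runs `cd /tmp` before the Python download, and `make > /dev/null` hides the output a reader needs when the build stops under `set -e`. Elsewhere in this hunk: the check.py listing begins with `$ import urllib3` and the expected-output blocks begin with `$ urllib3.exceptions.MaxRetryError` and `$ Python 3.8.1`, so the prompt marker should be removed from everything that is not a shell command; the prose names the flag `-no_tls_3` while the command uses `-no_tls1_3`; the closing cross-reference says "Determine protocols supported" but the heading is "Determine Your Currently Supported Protocols"; "the the AWS CLI" and "the steps ... varies" need fixing. The text uses "renegotiate" for what is version selection during the handshake; "negotiate" or "fall back" avoids confusion with TLS renegotiation. Finally, the version 2 section says the CLI uses TLS 1.2 "when the service it's talking to supports it" without saying what happens when the service does not; if lower versions are refused, state that, otherwise "Enforce" in the heading overstates the behaviour.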
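Review bot: The row added at the end of the document-history.md table is dated "February 19, 20120"; the year has an extra digit. The visible rows run newest to oldest (January 10, 2020, then November 7, 2019, and so on), so a February 2020 entry belongs at the top rather than after the March 7, 2019 rows. The link text is about client-side pagers but the URL targets cli-usage-pagination.html, while the pager section touched in this patch is "How to Set the Output's Default Pager Program" in cli-usage-output.md; confirm the link target.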
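Review bot: The entry added to index.md reads "Enforcing a TLS 1.2 Minimum" with an unescaped period, while the same title is written `1\.2` in the security.md hunk and in the new file's heading; match the escaping used in the rest of doc_source.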
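Review bot: In the Important block at the top of install-cliv2-mac.md, the rewritten alias sentence still ends with an empty link, `[]()` in Windows, so Windows readers get no target; supply the link or drop the Windows clause. "sym link" is written "symlink" everywhere else in this patch.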
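Review bot: In the current-user branch of the graphical-install steps in install-cliv2-mac.md, the text says the link commands can run without `sudo` when a folder in `$PATH` is writable, yet the only example shown is `sudo ln -s ...`; show the non-sudo form, or both. When `sudo` is used to place the link in a system-wide folder, the link resolves into an install folder the user can write to, so any other account that runs `aws` through that link executes a file an unprivileged user can replace; recommending a per-user bin folder for this mode avoids that. The paragraph also states three times that the symlinks must be created manually, and "`$PATH`includes" is missing a space.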
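Review bot: The new section "To install for only the current user using the macOS command line" opens with "If you have sudo permissions, you can install the AWS CLI version 2 for all users on the computer", which is carried over from the all-users section and contradicts the heading. In step 1, "with the local name \." has lost the file name. In step 2 the XML listing as it appears here contains only bare values (choiceAttribute, customLocation, attributeSetting, ...) with no element tags, so "line 9" cannot be located and the file cannot be created from the example; the step also never names the file, while step 3 passes `choices.xml`. Step 3's prose writes `--target` and `--applyChoiceChangesXML` but the command uses `-target` and `-applyChoiceChangesXML`; pick the form the `installer` program accepts and use it in both places. Typos in step 2: "Leave all value as shown, expect you must" and "the installer is install".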
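Review bot: In install-macos.md the new "Verify that the AWS CLI is installed correctly" step is inserted between the install command and the existing sentence "To see an explanation of the `-i` and `-b` options", which refers back to that install command; move the verification step after the `-h` explanation and its example so the explanation stays attached to the command it describes.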