Security considerations for Synthetics canaries – Amazon CloudWatch

Security considerations for Synthetics canaries

The following sections explain security issues that you should consider when creating and running canaries in Synthetics.

Use secure connections

Because canary code and the results from canary test runs can contain sensitive data, do not have your canary connect to endpoints over unencrypted connections. Always use secure connections, such as those that begin with https://.

Canary naming considerations

The Amazon Resource Name (ARN) of a canary is included in the user-agent header as a part of outbound calls made from the Puppeteer-driven Chromium browser that is included as a part of the CloudWatch Synthetics wrapper library. This helps identify CloudWatch Synthetics canary traffic and relate it back to the canaries that are making the calls.

The canary ARN includes the canary name. Choose canary names that do not reveal proprietary information.
Additionally, be certain to point your canaries only at websites and endpoints that you control.

Secrets in canary code

We recommend that you don't include secrets, such as access keys or database credentials, in your canary source code. For more information about how to use AWS Secrets Manager to help keep your secrets secure, see What is AWS Secrets Manager?.

Permissions considerations

We recommend that you restrict access to resources that are created or used by CloudWatch Synthetics. Use tight permissions on the Amazon S3 buckets where canaries store test run results and other artifacts, such as logs and screenshots.
Similarly, keep tight permissions on the locations where your canary source code is stored, so that no user accidentally or maliciously deletes the Lambda layers or Lambda functions used for the canary.
To help make sure you run the canary code you intend, you can use object versioning on the Amazon S3 bucket where your canary code is stored. Then, when you specify this code to run as a canary, you can include the object versionId as part of the path, as in the following examples.

https://bucket.s3.amazonaws.com/path/object.zip?versionId=version-id
https://s3.amazonaws.com/bucket/path/object.zip?versionId=version-id
https://bucket.s3-region.amazonaws.com/path/object.zip?versionId=version-id

Stack traces and exception messages

By default, CloudWatch Synthetics canaries capture any exception thrown by your canary script, no matter whether the script is custom or is from a blueprint. CloudWatch Synthetics logs both the exception message and the stack trace to three locations:

  • Back into the CloudWatch Synthetics service to speed up debugging when you describe test runs
  • Into CloudWatch Logs, according to the configuration that your Lambda functions are created with
  • Into the Synthetics log file, which is a plaintext file that is uploaded to the Amazon S3 location specified by the value you set for the resultsLocation of the canary

If you want to send and store less information, you can capture exceptions before they return to the CloudWatch Synthetics wrapper library.
You can also have request URLs in your errors. CloudWatch Synthetics scans for any URLs in the error thrown by your script and redacts restricted URL parameters from them based on the restrictedUrlParameters configuration. If you are logging error messages in your script, you can use getSanitizedErrorMessage to redact URLs before logging.

Scope your IAM roles narrowly

We recommend that you do not configure your canary to visit potentially malicious URLs or endpoints. Pointing your canary to untrusted or unknown websites or endpoints could expose your Lambda function code to malicious users' scripts. Assuming a malicious website can break out of Chromium, it could have access to your Lambda code in a similar way to if you connected to it using an internet browser.
Run your Lambda function with an IAM execution role that has scoped-down permissions. This way, if your Lambda function is compromised by a malicious script, it is limited in the actions it can take when running as your canary's AWS account.
When you use the CloudWatch console to create a canary, it is created with a scoped-down IAM execution role.

Sensitive data redaction

CloudWatch Synthetics captures URLs, status codes, failure reasons (if any), and the headers and bodies of requests and responses. This enables a canary user to understand, monitor, and debug canaries.
The configurations described in the following sections can be set at any point in canary execution. You can also choose to apply different configurations to different Synthetics steps.

Request URLs

By default, CloudWatch Synthetics logs request URLs, status codes, and the status reason for each URL in canary logs. Request URLs can also appear in canary execution reports, HAR files, and so on. Your request URLs might contain sensitive query parameters, such as access tokens or passwords. You can redact sensitive information from being logged by CloudWatch Synthetics.
To redact sensitive information, set the configuration property restrictedUrlParameters. For more information, see the SyntheticsConfiguration class. This causes CloudWatch Synthetics to redact URL parameters, including path and query parameter values, based on restrictedUrlParameters before logging. If you are logging URLs in your script, you can use getSanitizedUrl(url, stepConfig = null) to redact URLs before logging. For more information, see the SyntheticsLogHelper class.

Headers

By default, CloudWatch Synthetics doesn't log request/response headers. For UI canaries, this is the default behavior for canaries using runtime version syn-nodejs-puppeteer-3.2 and later.
If your headers don't contain sensitive information, you can enable headers in HAR files and HTTP reports by setting the includeRequestHeaders and includeResponseHeaders properties to true. You can enable all headers but choose to restrict the values of sensitive header keys. For example, you can choose to redact only Authorization headers from artifacts produced by canaries.

Request and response body

By default, CloudWatch Synthetics doesn't log the request/response body in canary logs or reports. This information is particularly useful for API canaries. Synthetics captures all HTTP requests and can show headers, request bodies, and response bodies. For more information, see executeHttpStep(stepName, requestOptions, [callback], [stepConfig]). You can choose to enable request/response bodies by setting the includeRequestBody and includeResponseBody properties to true.
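The following is an added example, not code from the CloudWatch Synthetics runtime: a small Node.js stand-in that mirrors the redaction rules described in the Stack traces, Request URLs, and Headers sections above, so you can see what a restrictedUrlParameters setting and a restricted header key do to a logged URL, error message, and header set before any artifact is written. The property names restrictedUrlParameters, includeRequestHeaders, includeResponseHeaders, includeRequestBody, and includeResponseBody are the ones this page documents; the restrictedHeaders key, the path-segment rule (the segment after a restricted name is redacted), and the sample request values are assumptions made for this example, not the runtime's documented behavior.

```javascript
// Added example: a stand-in for the redaction behaviour described on this
// page, not the CloudWatch Synthetics library's own implementation.
// Assumptions: the restrictedHeaders key and the path-segment rule below.
const REDACTED = 'REDACTED';

// Constructed step configuration (sample values, not from a real canary).
const sampleStepConfig = {
  restrictedUrlParameters: ['access_token', 'password'],
  includeRequestHeaders: true,
  includeResponseHeaders: true,
  restrictedHeaders: ['Authorization', 'Cookie'], // assumed key name
  includeRequestBody: false,
  includeResponseBody: false,
};

// Redact the values of restricted URL parameters. Query values are matched
// by parameter name; in the path, the segment following a restricted name
// is replaced (e.g. /access_token/abc -> /access_token/REDACTED). A string
// that is not a valid URL is returned unchanged so a logging call never throws.
function sanitizeUrl(urlString, stepConfig = sampleStepConfig) {
  const restricted = new Set(
    (stepConfig.restrictedUrlParameters || []).map((p) => p.toLowerCase()),
  );
  if (restricted.size === 0) return urlString;
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return urlString;
  }
  for (const key of Array.from(url.searchParams.keys())) {
    if (restricted.has(key.toLowerCase())) url.searchParams.set(key, REDACTED);
  }
  const segments = url.pathname.split('/');
  for (let i = 0; i < segments.length - 1; i += 1) {
    if (restricted.has(segments[i].toLowerCase())) segments[i + 1] = REDACTED;
  }
  url.pathname = segments.join('/');
  return url.toString();
}

// Find every http(s) URL embedded in an error message and sanitize it, so
// an error logged from the script cannot leak a token that was in the
// failing request's URL.
const URL_IN_TEXT = /https?:\/\/[^\s"'<>)\]]+/g;
function sanitizeErrorMessage(message, stepConfig = sampleStepConfig) {
  return String(message).replace(URL_IN_TEXT, (found) => sanitizeUrl(found, stepConfig));
}

// Apply the header rules: headers are dropped entirely unless the matching
// include flag is on (the default); when on, values of restricted header
// names are replaced and all other headers pass through.
function sanitizeHeaders(headers, direction, stepConfig = sampleStepConfig) {
  const include = direction === 'response'
    ? stepConfig.includeResponseHeaders
    : stepConfig.includeRequestHeaders;
  if (!include) return {};
  const restricted = new Set(
    (stepConfig.restrictedHeaders || []).map((h) => h.toLowerCase()),
  );
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name] = restricted.has(name.toLowerCase()) ? REDACTED : value;
  }
  return out;
}

// Constructed request, shaped like something a canary step might log.
const sampleRequest = {
  url: 'https://api.example.com/v1/access_token/abc123/profile?user=alice&password=hunter2',
  headers: { Authorization: 'Bearer abc123', 'Content-Type': 'application/json' },
};
console.log(sanitizeUrl(sampleRequest.url));
console.log(JSON.stringify(sanitizeHeaders(sampleRequest.headers, 'request')));
console.log(sanitizeErrorMessage(`GET ${sampleRequest.url} failed with 500`));
```

The three functions are written to be called from inside your own logging, the way the page suggests using getSanitizedUrl and getSanitizedErrorMessage: sanitize first, then log. Note the order of defaults in sanitizeHeaders: if the include flag is off nothing is emitted at all, which is the behavior to rely on when you are unsure whether a header carries credentials; the restricted list only matters once you have opted in.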
