Is there a safe way to delete all of an AWS SSM runRemoteScript directory as part of execution? Details below.

We've got a very robust AWS SSM setup working involving a python app that polls AWS, grabs the instances you want based on tags, and then issues remote commands to it via SSM. If you give it a command, it uses runShellScript to simply execute what you want. If you specify a file, it uploads a single shell script (requires bash), sets its attributes to public, and then, on the remote side, executes curl https://domain/file.sh | /bin/bash using AWS' runShellScript.

However, if you specify a directory at the command line, it uploads the entire directory to S3 and then issues a runRemoteScript command and automatically executes autorun.sh on the remote side. Of course, autorun.sh can contain anything we want. I typically use it to python3 uploaded_script.py and call it good.

One of the current tasks is to set up tripwire (Open Source, so everything is local on the individual machines). For those unaware, it encrypts its database and configuration files using passphrases. I've got 32 byte random passphrases created and can issue them, but in order to do so (I think), I have to send them in the upload so the scripts know what passphrases to use at the command line for report generation. We don't want to leave the passphrases lying around, hence my question.

Is there a safe way to just delete all of the files in question while guaranteeing that I'm not going to somehow trash another, potentially random directory?

My idea is in the autorun.sh script to put at the very bottom: rm -f *.ini

But, me being paranoid, I want to somehow guarantee I'm deleting ONLY what I want to be deleting.

I would like to manually specify the directory of the downloaded contents, but the path contains the InstanceId, which the script doesn't have.

Thoughts on how to maintain security while automating this task?

If I could simply (and safely!) wipe the ENTIRE contents of /var/lib/amazon/ssm/<InstanceId>/document/orchestration/<CommandID>, I gladly would, but then I'd have to know how to get the InstanceId during script execution, too.

UtahJarhead

0 Answers
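Added example (not part of the original question or the poster's tooling): a POSIX shell autorun.sh that resolves the directory it was launched from, so it never needs the InstanceId or CommandID up front, refuses to delete anything unless that directory sits under the SSM orchestration tree, and then removes only the *.ini files beside it, nothing recursive and nothing outside that directory. The SSM_ROOT override, the tw-*.ini file names and uploaded_script.py are assumptions for illustration.

```shell
#!/bin/sh
# autorun.sh (added example, not the original post's script): do the real work,
# then scrub only the passphrase files that were uploaded next to this script.
set -eu

# Root of the SSM agent's state tree. Overridable so the functions can be
# exercised against a scratch directory; on a real instance the default applies.
SSM_ROOT="${SSM_ROOT:-/var/lib/amazon/ssm}"

# Canonical (symlink-free) directory this script lives in. runRemoteScript
# extracts the upload here, so this is the directory we are allowed to clean.
script_dir() {
  cd "$(dirname "$0")" && pwd -P
}

# Return 0 only when $1 looks like
#   $SSM_ROOT/<InstanceId>/document/orchestration/<CommandID>[/...]
# Anything else (/, $HOME, a typo) is rejected, so a misplaced invocation
# cannot turn "rm -f *.ini" into a wipe of some unrelated directory.
is_ssm_orchestration_dir() {
  case "$1" in
    "$SSM_ROOT"/i-[0-9a-f]*/document/orchestration/?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Remove every *.ini file directly inside $1 (no subdirectories) after the
# directory passes is_ssm_orchestration_dir. Uses shred -u when available so the
# passphrase bytes are overwritten before unlinking; falls back to rm -f.
# Prints the number of files removed on stdout; returns 1 and removes nothing
# if the directory check fails.
wipe_ini_files() {
  dir="$1"
  count=0
  if ! is_ssm_orchestration_dir "$dir"; then
    echo "refusing to clean $dir: not an SSM orchestration directory" >&2
    return 1
  fi
  for f in "$dir"/*.ini; do
    [ -e "$f" ] || continue          # glob matched nothing
    if command -v shred >/dev/null 2>&1; then
      shred -u -- "$f"
    else
      rm -f -- "$f"
    fi
    count=$((count + 1))
  done
  echo "$count"
}

# Real task first (assumed: the upload ships uploaded_script.py next to us),
# then cleanup. The "||" keeps a refused cleanup from aborting the command.
dir="$(script_dir)"
# python3 "$dir/uploaded_script.py"   # the actual tripwire setup goes here
wipe_ini_files "$dir" >/dev/null ||
  echo "cleanup skipped: $dir is outside $SSM_ROOT" >&2
```

The check is deliberately a path pattern rather than a lookup of the InstanceId (which could also be read from the instance metadata service at http://169.254.169.254/latest/meta-data/instance-id): the script only needs to confirm it is standing in an orchestration directory before touching anything. Note that shred offers no guarantee on journaling or copy-on-write filesystems, nor against an EBS snapshot taken while the files existed, so the stronger fix is to not ship the passphrases in the upload at all and instead have the script fetch them at run time from a secret store such as SSM Parameter Store SecureString, leaving nothing on disk to clean up.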