From ad030b447a3c4b93cac46b0138e30cbeab0eba9e Mon Sep 17 00:00:00 2001 From: Takehiro Suzuki Date: Wed, 26 Jun 2024 08:37:58 +0900 Subject: [PATCH] fix (#402) --- README.md | 7 +++---- bin.sh | 2 +- docs/README_ja.md | 4 ++-- 3 files changed, 6 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 9fd2b80d6..9b34bdc06 100644 --- a/README.md +++ b/README.md @@ -59,7 +59,7 @@ By using the [Agent functionality](./docs/AGENT.md), your chatbot can automatica - Open [CloudShell](https://console.aws.amazon.com/cloudshell/home) at the region where you want to deploy -- Run deployment via following commands +- Run deployment via following commands. If you have specific security policy, please also refer [Optional Parameters](#optional-parameters). ```sh git clone https://github.com/aws-samples/bedrock-claude-chat.git @@ -69,11 +69,10 @@ chmod +x bin.sh ``` - You will be asked if a new user or using v1. If so, enter `y`. -- After about 30 minutes, you will get the following output, which you can access from your browser ### Optional Parameters -You can now specify the following parameters during deployment to enhance security and customization: +You can specify the following parameters during deployment to enhance security and customization: - **--disable-self-register**: Disable self-registration (default: enabled). If this flag is set, you will need to create all users on cognito and it will not allow users to self register their accounts. - **--ipv4-ranges**: Comma-separated list of allowed IPv4 ranges. (default: allow all ipv4 addresses) 
@@ -98,7 +97,7 @@ Frontend URL: https://xxxxxxxxx.cloudfront.net The sign-up screen will appear as shown above, where you can register your email and log in. > [!Important] -> This deployment method allows anyone with the URL to sign up if optional parameters are not configured. For production use, we strongly recommend adding IP address restrictions and disabling self-signup to mitigate security risks (Defining the `allowed-signup-email-domains` to allow only your emails from your company domain to be able to sing-up to restrict the users). For ip address restriction use both `ipv4-ranges` and `ipv6-ranges` and to disable self-signup use `disable-self-register` when executing `./bin`. +> Without setting the optional parameter, this deployment method allows anyone who knows the URL to sign up. For production use, it is strongly recommended to add IP address restrictions and disable self-signup to mitigate security risks (you can define allowed-signup-email-domains to restrict users so that only email addresses from your company’s domain can sign up). Use both ipv4-ranges and ipv6-ranges for IP address restrictions, and disable self-signup by using disable-self-register when executing ./bin. ## Architecture diff --git a/bin.sh b/bin.sh index 81c3c0d27..07e5d6181 100755 --- a/bin.sh +++ b/bin.sh @@ -19,7 +19,7 @@ echo "!!! !!!" echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" echo "" while true; do -read -p "Are you a new user or already using v1.x of Bedrock Claude Chat? (y/N): " answer +read -p "Are you a new user starting with v1.x or later? (y/N): " answer case ${answer:0:1} in y|Y ) echo "Starting deployment..." diff --git a/docs/README_ja.md b/docs/README_ja.md index f15d4a0b3..2f991b2a2 100644 --- a/docs/README_ja.md +++ b/docs/README_ja.md 
@@ -45,7 +45,7 @@ - [CloudShell](https://console.aws.amazon.com/cloudshell/home)をデプロイしたいリージョン (ap-northeast-1 など) で開きます -- 下記のコマンドでデプロイ実行します +- 下記のコマンドでデプロイ実行します。もし何らかのセキュリティポリシーがある場合は[オプションのパラメータ](#オプションのパラメータ)もご覧ください。 ```sh git clone https://github.com/aws-samples/bedrock-claude-chat.git @@ -58,7 +58,7 @@ chmod +x bin.sh ### オプションのパラメータ -デプロイ時に以下のパラメータを指定することで、セキュリティとカスタマイズを強化できるようになりました。 +デプロイ時に以下のパラメータを指定することで、セキュリティとカスタマイズを強化できます。 - --disable-self-register: セルフ登録を無効にします(デフォルト: 有効)。このフラグを設定すると、Cognito 上で全てのユーザーを作成する必要があり、ユーザーが自分でアカウントを登録することはできなくなります。 - --ipv4-ranges: 許可する IPv4 範囲のカンマ区切りリスト。(デフォルト: 全ての IPv4 アドレスを許可)
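Review bot: In README.md, hunk @@ -59,7 +59,7 @@, the sentence added to the "Run deployment" bullet presents the hardening flags as something to read only "if you have specific security policy", while the Important note further down the same file says that without them anyone who knows the URL can sign up. Suggest stating it as a direct instruction at this step, for example "For production use, pass the flags described in [Optional Parameters](#optional-parameters)." Also, "please also refer" is missing "to".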
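Review bot: In README.md, hunk @@ -69,11 +69,10 @@, the bullet "After about 30 minutes, you will get the following output, which you can access from your browser" is deleted and no visible hunk adds it back, yet the context of the next hunk still shows the "Frontend URL: https://xxxxxxxxx.cloudfront.net" output. Please confirm that the output is still introduced and that the expected deployment time is still stated somewhere. If not, keep the sentence or move it below the Optional Parameters section.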
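Review bot: In README.md, hunk @@ -98,7 +97,7 @@, the rewritten Important note drops the code formatting from allowed-signup-email-domains, ipv4-ranges, ipv6-ranges and disable-self-register. It also omits the `--` prefix that the Optional Parameters list uses (`--disable-self-register`, `--ipv4-ranges`), so the names cannot be copied as typed. Suggest restoring the backticks with the leading `--`, writing the script name as `./bin.sh` to match the file this patch edits instead of ./bin, and changing "the optional parameter" to "the optional parameters", since the note names several.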
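Review bot: In bin.sh, hunk @@ -19,7 +19,7 @@, the new prompt "Are you a new user starting with v1.x or later? (y/N)" no longer mentions existing v1.x users, while README.md still reads "You will be asked if a new user or using v1. If so, enter `y`." (context of hunk @@ -69,11 +69,10 @@). This prompt gates "Starting deployment...", so a user already on v1.x cannot tell from the new wording which answer applies. Suggest aligning the README sentence with the prompt in this same patch. While the line is being changed, `read -r -p` would also stop backslashes in the answer from being interpreted.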