Leveraging the Security of AWS's Own APIs for Your App - AWS Serverless Web Day

Posted on 08-Feb-2017

Category: Technology

TRANSCRIPT

Leveraging the Security of AWS's Own APIs for Your App

Brian Wagner, Solutions Architect

Serverless Web Day, June 23, 2016

AWS API Requests

Access Key and Secret Key

(access key and secret key have been modified for the purpose of this presentation)

The [default] profile of the AWS shared credentials file (~/.aws/credentials):

[default]
aws_access_key_id = AKIAIGQIO52K3ASNZCDA
aws_secret_access_key = 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


WHY: Signing AWS API Requests

Why Requests Are Signed

Verify the identity of the requestor

Protect data in transit

Protect against potential replay attacks

Verify the identity of the requestor

The access key ID is unique to one IAM user or role, and a valid signature proves the caller holds the matching secret key, which is never sent on the wire.

Protect data in transit

GET https://iam.amazonaws.com/?Action=ListUsers&Version=2010-05-08 HTTP/1.1
Authorization: AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20150830/us-east-1/iam/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=5d672d79c15b13162d9279b0855cfba6789a8edb4c82c400e06b5924a6f2b5d7
content-type: application/x-www-form-urlencoded; charset=utf-8
host: iam.amazonaws.com
x-amz-date: 20150830T123600Z

The signature covers the method, path, query string, the headers listed in SignedHeaders and a hash of the body, so any change to those parts in transit makes the signature fail. Confidentiality of the data itself comes from HTTPS, not from the signature.


Protect against potential replay attacks

5 minutes: the x-amz-date timestamp is part of what is signed, and AWS rejects a request whose timestamp is more than 5 minutes away from the service's clock, so a captured request cannot be replayed later.
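The signing and verification these slides describe, as an added example that is not code from the slides or from AWS: a minimal SigV4 signer that reproduces the documentation request quoted above, plus a constructed server-side verifier that looks up the access key (identity), enforces the 5-minute window (replay) and recomputes the signature (integrity). AKIDEXAMPLE and the secret key below are the AWS documentation's published example credentials, not working keys; the request, date and expected signature are the ones on the slide. The `verify` function is a model of what the service does, not AWS's implementation.

```python
"""AWS Signature Version 4: sign a request, then verify it the way a service would.
Added example, not code from the slides or from AWS. AKIDEXAMPLE and the secret
key are the AWS documentation's published example credentials (not valid keys);
the request is the one quoted on the slides. The verifier is a constructed model."""
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"
MAX_CLOCK_SKEW = timedelta(minutes=5)   # the replay window AWS services enforce
ACCESS_KEY = "AKIDEXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"

# The request from the slides, as the client builds it before signing.
EXAMPLE = dict(method="GET", path="/",
               query={"Action": "ListUsers", "Version": "2010-05-08"},
               headers={"Host": "iam.amazonaws.com",
                        "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
                        "X-Amz-Date": "20150830T123600Z"},
               payload=b"")

def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def canonical_request(method, path, query, headers, payload):
    """Task 1: canonical request text plus the sorted signed-headers list."""
    canon_query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                           for k, v in sorted(query.items()))
    # header names lower-cased and sorted; values trimmed, inner spaces collapsed
    canon_headers = {k.lower().strip(): re.sub(r" +", " ", v.strip())
                     for k, v in headers.items()}
    signed_headers = ";".join(sorted(canon_headers))
    header_block = "".join(f"{k}:{canon_headers[k]}\n" for k in sorted(canon_headers))
    text = "\n".join([method, path, canon_query, header_block,
                      signed_headers, _sha256_hex(payload)])   # body hash, even when empty
    return text, signed_headers

def signing_key(secret, date_stamp, region, service):
    """Task 3: key derived per day/region/service; the long-term secret never leaves the client."""
    k = _hmac(("AWS4" + secret).encode("utf-8"), date_stamp)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")

def sign(method, path, query, headers, payload, access_key, secret, region, service):
    """Tasks 2 and 4: string to sign, signature, Authorization header value."""
    amz_date = next(v for k, v in headers.items() if k.lower() == "x-amz-date")
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    canon, signed_headers = canonical_request(method, path, query, headers, payload)
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, _sha256_hex(canon.encode("utf-8"))])
    sig = hmac.new(signing_key(secret, amz_date[:8], region, service),
                   string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{ALGORITHM} Credential={access_key}/{scope}, SignedHeaders={signed_headers}, Signature={sig}"

_AUTH_RE = re.compile(r"AWS4-HMAC-SHA256 Credential=([^/]+)/(\d{8})/([^/]+)/([^/]+)/aws4_request, "
                      r"SignedHeaders=([^,]+), Signature=([0-9a-f]{64})")

def verify(method, path, query, headers, payload, authorization, lookup_secret, now):
    """Server side: who is calling, is the request fresh, was anything signed altered?"""
    m = _AUTH_RE.fullmatch(authorization)
    if not m:
        return False, "malformed Authorization header"
    access_key, _date_stamp, region, service, signed_headers, _sig = m.groups()
    secret = lookup_secret(access_key)                 # identity: key id -> secret
    if secret is None:
        return False, "unknown access key"
    amz_date = next((v for k, v in headers.items() if k.lower() == "x-amz-date"), None)
    if amz_date is None:
        return False, "missing x-amz-date"
    sent_at = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    if abs(now - sent_at) > MAX_CLOCK_SKEW:            # replay: too old (or too far ahead)
        return False, "timestamp outside the 5-minute window"
    signed = {k: v for k, v in headers.items() if k.lower() in signed_headers.split(";")}
    expected = sign(method, path, query, signed, payload, access_key, secret, region, service)
    if not hmac.compare_digest(expected, authorization):   # integrity of query, headers, body hash
        return False, "signature mismatch"
    return True, "ok"

def sign_example():
    """Authorization header for the slide's request; matches the value on the slide."""
    return sign(**EXAMPLE, access_key=ACCESS_KEY, secret=SECRET_KEY, region="us-east-1", service="iam")

def verify_example(authorization, now_amz, query=None):
    """Verify against the example request (optionally with a tampered query) as seen by
    a server whose clock reads now_amz, given in x-amz-date format."""
    request = dict(EXAMPLE, query=query if query is not None else EXAMPLE["query"])
    now = datetime.strptime(now_amz, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    return verify(**request, authorization=authorization, now=now,
                  lookup_secret=lambda key_id: SECRET_KEY if key_id == ACCESS_KEY else None)
```

`sign_example()` returns exactly the Authorization value shown on the slide. `verify_example(auth, "20150830T123700Z")` accepts the request one minute after it was signed; at "20150830T124200Z" the same request is rejected as a replay, and changing the query to Action=DeleteUser or swapping the access key ID is rejected as a signature mismatch or unknown key. Note that the replay window only bounds how long a captured request stays valid; within those 5 minutes an identical request is still accepted, which is why actions that must not repeat need an idempotency token of their own.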

What about your API?

Benefits of signing requests

Verify the identity of the requestor

Protect data in transit

Protect against potential replay attacks


Use IAM and access policies to authorize access to your APIs

Authorization: AWS_IAM (the API Gateway method's authorization type; callers must then SigV4-sign their requests with IAM credentials, and the policy attached to those credentials decides what they may invoke)

IAM and access policies to authorize access to your APIs

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "execute-api:Invoke",
      "Resource": [
        "arn:aws:execute-api:us-east-1:111222333444:myapi/*"
      ]
    }
  ]
}

IAM and access policies to authorize access to your APIs

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "execute-api:Invoke",
      "Resource": [
        "arn:aws:execute-api:us-east-1:111222333444:myapi/*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": "execute-api:Invoke",
      "Resource": [
        "arn:aws:execute-api:us-east-1:111222333444:myapi/*/*/admin/*"
      ]
    }
  ]
}

The explicit Deny wins over the Allow. Note the resource layout: an execute-api ARN is api-id/stage/HTTP-method/resource-path, so a Deny written as myapi/admin/* would only match a stage named "admin"; the form above denies the /admin path in every stage and for every method.

Securing your API

https://4kp2myvxmf.execute-api.us-east-1.amazonaws.com/prod/pets/

(4kp2myvxmf is the API id and prod the stage; both appear in the resource ARN of the policy below.)

IAM and access policies to authorize access to your APIs

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1466674972000",
      "Effect": "Allow",
      "Action": "execute-api:Invoke",
      "Resource": [
        "arn:aws:execute-api:us-east-1:111222333444:4kp2myvxmf/*/GET/pets"
      ]
    }
  ]
}
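How IAM decides whether a signed call may invoke a method, as an added example that is not from the slides and is not AWS's evaluation engine. It models only the part of IAM evaluation these slides rely on: a statement applies when its Action and Resource patterns match, an explicit Deny beats any Allow, and anything not allowed is implicitly denied (no Conditions, Principals, NotAction or resource policies). It goes one step beyond the slides by showing why the Deny needs the stage/method/path layout: a Deny on myapi/admin/* does not reach GET /admin/users in stage prod, whereas myapi/*/*/admin/* does. The helper names `policy`, `allow`, `deny`, `invoke_arn` and the stage name prod are the example's own; the account id and API ids come from the slides.

```python
"""Simplified IAM evaluation for execute-api:Invoke. Added example, not AWS code:
Action/Resource wildcard matching, explicit Deny over Allow, implicit Deny otherwise."""
import re

ACTION = "execute-api:Invoke"
ARN_PREFIX = "arn:aws:execute-api:us-east-1:111222333444:"   # account id from the slides

def _wildcard_match(pattern: str, value: str) -> bool:
    """IAM wildcards: '*' matches any run of characters ('/' included), '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def invoke_arn(api_id, stage, method, path, region="us-east-1", account="111222333444"):
    """Resource ARN API Gateway authorizes against: api-id/stage/HTTP-method/resource-path."""
    return f"arn:aws:execute-api:{region}:{account}:{api_id}/{stage}/{method}/{path.lstrip('/')}"

def evaluate(policy, action, resource_arn):
    """Return 'Allow' or 'Deny' for one action on one resource."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_wildcard_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                  # explicit deny ends evaluation
        allowed = True
    return "Allow" if allowed else "Deny"  # implicit deny when nothing allowed

# Small builders (example's own helpers) so the slide policies can be written compactly.
def policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}

def allow(*resources):
    return {"Effect": "Allow", "Action": ACTION, "Resource": list(resources)}

def deny(*resources):
    return {"Effect": "Deny", "Action": ACTION, "Resource": list(resources)}

# Allow all of myapi, with a Deny written as "myapi/admin/*".
SLIDE_POLICY = policy(allow(ARN_PREFIX + "myapi/*"), deny(ARN_PREFIX + "myapi/admin/*"))
# Same intent, with the Deny written against the stage/method/path layout.
FIXED_POLICY = policy(allow(ARN_PREFIX + "myapi/*"), deny(ARN_PREFIX + "myapi/*/*/admin/*"))
# The pets policy from the slides: GET /pets in any stage of API 4kp2myvxmf.
PETS_POLICY = policy(allow(ARN_PREFIX + "4kp2myvxmf/*/GET/pets"))

# Invocations to test (stage "prod" is the example's assumption).
PETS_GET = invoke_arn("myapi", "prod", "GET", "/pets")
ADMIN_GET = invoke_arn("myapi", "prod", "GET", "/admin/users")

if __name__ == "__main__":
    cases = [("myapi/admin/* deny, GET /admin/users", SLIDE_POLICY, ADMIN_GET),
             ("myapi/*/*/admin/* deny, GET /admin/users", FIXED_POLICY, ADMIN_GET),
             ("myapi/*/*/admin/* deny, GET /pets", FIXED_POLICY, PETS_GET),
             ("pets policy, GET /pets", PETS_POLICY, invoke_arn("4kp2myvxmf", "prod", "GET", "/pets")),
             ("pets policy, POST /pets", PETS_POLICY, invoke_arn("4kp2myvxmf", "prod", "POST", "/pets"))]
    for name, pol, arn in cases:
        print(f"{name:44s} -> {evaluate(pol, ACTION, arn)}")
```

With `SLIDE_POLICY`, GET /admin/users in stage prod evaluates to Allow, because the Deny pattern only matches a stage literally named admin; with `FIXED_POLICY` it is Deny while GET /pets stays Allow. The pets policy allows GET /pets and implicitly denies POST /pets, and any action other than execute-api:Invoke is denied by every policy here. Because `*` also matches `/`, the fixed Deny additionally covers deeper paths that contain /admin/, which is usually what you want for a deny.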

Source of the signed request example above: https://docs.aws.amazon.com/es_es/general/latest/gr/sigv4-signed-request-examples.html#sig-v4-examples-get-query-string

How do my apps sign requests?

API Gateway

Cognito User and Federated Identities

1. The user signs in to your Cognito User Pool (your user directory).
2. The User Pool returns Access and ID tokens.
3. The app exchanges the ID token with Cognito Federated Identities (an Identity Pool) for AWS-scoped credentials.
4. The app uses those credentials to sign calls to your API, which can in turn reach resources such as DynamoDB and S3.

Amazon Cognito Identity and Sync

Your User Pool: add sign-up and sign-in with a fully managed user directory.

Federated Identities (Amazon Cognito Identity): manage authenticated and guest users' access to your AWS resources. Identity sources: your User Pool, guest access, or your own auth.

Data Synchronization (Amazon Cognito Sync): synchronize users' key/value data across devices and platforms via the cloud.

Verify the identity of the requestor

Protect data in transit

Protect against potential replay attacks

Use IAM and access policies to authorize access to your APIs

API Gateway and IAM: Best Friends Forever

