Accend Networks San Francisco Bay Area Full Service IT Consulting Company

Categories
Blogs

Secure Uploads and Downloads in S3

Secure File Uploads and Downloads in S3 Using Presigned URLs

Amazon Simple Storage Service (S3) is a highly scalable object storage service used for storing and retrieving large amounts of data. While S3 provides a straightforward way to manage files, ensuring secure access to those files is crucial. One effective method for securely uploading and downloading files from S3 is the presigned URL. This article explains what presigned URLs are and how they work, and walks through a hands-on demo.

S3 Presigned URL

Presigned URLs are URLs that provide temporary access to objects in S3 without requiring AWS credentials directly from the user. When you create a presigned URL, you essentially generate a URL that includes a signature, allowing anyone with the URL to perform specific actions (like upload or download) on the specified S3 object within a limited time frame.


When you create an S3 bucket, it is private by default, and it is up to you to change this setting based on your needs. If you want a user to upload or download files in a private bucket without making the bucket public or requiring AWS credentials or IAM permissions, you can create a presigned URL.

Presigned URLs work even if the bucket is public, but the main purpose of presigned URLs is to help you keep objects private while allowing limited and controlled access when necessary.

Requirements for Generating Presigned URLs

A presigned URL must be generated by an AWS user or an AWS application that has access to the bucket and the object at the time of creation. When someone makes an HTTP request with the presigned URL, AWS processes the request as if it were performed by the entity that generated the URL, so the URL can never do more than the credentials that signed it could.

Usage and Expiration

Presigned URLs can be shared with temporarily authorized users to allow them to download or upload objects. They can only be used for the method specified when generating the URL. For example, a GET-presigned URL cannot be used for a PUT operation.

There is no default limit on the number of times a presigned URL can be used until it expires.
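To show what the console does when it creates a time-limited URL, here is an added example (my own code, not from the blog) that builds a GET presigned URL with Signature Version 4 query-string signing using only the Python standard library, then models the check S3 performs on it. The credentials, bucket and key are constructed placeholders, and verify_get stands in for S3; it is not an AWS API.

```python
import hashlib
import hmac
import urllib.parse
from datetime import datetime, timedelta, timezone

# Constructed, non-functional credentials: placeholders for the demonstration only.
ACCESS_KEY = "AKIAEXAMPLEEXAMPLE00"
SECRET_KEY = "EXAMPLEsecretkeyEXAMPLEsecretkeyEXAMPLE0"
REGION = "us-east-1"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, date: str) -> bytes:
    # SigV4 key derivation; the long-term secret itself never appears in the URL.
    k = _hmac(("AWS4" + secret).encode(), date)
    k = _hmac(k, REGION)
    k = _hmac(k, "s3")
    return _hmac(k, "aws4_request")


def _signature(secret: str, method: str, host: str, key: str, params: dict) -> str:
    # The canonical request binds method, object key, host and every query parameter
    # (X-Amz-Expires included) into a single signature.
    canonical_uri = "/" + urllib.parse.quote(key, safe="/")
    canonical_qs = "&".join(
        f"{urllib.parse.quote(k, safe='')}={urllib.parse.quote(v, safe='')}"
        for k, v in sorted(params.items()))
    canonical_request = "\n".join(
        [method, canonical_uri, canonical_qs, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    date = params["X-Amz-Date"][:8]
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", params["X-Amz-Date"], f"{date}/{REGION}/s3/aws4_request",
         hashlib.sha256(canonical_request.encode()).hexdigest()])
    return _hmac(_signing_key(secret, date), string_to_sign).hex()


def presign_get(bucket: str, key: str, expires_seconds: int, now: datetime) -> str:
    """Build a GET presigned URL for s3://bucket/key that is valid for expires_seconds."""
    host = f"{bucket}.s3.{REGION}.amazonaws.com"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{ACCESS_KEY}/{amz_date[:8]}/{REGION}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_seconds),
        "X-Amz-SignedHeaders": "host",
    }
    params["X-Amz-Signature"] = _signature(SECRET_KEY, "GET", host, key, params)
    return f"https://{host}/{urllib.parse.quote(key, safe='/')}?" + urllib.parse.urlencode(params)


def verify_get(url: str, secret: str, now: datetime) -> str:
    """Model of the check S3 makes on a GET: 'ok', 'expired' or 'signature mismatch'."""
    u = urllib.parse.urlsplit(url)
    params = dict(urllib.parse.parse_qsl(u.query))
    presented = params.pop("X-Amz-Signature", "")
    expected = _signature(secret, "GET", u.netloc, urllib.parse.unquote(u.path[1:]), params)
    if not hmac.compare_digest(presented, expected):
        return "signature mismatch"  # any edit to the URL, or a wrong secret, ends here
    signed_at = datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
    if now > signed_at.replace(tzinfo=timezone.utc) + timedelta(seconds=int(params["X-Amz-Expires"])):
        return "expired"  # what the blog's two-minute URL returns after 120 seconds
    return "ok"


def demo() -> dict:
    """The blog's demo in code: a two-minute URL tried fresh, after expiry and after tampering."""
    created = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    url = presign_get("demo-private-bucket", "photo.jpg", 120, created)
    return {
        "fresh": verify_get(url, SECRET_KEY, created + timedelta(seconds=60)),
        "late": verify_get(url, SECRET_KEY, created + timedelta(seconds=121)),
        "tampered": verify_get(url.replace("X-Amz-Expires=120", "X-Amz-Expires=86400"),
                               SECRET_KEY, created + timedelta(seconds=60)),
        "wrong_key": verify_get(url, "not-the-signer-secret", created),
    }
```

Because the expiry is part of what is signed, editing X-Amz-Expires in a shared URL yields a signature mismatch rather than a longer-lived link.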

GET presigned URLs

A GET presigned URL can be used directly in a browser or integrated into an application or webpage to download an object from an S3 bucket. It can be generated with the AWS Management Console, the AWS CLI, or an AWS SDK.

Below, I will demonstrate how to generate a GET presigned URL using the AWS Management Console.

Generating a GET presigned URL with the console

Log in to the AWS Management Console, type S3 in the search box, then select S3 under Services.

In the S3 console, select Create bucket.

On the Create bucket page, enter a globally unique name for your bucket, then scroll down.

Make sure Block all public access is enabled.

Leave the remaining settings at their defaults, then scroll down and click Create bucket.

Our S3 bucket has been created.

Select your bucket, then select Upload.

On the Upload page, select Add files.

Select your file, then click Upload.

Once the object has been uploaded, remember that the bucket is still private because we blocked all public access.

Click the object you uploaded, copy the Object URL, then paste it into your browser.

That error was expected: we cannot reach the object because the bucket is private. We will now use an S3 presigned URL to access the object without making the bucket public.

Still on the object page, open the Object actions drop-down and select Share with a presigned URL.

The time interval until the URL expires can range from minutes to several hours; for this demo I will allow only 2 minutes. Select Minutes, enter 2 for the number of minutes, then click Create presigned URL.

The presigned URL is created. Copy it and paste it into your browser.

Success: we can now access our object.

Because we allowed only two minutes for this demo, using the presigned URL after it has expired returns an Access Denied message, as shown below.

S3-presigned URLs provide a secure and efficient way to grant temporary access to Amazon S3 objects without exposing AWS credentials. They are easy to implement, allowing controlled, time-limited access for specific operations. This feature enhances data sharing and access management, ensuring security and flexibility in handling S3 resources.

This brings us to the end of this blog. Remember to clean up the bucket and object you created.

If you have any questions concerning this article or have an AWS project that requires our assistance, please reach out to us by leaving a comment below or email us at sales@accendnetworks.com.

Thank you!


Amazon S3

Enhancing Data Integrity in Amazon S3 with Additional Checksums

In the security world, cryptography uses hashing to confirm that a file is unchanged. Usually, when a file is hashed, the hash result is published. When a user downloads the file and applies the same hash algorithm, the results, or checksums (fixed-size strings of output), are compared. If the checksum of the downloaded file matches that of the original, the two files are identical, confirming that there have been no unexpected changes such as file corruption or a man-in-the-middle (MITM) attack. Since hashing is a one-way process, the hash cannot be reversed to expose the original data.

Verify the integrity of an object uploaded to Amazon S3

We can use Amazon S3 features to upload an object with the checksum flag turned on and a checksum algorithm, SHA-256 in this example, that is used to validate the data during upload (or download). Optionally, you may also specify the checksum value of the object. When Amazon S3 receives the object, it calculates the checksum with the algorithm you specified. If the two checksum values do not match, Amazon S3 returns an error.

Types of Additional Checksums

Various checksum algorithms can be used for verifying data integrity. Some common ones include:

MD5: A widely used algorithm, but less secure against collision attacks.

SHA-256: Provides a higher level of security and is more resistant to collisions.

CRC32: A cyclic redundancy check that is fast but not suitable for cryptographic purposes.

Implementing Additional Checksums

Sign in to the Amazon S3 console. From the AWS console services search bar, enter S3. Under the services search results section, select S3.

Choose Buckets from the Amazon S3 menu on the left and then choose the Create Bucket button.

Enter a descriptive globally unique name for your bucket. The default Block Public Access setting is appropriate, so leave this section as is.

You can leave the remaining options as defaults, navigate to the bottom of the page, and choose Create Bucket.

Our bucket has been successfully created.

Upload a file and specify the checksum algorithm

Navigate to the S3 console and select the Buckets menu option. From the list of available buckets, select the bucket name of the bucket you just created.

Next, select the Objects tab. Then, from within the Objects section, choose the Upload button.

Choose the Add Files button and then select the file you would like to upload from your file browser.

Navigate down the page to find the Properties section. Then, select Properties and expand the section.

Under Additional checksums, select On and choose SHA-256.

If your object is smaller than 16 MB and you have already calculated its SHA-256 checksum (base64 encoded), you can enter it in the Precalculated value box. For objects larger than 16 MB, use the CLI or an SDK. When Amazon S3 receives the object, it calculates the checksum with the specified algorithm; if the values do not match, Amazon S3 generates an error and rejects the upload. Providing a precalculated value is optional.

Navigate down the page and choose the Upload button.

After your upload completes, choose the Close button.

Checksum Verification

Select the uploaded file by selecting the filename. This will take you to the Properties page.

Locate the checksum value: scroll down the Properties page to the Additional checksums section.

This section displays the base64 encoded checksum that Amazon S3 calculated and verified at the time of upload.

Compare

To compare with the copy on your local computer, open a terminal window and navigate to the directory containing your file.

Use a utility such as shasum to hash the file. The following command computes the SHA-256 digest of the same file and converts the hex output to base64: shasum -a 256 image.jpg | cut -f1 -d\ | xxd -r -p | base64

The resulting value should match the value shown in the Amazon S3 console.

Run the command with your own file name in place of image.jpg.
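As an added example (my own code, not from the blog), the following Python reproduces the comparison above for the three algorithms listed under Types of Additional Checksums: it produces the base64 form the console shows, converts a shasum hex digest the way the xxd | base64 step does, and demonstrates that a one-byte change is detected. The sample object is constructed inline; no file is read.

```python
import base64
import hashlib
import hmac
import zlib

# Constructed sample content standing in for the blog's image.jpg; nothing is read from disk.
SAMPLE_OBJECT = b"accend-networks checksum demo object\n"


def s3_checksum(data: bytes, algorithm: str) -> str:
    """Checksum in the base64 form shown under Additional checksums in the S3 console.

    SHA-256 and MD5 are the base64 of the raw digest; CRC32 is the base64 of the
    4-byte big-endian CRC value, so it is always 8 characters ending in '=='.
    """
    if algorithm == "SHA256":
        raw = hashlib.sha256(data).digest()
    elif algorithm == "MD5":
        raw = hashlib.md5(data).digest()
    elif algorithm == "CRC32":
        raw = (zlib.crc32(data) & 0xFFFFFFFF).to_bytes(4, "big")
    else:
        raise ValueError(f"unsupported checksum algorithm: {algorithm}")
    return base64.b64encode(raw).decode("ascii")


def hex_to_base64(hex_digest: str) -> str:
    """Same conversion as the blog's `xxd -r -p | base64` step applied to a shasum hex digest."""
    return base64.b64encode(bytes.fromhex(hex_digest)).decode("ascii")


def integrity_matches(local_data: bytes, console_value: str, algorithm: str = "SHA256") -> bool:
    """Compare the locally computed checksum with the value copied from the S3 console."""
    return hmac.compare_digest(s3_checksum(local_data, algorithm), console_value)


def demo() -> dict:
    """Value recorded at upload vs. a later copy: unchanged data matches, a one-byte change does not."""
    uploaded_value = s3_checksum(SAMPLE_OBJECT, "SHA256")  # what S3 stored at upload time
    corrupted = SAMPLE_OBJECT[:-1] + b"!"                   # constructed corruption of the last byte
    return {
        "intact": integrity_matches(SAMPLE_OBJECT, uploaded_value),
        "corrupted": integrity_matches(corrupted, uploaded_value),
        "crc32_len": len(s3_checksum(SAMPLE_OBJECT, "CRC32")),
    }
```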

Congratulations! You have learned how to upload a file to Amazon S3, calculate additional checksums, and compare the checksum on Amazon S3 and your local file to verify data integrity.

This brings us to the end of this blog, thanks for reading, and stay tuned for more.



AWS Key Management Service (KMS) Part Two

Unlocking the Power of AWS Key Management Service (KMS) Part Two

In today's digital landscape, robust security solutions are essential as organizations migrate to the cloud. Encryption is crucial for protecting sensitive data in transit and at rest. Amazon Web Services (AWS) provides a comprehensive encryption solution with its Key Management Service (KMS). This article explores what AWS KMS is and how it can enhance your security posture. We will also demonstrate how to create a KMS customer-managed key and use it to encrypt simple plain text data, so stay tuned.

What is KMS?

AWS Key Management Service (KMS) is a managed service that makes it easy to create, manage, and control cryptographic keys used to encrypt your data. It provides centralized control over the encryption keys used to protect your data across a wide range of AWS services and in your applications. AWS KMS is designed to simplify key management and maintain a high level of security and compliance.

Key features of AWS KMS include:

Centralized Key Management: Manage encryption keys centrally, controlling their lifecycle from creation to deletion.

Integration with AWS Services: Seamlessly integrate with various AWS services like Amazon S3, Amazon EBS, and Amazon RDS to facilitate encryption.

Scalability: Handle a vast number of keys efficiently, scaling with your needs.

Access Control and Policies: Utilize AWS Identity and Access Management (IAM) policies and KMS-specific key policies for fine-grained access control.

Audit and Compliance: Leverage AWS CloudTrail to log all key usage and management activities, aiding in compliance and visibility.

Encryption Using the CMK

Create a CMK in AWS KMS. This is the key that will be used to encrypt your data.

Encode your message with Base64. This common step ensures that binary data can be transported over channels without modification.

Encrypt your message with the CMK by calling the AWS KMS encrypt command.

Let's proceed as follows.

Log in to the management console, type KMS in the search box, then select Key Management Service under Services.

In the KMS dashboard, in the left navigation pane, click Customer managed keys.

In the Customer managed keys dashboard, click Create key.

We will create a symmetric key with key usage Encrypt and decrypt. Make sure these options are selected, then expand Advanced options.

Under Advanced options, we can choose between single-Region and multi-Region keys. For this demo we will use a single-Region key, but if you need the key in multiple Regions you can select that option instead. Click Next.

An alias is a friendly name for your key. Under Alias, I will call my key demokms-alias. We will use this alias in the API calls that encrypt and decrypt our data. Click Next.

Next, we define a key administrator. I will select one of the IAM users and make that user the administrator for the KMS key we are creating. Make sure the box Allow key administrators to delete this key is checked.

Next, we define key usage permissions: here we select the IAM users and AWS services that are allowed to use this KMS key. Tick the corresponding boxes, then click Next.

Review your key creation.

In the review section, we can see the key policy that was generated for us based on the boxes we ticked.
Click Finish to create your key.

Congratulations, we have successfully created our KMS key.

We will now use this KMS key to encrypt plain text data.
We will use AWS CloudShell for this, so open a CloudShell environment. When CloudShell is ready, echo some text into a file as shown.

When we list the contents of our working directory, we can see the text file.

To encrypt our data, we run the command below.

Listing the directory contents again, we can see rdspaswwad.txt.encrypted.

When we cat the contents of the encrypted file, the plain text is no longer readable.

Run this command to decrypt your encrypted file.

Listing the directory contents again, we can see our decrypted file.

When we cat the decrypted file, we can read our plain text again.

That's it. To delete our KMS key, remember that you cannot delete a KMS key immediately; you can only schedule its deletion after a waiting period.
This prevents accidentally deleting keys that are still in use.
Select your KMS key, click the Key actions drop-down, then select Schedule key deletion.

For the waiting period, select 7 days, then check the confirmation box stating that you want to schedule key deletion. Then select Schedule key deletion.

And that's it: we have scheduled our key for deletion.

Conclusion

AWS KMS provides a secure, manageable solution for handling cryptographic keys in the cloud. It simplifies encryption, enhances data protection, and ensures efficient key management, aiding security and compliance.
This brings us to the end of this blog, thanks for reading, and stay tuned for more.



AWS Security Hub

Enhancing Cloud Security with AWS Security Hub

Introduction

In the era of cloud computing, security remains paramount for organizations around the world. With increasingly sophisticated cyber threats, organizations must adopt robust security measures to safeguard their data and infrastructure. AWS Security Hub emerges as a comprehensive solution to these challenges by providing a centralized platform for managing security across the AWS cloud.

What is AWS Security Hub?

AWS Security Hub provides you with a comprehensive view of your security state. It provides a centralized, aggregated, and prioritized overview of security findings and compliance status in a standard format for a single AWS account and multiple AWS accounts. It helps you analyze your security trends and identify the highest-priority security issues.

Key Features of AWS Security Hub

  • Centralized security monitoring
  • Continuous security assessment
  • Prioritized alerting
  • Custom insights and compliance checks
  • Integration with third-party security tools
  • Automation
  • Security scores and summary dashboards

Benefits of AWS Security Hub

  • Simplified security operations: It provides a centralized view, simplifying security operations, and enabling faster response to threats.
  • Enhanced threat visibility: By integrating with various AWS security services and third-party tools, it provides a wide range of security insights, ensuring comprehensive visibility into potential threats and vulnerabilities.
  • Proactive risk mitigation: The continuous and automated compliance checks of AWS Security Hub allow organizations to proactively identify and remediate security gaps, reducing the risk of breaches, data leaks, and compliance violations.
  • Simplified compliance management: AWS Security Hub simplifies compliance management by aligning with industry-standard frameworks and providing pre-built compliance checks. It simplifies reporting, and audits, and ensures compliance with regulatory requirements.
  • Efficient collaboration: AWS Security Hub enables seamless collaboration between security teams by providing a centralized and shared view of security findings, allowing them to work together on analysis, remediation, and incident response.

Demo: how to enable AWS Security Hub

Sign in to the management console and navigate to the Security Hub console. Then click Go to Security Hub.

Before you can enable Security Hub, you must first enable recording for the relevant resources in AWS Config.

Then select the Recording strategy and Recording frequency that fit your requirements.

Under Override settings you can override the recording frequency for specific resource types or exclude specific resource types from recording. Under Data governance, create a new IAM role or select an existing IAM role for AWS Config.

Remember that AWS Config needs an S3 bucket to store configuration history and configuration snapshots. Configure the S3 bucket details, then click Next.

AWS Config Managed Rules provide a set of predefined rules that you can use to evaluate the compliance of your AWS resources according to best practices and security standards. Select the AWS-managed rules as per your requirements and click on Next.

Review AWS Config details and click on Confirm to finish the AWS Config setup.

Select the security standards you require from the built-in standards and click Enable Security Hub to finish the setup.

Once setup is complete, you are taken to the Security Hub dashboard. Here you can access a unified view of security findings, compliance status, and actionable insights across your AWS accounts. Explore the dashboard and familiarize yourself with the available features and navigation options.

Once you enable AWS Security Hub, it takes some time to complete the initial analysis and for results to appear on the dashboard, because Security Hub must scan your entire AWS environment to identify all resources relevant to the selected standards.

After the initial analysis is done, AWS Security Hub continues to scan your AWS environment regularly to identify new resources or modifications to existing ones. The results are posted on the dashboard in real time. You can then review the findings and prioritize remediation of the threats and vulnerabilities detected.

Below are some sample reports from the AWS Security Hub dashboard.

Security score from AWS Security Hub summary.

Findings from all linked Regions are visible from the aggregation Region.

Track New findings over time by severity and the provider, and see the top resources at risk across multiple resource types.

Security score for specific security standards

Conclusion

AWS Security Hub is an essential component in securing AWS cloud infrastructure by providing a comprehensive and centralized view of security posture. As the cloud landscape evolves, AWS Security Hub remains a pivotal tool for enhancing cloud security posture, enabling organizations to proactively identify and mitigate security risks.

This brings us to the end of this blog. Remember to clean up the resources you created.



SSM Session Manager

Go Bastion-less: Unleashing the power of SSM Session Manager

SSM Session Manager

In the sphere of cloud infrastructure management, the move towards a Bastion-less environment has emerged as a transformative strategy. Central to this paradigm shift is the Systems Manager Session Manager, a tool that revolutionizes remote access, security, and operational efficiency.

Understanding Bastion-less Architecture

Traditionally, a bastion host (jump server) acts as an intermediary gateway for accessing and managing resources in a private subnet of a VPC. While a bastion host provides a layer of security, it also introduces complexity, management overhead, and additional cost.

By contrast, a bastion-less architecture eliminates the dedicated bastion host. Instead, access to instances in private subnets is managed by tools such as SSM Session Manager, streamlining remote access workflows and strengthening security.

In this blog article, we’ll showcase a streamlined approach to accessing your EC2 instance in a private subnet without the need for a key pair or Bastion Host, all thanks to AWS Systems Manager’s Session Manager. You’ll discover how to leverage a new browser-based interactive shell alongside the command-line interface (CLI) for efficient management of both Windows and Linux instances. With the Session Manager options offered by AWS System Manager, this can be achieved through a simplified configuration, making remote access and management a simple task.

Configuration with Bastion Host

Drawbacks of Bastion Host and Key-pair

Security: It requires SSH access, first to reach the bastion itself and then to reach the other instances. This is risky: if someone gains unauthorized access, the damage depends on the level of access that user obtains.

Access: To access the Bastion Host and other instances using the key-pair method, you require a sensitive file that should have limited access. However, securely storing and sharing this file, especially within a team, poses a security challenge.

Cost: It’s an additional machine that incurs extra costs.

Manageability: Securing key pairs and maintaining regular bastion patching requires additional management overhead.

All of the above issues are largely eliminated with the Session Manager approach, which gives you the following:

Security: Session Manager communicates with instances through the SSM Agent over an encrypted tunnel that originates from the instance, eliminating the need for a bastion host. This means you don't have to manage SSH keys or open inbound ports.

Controlled Access: You use IAM policies and users to control access to your instances and don’t need to distribute SSH keys.

Auditability: Command and response logs can be directed to Amazon CloudWatch and an S3 bucket. Additionally, you can configure SNS notifications to alert you when a new session begins.

Session Manager in Action

To allow Session Manager access to our instance, we will need to attach an IAM role with the following managed policy: AmazonSSMManagedInstanceCore. This policy grants instances the permissions needed for core Systems Manager functionality.

For the demo, we will launch an EC2 instance without a key pair, and its security group will not open port 22 for SSH. Let's proceed as follows.

Log in to the management console, navigate to the EC2 console, click Launch instance, and under Name give your instance a name.

For Application and OS Images, select the Quick Start tab and select the Amazon Linux 2 AMI, which comes with the SSM Agent preinstalled. Scroll down.

For Instance type, stay within the free tier by selecting t2.micro. For Key pair, open the drop-down and select Proceed without a key pair. Remember, we don't need a key pair since we will be using Session Manager.

Under Network settings, select Edit. Keep the default VPC, and for Auto-assign public IP open the drop-down and select Disable. We will not assign a public IP address to this instance. Scroll down.

Under Firewall (security groups), we will not open port 22. So, choose Create security group and uncheck the SSH rule on port 22. Scroll down to Advanced details and expand it.

Under Advanced details, for IAM instance profile, click Create new IAM profile.

You are taken to the IAM console; click Create role.

Select AWS service, then EC2. Click Next.

Select AmazonSSMManagedInstanceCore, then click Next.

Give your role a name, review it, and click Create.

The role has been created. Go back to the EC2 console and select it.

Those are the only settings we need; scroll down and click Launch instance.

Once the instance has launched, go to the Systems Manager console by typing SSM in the search box and selecting Systems Manager.

In the Systems Manager console, in the left navigation pane, select Session Manager, then click Start session.

Give your session a name; under Target instances, your instance appears. Select it, then select Next.

Leave all default settings and click Start session.

There we go: we are logged in to our instance.

Remember that we didn't open port 22 and didn't allocate a key pair to our instance.
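As an added example (my own code, not from the blog), the following Python checks that an instance matches the setup above: no key pair, no public IP, no inbound rule reaching port 22, and an instance profile that carries AmazonSSMManagedInstanceCore. The data is constructed in the shape of the EC2 and IAM API responses (describe_instances, describe_security_groups, list_attached_role_policies) with hypothetical ids; no AWS call is made, and it assumes the instance profile name equals the role name, as the console's Create new IAM profile flow produces.

```python
# Constructed data in the shape of EC2/IAM API responses; ids are hypothetical, nothing is called.
SSM_CORE_POLICY = "AmazonSSMManagedInstanceCore"

SECURITY_GROUPS = {
    # Like the blog's group: the SSH rule on port 22 was unchecked, so nothing inbound.
    "sg-0aaa": {"IpPermissions": []},
    # A group that still allows SSH from anywhere.
    "sg-0bbb": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                   "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
}
ROLE_POLICIES = {"demo-ssm-role": [SSM_CORE_POLICY], "legacy-role": ["AmazonS3ReadOnlyAccess"]}

GOOD_INSTANCE = {  # no KeyName and no PublicIpAddress: launched as in the blog
    "InstanceId": "i-0123456789abcdef0",
    "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/demo-ssm-role"},
    "SecurityGroups": [{"GroupId": "sg-0aaa"}],
}
BAD_INSTANCE = {
    "InstanceId": "i-0fedcba9876543210",
    "KeyName": "ops-keypair",
    "PublicIpAddress": "203.0.113.10",
    "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/legacy-role"},
    "SecurityGroups": [{"GroupId": "sg-0bbb"}],
}


def rule_covers_ssh(rule: dict) -> bool:
    """True if an inbound rule reaches TCP/22 (an all-traffic rule counts as well)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # all protocols and ports
        return True
    return proto == "tcp" and rule.get("FromPort", 0) <= 22 <= rule.get("ToPort", 65535)


def bastionless_findings(instance: dict, security_groups: dict, role_policies: dict) -> list:
    """Return the ways an instance departs from the blog's setup; an empty list means compliant."""
    findings = []
    if instance.get("KeyName"):
        findings.append(f"key pair attached: {instance['KeyName']}")
    if instance.get("PublicIpAddress"):
        findings.append(f"public IP assigned: {instance['PublicIpAddress']}")
    for sg in instance.get("SecurityGroups", []):
        for rule in security_groups.get(sg["GroupId"], {}).get("IpPermissions", []):
            if rule_covers_ssh(rule):
                sources = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
                findings.append(f"{sg['GroupId']} allows inbound TCP/22 from {sources}")
    # Assumption: instance profile name == role name, as the console's
    # "Create new IAM profile" flow creates them.
    role = instance.get("IamInstanceProfile", {}).get("Arn", "").rsplit("/", 1)[-1]
    if SSM_CORE_POLICY not in role_policies.get(role, []):
        findings.append(f"instance profile '{role}' lacks {SSM_CORE_POLICY}")
    return findings


def demo() -> dict:
    """Run the check against the compliant instance and the legacy one."""
    return {
        "good": bastionless_findings(GOOD_INSTANCE, SECURITY_GROUPS, ROLE_POLICIES),
        "bad": bastionless_findings(BAD_INSTANCE, SECURITY_GROUPS, ROLE_POLICIES),
    }
```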

This brings us to the end of this blog, thanks for reading, and stay tuned for more.
