Leveraging the Security of AWS's Own APIs for Your App - AWS Serverless Web Day

Leveraging the Security of AWS's Own APIs

for Your App

Brian Wagner

Solutions Architect

Serverless Web Day

June 23, 2016

AWS API Requests

Access Key and Secret Key

(access key and secret key have been modified for the purpose of this presentation)


[default]

aws_access_key_id = AKIAIGQIO52K3ASNZCDA

aws_secret_access_key = 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


[default]




[default]



WHY

Signing AWS API Requests

>_

Why Requests Are Signed

Verify the identity of the requestor

Protect data in transit

Protect against potential replay attacks


unique


GET https://iam.amazonaws.com/?Action=ListUsers&Version=2010-05-08 HTTP/1.1

Authorization: AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20150830/us-east-

1/iam/aws4_request, SignedHeaders=content-type;host;x-amz-date,

Signature=5d672d79c15b13162d9279b0855cfba6789a8edb4c82c400e06b5924a6f2b5d7

content-type: application/x-www-form-urlencoded; charset=utf-8

host: iam.amazonaws.com

x-amz-date: 20150830T123600Z


GET https://iam.amazonaws.com/?Action=ListUsers&Version=2010-05-08 HTTP/1.1

Authorization: AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20150830/us-east-

1/iam/aws4_request, SignedHeaders=content-type;host;x-amz-date,

Signature=5d672d79c15b13162d9279b0855cfba6789a8edb4c82c400e06b5924a6f2b5d7

content-type: application/x-www-form-urlencoded; charset=utf-8

host: iam.amazonaws.com

x-amz-date: 20150830T123600Z


5 minutes

What about your API?

Benefits of signing requests




Benefits of signing requests




Use IAM and access policies to authorize access to your APIs

Authorization: AWS_IAM

IAM and access policies to authorize access to your APIs

{

"Effect": "Allow",

"Action": "execute-api:Invoke",

"Resource": [

“arn:aws:execute-api:us-east-1:111222333444:myapi/*”

]

}


{

"Effect": "Allow",


"Resource": [

“arn:aws:execute-api:us-east-1:111222333444:myapi/*”

]

},

{

"Effect": "Deny",


"Resource": [

“arn:aws:execute-api:us-east-1:111222333444:myapi/admin/*”

]

}

Securing your API

https://4kp2myvxmf.execute-api.us-east-1.amazonaws.com/prod/pets/


{

"Version": "2012-10-17",

"Statement": [

{

"Sid": "Stmt1466674972000",

"Effect": "Allow",

“Action": "execute-api:Invoke",

"Resource": [

"arn:aws:execute-api:us-east-1:111222333444:4kp2myvxmf/*/GET/pets"

]

}

]

}


(access key and secret key have been modified for the purpose of this presentation)

https://docs.aws.amazon.com/es_es/general/latest/gr/sigv4-signed-

request-examples.html#sig-v4-examples-get-query-string

How do my apps sign requests?

API Gateway

Cognito User and Federated Identities

Cognito User

Identities(Your User Pool)

User

Sign-in1

Returns Access

and ID Tokens2

Cognito Federated

Identities(Identity Pool)

Get AWS scoped

credentials

3

Access

to your API

4

DynamoDB S3

Manage authenticated

and guest users’ access

to your AWS resources

Federated Identities

Synchronize user’s data

across devices and

platforms via the cloud

Data Synchronization

Add sign-up and sign-in

with a fully managed

user directory

Your User Pool

GuestYour own auth

Amazon Cognito Identity Amazon Cognito Sync

Amazon Cognito Identity and Sync

k/v data




Use IAM and access policies to authorize access to your APIs

API Gateway and IAM: Best Friends Forever

+

Leveraging the Security of AWS's Own APIs

for Your App

Brian Wagner

Solutions Architect

Serverless Web Day

June 23, 2016

Date post:	08-Feb-2017
Category:	Technology
Upload:	aws-germany
View:	183 times
Download:	0 times

Leveraging the Security of AWS's Own APIs for Your App - AWS Serverless Web Day

Technology