Leveraging the Security of AWS's Own APIs for Your App. Brian Wagner Solutions Architect Serverless Web Day June 23, 2016

Transcription

1 Leveraging the Security of AWS's Own APIs for Your App Brian Wagner Solutions Architect Serverless Web Day June 23, 2016

2 AWS API Requests

3 Access Key and Secret Key (access key and secret key have been modified for the purpose of this presentation)

4 Access Key and Secret Key [default] aws_access_key_id = AKIAIGQIO52K3ASNZCDA aws_secret_access_key = hackrohczd1yzkaa1rwc1sr3boc0covwmzjpskdh

5 Access Key and Secret Key [default] aws_access_key_id = AKIAIGQIO52K3ASNZCDA aws_secret_access_key = hackrohczd1yzkaa1rwc1sr3boc0covwmzjpskdh

6 Access Key and Secret Key [default] aws_access_key_id = AKIAIGQIO52K3ASNZCDA aws_secret_access_key = hackrohczd1yzkaa1rwc1sr3boc0covwmzjpskdh

7 WHY

8 Signing AWS API Requests >_

9 Why Requests Are Signed Verify the identity of the requestor Protect data in transit Protect against potential replay attacks

10 Verify the identity of the requestor unique

11 Protect data in transit GET HTTP/1.1 Authorization: AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/ /us-east- 1/iam/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=5d672d79c15b13162d9279b0855cfba6789a8edb4c82c400e06b5924a6f2b5d7 content-type: application/x-www-form-urlencoded; charset=utf-8 host: iam.amazonaws.com x-amz-date: T123600Z

12 Protect data in transit GET HTTP/1.1 Authorization: AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/ /us-east- 1/iam/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=5d672d79c15b13162d9279b0855cfba6789a8edb4c82c400e06b5924a6f2b5d7 content-type: application/x-www-form-urlencoded; charset=utf-8 host: iam.amazonaws.com x-amz-date: T123600Z

13 Protect against potential replay attacks 5 minutes

14 What about your API?

15 Benefits of signing requests Verify the identity of the requestor Protect data in transit Protect against potential replay attacks

16 Benefits of signing requests Verify the identity of the requestor Protect data in transit Protect against potential replay attacks Use IAM and access policies to authorize access to your APIs

17 Authorization: AWS_IAM

18 IAM and access policies to authorize access to your APIs { } "Effect": "Allow", "Action": "execute-api:invoke", "Resource": [ arn:aws:execute-api:us-east-1: :myapi/* ]

19 IAM and access policies to authorize access to your APIs { }, { } "Effect": "Allow", "Action": "execute-api:invoke", "Resource": [ arn:aws:execute-api:us-east-1: :myapi/* ] "Effect": "Deny", "Action": "execute-api:invoke", "Resource": [ arn:aws:execute-api:us-east-1: :myapi/admin/* ]

20 Securing your API

21

22

23

24

25

26

27

28

29

30

31

32

33

34 IAM and access policies to authorize access to your APIs { } "Version": " ", "Statement": [ { "Sid": "Stmt ", "Effect": "Allow", Action": "execute-api:invoke", "Resource": [ "arn:aws:execute-api:us-east-1: :4kp2myvxmf/*/get/pets" ] } ]

35 Access Key and Secret Key (access key and secret key have been modified for the purpose of this presentation)

36

37

38 How do my apps sign requests?

39 Cognito User and Federated Identities Cognito User Identities (Your User Pool) 1 Sign-in 3 2 Returns Access and ID Tokens Get AWS scoped credentials Cognito Federated Identities (Identity Pool) User 4 Access to your API API Gateway DynamoDB S3

40 Amazon Cognito Identity and Sync Amazon Cognito Identity Amazon Cognito Sync Your User Pool Federated Identities Data Synchronization k/v data Your own auth Guest Add sign-up and sign-in with a fully managed user directory Manage authenticated and guest users access to your AWS resources Synchronize user s data across devices and platforms via the cloud

41 API Gateway and IAM: Best Friends Forever Verify the identity of the requestor Protect data in transit Protect against potential replay attacks Use IAM and access policies to authorize access to your APIs +

42 Leveraging the Security of AWS's Own APIs for Your App Brian Wagner Solutions Architect Serverless Web Day June 23, 2016