I have an api deployed in AWS Lamdba using cloudformation, I am connecting to database in it. Presently I am hardcoding the values.
The api call will be made 10000xs of time, will it be a good decision to use AWS Secret Manager to save the database connection details and or it is an overhead to the cost and performance.
Thank you.
Related
How in a work environment with different AWS environments say for example develop, staging and production is it best to store the AWS Access Key and Secret Key other than in the appsettings.json files in .Net Core? I know there is Secret Manager but not sure if that is the best way to store these two values. Looking for someone that may have done this specifically for production and how they handled this within their organization. Thanks for any information.
I believe that your application is running outside of AWS and that it needs to make API calls to AWS services, for example SQS. To make those API calls, your application needs AWS credentials.
Here are approaches for authenticating external applications in a machine-to-machine scenario. In your case, your client seems to need to be able to make arbitrary AWS service requests and that means using AWS signature v4 requests, signed using AWS credentials, which are ideally temporary, rotated credentials from STS rather than persistent credentials (such as IAM user credentials).
Typically, you would configure your application with a base set of IAM credentials that allow the application to assume an IAM role. That role itself, rather than the base credentials, would then give your application the permissions it needs to make SQS API calls etc.
The issue you face is how to securely store the base set of credentials. This is a problem that on-premise applications have had since day one, well before the cloud era, and there are various solutions, depending on the technology you're using.
Typically these credentials would be encrypted, not committed to code repos, and populated on the relevant, locked down application servers in some secure fashion. Some potentially useful resources:
Encrypting sections of a configuration file for an ASP.NET application
Use AWS Secrets Manager to store & read passwords in .Net Core apps
Securely store and retrieve sensitive info in .NET Core apps with Azure Key Vault
AWS Secret Manager securely stores your secrets until you retrieve them at runtime. If your going to be running your ASP.NET Core app in AWS, then AWS Secrets Manager is a great option, as it allows you to finely control the permissions associated with the AWS IAM roles running your apps.
Here are some faqs which were given from the AWS for secrets-manager service and which will clear your doubts also.
Here is the article which you can refer to for implementing secure secrets storage for .net core with AWS Secret Manager
I'm working on a Slack app which will have to store access token per each customer using the app (ex. 1000 teams using it = 1000 tokens). Token enables the app to access Slack API for customers workspace and will be used frequently every day.
App will be running on AWS, using Lambda's and DynamoDB.
What would be the best practice to store those access tokens securly?
I cannot find any strict recomendation for this scenario. Was thinking initially to put those in DynamoDB in a dedicated table but thinking now if I should use other AWS services for that use case. I've checked Secrets Manager but looks like a rather expensive option and not sure if it applies to my scenario.
Appreciate any suggestions.
I would probably use a dedicated DynamoDB table for this purpose. At a minimum, I would configure it to use a KMS CMK to encrypt the data at-rest, and also restrict access to the table through fairly granular IAM permissions in your AWS account. If you also wanted to encrypt each value separately you could look into client-side encryption.
Your findings on the Secrets Manager costs are a good point. You could also look at Systems Manager Parameter Store as an alternative that is generally cheaper than Secrets Manager. Secrets Manager does have the added security of being able to set an IAM resource policy on the secret itself.
Ultimately it's up to you to determine how secure your solution needs to be, and how much you are willing to pay for that. You could even spin up an AWS HSM to encrypt the values, but that would increase the cost by quite a bit.
I am developing the application where "form" plays an important role. I use the "form" for data collection from the users which I store it on DynamoDB and then these data should be displayed in my application synchronously or immediately after some trigger functions when the data has been inserted into the dynamoDB.
What is the best way to achieve this? How should I frame my infrastructure on the AWS Cloud? What are the services should I rely on?
For "realtime" applications you should use something like graphQL.
On AWS you can use: AWS App Sync
https://console.aws.amazon.com/appsync/home?region=us-east-1#/
There are multiple ways you can achieve this. However, one of most modernized way of building your applications today is using a Serverless Architecture. You can host your website on S3 and can go serverless with sample architecture as below
(Note: you can just replace the Amazon Aurora with Dynamo DB in the architecture reference)
You can create a server less application on AWS using following AWS services:
AWS Lambda: AWS Lambda is a compute service that lets you run code without provisioning or managing servers.
AWS API Gateway: Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale.
AWS S3: AWS S3 is Object storage built to store and retrieve any amount of data from anywhere
AWS DynamoDB: Amazon
DynamoDB is a fast and flexible nonrelational database service for
all applications that need consistent, single-digit millisecond latency at any scale.
AWS Route53: For creating and registering a domain name for the web app.
AWS IAM: AWS IAM for creating users,roles and policies.
AWS Cognito: for authentication, access control to your web app.
I currently have a mysql database on AWS RDS.
I am in need of accessing and looking up information on a daily basis of the data in that database via an external CRM.
In an ideal scenario, I could create an API on Lambda that would have access to the RDS instance and have that be my front facing API that my CRM API could hit up and lookup and work with my mysql data.
My question is... is this the best way to do it? Is there some sort of service out there that facilitates me creating an API or do I need to create an API from scratch...
Any suggestions? Thanks a bunch!
You will have to create your own AWS Lambda app, but there is a framework - the Serverless Framework which will make the whole endeavour much easier!
This Tutorial on Accessing RDS from AWS Lambda might help as well.
I'm building a mobile app that needs a backend that I've chosen to host using Amazon Web Services.
Their mobile SDKs provide APIs to work directly with the DynamoDB (making my app a thick client), including user authentication/authorization with their IAM service (which is what I'm going to use to track users). This makes it easy to say "user X wants their information. Here's their temporary access key. Oh, here's the information you requested."
However, if I used RDS as a backend database, I'd have to create web services (in PHP or Java/etc) that my app can talk to. Then I'd also have to implement the authentication/authorization myself within my web service (which I feel could get very messy). I'd also have to host the web service on an EC2 instance, as well as having the RDS instance. So my costs would increase.
The latter seems like it would be a lot of work, something which I could avoid by using DynamoDB (and its API) as my backend.
Am I correct in my reasoning here? Or is there an easy way to authenticate/authorize a PHP web service with an AWS RDS database?
I ask because I've only ever worked with relational databases before, so there would be a learning curve to get the NoSQL db running. Though hypothetically my plan is to eventually switch to a NoSQL db at some point in the future anyways due to my apps increasing demands.
Side note: I already have my database designed in MySQL.
There is no solution to use IAM directly with RDS because of the unavailability of fine-grained access control over RDS tables. Moreover IAM policies cannot be enforced dynamically (i.e. with an Identity Pool).
RDS is an unmanaged service, so it is not provided as a SaaS endpoint. DynamoDB is a REST service presented as a distributed key-value store and exposes endpoints to clients (AWS SDK is just a wrapper around them).
DynamoDB is born as a distributed service and can guarantee fine-grained control over data access, thus allowing concurrent access.