AWS: Using TLS-certificate without private key - amazon-web-services

To use an API from the Dutch Chamber of Commerce, it's mandatory to install a TLS certificate from the Dutch government. Only when the certificate is installed is it possible to make authorized API requests. The Chamber of Commerce has published an install guide here: https://developers.kvk.nl/support/documentation/manual-tls-certificate
We want to use this API in an application that's hosted with AWS Amplify as backend and React as frontend. The most obvious approach was using AWS Certificate Manager, because it's integrated with Amplify. The problem we encounter using the Certificate Manager is that it's mandatory to provide a private key in PEM format to import a certificate (see picture: https://i.stack.imgur.com/uBXRl.png). The thing is, there are no private keys given, since the certificates are from the government, and the manual does not describe what needs to be done in our case.
We tried to contact the Chamber of Commerce, but the response was that it was not within their reach and we should try elsewhere. Our only option as we see it now is that we need to host a dedicated server to redirect the API requests and responses, but that would defeat our point of being serverless with Amplify.

AWS Certificate Manager is for certificates that you own. You would use that for the SSL/TLS certificate that matches the domain name that your application runs on.
The TLS certificate you are trying to use is not one that you own, it is one owned by the Dutch government, and you only have the public key info. You need to install that public key info onto your server in order to validate the TLS connections you make to the API you are connecting to. You aren't using it to serve a secure connection, you are using it to validate a secure connection.
The AWS ACM integration with AWS Amplify would not help you here, since that integration is specifically for serving a secure domain name, not for validating API calls your Amplify application is making.
Your Amplify backend will be built using AWS Lambda. It will be the Lambda function that performs the API calls to the Dutch government. You simply need to include the TLS certificate files in the Lambda deployment package that you upload to AWS, and then configure whatever HTTP library you are using in Lambda to make the API calls to use those files for TLS validation.

Related

Add custom domain to API gateway without serverless-domain-manager

I want to add a custom domain to the API Gateway using serverless framework but without "serverless-domain-manager" or any other plugin. I am looking for a more native way, maybe extending a resource in "serverless.yml"
All articles suggest that plugin, but it isn't the best for multi-environment pipelines.
https://www.serverless.com/blog/serverless-api-gateway-domain/
Doing it manually is not that complicated; here is the full explanation.
Add a custom domain to all envs:
1. Issue a certificate for the domain in the same region as the serverless project, in my case us-east-2.
2. Go to API Gateway > Custom domain names > Create; use the Regional endpoint type if using HTTP APIs.
3. In the created domain there is an API Gateway domain name; you'll need to point a CNAME record to it.
4. Finally, go to API mappings and create the mappings, in my case main and prod with stage $default.
API Gateway with a custom domain is configured to use TLS 1.2, and it supports some weak ciphers. These weak ciphers are removed in TLS 1.3, which is only supported in CloudFront distributions at the moment.
Some security tools like AppScan raised these issues for me during the security testing of these APIs.
You can check the details here.
https://security.stackexchange.com/questions/254667/are-weak-cipher-suites-for-tls1-2-a-valid-concern
If security is a concern, I would suggest using a CloudFront distribution in front of the API Gateway.
https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-cloudfront-distribution/

Call a web API from Lambda given an x509 certificate and private key

I'm very new to utilizing certs for authenticating API calls and was looking for a means of replicating the behavior of keytool on my local machine for sending a POST request to a web API. I have been provided a .pem x509 cert and a .key private key.
I've looked into AWS Cert Manager, but I'm not so sure if it would be able to provide the cert for a Lambda job run.
What tools would be appropriate for me to handle providing the cert to a Lambda job in the AWS ecosystem for authenticating a POST REST API call?
In general words, you describe configuration values, one critically kept secret, which the Lambda requires. Put the configuration values into AWS Secrets Manager. Use the GetSecretValue Secrets Manager API call (https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html) to pull the secret from within your Lambda. If your Lambda runs frequently, cache the API key and secret in memory for later runs to cut down on API calls and runtime.

Local Development - Authorization in Node.js App after Authentication with AWS Cognito and ALB

We have set up a simple Node.js app on Elastic Beanstalk with an additional authentication step on an Application Load Balancer in front of the app using AWS Cognito.
This is working just fine: users get authenticated, so that the application receives the headers x-amzn-oidc-accesstoken, x-amzn-oidc-identity and x-amzn-oidc-data forwarded by the ALB.
Now we need an authorization step (ABAC, attribute-based access) on the JWT supplied by the ALB.
The application shall only be usable depending on an email attribute contained in the headers.
How can we develop this locally and debug it? The headers are only supplied in AWS, so they are not available without the ALB. Is there any framework to simulate or mock these headers?
Thank you
I'm curious about the knowledge of other users, but as far as I know, it doesn't exist.
I think it's simple to test or debug by reusing the header information actually given by the ALB in a local request.

How to store a certificate as a secret in AWS Secrets Manager? How to pass that secret in an HTTPS call using an AWS AppSync resolver?

I need to get elements from AWS DynamoDB and a third-party HTTPS service, merge those results in AWS AppSync and send back the result as a GraphQL response.
The third-party service which I am using expects a client-side certificate. I am not finding proper AWS documents on how to pass an agent using an AWS AppSync resolver.
I am also not finding documents on storing a certificate as a secret in AWS Secrets Manager.
Has anyone faced a similar problem? Or do you guys have any solution to it?
It depends on the size of your certificate. Secrets in AWS Secrets Manager have various limits, such as length in bytes (7168 bytes) or characters (4096); see more here:
https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_limits.html
But otherwise you should be able to store your certificate using AWS Secrets Manager.
See item 3 in the following link: https://aws.amazon.com/blogs/compute/maintaining-transport-layer-security-all-the-way-to-your-container-part-2-using-aws-certificate-manager-private-certificate-authority/
Using HTTP resolvers (or even Lambda resolvers) you will be able to make HTTP calls to AWS Secrets Manager to obtain the secret.
See links:
https://docs.aws.amazon.com/appsync/latest/devguide/tutorial-lambda-resolvers.html
https://docs.aws.amazon.com/appsync/latest/devguide/tutorial-http-resolvers.html
Adding to Ashwin's answer: according to the documentation, the HTTP resolver supports only public endpoints at this point and does not seem to have the ability to pass a certificate for an app-to-app call.

AWS IoT certificate file

I'm struggling with the client cert and private key embedding or uploading, in order to authenticate with the AWS IoT endpoint assigned to my account. We are currently working on a solution in order to embed that ideal solution of the two certs and the private key in the gateway hardware, which will forward the information sent by the sensor in a secure way.
I would like to know if there is any way to connect in the same way as Google IoT (JWT in the password field) or Azure (SAS token in the password field) and not have to use the files: private key, CA certificate, x509 certificate.
The devices I'm using are MQTT, so I cannot use HTTP or similar.
There are different possibilities using different protocols, see the Message Broker Protocols topic in the AWS IoT Developer guide: https://docs.aws.amazon.com/iot/latest/developerguide/protocols.html
Using the MQTT protocol directly, you have to use certificates, but if you use the MQTT + WebSocket option, you can either use a standard AWS Signature V4 header on the connect request, or you can use a custom authorizer (and your own header on the connect request).
Good starters for understanding those options are:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
https://docs.aws.amazon.com/iot/latest/developerguide/iot-custom-authentication.html