Why are x509 certificates associated with IAM Users in AWS? - amazon-web-services

I'm reading the AWS docs and am a little confused as to why X.509 certificates are associated with specific IAM Users in AWS. I can't really find an answer, so I feel I'm missing something.
Can anyone tell me why this is? I've done my Googling and read up on the documents, but it seems that the logic behind why this is so is only implied.

As far as I know, this is legacy functionality, no longer serving any useful purpose. Many years ago, X.509 certificates were used to sign requests for AWS SOAP APIs.
All of these are likely deprecated if not gone entirely.
In some cases -- like EC2 -- the SOAP functionality was deprecated and later completely removed from the API and SDKs in late 2015.
So this IAM feature would only be used for legacy systems using other AWS services that still support the old SOAP APIs that expect X.509-based authentication, assuming there are any. If there are, the documentation has long since been deleted or is buried, as is the case for S3, which only supports SOAP over HTTPS these days, and appears to expect Access Keys rather than certificates.
Perhaps SimpleDB still supports the old SOAP API. SimpleDB? One of the original Amazon Web Services like SQS and S3, SimpleDB was -- sort of, kind of, in a manner of speaking, loosely -- a predecessor to DynamoDB... it was quite an innovation back in its day, and it is still alive though perhaps not well, and you will be hard-pressed to find anyone talk about it, or find much evidence of it in the AWS documentation, though it's there if you know where to look. SimpleDB hasn't been deployed in any AWS region that launched after about 2013.

Related

Enable mTLS over IMAP in AWS WorkMail

I have searched the World Wide Web and the official AWS documentation for a solution to implement an mTLS-over-IMAP connection in AWS WorkMail.
Unfortunately, I did not find any information. I have spoken with tech support over at AWS, and they did not give me the relevant information.
It seems like they do not support this feature on WorkMail; the only place where they do support it is on AWS API Gateway.
I'm really out of options; I'm not very familiar with the AWS environment and would like to know if someone has done this configuration in the past and how it can be done. It does look like a simple thing that many other email servers do support (such as Microsoft Exchange).

Using amplify to integrate app into existing AWS database

I'm developing an Android app that needs to work with an existing Amazon Web Services RDS database as well as an S3 bucket, also on AWS. My issue is that I'm struggling to find much in the way of guidance on the best approach to do so.
Currently the best thing I've found is Amazon's Amplify, the alternatives so far being SQLiteOpenHelper (seemingly unideal, given that it looks to work almost exclusively with local databases, but an interesting caching option) and using Apache, which seems bad as it is extremely manual and largely deprecated.
Am I correct in then concluding Amplify is the best direction to take, or am I missing something big (it feels this way), in which case advice on how better to research this task would be immensely appreciated.
Amplify allows you to connect your app with any kind of data source using AppSync, which is a managed GraphQL service that connects, via resolvers, to anything that you want.
AppSync provides a GraphQL API including features like request and response mapping, authentication, cache and other useful things. Here you can find an overview of how it works: https://aws.amazon.com/blogs/mobile/appsync-microservices/.
As for how to use S3, Amplify can help with that as well: using the Amplify CLI it is easy to add that resource, just by running amplify add storage, as explained here: https://docs.amplify.aws/lib/storage/getting-started/q/platform/android/.

Is there a REST API Reference available for AWS?

As far as I understand, there are only three ways to access AWS resources:
Management Console (browser)
AWS CLI
AWS SDK (in various programming languages)
However, why didn't AWS provide REST APIs and their reference documentation so that we can interact with AWS resources directly using a REST client like Postman?
I think they are using REST APIs behind the scenes (All the above three interactions actively use REST API I guess).
Thanks in advance.
There is REST API documentation available as well. It's just that AWS officially encourages the use of more abstract methods such as the CLI and SDK, since they are easier to use and are maintained by AWS.
Using the SDK or CLI is also encouraged because they are perfectly interfaced with the AWS REST API, with extensive testing covering all cases. And you don't need to focus on stuff like what headers you need to attach or what the request body format should be. Users can focus on writing their own business logic.
The only source I could find for documentation of the REST API is the official docs, which I have linked below. Since direct use of the REST API is not preferred, there are no commonly available tutorials. I don't think there is anything extra which can be accomplished using the REST API that the CLI or SDK doesn't already offer.
A more practical example would be the aws s3 CLI. It has a lot of underlying implementation which speeds up the process of uploading and downloading, like establishing 10 network connections in parallel to utilize the complete network bandwidth, etc. This you would have to implement yourself if you are directly using the API.
Some Examples:
S3 REST API
EC2 REST API
Similarly there is API documentation available for every service.
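As an added illustration (not code from either thread), the headers-and-signature work the answer says the SDKs hide is AWS Signature Version 4: the access-key HMAC scheme that replaced the X.509 request signing of the legacy SOAP APIs discussed in the first answer. The credentials, host and timestamp below are constructed sample values, and the query string is assumed to be already URL-encoded and sorted.

```python
import hashlib
import hmac

# Added example: a minimal SigV4 signer (not an AWS SDK; the SDKs implement the same steps).


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, payload):
    """Build the canonical request: header names lower-cased and sorted, values whitespace-collapsed."""
    canon = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    signed = ";".join(sorted(canon))
    header_lines = "".join(f"{k}:{canon[k]}\n" for k in sorted(canon))
    return "\n".join([method, path, query, header_lines, signed, _sha256_hex(payload)]), signed


def sign_request(access_key, secret_key, region, service, method, host, path,
                 query, headers, payload, amz_date):
    """Return the Authorization header value; `headers` must not already contain host/x-amz-date."""
    date_stamp = amz_date[:8]
    all_headers = dict(headers, host=host, **{"x-amz-date": amz_date})
    canon, signed = canonical_request(method, path, query, all_headers, payload)
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canon.encode())])
    # Derive the signing key by chaining HMACs over date, region, service and a fixed terminator,
    # so the long-term secret never signs a request directly.
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    k_signing = _hmac(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed}, Signature={signature}")


if __name__ == "__main__":
    # Constructed sample: example credentials and a fixed timestamp, not real ones.
    print(sign_request("AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                       "us-east-1", "iam", "POST", "iam.amazonaws.com", "/", "",
                       {"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"},
                       b"Action=ListUsers&Version=2010-05-08", "20150830T123600Z"))
```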

AWS CloudFront and OAuth2 with Authorization Code callback

I am hosting my ReactJS app on CloudFront; Lambda is the backend.
I am integrating with a third-party OAuth2 server, which supports only the authorization code grant type. I need to handle the callback with the authorization code. My problem is that the callback will be directed to the CloudFront address, like this:
https://dicla0olcdd7.cloudfront.net/callback?code=ss540azzC7xL6nCJDWto
Do you think it is a safe approach? I am a bit worried that the code is sent to a service out of my control. The code should never reach any place outside my app, right?
What other solutions do I have?
thx.
CloudFront has received certifications of compliance with relevant security standards for processing credit card and healthcare data.
CloudFront is compliant with the PCI DSS and HIPAA standards.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/compliance.html
It thus stands to reason that transient authentication tokens should also be quite safe traversing that network.
Customer data and privacy are of utmost concern to AWS. Your concern is valid but goes against using any platform as a service.
Many enterprises, before moving to any cloud infrastructure, raised similar concerns about data, security and privacy, but ultimately the SLAs and security commitments enforced by AWS, along with the long-term cost benefits, override any of these concerns.
The only way to resolve this concern is to host your own data center, which is probably not the way you want to go.

Using AWS IoT to offer a service to third parties

I would like to leverage AWS IoT to offer a service to my customers. Customers can be both "thing" owners or data consumers. The added value is given by computational stuff on the platform. Is such a scenario possible? I would like to implement a REST API to let users register their own things and maintain the association with Customers and things, but I don't want the thing to require my Amazon credentials in order to push data. Is such a scenario possible?
You could issue individual certificates for each of your customers. AWS IoT already supports this.
AWS can generate the certificates for you, or you could generate and sign your own certificates. You'll probably prefer to issue your own certificates, since that allows you fine control over your customers' access; this feature is also supported by AWS IoT. To generate and sign your certificates you could use tools such as OpenSSL.
AWS IoT already supports a REST API out of the box.
The last step is how you'll charge your customers. You can create a rule that will copy all messages to a Lambda function that will work as an aggregator and count how many messages each of your customers sent. This last step is a little bit tricky, since you'll have to know the device names of your customers.