Amazon CloudFront key-pair creation - amazon-web-services

From my "Security Credentials", I can NOT create any more key pairs for my CloudFront setup.
I can only see my existing 2 key pairs and my deleted one. The "create" link is not present.
Do you have a reason for that?
How can I create key pairs without using this interface?
How can I bring back the feature to create key pair from that interface?

It's not possible to have more than two key pairs available for use at any one point in time, see Access Credential Rotation:
[...] you can have two credentials in an Active state at any point in time
so you can rotate them without impact to your application's
availability. The AWS Security Credentials page displays the current
state of each of the credentials you can rotate. The possible states:
Active—Can be used to secure requests to AWS.
Inactive—Can't be used, but can be moved back to the Active state.
Deleted—Can never be used again.
The first sentence is actually a bit misleading, insofar as it applies to key pairs in the Inactive state as well, because these can be activated again.
As soon as you delete an inactive key, you will be able to create a new one.

Related

How to renew a cloudformation created API Gateway API Key

I've created users with API Keys in a cloudformation yaml file. We want to renew one API Key but an API Key is immutable so has to be deleted and regenerated. Deleting an API Key manually and then hoping that rerunning the cloudformation script is going to replace it with no other ill effects seems like risky business. What is the recommended way to do this (I'd prefer not to drop and recreate the entire stack for availability reasons and because I only want to renew one of our API keys, not all of them)?
The only strategy I can think of right now is:
1. change the stack so that the name associated with the API Key in question is changed
2. deploy the stack (which should delete the old API Key and create the new one)
3. change the stack to revert the 1st change, which should leave me with a changed API Key with the same name
4. deploy the stack
Clunky eh!
It is indeed a bit clunky, but manually deleting it will not cause CloudFormation to recreate the API key, since it has an internal state of the stack in which the key still exists.
You could simply change the resource name of the API key and update the stack, but this will only work if you can have duplicate names for API keys, which I doubt, but I could not find confirmation in the docs.
This leaves two steps as the only way to do it (if you want to keep the same name): one update to remove the old key, and a second update to create the new key. This can be achieved by simply commenting out the corresponding lines in the first step and subsequently uncommenting them for the second step, or, as you suggested, by changing the name of the API key and then changing it back.

What to use as a primary key with AWS Cognito for handling backups and recovery

For a little backstory, we're currently in the middle of migrating a Cognito user pool to a new one, due to several outdated configuration properties we need to update. To do this, we are planning on using a Cognito Lambda trigger to handle the migration.
However, the big problem we're running into is that we use the sub attribute as an ID for the user. According to AWS, this value is globally unique across all user pools. This means that we cannot migrate the sub attribute to a new pool, since it would then no longer be unique.
According to this question and answer, they indicate that the sub attribute is the correct attribute to use for a primary key. However, in the event of a disaster like a deleted or corrupted pool, using the sub attribute as a primary key doesn't work. If you import users to a backup pool, the subs will be different and your primary key will be lost.
At this point, I should mention that we are using the Access token for the "groups", which does not contain any custom attributes, so adding the primary key to the custom attributes doesn't work for us.
So to finally get to my question, what should we be using for a primary key with AWS Cognito so we don't run into this pitfall again?

AWS: No Key Pairs Found

I have been given a key called Access.pem and I am trying to launch an AWS instance.
In Step 7: Review Instance Launch, when I attempt to launch the instance I get the following error:
No keys pairs found.
You don't have any key pairs. Please create a new key pair by selecting the
Create a new key pair option above to continue.
I have attempted to import my key pair with the steps outlined by amazon (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html)
This includes:
Placing Access.pem in ~/.ssh/authorized_keys
And importing the key via the Amazon EC2 console at https://console.aws.amazon.com/ec2/
In the second attempt when browsing for the key, the Access.pem key cannot be selected on my Mac. When I copy the contents, I am informed the key is too long.
How can I use this key?
A key-pair is often given to employees by their institution. As such I will assume this is the case. If you have exhausted all other options, I would contact your IT department to make sure they have added you.
Next time you log in (assuming you have been granted access), your company key-pairs should be available.
Basically, when we launch an instance there is an option to create a new key pair, and after downloading the key pair (with the save option checked) we can proceed to launch the instance. We can also create a key pair beforehand from the Key Pairs section. If you are sure that you have created a key pair as you mentioned ("Access.pem"), then check which region you created the key pair in. If you create a key pair in the region "us-east-1-a North Virginia" and then try to launch an instance in another region like "us-east-2-a Ohio", you will not find the key pair: when launching an EC2 instance or any other service that needs key pairs, the key pair will not be suggested when the region is changed. Check these things.
And when doing ssh from a terminal, whether on Windows/Mac/Linux, be sure you have set the permissions of the pem file to 400, like this: "chmod 400 Access.pem".

Rotating keys and reactively reencrypting data

I want to introduce key rotation to my system, but for that reencryption is needed. It would be nice to do it reactively on some event, trigger, etc., but I can't find anything like that in Google's documentation.
After a rotate event, I want to reencrypt data with the new key and destroy the old one.
Any ideas, how to achieve this goal?
As of right now, the best that you can do is write something that polls GetCryptoKey on regular intervals, checks to see if the primary version has changed, and then decrypts and reencrypts if it has.
We definitely understand the desire for eventing based on key lifecycle changes, and we've been thinking about the best way to accomplish that in the future. We don't have any plans to share yet, though.
When you rotate an encryption key (or when you enable scheduled rotation on a key), Cloud KMS does not automatically delete the old key version material. You can still decrypt data previously encrypted with the old key unless you manually disable/destroy that key version. You can read more about this in detail in the Cloud KMS Key rotation documentation.
While you may have business requirements, it's not a Cloud KMS requirement that you re-encrypt old data with the new key version material.
New data will be encrypted with the new key
Old data will be decrypted with the old key
At the time of this writing, Cloud KMS does not publish an event when a key is rotated. If you have a business requirement to re-encrypt all existing data with the new key, you could do one of the following:
Use Cloud Scheduler
Write a Cloud Function connected to Cloud Scheduler that invokes on a periodic basis. For example, if your keys rotate every 72 hours, you could schedule the cloud function to run every 24 hours. Happy to provide some sample code if that would help, but the OP didn't specifically ask for code.
Long-poll
Write a long-running function that polls the KMS API to check if the Primary crypto key has changed, and trigger your re-encryption when change is detected.
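The poll-and-reencrypt loop both answers describe, as an added example that is not from the original thread: FakeKms is a constructed in-memory stand-in for the Cloud KMS client (its get_crypto_key() result mirrors the real API's primary.name field, and its encrypt/decrypt is a reversible placeholder, not real encryption), and RotationWatcher destroys an old version only once no stored ciphertext still references it, which is the caveat in the answer above.

```python
from dataclasses import dataclass

@dataclass
class Record:
    key_version: str   # full CryptoKeyVersion resource name that encrypted this row
    ciphertext: bytes

class FakeKms:
    """Constructed in-memory stand-in for the Cloud KMS client: get_crypto_key() exposes
    primary.name like the real API, but the 'encryption' is a reversible placeholder."""
    def __init__(self, key_name: str):
        self.key_name = key_name
        self.primary = f"{key_name}/cryptoKeyVersions/1"
        self.versions = {self.primary: "ENABLED"}
    def get_crypto_key(self) -> dict:
        return {"name": self.key_name, "primary": {"name": self.primary}}
    def rotate(self) -> None:   # simulates a manual or scheduled rotation
        self.primary = f"{self.key_name}/cryptoKeyVersions/{len(self.versions) + 1}"
        self.versions[self.primary] = "ENABLED"
    def encrypt(self, plaintext: bytes) -> tuple:
        tag = self.primary.rsplit("/", 1)[1].encode()
        return self.primary, b"v" + tag + b":" + plaintext[::-1]   # NOT real crypto
    def decrypt(self, version: str, ciphertext: bytes) -> bytes:
        if self.versions.get(version) != "ENABLED":
            raise PermissionError(f"{version} is not ENABLED; data is unrecoverable")
        return ciphertext.split(b":", 1)[1][::-1]
    def destroy_version(self, version: str) -> None:
        self.versions[version] = "DESTROY_SCHEDULED"

class RotationWatcher:
    """Polling replacement for the rotation event Cloud KMS does not emit."""
    def __init__(self, kms: FakeKms, records: list):
        self.kms, self.records = kms, records
        self.seen_primary = kms.get_crypto_key()["primary"]["name"]
    def poll_once(self) -> set:
        # One scheduler tick; returns the old versions that were safely retired.
        primary = self.kms.get_crypto_key()["primary"]["name"]
        if primary == self.seen_primary:
            return set()                      # nothing rotated since the last tick
        old_versions = set()
        for rec in self.records:
            if rec.key_version != primary:
                old_versions.add(rec.key_version)
                plaintext = self.kms.decrypt(rec.key_version, rec.ciphertext)
                rec.key_version, rec.ciphertext = self.kms.encrypt(plaintext)
        # Destroy only versions no ciphertext references; earlier destroy = lost rows.
        retired = old_versions - {r.key_version for r in self.records}
        for version in retired:
            self.kms.destroy_version(version)
        self.seen_primary = primary
        return retired
```

With the real client, poll_once would call KeyManagementServiceClient.get_crypto_key and compare the returned primary.name the same way.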

access credentials error in Copy Command in S3

I am getting an access credentials error when I run the COPY command in S3.
My copy command is:
copy part from 's3://lntanbusamplebucket/load/part-csv.tbl'
credentials 'aws_access_key_id=D93vB$;yYq'
csv;
The error message is:
error: Invalid credentials. Must be of the format: credentials 'aws_iam_role=...' or 'aws_access_key_id=...;aws_secret_access_key=...[;token=...]'
'aws_access_key_id=?;
aws_secret_access_key=?''
Could anyone please explain what aws_access_key_id and aws_secret_access_key are?
Where can we see them?
Thanks in advance.
Mani
The access key you're using looks more like a secret key, they usually look something like "AKIAXXXXXXXXXXX".
Also, don't post them openly in StackOverflow questions. If someone gets a hold of a set of access keys, they can access your AWS environment.
Access Key & Secret Key are the most basic form of credentials / authentication used in AWS. One is useless without the other, so if you've lost one of the two, you'll need to regenerate a set of keys.
To do this, go into the AWS console, go to the IAM services (Identity and Access Management) and go into users. Here, select the user that you're currently using (probably yourself) and go to the Security Credentials tab.
Here, under Access keys, you can see which sets of keys are currently active for this user. You can only have 2 sets active at one time, so if there's already 2 sets present, delete one and create a new pair. You can download the new pair as a file called "credentials.csv" and this will contain your user, access key and secret key.