I am using AWS ES for the search on my iOS application. As of now, I use the Rest API for serving the search queries to the application. The app calls the Rest API and my Python server searches to serve the requests. I want to eliminate this Rest API server and want to implement the interaction between iOS and AWS ES directly. The AWS iOS SDK does not provide a service for ES. What shall I do for that?
I have looked into these resources but did not get much clarity:
Elasticsearch access policy - allow read from clients and read/write from Node.js server
How to secure access to AWS Elasticsearch from a mobile application
Any help would be appreciated.
You can make use of AWS Cognito, User Pools and Federated Access to provide fine grained access to AWS resources to your set of users.
Read more at this link: Secure API Access with Amazon Cognito Federated Identities, Amazon Cognito User Pools, and Amazon API Gateway
I won't recommend doing this though, especially for Elasticsearch, because if any of the temporary credentials (STS tokens) are stored in an insecure place (not a keychain), users will be able to delete or create indices on your Elasticsearch cluster, as AWS does not provide fine-grained control over the APIs exposed by Elasticsearch itself.
To solve this problem, you can use API Gateway as a proxy to only the search endpoints of the indices you want to allow your clients to be able to search. You do not need a Lambda function or any EC2 instance in the middle to achieve this.
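An added illustration of the allow-listing the answer describes (only the search endpoints of chosen indices are reachable); this is not code from the post or from AWS, and the index names and request shapes are constructed assumptions. In API Gateway the same rule is expressed by defining only the `/{index}/_search` resources; the function below shows what that rule must accept and refuse.

```python
# Added illustration of "proxy only the search endpoints" from the answer above.
# Not code from the post or from AWS; the allow-list and request shapes are
# constructed assumptions.
from urllib.parse import urlsplit

# Indices that clients may search (constructed example values).
ALLOWED_INDICES = frozenset({"products", "articles"})

# Only these methods can reach a _search endpoint; everything else
# (DELETE index, PUT mapping, _bulk, _cat, ...) is refused.
ALLOWED_METHODS = frozenset({"GET", "POST"})


def is_permitted_search(method: str, raw_path: str) -> bool:
    """Return True only for <method> /<allowed index>/_search[?query].

    Any other shape is rejected, including multi-index ("a,b"), wildcard
    ("prod*"), "_all", the bare cluster root and longer paths.
    """
    if method.upper() not in ALLOWED_METHODS:
        return False
    # Drop query string and fragment; only the path decides.
    path = urlsplit(raw_path).path
    parts = [p for p in path.split("/") if p]
    if len(parts) != 2 or parts[1] != "_search":
        return False
    # Exact membership: "_all", "*", "products,orders", "prod*" all fail.
    return parts[0] in ALLOWED_INDICES


def classify(requests):
    """Evaluate a list of (method, path) pairs; returns a list of bools."""
    return [is_permitted_search(m, p) for m, p in requests]
```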
Related
Please forgive my ignorance on this topic. I've been a developer for a long time, but there's a huge gap in my knowledge and experience when it comes to authentication & authorization protocols and proper handling of tokens.
We've got a whole homegrown suite that consists of:
4 web apps (2 in Ruby/Rails, 1 in Elixir/Phoenix, 1 single-page React)
1 image server (serverless app written as an AWS Lambda / API Gateway)
1 custom data API (also serverless Lambda / API Gateway)
We also have an Amazon Cognito User Pool connected to our backend identity provider to authenticate users and generate tokens.
All but one of these allow some form of anonymous access; the other is only available to logged in users. If a user is logged in, they all need to access the user's profile info from the ID token, preferably without initiating another auth flow. Our backend apps may also need to make use of the access token, but obviously we wouldn't be handing that out to the SPA or public API consumers.
My first thought is to store the tokens in a key/value store on the backend, and have a short-lived, encrypted JWT containing a unique session ID set on the shared domain that all of the backend apps have access to, with the key stored in a config secret. By decoding the session ID, they can get what they need from the data store. The API would also refresh when necessary.
I also know that API Gateway can use a Cognito user pool as an authorizer, but I'm unclear how I would make that work while integrating it with the rest of our apps and requirements above. Sometimes requests to the API are made from the browser (in the React app, for example), and sometimes they come from the backend of one of the web apps.
The image server and API are used by our apps, but are also documented and accessible for other people to build their own applications on. But they would have to register their apps as OIDC clients to receive any profile info from logged in users.
I'd love some advice on how to make all of this work, or at least pointers toward resources that might help make it less dizzying.
I am new to Amazon Mobile Hub as a backend. Before this I was using Parse which essentially did everything for me. In Amazon Mobile Hub, for sign in, there is a custom sign in option. The info for this particular option on the amazon website is as follows:
'If you have an existing authentication process, you can use your own backend to authenticate your users. This involves interaction between your end user device, your backend for authentication, and Amazon Cognito. Learn more about authenticating your own users.'
I am really confused by this. So is there no option for creating a custom user database in Amazon Web Services? If so, what kind of external services would I have to use (like Auth0 or something)? If so, could anyone direct me to any seminar which explains custom user databases?
Can Amazon's Identity and Access Management help me with this? The documentation for this service only gives code in Java and I am an iOS developer, so I am having problems understanding this.
If anyone has ever used Parse, then I am looking for something like the Users class in Parse.
Vishisht,
For the custom identity provider, the Mobile Hub generated iOS Sample App does not have a fully documented solution yet. When creating the project in the Mobile Hub console and enabling “Custom” sign in, Mobile Hub is simply creating a “Developer provider name” associated with the default Cognito Identity Pool created for that project.
For Cognito Developer Authenticated Identities, you do need to create your own backend service to handle your end-user identities. Using developer authenticated identities involves interaction between the end-user device (a Mobile Hub generated sample app, perhaps), your backend for authentication, and Amazon Cognito.
The authentication server is a simple application designed to store user credentials in a secure manner and provides an OpenID Connect token to authenticated users. The authentication server can be built using AWS resources such as a web server running on an EC2 instance or an application running on an Elastic Beanstalk environment. The following blog is an end-to-end solution for building the backend authentication server and using the sample Cognito code from Github to directly interact with the backend server. Unfortunately, the sample authentication service IS only written in Java.
Integrating Amazon Cognito using developer authenticated identities: An end-to-end example:
https://mobile.awsblog.com/post/Tx3E3NJURV1LNV1/Integrating-Amazon-Cognito-using-developer-authenticated-identities-An-end-to-en
Btw – I have used Parse, and AWS/Mobile Hub does not have anything like the “Users” class. However, with Cognito Identity and Sync, you do have control over user profiles; it allows multiple providers per user and lets you sync user profiles between devices. The Cognito Identity and Cognito Sync examples are integrated into the Mobile Hub generated sample apps through the “User Data Storage” feature.
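An added example of the backend half of the developer-authenticated flow described above: verify the user against your own store, then ask Cognito for an IdentityId and OpenID token. It is not the AWS sample (which is Java); the user store, provider name, pool id and the injectable client are constructed assumptions.

```python
# Added example of a developer-authenticated-identities backend. Not the AWS
# sample code; the user store, pool id and provider name are constructed.
import hashlib
import hmac

# Constructed stand-ins for the values Mobile Hub / Cognito give you.
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"  # placeholder
DEVELOPER_PROVIDER_NAME = "login.example.myapp"  # placeholder provider name

# Constructed user store: username -> salted SHA-256 of the password.
# A real backend would use bcrypt/scrypt/argon2 and a database.
_SALT = b"constructed-salt"
_USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}


def verify_user(username: str, password: str) -> bool:
    """Check credentials against the (constructed) user store."""
    expected = _USERS.get(username)
    if expected is None:
        return False
    got = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(expected, got)


def issue_cognito_token(username: str, password: str, cognito_client,
                        token_duration: int = 900):
    """Authenticate, then obtain an IdentityId + OpenID token from Cognito.

    cognito_client is a boto3 'cognito-identity' client (or a test double
    with the same method). Returns None on a failed login, so Cognito is
    never called for bad credentials.
    """
    if not verify_user(username, password):
        return None
    resp = cognito_client.get_open_id_token_for_developer_identity(
        IdentityPoolId=IDENTITY_POOL_ID,
        # Logins maps your developer provider name to a stable user id.
        Logins={DEVELOPER_PROVIDER_NAME: username},
        TokenDuration=token_duration,
    )
    # The device passes these two values to AWSCognitoCredentialsProvider.
    return {"IdentityId": resp["IdentityId"], "Token": resp["Token"]}
```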
Is Google Cloud Endpoints only intended for App Engine use, or can it be used from anywhere, including our rails app running on Amazon EC2?
You can send requests to an endpoint from any client or server you like. At the end of the day, it's just HTTP. The endpoint code has to run on Google's servers, but anyone can call it. One of the major use cases is to provide backends for mobile apps.
I am currently trying to use Amazon S3 for uploading images from an iOS app with a Rails back-end.
I currently don't understand how security works. In their docs (http://docs.aws.amazon.com/mobile/sdkforios/developerguide/s3transfermanager.html) it's not clear to me how to upload/destroy objects safely in sync with the back-end. For instance, in order to post/destroy, I was expecting a mechanism for asking the Rails server for a signature, and only then being able to upload the image to Amazon. But I can't find this kind of mechanism.
Has someone gone through this kind of thing with AWS?
If you are using your server to generate temporary credentials for the AWS Mobile SDK, we recommend the following approach:
Generate the access key, secret key, and session token on your server. You have many language options including Java, .NET, PHP, Ruby, Python, and Node.js.
Implement your credentials provider by conforming to AWSCredentialsProvider. Take a look at the implementations of AWSWebIdentityCredentialsProvider and AWSCognitoCredentialsProvider as examples. This credentials provider should:
Retrieve the access key, secret key, and session key from your server.
Persist them locally until they expire.
Return the credentials when requested.
Re-retrieve them from your server if they are expired.
Initiate the credentials refreshing process when - refresh is called.
I encourage you to take a look at Amazon Cognito Identity. With Amazon Cognito, you can create unique end user identifiers for accessing AWS cloud services by using public login providers such as Amazon, Facebook, Google, and any OpenID Connect compatible provider, or by using your own user identity system. It covers many of the custom server use cases, and it is easier to use and manage.
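An added illustration of the retrieve / persist / return / re-retrieve / refresh behaviour listed in the answer above. It is not the SDK's AWSCredentialsProvider (that is Objective-C); the fetch callable, the injectable clock and the 60 second early-refresh margin are assumptions.

```python
# Added illustration of the credentials-provider refresh logic from the answer.
# Not AWS SDK code; fetch(), clock() and the skew margin are assumptions.
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class TempCredentials:
    access_key: str
    secret_key: str
    session_token: str
    expiration: float  # unix seconds, as returned by your server


class ServerCredentialsProvider:
    """Retrieve, persist, return and re-retrieve temporary credentials.

    fetch() is your round trip to your own backend and returns TempCredentials.
    clock() is injectable so expiry can be tested without sleeping.
    skew_seconds refreshes a little early so a request never leaves the device
    with credentials that expire in flight (assumed 60 s margin).
    """

    def __init__(self, fetch, clock=time.time, skew_seconds=60):
        self._fetch = fetch
        self._clock = clock
        self._skew = skew_seconds
        self._cached = None  # persisted until expiry (the keychain on iOS)

    def _expired(self):
        return (self._cached is None
                or self._cached.expiration - self._skew <= self._clock())

    def credentials(self):
        """Return cached credentials, re-retrieving them if expired."""
        if self._expired():
            self.refresh()
        return self._cached

    def refresh(self):
        """Force a new round trip to the server (the SDK's - refresh hook)."""
        self._cached = self._fetch()
        return self._cached
```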
I am having a bit of a hard time understanding how an IAM role can be used to limit access to Amazon EC2 instances.
I am currently looking into Cognito, and I was wondering if it could help me. I want to restrict the access of my EC2 instances (with that I mean contacting the Django Server on there) to only a specific group of people, with dynamic ips. So IP restriction is not an option.
If a user gets authenticated with Cognito and gets temporary credentials, and therefore assumes a specific IAM role, I want him to be able to talk to that EC2 Django server from within my iOS app. If a request to the server doesn't have the IAM role, I want Amazon to automatically block it. Is that possible, or do I have to do that server side?