I am having a bit of a hard time understand how can an IAM role be used to limit access to a Amazon EC2 instances.
I am currently looking into Cognito, and I was wondering if it could help me. I want to restrict the access of my EC2 instances (with that I mean contacting the Django Server on there) to only a specific group of people, with dynamic ips. So IP restriction is not an option.
If a user gets authenticated with Cognito and gets temporary credentials, and therefore assumes a specific IAM Role, I want him to be able to talk to that EC2-Django server from within my iOS app. If a request to the server doesn't have the IAM, I want Amazon to automatically block it. Is that possible or I have to do that server side?
Related
Please forgive my ignorance on this topic. I've been a developer for a long time, but there's a huge gap in my knowledge and experience when it comes to authentication & authorization protocols and proper handling of tokens.
We've got a whole homegrown suite that consists of:
4 web apps (2 in Ruby/Rails, 1 in Elixir/Phoenix, 1 single-page React)
1 image server (serverless app written as an AWS Lambda / API Gateway)
1 custom data API (also serverless Lambda / API Gateway)
We also have an Amazon Cognito User Pool connected to our backend identity provider to authenticate users and generate tokens.
All but one of these allow some form of anonymous access; the other is only available to logged in users. If a user is logged in, they all need to access the user's profile info from the ID token, preferably without initiating another auth flow. Our backend apps may also need to make use of the access token, but obviously we wouldn't be handing that out to to the SPA or public API consumers.
My first thought is to store the tokens in a key/value store on the backend, and have a short-lived, encrypted JWT containing a unique session ID set on the shared domain that all of the backend apps have access to, with the key stored in a config secret. By decoding the session ID, they can get what they need from the data store. The API would also refresh when necessary.
I also know that API Gateway can use a Cognito user pool as an authorizer, but I'm unclear how I would make that work while integrating it with the rest of our apps and requirements above. Sometimes requests to the API are made from the browser (in the React app, for example), and sometimes they come from the backend of one of the web apps.
The image server and API are used by our apps, but are also documented and accessible for other people to build their own applications on. But they would have to register their apps as OIDC clients to receive any profile info from logged in users.
I'd love some advice on how to make all of this work, or at least pointers toward resources that might help make it less dizzying.
Is there any service available that would allow someone to set up an OAuth callback service?
Example... I direct a user to Google to authenticate for Google Drive. This doesn't always originate from my website.. it could be from another application on a terminal, a user built website that's using my application, etc. The callback is www.callbackservice.com/callback/oauth (instead of something like www.mycompany.com/callback/oauth).
callbackservice.com now stores the OAuth 2.0 code for me to retrieve via cURL, etc..
Most of these services (at least google and ms) allow you to provide a session key (state) and credentials that could be used to retrieve the code. Then I just do another cURL to exchange for a token.
The purpose of this would be so that if for any reason my web server was down there would still be a service out there to keep things going. Or if my company was bought out they wouldn't need to rely on my web server to keep customers happy. They simply use their own systems.
Thanks for entertaining this.. I couldn't find anything about this online, which probably means that it isn't available for security reasons.
I am using AWS ES for the search on my iOS application. As of now, I use the Rest API for the serving the search queries to the application. The app calls the Rest API and my python server searches to serve the requests. I want to eliminate this Rest API server and want to implement the interaction between iOS and AWS ES directly. AWS iOS SDK does not provide service for ES. What shall I do for that?
I have looked into these resources but did not get much clarity,
Elasticsearch access policy - allow read from clients and read/write from Node.js server
How to secure access to AWS Elasticsearch from a mobile application
Any help would be appreciated.
You can make use of AWS Cognito, User Pools and Federated Access to provide fine grained access to AWS resources to your set of users.
Read more at this link: Secure API Access with Amazon Cognito Federated Identities, Amazon Cognito User Pools, and Amazon API Gateway
I won't recommend doing this though, especially for elastic search cause if any of the temporary credentials (STS tokens) are stored in an in-secure place (not a keychain), users will be able to delete or create indices on your elastic search cluster, as AWS does not provide fine grain control over the APIs exposed by elasticsearch itself.
To solve this problem, you can use API Gateway as a proxy to only the search endpoints of the indices you want to allow your clients to be able to search. You do not need a Lambda function or any EC2 instance in the middle to achieve this.
I've followed the instructions in this post http://mobile.awsblog.com/post/Tx371Y7CA0QJ95X/Simplifying-Token-Vending-Machine-Deployment-with-AWS-CloudFormation
And I can see that it's working somewhat, and i understand the overall concept of what TVM is and why it's needed, however I still have hard time understanding how this works in practicality. I read a post somewhere that anonymous token vending machine is designed for read-only and if I wanted to actually provide write access I need to use identity TVM.
In the demo app it makes me register my account on the cloudformation server i set up, but I don't understand how this works with say my own web app. I have a mobile app that connects to rails app where I need users to upload their profile images as well as post photo content. I already have the app running except for the integration part with the TVM (basically my aws credentials are embedded in the app which Amazon doesn't recommend)
So my question is how do i integrate an existing REST based iOS app with identity token vending machine to upload photos to S3? How can i integrate it without making users separately create an "account" for the identity token vending machine on top of registering for my app?
We recently launched Amazon Cognito, which obviates the need for the TVM in many cases, particularly in the "anonymous TVM" case. Through Cognito's unauthenticated access you can grant users of your application limited access privileges to various AWS resources. Cognito leverages existing functionality of IAM Roles and STS to deliver these credentials.
If you want to maintain the integration with your existing backend authentication solution, you will need to generate and maintain the list of identity ids for your application. You can read more about the APIs involved in our API documentation.
Your app can act as the TVM, mapping your user identities to the IAM Roles with the permissions they need. Then can use the AssumeRole calls on STS to create temporary credentials for these users. Your app then creates a S3Client object with these credentials and use it to upload the photo.
See the "Identity federation" and "Web identity federation" sections of the of IAM Roles documentation
The AWS Web Identity Federation Playground is a nice example app to see it at work.
CoudFormation will automate the creation, updates and deletion of AWS Resources, including EC2 Instances and IAM Roles, but will not be directly related to the user authentication.
I am using amazon S3 to provide IAP content.
Is there a "Safe" way to store the secretAccessKey inside my app so hackers can't use it to get the files?
The best way to do this is not to give out normal secret access keys at all.
First create an IAM user that has access to only what is needed, so that even if someone does get their hands on the credentials they can only access what you want them too (e.g. get files from a specific S3 bucket, but not modify them)
When the iOS app needs to access the S3 files it connects to a web server you control. That web server users STS to generate a set of credentials that will expire after the desired amount of time. These look like normal aws credentials (access key, secret, session id) but will eventually expire.
Amazon provide some reference implementations of these token vending machines and has an article discussing the setup in more detail.
Did you look for appropriate method using Keychain framework? Keychain Services Tasks for iOS