Sunday, March 21, 2021

AWS - ACM - Certificate manager

 ACM - Certificate manager - 3-21-2021

Today's agenda

- SSL/TLS handshake
- CA - Certificate Authority

SSM ->
Secrets Manager


Architecture
----------------

Team1

webApp (FrontEnd)
- PHP, Python
- Displays secret data
- uses a DB user to connect to the database server.
  - DBURL=IP_of_DB_host
  - user=admin
  - password=welcome

At client side (https)
User enters
username=jay
age=25

Storage
- DB - MySQL, Oracle or any other DBMS
- WebApp retrieves data from the database


Global organization
- US
   - Dept1
   - Dept2
      - Team1
      - Team2
      - Team3
         - Dev
            - DB
              IP:
              User:
              PW:
         - Test
         - Prd
   - Dept3
- IN
- UK

Keeping a password secret is a challenge
- you can store it locally, on the web, and in multiple places.
- if you have a shared environment, multiple people may see it.
- it is very important to keep secret info secret.

Rather than hardcoding the password in the code, you can reference it.
AWS has an offering, SSM Parameter Store, meant to store and manage your parameters
- the values that would otherwise live in config files.



SSM
------

1. Login to the AWS console
- Kubernetes has ConfigMap; Parameter Store is similar to a ConfigMap in Kubernetes.
- sometimes it may look like a Secret from k8s.

Click on RDS
- create database
- standard
- MySQL
- free tier
DB instance: database-1
master user: jay
pwd: welcome


You have to provide three pieces of info to your developer:
server IP:
user:
password:

How do you send this info to the developer?
- rather than sending it through email or another instant messaging system,
it is a good idea to create a hierarchy.
- give a reference to the hierarchy.
(de-couple - disconnect the code from the secret value)

SSM Parameter Store specializes in parameterization.

SSM
-----
Go to Simple Systems Manager (SSM) on AWS

or search for "parameter", you will see Systems Manager
- click on it.
- Go to the left pane and under Application Management, click on Parameter Store.
- Click on Create parameter
- Parameter details
Name/Path: dbpass or /us/dept/team1_db_url    # all info about team1 is going to be stored here.

Tier:
standard (free for some time) can store up to 4 KB
advanced: can store up to 8 KB

Type: String
Data type:
Value: db.eg.com:3306


Now we have stored one parameter.

Add more info
Name: /IN/dept1/team1/db_pass
create a parameter
standard
String
Data type: text
Value: welcome1

Here anyone can see the password, but we can encrypt it:
there is an option on Type;
rather than String, you can use SecureString -> encrypted using KMS
specify the key

click on create
So we created two parameters, one URL and the other the password.

Create one more for a different team
Name: /IN/dept1/

SecureString
Value: redhat2
create


Now, how to retrieve?

> aws ssm
> aws ssm help
> aws ssm get-parameters
> aws ssm get-parameters --help
> aws ssm get-parameters --names /IN/dept1/team1/db_url

Note: you have to create a user with limited permissions (only what it needs).

> aws ssm get-parameters --names /IN/dept1/team1/db_pass

Create the account so that the user can use the KMS key and retrieve this info.

How to see the encrypted values?
> aws ssm get-parameter --name /IN/dept1/team1/db_pass --with-decryption

Make sure to verify the access level for the user.

Can you get all parameters this way?
> aws ssm get-parameter --name /IN/dept1/team1/
you can't (that is a path, not a parameter name)

You can get all parameters under a path using the following commands
> aws ssm get-parameters-by-path --path /IN/dept1/team1
> aws ssm get-parameters-by-path --path /IN/dept1/team1 --recursive

Using the SDK - software development kit - you can connect

You can use the AWS SDK library -> use a function/method and retrieve.
- There is a library, boto3, which you can use to connect.

> python
>>> import boto3
from here, you can connect to AWS, VPC and other services
>>>
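The path retrieval above, worked through in Python. This is an added example, not code from the notes or from AWS. It assumes the parameter hierarchy the notes use (/IN/dept1/team1/db_url, /IN/dept1/team1/db_pass) plus two constructed entries (/IN/dept1/team1/api_key, /IN/dept1/team2/my_pass), and FakeSsmClient is a constructed stand-in that answers in the same shape as boto3's ssm.get_parameters_by_path so the block runs offline; with credentials, real_ssm_client() returns the real client. It follows NextToken pages (the CLI does that for you, an SDK loop must), asks for decryption of SecureString values, and flags parameters that look like secrets but were stored as plain String, which is the audit the "SSM is not forcing you to encrypt" concern further down calls for.

```python
"""Fetch a team's configuration from SSM Parameter Store by path (added example)."""

SECRET_HINTS = ("pass", "pwd", "secret", "token", "key")


def fetch_parameters_by_path(client, path, with_decryption=True):
    """Return every parameter under `path` (recursively), following NextToken pages."""
    params = []
    kwargs = {"Path": path, "Recursive": True, "WithDecryption": with_decryption}
    while True:
        resp = client.get_parameters_by_path(**kwargs)
        params.extend(resp.get("Parameters", []))
        token = resp.get("NextToken")
        if not token:
            return params
        kwargs["NextToken"] = token


def to_config(path, params):
    """Key values by their path relative to `path`: /IN/dept1/team1/db_url -> 'team1/db_url'."""
    prefix = path.rstrip("/") + "/"
    return {p["Name"][len(prefix):]: p["Value"]
            for p in params if p["Name"].startswith(prefix)}


def plaintext_secrets(params):
    """Names of parameters whose leaf name suggests a secret but whose Type is not SecureString.

    Parameter Store does not force encryption, so this is the check to run before
    handing a path to developers.
    """
    return sorted(p["Name"] for p in params
                  if p.get("Type") != "SecureString"
                  and any(h in p["Name"].rsplit("/", 1)[-1].lower() for h in SECRET_HINTS))


class FakeSsmClient:
    """Constructed stand-in for boto3's SSM client; answers in two pages to exercise NextToken."""

    _pages = [
        {"Parameters": [
            {"Name": "/IN/dept1/team1/db_url", "Type": "String", "Value": "db.eg.com:3306"},
            {"Name": "/IN/dept1/team1/db_pass", "Type": "SecureString", "Value": "welcome1"},
        ], "NextToken": "page-2"},
        {"Parameters": [
            {"Name": "/IN/dept1/team1/api_key", "Type": "String", "Value": "not-encrypted"},
            {"Name": "/IN/dept1/team2/my_pass", "Type": "SecureString", "Value": "redhat"},
        ]},
    ]

    def get_parameters_by_path(self, **kwargs):
        index = 1 if kwargs.get("NextToken") == "page-2" else 0
        return self._pages[index]


def real_ssm_client():
    import boto3  # imported lazily so the offline demo needs no AWS SDK installed
    return boto3.client("ssm")


def load_team_config(client, path="/IN/dept1"):
    """Return (config dict, list of parameters that should have been SecureString)."""
    params = fetch_parameters_by_path(client, path)
    return to_config(path, params), plaintext_secrets(params)


if __name__ == "__main__":
    cfg, findings = load_team_config(FakeSsmClient())
    # never print secret values; show masked config and the audit findings
    print({k: ("***" if k.endswith("pass") else v) for k, v in cfg.items()})
    print("parameters that should be SecureString:", findings)
```

Swap FakeSsmClient() for real_ssm_client() to run it against an account; the IAM principal then needs ssm:GetParametersByPath on the path and kms:Decrypt on the key used for the SecureString values, which is the "limited power" user the note above mentions.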

Go back to Parameters
create
- click on Advanced

Name: /in/dept1/team2/my_pass

Type: String
Value: redhat

Parameter policy
you can add a policy here.

create

click on the parameter
- click on Policy
parameter policies
- no expiration policy
- absolute time
- relative time

notification policies
- set password notification: when the password is expiring, has expired, and much more.

click Save changes

This policy option is only available on the Advanced tier.

What is the issue/concern?
- Let's say we have a DB password, and we are storing the password: welcome

SSM Parameter Store is not forcing you to encrypt.
- if you store it in clear text, someone can see it
- we need something that keeps asking to rotate the password within a certain time, say 10 days; if not changed within 10 days, it expires.
specify how long this value is valid.

Who is going to do the auditing?

If you have very sensitive info, we want extra management: audit, who accessed it, why they accessed it...
say bank info -> who accessed it, expire/change the password within 30 days

For secret info, we need extra control,
so Secrets Manager comes into play.


DB_URL=IP
User: jay

we can store these in SSM

but
pw: welcome
we store it in Secrets Manager

- the password needs strong security
- audit
- policy


Go to the AWS console and search for Secrets Manager
- it has very tight integration with RDS - MySQL, PostgreSQL, Amazon Aurora

This service is free for 30 days; after that they will charge.

Create
Store a new secret
- credentials for RDS

specify the RDS database:

you can keep the password here.

or go to other type of secret
key/value

passport: 12345
by default you have to use encryption:

everything is encrypted here.

you can click on Plaintext and change the value.

new secret:
secret name: /IN/dept1/team1/db_pass

configure automatic rotation
- disable automatic rotation
- enable automatic rotation

select rotation interval: 30 days

how to notify
choose an AWS Lambda function
create or specify the function here to notify the user.

you can connect to an IoT device or any other...

you can disable this feature and click next - review the summary



Code they support

You have Java, Java v2, JavaScript, C#, Python3, Ruby, Go

You can generate code and give it to the developer.

Click on Store to create

Now this value is stored in Secrets Manager.

We provide this code to the folks who create/develop the frontend.

If you review the code, say Python3, you will not see the password.
The password is coming from the secret store.

Just developing the software/application is not the only solution; there are other factors to think about as well, such as
- you have to plan small components
- performance, latency, security
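Runtime lookup of the RDS credential secret, as an added example (not the code the console generates). It assumes the secret name /IN/dept1/team1/db_pass from the notes and the JSON layout the "credentials for RDS" secret type stores (engine, host, port, username, password, dbname); FakeSecretsClient is a constructed stand-in for boto3's secretsmanager client so the block runs offline, and its rotate() simulates a rotation changing the password. What it adds to the note above: a process that caches the secret forever keeps using an old password after the 30-day rotation, so the cache has a TTL, and the password reaches the DB driver but never a log line.

```python
"""Read RDS credentials from Secrets Manager at runtime, with a short-lived cache (added example)."""
import json
import time

REQUIRED = ("host", "port", "username", "password")


class CachedSecret:
    """Fetch a secret on demand and re-fetch after `ttl` seconds, so a rotated
    password is picked up within `ttl` instead of being held until restart."""

    def __init__(self, client, secret_id, ttl=300, clock=time.monotonic):
        self.client, self.secret_id, self.ttl, self.clock = client, secret_id, ttl, clock
        self._value, self._fetched_at = None, None

    def get(self):
        now = self.clock()
        if self._value is None or now - self._fetched_at >= self.ttl:
            resp = self.client.get_secret_value(SecretId=self.secret_id)
            self._value = parse_rds_secret(resp["SecretString"])
            self._fetched_at = now
        return self._value


def parse_rds_secret(secret_string):
    """Parse the JSON document the 'credentials for RDS' secret type stores."""
    creds = json.loads(secret_string)
    missing = [k for k in REQUIRED if k not in creds]
    if missing:
        raise ValueError(f"secret is missing fields: {missing}")
    return creds


def connection_params(creds):
    """Kwargs for a DB driver; the password is handed over, never printed."""
    return {"host": creds["host"], "port": int(creds["port"]),
            "user": creds["username"], "password": creds["password"],
            "database": creds.get("dbname", "")}


def redacted(creds):
    """Safe form for logs: everything except the password."""
    return {k: v for k, v in creds.items() if k != "password"}


class FakeSecretsClient:
    """Constructed stand-in for boto3's secretsmanager client (hostname and values are made up)."""

    def __init__(self):
        self.calls = 0
        self._doc = {"engine": "mysql", "host": "database-1.example.internal",
                     "port": 3306, "username": "jay", "password": "welcome",
                     "dbname": "team1"}

    def rotate(self, new_password):
        self._doc["password"] = new_password

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"Name": SecretId, "SecretString": json.dumps(self._doc)}


def real_secrets_client():
    import boto3  # imported lazily so the offline demo needs no AWS SDK installed
    return boto3.client("secretsmanager")


if __name__ == "__main__":
    client = FakeSecretsClient()
    secret = CachedSecret(client, "/IN/dept1/team1/db_pass", ttl=300)
    print("connecting with", redacted(secret.get()))  # no password in the output
```

With the real client the process needs secretsmanager:GetSecretValue on that one secret (and kms:Decrypt if a customer-managed key is used); the TTL is a trade-off between API calls and how long a rotated password keeps being retried, so a driver reconnect path should also refresh on an authentication failure.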



ACM
Let's go back and review asymmetric keys
Let's say we have a serverA with IP .100

We have a client c1 that wants to send a password to the server.

How can the password be shared?
Yesterday we discussed: the server can create a key pair, keep the private key and share the public key.

In HTTPS the client gets the public key from the server.
The client then generates its own symmetric key and encrypts it with the server's public key.
- now, send this encrypted key to the server.
- the server decrypts it with its private key. Now both the client and the server have the client's symmetric key; the client can send data and the server can decrypt the data.

In theory
if your data is encrypted using a symmetric key, you need the same symmetric key to decrypt.
if you are using the public key to encrypt, the private key can decrypt.
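The exchange described above, as an added example that is not part of the original notes: RSA-OAEP wraps the client's fresh AES-256-GCM key, then that symmetric key protects the data. It uses the cryptography package (not the standard library); the message username=jay&age=25 is constructed sample data. It shows what the scheme gives (a second key pair cannot unwrap the session key, a modified ciphertext is rejected) and what it does not: nothing here tells the client whose public key it received, which is exactly the gap the man-in-the-middle discussion that follows is about.

```python
"""Hybrid encryption: wrap a symmetric session key with the server's public key (added example)."""
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def server_generate_keypair():
    """Server side: the private key stays on the server, the public key is published."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def client_wrap_session_key(server_public_key):
    """Client side: make a random 256-bit AES key and wrap it with the server's public key."""
    session_key = AESGCM.generate_key(bit_length=256)
    wrapped = server_public_key.encrypt(session_key, OAEP)
    return session_key, wrapped


def server_unwrap_session_key(server_private_key, wrapped):
    """Server side: only the matching private key can recover the session key."""
    return server_private_key.decrypt(wrapped, OAEP)


def seal(session_key, plaintext):
    """Symmetric encryption; a fresh 96-bit nonce is prepended and GCM adds an integrity tag."""
    nonce = os.urandom(12)
    return nonce + AESGCM(session_key).encrypt(nonce, plaintext, None)


def open_sealed(session_key, blob):
    return AESGCM(session_key).decrypt(blob[:12], blob[12:], None)


def exchange(plaintext=b"username=jay&age=25"):
    """Run the exchange end to end and return what the server recovered."""
    server_key = server_generate_keypair()
    k_client, wrapped = client_wrap_session_key(server_key.public_key())  # `wrapped` goes over the wire
    k_server = server_unwrap_session_key(server_key, wrapped)
    assert k_client == k_server  # both sides now hold the same symmetric key
    return open_sealed(k_server, seal(k_client, plaintext))


def wrong_private_key_fails():
    """A different key pair cannot unwrap the session key (cryptography raises ValueError)."""
    real, other = server_generate_keypair(), server_generate_keypair()
    _, wrapped = client_wrap_session_key(real.public_key())
    try:
        server_unwrap_session_key(other, wrapped)
    except ValueError:
        return True
    return False


def tampered_ciphertext_fails():
    """Flipping one byte of the sealed data is caught by the GCM tag."""
    key = AESGCM.generate_key(bit_length=256)
    blob = bytearray(seal(key, b"username=jay&age=25"))
    blob[-1] ^= 0x01
    try:
        open_sealed(key, bytes(blob))
    except InvalidTag:
        return True
    return False


if __name__ == "__main__":
    print(exchange())
    print(wrong_private_key_fails(), tampered_ciphertext_fails())
```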


Man-in-the-middle attack?
How?

Let's say we have a server

serverA .100 - IP

All packets from the internet go from the client

Let's say

the request always comes from the client.
- the client creates a packet and includes the server IP
- the packet always goes through the network
- devices forward the packets until they reach the server
- the server sees where the packet is coming from.
- you see the destination of the packet
- what the attacker does:
when the packet is going through the network
- they redirect the packet to their laptop (using route poisoning)
- this time, they use a concept called IP cloning (phishing),
- they give the same IP to their system.
when the packet reaches the laptop, the client thinks this is server .100.

As you know,
website cloning - they use a tool to clone the website.

Now the attacker has the same IP, so they send their own key to the client

- the client feels it came from the real server.
the attacker's system gets the same copy of the key.
- the attacker can decrypt the password with that key.

This is called a phishing attack (man-in-the-middle attack)
- with this kind of technique, they can hack in

The client feels they are connected to the real server, and the attacker gets access to your system/account.
Attackers can fake the IP.

How to safeguard against the phishing attack?
How does the client come to know whether the public key is coming from the attacker or the real server?

How to transfer keys between server and client?

- using the help of a third-party company (CA - Certificate Authority)
- using the browser

What these companies do
- "I will share your public key with the client and they will confirm it's you."
If an attacker tries to attack, the user will be prompted and the connection is disconnected.

How?

Create a document with
- create a package/document - country, org, system host, public key
and send this document to a third-party company such as Verisign
- the company signs it (Verisign, GoDaddy)
- "I will put my identity on it (all browsers in the world know me, my internal certificate or its fingerprint)."
- the signed CRT goes back to the server.

The client gets the entire detail through the browser.

Say the attacker tries to break in:

The attacker can send a CSR to the CA; the CA asks for domain/company info. When the CA gets the request, none of the well-known CAs sign without a domain name. That's the reason it is recommended: don't use the IP address, use a hostname.

Note: these CA companies charge you a fee.

The CA signs the certificate with the DNS/domain name.

You need a signed certificate.

A self-signed certificate is not trusted; the browser alerts.

This entire setup is PKI - public key infrastructure.

CRT -> SSL certificate - foolproof security.

Go to your browser settings, search for "certificate"
go to Security, you will see it there.
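The checks a client performs on the signed certificate, as an added example in Python with the cryptography package (not from the notes). Everything in it is constructed: a root CA "Example Root CA" (standing in for the trust store a browser ships), a server key with a CSR for the hostname lb.example.com, and two impostor certificates for the same hostname made with the impostor's own key. The client accepts a certificate only if its issuer is the trusted CA, the CA's signature over the certificate body verifies, the hostname is in the SAN, and it is inside its validity dates; an impostor with the same IP and hostname fails either on the issuer or on the signature, which is how the browser knows the key is not the real server's.

```python
"""CA-signed certificate vs. impostor certificate: what the client verifies (added example)."""
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

HOST = "lb.example.com"  # constructed hostname


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_ca(cn="Example Root CA"):
    """The CA's own key and self-signed root certificate (the one browsers ship)."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(_name(cn))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=5))
            .not_valid_after(now + timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def make_csr(server_key, hostname):
    """Server side: the 'document' with host and public key that is sent to the CA."""
    return (x509.CertificateSigningRequestBuilder()
            .subject_name(_name(hostname))
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
            .sign(server_key, hashes.SHA256()))


def ca_sign(csr, signing_key, issuer_cert, days=365):
    """CA side: after domain validation, issue a certificate for the CSR's public key."""
    now = datetime.now(timezone.utc)
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return (x509.CertificateBuilder()
            .subject_name(csr.subject).issuer_name(issuer_cert.subject)
            .public_key(csr.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=5))
            .not_valid_after(now + timedelta(days=days))
            .add_extension(san, critical=False)
            .sign(signing_key, hashes.SHA256()))


def _utc(cert, attr):
    """Validity dates across cryptography versions (the *_utc properties exist from 42.0)."""
    value = getattr(cert, attr + "_utc", None)
    return value if value is not None else getattr(cert, attr).replace(tzinfo=timezone.utc)


def client_trusts(cert, hostname, ca_cert):
    """Client side: the checks a browser does before trusting the presented public key."""
    if cert.issuer != ca_cert.subject:          # 1. claims to be issued by our trusted CA
        return False
    try:                                        # 2. and the CA's key really produced the signature
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    if hostname not in san.get_values_for_type(x509.DNSName):   # 3. issued for this hostname
        return False
    now = datetime.now(timezone.utc)            # 4. still within its validity period
    return _utc(cert, "not_valid_before") <= now <= _utc(cert, "not_valid_after")


def scenario():
    """Genuine server vs. two impostors that present the same hostname with their own key."""
    ca_key, ca_cert = make_ca()
    server_key = ec.generate_private_key(ec.SECP256R1())
    genuine = ca_sign(make_csr(server_key, HOST), ca_key, ca_cert)

    imp_key = ec.generate_private_key(ec.SECP256R1())
    _, imp_root = make_ca("Impostor CA")        # a CA nobody trusts, or a self-signed cert
    untrusted_issuer = ca_sign(make_csr(imp_key, HOST), imp_key, imp_root)
    forged_issuer = ca_sign(make_csr(imp_key, HOST), imp_key, ca_cert)  # copies the CA's name only

    return {"genuine": client_trusts(genuine, HOST, ca_cert),
            "untrusted_issuer": client_trusts(untrusted_issuer, HOST, ca_cert),
            "forged_issuer": client_trusts(forged_issuer, HOST, ca_cert),
            "wrong_host": client_trusts(genuine, "other.example.com", ca_cert)}


if __name__ == "__main__":
    print(scenario())
```

A real browser does the same four checks plus chain building, revocation and key-usage checks; the point the notes make survives intact: the impostor can copy the IP, the hostname and even the CA's name, but without the CA's private key it cannot produce a signature that the CA's public key verifies.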


CA
- create a key pair (public key)
- create a CSR

send to CA
- valid for a year mostly

Every year you have to pay.

It's hard to manage; that's why AWS came up with ACM
- creates the CSR
- signs the CRT (SSL...)
- if expired, renews automatically
- the entire process is free...

This service is AWS Certificate Manager

Go to the AWS console
- Certificate Manager
- Request a certificate or Import a certificate (they manage it, or you can)
--> click on create request
- Request a public certificate (trusted by browsers/OS)
- click on Request a certificate.

Add domain


Lab:
- launch two web servers
go and use an AMI and launch two instances
tag: web-acm
all traffic
launch

Create a load balancer
ELB (provides a DNS name)

Need to encrypt the connection from client to ELB.

Get a certificate from GoDaddy or Verisign, or go to ACM to create one

Now, go to Load Balancer
- Classic LB
name: elb-acm

protocol: HTTPS port 443

[front end port for ELB is 443.]
- click next
Configure security settings

Certificate type:

- choose a certificate from ACM
- choose from IAM
- upload a certificate to IAM

Select the first option

Attach two of the instances, review and create

Go to Route 53 -> hosted zone
- create a record,
record name: lb
record type: CNAME

Copy the long ELB DNS name as the value - the alias makes it short.

> nslookup lb ...

The load balancer is connected to two instances.

Get the URL and paste it in the browser and the page is displayed.

You can give the smaller URL to the customer.




The client is the one who connects to the ELB. What we will do: change the ELB setting from HTTP:80 to HTTPS:443

Request a certificate
AWS Certificate Manager..
add domain name

You can add a wildcard certificate -> they charge you a higher fee.

Validation method
DNS validation
or email validation

select DNS

next, next
confirm

Review: you have to add an entry to your domain.


Now, go back to ACM
ACM has created the CRT, issued by Amazon.

We need a certificate managed/provisioned by ACM.
- apply the certificate to the ELB

Now, go back to ELB
click on Listeners
- edit
protocol

HTTPS

SSL certificate
change, select ACM -> select the certificate and save.

Now, your load balancer can be connected to using HTTPS

Now, you have a public key and a CA.

Every time, encrypt/decrypt is CPU intensive.

In this design, the connection to your internal servers (behind the ELB) is not secured, but the connection to your ELB is.

If you have a subdomain, you may have to create a new certificate.

Validate -> add entry to DNS
create a new record,
copy and paste the record name

create the record at DNS

Once your certificate is changed, you have to update your ELB.
Open your ELB, go to Listeners and change the port and certificate

Now go to your page
myname.domain.com

Now, the page is displayed without any alert.

