From a597819e8a964936e6bb9b45c6bcf084333502ad Mon Sep 17 00:00:00 2001
From: Dezo2018
Date: Wed, 21 Sep 2022 17:49:31 -0400
Subject: [PATCH 1/3] Lab 10-kms
---
 10-kms/Practice-10.1/PlaintextFile | 1 +
 10-kms/Practice-10.1/cmk_key.yml | 55 ++++++++++++++++++
 10-kms/Practice-10.1/encryptedFile | Bin 0 -> 174 bytes
 10-kms/Practice-10.1/file.txt | 1 +
 10-kms/Practice-10.1/scripts | 14 +++++
 10-kms/Practice-10.2/NewFile.txt | 1 +
 10-kms/Practice-10.2/go.mod | 10 ++++
 10-kms/Practice-10.2/go.sum | 22 +++++++
 .../Practice-10.2/s3_client_side_download.go | 55 ++++++++++++++++++
 10-kms/Practice-10.2/s3_client_side_upload.go | 55 ++++++++++++++++++
 10 files changed, 214 insertions(+)
 create mode 100644 10-kms/Practice-10.1/PlaintextFile
 create mode 100644 10-kms/Practice-10.1/cmk_key.yml
 create mode 100644 10-kms/Practice-10.1/encryptedFile
 create mode 100644 10-kms/Practice-10.1/file.txt
 create mode 100644 10-kms/Practice-10.1/scripts
 create mode 100644 10-kms/Practice-10.2/NewFile.txt
 create mode 100644 10-kms/Practice-10.2/go.mod
 create mode 100644 10-kms/Practice-10.2/go.sum
 create mode 100644 10-kms/Practice-10.2/s3_client_side_download.go
 create mode 100644 10-kms/Practice-10.2/s3_client_side_upload.go
diff --git a/10-kms/Practice-10.1/PlaintextFile b/10-kms/Practice-10.1/PlaintextFile
new file mode 100644
index 00000000..6675f302
--- /dev/null
+++ b/10-kms/Practice-10.1/PlaintextFile
@@ -0,0 +1 @@
+This is my secret file
\ No newline at end of file
diff --git a/10-kms/Practice-10.1/cmk_key.yml b/10-kms/Practice-10.1/cmk_key.yml
new file mode 100644
index 00000000..704bbc4c
--- /dev/null
+++ b/10-kms/Practice-10.1/cmk_key.yml
@@ -0,0 +1,55 @@ +Description: AWS CMK Key + +Resources: + myKey: + Type: 'AWS::KMS::Key' + Properties: + Description: A symmetric encryption KMS key + EnableKeyRotation: true + PendingWindowInDays: 20 + KeyPolicy: + Version: 2012-10-17 + Id: key-default-1 + Statement: + - Sid: Enable IAM User Permissions + Effect: Allow + Principal: + AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root" + Action: 'kms:*' + Resource: '*' + - Sid: Allow administration of the key + Effect: Allow + Principal: + AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/desmond.ndambi.labs" + Action: + - 'kms:Create*' + - 'kms:Describe*' + - 'kms:Enable*' + - 'kms:List*' + - 'kms:Put*' + - 'kms:Update*' + - 'kms:Revoke*' + - 'kms:Disable*' + - 'kms:Get*' + - 'kms:Delete*' + - 'kms:ScheduleKeyDeletion' + - 'kms:CancelKeyDeletion' + Resource: '*' + - Sid: Allow use of the key + Effect: Allow + Principal: + AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/desmond.ndambi.labs" + Action: + - 'kms:DescribeKey' + - 'kms:Encrypt' + - 'kms:Decrypt' + - 'kms:ReEncrypt*' + - 'kms:GenerateDataKey' + - 'kms:GenerateDataKeyWithoutPlaintext' + Resource: '*' + + myAlias: + Type: 'AWS::KMS::Alias' + Properties: + AliasName: alias/ndambi + TargetKeyId: !Ref myKey diff --git a/10-kms/Practice-10.1/encryptedFile b/10-kms/Practice-10.1/encryptedFile new file mode 100644 index 0000000000000000000000000000000000000000..4630c9e4002f05385c117521b5cb0c22ac647e70 GIT binary patch literal 174 zcmZQ%Vq&PcB71b>S3|Z-2d=ss8{P2TaO9D})we2U??Niyzg{@oP@M6}vr4XZz6IN+ zc0PCHcv!xJfq|jKpoooAtIebBJ1-+U+k#YsWF|%igE)j3qk$Y7XF{6?V=6NXqn?2v z3(vIeQ-t3f`FAcqDM*EhQJ}$a+WH;W@`Qd~bjbW_d0g64DDZbj({&fdkp93v<18Pa Xd4GOX{}wiOjPWZ`6W+CSxjrudY>Pw4 literal 0 HcmV?d00001 diff --git a/10-kms/Practice-10.1/file.txt b/10-kms/Practice-10.1/file.txt new file mode 100644 index 00000000..6675f302 --- /dev/null +++ b/10-kms/Practice-10.1/file.txt @@ -0,0 +1 @@ +This is my secret file \ No newline at end of file 
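Review bot: The `Allow administration of the key` and `Allow use of the key` statements both name `user/desmond.ndambi.labs`, so the same IAM user can rewrite the key policy (`kms:Put*`) and decrypt with the key, which leaves no separation between key administrators and key users. The user name is also fixed in the template; taking the two principals from `Parameters` (for example `AWS: !Ref KeyAdminArn` and `AWS: !Ref KeyUserArn`, names proposed here) lets the roles differ and keeps the stack reusable. A comment above the first statement such as `# Delegates access control for this key to IAM policies in the account` would explain why `kms:*` is granted to the account root.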
diff --git a/10-kms/Practice-10.1/scripts b/10-kms/Practice-10.1/scripts
new file mode 100644
index 00000000..f624bfba
--- /dev/null
+++ b/10-kms/Practice-10.1/scripts
@@ -0,0 +1,14 @@
+aws kms encrypt \
+ --key-id fbc58ad0-2bac-40fe-96ee-5ebd24d2f006 \
+ --plaintext fileb://file.txt \
+ --output text \
+ --query CiphertextBlob | base64 \
+ --decode > encryptedFile
+
+aws kms decrypt \
+ --ciphertext-blob fileb://encryptedFile \
+ --key-id fbc58ad0-2bac-40fe-96ee-5ebd24d2f006 \
+ --output text \
+ --query Plaintext | base64 \
+ --decode > PlaintextFile
+
diff --git a/10-kms/Practice-10.2/NewFile.txt b/10-kms/Practice-10.2/NewFile.txt
new file mode 100644
index 00000000..158a0601
--- /dev/null
+++ b/10-kms/Practice-10.2/NewFile.txt
@@ -0,0 +1 @@
+Test Client-Side encryption
diff --git a/10-kms/Practice-10.2/go.mod b/10-kms/Practice-10.2/go.mod
new file mode 100644
index 00000000..d6845094
--- /dev/null
+++ b/10-kms/Practice-10.2/go.mod
@@ -0,0 +1,10 @@
+module kms
+
+go 1.19
+
+require (
+ github.com/aws/aws-sdk-go v1.44.103 // indirect
+ github.com/aws/aws-sdk-go-v2 v1.16.16 // indirect
+ github.com/aws/smithy-go v1.13.3 // indirect
+ github.com/jmespath/go-jmespath v0.4.0 // indirect
+)
diff --git a/10-kms/Practice-10.2/go.sum b/10-kms/Practice-10.2/go.sum
new file mode 100644
index 00000000..70c1397e
--- /dev/null
+++ b/10-kms/Practice-10.2/go.sum
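Review bot: The decrypt command writes its result to `PlaintextFile` in the working tree, and that file is committed in this same patch together with `file.txt` and `encryptedFile`; decrypted output should go to a path outside the repository or one covered by `.gitignore`. Both commands address the key by the literal ID `fbc58ad0-2bac-40fe-96ee-5ebd24d2f006` although cmk_key.yml creates `alias/ndambi`, so `--key-id alias/ndambi` would keep working if the key is recreated. The file has no shebang and no `set -euo pipefail`, so when `aws kms` fails the pipeline still truncates the output file and the script carries on.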
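Review bot: Every entry in the `require` block of go.mod is marked `// indirect`, although both programs added in this directory import `github.com/aws/aws-sdk-go` packages directly, and nothing visible in the patch imports `aws-sdk-go-v2` or `smithy-go`. Running `go mod tidy` should leave `github.com/aws/aws-sdk-go v1.44.103` as a direct requirement and drop the modules that are not built, which keeps the dependency set down to what is actually used. The two `.go` files also both declare `main`, `bucket` and `key` in `package main` in one directory, so the module only works through `go run` on a single file; one subdirectory per program would let `go build ./...` and `go vet ./...` run.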
@@ -0,0 +1,22 @@ +github.com/aws/aws-sdk-go v1.44.103 h1:tbhBHKgiZSIUkG8FcHy3wYKpPVvp65Wn7ZiX0B8phpY= +github.com/aws/aws-sdk-go v1.44.103/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= +github.com/aws/aws-sdk-go-v2 v1.16.16 h1:M1fj4FE2lB4NzRb9Y0xdWsn2P0+2UHVxwKyOa4YJNjk= +github.com/aws/aws-sdk-go-v2 v1.16.16/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k= +github.com/aws/smithy-go v1.13.3 h1:l7LYxGuzK6/K+NzJ2mC+VvLUbae0sL3bXU//04MkmnA= +github.com/aws/smithy-go v1.13.3/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= +github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= +github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod 
h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
diff --git a/10-kms/Practice-10.2/s3_client_side_download.go b/10-kms/Practice-10.2/s3_client_side_download.go
new file mode 100644
index 00000000..096e6e33
--- /dev/null
+++ b/10-kms/Practice-10.2/s3_client_side_download.go
@@ -0,0 +1,55 @@
+package main
+
+import (
+ "fmt"
+ "io/ioutil"
+ "log"
+
+ "github.com/aws/aws-sdk-go/aws"
+ "github.com/aws/aws-sdk-go/aws/session"
+ "github.com/aws/aws-sdk-go/service/s3"
+ "github.com/aws/aws-sdk-go/service/s3/s3crypto"
+ "os"
+)
+
+var (
+ bucket = "kms-bucket-ndambi"
+ key = "clientside.txt"
+)
+
+func main() {
+ sess := session.New(&aws.Config{
+ Region: aws.String("us-east-1"),})
+
+ client := s3crypto.NewDecryptionClient(sess)
+
+ input := &s3.GetObjectInput{
+ Bucket: &bucket,
+ Key: &key,
+ }
+
+ result, err := client.GetObject(input)
+ // Aside from the S3 errors, here is a list of decryption client errors:
+ // * InvalidWrapAlgorithmError - returned on an unsupported Wrap algorithm
+ // * InvalidCEKAlgorithmError - returned on an unsupported CEK algorithm
+ // * V1NotSupportedError - the SDK doesn’t support v1 because security is an issue for AES ECB
+ // These errors don’t necessarily mean there’s something wrong. They just tell us we couldn't decrypt some data.
+ // Users can choose to log this and then continue decrypting the data that they can, or simply return the error.
+ if err != nil {
+ log.Fatal(err)
+ }
+
+ // Let's read the whole body from the response
+ b, err := ioutil.ReadAll(result.Body)
+ if err != nil {
+ log.Fatal(err)
+ }
+ //fmt.Println(string(b))
+
+ file, err := os.Create("NewFile.txt")
+ if err != nil {
+ fmt.Println(err)
+ return
+ }
+ fmt.Fprintf(file, "%v\n", string(b))
+}
diff --git a/10-kms/Practice-10.2/s3_client_side_upload.go b/10-kms/Practice-10.2/s3_client_side_upload.go
new file mode 100644
index 00000000..7f885b6b
--- /dev/null
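Review bot: The decrypted object is written through `os.Create`, which creates NewFile.txt with mode 0666 before the umask is applied, and `fmt.Fprintf(file, "%v\n", string(b))` appends a newline, ignores the write error and leaves the file unclosed. Replacing that tail of `main` with `if err := os.WriteFile("NewFile.txt", b, 0o600); err != nil { log.Fatal(err) }` writes the exact plaintext bytes with owner-only permissions and reports failure with a non-zero exit, unlike the current `fmt.Println(err); return`. `result.Body` is never closed either, so `defer result.Body.Close()` belongs right after the `GetObject` error check. Separately, `session.New` discards session errors and `s3crypto.NewDecryptionClient` is the v1 decryption client that the SDK marks deprecated; `session.NewSession` and `s3crypto.NewDecryptionClientV2` with a crypto registry are the maintained equivalents, to be confirmed against the pinned SDK version.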
+++ b/10-kms/Practice-10.2/s3_client_side_upload.go
@@ -0,0 +1,55 @@
+/*
+Licensed under the MIT-0 license https://github.com/aws/mit-0
+*/
+package main
+
+import (
+ "log"
+ "strings"
+
+ "github.com/aws/aws-sdk-go/aws"
+ "github.com/aws/aws-sdk-go/aws/credentials"
+ "github.com/aws/aws-sdk-go/aws/session"
+ "github.com/aws/aws-sdk-go/service/kms"
+ "github.com/aws/aws-sdk-go/service/s3"
+ "github.com/aws/aws-sdk-go/service/s3/s3crypto"
+)
+
+var (
+ cmkId = "fbc58ad0-2bac-40fe-96ee-5ebd24d2f006"
+ bucket = "kms-bucket-ndambi"
+ key = "clientside.txt"
+)
+
+func main() {
+ sess, err := session.NewSession(&aws.Config{
+ Region: aws.String("us-east-1"),
+ Credentials: credentials.NewSharedCredentials("", "default"),
+ })
+ // This is our key wrap handler, used to generate cipher keys and IVs for
+ // our cipher builder. Using an IV allows more “spontaneous” encryption.
+ // The IV makes it more difficult for hackers to use dictionary attacks.
+ // The key wrap handler behaves as the master key. Without it, you can’t
+ // encrypt or decrypt the data.
+ keywrap := s3crypto.NewKMSKeyGenerator(kms.New(sess), cmkId)
+ // This is our content cipher builder, used to instantiate new ciphers
+ // that enable us to encrypt or decrypt the payload.
+ builder := s3crypto.AESGCMContentCipherBuilder(keywrap)
+ // Let's create our crypto client!
+ client := s3crypto.NewEncryptionClient(sess, builder)
+
+ input := &s3.PutObjectInput{
+ Bucket: &bucket,
+ Key: &key,
+ Body: strings.NewReader("Test Client-Side encryption"),
+ }
+
+ _, err = client.PutObject(input)
+ // What to expect as errors? You can expect any sort of S3 errors, http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html.
+ // The s3crypto client can also return some errors:
+ // * MissingCMKIDError - when using AWS KMS, the user must specify their key's ARN
+ if err != nil {
+ log.Fatal(err)
+ }
+}
+
From c9056754893bbf19830f5f0c788e9f8d1e9af36f Mon Sep 17 00:00:00 2001
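Review bot: The error returned by `session.NewSession` is never examined in `main`: `err` is next read only after `_, err = client.PutObject(input)` has overwritten it, so a broken shared-credentials profile shows up later as an opaque KMS or S3 failure. `NewKMSKeyGenerator`, `AESGCMContentCipherBuilder` and `NewEncryptionClient` are also the s3crypto v1 entry points, which the SDK marks deprecated in favour of the V2 constructors sketched below. Objects written through the V2 client use the KMS-with-context key wrap, so s3_client_side_download.go has to move to `NewDecryptionClientV2` in the same change. The key ID in `cmkId` is hard-coded; reading it from the environment or a flag would keep account-specific identifiers out of the source.

```go
	sess, err := session.NewSession(&aws.Config{
		// … unchanged: Region and Credentials …
	})
	if err != nil {
		log.Fatal(err)
	}
	// … unchanged: comments describing the key wrap handler and cipher builder …
	keywrap := s3crypto.NewKMSContextKeyGenerator(kms.New(sess), cmkId, s3crypto.MaterialDescription{})
	builder := s3crypto.AESGCMContentCipherBuilderV2(keywrap)
	client, err := s3crypto.NewEncryptionClientV2(sess, builder)
	if err != nil {
		log.Fatal(err)
	}
	// … unchanged: PutObjectInput, PutObject call and its error check …
```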
From: Dezo2018 Date: Thu, 22 Sep 2022 10:57:05 -0400 Subject: [PATCH 2/3] removing files --- 10-kms/Practice-10.1/PlaintextFile | 1 - 10-kms/Practice-10.1/cmk_key.yml | 55 ------------------ 10-kms/Practice-10.1/encryptedFile | Bin 174 -> 0 bytes 10-kms/Practice-10.1/file.txt | 1 - 10-kms/Practice-10.1/scripts | 14 ----- 10-kms/Practice-10.2/NewFile.txt | 1 - 10-kms/Practice-10.2/go.mod | 10 ---- 10-kms/Practice-10.2/go.sum | 22 ------- .../Practice-10.2/s3_client_side_download.go | 55 ------------------ 10-kms/Practice-10.2/s3_client_side_upload.go | 55 ------------------ 10 files changed, 214 deletions(-) delete mode 100644 10-kms/Practice-10.1/PlaintextFile delete mode 100644 10-kms/Practice-10.1/cmk_key.yml delete mode 100644 10-kms/Practice-10.1/encryptedFile delete mode 100644 10-kms/Practice-10.1/file.txt delete mode 100644 10-kms/Practice-10.1/scripts delete mode 100644 10-kms/Practice-10.2/NewFile.txt delete mode 100644 10-kms/Practice-10.2/go.mod delete mode 100644 10-kms/Practice-10.2/go.sum delete mode 100644 10-kms/Practice-10.2/s3_client_side_download.go delete mode 100644 10-kms/Practice-10.2/s3_client_side_upload.go diff --git a/10-kms/Practice-10.1/PlaintextFile b/10-kms/Practice-10.1/PlaintextFile deleted file mode 100644 index 6675f302..00000000 --- a/10-kms/Practice-10.1/PlaintextFile +++ /dev/null @@ -1 +0,0 @@ -This is my secret file \ No newline at end of file diff --git a/10-kms/Practice-10.1/cmk_key.yml b/10-kms/Practice-10.1/cmk_key.yml deleted file mode 100644 index 704bbc4c..00000000 --- a/10-kms/Practice-10.1/cmk_key.yml +++ /dev/null 
@@ -1,55 +0,0 @@ -Description: AWS CMK Key - -Resources: - myKey: - Type: 'AWS::KMS::Key' - Properties: - Description: A symmetric encryption KMS key - EnableKeyRotation: true - PendingWindowInDays: 20 - KeyPolicy: - Version: 2012-10-17 - Id: key-default-1 - Statement: - - Sid: Enable IAM User Permissions - Effect: Allow - Principal: - AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root" - Action: 'kms:*' - Resource: '*' - - Sid: Allow administration of the key - Effect: Allow - Principal: - AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/desmond.ndambi.labs" - Action: - - 'kms:Create*' - - 'kms:Describe*' - - 'kms:Enable*' - - 'kms:List*' - - 'kms:Put*' - - 'kms:Update*' - - 'kms:Revoke*' - - 'kms:Disable*' - - 'kms:Get*' - - 'kms:Delete*' - - 'kms:ScheduleKeyDeletion' - - 'kms:CancelKeyDeletion' - Resource: '*' - - Sid: Allow use of the key - Effect: Allow - Principal: - AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/desmond.ndambi.labs" - Action: - - 'kms:DescribeKey' - - 'kms:Encrypt' - - 'kms:Decrypt' - - 'kms:ReEncrypt*' - - 'kms:GenerateDataKey' - - 'kms:GenerateDataKeyWithoutPlaintext' - Resource: '*' - - myAlias: - Type: 'AWS::KMS::Alias' - Properties: - AliasName: alias/ndambi - TargetKeyId: !Ref myKey diff --git a/10-kms/Practice-10.1/encryptedFile b/10-kms/Practice-10.1/encryptedFile deleted file mode 100644 index 4630c9e4002f05385c117521b5cb0c22ac647e70..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 174 zcmZQ%Vq&PcB71b>S3|Z-2d=ss8{P2TaO9D})we2U??Niyzg{@oP@M6}vr4XZz6IN+ zc0PCHcv!xJfq|jKpoooAtIebBJ1-+U+k#YsWF|%igE)j3qk$Y7XF{6?V=6NXqn?2v z3(vIeQ-t3f`FAcqDM*EhQJ}$a+WH;W@`Qd~bjbW_d0g64DDZbj({&fdkp93v<18Pa Xd4GOX{}wiOjPWZ`6W+CSxjrudY>Pw4 diff --git a/10-kms/Practice-10.1/file.txt b/10-kms/Practice-10.1/file.txt deleted file mode 100644 index 6675f302..00000000 --- a/10-kms/Practice-10.1/file.txt +++ /dev/null @@ -1 +0,0 @@ -This is my secret file \ No newline at end of file 
diff --git a/10-kms/Practice-10.1/scripts b/10-kms/Practice-10.1/scripts deleted file mode 100644 index f624bfba..00000000 --- a/10-kms/Practice-10.1/scripts +++ /dev/null @@ -1,14 +0,0 @@ -aws kms encrypt \ - --key-id fbc58ad0-2bac-40fe-96ee-5ebd24d2f006 \ - --plaintext fileb://file.txt \ - --output text \ - --query CiphertextBlob | base64 \ - --decode > encryptedFile - -aws kms decrypt \ - --ciphertext-blob fileb://encryptedFile \ - --key-id fbc58ad0-2bac-40fe-96ee-5ebd24d2f006 \ - --output text \ - --query Plaintext | base64 \ - --decode > PlaintextFile - diff --git a/10-kms/Practice-10.2/NewFile.txt b/10-kms/Practice-10.2/NewFile.txt deleted file mode 100644 index 158a0601..00000000 --- a/10-kms/Practice-10.2/NewFile.txt +++ /dev/null @@ -1 +0,0 @@ -Test Client-Side encryption diff --git a/10-kms/Practice-10.2/go.mod b/10-kms/Practice-10.2/go.mod deleted file mode 100644 index d6845094..00000000 --- a/10-kms/Practice-10.2/go.mod +++ /dev/null @@ -1,10 +0,0 @@ -module kms - -go 1.19 - -require ( - github.com/aws/aws-sdk-go v1.44.103 // indirect - github.com/aws/aws-sdk-go-v2 v1.16.16 // indirect - github.com/aws/smithy-go v1.13.3 // indirect - github.com/jmespath/go-jmespath v0.4.0 // indirect -) diff --git a/10-kms/Practice-10.2/go.sum b/10-kms/Practice-10.2/go.sum deleted file mode 100644 index 70c1397e..00000000 --- a/10-kms/Practice-10.2/go.sum +++ /dev/null 
@@ -1,22 +0,0 @@ -github.com/aws/aws-sdk-go v1.44.103 h1:tbhBHKgiZSIUkG8FcHy3wYKpPVvp65Wn7ZiX0B8phpY= -github.com/aws/aws-sdk-go v1.44.103/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= -github.com/aws/aws-sdk-go-v2 v1.16.16 h1:M1fj4FE2lB4NzRb9Y0xdWsn2P0+2UHVxwKyOa4YJNjk= -github.com/aws/aws-sdk-go-v2 v1.16.16/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k= -github.com/aws/smithy-go v1.13.3 h1:l7LYxGuzK6/K+NzJ2mC+VvLUbae0sL3bXU//04MkmnA= -github.com/aws/smithy-go v1.13.3/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= -github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= -github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= -github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= -github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= -golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod 
h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= diff --git a/10-kms/Practice-10.2/s3_client_side_download.go b/10-kms/Practice-10.2/s3_client_side_download.go deleted file mode 100644 index 096e6e33..00000000 --- a/10-kms/Practice-10.2/s3_client_side_download.go +++ /dev/null @@ -1,55 +0,0 @@ -package main - -import ( - "fmt" - "io/ioutil" - "log" - - "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/aws/session" - "github.com/aws/aws-sdk-go/service/s3" - "github.com/aws/aws-sdk-go/service/s3/s3crypto" - "os" -) - -var ( - bucket = "kms-bucket-ndambi" - key = "clientside.txt" -) - -func main() { - sess := session.New(&aws.Config{ - Region: aws.String("us-east-1"),}) - - client := s3crypto.NewDecryptionClient(sess) - - input := &s3.GetObjectInput{ - Bucket: &bucket, - Key: &key, - } - - result, err := client.GetObject(input) - // Aside from the S3 errors, here is a list of decryption client errors: - // * InvalidWrapAlgorithmError - returned on an unsupported Wrap algorithm - // * InvalidCEKAlgorithmError - returned on an unsupported CEK algorithm - // * V1NotSupportedError - the SDK doesn’t support v1 because security is an issue for AES ECB - // These errors don’t necessarily mean there’s something wrong. They just tell us we couldn't decrypt some data. - // Users can choose to log this and then continue decrypting the data that they can, or simply return the error. - if err != nil { - log.Fatal(err) - } - - // Let's read the whole body from the response - b, err := ioutil.ReadAll(result.Body) - if err != nil { - log.Fatal(err) - } - //fmt.Println(string(b)) - - file, err := os.Create("NewFile.txt") - if err != nil { - fmt.Println(err) - return - } - fmt.Fprintf(file, "%v\n", string(b)) -} diff --git a/10-kms/Practice-10.2/s3_client_side_upload.go b/10-kms/Practice-10.2/s3_client_side_upload.go deleted file mode 100644 index 7f885b6b..00000000 
--- a/10-kms/Practice-10.2/s3_client_side_upload.go +++ /dev/null @@ -1,55 +0,0 @@ -/* -Licensed under the MIT-0 license https://github.com/aws/mit-0 -*/ -package main - -import ( - "log" - "strings" - - "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/aws/credentials" - "github.com/aws/aws-sdk-go/aws/session" - "github.com/aws/aws-sdk-go/service/kms" - "github.com/aws/aws-sdk-go/service/s3" - "github.com/aws/aws-sdk-go/service/s3/s3crypto" -) - -var ( - cmkId = "fbc58ad0-2bac-40fe-96ee-5ebd24d2f006" - bucket = "kms-bucket-ndambi" - key = "clientside.txt" -) - -func main() { - sess, err := session.NewSession(&aws.Config{ - Region: aws.String("us-east-1"), - Credentials: credentials.NewSharedCredentials("", "default"), - }) - // This is our key wrap handler, used to generate cipher keys and IVs for - // our cipher builder. Using an IV allows more “spontaneous” encryption. - // The IV makes it more difficult for hackers to use dictionary attacks. - // The key wrap handler behaves as the master key. Without it, you can’t - // encrypt or decrypt the data. - keywrap := s3crypto.NewKMSKeyGenerator(kms.New(sess), cmkId) - // This is our content cipher builder, used to instantiate new ciphers - // that enable us to encrypt or decrypt the payload. - builder := s3crypto.AESGCMContentCipherBuilder(keywrap) - // Let's create our crypto client! - client := s3crypto.NewEncryptionClient(sess, builder) - - input := &s3.PutObjectInput{ - Bucket: &bucket, - Key: &key, - Body: strings.NewReader("Test Client-Side encryption"), - } - - _, err = client.PutObject(input) - // What to expect as errors? You can expect any sort of S3 errors, http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html. - // The s3crypto client can also return some errors: - // * MissingCMKIDError - when using AWS KMS, the user must specify their key's ARN - if err != nil { - log.Fatal(err) - } -} - From d08f51dbb5d6b9d6dfb47a4b83057cd240e557ba Mon Sep 17 00:00:00 2001 
From: Dezo2018
Date: Wed, 12 Oct 2022 17:42:49 -0400
Subject: [PATCH 3/3] Lab-18 Step Function
---
 18-step-functions/Practice-18.2/stack.yml | 65 +++++++
 18-step-functions/Practice-18.3/stack.yml | 205 ++++++++++++++++++++++
 2 files changed, 270 insertions(+)
 create mode 100644 18-step-functions/Practice-18.2/stack.yml
 create mode 100644 18-step-functions/Practice-18.3/stack.yml
diff --git a/18-step-functions/Practice-18.2/stack.yml b/18-step-functions/Practice-18.2/stack.yml
new file mode 100644
index 00000000..4e185ece
--- /dev/null
+++ b/18-step-functions/Practice-18.2/stack.yml
@@ -0,0 +1,65 @@
+Description: Lamda State machine
+
+Resources:
+ LambdaExecutionRole:
+ Type: AWS::IAM::Role
+ Properties:
+ AssumeRolePolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service: lambda.amazonaws.com
+ Action: "sts:AssumeRole"
+ MyLambdaFunction:
+ Type: AWS::Lambda::Function
+ Properties:
+ Handler: "index.handler"
+ Role: !GetAtt [ LambdaExecutionRole, Arn ]
+ Code:
+ ZipFile: |
+ exports.handler = (event, context, callback) => {
+ callback(null, "Hello AWS");
+ };
+ Runtime: "nodejs12.x"
+ Timeout: "25"
+ StatesExecutionRole:
+ Type: AWS::IAM::Role
+ Properties:
+ AssumeRolePolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: "Allow"
+ Principal:
+ Service:
+ - !Sub states.${AWS::Region}.amazonaws.com
+ Action: "sts:AssumeRole"
+ Path: "/"
+ Policies:
+ - PolicyName: StatesExecutionPolicy
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Action:
+ - "lambda:InvokeFunction"
+ Resource: "*"
+ StateMachine:
+ Type: AWS::StepFunctions::StateMachine
+ Properties:
+ DefinitionString:
+ !Sub
+ - |-
+ {
+ "Comment": "A Hello AWS using an AWS Lambda Function",
+ "StartAt": "HelloAWS",
+ "States": {
+ "HelloAWS": {
+ "Type": "Task",
+ "Resource": "${lambdaArn}",
+ "End": true
+ }
+ }
+ }
+ - {lambdaArn: !GetAtt [ MyLambdaFunction, Arn ]}
+ RoleArn: !GetAtt [ StatesExecutionRole, Arn ]
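Review bot: `StatesExecutionPolicy` allows `lambda:InvokeFunction` on `Resource: "*"`, so the state machine role may invoke every function in the account although the definition only calls `MyLambdaFunction`; `Resource: !GetAtt MyLambdaFunction.Arn` scopes it to that one function. The same statement is repeated in 18-step-functions/Practice-18.3/stack.yml. `LambdaExecutionRole` has a trust policy but no permissions, so the function appears unable to write its CloudWatch logs; attaching the basic execution managed policy or an inline `logs:*` grant limited to the function's log group would restore that audit trail. `Runtime: "nodejs12.x"` names a Node.js release that is past end of support, so both templates should move to a runtime Lambda currently supports.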
diff --git a/18-step-functions/Practice-18.3/stack.yml b/18-step-functions/Practice-18.3/stack.yml
new file mode 100644
index 00000000..78f86be2
--- /dev/null
+++ b/18-step-functions/Practice-18.3/stack.yml
@@ -0,0 +1,205 @@ +Description: Step Function and S3 events + +Parameters: + TrailName: + Type: String + Default: LSME-Trail + BucketName: + Type: String + Default: lsme-bucket + +Resources: + LambdaExecutionRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Principal: + Service: lambda.amazonaws.com + Action: "sts:AssumeRole" + MyLambdaFunction: + Type: AWS::Lambda::Function + Properties: + Handler: "index.handler" + Role: !GetAtt [ LambdaExecutionRole, Arn ] + Code: + ZipFile: | + exports.handler = (event, context, callback) => { + callback(null, "Hello AWS"); + }; + Runtime: "nodejs12.x" + Timeout: "25" + StatesExecutionRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: "Allow" + Principal: + Service: + - !Sub states.${AWS::Region}.amazonaws.com + Action: "sts:AssumeRole" + Path: "/" + Policies: + - PolicyName: StatesExecutionPolicy + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: + - "lambda:InvokeFunction" + Resource: "*" + StateMachine: + Type: AWS::StepFunctions::StateMachine + Properties: + DefinitionString: + !Sub + - |- + { + "Comment": "A Hello AWS using an AWS Lambda Function", + "StartAt": "HelloAWS", + "States": { + "HelloAWS": { + "Type": "Task", + "Resource": "${lambdaArn}", + "End": true + } + } + } + - {lambdaArn: !GetAtt [ MyLambdaFunction, Arn ]} + RoleArn: !GetAtt [ StatesExecutionRole, Arn ] + + S3Bucket: + Type: 'AWS::S3::Bucket' + Properties: + BucketName: !Ref BucketName + NotificationConfiguration: + EventBridgeConfiguration: + EventBridgeEnabled: true + S3BucketPolicy: + Type: 'AWS::S3::BucketPolicy' + Properties: + Bucket: !Ref S3Bucket + PolicyDocument: + Version: "2012-10-17" + Statement: + - + Sid: 'AWSCloudTrailAclCheck20150319' + Effect: Allow + Principal: + Service: [cloudtrail.amazonaws.com] + Action: s3:GetBucketAcl + Resource: !Sub 
arn:aws:s3:::${S3Bucket} + Condition: + StringEquals: + aws:SourceArn: !Sub "arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/${Trail}" + - + Sid: 'AWSCloudTrailAclWrite20150319' + Effect: Allow + Principal: + Service: [cloudtrail.amazonaws.com] + Action: s3:PutObject + Resource: !Sub arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/* + Condition: + StringEquals: + s3:x-amz-acl: bucket-owner-full-control + aws:SourceArn: !Sub "arn:aws:cloudTrail:${AWS::Region}:${AWS::AccountId}:trail/${Trail}" + CloudWatchLogGroup: + Type: AWS::Logs::LogGroup + Properties: + RetentionInDays: 7 + CloudWatchLogStream: + Type: AWS::Logs::LogStream + Properties: + LogGroupName: !Ref CloudWatchLogGroup + LogStreamName: "CloudWatchLogStream" + CloudWatchLogRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: "Allow" + Principal: + Service: [cloudtrail.amazonaws.com] + Action: "sts:AssumeRole" + Path: "/" + Policies: + - PolicyName: CloudTrailRoleForCLoudWatch_desmond + PolicyDocument: + Statement: + - Effect: Allow + Action: [ + 'logs:CreateLogStream', + 'logs:PutLogEvents' + ] + Resource: + - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:${CloudWatchLogGroup}:log-stream:${AWS::AccountId}_CloudTrail_${AWS::Region}*" + Trail: + Type: AWS::CloudTrail::Trail + DependsOn: + - CloudWatchLogGroup + - CloudWatchLogRole + Properties: + S3BucketName: !Ref S3Bucket + IsLogging: true + TrailName: !Ref TrailName + IsMultiRegionTrail: true + EnableLogFileValidation: true + CloudWatchLogsLogGroupArn: !GetAtt CloudWatchLogGroup.Arn + CloudWatchLogsRoleArn: !GetAtt CloudWatchLogRole.Arn + IncludeGlobalServiceEvents: true + EventSelectors: + - DataResources: + - Type: AWS::S3::Object + Values: + - !Sub "arn:${AWS::Partition}:s3" + IncludeManagementEvents: true + ReadWriteType: All + EventBridge: + Type: AWS::Events::Rule + DependsOn: + - EventBridgeIAMExecutionRole + Properties: + Description: "An event rule to 
trigger state machine from s3 file upload" + Name: "s3EventRule" + EventPattern: + source: + - "aws.s3" + detail-type: + - 'Object Created' + detail: + bucket: + name: + - !Ref S3Bucket + Targets: + - + Arn: + !Join [ '', [ 'arn:aws:states:', !Ref 'AWS::Region', ':', !Ref 'AWS::AccountId', ':', stateMachine, ':', !GetAtt StateMachine.Name ] ] + Id: "StateMachine" + RoleArn: !GetAtt EventBridgeIAMExecutionRole.Arn + EventBridgeIAMExecutionRole: + Type: 'AWS::IAM::Role' + Properties: + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + Service: !Sub events.amazonaws.com + Action: 'sts:AssumeRole' + Path: / + Policies: + - PolicyName: PutEventsDestinationBus + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: + - 'states:StartExecution' + Resource: + - !Join [ '', [ 'arn:aws:states:', !Ref 'AWS::Region', ':', !Ref 'AWS::AccountId', ':', stateMachine, ':', !GetAtt StateMachine.Name ] ] +
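Review bot: In the `AWSCloudTrailAclWrite20150319` statement the `aws:SourceArn` value is built from `arn:aws:cloudTrail:` with a capital T, while the ACL-check statement uses `arn:aws:cloudtrail:`; `StringEquals` compares case-sensitively, so the `s3:PutObject` allow is unlikely to match the trail's real ARN and log delivery would be refused. Both conditions interpolate `${Trail}`, which makes the bucket policy wait for the trail even though the trail needs the policy in place when it validates the bucket; building the value from the parameter, `!Sub "arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/${TrailName}"`, and adding `S3BucketPolicy` to the trail's `DependsOn` removes that ordering problem. The bucket is also both the trail's destination and the source of the `Object Created` rule, and the selector `arn:${AWS::Partition}:s3` records data events for every bucket, so each delivered log file can start the state machine. A separate upload bucket, or an object-key prefix filter in the rule's `EventPattern`, would keep log delivery from triggering executions.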