I have a server, which should provide temporary AWS credentials to the client. The credentials will be transmitted using HTTPS.
The client should be able to upload S3 files, as well as download them. The concern I have is the following:
I have multiple users accessing ONLY their own directory: /Users/someUser/myfile.png
You can set policies to allow or deny S3 in general, but you can't grant only the access to a specific path.
What should I do about this? Will the HTTPS transmission be enough?
Then my second question.
If I hear "temporary credentials", I have a key in mind, that is valid for a couple of hours and then expires. But I'm not sure if IAM is really built for that.
Should I provide the same credentials for all users?
Or do I generate a key-pair for each client?
The server runs with PHP, the client with Objective-C.
You can specify permissions on a path in Amazon S3. For more details see the following:
Using IAM Policies
Also, if you want to create "temporary credentials" you can use the AWS Security Token Service. This service allows you to create credentials that last from 1 - 36 hours and you can put a policy on those credentials to limit their access. For more details about the service see:
Security Token Service API Reference
Finally, there is an article written for the AWS Mobile SDKs that does something similar. It has a server to issue temporary credentials to users that use an Amazon S3 bucket. It limits the users to a "sub-folder" of the bucket and also limits their actions. You can read and this sample here:
Credential Management for Mobile Applications
Hope this helps you get to the information you need.
Related
im trying to find the best solution on a API that im developing, basically in my API i store images on s3 private buckets, and in the private buckets i need to be displayed on a mobile app.
I have 2 solutions but are not the best in my view:
1) Send the images in base64.
Problem: Need to change the app to read the base64 images since before was reading by accessing a url.
2) Access the private bucket authenticating in app using s3 credentials
Problem: Not completelly secure, exposing the credentials saving in the app.
Does someone cross by the same situation? Any idea.
If your users do not login and you want to share the same content to all users of your app, then your mobile app should:
Use the AWS Security Token Service (STS) to generate a set of temporary credentials using AssumeRole - AWS Security Token Service
The Role should be pre-configured to have permissions to access the S3 bucket
Send the temporary credentials to the mobile app
The mobile app can then use those credentials to access the private content in Amazon S3
If, instead, your users authenticate to your application, then you will probably want to control which objects they can access in S3. For this, the flow would be:
Users authenticate to the application
When they wish to access an object, your back-end application verifies whether they are entitled to access an object
If they are permitted, then the app should generate an Amazon S3 pre-signed URLs, which is a time-limited URL that grants access to a private object
Ive recently started looking into authenticating with azure active directory using client credentials grant with public/private certificates as detailed here: https://learn.microsoft.com/en-gb/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow
Im running an external PHP/LEMP server outside of the azure hosting platform etc etc.
I've managed to get the connection to azure ad working successfully as seen below:
The question is more how we do the credential storage so i can actually do the authorisation. The ironic thing is, i need to store these credentials so i can access ones stored securely within the key vault! So im just wondering does anyone have any recommendations for storing of the:
Tennant ID
Client ID
Scope Uri (i guess i should include this to, as it's an id/guid as such)
Is it safe to store these values as plain text within a sites database?
Would you recommend environment variables? Just wondering what peoples approach is to this.
Many thanks!
I would suggest you store these variables in Key Vault, that's the most secure option. However, then obviously you need keys to access Key Vault.
If you were running your web app in Azure then this would be easy. You can use managed identity to give your web app an identity, and grant this access to KV, done. As your running outside of Azure, the next best method would be to generate a service principal that authenticates with a certificate, grant this service principal access to key vault, then store the private key on your web server and use this to auth. See here for details on creating a service principal.
I have a plan to develop an online file manager application to manage(add/edit/update/copy/delete) my client's(My business clients) server files. Instead of using Filezila or any such FTP applications. Because there is no such options to track the file changes history in those applications.
My idea is
Placing an agent file in production server (http://example-client-site.com/file-manager-api.php)
Call the agent file (file-manager-api.php) from my project management system, which is hosted online. (http://example-proj-mgmt.com)
So i can access the production server files from my project management system like REST API , without connecting through FTP.
My question is, what are the security issues in the way of access the server through URL REST API method ?
Please give me some idea to overcome the security issues.
Thanks in advance :)
The Concept is good, I only have concerned with security. What you can do is you can keep something like Token or Authorization key or such, where only authorized users can access it, as the concerned is REST API.
Authorization (Tokn key)
Protect Against Cross-site Request Forgery
Insecure Direct Object References
URL Validations
Secure Parsing & Strong Typing
Validate Incoming Content-types
JSON Encoding
Message Integrity
I am not entirely sure if this is the question I should be asking so feel free to submit edits.
I am developing a desktop app I plan to distribute and use amazon Polly to read text the user enters. I am having trouble understanding how to securely allow users to access the service under our program without exposing the access key.
I saw in a previous example that I should create a request to use the resource, have the access and secret access key in a server and it sign the request. Then send it back to the user on the desktop application.
If this is correct could someone explain and give me a simple example of how to accomplish this in python? Thank you. :)
Here is what I have so far that I would like to be on the code clients download:
from boto3 import client
import boto3
import StringIO
from contextlib import closing
polly = boto3.client(
'polly',
region_name='us-east-1',
aws_access_key_id='I_want_to_protect_this',
aws_secret_access_key='I_also_want_to_protect_this'
)
response = polly.synthesize_speech(
Text="Good Morning. My Name is Rajesh. I am Testing Polly AWS Service For Voice Application.",
OutputFormat="mp3",
VoiceId="Raveena")
print(response)
if "AudioStream" in response:
with closing(response["AudioStream"]) as stream:
data = stream.read()
fo = open("pollytest.mp3", "w+")
fo.write( data )
fo.close()
The correct approach for providing people with access to AWS services and resources stored on AWS is to take a client/server approach.
The client in your case is a Desktop application, but it could equally be a mobile app or a web app. The client is basically untrusted and should not be given any credentials for accessing AWS.
The server is an application running somewhere (typically on Amazon EC2 or AWS Lambda) that receives requests from the client, applies business logic (eg verifying the user's identity and determining what actions they are permitted to take) and calls AWS services.
Then there are two approaches to making calls to AWS:
The server can make all the calls to AWS (using credentials that are available only to the server) and pass back results to the client. This isolates the client from AWS and allows you to insert custom business logic within the server. (eg When you use Netflix, your TV doesn't call AWS directly.) Or...
The server can verify the identity of the client (eg the user logs into the client app, which sends the login details to server) by consulting a database of authorized application users, generate temporary AWS credentials, pass them back to the client and then the client can call AWS directly. (eg Many mobile apps do this to talk with Amazon S3.)
The temporary AWS credentials can be generated by the server by calling the AWS Security Token Service and specifying the permissions and duration sought. STS will then return a set of time-limited credentials that have the desired permissions. The client application can use these credentials to call AWS services (eg Amazon Polly as per your code sample).
This way, no credentials are stored in the client code and the server controls whether the client is permitted to access AWS, which API calls can be used and how long the access should be granted.
I have a small site/web application where registered users can see some files that I periodically prepare for them; I store these files in separate directories and every user can only see and download their own files.
Now, I'm moving these directories to Google Drive and I would keep functionalities like file listing and downloading.
Reading the official docs I found some interesting examples about file download/upload, but all of them talk about authorization that user must give in order to access to their Drive and this is not what I'm looking for, I don't want access to their Drive!
As I can see, the doc is not contempling the case that someone may want to give (read-only) access to own Drive. But maybe I'm missing something...
Basically, I need the list of files on my Drive account and, if requested, a way to download one (or more). The only one that has the auth to Drive account is my server, users will send request from it.
Is it possible? I think yes, but I can't find any docs about that. How can I authorize my server?
I think you're looking for the Using OAuth 2.0 for Web Server Applications where you'll be using service accounts to achieve your goal.
"This document explains how web server applications use the Google API
Client Library for PHP to implement OAuth 2.0 authorization to access
Google APIs. OAuth 2.0 allows users to share specific data with an
application while keeping their usernames, passwords, and other
information private. For example, an application can use OAuth 2.0 to
obtain permission from users to store files in their Google Drives."
The snippets are in PHP too, so it works in your favor.