
Amazon CloudFront + Lambda + KMS issues

0

Hello,

I am encountering issues with Amazon KMS when decrypting a URI string - it works for some people and for others it does not work. I have been debugging it for the past 2 days and I just can't seem to resolve it. I will explain the set-up we have implemented below:

EC2 Server - the server is based in Europe (London)

CloudFront - we have a CF server with a Lambda function associated to it. The CF event is "Origin Request" and the "Lambda Function ARN" is only allowing from us-east-1 and not any other region. From documentation and research, I have found that Lambda association support is only allowed from a couple of regions.

Lambda Function - this is located in the us-east-1 region only and its purpose is to read the URI and decrypt it. However, I have sent the encrypted URI to 11 people and for 7 people it has worked, whereas for the remaining it has shown 404 - page not found. The test users are located in Europe, Asia, and the UK. However, I must say, when I have been in a coffee shop the encrypted URI hasn't worked for me, but when I am outside the coffee shop, it has worked. The function location is only in the us-east-1 region.

KMS - In the application code, I am using the KMS client, where I am encrypting the URI (please see below links). The key_id that I am using is located in EU (London). I have tried the key_id from us-east-1, but I am having no luck with it, as it keeps showing a 404 page. When testing the URI on the Lambda function, it throws out an error about the key_id being a master key, or not associated with the current region. However, when I did try creating the Lambda function in EU (London), the decrypt test feature location in the AWS console did work for the Lambda function.

Link1: https://d1up5da8tlmkbe.cloudfront.net/documents_property/AQICAHgshrfZl4LaOespINIFyQEOYUvNuzRHsjXyjm6IF2gVOwEDTzIAl6u11UkUD2p%2FDzi8AAAAgzCBgAYJKoZIhvcNAQcGoHMwcQIBADBsBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDMqI%2FRP8PWaCUs%2FohgIBEIA%2F4QFRCWEh%2F0%2FH%2F7A9lcMSEaEkUZ%2F3BrmWA%2F4HmcasLVSCw2os1ge5PJwGGalw672ZwBvdaxxnQhMgmAcs7q%2F3

Link2: https://d1up5da8tlmkbe.cloudfront.net/documents_property/AQICAHgshrfZl4LaOespINIFyQEOYUvNuzRHsjXyjm6IF2gVOwF2BeACnec%2B%2BMdbhdbR7LGHAAAAlzCBlAYJKoZIhvcNAQcGoIGGMIGDAgEAMH4GCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMiUdCGt4YzKvo2vUOAgEQgFHaTj5pXBHUwWqvpwN3nZAfPE7wMd2rdgMwO457KEs54cWJ2YrBUW4SI5AN7CrAb1b2YUACNEzlZs0288xTmhwE2SByADL%2B%2FTBb6mQGZ4SF3lY%3D

Some questions:

  1. Are there any AWS firewall rules when connecting through coffee shops?
  2. Are there any AWS firewall rules for security when connecting through Asia or not recognised locations?

Other:

  • I feel if CF allowed Lambda function association from EU (London) it may resolve the issue, as the key_id I am using is located in the EU (London)

Any help would be appreciated, as it has been driving me insane - much appreciated and thank you.

Edited by: camkhan on Apr 13, 2019 11:22 AM

Edited by: camkhan on Apr 13, 2019 11:23 AM

asked 7 years ago, 426 views
1 Answer
0

I have resolved the issue, but there is an architectural bug on Amazon for the encryption key being used.

  • Your logic behind the key detection to use for decrypting the URI is wrong and does not work as it is supposed to. For some users, it is pointing to the correct region key and others it is not.

  • CF should auto-detect the region key that is coming in upon requesting a URI, but it is routing some users to the default region determined in your logic.

However, this has been resolved by telling the KMS client to always use a particular region encryption key. This is not the correct way of doing things from a solutions architect point of view.

answered 7 years ago
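One way to pin the decrypt to the key's region inside the Lambda@Edge origin-request handler, as an added example that is not code from the question or the answer. It assumes a Python handler, a placeholder key ARN in eu-west-2 (the London region the question names), and the /documents_property/ path prefix seen in the links; the helper names are made up here. Lambda@Edge replicas execute in whichever regional edge location serves the viewer, so a KMS client built with the default region only reaches the key for viewers routed to the key's own region, which matches the "works for some users" symptom.

```python
import base64
import urllib.parse

# A KMS key is a regional resource. The replica's default region (AWS_REGION)
# changes with the viewer's location, so the region is taken from the key ARN
# instead of from the environment. Placeholder ARN, not a real key.
KEY_ARN = "arn:aws:kms:eu-west-2:111122223333:key/00000000-0000-0000-0000-000000000000"


def region_from_key_arn(key_arn):
    """Return the region field of a KMS key ARN (arn:aws:kms:REGION:account:key/id)."""
    parts = key_arn.split(":")
    if len(parts) < 6 or parts[2] != "kms":
        raise ValueError("not a KMS key ARN: %r" % key_arn)
    return parts[3]


def ciphertext_from_uri(uri, prefix="/documents_property/"):
    """URL-decode and base64-decode the KMS ciphertext blob carried in the request path."""
    if not uri.startswith(prefix):
        raise ValueError("unexpected path: %r" % uri)
    encoded = urllib.parse.unquote(uri[len(prefix):])
    return base64.b64decode(encoded, validate=True)


def make_kms_decrypt(key_arn):
    """Build a decrypt callable whose client is pinned to the key's region (needs boto3 and AWS credentials)."""
    import boto3  # imported lazily so the parsing helpers above run without AWS

    kms = boto3.client("kms", region_name=region_from_key_arn(key_arn))

    def decrypt(blob):
        return kms.decrypt(CiphertextBlob=blob)["Plaintext"].decode("utf-8")

    return decrypt


def handler(event, context, decrypt=None):
    """Lambda@Edge origin-request handler: replace the encrypted path with the decrypted one."""
    decrypt = decrypt or make_kms_decrypt(KEY_ARN)
    request = event["Records"][0]["cf"]["request"]
    try:
        plaintext = decrypt(ciphertext_from_uri(request["uri"]))
    except Exception:
        # Malformed or undecryptable path: answer 404 at the edge instead of forwarding it to the origin.
        return {"status": "404", "statusDescription": "Not Found"}
    request["uri"] = plaintext
    return request
```

The `decrypt` parameter exists so the handler can be exercised with a stand-in before deploying; in production the default `make_kms_decrypt(KEY_ARN)` is used and the function's execution role needs kms:Decrypt on that key.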
