Questions tagged with Encryption

Reduce KMS Decrypt API calls during DynamoDB replication

I currently have a DynamoDB global table set up with encryption at rest configured using an AWS managed key (not owned by Amazon, so KMS charges apply). My service that hits the DynamoDB table is only running in us-east-1, but the global table replicates data to us-west-2 as part of the disaster recovery strategy. Looking at recent months in AWS Cost Explorer, I noticed that there are significantly more KMS requests coming from us-west-2 than from us-east-1:

```
US East (N. Virginia)  AWS Key Management Service  us-east-1-KMS-Requests  $0.03 per 10000 KMS requests in US East (N. Virginia)  146,390,252.000 Requests
US West (Oregon)       AWS Key Management Service  us-west-2-KMS-Requests  $0.03 per 10000 KMS requests in US West (Oregon)       272,575,473.000 Requests
```

Looking at CloudTrail, it looks like the majority of these calls are Decrypt operations related to the DynamoDB replication, similar to:

```
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "arn": "arn:aws:sts::[account]:assumed-role/AWSServiceRoleForDynamoDBReplication/[id]",
    "invokedBy": "replication.dynamodb.amazonaws.com"
  },
  "eventTime": "2022-11-16T04:26:41Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "Decrypt",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "replication.dynamodb.amazonaws.com",
  "userAgent": "replication.dynamodb.amazonaws.com",
  "requestParameters": {
    "encryptionContext": {
      "aws:dynamodb:tableName": "[table-name]"
    },
    "encryptionAlgorithm": "SYMMETRIC_DEFAULT"
  },
  "responseElements": null,
  "readOnly": true,
  "resources": [
    {
      "type": "AWS::KMS::Key",
      "ARN": "arn:aws:kms:us-west-2:[account]:key/[key-id]"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "eventCategory": "Management"
}
```

Since us-west-2 is really just a replication destination with no active services hitting it, it's curious to me that there are so many calls to Decrypt using the us-west-2 key as the resource, unless there is something in the replication process that encrypts the data using the us-west-2 key prior to replication, sends it over, and then needs to decrypt it to finish the replication process and add it to the table? After coming across multi-region KMS replica keys, it seems like they could be a good candidate to address this large number of KMS requests, though not knowing where these Decrypt calls fall in the process makes it difficult to say for sure. Given this setup, I have the following questions:

- Does a large number of KMS Decrypt API calls make sense for a backup region that only receives replications and doesn't really provide data to a service?
- Does a multi-region KMS replica key make sense to help address these KMS API call counts?
- Are there dangers/issues with swapping the AWS managed KMS key to a multi-region KMS replica key on a large table (6,000,000,000 records, ~3TB in size)?
0 answers, 0 votes, 60 views
jkh, asked 14 days ago

Invalid certificate for AWS RDS in ap-east-1

# Issue

Hi. I created the AWS RDS Postgres database in the ap-east-1 (Hong Kong) region and tried connecting to the database from my Java app with the following configuration:

```
jdbc:postgresql://${database-hostname}:${database-port}/${database-name}?ssl=true&sslmode=verify-full&sslrootcert=${AWS_RDS_CERT_PATH}/${AWS_RDS_CERT_NAME}
```

But I got the error: `unable to find valid certification path to requested target`

# Investigation

Then I tried to fetch the certificate from my newly created RDS instance with OpenSSL version `1.1.1f` using the following command:

```
echo "" | openssl s_client -starttls postgres -connect $DB_HOSTNAME:5432 -showcerts -prexit 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > certificate.pem
```

[certificate.pem](https://www.amazon.com/clouddrive/share/iXXIxJe9fyGjpkwF7ykqq7pszqgbyCahRe4RZbjRnFT)

Next, I downloaded the Asia Pacific (Hong Kong) [PEM certificate](https://www.amazon.com/clouddrive/share/Yiid38jeib4WcnePsYG2mg169QGsud8HoR33KjZ34GC) from the [AWS Documentation page](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html) and tried to verify the RDS certificate using the following command:

```
openssl verify -verbose -x509_strict -CAfile $AWS_RDS_CA_PEM certificate.pem
```

where the `AWS_RDS_CA_PEM` environment variable contains the path to the AWS certificate. I got the following result:

```
CN = database-1.cmr1eqjbhlka.ap-east-1.rds.amazonaws.com, OU = RDS, O = Amazon.com, L = Seattle, ST = Washington, C = US
error 20 at 0 depth lookup: unable to get local issuer certificate
error certificate.pem: verification failed
```

So maybe it happens because the AWS RDS servers are compromised and someone is trying to carry out a [MITM attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack). Then I tried to get the AWS CA certificate information by issuing the following command: `openssl x509 -in $AWS_RDS_CA_PEM -noout -text`. The result shows a strange validity:

```
...
Validity
    Not Before: May 25 21:30:33 2021 GMT
    Not After : May 25 22:30:33 2061 GMT
...
```

I checked the certificate information using the AWS CLI and got the following result: ![AWS CLI certificate result](/media/postImages/original/IMDnoyySPJQDqp0hR6QxOp4g)

Could you please let me know whether the AWS RDS `ap-east-1` servers are compromised, or if it is just an issue on the AWS Documentation page, or both?
0 answers, 0 votes, 29 views
asked 15 days ago

KMS events are not being excluded from CloudTrail Management Events

Hi everyone! I recently struggled with some CloudTrail costs in my account. To give some context, I enabled DynamoDB global tables for two regions, using encryption with a CMK in the primary region and creating a replica of this key in the second one. The thing is, after setting up the global table, the CloudTrail costs started to increase significantly. I noticed that most of the events recorded were `Decrypt` events with the source IP address `replication.dynamodb.amazonaws.com`, and the event source was `kms.amazonaws.com`. As you might guess, the trail wasn't excluding AWS KMS events for management events, and after changing the configuration I expected those costs to decrease again, but they stay the same; also, the event history still shows management events from `kms.amazonaws.com`. **Is there something I might be missing?** This is the Terraform configuration I'm using for setting up CloudTrail.

```
resource "aws_cloudtrail" "security" {
  name                          = "security"
  s3_bucket_name                = var.supervising_cloudtrail.s3_bucket_name
  s3_key_prefix                 = "audit"
  kms_key_id                    = var.supervising_cloudtrail.kms_key_arn
  enable_log_file_validation    = true
  enable_logging                = true
  is_multi_region_trail         = true
  include_global_service_events = true

  insight_selector {
    insight_type = "ApiCallRateInsight"
  }

  event_selector {
    read_write_type                  = "All"
    include_management_events        = true
    exclude_management_event_sources = ["kms.amazonaws.com"]

    data_resource {
      type   = "AWS::Lambda::Function"
      values = ["arn:aws:lambda"]
    }

    data_resource {
      type   = "AWS::S3::Object"
      values = ["arn:aws:s3:::"]
    }

    data_resource {
      type   = "AWS::DynamoDB::Table"
      values = ["arn:aws:dynamodb"]
    }
  }
}
```
1 answer, 0 votes, 57 views
Osain, asked a month ago