Questions tagged with Encryption


Can a log destination work with KMS-encrypted Kinesis streams?

I am following [AWS CloudWatch Logs - Setting up a new cross-account subscription](https://docs.amazonaws.cn/en_us/AmazonCloudWatch/latest/logs/Cross-Account-Log_Subscription-New.html) and I have been able to get WAF logs from Account A to flow through to my OpenSearch cluster in Account B using the documentation. But I want to extend it so that everything is doing encryption at rest or server-side encryption, and I am having an issue when I try to create a log destination, where I get an error saying "Check if the destination is valid". I have the following setup: a data stream with server-side encryption using a KMS managed key, and an IAM role called CWLtoKinesisRole with the following trust policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "logs.us-east-1.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-12345"
        }
      }
    }
  ]
}
```

and the following policy:

```json
{
  "Statement": [
    {
      "Action": "kinesis:PutRecord",
      "Effect": "Allow",
      "Resource": "arn:aws:kinesis:us-east-1:123456789123:stream/logs-recipient",
      "Sid": ""
    },
    {
      "Action": [
        "kms:GenerateDataKey",
        "kms:Encrypt",
        "kms:Decrypt"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:kms:*:123456789123:key/*",
      "Sid": ""
    }
  ],
  "Version": "2012-10-17"
}
```

Then when I run:

```shell
aws logs put-destination \
  --destination-name "testDestination" \
  --target-arn "arn:aws:kinesis:region:123456789123:stream/logs-recipient" \
  --role-arn "arn:aws:iam::123456789123:role/CWLtoKinesisRole"
```

I get `cloudwatch log destination: InvalidParameterException: Could not deliver test message to specified destination. Check if the destination is valid`

Any direction on what I am missing here would be great, thanks Phil
1 answer · 0 votes · 22 views · asked 2 months ago
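An offline check of the role that CloudWatch Logs assumes for a destination backed by an SSE-KMS Kinesis stream, as an added example that is not part of the question above or of AWS's own tooling. It assumes (my assumptions, stated rather than taken from the AWS documentation) that the role's permissions policy must allow `kinesis:PutRecord` on the stream and `kms:GenerateDataKey` on the key that encrypts it, and that the trust policy must let the CloudWatch Logs service principal, in either its regional `logs.<region>.amazonaws.com` or global `logs.amazonaws.com` form, call `sts:AssumeRole`. `Condition` blocks (such as the `aws:PrincipalOrgID` one in the trust policy) are not evaluated, so a condition that fails at runtime is invisible here; the account IDs and key ID in the usage below are constructed placeholders.

```javascript
// Added example, not from the original question: lint the IAM role CloudWatch Logs assumes
// before calling put-destination. Assumptions: producer to an SSE-KMS stream needs
// kinesis:PutRecord on the stream and kms:GenerateDataKey on the key; trust policy must
// allow the CloudWatch Logs service principal. Condition blocks are ignored.

// IAM-style wildcard matching: '*' matches any run of characters, '?' exactly one.
function globToRegExp(pattern, flags) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp('^' + escaped + '$', flags);
}

// IAM lets most fields be a string or an array; normalise to an array.
function asArray(x) {
  if (x === undefined || x === null) return [];
  return Array.isArray(x) ? x : [x];
}

// Does the policy allow `action` on `resource`? A matching explicit Deny wins over any Allow.
// Action names match case-insensitively, resource ARNs case-sensitively.
function policyAllows(policy, action, resource) {
  let allowed = false;
  for (const st of asArray(policy.Statement)) {
    const actionHit = asArray(st.Action).some((a) => globToRegExp(a, 'i').test(action));
    const resourceHit = asArray(st.Resource).some((r) => globToRegExp(r).test(resource));
    if (!actionHit || !resourceHit) continue;
    if (st.Effect === 'Deny') return false;
    if (st.Effect === 'Allow') allowed = true;
  }
  return allowed;
}

// Can the CloudWatch Logs service in `region` assume the role under this trust policy?
function trustsLogsService(trustPolicy, region) {
  const accepted = new Set([`logs.${region}.amazonaws.com`, 'logs.amazonaws.com']);
  return asArray(trustPolicy.Statement).some(
    (st) =>
      st.Effect === 'Allow' &&
      asArray(st.Action).some((a) => globToRegExp(a, 'i').test('sts:AssumeRole')) &&
      asArray(st.Principal && st.Principal.Service).some((s) => accepted.has(s))
  );
}

// Returns a list of problems; an empty list means the role passes this permissions-only check.
function checkDestinationRole({ trustPolicy, permissionsPolicy, region, roleAccountId, streamArn, keyArn }) {
  const problems = [];
  if (!trustsLogsService(trustPolicy, region)) {
    problems.push(`trust policy does not let logs.${region}.amazonaws.com call sts:AssumeRole`);
  }
  if (!policyAllows(permissionsPolicy, 'kinesis:PutRecord', streamArn)) {
    problems.push(`no kinesis:PutRecord on ${streamArn}`);
  }
  if (!policyAllows(permissionsPolicy, 'kms:GenerateDataKey', keyArn)) {
    problems.push(`no kms:GenerateDataKey on ${keyArn}`);
  }
  // KMS authorisation is two-sided: the IAM policy is only half of it. A key in another
  // account is reachable only if its key policy also grants the role.
  const keyAccountId = keyArn.split(':')[4];
  if (keyAccountId !== roleAccountId) {
    problems.push(`key ${keyArn} is in account ${keyAccountId}; its key policy must also grant the role`);
  }
  return problems;
}

// Usage with the two policies from the question (key ID is a constructed placeholder):
// checkDestinationRole({ trustPolicy, permissionsPolicy, region: 'us-east-1',
//   roleAccountId: '123456789123',
//   streamArn: 'arn:aws:kinesis:us-east-1:123456789123:stream/logs-recipient',
//   keyArn: 'arn:aws:kms:us-east-1:123456789123:key/11111111-2222-3333-4444-555555555555' });
```

The check only says whether the IAM side is sufficient on paper; the `Condition` in the trust policy and the key policy on the KMS key are the two places it cannot see, and both are worth reading before looking anywhere else when `put-destination` reports that the test message could not be delivered.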

getSignedUrl - SignatureDoesNotMatch with SSE-C encryption

My AWS config:

```javascript
const AWS = require('aws-sdk');
const crypto = require('crypto');

AWS.config.update({
  accessKeyId: 'accessKeyId',
  secretAccessKey: 'secretAccessKey',
  signatureVersion: 'v4'
});
const S3 = new AWS.S3();
```

Function to upload and generate getSignedUrl:

```javascript
// buff: Buffer with the file contents; resolve: from the enclosing new Promise(...)
let sseKey = '12345678901234567890121234567890';
let md5 = crypto.createHash('md5').update(sseKey.toString(), 'utf8').digest('hex').toUpperCase();

S3.putObject({
  Bucket: 'Bucket',
  Body: buff,
  Key: 'test_file.jpg',
  SSECustomerAlgorithm: 'AES256',
  SSECustomerKey: sseKey,
  SSECustomerKeyMD5: md5
}, (err, data) => {
  console.log("🚀 file: aws.js line 203 returnnewPromise data", data)
  if (err) return console.error(err.stack)
  S3.getSignedUrl('getObject', {
    Bucket: 'Bucket',
    Key: 'test_file.jpg',
    Expires: 6000,
    SSECustomerAlgorithm: 'AES256',
    SSECustomerKey: sseKey,
    SSECustomerKeyMD5: md5
  }, (err, data) => {
    if (err) return console.error(err.stack)
    console.log(data)
    resolve(data)
  })
})
```

I got a link like this:

```
https://$BUCKET_PATH/test_file.jpg?
X-Amz-Algorithm=AWS4-HMAC-SHA256&
X-Amz-Credential=$SECRECT_CRE%2F20220821%2Fus-west-2%2Fs3%2Faws4_request&
X-Amz-Date=20220821T022426Z&
X-Amz-Expires=6000&
X-Amz-Signature=5e7cd0362b2543140b46c025044c11c2da2202e7ca59811fecf1837b6cdd4713&
X-Amz-SignedHeaders=host%3Bx-amz-server-side-encryption-customer-algorithm%3Bx-amz-server-side-encryption-customer-key%3Bx-amz-server-side-encryption-customer-key-md5&
x-amz-server-side-encryption-customer-algorithm=AES256&
x-amz-server-side-encryption-customer-key=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjEyMzQ1Njc4OTA%3D&
x-amz-server-side-encryption-customer-key-MD5=tbeqTQ80K9Hdr45q0i%2FNNQ%3D%3D
```

Copying the link into the browser gives this error:

```xml
<Error>
<Code>SignatureDoesNotMatch</Code>
<Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message>
```

I also use `https://www.npmjs.com/package/request` POST and set header params, but it does not work:

```javascript
headers: {
  'x-amz-server-side-encryption-customer-algorithm': 'AES256',
  'x-amz-server-side-encryption-customer-key': encryptKey.toString('base64'),
},
```

Please help me, I don't know where the problem is. Thank you
1 answer · 0 votes · 55 views · asked 4 months ago

End-to-end encryption (to be or not to be)

Hi community, what is your position on end-to-end encryption (regardless of regulations), but from a practical security point of view? Scenario: the classic scenario of a web service being front-ended by an application load balancer. No questions asked, we do encryption in transit for the front-end part. BUT for the communication between the load balancer and the server, the security position of AWS seems to be "encrypt everything", but when I read AWS documentation from a sysops perspective I get the following: "Terminating secure connections at the load balancer and using HTTP on the backend might be sufficient for your application. Network traffic between AWS resources can't be listened to by instances that are not part of the connection." As a security practitioner, I will push for end-to-end encryption, but I would like to understand this other point of view from AWS which, when read, might suggest that the encryption between the load balancer and the EC2 is optional. I am in security now but my background is sysadmin, and when I talk to operations people I don't like to just "impose" security regulations/standards/policies etc. I like to explain why it's required from a technical security point of view. When it comes to our on-prem applications it's easy to explain the risks. But in AWS it's a little bit confusing for me to justify my point when they show me AWS documentation stating that it might be enough just to encrypt the front-end part of the communications.
1 answer · 0 votes · 55 views · asked 4 months ago
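The hop the question is about, as an added example that is not part of the post above or of any AWS tooling: an audit over an Application Load Balancer's listeners and target groups that reports every place where a client's TLS connection is terminated at the load balancer and forwarded to the targets over plain HTTP. The object shapes follow what the ELBv2 `DescribeListeners` and `DescribeTargetGroups` API calls return (`Protocol`, `Port`, `DefaultActions`, `ForwardConfig.TargetGroups`); the sample load balancer, ARNs and account ID are constructed for the example.

```javascript
// Added example, not from the original post: find HTTPS listeners that forward to non-HTTPS
// target groups. Input shapes follow elbv2 DescribeListeners / DescribeTargetGroups; the sample
// data below is constructed, not taken from a real account.

// Target groups a listener's default actions forward to, in both the single-target-group form
// and the weighted ForwardConfig form.
function forwardTargetGroupArns(listener) {
  const arns = [];
  for (const action of listener.DefaultActions || []) {
    if (action.Type !== 'forward') continue;
    if (action.TargetGroupArn) arns.push(action.TargetGroupArn);
    const weighted = (action.ForwardConfig && action.ForwardConfig.TargetGroups) || [];
    for (const tg of weighted) arns.push(tg.TargetGroupArn);
  }
  return [...new Set(arns)];
}

// One finding per HTTPS listener -> non-HTTPS target group hop: the places where traffic the
// client encrypted to the load balancer continues in the clear inside the VPC.
function findPlaintextBackendHops(listeners, targetGroups) {
  const byArn = new Map(targetGroups.map((tg) => [tg.TargetGroupArn, tg]));
  const findings = [];
  for (const listener of listeners) {
    if (listener.Protocol !== 'HTTPS') continue;
    for (const arn of forwardTargetGroupArns(listener)) {
      const tg = byArn.get(arn);
      if (!tg) continue; // unknown target group: cannot judge, so do not report
      if (tg.Protocol !== 'HTTPS') {
        findings.push({
          listenerArn: listener.ListenerArn,
          listenerPort: listener.Port,
          targetGroup: tg.TargetGroupName,
          backendProtocol: tg.Protocol,
          backendPort: tg.Port,
        });
      }
    }
  }
  return findings;
}

// Constructed sample: one ALB whose HTTPS listener splits traffic across an HTTPS target group
// and a plain-HTTP one, plus an HTTP listener that only redirects to HTTPS.
const TG_HTTPS = 'arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/api-https/0123456789abcdef';
const TG_HTTP = 'arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/api-http/fedcba9876543210';
const SAMPLE_TARGET_GROUPS = [
  { TargetGroupArn: TG_HTTPS, TargetGroupName: 'api-https', Protocol: 'HTTPS', Port: 443, HealthCheckProtocol: 'HTTPS' },
  { TargetGroupArn: TG_HTTP, TargetGroupName: 'api-http', Protocol: 'HTTP', Port: 8080, HealthCheckProtocol: 'HTTP' },
];
const SAMPLE_LISTENERS = [
  {
    ListenerArn: 'arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/app/web/0123456789abcdef/aaaa1111',
    Port: 443,
    Protocol: 'HTTPS',
    DefaultActions: [{ Type: 'forward', ForwardConfig: { TargetGroups: [{ TargetGroupArn: TG_HTTPS, Weight: 90 }, { TargetGroupArn: TG_HTTP, Weight: 10 }] } }],
  },
  {
    ListenerArn: 'arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/app/web/0123456789abcdef/bbbb2222',
    Port: 80,
    Protocol: 'HTTP',
    DefaultActions: [{ Type: 'redirect', RedirectConfig: { Protocol: 'HTTPS', Port: '443', StatusCode: 'HTTP_301' } }],
  },
];

// findPlaintextBackendHops(SAMPLE_LISTENERS, SAMPLE_TARGET_GROUPS) reports the api-http hop only.
```

Running the audit over the sample reports the 10% of traffic that reaches `api-http` on port 8080 in the clear and nothing else; the HTTPS-to-HTTPS hop and the redirect-only HTTP listener are not findings. One caveat worth carrying into the conversation with the operations team: switching a target group to HTTPS gives the hop confidentiality, but an Application Load Balancer does not validate the certificate the target presents, so the backend is not authenticated by that hop and the benefit of encrypting it rests on the network controls (security groups, subnet placement) that keep untrusted hosts from answering on that port.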