Unanswered Questions tagged with Encryption

Content language: English

Sort by most recent

Browse through the questions and answers listed below or filter and sort to narrow down your results.

  • 1
  • 12 / page

Reduce KMS Decrypt API calls during DynamoDB replication

I currently have a DynamoDB global table set up with encryption at rest configured using an AWS managed key (not owned by Amazon, so KMS charges apply). My service that hits the DynamoDB table is only running in us-east-1, but the global table replicates data to us-west-2 as part of the disaster recovery strategy. Looking at recent months in AWS Costs Explorer, I noticed that there are significantly more KMS requests coming from us-west-2 than us-east-1: ``` US East (N. Virginia) AWS Key Management Service us-east-1-KMS-Requests $0.03 per 10000 KMS requests in US East (N. Virginia) 146,390,252.000 Requests US West (Oregon) AWS Key Management Service us-west-2-KMS-Requests $0.03 per 10000 KMS requests in US West (Oregon) 272,575,473.000 Requests ``` Looking at CloudTrail, it looks like a majority of these calls are Decrypt operations related to the DynamoDB replication, similar to: ``` { "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "arn": "arn:aws:sts::[account]:assumed-role/AWSServiceRoleForDynamoDBReplication/[id]", "invokedBy": "replication.dynamodb.amazonaws.com" }, "eventTime": "2022-11-16T04:26:41Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "awsRegion": "us-west-2", "sourceIPAddress": "replication.dynamodb.amazonaws.com", "userAgent": "replication.dynamodb.amazonaws.com", "requestParameters": { "encryptionContext": { "aws:dynamodb:tableName": "[table-name]" }, "encryptionAlgorithm": "SYMMETRIC_DEFAULT" }, "responseElements": null, "readOnly": true, "resources": [ { "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:[account]:key/[key-id]" } ], "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management" } ``` Since us-west-2 is really just a replication destination with no active services hitting it, it's curious to me that there are so many calls to Decrypt using the us-west-2 key as the resource, unless there is something in the replication process that encrypts it using the us-west-2 key prior to replication, it gets sent over, and then needs to be decrypted to finish the replication process and add it to the table? After coming across multi-region KMS replica keys, it seems like they could be a good candidate to address these large number of KMS requests, though not knowing where these Decrypt calls fall in the process makes it difficult to say for sure. Given this setup, I have the following questions: - Does a large number of KMS Decrypt API calls make sense for a backup region that only gets replications and doesn't really provide data to a service? - Does a multi-region KMS replica key make sense to help address these KMS API call counts? - Is there danger/issues with swapping the AWS managed KMS key to a multi-region KMS replica key on a large table (6,000,000,000 records, ~3TB in size)?
0
answers
0
votes
60
views
jkh
asked 13 days ago

Invalid certificate for AWS RDS in ap-east-1

# Issue Hi. I created the AWS RDS Postgres database in ap-east-1 (Hong Kong) region and tried connecting to the database from my Java app with the following configuration: ``` jdbc:postgresql://${database-hostname}:${database-port}/${database-name}?ssl=true&sslmode=verify-full&sslrootcert=${AWS_RDS_CERT_PATH}/${AWS_RDS_CERT_NAME} ``` But I got the error: `unable to find valid certification path to requested target` # Investigation Then I tried to fetch the certificate from my newly created RDS instance with the OpenSSL version `1.1.1f` using the following command: ``` echo "" | openssl s_client -starttls postgres -connect $DB_HOSTNAME:5432 -showcerts -prexit 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > certificate.pem ``` [certificate.pem](https://www.amazon.com/clouddrive/share/iXXIxJe9fyGjpkwF7ykqq7pszqgbyCahRe4RZbjRnFT) Next, I downloaded Asia Pacific (Hong Kong) [PEM certificate](https://www.amazon.com/clouddrive/share/Yiid38jeib4WcnePsYG2mg169QGsud8HoR33KjZ34GC) from the [AWS Documentation page](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html) and tried to verify the RDS certificate using the following command: ``` openssl verify -verbose -x509_strict -CAfile $AWS_RDS_CA_PEM certificate.pem ``` Where the `AWS_RDS_CA_PEM` environment variable contains a path to AWS Certificate. And got the following result: ``` CN = database-1.cmr1eqjbhlka.ap-east-1.rds.amazonaws.com, OU = RDS, O = Amazon.com, L = Seattle, ST = Washington, C = US error 20 at 0 depth lookup: unable to get local issuer certificate error certificate.pem: verification failed ``` So maybe it happens because the AWS RDS servers are compromised and someone trying to implement [MITM attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack). Then I tried to get the AWS CA certificate information by issuing the following command: `openssl x509 -in $AWS_RDS_CA_PEM -noout -text`. And the result shows the strange validity: ``` ... Validity Not Before: May 25 21:30:33 2021 GMT Not After : May 25 22:30:33 2061 GMT ... ``` I checked the certificate information using AWS CLI command and got the following result: ![AWS CLI certificate result](/media/postImages/original/IMDnoyySPJQDqp0hR6QxOp4g) Could you please let me know whether AWS RDS `ap-east-1` servers are compromised or if it is just an issue on the AWS Documentation page? or it is both?
0
answers
0
votes
28
views
asked 15 days ago
  • 1
  • 12 / page