
Well-Architected Framework

AWS Well-Architected helps cloud architects build secure, high-performing, resilient, and efficient infrastructure for their applications and workloads. Based on six pillars — operational excellence, security, reliability, performance efficiency, cost optimization, and sustainability — AWS Well-Architected provides a consistent approach for customers and partners to evaluate architectures, and implement designs that can scale over time.

Recent questions


EC2s Development and Production Environments, Isolation, VPN, API GW, Private and Public Endpoints with RDS and Data Sanitization

Hi Everyone, I have the following idea for an infrastructure architecture in AWS, but I believe that I need some help with clarifying several issues, and I believe the best answers will come from here. I am thinking about the following layout:

In production:

1. an EC2 with Apache that provides a service portal for web users
2. an RDS for the sake of the portal
3. another EC2 with Apache and a business-logic PHP application as CRM
4. the same RDS will be used by the CRM application as well

In development: the same layout, with 1 EC2 for web client services, 1 EC2 for the sake of developing the CRM and an RDS for the data.

I thought about using two different VPCs for the sake of this deployment. I need data replication with sanitization from the production RDS to the development RDS (thinking either SQL procedures or another method; I haven't thought about that yet, but I know I need it to be like that since I have no desire to enable my developers to work with real client data).

Both the production and development CRM EC2s are exposing Web APIs. Both the production and development service portals are exposing Web APIs. Both the production and development CRM and service portal are web accessible.

For the development environment I want to enable access (Web and Web APIs) only through VPN; hence, I want my developers to connect with VPN clients to the development VPC and work against both EC2s on top of that connection. I also want them to be able to test all APIs and am thinking about setting up an API Gateway on that private endpoint.

For the production environment, I want to enable access (Web and Web APIs) to the CRM EC2 through VPN; hence, I want my business units to connect with their VPN clients to a production VPN gateway and work against the CRM on top of that connection. I don't want to expose my CRM to the world.

For the production environment, I want to enable everyone on the internet (actually, not everyone; I want to geo-block access to the service portal, hence I do believe I need Amazon CDN services enabled for that cause) to access the service portal. Still, I want to enable an API Gateway for the Web APIs that are exposed by this service portal EC2.

I've been reading about Amazon API Gateway (and API Gateway cache) and its resource policy, VPC endpoints with their own security groups, and the Amazon Route 53 Resolver for the sake of VPN connections. I have also been reading a lot about the Amazon virtual private gateway and private and public endpoints, but I still can't figure out which element comes into play where, and how the interactions between those elements should be designed.

I believe I also need Amazon KMS for the keys, certificates and passwords, but I'm still trying to figure out the right approach for the above, so I'm leaving the KMS part for the end.

Of course I'm thinking about security as the top of my concerns, so I do believe all connectivity in between the elements should be hardened. Is only using ACLs the right way to go!? I would really appreciate the help.
1 answer, 0 votes, 30 views, asked 5 days ago

Cognito logout endpoint doesn't support options, so how can CORS preflight work?

Hi, I am having issues getting my Spring Security OAuth Client test project to log out a user from Cognito.

Background information: I have a Java Spring test project set up to get familiar with authentication using OAuth / OIDC with Cognito. It is based on this tutorial: https://spring.io/guides/tutorials/spring-boot-oauth2/ I have a Cognito User Pool set up with appropriate API Client settings for the "Authorization code grant" flow. This works very well, except I wanted to log out from Cognito as well as the Spring session, as I want to be able to log in as another user. So I then added a LogoutSuccessHandler to my Spring config to cause a redirect to the Cognito logout endpoint. It was done as shown here: https://rieckpil.de/oidc-logout-with-aws-cognito-and-spring-security/ Apparently this has worked for some people.

The problem: It largely works. My Spring session is invalidated, and logout returns a redirect to the browser to the Cognito logout endpoint along with what I believe to be the correct parameters. However, the browser (same for Firefox and Chrome) then makes a CORS preflight call to the Cognito logout endpoint, and this results in a 404 as "OPTIONS" is not supported on the endpoint.

Example:

1. Request to my application to log out: GET to http://localhost:8080/logout with session cookie etc.
2. My test service responds with a redirect to: `Location: https://cortexo.auth.eu-west-2.amazoncognito.com/logout?client_id=<ClientId>&logout_uri=http://localhost:8080`

Relevant response headers (yes, they are very stupidly open for testing):

```
Access-Control-Allow-Headers: Content-type,responseType
Access-Control-Allow-Methods: GET,POST,PUT,DELETE,OPTIONS
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 3600
```

If I manually browse to this redirected URL (copy and paste into the browser bar), then Cognito will log out and redirect back to my project as expected.

However, when following the redirect, the browser first attempts to do a CORS preflight check on the URL by calling it with an OPTIONS request. This results in a browser-reported error: "Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource." I believe the reason for this is that if you do an OPTIONS call to the logout endpoint it will result in a 404 (not found) error, and the endpoint documentation confirms that only GET is supported.

The questions are:

1. I'm curious as to why the tutorial for Spring OAuth logout has worked for some others.
2. Is this approach the right one? Am I missing something?
3. Any suggestions on how I can work around this (still using Spring Security OAuth Client, as Spring Security is what we are using in our real projects)?

Thanks
1 answer, 0 votes, 38 views, asked 9 days ago

KMS policy for cross account cloudtrail

Hi, I have CloudTrail enabled for the organization in the root account, and an S3 bucket in a security account (with KMS enabled). All logs from all accounts are hitting the bucket! I now need to enable KMS for CloudTrail, and I'm trying to follow the below guide in Terraform: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html

Using the below code:

```
resource "aws_kms_key" "cloudtrail" {
  description             = "KMS for cloudtrail"
  deletion_window_in_days = 7
  is_enabled              = true
  enable_key_rotation     = true
  policy                  = <<POLICY
{
  "Sid": "Enable CloudTrail Encrypt Permissions",
  "Effect": "Allow",
  "Principal": { "Service": "cloudtrail.amazonaws.com" },
  "Action": "kms:GenerateDataKey*",
  "Resource": "${aws_kms_key.cloudtrail.arn}", # THIS IS THE LINE THAT FAILS!
  "Condition": {
    "StringLike": {
      "kms:EncryptionContext:aws:cloudtrail:arn": [
        "arn:aws:cloudtrail:*:xxx:trail/*",
        "arn:aws:cloudtrail:*:xx:trail/*"
      ]
    },
    "StringEquals": {
      "aws:SourceArn": "arn:aws:cloudtrail:eu-west-2:xxx:trail/organization_trail"
    }
  }
}
POLICY
}
```

But I get the following error:

```
Error: Self-referential block
│
│   on kms-cloudtrail.tf line 16, in resource "aws_kms_key" "cloudtrail":
│   16:     "Resource": "${aws_kms_key.cloudtrail.arn}",
│
│ Configuration for aws_kms_key.cloudtrail may not refer to itself.
```

I'm guessing I get the error because the KMS key doesn't exist yet, so it can't reference it? So is the document wrong, or am I misunderstanding something regarding it? Any help would be great!
2 answers, 0 votes, 44 views, asked 20 days ago
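An added example, not taken from the question or its answers, of the same key policy written without the self-reference: in a KMS key policy, `"Resource": "*"` means the key the policy is attached to, so the key's own ARN is never needed. The account IDs (111111111111 for the security account that owns the key, 222222222222 for the trail's account) and the trail name are placeholders; the first statement keeps an administrator for the key, without which the key policy could not be changed later.

```hcl
resource "aws_kms_key" "cloudtrail" {
  description             = "KMS for cloudtrail"
  deletion_window_in_days = 7
  enable_key_rotation     = true

  # Key policy written with jsonencode so Terraform validates the structure;
  # "Resource" = "*" refers to this key, so no self-reference is required.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Placeholder: the account that owns the key must keep admin rights.
        Sid       = "Enable IAM User Permissions"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::111111111111:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        # Only CloudTrail, and only the named organization trail, may generate
        # data keys; the encryption-context condition pins it to trail ARNs.
        Sid       = "Enable CloudTrail Encrypt Permissions"
        Effect    = "Allow"
        Principal = { Service = "cloudtrail.amazonaws.com" }
        Action    = "kms:GenerateDataKey*"
        Resource  = "*"
        Condition = {
          StringLike = {
            "kms:EncryptionContext:aws:cloudtrail:arn" = [
              "arn:aws:cloudtrail:*:222222222222:trail/*"
            ]
          }
          StringEquals = {
            # Placeholder trail ARN; replace with the real organization trail.
            "aws:SourceArn" = "arn:aws:cloudtrail:eu-west-2:222222222222:trail/organization_trail"
          }
        }
      }
    ]
  })
}
```

Principals that need to read the encrypted logs from the bucket still need a separate `kms:Decrypt` statement, which is out of scope here.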
