@abiydv
abiydv / aws-security-notes.md
Created January 16, 2021 03:40
Quick reference for AWS Security speciality certification

KMS

  • Highly available key generation, storage, management, and auditing solution to encrypt or digitally sign data within applications or control the encryption of data across AWS services.
  • Enabling Private DNS Name makes the standard AWS KMS DNS hostname (https://kms.region.amazonaws.com) resolve to the VPC endpoint, so API calls stay on the private network.
  • Supports Symmetric (256-bit key that is used for encryption and decryption) and Asymmetric CMKs (an RSA key pair that is used for encryption and decryption or signing and verification but not both, or an elliptic curve (ECC) key pair that is used for signing and verification).
  • For asymmetric customer managed CMKs, the key material can only be generated within AWS KMS HSMs, and there is no option for automatic key rotation.
  • Symmetric CMKs and the private keys of Asymmetric CMKs never leave AWS KMS unencrypted and AWS KMS does not store, manage, or track data keys.
  • Cryptographic Operations
    • Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyPair, `GenerateDataKeyPai
@abiydv
abiydv / presigned-upload-curl.sh
Last active July 12, 2021 03:36
S3 Presigned url using boto3
curl -v "https://mybucket.s3.amazonaws.com/" \
-F "key=path/to/file.txt" \
-F "AWSAccessKeyId=access_key" \
-F "x-amz-security-token=security_token" \
-F "policy=base64_encoded_policy" \
-F "signature=signature" \
-F "file=@file.txt"
@abiydv
abiydv / file-upload
Created August 30, 2021 01:11
Curl Snippets
curl -F "firstname=John" -F "lastname=Doe" "https://httpbin.org/post" -F "file=@file.txt"
{
  "args": {},
  "data": "",
  "files": {
    "file": "This is a test file\n"
  },
  "form": {
    "firstname": "John",
    "lastname": "Doe"
@abiydv
abiydv / s3-bulk-upload.tf
Last active November 14, 2021 17:45
Terraform for each conditionals
# This is an example to bulk upload files to S3
# A local source directory and sample pattern are provided as variables.
# All matching files are uploaded to S3
locals {
  file_list = toset(fileset(var.source_path, var.source_file_pattern))
  # If you use terragrunt, use this local block instead to ignore
  # the .terragrunt-source-manifest file it adds to each directory.
  # This is useful if there is no common pattern to files.
@abiydv
abiydv / blackbox.yaml
Last active September 28, 2021 15:01
Example Blackbox config for POST call monitoring
modules:
  http_2xx:
    prober: http
    timeout: 5s
    http:
      valid_http_versions: ["HTTP/1.1", "HTTP/2.0"]
      valid_status_codes: []
      method: GET
      preferred_ip_protocol: "ip4"
@abiydv
abiydv / bitbucket-pipelines.yml
Last active September 30, 2021 09:06
Bitbucket Pipelines for Terraform with OIDC Access to AWS
image: hashicorp/terraform:1.0.7
definitions:
  scripts:
    - script: &aws-context
        export AWS_REGION=REPLACE_WITH_REGION_TO_USE;
        export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token;
        export AWS_ROLE_SESSION_NAME=build-session;
        export AWS_ROLE_ARN=REPLACE_WITH_ROLE_ARN_TO_USE;
        echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token
@abiydv
abiydv / promql.sh
Created September 30, 2021 16:11
Pod CPU Usage
# PromQL query to calculate how much CPU a particular pod is consuming on a particular instance
# Labels available after this query - ec2 and pod
#
# Required: node_exporter exposing node_cpu* metrics
# cadvisor exposing container_cpu* metrics
#
sum(label_replace(rate(container_cpu_usage_seconds_total{cluster="k8s"}[1m]),
"ec2", "$1", "instance", "(.+):.+")) by (ec2, pod) / ignoring (pod) group_left
sum(label_replace(rate(node_cpu_seconds_total{cluster="k8s"}[1m]),
@abiydv
abiydv / bitbucket-pipelines.yml
Created November 14, 2021 17:24
Bitbucket Pipelines workaround for PR target branch checks
# Bitbucket pipelines currently do not offer a way to specify a condition
# to only trigger jobs based on the target branch.
#
# See this - https://jira.atlassian.com/browse/BCLOUD-17859
#
# You need to use '**' filter to trigger the pipeline on every PR, and
# then filter for your specific branch in the pipeline
#
# Another problem with Bitbucket pipelines is there is no ability to "reject"
# a pipeline execution, so a manual trigger step is not very helpful as a
@abiydv
abiydv / homebrew.sh
Created November 20, 2021 19:15
Homebrew Error
#
# Error seen when trying to install something with brew or even update formula
#
% brew update
fatal: Could not resolve HEAD to a revision
Already up-to-date.
% git -C $(brew --repo homebrew/core) checkout master
Branch 'master' set up to track remote branch 'master' from 'origin'.
@abiydv
abiydv / base.auto.tfvars
Last active May 25, 2022 23:37
Terraform pattern for multi-region multi-account deployments
role_arn = {
  development = "arn:aws:iam::123456789012:role/TFRole"
  production  = "arn:aws:iam::123456789013:role/TFRole"
}