The Aspire AWS KMS encryption provider uses keys created in KMS to encrypt and decrypt the data. Secrets are encrypted with KMS encryption mechanisms and stored in the Aspire Configuration indexes once encrypted. When Aspire needs the secret value, it calls the KMS decrypt mechanism to obtain the value back.
To enable AWS KMS encryption, you must change the encryptionProvider section of your Aspire Settings file to point to the KMS encryption provider jar:
Code Block
"encryptionProvider": {
    "_comments_implementation": [
        "Maven coordinates of the encryption provider",
        "default is: com.accenture.aspire:aspire-encryption-provider"
    ],
    "implementation": "com.accenture.aspire:aspire-aws-kms-encryption-provider"
},
There are two ways of configuring the encryption provider: through Properties or through the Settings File.
Regardless of which way is used to configure the provider, the following parameters are used:
...
(Optional) If the KMS service must be accessed by assuming an IAM role, specify the role ARN. Role assumption is recommended so that the base account does not have direct access to the resources.
If not specified, the base account is used to execute the encryption/decryption calls directly.
...
The app needs to be set up to mitigate DDoS attacks and similar issues raised in security findings (Jira vulnerability issue).
A quick and straightforward solution is an Nginx server set up as a reverse proxy in front of Aspire.
Aspire should not be reachable from outside directly, but only through Nginx or a similar technology (Apache, AWS WAF, etc.).
Nginx will be set up as a proxy server with HTTPS certificates, request limits and other necessary security measures.
Internally, Aspire 5 and internal apps can connect directly (localhost:50505).
This approach avoids imposing limits on traffic between internal applications.
Install Nginx server
Install Aspire 5
You can limit the rate at which NGINX accepts incoming requests to a value typical for real users. For example, you might decide that a real user accessing a login page can only make a request every 1 second.
You can configure NGINX to allow a single client IP address to attempt POST requests to API endpoints only every 1 second (equivalent to 60 requests per minute):
To enable POST request limits, open nginx.conf and add:

Code Block
http {
    # Maps the client IP address to the $limit variable only when the request is a POST;
    # every other method gets an empty key, which limit_req does not count
    map $request_method $limit {
        default "";
        POST    $binary_remote_addr;
    }

    # Creates a 10 MB shared zone in memory for storing binary IPs and limits
    # requests to 60 per minute (one per second) per key
    limit_req_zone $limit zone=one:10m rate=60r/m;
    ...
    server {
        ...
        location / {
            ...
            # limit POST requests to 60 per minute
            limit_req zone=one;
        }
    }
}

When creating a KMS key for Aspire, make sure to include the following properties:
Key Policy:
You can add or remove permissions in this policy if needed, but make sure it still has the Encrypt, Decrypt and DescribeKey permissions for the user or role that Aspire will use.

Code Block
{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::[account_id]:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::[account_id]:[role/user]/[role_id/user_id]"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}

You can limit the number of connections that can be opened by a single client IP address, again to a value appropriate for real users. For example, you can allow each client IP address to open no more than 10 connections to the Aspire 5 area:

Code Block
http {
    # Zone keyed by client IP, required by limit_conn below
    # (assumed: the original page omits this line, but nginx rejects limit_conn without it)
    limit_conn_zone $binary_remote_addr zone=addr:10m;
    server {
        # ...
        location / {
            limit_conn addr 10;
            # ...
        }
    }
}

More can be found directly in the Nginx documentation.
To configure an HTTPS connection, SSL certificates need to be prepared for the current domain or IP. Here is an example for localhost only.

Code Block
server {
    listen 443 ssl;
    server_name localhost;
    keepalive_timeout 70;
    ssl_certificate     certs/localhost.crt;
    ssl_certificate_key certs/localhost.rsa;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5;
    ...
}

Note that TLS 1.0 and 1.1 are deprecated (RFC 8996); current nginx and OpenSSL builds may refuse to enable them, and for a production domain only TLSv1.2 and TLSv1.3 should be listed.
More can be found directly in the Nginx documentation.
Save the policy specified above into a file called policy.json, fill in the [account_id], [role/user] and [role_id/user_id] details and execute (inside the same folder where the policy file was created):

Code Block
aws kms create-key --policy file://policy.json --description "Aspire Encryption key" > newKey

In the file newKey you will see a JSON document with the details of your new key. Copy the Key ARN and configure it in the Aspire Properties.
Optionally, you can create an alias for your key to help AWS administrators know what this KMS key is for.
...
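Before running create-key, it is worth checking policy.json statically for the one requirement the text above states: the principal Aspire runs as must still be allowed kms:Encrypt, kms:Decrypt and kms:DescribeKey. The following is an added example, not part of the Aspire product or the original page; the account id 111122223333 and the role name aspire-kms-role are constructed placeholders, and the check is a pre-flight lint of the document only (it ignores Deny statements, Conditions and identity-based policies, which IAM's real evaluator does not).

```python
import json

# Actions the page says the Aspire principal must keep on the key
REQUIRED_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"}

# Constructed sample: the page's key policy with a placeholder account id and an
# assumed role name filled in. 111122223333 is not a real account.
ASPIRE_ROLE_ARN = "arn:aws:iam::111122223333:role/aspire-kms-role"
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {"AWS": ASPIRE_ROLE_ARN},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"],
            "Resource": "*",
        },
    ],
})


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def actions_allowed_for(policy, principal_arn):
    """Union of actions in Allow statements whose Principal.AWS names principal_arn.

    Static document check only: Deny statements, Conditions and identity-based
    policies are ignored, and Resource is assumed to be "*" as in a key policy.
    """
    allowed = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principals = _as_list(principal.get("AWS"))
        else:
            principals = _as_list(principal)  # bare "*" form
        if principal_arn not in principals:
            continue
        allowed |= set(_as_list(stmt.get("Action")))
    return allowed


def missing_aspire_permissions(policy_text, principal_arn):
    """Return the subset of REQUIRED_ACTIONS the principal is not granted (empty set = OK)."""
    policy = json.loads(policy_text)
    allowed = actions_allowed_for(policy, principal_arn)
    if "kms:*" in allowed or "*" in allowed:
        return set()
    return REQUIRED_ACTIONS - allowed


def drop_action(policy_text, sid, action):
    """Remove one action from the statement with the given Sid (used to show the failure mode)."""
    policy = json.loads(policy_text)
    for stmt in policy["Statement"]:
        if stmt.get("Sid") == sid:
            stmt["Action"] = [a for a in _as_list(stmt.get("Action")) if a != action]
    return json.dumps(policy)


if __name__ == "__main__":
    print(missing_aspire_permissions(SAMPLE_POLICY, ASPIRE_ROLE_ARN))
    weakened = drop_action(SAMPLE_POLICY, "Allow use of the key", "kms:Decrypt")
    print(missing_aspire_permissions(weakened, ASPIRE_ROLE_ARN))
```

Point missing_aspire_permissions at the contents of your own policy.json and the ARN you configure as the Aspire role or user; a non-empty result means an encrypt or decrypt call from Aspire would be denied by the key policy regardless of what the IAM role itself allows.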
First Line of Defense: Blocking Bad POST Requests Using NGINX Rate Limiting.
The three most important AWS WAF rate-based rules
...
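To make the two nginx limits above concrete (POST-only rate limiting at 60r/m via the map and limit_req_zone, and limit_conn addr 10), here is an added offline model of how nginx decides, with no burst parameter configured; it is illustrative code written for this page, not nginx's own implementation. The request events and the client addresses (documentation ranges) are constructed.

```python
from dataclasses import dataclass, field

# Values taken from the nginx.conf fragments on this page
RATE_PER_MINUTE = 60        # limit_req_zone ... rate=60r/m
MAX_CONNS_PER_IP = 10       # limit_conn addr 10
LIMIT_STATUS = 503          # nginx default for limit_req_status / limit_conn_status


@dataclass
class ProxyLimits:
    """Offline model of the two limits, mirroring nginx's behaviour with no burst."""
    rate_per_minute: int = RATE_PER_MINUTE
    max_conns: int = MAX_CONNS_PER_IP
    _last_accepted: dict = field(default_factory=dict)  # limit key -> time of last accepted POST
    _open_conns: dict = field(default_factory=dict)     # client ip -> open connection count

    def limit_key(self, method, client_ip):
        # The `map $request_method $limit`: POST -> client address, anything else -> "".
        # An empty key means limit_req does not count the request at all.
        return client_ip if method == "POST" else ""

    def check_request(self, method, client_ip, now):
        """Return 200 if the request is passed upstream, 503 if limit_req rejects it."""
        key = self.limit_key(method, client_ip)
        if key == "":
            return 200
        interval = 60.0 / self.rate_per_minute     # 60r/m means one request per second
        last = self._last_accepted.get(key)
        if last is not None and now - last < interval:
            return LIMIT_STATUS   # no burst: excess requests are rejected, not queued
        self._last_accepted[key] = now
        return 200

    def open_connection(self, client_ip):
        """Return 200 if limit_conn admits a new connection from client_ip, else 503."""
        count = self._open_conns.get(client_ip, 0)
        if count >= self.max_conns:
            return LIMIT_STATUS
        self._open_conns[client_ip] = count + 1
        return 200

    def close_connection(self, client_ip):
        self._open_conns[client_ip] = max(0, self._open_conns.get(client_ip, 0) - 1)


# Constructed request events: (seconds, method, client IP), using documentation IP ranges
SAMPLE_EVENTS = [
    (0.0, "POST", "203.0.113.7"),
    (0.2, "POST", "203.0.113.7"),    # second POST within 1 s from the same client
    (0.3, "GET",  "203.0.113.7"),    # GET is never counted
    (0.5, "POST", "198.51.100.9"),   # different client, separate counter
    (1.0, "POST", "203.0.113.7"),    # a full second after the last accepted POST
    (1.5, "POST", "203.0.113.7"),    # too soon again
]


def replay(events):
    """Feed events through a fresh ProxyLimits and return the status per event."""
    limits = ProxyLimits()
    return [limits.check_request(method, ip, t) for t, method, ip in events]


def connection_burst(client_ip, attempts):
    """Open `attempts` connections without closing any; return the status per attempt."""
    limits = ProxyLimits()
    return [limits.open_connection(client_ip) for _ in range(attempts)]


if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))                 # [200, 503, 200, 200, 200, 503]
    print(connection_burst("203.0.113.7", 11))   # ten 200s followed by one 503
```

The model shows the property that matters for the login-page scenario: a rejected POST does not reset the client's timer, so a client hammering the endpoint still gets exactly one accepted POST per second, while GET traffic and other clients are unaffected. The connection count is only released when close_connection is called, which is why idle keep-alive connections also count against the limit of 10.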