
The Aspire app needs to be set up to mitigate DDoS attacks and similar issues related to the findings in the Jira vulnerability issue.

A quick and straightforward solution is an Nginx server set up as a proxy server in front of Aspire.

Prerequisites:

Install Nginx server

Install Aspire 5

Aspire should not be reachable from outside directly, but always through Nginx or a similar technology (Apache, AWS WAF ...).

Nginx will be set up as a proxy server with HTTPS certificates, request limits and other necessary security.

Internally, Aspire 5 and the internal apps that cooperate with it can be connected directly (localhost:50505).

With this approach we avoid imposing limitations between internal applications.

To enable POST request limits, open nginx.conf and put:

    http {
        # Maps the client address to $limit only when the request is a POST;
        # other methods get an empty key and are not counted.
        map $request_method $limit {
            default         "";
            POST            $binary_remote_addr;
        }
        # Creates a 10 MB zone in memory for storing binary IPs and limits requests to 60 per minute.
        limit_req_zone $limit zone=one:10m rate=60r/m;
        ...
        server {
            ...
            location / {
                ...
                # limit POST requests to 60 per minute
                # (without a burst parameter, excess requests are rejected immediately with 503)
                limit_req zone=one;
            }
        }
    }

There are two ways of configuring the encryption provider: through Properties or through the Settings File (each has its own page with more details).

Regardless of which way is used to configure the provider, the following parameters apply:

roleARN
  Required: no
  Default: null
  Description: (Optional) If the KMS service must be accessed through the assumption of an IAM role, specify the role ARN. Role assumption is recommended so the base account won't have direct access to the resources. If not specified, the base account will be used to execute the encryption/decryption calls directly.

keyARN
  Required: yes
  Default: N/A
  Description: The KMS key ARN.

region
  Required: yes
  Default: N/A
  Description: The AWS region in which the KMS service will be used.

accessKey
  Required: no
  Default: null
  Description: (Optional) Specify the access key if static credentials must be used for the base account. If this is not specified, the Default Credential Provider Chain will be used.

secretKey
  Required: no
  Default: null
  Description: (Optional) Specify the secret key if static credentials must be used for the base account. If this is not specified, the Default Credential Provider Chain will be used.

How to create a KMS Key suitable for Aspire?

When creating a KMS key for Aspire, make sure to include the following properties:

  • Symmetric key: allows Aspire to encrypt and decrypt secrets using the key
  • Permissions: The user or role to be used by Aspire should be granted the kms:Encrypt, kms:Decrypt and kms:DescribeKey permissions.

Key Policy:

You can add or remove permissions in this policy if needed, but make sure it still has the Encrypt, Decrypt and DescribeKey ones for the user or role that Aspire will use.

{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::[account_id]:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::[account_id]:[role/user]/[role_id/user_id]"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}

Create the KMS key with the AWS CLI

Save the policy specified above into a file called policy.json, fill in the [account_id], [role/user] and [role_id/user_id] details and execute (inside the same folder where the policy file was created):

aws kms create-key --policy file://policy.json --description "Aspire Encryption key" > newKey

In the file newKey you will see a JSON document with the details of your new key. Copy the Key ARN and configure it as the keyARN Aspire property.

Optionally, you can create an alias for your key to help AWS administrators know what this KMS key is for:

aws kms create-alias --target-key-id [key_id_taken_from_newKey_file] --alias-name alias/aspire5-encryption-key
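As an added example (not part of the Aspire documentation or product), the following Python fills in the placeholders of the key policy above and reviews the resulting policy before it is handed to `aws kms create-key --policy file://policy.json`: it checks that the Aspire role or user gets exactly kms:Encrypt, kms:Decrypt and kms:DescribeKey, and that no statement opens the key to every AWS principal. The account id and principal name in the usage are constructed sample values.

```python
# Actions the page says Aspire's role or user needs on the key, and nothing more.
ASPIRE_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"}


def build_aspire_key_policy(account_id, principal_type, principal_name):
    """Fill the page's [account_id], [role/user] and [role_id/user_id] placeholders."""
    if principal_type not in ("role", "user"):
        raise ValueError("principal_type must be 'role' or 'user'")
    aspire_arn = f"arn:aws:iam::{account_id}:{principal_type}/{principal_name}"
    return {
        "Version": "2012-10-17",
        "Id": "key-consolepolicy-3",
        "Statement": [
            {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "Allow use of the key", "Effect": "Allow",
             "Principal": {"AWS": aspire_arn},
             "Action": sorted(ASPIRE_ACTIONS), "Resource": "*"},
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def check_aspire_key_policy(policy, aspire_arn):
    """Review a key policy (parsed policy.json) before creating the key.
    Returns a list of findings; an empty list means the policy is acceptable."""
    findings, granted = [], set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        if "*" in aws:
            findings.append(f"{stmt.get('Sid')}: allows any AWS principal")
        if aspire_arn in aws:
            granted.update(_as_list(stmt.get("Action")))
    covers_all = bool({"kms:*", "*"} & granted)
    missing = set() if covers_all else ASPIRE_ACTIONS - granted
    if missing:
        findings.append("Aspire principal lacks " + ", ".join(sorted(missing)))
    extra = granted - ASPIRE_ACTIONS  # kms:* or admin actions would let Aspire alter the key
    if extra:
        findings.append("Aspire principal has more than needed: " + ", ".join(sorted(extra)))
    return findings


if __name__ == "__main__":
    import json
    policy = build_aspire_key_policy("123456789012", "role", "aspire-role")  # constructed values
    print(check_aspire_key_policy(policy, "arn:aws:iam::123456789012:role/aspire-role"))
    print(json.dumps(policy, indent=4))  # this text is what goes into policy.json
```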