Monday, September 9, 2024

AWS - Access Key ID vs Secret Access Key


https://chatgpt.com/share/48336e83-2376-439d-acd3-79ea2fe5b7d6

The term "Access Key ID" is not called "Secret Access Key ID" because the Access Key ID itself is not considered a secret. Here's the reasoning:

  1. Access Key ID: This is a public identifier for the credential. It is used to identify the user or service that is making requests to AWS. The Access Key ID is not secret, and it can be shared (for example, in logs) without compromising the security of your AWS resources.

  2. Secret Access Key: This is a private component that must be kept confidential. It works like a password and is used in combination with the Access Key ID to sign API requests. Anyone with access to both the Secret Access Key and Access Key ID can make authorized API requests, so the Secret Access Key must be kept secret.

  3. Session Token: In the case of temporary credentials from AWS STS (Security Token Service), the Session Token is also a secret and is used in conjunction with the Access Key ID and Secret Access Key to authenticate API requests for the session's duration.

Thus, the "Access Key ID" is the public-facing part that identifies the key, while the "Secret Access Key" and "Session Token" are sensitive, secret components. That's why the "Access Key ID" is named as it is—it's meant to be distinguishable from the actual secret that provides authentication.

AWS - Security Token Service (STS)


AWS STS (AWS Security Token Service) is a service that allows you to request temporary, limited-privilege credentials for users or services to access AWS resources. These credentials are often used in scenarios where you don't want to use long-term access keys, or when you need to provide short-term access to resources without creating permanent IAM users.

Here’s a breakdown of key concepts related to AWS STS:

Key Features of AWS STS:

  1. Temporary Security Credentials: STS provides credentials that are valid for a limited duration (from a few minutes to several hours). After they expire, they cannot be used to access AWS resources.

  2. Assume Roles: One of the most common uses of AWS STS is assuming roles. For example, you can allow a user or application to "assume" a role that gives it specific permissions, even if the user or app doesn't have those permissions by default. This is useful in cross-account scenarios, federated access, or when using roles to segregate access levels within the same account.

  3. Federation: AWS STS enables identity federation, which allows users from external systems (like corporate directories or external identity providers) to access AWS resources without the need to create IAM users for them. This is done via standard protocols like SAML 2.0 or OpenID Connect.

  4. Cross-Account Access: STS makes it easy to provide access to resources across different AWS accounts. A user in one account can assume a role in another account and gain access to resources, all without requiring the user to have an IAM user in the other account.

  5. Reduced Credential Exposure: Since STS tokens are temporary, they limit the risk if credentials are compromised. After the expiration time, the token cannot be reused.

Example Use Cases:

  • Delegating Access: You have a central administrative account, and you want to allow users from other AWS accounts to access your account’s resources. They can assume a role that you define in your account to temporarily gain the necessary permissions.
  • Third-Party Access: You can give third-party vendors temporary access to your resources by letting them assume a role through STS without needing long-term credentials.
  • Mobile Apps and IoT Devices: Instead of embedding long-term credentials in mobile or IoT devices, which can be insecure, you use STS to issue temporary credentials, which can be refreshed as needed.

Example of Using STS with AssumeRole:

aws sts assume-role --role-arn arn:aws:iam::123456789012:role/example-role --role-session-name session1

This command allows an identity to assume the role example-role in account 123456789012 and gain temporary credentials.

In summary, AWS STS is a powerful tool for managing short-term, secure access to AWS resources without the need for long-term credentials. It’s especially valuable in complex environments that require secure, time-bound access control, such as in cross-account access or federated identity setups.

AWS IAM Identity Policy - "Resource" discussion

https://chatgpt.com/share/a15d63d2-a124-4e5d-8195-830e27fb395d

Whether targeting a role or specific AWS resources is more common or advised depends on the context and the desired security model. Both approaches serve different purposes in AWS Identity and Access Management (IAM), and each has its own use cases:

1. Targeting an IAM Role (More common for users/roles):

  • Use Case: When you want to define a set of permissions for who can perform actions.

  • Common: This is a common practice for controlling permissions at a higher level. You assign policies to roles, and these roles are then assumed by users or services.

  • Advised: This approach is recommended when managing multiple users or services because you can easily modify or revoke permissions in one place (the role) without touching individual resources.

  • Example:

    
    "Resource": "arn:aws:iam::123456789012:role/MyRole"
    

Advantages:

  • Easier Management: You can centrally manage access by assigning or removing permissions from the role without having to modify each resource.

  • Scalability: If multiple users or services need the same set of permissions, it's easier to manage by assigning roles rather than specific resource-level permissions.

When to Use:

  • For multi-user or multi-service environments where permissions are broadly defined.

  • For complex environments where you want to delegate access to external entities (cross-account access, etc.).

  • When you need to limit actions based on who or what is trying to perform the action.

2. Targeting Specific AWS Resources (More common for resources):

  • Use Case: When you want to limit what resources can be accessed or acted upon.

  • Common: Resource-based policies are used when you need fine-grained control over specific AWS resources. This ensures that only designated users, roles, or services can access or modify those resources.

  • Advised: Targeting specific resources is more advisable for high-security environments, or where sensitive data and actions need strict control.

  • Example:

    
    "Resource": "arn:aws:s3:::my-bucket/my-object.txt"
    

Advantages:

  • Granular Control: You can enforce permissions on specific resources, ensuring tighter security.

  • Increased Security: You can prevent access to anything outside the explicitly defined resource, reducing the attack surface.

When to Use:

  • When you need to apply specific permissions to individual resources, like a particular S3 bucket, EC2 instance, or Lambda function.

  • When fine-grained permissions are necessary to ensure only specific actions are allowed on specific resources.

  • In cases where resources belong to sensitive environments or need to be tightly controlled.

Which is More Common?

  • IAM roles are generally more common in large-scale deployments and multi-service environments because they offer flexibility and ease of management.

  • Resource-based targeting is frequently used for controlling access to specific, high-security or sensitive resources.

Which is More Advised?

  • Targeting Roles is recommended when you want to manage permissions for who can perform actions (identity-based access control).

  • Targeting Specific Resources is more advisable when securing specific resources in high-security contexts (resource-based access control).

Best Practice:

In many cases, it's beneficial to combine both:

  • Use roles to manage who can access resources.

  • Use resource-level permissions to restrict what those roles (or identities) can do on specific resources.

For example, an S3 bucket might have a policy that allows only a specific IAM role to perform actions, and that role has a policy that allows specific users to assume it.

Tuesday, August 20, 2024

AWS Networking contd. - NACLs, Subnets, Security Groups

Discussion with ChatGPT about NACLs, Subnets, Security Groups

https://chatgpt.com/c/51ec2d12-d3ad-42e6-b20a-30470c0f442e

(Not a shared link. Have to be logged-in to chat.openai.com)

Monday, August 5, 2024

AWS Networking - Relationship between Region-VPC-AZ-Subnet-EC2

 





























Amongst the following entities - Region, VPC, AZ, Subnet, EC2, which of these are associated with Routing Tables and NACLs?

Routing Tables and Network Access Control Lists (NACLs) are associated with the following entities in AWS:

1. **VPC (Virtual Private Cloud)**:
   - **Routing Tables**: Each VPC has one or more routing tables that control the routing of traffic between the subnets within the VPC and the internet, or other VPCs. These routing tables determine where network traffic from the subnet is directed.
   - **NACLs (Network Access Control Lists)**: NACLs are optional layers of security that act as firewalls for controlling traffic into and out of subnets. You can apply NACLs to each subnet within a VPC, and they provide stateless filtering of ingress and egress traffic at the subnet level.

2. **Subnet**:
   - While subnets themselves don't directly contain routing tables or NACLs, they are associated with them:
     - Each subnet is associated with a routing table from its VPC to manage the flow of traffic out of the subnet.
     - NACLs can be applied to subnets to manage access and traffic flow into and out of the subnet.

**Regions** and **Availability Zones (AZs)** do not directly involve routing tables or NACLs, as these are specifically related to network configurations within VPCs. **EC2 Instances** are affected by these configurations but do not themselves contain or directly manage routing tables or NACLs.


What about Security Groups? Which entity or entities are those associated with?

**Security Groups** in AWS are primarily associated with the following entities:

1. **EC2 Instances**:
   - Security Groups are used to control inbound and outbound traffic at the instance level. They act as a virtual firewall for EC2 instances to regulate allowable traffic.

2. **VPC (Virtual Private Cloud)**:
   - Security Groups are defined at the VPC level and can be associated with any instance in that VPC. While they are created within a VPC, their rules apply to instances they are attached to, not subnets.

Unlike NACLs, which are associated at the subnet level and provide stateless filtering, Security Groups provide stateful filtering and are associated directly with instances, such as EC2 instances, RDS instances, and Elastic Load Balancers within the VPC. This means they remember the state of traffic flows and can automatically allow return traffic without additional rules.

So all network security instruments - Security Groups, Routing Tables, NACLs are defined at the VPC level?

Yes, that's correct! All these network security instruments—Security Groups, Routing Tables, and Network Access Control Lists (NACLs)—are defined at the VPC level in AWS. Here's how each operates within the VPC:

1. **Security Groups**: These are associated with individual instances within the VPC, such as EC2 instances. They control inbound and outbound traffic at the instance level and are stateful, meaning they track the state of network connections.

2. **Routing Tables**: These define the rules for traffic routing within the VPC and between the VPC and other networks. Each subnet in a VPC is associated with a routing table that determines where network traffic is directed.

3. **NACLs (Network Access Control Lists)**: These provide a layer of security that acts as a firewall for controlling traffic into and out of subnets. NACLs are stateless, so they do not keep track of the state of network connections and each packet is processed individually.

All three instruments are configured at the VPC level but apply at different scopes—Security Groups at the instance level, Routing Tables at the subnet level, and NACLs at the subnet level—to provide comprehensive network security and routing management within a VPC.

Saturday, June 1, 2024

Workflow Engine Principles

https://temporal.io/blog/workflow-engine-principles

https://share.transistor.fm/s/65974dd6

Join Jason for another round of “Build Things on Purpose.” This time Jason is joined by Maxim Fateev and Samar Abbas, co-founders of Temporal, to talk about the software and solutions they are developing for orchestrating micro services. Maxim and Samar talk about their joint work in the past on various projects to include the Cadence project, which has laid the foundation for what they are continuing to do at Temporal. Check out this “Build Things” conversation as Maxim and Samar go into the details on the nature of their work at Temporal!

Durable Execution

https://orkes.io/blog/why-your-applications-need-durable-execution/

https://materializedview.io/p/durable-execution-justifying-the-bubble

First heard about it in a podcast featuring Temporal's CEO

System Design: 11 basic & essential concepts

Below is from a post by Kartikeya Sapra on LinkedIn

11 basic & essential concepts:

1. Scalability
- Ensures systems can handle increased load and grow efficiently.

Link → https://lnkd.in/dD-GZpVq

2. Latency vs Throughput
- Balances speed and capacity in system performance.

Link → https://lnkd.in/dscK9g3E

3. CAP Theorem
- Explains the trade-offs between consistency, availability, and partition tolerance in distributed systems.

Link → https://lnkd.in/dFpgDSnY

4. ACID Transactions
- Guarantees reliable database processing through atomicity, consistency, isolation, and durability.

Link → https://lnkd.in/dkkmMu_D

5. Rate Limiting
- Controls the amount of incoming and outgoing traffic to prevent overload and abuse.

Link → https://lnkd.in/dY9NqRG9

6. API Design
- Ensures APIs are user-friendly, efficient, and maintainable.

Link → https://lnkd.in/dTgxGa5i

7. Strong vs Eventual Consistency
- Balances the need for immediate data consistency versus eventual data accuracy in distributed systems.

Link → https://lnkd.in/dQDwa7TQ

8. Distributed Tracing
- Helps monitor and debug complex, distributed systems by tracking requests across multiple services.

Link → https://lnkd.in/dA-3swq2

9. Synchronous vs Asynchronous Communications
- Determines how systems interact, either waiting for responses (synchronous) or continuing independently (asynchronous).

Link → https://lnkd.in/dx2nFDgR

10. Batch Processing vs Stream Processing
- Differentiates between processing large volumes of data at once (batch) and processing data in real-time (stream).

Link → https://lnkd.in/dqGFQppV

11. Fault Tolerance
- Ensures systems remain operational despite failures or errors.

Link → https://lnkd.in/dzKWh4ju

Sunday, March 24, 2024

AI Book - Deep Learning for Coders with Fastai and PyTorch: AI Applications Without a PhD

Deep Learning for Coders with Fastai and PyTorch: AI Applications Without a PhD

https://course.fast.ai/Resources/book.html

testcontainers.com

https://testcontainers.com/

An open source framework for providing throwaway, lightweight instances of databases, message brokers, web browsers, or just about anything that can run in a Docker container.

Sunday, February 25, 2024

c2pa.org - Coalition for Content Provenance and Authenticity

https://c2pa.org/

The Coalition for Content Provenance and Authenticity (C2PA) addresses the prevalence of misleading information online through the development of technical standards for certifying the source and history (or provenance) of media content. C2PA is a Joint Development Foundation project, formed through an alliance between Adobe, Arm, Intel, Microsoft and Truepic.

Tuesday, December 12, 2023

Leetcode type problem - Sub-Arrays problem

 Generate number of sub arrays with a particular sum: E.g. nums = [1,1,1] with sum 2

arr = [1,1,1]
SUM =2
#arr = [1,2,2,3,4,5]
#SUM = 5

sub_arrays = []
arr = arr.sort

arr.each_with_index do |n, index|
  if n == SUM
    sub_arrays << [n]
    next
  end
  rest_of_array = arr[(index+1)..-1]
  temp_arr = [n]

  rest_of_array.each do |m|
    temp_arr << m
    if temp_arr.sum == SUM
      # We found a sub_array!
      sub_arrays << temp_arr
      # There might be duplicates of m, so let us remove m from temp_arr and continue
      temp_arr = temp_arr[0..temp_arr.length-2]
    end
    if temp_arr.sum < SUM
      # do nothing; we can continue to add more elements
    end
    if temp_arr.sum > SUM
      # discard all elements except n
      temp_arr = [n]
    end
  end
end

puts sub_arrays.to_s

Sunday, December 10, 2023

Cryptography Foundations

 Below is an excerpt from the book - Securing Cloud Applications (manning.com)


Tuesday, November 21, 2023

Optimizing HTML to PDF in Node.js

https://blog.logrocket.com/optimizing-html-pdf-node-js

The complete guide to Kubernetes cost management in 2023

https://www.spectrocloud.com/blog/the-complete-guide-to-kubernetes-cost-management

State of Cloud Security

https://www.datadoghq.com/state-of-cloud-security/

Amazon’s free courses on generative AI

https://www.aboutamazon.com/news/aws/aws-free-ai-skills-training-courses

The Architecture Of Serverless Data Systems

https://jack-vanlightly.com/blog/2023/11/14/the-architecture-of-serverless-data-systems

Load Shedding for High Traffic Systems

https://www.codereliant.io/load-shedding/

React Server Components: A comprehensive guide

https://blog.logrocket.com/react-server-components-comprehensive-guide/

Developing an effective CI/CD pipeline for frontend apps

https://blog.logrocket.com/best-practices-ci-cd-pipeline-frontend

Wednesday, October 11, 2023

Rails and JS - No Build for JS

https://world.hey.com/dhh/you-can-t-get-faster-than-no-build-7a44131c

We're making it using vanilla ES6 with import maps for Hotwire, and vanilla CSS with nesting and variables for styling. All running on a delightfully new simple asset pipeline called Propshaft. 

Saturday, September 16, 2023

Rails: class_attribute

https://chat.openai.com/c/388e1263-46a6-4406-b16d-8094b8232dfb

In essence, whenever you find yourself thinking, "I need a class-level configuration that should have a default, but I also want the flexibility to customize it for certain subclasses or instances," class_attribute is a tool you might consider using.

Rails - ActiveRecord - inverse_of

https://chat.openai.com/share/e8f26c7d-d539-4ba9-93b3-52f702ca8909

Rails: Join multiple nested associations

Join multiple nested associations:

https://gist.github.com/abhionlyone/84dec0aa7a5d30b9e2bc6d7bd2094f20

Followers

Blog Archive