Luis Rodrigues

1626236700

AWS CloudFront tutorial | Create an AWS CloudFront Distribution | AWS Serverless

In this AWS CloudFront tutorial video, we’ll walk through the steps for creating an AWS CloudFront distribution to improve the performance of your web application. This video is part of the AWS Serverless series.

Included topics in this tutorial:

  1. Intro to AWS CloudFront
  2. What is AWS CloudFront
  3. Create a CloudFront distribution
  4. Request an SSL Certificate from ACM (Amazon Certificate Manager)
  5. Associate SSL cert with CloudFront distribution
  6. Configure CloudFront custom domain with AWS S3 and AWS Route 53
  7. Verify CloudFront deployment

Christa Stehr

1598408880

How To Unite AWS KMS with Serverless Application Model (SAM)

The Basics

AWS KMS is a Key Management Service that lets you create cryptographic keys that you can use to encrypt and decrypt data and also other keys. You can read more about it here.

Important points about Keys

Please note that the customer master keys (CMKs) you generate can only be used to encrypt small amounts of data, such as passwords or RSA keys. You can use AWS KMS CMKs to generate, encrypt, and decrypt data keys. However, AWS KMS does not store, manage, or track your data keys, or perform cryptographic operations with data keys.

You must use and manage data keys outside of AWS KMS. The KMS API operations that encrypt with a CMK cannot accept more than 4 KB (4096 bytes) of data. To encrypt application data, use the server-side encryption features of an AWS service, or a client-side encryption library, such as the AWS Encryption SDK or the Amazon S3 encryption client.

Scenario

We want to create signup and login forms for a website.

Passwords should be encrypted and stored in DynamoDB database.

What do we need?

  1. KMS key to encrypt and decrypt data
  2. DynamoDB table to store password.
  3. Lambda functions & APIs to process Login and Sign up forms.
  4. Sign up/ Login forms in HTML.

Let's implement it with the Serverless Application Model (SAM)!

Let's first create the key that we will use to encrypt and decrypt the password.

KmsKey:
    Type: AWS::KMS::Key
    Properties: 
      Description: CMK for encrypting and decrypting
      KeyPolicy:
        Version: '2012-10-17'
        Id: key-default-1
        Statement:
        - Sid: Enable IAM User Permissions
          Effect: Allow
          Principal:
            AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
          Action: kms:*
          Resource: '*'
        - Sid: Allow administration of the key
          Effect: Allow
          Principal:
            AWS: !Sub arn:aws:iam::${AWS::AccountId}:user/${KeyAdmin}
          Action:
          - kms:Create*
          - kms:Describe*
          - kms:Enable*
          - kms:List*
          - kms:Put*
          - kms:Update*
          - kms:Revoke*
          - kms:Disable*
          - kms:Get*
          - kms:Delete*
          - kms:ScheduleKeyDeletion
          - kms:CancelKeyDeletion
          Resource: '*'
        - Sid: Allow use of the key
          Effect: Allow
          Principal:
            AWS: !Sub arn:aws:iam::${AWS::AccountId}:user/${KeyUser}
          Action:
          - kms:DescribeKey
          - kms:Encrypt
          - kms:Decrypt
          - kms:ReEncrypt*
          - kms:GenerateDataKey
          - kms:GenerateDataKeyWithoutPlaintext
          Resource: '*'

The important thing in the above snippet is the KeyPolicy. KMS requires a Key Administrator and a Key User. As a best practice, your Key Administrator and Key User should be two separate users in your organisation. We are allowing all permissions to the root user.

So if your Key Administrator leaves the organisation, the root user will still be able to delete this key. As you can see, **KeyAdmin** can manage the key but not use it, and **KeyUser** can only use the key. **${KeyAdmin}** and **${KeyUser}** are parameters in the SAM template.

You will be asked to provide values for these parameters during SAM deploy.
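An added example, not code from the original article: a small check that the key policy above really gives the admin/user split the text describes. The account id, user names and the grouping of actions are assumptions made for the example, and it reads only the key policy, not IAM identity policies that the root statement also lets grant access.

```python
from fnmatch import fnmatchcase

# Constructed copy of the three KeyPolicy statements above. The account id and
# user names are placeholders for ${AWS::AccountId}, ${KeyAdmin}, ${KeyUser}.
ROOT = "arn:aws:iam::111122223333:root"
ADMIN = "arn:aws:iam::111122223333:user/key-admin"
USER = "arn:aws:iam::111122223333:user/key-user"
STATEMENTS = [
    {"Effect": "Allow", "Principal": {"AWS": ROOT}, "Action": ["kms:*"]},
    {"Effect": "Allow", "Principal": {"AWS": ADMIN}, "Action": [
        "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
        "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
        "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"]},
    {"Effect": "Allow", "Principal": {"AWS": USER}, "Action": [
        "kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
        "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext"]},
]

# KMS actions grouped (for this example) by what they let a principal do.
USE = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
       "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext"]
MANAGE = ["kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:DisableKey"]
DELEGATE = ["kms:CreateGrant", "kms:PutKeyPolicy"]  # can hand key use to others

def allowed(statements, principal, candidates):
    """Return the candidate actions an Allow statement grants to principal."""
    granted = set()
    for st in statements:
        if st["Effect"] != "Allow" or st["Principal"]["AWS"] != principal:
            continue
        # IAM action patterns are case-insensitive and support * and ?.
        patterns = [p.lower() for p in st["Action"]]
        granted.update(a for a in candidates
                       if any(fnmatchcase(a.lower(), p) for p in patterns))
    return sorted(granted)

def audit(statements, admin, user):
    """Check the split the text describes: admin manages, user only uses."""
    return {
        "admin_can_use": allowed(statements, admin, USE),
        "user_can_manage": allowed(statements, user, MANAGE),
        "admin_can_delegate": allowed(statements, admin, DELEGATE),
    }

if __name__ == "__main__":
    for check, actions in audit(STATEMENTS, ADMIN, USER).items():
        print(f"{check}: {actions}")
```

The first two checks come back empty, so the policy matches the description, but the third shows that `kms:Create*` and `kms:Put*` also cover `kms:CreateGrant` and `kms:PutKeyPolicy`. Where strict separation is required, replace those wildcards in the admin statement with the specific actions the administrator needs.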

Rory West

1619198880

Adding CloudFront and a Domain to Web-Enabled AWS S3 Bucket

In this article, we will create a CloudFront distribution and link it to a registered domain (microfrontends.info). We will work with AWS CloudFront, Route 53, S3, and Certificate Manager. This article builds on the previous article.

After deploying to the web-enabled AWS S3 bucket, we can browse to the bucket through the following URL: http://mfe1.s3-website-us-east-1.amazonaws.com/

You will notice that next to the URL it says “Not Secure”. This is because we are using HTTP instead of HTTPS. To be able to get a certificate, we first need to create a CloudFront distribution. CloudFront, AWS's CDN (edge servers), is responsible for caching your content globally so that traffic travels a shorter distance. Let’s add AWS CloudFront to our S3 bucket.

Salman Ahmad

1613324663

AWS Secrets Manager: How to Manage Credentials in Python

Even though AWS enables fine-grained access control via IAM roles, sometimes in our scripts we need to use credentials to external resources, not related to AWS, such as API keys, database credentials, or passwords of any kind.

There are a myriad of ways of handling such sensitive data. In this article, I’ll show you an incredibly simple and effective way to manage that using AWS and Python.

Christa Stehr

1602743700

Serverless Integration and Distributed Tracing in Kumologica

Distributed tracing is a key aspect of the new world of serverless integration, as it is one of the three pillars of observability, i.e., logs, metrics, and traces. Distributed tracing is often considered hard to implement in many enterprises because it comprises several disparate components, such as:

  1. Instrumentation of service.
  2. Context propagation.
  3. Trace ingest.
  4. Trace storage.
  5. Trace retrieval and visualization.

Having a distributed tracing infrastructure is one part of the equation, whereas instrumenting the application to enable trace ingestion is a different set of tasks.

In this article, I am going to show you how distributed tracing can be achieved in serverless integration with zero instrumentation and configuration. For this, we will be using the X-Ray service from AWS as the distributed tracing infrastructure and Kumologica for building the service that will be deployed as a Lambda.

AWS X-Ray solves the infrastructure part by providing the capability to store, retrieve, and visualize the service graph, but it doesn’t solve the pain point of implementing the instrumentation in your service. Though AWS provides the necessary instrumentation library to ingest traces into X-Ray, the developer still needs to understand the X-Ray SDK to apply the necessary instrumentation in their service. This is extra effort for developers on top of building the actual business functionality.

Developers need not worry about this anymore, as this problem is solved in Kumologica. Services developed on Kumologica don’t require any explicit instrumentation, as it is taken care of by the underlying Kumologica runtime library. Every node used in Kumologica is instrumented by default to ingest the trace data. Based on the enablement of X-Ray for your service, the trace data will be ingested into the AWS X-Ray service.

Luis Rodrigues

1597812209

AWS KMS Use Case With Serverless Application Model (SAM): An End To End Solution

AWS KMS is a Key Management Service that lets you create cryptographic keys that you can use to encrypt and decrypt data and also other keys. You can read more about it here.

Important Points About Keys

Please note that the CMK generated can only be used to encrypt a small amount of data, such as passwords or RSA keys. You can use AWS KMS customer master keys (CMKs) to generate, encrypt, and decrypt data keys. However, AWS KMS does not store, manage, or track your data keys, or perform cryptographic operations with data keys.

You must use and manage data keys outside of AWS KMS. The KMS API operations that encrypt with a customer master key (CMK) cannot accept more than 4 KB (4096 bytes) of data. To encrypt application data, use the server-side encryption features of an AWS service, or a client-side encryption library, such as the AWS Encryption SDK or the Amazon S3 encryption client.
