AWS Managed Microsoft AD と オンプレAD で信頼関係を構築する (2020年5月版)

AWS Managed Microsoft AD(以後Microsoft AD)では既存のドメインと連携したい場合は信頼関係を構築します。 信頼関係を構築する手順については以前にDevelopsers.IOでも弊社加藤による記事が公開されているのですが、私からも改めて手順を紹介したいと思います。

AWS Managed Microsoft AD の制約について

具体的に明記されているドキュメントを見つけることはできなかったのですが、Microsoft ADはマネージドサービスである都合シングルフォレスト・シングルドメイン構成を強制されます。 このためMicrosoft ADと既存のドメインを連携させたい場合は信頼関係を構築する必要がでるわけです。

Microsoft ADでは「片方向」「双方向」の両方向の信頼関係を構築する事ができます。 信頼関係はドメインリソースへのアクセスに直結するため原則片方向とし必要の無い方向の信頼関係は構築しない様にするのが推奨されています。 (例外はAWS SSOで、AWS SSOを使用する際にMicrosft ADとオンプレADの信頼関係を構築する場合は双方向の信頼関係を結ぶ必要があります)

また、信頼関係の種類には「フォレスト信頼」と「外部信頼」の二種類ありますが、Microsoft ADでは両者の信頼関係をサポートしています。

AWS Managed Microsoft AD と オンプレAD で信頼関係を構築する

ここから本題に入ります。

検証環境について

本記事では以前の加藤の記事の内容を踏まえてMicrosoft ADとオンプレAD間で信頼関係を構築する手順を解説しようと思いますが、オンプレ環境を用意するのが難しかったため、別VPCをオンプレ環境に見立てVPC Peeringでオンプレ環境↔AWS環境間の接続を再現します。

#aws #active directory #microsoft ad

What is GEEK

Buddha Community

AWS Managed Microsoft AD と オンプレAD で信頼関係を構築する (2020年5月版)

AWS Managed Microsoft AD(以後Microsoft AD)では既存のドメインと連携したい場合は信頼関係を構築します。 信頼関係を構築する手順については以前にDevelopsers.IOでも弊社加藤による記事が公開されているのですが、私からも改めて手順を紹介したいと思います。

AWS Managed Microsoft AD の制約について

具体的に明記されているドキュメントを見つけることはできなかったのですが、Microsoft ADはマネージドサービスである都合シングルフォレスト・シングルドメイン構成を強制されます。 このためMicrosoft ADと既存のドメインを連携させたい場合は信頼関係を構築する必要がでるわけです。

Microsoft ADでは「片方向」「双方向」の両方向の信頼関係を構築する事ができます。 信頼関係はドメインリソースへのアクセスに直結するため原則片方向とし必要の無い方向の信頼関係は構築しない様にするのが推奨されています。 (例外はAWS SSOで、AWS SSOを使用する際にMicrosft ADとオンプレADの信頼関係を構築する場合は双方向の信頼関係を結ぶ必要があります)

また、信頼関係の種類には「フォレスト信頼」と「外部信頼」の二種類ありますが、Microsoft ADでは両者の信頼関係をサポートしています。

AWS Managed Microsoft AD と オンプレAD で信頼関係を構築する

ここから本題に入ります。

検証環境について

本記事では以前の加藤の記事の内容を踏まえてMicrosoft ADとオンプレAD間で信頼関係を構築する手順を解説しようと思いますが、オンプレ環境を用意するのが難しかったため、別VPCをオンプレ環境に見立てVPC Peeringでオンプレ環境↔AWS環境間の接続を再現します。

#aws #active directory #microsoft ad

How To Unite AWS KMS with Serverless Application Model (SAM)

The Basics

AWS KMS is a Key Management Service that let you create Cryptographic keys that you can use to encrypt and decrypt data and also other keys. You can read more about it here.

Important points about Keys

Please note that the customer master keys(CMK) generated can only be used to encrypt small amount of data like passwords, RSA key. You can use AWS KMS CMKs to generate, encrypt, and decrypt data keys. However, AWS KMS does not store, manage, or track your data keys, or perform cryptographic operations with data keys.

You must use and manage data keys outside of AWS KMS. KMS API uses AWS KMS CMK in the encryption operations and they cannot accept more than 4 KB (4096 bytes) of data. To encrypt application data, use the server-side encryption features of an AWS service, or a client-side encryption library, such as the AWS Encryption SDK or the Amazon S3 encryption client.

Scenario

We want to create signup and login forms for a website.

Passwords should be encrypted and stored in DynamoDB database.

What do we need?

1. KMS key to encrypt and decrypt data
2. DynamoDB table to store password.
3. Lambda functions & APIs to process Login and Sign up forms.
4. Sign up/ Login forms in HTML.

Lets Implement it as Serverless Application Model (SAM)!

Lets first create the Key that we will use to encrypt and decrypt password.

KmsKey:
    Type: AWS::KMS::Key
    Properties: 
      Description: CMK for encrypting and decrypting
      KeyPolicy:
        Version: '2012-10-17'
        Id: key-default-1
        Statement:
        - Sid: Enable IAM User Permissions
          Effect: Allow
          Principal:
            AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
          Action: kms:*
          Resource: '*'
        - Sid: Allow administration of the key
          Effect: Allow
          Principal:
            AWS: !Sub arn:aws:iam::${AWS::AccountId}:user/${KeyAdmin}
          Action:
          - kms:Create*
          - kms:Describe*
          - kms:Enable*
          - kms:List*
          - kms:Put*
          - kms:Update*
          - kms:Revoke*
          - kms:Disable*
          - kms:Get*
          - kms:Delete*
          - kms:ScheduleKeyDeletion
          - kms:CancelKeyDeletion
          Resource: '*'
        - Sid: Allow use of the key
          Effect: Allow
          Principal:
            AWS: !Sub arn:aws:iam::${AWS::AccountId}:user/${KeyUser}
          Action:
          - kms:DescribeKey
          - kms:Encrypt
          - kms:Decrypt
          - kms:ReEncrypt*
          - kms:GenerateDataKey
          - kms:GenerateDataKeyWithoutPlaintext
          Resource: '*'

The important thing in above snippet is the KeyPolicy. KMS requires a Key Administrator and Key User. As a best practice your Key Administrator and Key User should be 2 separate user in your Organisation. We are allowing all permissions to the root users.

So if your key Administrator leaves the organisation, the root user will be able to delete this key. As you can see **KeyAdmin **can manage the key but not use it and KeyUser can only use the key. ${KeyAdmin} and **${KeyUser} **are parameters in the SAM template.

You would be asked to provide values for these parameters during SAM Deploy.

#aws #serverless #aws-sam #aws-key-management-service #aws-certification #aws-api-gateway #tutorial-for-beginners #aws-blogs

Managed Entitlements in AWS License Manager

AWS License Manager is a service that helps you easily manage software licenses from vendors such as Microsoft, SAP, Oracle, and IBM across your Amazon Web Services (AWS) and on-premises environments. You can define rules based on your licensing agreements to prevent license violations, such as using more licenses than are available. You can set the rules to help prevent licensing violations or notify you of breaches. AWS License Manager also offers automated discovery of bring your own licenses (BYOL) usage that keeps you informed of all software installations and uninstallations across your environment and alerts you of licensing violations.

License Manager can manage licenses purchased in AWS Marketplace, a curated digital catalog where you can easily find, purchase, deploy, and manage third-party software, data, and services to build solutions and run your business. Marketplace lists thousands of software listings from independent software vendors (ISVs) in popular categories such as security, networking, storage, machine learning, business intelligence, database, and DevOps.

#aws license manager #aws marketplace #aws re:invent #aws

AWS Cost Allocation Tags and Cost Reduction

Bob had just arrived in the office for his first day of work as the newly hired chief technical officer when he was called into a conference room by the president, Martha, who immediately introduced him to the head of accounting, Amanda. They exchanged pleasantries, and then Martha got right down to business:

“Bob, we have several teams here developing software applications on Amazon and our bill is very high. We think it’s unnecessarily high, and we’d like you to look into it and bring it under control.”

Martha placed a screenshot of the Amazon Web Services (AWS) billing report on the table and pointed to it.

“This is a problem for us: We don’t know what we’re spending this money on, and we need to see more detail.”

Amanda chimed in, “Bob, look, we have financial dimensions that we use for reporting purposes, and I can provide you with some guidance regarding some information we’d really like to see such that the reports that are ultimately produced mirror these dimensions — if you can do this, it would really help us internally.”

“Bob, we can’t stress how important this is right now. These projects are becoming very expensive for our business,” Martha reiterated.

“How many projects do we have?” Bob inquired.

“We have four projects in total: two in the aviation division and two in the energy division. If it matters, the aviation division has 75 developers and the energy division has 25 developers,” the CEO responded.

Bob understood the problem and responded, “I’ll see what I can do and have some ideas. I might not be able to give you retrospective insight, but going forward, we should be able to get a better idea of what’s going on and start to bring the cost down.”

The meeting ended with Bob heading to find his desk. Cost allocation tags should help us, he thought to himself as he looked for someone who might know where his office is.

#aws #aws cloud #node js #cost optimization #aws cli #well architected framework #aws cost report #cost control #aws cost #aws tags

Hire AWS Developer

Looking to Hire Professional AWS Developers?

The technology inventions have demanded all businesses to use and manage cloud-based computing services and Amazon is dominating the cloud computing services provider in the world.

Hire AWS Developer from HourlyDeveloper.io & Get the best amazon web services development. Take your business to excellence with our best AWS developer that will serve you the benefit of different cloud computing tools.

Consult with experts: https://bit.ly/2CWJgHyAWS Development services

#hire aws developer #aws developers #aws development company #aws development services #aws development #aws