How to Integrate AWS SSO with AWS Managed Elasticsearch Kibana Instance

Here we talk about how to integrate Amazon Web Services (AWS) Managed Elasticsearch (ES) Cluster with AWS Single Sign-On (SSO) service for user authentication.

Let’s talk a little about “What is Elasticsearch?”. Elasticsearch is a powerful search engine and a log analytics tool. Depending on your use case or requirement, you can use Elasticsearch in either of these ways. For example, the UK Government uses Elasticsearch’s search engine capability for searching through their archived documents.

You can read more about the above-mentioned example at the following link:

How AWS Managed ES helped various Customers ….

In this article, I won’t be explaining ES, as you probably already knew about it when you searched for this article, and I don’t want to make the article too long. But if you are not familiar with it, there are a lot of online resources that you can use to get to know Elasticsearch.

#aws-elasticsearch #aws #aws sso #single sign-on

Christa Stehr

1598408880

How To Unite AWS KMS with Serverless Application Model (SAM)

The Basics

AWS KMS is a Key Management Service that lets you create cryptographic keys that you can use to encrypt and decrypt data and also other keys. You can read more about it here.

Important points about Keys

Please note that the customer master keys (CMKs) generated can only be used to encrypt small amounts of data, such as passwords or an RSA key. You can use AWS KMS CMKs to generate, encrypt, and decrypt data keys. However, AWS KMS does not store, manage, or track your data keys, or perform cryptographic operations with data keys.

You must use and manage data keys outside of AWS KMS. The KMS API operations that use an AWS KMS CMK for encryption cannot accept more than 4 KB (4096 bytes) of data. To encrypt application data, use the server-side encryption features of an AWS service, or a client-side encryption library, such as the AWS Encryption SDK or the Amazon S3 encryption client.

Scenario

We want to create signup and login forms for a website.

Passwords should be encrypted and stored in a DynamoDB database.

What do we need?

  1. A KMS key to encrypt and decrypt data.
  2. A DynamoDB table to store passwords.
  3. Lambda functions & APIs to process the login and sign-up forms.
  4. Sign-up and login forms in HTML.

Let’s implement it as a Serverless Application Model (SAM) template!

Let’s first create the key that we will use to encrypt and decrypt passwords.

KmsKey:
    Type: AWS::KMS::Key
    Properties: 
      Description: CMK for encrypting and decrypting
      KeyPolicy:
        Version: '2012-10-17'
        Id: key-default-1
        Statement:
        - Sid: Enable IAM User Permissions
          Effect: Allow
          Principal:
            AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
          Action: kms:*
          Resource: '*'
        - Sid: Allow administration of the key
          Effect: Allow
          Principal:
            AWS: !Sub arn:aws:iam::${AWS::AccountId}:user/${KeyAdmin}
          Action:
          - kms:Create*
          - kms:Describe*
          - kms:Enable*
          - kms:List*
          - kms:Put*
          - kms:Update*
          - kms:Revoke*
          - kms:Disable*
          - kms:Get*
          - kms:Delete*
          - kms:ScheduleKeyDeletion
          - kms:CancelKeyDeletion
          Resource: '*'
        - Sid: Allow use of the key
          Effect: Allow
          Principal:
            AWS: !Sub arn:aws:iam::${AWS::AccountId}:user/${KeyUser}
          Action:
          - kms:DescribeKey
          - kms:Encrypt
          - kms:Decrypt
          - kms:ReEncrypt*
          - kms:GenerateDataKey
          - kms:GenerateDataKeyWithoutPlaintext
          Resource: '*'

The important thing in the above snippet is the KeyPolicy. KMS requires a Key Administrator and a Key User. As a best practice, your Key Administrator and Key User should be two separate users in your organisation. We are allowing all permissions to the root user.

So if your Key Administrator leaves the organisation, the root user will still be able to delete this key. As you can see, **KeyAdmin** can manage the key but not use it, and **KeyUser** can only use the key. **${KeyAdmin}** and **${KeyUser}** are parameters in the SAM template.

You would be asked to provide values for these parameters during SAM Deploy.
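A check for the separation of duties described above, as an added example that is not part of the original article: it takes the three policy statements with `${KeyAdmin}` and `${KeyUser}` resolved and reports any non-root principal that ends up holding both key-management and key-use actions. The account ID, user names, helper names and the short `ADMIN` sample list are assumptions made for the example; `Condition` blocks and IAM policies enabled through the root statement are not evaluated.

```python
from fnmatch import fnmatchcase

# Key-use actions (the page's "Allow use of the key" list, wildcards expanded).
CRYPTO = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
          "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext"]
# Representative key-management actions covered by the admin statement's wildcards.
ADMIN = ["kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:DisableKey",
         "kms:EnableKeyRotation", "kms:UpdateKeyDescription"]

def as_list(value):
    return [value] if isinstance(value, str) else list(value)

def duties(statement):
    """Duties ('admin', 'crypto') that one Allow statement grants."""
    if statement.get("Effect") != "Allow":
        return set()
    patterns = [p.lower() for p in as_list(statement["Action"])]
    return {name for name, actions in (("admin", ADMIN), ("crypto", CRYPTO))
            if any(fnmatchcase(a.lower(), p) for a in actions for p in patterns)}

def violations(policy):
    """ARNs, other than the account root, that hold both duties."""
    held = {}
    for st in policy["Statement"]:
        for arn in as_list(st["Principal"]["AWS"]):
            held.setdefault(arn, set()).update(duties(st))
    return sorted(arn for arn, d in held.items()
                  if d == {"admin", "crypto"} and not arn.endswith(":root"))

def page_policy(admin, user, account="111122223333"):
    """The page's KeyPolicy with !Sub resolved; account and names are constructed."""
    arn = f"arn:aws:iam::{account}:"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": arn + "root"}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow administration of the key", "Effect": "Allow",
         "Principal": {"AWS": arn + "user/" + admin}, "Resource": "*",
         "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                    "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                    "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                    "kms:CancelKeyDeletion"]},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": arn + "user/" + user}, "Resource": "*",
         "Action": ["kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext"]}]}

if __name__ == "__main__":
    print(violations(page_policy("key-admin", "key-user")))   # separate people
    print(violations(page_policy("same-user", "same-user")))  # one person, both roles
```

Running the same check against the resolved template before `sam deploy` catches the case where both parameters were given the same user.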

#aws #serverless #aws-sam #aws-key-management-service #aws-certification #aws-api-gateway #tutorial-for-beginners #aws-blogs

Elastic Changes Licences for Elasticsearch and Kibana: AWS Forks Both

Elastic recently announced licensing changes to Elasticsearch and Kibana, with the company moving away from the Apache 2.0 license (APLv2) and adopting the Server Side Public License (SSPL) and the Elastic License. Amazon reacted with a plan to maintain a fork of both Elasticsearch and Kibana under the previous license.

While Elastic suggested that they are still committed to open source and that the licence approach is similar to the one chosen by MongoDB last year, the SSPL is not recognized as an open source license by the Open Source Initiative. To address concerns and comments from the community, Elastic followed up with two more articles that contained additional license change clarifications and an explanation of why they felt they had to change.

#aws #elasticsearch #kibana #aws forks

Rory West

1622206030

AWS Instance Scheduler Ultimate Cheat Sheet For Devs

AWS Instance Scheduler is a popular option for saving up a large portion of the cost of computing services in situations where there are predictable planned times for operating compute services. In other words, since no clients are accessing particular environments during the period, it’s normal for development environments or workloads to be shut down during non-working times.

By evaluating when the instances are more widely used, you can implement more complex schedules, or even apply an always-stopped schedule and then start up the instances when you need them.

In this article, we will cover a step-by-step guide to create an AWS schedule and apply it to several instances.

Solution Overview

This CloudFormation template creates an environment for the AWS Instance Scheduler. The solution uses the following AWS services:

#aws #aws-cost-optimization #aws-instance-scheduler #aws-savings #aws-guide

Rusty Shanahan

1598155740

Elasticsearch 7.x Backup — “Snapshot & Restore” on AWS S3

In 2016 I wrote an article about Elasticsearch backup; it attracted, and still attracts, quite a lot of interest from people. I decided to start a new series of articles with backup as the main topic.

The old article covered the Snapshot & Restore functionality based on Elasticsearch 2.4.x and the then-upcoming version, 5.0. As that was 4 years ago, I chose to refresh this tutorial and make it the first of a series.

I will prepare a small article on how to use the snapshot & restore functionality with different cloud providers. This article is based on Elasticsearch 7.x; that doesn’t mean it couldn’t work on older versions, but I focused on the latest one.

Elasticsearch Snapshot & Restore

Elasticsearch has a smart solution for backing up single indices or entire clusters to a remote shared filesystem, S3 or HDFS. The snapshots ES creates are not very resource-consuming and are relatively small.

The idea behind these snapshots is that they are not “archives” in a strict sense: they can only be read by a version of Elasticsearch that is capable of reading the index version stored inside the snapshot.

So you can follow this quick scheme if you want to restore ES snapshots:

  • A snapshot of an index created in 6.x can be restored to 7.x.
  • A snapshot of an index created in 5.x can be restored to 6.x.
  • A snapshot of an index created in 2.x can be restored to 5.x.
  • A snapshot of an index created in 1.x can be restored to 2.x.

Snapshots of indices created with ES 1.x cannot be restored to 5.x or 6.x, snapshots of indices created in 2.x cannot be restored to 6.x or 7.x, and snapshots of indices created in 5.x cannot be restored to 7.x or 8.x.

#elasticsearch-snapshot #elasticsearch-plugins #elasticsearch #backup #elasticsearch-backup #aws