Forem: harsh patel The latest articles on Forem by harsh patel (@harshhp). https://forem.com/harshhp https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2865274%2F146f3b5c-7836-4bcf-bba4-981e817a900c.png Forem: harsh patel https://forem.com/harshhp en When to Choose Cassandra in System Design harsh patel Wed, 04 Feb 2026 20:35:10 +0000 https://forem.com/harshhp/when-to-choose-cassandra-in-system-design-2b9m https://forem.com/harshhp/when-to-choose-cassandra-in-system-design-2b9m <h2> How It Achieves Massive Write Scalability (and What You Trade Off) </h2> <p>Designing large-scale systems often comes down to one uncomfortable truth:</p> <blockquote> <p><strong>You cannot optimize reads, writes, consistency, and simplicity all at once.</strong></p> </blockquote> <p>When your system is <strong>write-heavy</strong>—logs, metrics, events, feeds, IoT data—traditional databases often become the bottleneck. This is where Apache Cassandra becomes a compelling choice.</p> <p>This article explains:</p> <ol> <li><strong>When Cassandra is the right database</strong></li> <li><strong>Why it outperforms traditional databases for writes</strong></li> <li><strong>How its internal storage model enables that performance</strong></li> </ol> <h2> When Should You Choose Cassandra? </h2> <p>Cassandra is a strong choice when <strong>writes dominate your workload</strong> and availability matters more than strict consistency.</p> <h3> Choose Cassandra if: </h3> <ul> <li>You have <strong>very high write throughput</strong> (10k–100k+ writes/sec)</li> <li>Data arrives continuously (events, logs, metrics, tracking)</li> <li>You need <strong>horizontal scaling</strong> by adding nodes</li> <li>Downtime is unacceptable (multi-node, multi-DC availability)</li> <li>Your queries are predictable and can be modeled without JOINs</li> <li>Eventual or tunable consistency is acceptable</li> </ul> <h3> Avoid Cassandra if: </h3> <ul> <li>You need complex ad-hoc queries or JOINs</li> <li>You rely heavily on transactions across multiple rows/tables</li> <li>Reads must be extremely fast and strongly consistent</li> <li>Your dataset is small and doesn’t need horizontal scaling</li> </ul> <p>Cassandra is not a “general-purpose” database—it’s a <strong>specialized write-scaling machine</strong>.</p> <h2> Why Traditional Databases Struggle with Writes </h2> <p>Most relational databases (PostgreSQL, MySQL) use <strong>B-tree–based storage engines</strong>.</p> <h3> How writes work in traditional databases: </h3> <ul> <li>Data is updated <strong>in place</strong> </li> <li>Indexes must be updated immediately</li> <li>Writes trigger <strong>random disk I/O</strong> </li> <li>Locks, WAL flushes, and index maintenance add overhead</li> </ul> <p>This works well for mixed workloads, but at scale:</p> <ul> <li>Random disk seeks become expensive</li> <li>Index-heavy schemas slow down writes</li> <li>Vertical scaling hits hardware limits</li> <li>Sharding adds operational complexity</li> </ul> <p>In short: <strong>traditional databases optimize for reads first</strong>.</p> <h2> Why Cassandra Is Faster for Writes </h2> <p>Cassandra flips the design priorities.</p> <p>Instead of updating data in place, Cassandra uses a <strong>Log-Structured Merge Tree (LSM Tree)</strong>, which turns almost every write into a <strong>sequential append</strong>.</p> <h3> Key design choice: </h3> <blockquote> <p><strong>Never modify data in place. Always append.</strong></p> </blockquote> <p>Sequential disk writes are orders of magnitude faster than random writes, which is why Cassandra can sustain massive write throughput on modest hardware.</p> <h2> Cassandra’s Internal Storage Model (LSM Tree) </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqb1c0220a5xht0876v4u.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqb1c0220a5xht0876v4u.png" alt=" " width="800" height="382"></a></p> <p>Cassandra’s storage engine revolves around three core components.</p> <h3> 1. Commit Log (Durability First) </h3> <ul> <li>Every write is <strong>appended</strong> to the commit log</li> <li>Acts as a write-ahead log</li> <li>Ensures data isn’t lost if a node crashes</li> <li>Sequential disk I/O → very fast</li> </ul> <p>This step guarantees durability without slowing down the write path.</p> <h3> 2. Memtable (In-Memory Writes) </h3> <ul> <li>Writes are stored in an <strong>in-memory, sorted structure</strong> </li> <li>Sorted by primary key</li> <li>Multiple updates to the same key are merged in memory</li> <li>No disk I/O for each write</li> </ul> <p>This absorbs write bursts efficiently.</p> <h3> 3. SSTable (Immutable Disk Storage) </h3> <ul> <li>When the Memtable fills up, it is flushed to disk as an <strong>SSTable</strong> </li> <li>SSTables are: <ul> <li>Immutable</li> <li>Sorted by primary key</li> <li>Written sequentially</li> </ul> </li> </ul> <p>Because SSTables are never updated, Cassandra avoids random disk writes entirely.</p> <h2> How Cassandra Handles Updates and Deletes </h2> <p>Cassandra treats <strong>every change as a new write</strong>:</p> <ul> <li>Updates → new version with a higher timestamp</li> <li>Deletes → written as <strong>tombstones</strong> (delete markers)</li> </ul> <p>The “current state” of a row is determined by <strong>timestamps</strong>, not by overwriting data.</p> <p>This design enables fast writes but shifts cleanup work to the background.</p> <h2> Reading Data: The Trade-Off </h2> <p>Reads are more complex than writes:</p> <ol> <li>Check the <strong>Memtable</strong> (latest data)</li> <li>Use <strong>Bloom filters</strong> to identify relevant SSTables</li> <li>Read SSTables from <strong>newest to oldest</strong> </li> <li>Merge results to find the latest version</li> </ol> <p>Bloom filters help skip unnecessary disk reads, but reads are still slower than in well-indexed relational databases.</p> <p>This is the <strong>intentional trade-off</strong>.</p> <h2> Compaction: Paying the Cost Later </h2> <p>To prevent unlimited growth of SSTables and tombstones, Cassandra runs <strong>compaction</strong>:</p> <ul> <li>Merges multiple SSTables into fewer ones</li> <li>Resolves multiple versions of rows</li> <li>Removes deleted and expired data</li> <li>Improves read performance over time</li> </ul> <p>Cassandra makes writes cheap <strong>now</strong>, and pays the cost <strong>later</strong> via compaction.</p> <h2> Why This Design Scales So Well </h2> <p>Putting it all together:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Traditional DB</th> <th>Cassandra</th> </tr> </thead> <tbody> <tr> <td>In-place updates</td> <td>Append-only writes</td> </tr> <tr> <td>Random disk I/O</td> <td>Sequential disk I/O</td> </tr> <tr> <td>Write blocks reads</td> <td>Writes isolated from reads</td> </tr> <tr> <td>Hard to shard</td> <td>Built-in partitioning</td> </tr> <tr> <td>Vertical scaling</td> <td>Horizontal scaling</td> </tr> </tbody> </table></div> <p>Cassandra scales because:</p> <ul> <li>Writes are fast and predictable</li> <li>Nodes are independent (shared-nothing)</li> <li>Adding nodes increases total throughput</li> <li>Failures don’t stop the system</li> </ul> <h2> Final Takeaway </h2> <p>Cassandra is not faster because it’s “better”—it’s faster because it <strong>chooses a different set of trade-offs</strong>.</p> <blockquote> <p>If your system is write-heavy, highly available, and horizontally scalable, Cassandra’s LSM-based storage model can outperform traditional databases by an order of magnitude.</p> </blockquote> <p>But if reads, transactions, or flexibility matter more—choose something else.</p> <p><strong>Good system design is not about the best database.<br><br> It’s about the right database for the workload.</strong></p> architecture database performance systemdesign Finding Vulnerabilities on EC2 Instances Using AWS Inspector harsh patel Mon, 27 Oct 2025 02:31:48 +0000 https://forem.com/harshhp/finding-vulnerabilities-on-ec2-instances-using-aws-inspector-1940 https://forem.com/harshhp/finding-vulnerabilities-on-ec2-instances-using-aws-inspector-1940 <h2> Introduction </h2> <p>Amazon EC2 is one of the most widely used services on AWS for deploying applications in the cloud. However, as applications grow, so does the responsibility of keeping them secure.<br><br> That’s where <strong>Amazon Inspector</strong> comes in — an automated security assessment service that identifies vulnerabilities and deviations from best practices. It helps developers and security teams strengthen their application’s security posture before issues turn into real threats.</p> <h3> Architecture Overview </h3> <p>Here’s the high-level architecture of the setup we’ll build in this lab:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkn94sxds15qkqxoywfua.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkn94sxds15qkqxoywfua.png" alt=" " width="800" height="728"></a></p> <p>In this hands-on lab, we’ll use <strong>Amazon Inspector</strong> to detect and fix vulnerabilities in an EC2 instance. You’ll:</p> <ol> <li>Launch an EC2 instance with a custom IAM role and security group </li> <li>Install an outdated version of Node.js (to simulate a vulnerability) </li> <li>Enable Amazon Inspector and analyze its findings </li> <li>Apply remediations by closing an open port and updating Node.js </li> <li>Re-run Inspector to validate the fixes </li> </ol> <p>By the end, you’ll have practical experience identifying and resolving vulnerabilities on AWS — an essential skill for cloud engineers, developers, and anyone serious about cloud security.</p> <h2> Getting Started </h2> <p><strong>Amazon Inspector</strong> is a built-in AWS security assessment service that automatically scans workloads such as <strong>EC2 instances, container images, and Lambda functions</strong> for known vulnerabilities and network exposures.<br><br> It continuously monitors your environment and provides actionable findings categorized by severity — allowing you to prioritize and mitigate risks efficiently.</p> <h2> Create a Role and a Security Group </h2> <p>Before launching an EC2 instance, we’ll create:</p> <ul> <li>An <strong>IAM role</strong> for SSM access, allowing the instance to communicate with AWS Systems Manager.</li> <li>A <strong>security group</strong> with an intentionally open port (port 21) to simulate a network vulnerability.</li> </ul> <h3> Create the IAM Role </h3> <ol> <li>In the AWS Console, search for <strong>IAM</strong> and open the service. </li> <li>From the sidebar, select <strong>Roles → Create role</strong>. </li> <li>Under <strong>Trusted entity type</strong>, choose <strong>AWS service</strong>, and under <strong>Use case</strong>, select <strong>EC2</strong>. </li> <li>Attach the policy <strong>AmazonSSMManagedInstanceCore</strong>. </li> <li>Name the role <strong><code>ec2-ssm-role</code></strong>, scroll down, and click <strong>Create role</strong>.</li> </ol> <h3> Create the Security Group </h3> <ol> <li>In the AWS Console, search for <strong>Security groups</strong> under the EC2 service. </li> <li>Click <strong>Create security group</strong>. </li> <li>Name it <strong><code>ec2-sg</code></strong> and add a short description. </li> <li>Leave the default VPC selected. </li> <li>Under <strong>Inbound rules</strong>, add: <ul> <li> <strong>Type:</strong> SSH — <strong>Port:</strong> 22 — <strong>Source:</strong> Anywhere (IPv4) </li> <li> <strong>Type:</strong> Custom TCP — <strong>Port:</strong> 21 — <strong>Source:</strong> Anywhere (IPv4)</li> </ul> </li> <li>Click <strong>Create security group</strong>.</li> </ol> <blockquote> <p>⚠️ <strong>Note:</strong> Port 21 is used for FTP, which transmits credentials and data unencrypted. Leaving it open to “Anywhere” exposes your instance to significant security risks. Amazon Inspector will flag this later.</p> </blockquote> <h2> Create an EC2 Instance </h2> <p>We’ll now create an EC2 instance, attach the role and security group, and install an outdated version of Node.js.</p> <h3> Steps to Launch the Instance </h3> <ol> <li>In the AWS Console, open <strong>EC2 → Instances → Launch instances</strong>. </li> <li> <strong>Name and tags:</strong> Set the instance name as <code>ec2_inspect</code>. </li> <li> <strong>AMI:</strong> Choose <strong>Amazon Linux 2023 (kernel 6.1)</strong> (64-bit x86). </li> <li> <strong>Instance type:</strong> Select <strong>t2.micro</strong> (Free Tier). </li> <li> <strong>Key pair:</strong> Choose <strong>Proceed without a key pair</strong> (for this lab). </li> <li> <strong>Network settings:</strong> <ul> <li>Select <strong>Existing security group</strong> </li> <li>Choose <strong><code>ec2-sg</code></strong> </li> </ul> </li> <li> <strong>Storage:</strong> Keep the default <strong>8 GiB gp3</strong> volume. </li> <li> <strong>Advanced details:</strong> <ul> <li>Under <strong>IAM instance profile</strong>, choose <strong><code>ec2-ssm-role</code></strong> </li> </ul> </li> <li>Click <strong>Launch instance</strong>, then <strong>View all instances</strong> and wait until the instance state is <strong>Running</strong>.</li> </ol> <h3> Install Node.js 14.x (Vulnerable Version) </h3> <p>Once the instance is running:</p> <ol> <li>Select your instance → click <strong>Connect → Connect</strong> again. </li> <li>Run the following commands: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>curl -O https://rpm.nodesource.com/pub_14.x/el/7/x86_64/nodejs-14.21.3-1nodesource.x86_64.rpm sudo yum install -y nodejs-14.21.3-1nodesource.x86_64.rpm </code></pre> </div> <blockquote> <p>This installs <strong>Node.js v14.x</strong>, which is outdated and contains known vulnerabilities — perfect for testing Amazon Inspector.</p> </blockquote> <p>You now have a running EC2 instance with:</p> <ul> <li>An open port (21) </li> <li>An outdated Node.js installation Both of which Amazon Inspector should detect as vulnerabilities.</li> </ul> <h2> Enable Amazon Inspector </h2> <p>Amazon Inspector continuously scans EC2 instances, ECR repositories, and Lambda functions for vulnerabilities. Let’s enable it for our environment.</p> <h3> Steps to Enable Inspector </h3> <ol> <li>Search for <strong>Amazon Inspector</strong> in the AWS Console and open it. </li> <li>Click <strong>Get Started → Activate Inspector</strong>. <ul> <li>This automatically creates a <strong>Service-Linked Role</strong> with permissions to scan AWS resources. </li> </ul> </li> <li>Wait <strong>3–5 minutes</strong> for activation. </li> <li>On the left sidebar, click <strong>Account management</strong>. <ul> <li>You’ll see scanning statuses for <strong>EC2</strong>, <strong>ECR</strong>, and <strong>Lambda</strong>. </li> </ul> </li> <li>Since we only need EC2 scanning, deactivate the others: <ul> <li>Click <strong>Actions → Amazon ECR scanning → Deactivate</strong> </li> <li>Click <strong>Actions → AWS Lambda scanning → Deactivate</strong> </li> </ul> </li> </ol> <h3> Viewing the Findings </h3> <ol> <li>In the left menu, click <strong>Instances</strong> — Amazon Inspector should automatically detect your EC2 instance (<code>ec2_inspect</code>). </li> <li>Click the <strong>Instance ID</strong> to open its findings.</li> </ol> <p>You’ll see results categorized by severity:</p> <ul> <li><strong>Critical</strong></li> <li><strong>High</strong></li> <li><strong>Medium</strong></li> </ul> <p>Examples from this lab:</p> <ul> <li> <strong>High:</strong> “Port 21 is reachable from an Internet Gateway - TCP” </li> <li> <strong>Critical:</strong> “CVE-2023-26136 - tough-cookie” (from outdated Node.js 14.x)</li> </ul> <p>Each finding includes a <strong>Remediation</strong> section — Inspector recommends removing open ports or updating vulnerable packages.<br><br> We’ll follow those recommendations next.</p> <h2> Viewing Amazon Inspector Findings </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3fsmljege32sq1qvqcnn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3fsmljege32sq1qvqcnn.png" alt=" " width="800" height="502"></a></p> <h2> Detailed Finding Analysis </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffkotay50gw92g2vy7hn2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffkotay50gw92g2vy7hn2.png" alt=" " width="800" height="1246"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsx9ew7scfb3s03rpamr8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsx9ew7scfb3s03rpamr8.png" alt=" " width="800" height="578"></a></p> <h2> Apply Remediation </h2> <p>Now, let’s fix the vulnerabilities Amazon Inspector identified.</p> <h3> Delete the Open Port (21) </h3> <ol> <li>Go to <strong>EC2 → Security Groups</strong> and open <strong><code>ec2-sg</code></strong>. </li> <li>Under the <strong>Inbound rules</strong> tab, click <strong>Edit inbound rules</strong>. </li> <li>Click <strong>Delete</strong> beside the rule for <strong>Port 21</strong>. </li> <li>Click <strong>Save rules</strong>.</li> </ol> <p>This immediately removes external FTP access and mitigates the “Network Reachability” issue.</p> <h3> Update Node.js to the Latest Version </h3> <ol> <li>Return to the <strong>EC2 → Instances → ec2_inspect</strong> dashboard. </li> <li>Click <strong>Connect → Connect</strong> again. </li> <li>Run the following commands: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>sudo rm -rf /etc/yum.repos.d/nodesource* sudo yum remove -y nodejs curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash . ~/.nvm/nvm.sh nvm install 16 </code></pre> </div> <ol> <li>Verify the version: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>node -v </code></pre> </div> <p>You should now see <strong>v16.x</strong>, which resolves the vulnerability found earlier.</p> <h3> Refresh Amazon Inspector </h3> <p>Inspector may take time to detect the changes, but you can speed this up:</p> <ol> <li>Go to the <strong>Amazon Inspector</strong> dashboard. </li> <li>Click <strong>General settings → Deactivate Inspector</strong>. <ul> <li>Type <code>deactivate</code> in the confirmation box. </li> </ul> </li> <li>After 5–7 minutes, refresh and <strong>Activate</strong> it again. </li> <li>Once reactivated, go to <strong>Instances → [your EC2 instance ID]</strong>.</li> </ol> <p>You’ll see that the vulnerabilities <strong>“Port 21 is reachable”</strong> and <strong>“CVE-2023-26136 - tough-cookie”</strong> are no longer present.<br><br> Your EC2 instance is now significantly more secure.</p> <h2> Validation and Results </h2> <p>After re-running Amazon Inspector:</p> <ul> <li>The <strong>High</strong> and <strong>Critical</strong> findings have disappeared. </li> <li>The security posture of your instance has improved. </li> <li>Any remaining minor findings can be further remediated as needed.</li> </ul> <p>This confirms that Amazon Inspector successfully detected and verified the fixes — exactly how it functions in real-world AWS environments.</p> <h2> Conclusion </h2> <p>Through this lab, we explored how <strong>Amazon Inspector</strong> strengthens cloud security by automatically detecting vulnerabilities in EC2 instances and providing actionable remediation guidance.</p> <p>We learned how to:</p> <ul> <li>Create IAM roles and security groups safely </li> <li>Simulate vulnerabilities using outdated software and open ports </li> <li>Use Amazon Inspector to detect risks </li> <li>Apply fixes and validate improvements </li> </ul> <blockquote> <p><strong>Key takeaway:</strong> Cloud security isn’t a one-time setup — it’s a continuous process.<br><br> By integrating Amazon Inspector into your workflows, you can proactively identify and patch vulnerabilities before they escalate.</p> </blockquote> <p><strong>Thanks for reading!</strong><br><br> If you found this guide useful, drop a ❤️ or share your experience with <strong>Amazon Inspector</strong> in the comments below.</p> aws security cloud devops Mastering AWS Key Management Service (KMS): A Practical Guide to Data Encryption harsh patel Sat, 25 Oct 2025 19:50:01 +0000 https://forem.com/harshhp/mastering-aws-key-management-service-kms-a-practical-guide-to-data-encryption-km3 https://forem.com/harshhp/mastering-aws-key-management-service-kms-a-practical-guide-to-data-encryption-km3 <h1> Getting Started with AWS Key Management Service (KMS) — Python Edition </h1> <p>We live in a digital world where protecting sensitive information is more critical than ever. One of the most effective ways to safeguard data is <strong>encryption</strong>. But encryption is only as strong as your <strong>key management</strong>. That’s where <strong>AWS Key Management Service (KMS)</strong> shines.</p> <p>In this hands-on lab, you’ll create and use a <strong>customer-managed KMS key</strong>, generate <strong>data keys</strong>, encrypt/decrypt data in Python, and integrate KMS with <strong>DynamoDB</strong>. You’ll also see how <strong>key policy</strong> adds a security layer beyond IAM permissions.</p> <h2> What You’ll Learn </h2> <ul> <li>Create a <strong>customer-managed KMS key</strong> </li> <li>Generate <strong>data keys</strong> with KMS (Python + boto3)</li> <li>Encrypt &amp; decrypt data locally with the <strong>plaintext data key</strong> </li> <li>Integrate KMS with <strong>DynamoDB (SSE-KMS)</strong> </li> <li>Use <strong>key policy</strong> to control access beyond IAM</li> </ul> <h2> Getting Started </h2> <p><strong>AWS KMS</strong> is a fully managed service to create and manage cryptographic keys for encrypting data inside and outside AWS. It integrates with services like <strong>S3, EBS, RDS, and DynamoDB</strong>, helping you meet compliance while keeping data secure.</p> <h2> Lab Setup (Pre-built Resources) </h2> <p>This lab includes a pre-created <strong>IAM user</strong> that can list DynamoDB tables and read from a specific table <code>Books</code>. We’ll use this user later to show how KMS encryption prevents access until the key policy allows it.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkghpki2zovf6tqtwngra.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkghpki2zovf6tqtwngra.png" alt=" " width="800" height="407"></a></p> <h2> KMS Key Basics </h2> <p>A <strong>KMS key</strong> (a.k.a. CMK) is the root key used to:</p> <ul> <li>Generate &amp; encrypt <strong>data keys</strong> </li> <li>Encrypt small payloads (≤ 4 KB)</li> <li>Integrate with AWS services’ encryption</li> </ul> <p>Types of keys:</p> <ul> <li> <strong>AWS-managed keys</strong>: Created/managed by AWS (limited control)</li> <li> <strong>Customer-managed keys</strong>: Created/managed by you (full control, symmetric or asymmetric)</li> </ul> <p>We’ll use a <strong>symmetric customer-managed key</strong>.</p> <h2> Create a Customer-Managed Key </h2> <p>AWS Console → <strong>KMS</strong> → <strong>Customer managed keys</strong> → <strong>Create key</strong> </p> <ul> <li> <strong>Key type:</strong> Symmetric </li> <li> <strong>Key usage:</strong> Encrypt and decrypt </li> <li> <strong>Key material origin:</strong> KMS (recommended) </li> <li> <strong>Regionality:</strong> Single-region </li> <li> <strong>Alias:</strong> <code>myKey</code> </li> <li>Grant <strong>admin</strong> and <strong>usage</strong> permissions to your main user (e.g., <code>ed-user</code>) Finish the wizard.</li> </ul> <h2> Generate a Data Key (Python) </h2> <p>KMS keys don’t encrypt large blobs directly; instead, they <strong>generate data keys</strong>. You use the <strong>plaintext data key</strong> locally for encryption, discard it, and store only the <strong>encrypted data key</strong> (which you can decrypt later via KMS).</p> <h3> Prereqs </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>pip install boto3 cryptography aws configure </code></pre> </div> <h3> Fetch your key ARN </h3> <p>Console → <strong>KMS → Customer managed keys → myKey</strong> → copy <strong>ARN</strong>.</p> <h3> Generate the key </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">boto3</span><span class="p">,</span> <span class="n">binascii</span> <span class="n">kms</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">"</span><span class="s">kms</span><span class="sh">"</span><span class="p">,</span> <span class="n">region_name</span><span class="o">=</span><span class="sh">"</span><span class="s">us-east-1</span><span class="sh">"</span><span class="p">)</span> <span class="n">cmk_arn</span> <span class="o">=</span> <span class="sh">"</span><span class="s">&lt;your-kms-key-arn&gt;</span><span class="sh">"</span> <span class="n">resp</span> <span class="o">=</span> <span class="n">kms</span><span class="p">.</span><span class="nf">generate_data_key</span><span class="p">(</span><span class="n">KeyId</span><span class="o">=</span><span class="n">cmk_arn</span><span class="p">,</span> <span class="n">KeySpec</span><span class="o">=</span><span class="sh">"</span><span class="s">AES_256</span><span class="sh">"</span><span class="p">)</span> <span class="n">plaintext_key</span> <span class="o">=</span> <span class="n">resp</span><span class="p">[</span><span class="sh">"</span><span class="s">Plaintext</span><span class="sh">"</span><span class="p">]</span> <span class="n">encrypted_data_key</span> <span class="o">=</span> <span class="n">resp</span><span class="p">[</span><span class="sh">"</span><span class="s">CiphertextBlob</span><span class="sh">"</span><span class="p">]</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Plaintext Data Key (hex):</span><span class="sh">"</span><span class="p">,</span> <span class="n">binascii</span><span class="p">.</span><span class="nf">hexlify</span><span class="p">(</span><span class="n">plaintext_key</span><span class="p">).</span><span class="nf">decode</span><span class="p">())</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Encrypted Data Key (hex):</span><span class="sh">"</span><span class="p">,</span> <span class="n">binascii</span><span class="p">.</span><span class="nf">hexlify</span><span class="p">(</span><span class="n">encrypted_data_key</span><span class="p">).</span><span class="nf">decode</span><span class="p">())</span> </code></pre> </div> <h2> Encrypt Data Using the Data Key (Python) </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">base64</span><span class="p">,</span> <span class="n">binascii</span> <span class="kn">from</span> <span class="n">cryptography.hazmat.primitives</span> <span class="kn">import</span> <span class="n">padding</span> <span class="kn">from</span> <span class="n">cryptography.hazmat.primitives.ciphers</span> <span class="kn">import</span> <span class="n">Cipher</span><span class="p">,</span> <span class="n">algorithms</span><span class="p">,</span> <span class="n">modes</span> <span class="n">plaintext_key_hex</span> <span class="o">=</span> <span class="sh">"</span><span class="s">&lt;your-plaintext-data-key-hex&gt;</span><span class="sh">"</span> <span class="n">key</span> <span class="o">=</span> <span class="n">binascii</span><span class="p">.</span><span class="nf">unhexlify</span><span class="p">(</span><span class="n">plaintext_key_hex</span><span class="p">)</span> <span class="n">data</span> <span class="o">=</span> <span class="sh">"</span><span class="s">Hello, this is my sensitive data.</span><span class="sh">"</span><span class="p">.</span><span class="nf">encode</span><span class="p">()</span> <span class="n">padder</span> <span class="o">=</span> <span class="n">padding</span><span class="p">.</span><span class="nc">PKCS7</span><span class="p">(</span><span class="mi">128</span><span class="p">).</span><span class="nf">padder</span><span class="p">()</span> <span class="n">padded</span> <span class="o">=</span> <span class="n">padder</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> <span class="o">+</span> <span class="n">padder</span><span class="p">.</span><span class="nf">finalize</span><span class="p">()</span> <span class="n">cipher</span> <span class="o">=</span> <span class="nc">Cipher</span><span class="p">(</span><span class="n">algorithms</span><span class="p">.</span><span class="nc">AES</span><span class="p">(</span><span class="n">key</span><span class="p">),</span> <span class="n">modes</span><span class="p">.</span><span class="nc">ECB</span><span class="p">())</span> <span class="n">encryptor</span> <span class="o">=</span> <span class="n">cipher</span><span class="p">.</span><span class="nf">encryptor</span><span class="p">()</span> <span class="n">ct</span> <span class="o">=</span> <span class="n">encryptor</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="n">padded</span><span class="p">)</span> <span class="o">+</span> <span class="n">encryptor</span><span class="p">.</span><span class="nf">finalize</span><span class="p">()</span> <span class="n">encrypted_b64</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="nf">b64encode</span><span class="p">(</span><span class="n">ct</span><span class="p">).</span><span class="nf">decode</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Encrypted Data (base64):</span><span class="sh">"</span><span class="p">,</span> <span class="n">encrypted_b64</span><span class="p">)</span> </code></pre> </div> <h2> Decrypt the Data Key (Python) </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">boto3</span><span class="p">,</span> <span class="n">binascii</span> <span class="n">kms</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">"</span><span class="s">kms</span><span class="sh">"</span><span class="p">,</span> <span class="n">region_name</span><span class="o">=</span><span class="sh">"</span><span class="s">us-east-1</span><span class="sh">"</span><span class="p">)</span> <span class="n">encrypted_data_key_hex</span> <span class="o">=</span> <span class="sh">"</span><span class="s">&lt;your-encrypted-data-key-hex&gt;</span><span class="sh">"</span> <span class="n">encrypted_data_key</span> <span class="o">=</span> <span class="n">binascii</span><span class="p">.</span><span class="nf">unhexlify</span><span class="p">(</span><span class="n">encrypted_data_key_hex</span><span class="p">)</span> <span class="n">resp</span> <span class="o">=</span> <span class="n">kms</span><span class="p">.</span><span class="nf">decrypt</span><span class="p">(</span><span class="n">CiphertextBlob</span><span class="o">=</span><span class="n">encrypted_data_key</span><span class="p">)</span> <span class="n">recovered_key</span> <span class="o">=</span> <span class="n">resp</span><span class="p">[</span><span class="sh">"</span><span class="s">Plaintext</span><span class="sh">"</span><span class="p">]</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Recovered Plaintext Key (hex):</span><span class="sh">"</span><span class="p">,</span> <span class="n">binascii</span><span class="p">.</span><span class="nf">hexlify</span><span class="p">(</span><span class="n">recovered_key</span><span class="p">).</span><span class="nf">decode</span><span class="p">())</span> </code></pre> </div> <h2> Decrypt the Data (Python) </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">base64</span><span class="p">,</span> <span class="n">binascii</span> <span class="kn">from</span> <span class="n">cryptography.hazmat.primitives</span> <span class="kn">import</span> <span class="n">padding</span> <span class="kn">from</span> <span class="n">cryptography.hazmat.primitives.ciphers</span> <span class="kn">import</span> <span class="n">Cipher</span><span class="p">,</span> <span class="n">algorithms</span><span class="p">,</span> <span class="n">modes</span> <span class="n">plaintext_key_hex</span> <span class="o">=</span> <span class="sh">"</span><span class="s">&lt;your-plaintext-data-key-hex&gt;</span><span class="sh">"</span> <span class="n">key</span> <span class="o">=</span> <span class="n">binascii</span><span class="p">.</span><span class="nf">unhexlify</span><span class="p">(</span><span class="n">plaintext_key_hex</span><span class="p">)</span> <span class="n">encrypted_b64</span> <span class="o">=</span> <span class="sh">"</span><span class="s">&lt;your-encrypted-data-base64&gt;</span><span class="sh">"</span> <span class="n">ct</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="nf">b64decode</span><span class="p">(</span><span class="n">encrypted_b64</span><span class="p">)</span> <span class="n">cipher</span> <span class="o">=</span> <span class="nc">Cipher</span><span class="p">(</span><span class="n">algorithms</span><span class="p">.</span><span class="nc">AES</span><span class="p">(</span><span class="n">key</span><span class="p">),</span> <span class="n">modes</span><span class="p">.</span><span class="nc">ECB</span><span class="p">())</span> <span class="n">decryptor</span> <span class="o">=</span> <span class="n">cipher</span><span class="p">.</span><span class="nf">decryptor</span><span class="p">()</span> <span class="n">padded_plain</span> <span class="o">=</span> <span class="n">decryptor</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="n">ct</span><span class="p">)</span> <span class="o">+</span> <span class="n">decryptor</span><span class="p">.</span><span class="nf">finalize</span><span class="p">()</span> <span class="n">unpadder</span> <span class="o">=</span> <span class="n">padding</span><span class="p">.</span><span class="nc">PKCS7</span><span class="p">(</span><span class="mi">128</span><span class="p">).</span><span class="nf">unpadder</span><span class="p">()</span> <span class="n">plain</span> <span class="o">=</span> <span class="n">unpadder</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="n">padded_plain</span><span class="p">)</span> <span class="o">+</span> <span class="n">unpadder</span><span class="p">.</span><span class="nf">finalize</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Decrypted Data:</span><span class="sh">"</span><span class="p">,</span> <span class="n">plain</span><span class="p">.</span><span class="nf">decode</span><span class="p">())</span> </code></pre> </div> <h2> Integrate KMS with DynamoDB (SSE-KMS) </h2> <p>Now we’ll integrate KMS with <strong>DynamoDB</strong> to encrypt table data at rest.</p> <h3> Create an encrypted table </h3> <p>Console → <strong>DynamoDB → Create table</strong> </p> <ul> <li> <strong>Table name:</strong> <code>Books</code> </li> <li> <strong>Partition key:</strong> <code>Author (String)</code> </li> <li> <strong>Sort key:</strong> <code>Book_Title (String)</code> </li> <li> <strong>Table settings:</strong> Customize → <strong>Encryption at rest:</strong> <strong>Customer managed key</strong> → pick <code>myKey</code> Create and wait until status is <strong>Active</strong>.</li> </ul> <h3> Add an item </h3> <p><strong>Explore table items → Create item</strong> </p> <ul> <li> <code>Author</code>: <code>Seth Godin</code> </li> <li> <code>Book_Title</code>: <code>The Dip</code> </li> </ul> <h2> Test Access with a Different IAM User </h2> <p>Even with read permissions, the user <strong>can’t read</strong> the table yet because the table is encrypted with your <strong>customer-managed key</strong>, and the <strong>key policy</strong> doesn’t permit this user to use the key.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F63zvr7tsjmzwjfjtesy0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F63zvr7tsjmzwjfjtesy0.png" alt=" " width="800" height="719"></a></p> <h2> Modify the Key Policy to Grant Access </h2> <h3> Get the user’s ARN </h3> <p>Console → <strong>IAM → Users → IAMLabUser</strong> → copy <strong>ARN</strong>.</p> <h3> Edit the KMS key policy </h3> <p>Console → <strong>KMS → Customer managed keys → myKey → Switch to policy view → Edit</strong><br><br> Add this statement (replace <code>&lt;IAM_ARN&gt;</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow use of the key"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS"</span><span class="p">:</span><span class="w"> </span><span class="s2">"&lt;IAM_ARN&gt;"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"kms:Encrypt"</span><span class="p">,</span><span class="w"> </span><span class="s2">"kms:Decrypt"</span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Save changes.</p> <h3> Verify as IAM user </h3> <p>Sign back in as <code>IAMLabUser</code> and <strong>Scan</strong> the <code>Books</code> table.<br><br> Now it works — because the user is allowed to <strong>use the KMS key</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnugqo9kc5ep10mx1mn86.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnugqo9kc5ep10mx1mn86.png" alt=" " width="800" height="733"></a></p> <h2> Wrap-Up </h2> <p>You just built a practical, secure workflow with AWS KMS — end to end and fully in Python:</p> <ul> <li>Created a <strong>customer-managed KMS key</strong> </li> <li>Generated, stored, and recovered <strong>data keys</strong> </li> <li>Encrypted/decrypted data locally with <strong>AES-256</strong> </li> <li>Secured <strong>DynamoDB</strong> with <strong>SSE-KMS</strong> </li> <li>Used <strong>key policy</strong> to gate access beyond IAM</li> </ul> aws security kms Getting Started with AWS Config: Monitor, Detect, and Remediate Non-Compliant Resources harsh patel Thu, 23 Oct 2025 21:48:32 +0000 https://forem.com/harshhp/getting-started-with-aws-config-monitor-detect-and-remediate-non-compliant-resources-439l https://forem.com/harshhp/getting-started-with-aws-config-monitor-detect-and-remediate-non-compliant-resources-439l <h1> Getting Started with AWS Config </h1> <p>AWS Config is a powerful management service that continuously monitors and records the configuration of your AWS resources. It helps ensure compliance by evaluating these resources and their relationships within a specific AWS Region. Whenever a resource deviates from the defined configuration rules, AWS Config flags it as non-compliant, allowing you to identify and remediate issues proactively.</p> <p>In this Cloud Lab, you’ll learn how to use AWS Config to enforce compliance on EC2 security groups. You’ll begin by creating an IAM role that grants AWS Config the necessary permissions to perform its operations. Next, you’ll configure AWS Config to monitor security groups in the us-east-1 (N. Virginia) Region. After that, you’ll define and apply Config Rules to evaluate compliance across your resources.</p> <p>Once AWS Config is set up, you’ll intentionally create non-compliant resources to observe how it detects and reports them. You’ll then configure remediation actions that automatically bring these resources back into compliance.</p> <p>By the end of this lab, you’ll be able to confidently use AWS Config to:</p> <ul> <li>Monitor AWS resources in real time </li> <li>Detect configuration drift or non-compliance </li> <li>Automatically enforce your organization’s security and governance policies</li> </ul> <h2> Architecture diagram </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbbyv1dxz8ro00uumqhu4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbbyv1dxz8ro00uumqhu4.png" alt=" " width="800" height="478"></a></p> <h2> 1. Create an IAM Role </h2> <p>An IAM role is an AWS identity with a set of defined permissions. Unlike a user, a role can be assumed by trusted entities, including AWS services, to gain temporary access for specific actions.</p> <p>Every role consists of:</p> <ul> <li>A trust policy — defines who can assume the role.</li> <li>A permissions policy — defines what those entities can do.</li> </ul> <p>In this step, you’ll create an IAM role for AWS Config, granting it permissions to monitor and manage AWS resources.</p> <h3> Steps to Create the IAM Role </h3> <ol> <li><p><strong>Open the IAM Console</strong><br><br> Search for “IAM” in the AWS Console and select it to open the dashboard.</p></li> <li><p><strong>Create a New Role</strong><br><br> Go to Roles → Create role.</p></li> <li><p><strong>Select the Trusted Entity</strong><br><br> Under Use case, search and select Config.<br><br> Click Next.</p></li> <li><p><strong>Attach Permissions</strong><br><br> The policy AWSConfigServiceRolePolicy will be automatically selected.<br><br> Click Next.</p></li> <li><p><strong>Review and Create</strong><br><br> The default name AWSServiceRoleForConfig will appear automatically.<br><br> Click Create role.</p></li> </ol> <blockquote> <p>⚠️ Note: If the error “A role with this name already exists” appears, use the existing service role instead of creating a new one.</p> </blockquote> <h2> 2. Start the Configuration Recorder </h2> <p>The Configuration Recorder is the core of AWS Config. It continuously tracks configuration changes for selected AWS resources.<br><br> In this step, you’ll enable it to monitor EC2 security groups within your Region.</p> <h3> Steps to Start the Configuration Recorder </h3> <ol> <li><p><strong>Open AWS Config</strong><br><br> Search for “Config” and select the service.<br><br> You’ll land on the AWS Config Home page.</p></li> <li><p><strong>Set Up AWS Config</strong><br><br> Click <em>Set up AWS Config</em> in the sidebar.</p></li> <li> <p><strong>Select Specific Resources</strong><br><br> Under Recording method, choose <em>Specific resource types</em>.<br><br> Add: </p> <ul> <li>AWS EC2 SecurityGroup → Frequency: Continuous</li> </ul> </li> <li><p><strong>Assign the IAM Role</strong><br><br> Under Data governance, choose <em>Select a role from your account</em> and pick the previously created role.</p></li> <li><p><strong>Configure Delivery Method</strong><br><br> Under Delivery method, select <em>Create a bucket</em>.<br><br> This S3 bucket will store all configuration logs.<br><br> Click <em>Next</em>.</p></li> <li><p><strong>Skip Rule Selection</strong><br><br> On the Rules page, click <em>Next</em> without selecting any rules (we’ll add them later).</p></li> <li><p><strong>Review and Confirm</strong><br><br> Review your setup and click <em>Confirm</em>.<br><br> AWS Config will now record configuration changes for all security groups in your region.</p></li> </ol> <blockquote> <p>💡 If Config Is Already Enabled:<br><br> Go to Settings → Edit, select Specific resource types, and configure only AWS EC2 SecurityGroup for Continuous recording.</p> </blockquote> <h2> 3. Add AWS Config Rules </h2> <p>AWS Config Rules allow AWS Config to evaluate resources against compliance standards. AWS provides managed rules, and you can also create custom rules.</p> <p>In this lab, you’ll define managed rules to enforce your organization’s policy:</p> <ul> <li> <strong>restricted-ssh</strong> → Ensures no public SSH access (port 22) </li> </ul> <h3> Steps to Add AWS Config Rules </h3> <h4> Add the “restricted-ssh” Rule </h4> <ol> <li>From the AWS Config dashboard, select Rules → Add rule.</li> <li>Choose <em>Add AWS managed rule</em>.</li> <li>Search for and select <strong>restricted-ssh</strong>.</li> <li>Click <em>Next</em>, leave defaults, and click <em>Next</em> again.</li> <li>Review and click <em>Save</em>.</li> </ol> <p>This rule marks any EC2 security group that allows public SSH access as non-compliant.</p> <p>AWS Config will now begin evaluating resources against these rules.</p> <h2> 4. Provision EC2 Resources </h2> <p>Now, you’ll create EC2 resources that AWS Config can evaluate.<br><br> We’ll intentionally make one of them non-compliant to observe AWS Config’s detection capabilities.</p> <h3> Create a Security Group </h3> <ol> <li>Open the EC2 Dashboard → Search “EC2” in the console.</li> <li>Go to <em>Network &amp; Security → Security Groups</em>.</li> <li>Click <em>Create security group</em>.</li> <li>Set: <ul> <li>Name: MySecurityGroup </li> <li>Description: Security group allowing SSH access</li> </ul> </li> <li>Under <em>Inbound rules</em>, click <em>Add rule</em>: <ul> <li>Type: SSH </li> <li>Source: Anywhere-IPv4 (0.0.0.0/0)</li> </ul> </li> <li>Click <em>Create security group.</em> </li> </ol> <p>This configuration allows public SSH access — intentionally non-compliant per your rule.</p> <h3> Create an EC2 Instance </h3> <ol> <li>Go to <em>Instances → Launch instances.</em> </li> <li>Set the following: <ul> <li>Name: client </li> <li>AMI: Amazon Linux 2023 AMI </li> <li>Instance type: t2.micro </li> <li>Key pair: Proceed without key pair </li> <li>Network settings: Select existing security group → MySecurityGroup </li> <li>Storage: Default gp3</li> </ul> </li> <li>Click <em>Launch instance.</em> </li> <li>Wait for the instance status to show <em>Running.</em> </li> </ol> <p>AWS Config will now start evaluating these resources.</p> <h2> 5. Check the Resources’ Compliance </h2> <p>Now let’s verify if your security group comply with the defined rules.</p> <h3> Steps to Verify Compliance </h3> <ol> <li>Open AWS Config → Rules.</li> <li>Under restricted-ssh, look for 1 Noncompliant resource(s). If none appear, wait about a minute and refresh.</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0ueicid61040xe0lnvna.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0ueicid61040xe0lnvna.png" alt=" " width="800" height="505"></a></p> <ol> <li>Click the restricted-ssh rule → view Resources in scope.</li> <li>Click the Resource ID to confirm it’s your MySecurityGroup.</li> <li>To view its details, click <em>View Configuration Item (JSON)</em>. You’ll find: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>json "ipPermissions": [ { "fromPort": 22, "ipProtocol": "tcp", "toPort": 22, "ipv4Ranges": [ { "cidrIp": "0.0.0.0/0" } ] } ] </code></pre> </div> <p>This shows that port 22 (SSH) is open to the public (0.0.0.0/0) — making the security group non-compliant.</p> <h2> 6. Add and Use a Remediation Action </h2> <p>Once AWS Config identifies non-compliance, you can fix it using remediation actions.<br><br> AWS Config integrates with AWS Systems Manager Automations to perform predefined remediation workflows.</p> <p>Here, you’ll create and execute a remediation action to automatically remove public SSH access from your EC2 security group.</p> <h3> Add the Remediation Action </h3> <ol> <li>Open AWS Config → Rules → restricted-ssh.</li> <li>Click <em>Actions → Manage remediation</em>.</li> <li>Under <em>Select remediation method</em>, choose <em>Manual remediation</em>.</li> <li>In <em>Remediation action details</em>, select <strong>AWS-DisablePublicAccessForSecurityGroup</strong>.</li> <li>For <em>Resource ID parameter</em>, choose <em>GroupId</em>.</li> <li>In <em>Parameters</em>, set: <ul> <li>IpAddressToBlock: 0.0.0.0/0</li> </ul> </li> <li>Click <em>Save changes.</em> </li> </ol> <h3> Use the Remediation Action </h3> <ol> <li>Open the restricted-ssh rule again.</li> <li>In <em>Resources in scope</em>, select the non-compliant security group.</li> <li>Click <em>Remediate.</em> </li> <li>Once the process completes, you’ll see “Action executed successfully.”</li> <li>Refresh the page — the resource should disappear from the non-compliant list.</li> <li>Finally, verify from the EC2 Dashboard → Security Groups that the inbound SSH rule allowing public access has been removed.</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwyl39lznaliqro2movui.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwyl39lznaliqro2movui.png" alt=" " width="800" height="403"></a></p> <p>You’ve successfully remediated your non-compliant resource.</p> <h2> Conclusion </h2> <p>In this Cloud Lab, you learned how to:</p> <ul> <li>Configure AWS Config to monitor and record resource changes </li> <li>Define compliance rules for security groups </li> <li>Detect and review non-compliant resources </li> <li>Apply remediation actions to automatically fix violations </li> </ul> <p>With AWS Config, you can continuously track, audit, and enforce configuration compliance — ensuring your AWS environment remains secure and aligned with organizational policies.</p> aws monitoring cloud AWS CloudFront Security Implementation Guide harsh patel Wed, 08 Oct 2025 18:42:39 +0000 https://forem.com/harshhp/aws-cloudfront-security-implementation-guide-bjm https://forem.com/harshhp/aws-cloudfront-security-implementation-guide-bjm <h2> Combining Origin Access Control (OAC) and Signed URLs with Trusted Key Groups </h2> <h2> Executive Summary </h2> <p>This guide provides a comprehensive implementation framework for securing Amazon S3 static assets through AWS CloudFront using <strong>Origin Access Control (OAC)</strong> and <strong>Signed URLs with Trusted Key Groups</strong>. This architecture establishes multiple security layers to protect sensitive content while maintaining optimal delivery performance.</p> <h2> Architecture Overview </h2> <p>This architecture establishes a <strong>two-layer security model</strong> where both end-user access and origin access are independently verified and protected.</p> <h3> User → CloudFront (Signed URLs) </h3> <ul> <li>Users must present a <strong>cryptographically signed URL</strong> containing an expiration timestamp. </li> <li> <strong>CloudFront validates</strong> the signature using <strong>public keys</strong> from <strong>trusted Key Groups</strong>. </li> <li>Any <strong>invalid or expired requests</strong> are <strong>rejected at the edge</strong>, preventing unauthorized access.</li> </ul> <h3> CloudFront → S3 (Origin Access Control) </h3> <ul> <li>CloudFront <strong>authenticates to S3</strong> using <strong>AWS Signature Version 4</strong>. </li> <li> <strong>S3 bucket policies</strong> ensure that requests <strong>only come from authorized CloudFront distributions</strong>. </li> <li> <strong>Direct access to S3 is blocked</strong>, enforcing all data delivery through CloudFront.</li> </ul> <h3> Security Layers </h3> <ul> <li> <strong>Viewer Authentication:</strong> Signed URL validation using RSA key pairs </li> <li> <strong>Edge Security:</strong> CloudFront distribution with restricted access policies </li> <li> <strong>Origin Authentication:</strong> OAC with SigV4 signing for S3 access </li> <li> <strong>Bucket Security:</strong> S3 bucket policies restricting access to specific CloudFront distributions</li> </ul> <h2> Implementation Specifications </h2> <h3> Phase 1: S3 Bucket Configuration </h3> <h4> 1.1 Create Private S3 Bucket (Console) </h4> <ol> <li>Navigate to <strong>Amazon S3 Console</strong> </li> <li>Click <strong>Create bucket</strong> </li> <li>Enter Bucket name: <code>demo-oac-secure-assets</code> </li> <li>Select <strong>AWS Region</strong> </li> <li>Under <strong>Block Public Access</strong>, select <strong>Block all public access</strong> </li> <li>(Optional) <strong>Enable Versioning</strong> for audit trail </li> <li>Click <strong>Create bucket</strong> </li> </ol> <h4> 1.2 Upload Sample Content (Console) </h4> <ol> <li>Select your newly created bucket </li> <li>Click <strong>Upload → Add files</strong> </li> <li>Select your static assets (HTML, CSS, JS, images) </li> <li>Click <strong>Upload</strong> </li> <li>Verify objects show <strong>No public access</strong> in the permissions column</li> </ol> <h3> Phase 2: Origin Access Control Setup </h3> <h4> 2.1 Create OAC Configuration (Console) </h4> <ol> <li>Navigate to <strong>CloudFront Console</strong> </li> <li>In left navigation, select <strong>Origin access</strong> </li> <li>Click <strong>Create control setting</strong> </li> <li>Configure: <ul> <li> <strong>Name:</strong> <code>secure-oac-configuration</code> </li> <li> <strong>Description:</strong> <em>Origin Access Control for secure S3 access</em> </li> <li> <strong>Signing protocol:</strong> <strong>SigV4</strong> </li> <li> <strong>Signing behavior:</strong> <strong>Always</strong> </li> </ul> </li> <li>Click <strong>Create</strong> </li> </ol> <h3> Phase 3: Cryptographic Key Management </h3> <h4> 3.1 Generate Key Pair Locally </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Generate 2048-bit RSA private key</span> openssl genrsa <span class="nt">-out</span> private_key.pem 2048 <span class="c"># Extract public key</span> openssl rsa <span class="nt">-in</span> private_key.pem <span class="nt">-pubout</span> <span class="nt">-out</span> public_key.pem <span class="c"># Set secure permissions</span> <span class="nb">chmod </span>600 private_key.pem </code></pre> </div> <h4> 3.2 Create CloudFront Public Key (Console) </h4> <ol> <li>In <strong>CloudFront Console</strong>, open <strong>Key management → Public keys</strong> </li> <li>Click <strong>Create public key</strong> </li> <li>Configure: <ul> <li> <strong>Name:</strong> <code>secure-content-key</code> </li> <li> <strong>Public key:</strong> paste contents of <code>public_key.pem</code> </li> </ul> </li> <li>Click <strong>Create public key</strong> </li> <li>Note the generated <strong>Key pair ID</strong> (format: <code>K123456789ABCDEF</code>)</li> </ol> <h4> 3.3 Establish Trusted Key Group (Console) </h4> <ol> <li>In <strong>CloudFront Console</strong>, open <strong>Key management → Key groups</strong> </li> <li>Click <strong>Create key group</strong> </li> <li>Configure: <ul> <li> <strong>Name:</strong> <code>trusted-key-group</code> </li> <li> <strong>Description:</strong> <em>Key group for signed URL validation</em> </li> <li> <strong>Public keys:</strong> select your created public key </li> </ul> </li> <li>Click <strong>Create key group</strong> </li> </ol> <h3> Phase 4: CloudFront Distribution Configuration </h3> <h4> 4.1 Create Distribution (Console) </h4> <ol> <li>Navigate to <strong>CloudFront Console</strong> → <strong>Create distribution</strong> </li> <li> <strong>Origin settings:</strong> <ul> <li> <strong>Origin domain:</strong> select your S3 bucket (<code>demo-oac-secure-assets.s3.amazonaws.com</code>) </li> <li> <strong>Origin path:</strong> <em>(Leave blank)</em> </li> <li> <strong>Name:</strong> <code>SecureS3Origin</code> </li> <li> <strong>Origin access:</strong> <strong>Origin access control settings (recommended)</strong> </li> <li> <strong>Select control setting:</strong> your created OAC </li> <li> <strong>Bucket policy:</strong> <strong>Yes, update the bucket policy</strong> </li> </ul> </li> </ol> <h4> 4.2 Configure Default Cache Behavior </h4> <ul> <li> <strong>Cache policy:</strong> <code>CachingOptimized</code> </li> <li> <strong>Viewer protocol policy:</strong> <strong>Redirect HTTP to HTTPS</strong> </li> <li> <strong>Restrict viewer access:</strong> <strong>Yes</strong> </li> <li> <strong>Trusted key groups:</strong> select your created key group </li> <li>Additional: <ul> <li> <strong>AWS WAF:</strong> Enable if required </li> <li> <strong>HTTP/2:</strong> Enabled </li> <li> <strong>IPv6:</strong> Enabled</li> </ul> </li> </ul> <h4> 4.3 Distribution Settings </h4> <ul> <li> <strong>Price class:</strong> choose based on geographic requirements </li> <li> <strong>Alternate domain name (CNAME):</strong> configure if using custom domain </li> <li> <strong>SSL certificate:</strong> default or custom ACM certificate </li> <li>Click <strong>Create distribution</strong> </li> <li>Wait for status to change from <strong>In Progress</strong> → <strong>Deployed</strong> </li> </ul> <h3> Phase 5: S3 Bucket Policy Implementation </h3> <h4> 5.1 Verify Automatic Policy Creation (Console) </h4> <ol> <li>Go to <strong>S3 Console</strong> → select bucket <strong><code>demo-oac-secure-assets</code></strong> → <strong>Permissions</strong> tab </li> <li>Verify an <strong>auto-generated bucket policy</strong> that allows CloudFront access via OAC </li> <li>If not present, apply the manual policy below</li> </ol> <h4> 5.2 Manual Bucket Policy (if required) </h4> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AllowCloudFrontOACAccess"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Service"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cloudfront.amazonaws.com"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3:GetObject"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::demo-oac-secure-assets/*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS:SourceArn"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:cloudfront::123456789012:distribution/E2ABCD1234EXAMPLE"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Replace placeholders:</strong></p> <ul> <li> <code>123456789012</code> → your AWS Account ID </li> <li> <code>E2ABCD1234EXAMPLE</code> → your CloudFront Distribution ID</li> </ul> <h2> Signed URL Generation Implementation </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdczy5ajrtgmhsnxa5ymz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdczy5ajrtgmhsnxa5ymz.png" alt=" " width="800" height="441"></a></p> <h3> Python Implementation </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">base64</span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">time</span> <span class="kn">from</span> <span class="n">urllib.parse</span> <span class="kn">import</span> <span class="n">urlencode</span> <span class="kn">from</span> <span class="n">cryptography.hazmat.primitives</span> <span class="kn">import</span> <span class="n">serialization</span><span class="p">,</span> <span class="n">hashes</span> <span class="kn">from</span> <span class="n">cryptography.hazmat.primitives.asymmetric</span> <span class="kn">import</span> <span class="n">padding</span> <span class="k">class</span> <span class="nc">CloudFrontSigner</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">key_pair_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">private_key_path</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">key_pair_id</span> <span class="o">=</span> <span class="n">key_pair_id</span> <span class="n">self</span><span class="p">.</span><span class="n">private_key_path</span> <span class="o">=</span> <span class="n">private_key_path</span> <span class="k">def</span> <span class="nf">_b64url_encode</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">data</span><span class="p">:</span> <span class="nb">bytes</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Base64 URL-safe encoding without padding</span><span class="sh">"""</span> <span class="k">return</span> <span class="n">base64</span><span class="p">.</span><span class="nf">b64encode</span><span class="p">(</span><span class="n">data</span><span class="p">).</span><span class="nf">decode</span><span class="p">().</span><span class="nf">replace</span><span class="p">(</span><span class="sh">'</span><span class="s">+</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">-</span><span class="sh">'</span><span class="p">).</span><span class="nf">replace</span><span class="p">(</span><span class="sh">'</span><span class="s">=</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">_</span><span class="sh">'</span><span class="p">).</span><span class="nf">replace</span><span class="p">(</span><span class="sh">'</span><span class="s">/</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">~</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">_sign_policy</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">policy</span><span class="p">:</span> <span class="nb">bytes</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Sign policy document using RSA private key</span><span class="sh">"""</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">private_key_path</span><span class="p">,</span> <span class="sh">'</span><span class="s">rb</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">key_file</span><span class="p">:</span> <span class="n">private_key</span> <span class="o">=</span> <span class="n">serialization</span><span class="p">.</span><span class="nf">load_pem_private_key</span><span class="p">(</span> <span class="n">key_file</span><span class="p">.</span><span class="nf">read</span><span class="p">(),</span> <span class="n">password</span><span class="o">=</span><span class="bp">None</span> <span class="p">)</span> <span class="n">signature</span> <span class="o">=</span> <span class="n">private_key</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span><span class="n">policy</span><span class="p">,</span> <span class="n">padding</span><span class="p">.</span><span class="nc">PKCS1v15</span><span class="p">(),</span> <span class="n">hashes</span><span class="p">.</span><span class="nc">SHA1</span><span class="p">())</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="nf">_b64url_encode</span><span class="p">(</span><span class="n">signature</span><span class="p">)</span> <span class="k">def</span> <span class="nf">generate_signed_url</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">resource_url</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">expires_in</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">3600</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Generate CloudFront signed URL with custom policy</span><span class="sh">"""</span> <span class="n">expiration</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">())</span> <span class="o">+</span> <span class="n">expires_in</span> <span class="n">policy</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">Statement</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="sh">"</span><span class="s">Resource</span><span class="sh">"</span><span class="p">:</span> <span class="n">resource_url</span><span class="p">,</span> <span class="sh">"</span><span class="s">Condition</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">DateLessThan</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">AWS:EpochTime</span><span class="sh">"</span><span class="p">:</span> <span class="n">expiration</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="n">policy_json</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">policy</span><span class="p">,</span> <span class="n">separators</span><span class="o">=</span><span class="p">(</span><span class="sh">'</span><span class="s">,</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">:</span><span class="sh">'</span><span class="p">)).</span><span class="nf">encode</span><span class="p">()</span> <span class="n">policy_encoded</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">_b64url_encode</span><span class="p">(</span><span class="n">policy_json</span><span class="p">)</span> <span class="n">signature</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">_sign_policy</span><span class="p">(</span><span class="n">policy_json</span><span class="p">)</span> <span class="k">return</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">resource_url</span><span class="si">}</span><span class="s">?Policy=</span><span class="si">{</span><span class="n">policy_encoded</span><span class="si">}</span><span class="s">&amp;Signature=</span><span class="si">{</span><span class="n">signature</span><span class="si">}</span><span class="s">&amp;Key-Pair-Id=</span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="n">key_pair_id</span><span class="si">}</span><span class="sh">"</span> <span class="c1"># Implementation Example </span><span class="n">signer</span> <span class="o">=</span> <span class="nc">CloudFrontSigner</span><span class="p">(</span> <span class="n">key_pair_id</span><span class="o">=</span><span class="sh">"</span><span class="s">K123456789ABCDEF</span><span class="sh">"</span><span class="p">,</span> <span class="n">private_key_path</span><span class="o">=</span><span class="sh">"</span><span class="s">/secure/keys/private_key.pem</span><span class="sh">"</span> <span class="p">)</span> <span class="n">signed_url</span> <span class="o">=</span> <span class="n">signer</span><span class="p">.</span><span class="nf">generate_signed_url</span><span class="p">(</span> <span class="n">resource_url</span><span class="o">=</span><span class="sh">"</span><span class="s">https://d123456789.cloudfront.net/secure-document.pdf</span><span class="sh">"</span><span class="p">,</span> <span class="n">expires_in</span><span class="o">=</span><span class="mi">7200</span> <span class="c1"># 2 hours validity </span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Signed URL:</span><span class="sh">"</span><span class="p">,</span> <span class="n">signed_url</span><span class="p">)</span> </code></pre> </div> <h3> Phase 6: Testing </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Test Scenario</th> <th>Expected Result</th> <th>Validation Steps</th> </tr> </thead> <tbody> <tr> <td>Direct S3 Access</td> <td>HTTP 403 Access Denied</td> <td>1) Copy S3 object URL → 2) Open in browser → 3) Verify <strong>Access Denied</strong> </td> </tr> <tr> <td>Unsigned CloudFront Access</td> <td>HTTP 403 Access Denied</td> <td>1) Copy CloudFront URL → 2) Access w/o params → 3) Verify <strong>Access Denied</strong> </td> </tr> <tr> <td>Valid Signed URL</td> <td>HTTP 200 OK</td> <td>1) Generate signed URL → 2) Open in browser → 3) Verify content loads</td> </tr> <tr> <td>Expired Signed URL</td> <td>HTTP 403 Access Denied</td> <td>1) Generate URL with past expiration → 2) Access → 3) Verify rejection</td> </tr> <tr> <td>Modified Signature</td> <td>HTTP 403 Access Denied</td> <td>1) Alter signature parameter → 2) Access → 3) Verify rejection</td> </tr> </tbody> </table></div> <h2> Results Comparison </h2> <h3> 🔒 Access Without Signed URL (Blocked) </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpb8x4lhty6z1ib3aei1l.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpb8x4lhty6z1ib3aei1l.png" alt="Access Denied Screenshot" width="800" height="232"></a>)</p> <h3> ✅ Access With Signed URL (Successful) </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8ktbfeaoi4638hkl1ogb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8ktbfeaoi4638hkl1ogb.png" alt="Access Allowed Screenshot" width="800" height="475"></a></p> aws cdn Beyond the Proxy: Building a Secure, Observable Serverless API with Amazon API Gateway harsh patel Sun, 05 Oct 2025 18:21:01 +0000 https://forem.com/harshhp/beyond-the-proxy-building-a-secure-observable-serverless-api-with-amazon-api-gateway-di2 https://forem.com/harshhp/beyond-the-proxy-building-a-secure-observable-serverless-api-with-amazon-api-gateway-di2 <h2> Introduction: Rethinking API Gateway </h2> <p>If you ask many developers what <strong>Amazon API Gateway</strong> is, they’ll often say,<br><br> “It’s a way to trigger Lambda functions with HTTP requests.” </p> <p>While that’s a common use case, this view undersells the service dramatically.</p> <p>In reality, API Gateway is a <strong>complete API management platform</strong>. It’s your first and most critical line of defense, capable of handling <strong>validation, transformation, authentication, throttling, and observability</strong> before your Lambda function even runs.<br><br> It shifts the burden of common API concerns from your code to a managed, scalable layer.</p> <p>To prove this, we’ll build <strong>TrailLog</strong> — a serverless API for logging hiking trips.<br><br> We won’t just connect endpoints; we’ll use API Gateway’s full potential to create a <strong>robust, secure, and observable</strong> API.</p> <h3> By the end of this guide, you will learn how to: </h3> <ul> <li> <strong>Validate &amp; Transform:</strong> Enforce data contracts at the gateway, keeping Lambda code clean. </li> <li> <strong>Secure Endpoints:</strong> Implement a custom Lambda authorizer for token-based access control. </li> <li> <strong>Achieve Observability:</strong> Gain deep insights into API performance with structured CloudWatch logs. </li> <li> <strong>Orchestrate a Governed API:</strong> Deploy a production-ready API with full visibility and control.</li> </ul> <h2> The Blueprint: TrailLog System Architecture </h2> <p>Our fully serverless architecture is designed for scalability and simplicity.<br><br> Each AWS service plays a clear role in this ecosystem.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>Responsibility</th> </tr> </thead> <tbody> <tr> <td><strong>Amazon API Gateway (REST API)</strong></td> <td>The unified entry point — handles routing, validation, auth, and logging</td> </tr> <tr> <td><strong>AWS Lambda</strong></td> <td>Executes backend logic for creating and retrieving trips</td> </tr> <tr> <td><strong>Amazon DynamoDB</strong></td> <td>Stores all hiking data in a serverless NoSQL table</td> </tr> <tr> <td><strong>Amazon CloudWatch</strong></td> <td>Centralizes logs and metrics for monitoring and debugging</td> </tr> </tbody> </table></div> <p>This stack scales automatically with traffic, without managing or patching servers.</p> <h3> Architecture Diagram </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpzszbofr2njg9dnn6qli.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpzszbofr2njg9dnn6qli.png" alt=" " width="800" height="483"></a><br> <em>Client application sends incoming HTTPS REST requests to Amazon API Gateway, which triggers AWS Lambda functions for GET, POST, and DELETE operations. Lambda interacts with Amazon DynamoDB for data storage and sends logs to Amazon CloudWatch.</em></p> <h2> Foundation: Setting Up Permissions with IAM </h2> <p>All Lambda functions in TrailLog share a single IAM role named <strong><code>lambda-traillog-role</code></strong>,<br><br> configured via an inline policy that grants access to DynamoDB and CloudWatch logs.</p> <h3> IAM Role: <code>lambda-traillog-role</code> </h3> <p>All Lambda functions in TrailLog share a single IAM role named <code>lambda-traillog-role</code>.<br><br> This role is granted access to the DynamoDB table <strong>TrailLog</strong> through the following inline policy.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DDBWriteTrailLog"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"dynamodb:PutItem"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:dynamodb:us-east-1:579273601939:table/TrailLog"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DDBReadTrailLog"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"dynamodb:GetItem"</span><span class="p">,</span><span class="w"> </span><span class="s2">"dynamodb:Scan"</span><span class="p">,</span><span class="w"> </span><span class="s2">"dynamodb:Query"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:dynamodb:us-east-1:579273601939:table/TrailLog"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DDBDescribeForChecks"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"dynamodb:DescribeTable"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:dynamodb:us-east-1:579273601939:table/TrailLog"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This role is attached to all Lambda functions in the project.</p> <h2> Deep Dive 1: The <code>POST /trips</code> Endpoint — Validation &amp; Transformation </h2> <p>The first endpoint demonstrates API Gateway’s ability to offload validation and data transformation<br><br> before invoking the backend logic.</p> <h3> DynamoDB Table: TrailLog </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Property</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td><strong>Partition Key</strong></td> <td> <code>tripId</code> (String)</td> </tr> <tr> <td><strong>Billing Mode</strong></td> <td>Pay-per-request</td> </tr> </tbody> </table></div> <h3> Lambda Function: <code>create-trip</code> (Python 3.12) </h3> <p>This Lambda function remains simple because API Gateway enforces all validation upfront.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">json</span><span class="p">,</span> <span class="n">os</span><span class="p">,</span> <span class="n">uuid</span><span class="p">,</span> <span class="n">boto3</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="kn">from</span> <span class="n">decimal</span> <span class="kn">import</span> <span class="n">Decimal</span><span class="p">,</span> <span class="n">InvalidOperation</span> <span class="n">dynamodb</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">resource</span><span class="p">(</span><span class="sh">"</span><span class="s">dynamodb</span><span class="sh">"</span><span class="p">)</span> <span class="n">table</span> <span class="o">=</span> <span class="n">dynamodb</span><span class="p">.</span><span class="nc">Table</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">TABLE_NAME</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="c1"># API Gateway has already validated input; focus on core logic. </span> <span class="n">trip_id</span> <span class="o">=</span> <span class="nf">str</span><span class="p">(</span><span class="n">uuid</span><span class="p">.</span><span class="nf">uuid4</span><span class="p">())</span> <span class="n">item</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">tripId</span><span class="sh">"</span><span class="p">:</span> <span class="n">trip_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">userId</span><span class="sh">"</span><span class="p">:</span> <span class="n">event</span><span class="p">[</span><span class="sh">"</span><span class="s">userId</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">trailName</span><span class="sh">"</span><span class="p">:</span> <span class="n">event</span><span class="p">[</span><span class="sh">"</span><span class="s">trailName</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">date</span><span class="sh">"</span><span class="p">:</span> <span class="n">event</span><span class="p">[</span><span class="sh">"</span><span class="s">date</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">distanceKm</span><span class="sh">"</span><span class="p">:</span> <span class="n">event</span><span class="p">[</span><span class="sh">"</span><span class="s">distanceKm</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">durationMin</span><span class="sh">"</span><span class="p">:</span> <span class="n">event</span><span class="p">[</span><span class="sh">"</span><span class="s">durationMin</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">elevationGainM</span><span class="sh">"</span><span class="p">:</span> <span class="n">event</span><span class="p">[</span><span class="sh">"</span><span class="s">elevationGainM</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">notes</span><span class="sh">"</span><span class="p">:</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">notes</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">),</span> <span class="sh">"</span><span class="s">createdAt</span><span class="sh">"</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">().</span><span class="nf">isoformat</span><span class="p">()</span> <span class="o">+</span> <span class="sh">"</span><span class="s">Z</span><span class="sh">"</span> <span class="p">}</span> <span class="n">table</span><span class="p">.</span><span class="nf">put_item</span><span class="p">(</span><span class="n">Item</span><span class="o">=</span><span class="n">item</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="mi">201</span><span class="p">,</span> <span class="sh">"</span><span class="s">headers</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">Content-Type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">application/json</span><span class="sh">"</span><span class="p">},</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">ok</span><span class="sh">"</span><span class="p">:</span> <span class="bp">True</span><span class="p">,</span> <span class="sh">"</span><span class="s">tripId</span><span class="sh">"</span><span class="p">:</span> <span class="n">trip_id</span><span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h3> The API Gateway Configuration: Non-Proxy Integration </h3> <p>Disabling Lambda Proxy Integration gives us control over request handling and validation.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Setting</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td><strong>Integration Type</strong></td> <td>Lambda Function</td> </tr> <tr> <td><strong>Proxy Integration</strong></td> <td>Disabled</td> </tr> <tr> <td><strong>Validator</strong></td> <td>Body &amp; Params</td> </tr> <tr> <td><strong>Model</strong></td> <td><code>TripCreate</code></td> </tr> </tbody> </table></div> <h4> Request Model: <code>TripCreate</code> </h4> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"object"</span><span class="p">,</span><span class="w"> </span><span class="nl">"required"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"userId"</span><span class="p">,</span><span class="w"> </span><span class="s2">"trailName"</span><span class="p">,</span><span class="w"> </span><span class="s2">"date"</span><span class="p">,</span><span class="w"> </span><span class="s2">"distanceKm"</span><span class="p">,</span><span class="w"> </span><span class="s2">"durationMin"</span><span class="p">,</span><span class="w"> </span><span class="s2">"elevationGainM"</span><span class="p">],</span><span class="w"> </span><span class="nl">"properties"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"userId"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"string"</span><span class="p">},</span><span class="w"> </span><span class="nl">"trailName"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"string"</span><span class="p">},</span><span class="w"> </span><span class="nl">"date"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"string"</span><span class="p">,</span><span class="w"> </span><span class="nl">"pattern"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^[0-9]{4}-[0-9]{2}-[0-9]{2}$"</span><span class="p">},</span><span class="w"> </span><span class="nl">"distanceKm"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"number"</span><span class="p">},</span><span class="w"> </span><span class="nl">"durationMin"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"integer"</span><span class="p">},</span><span class="w"> </span><span class="nl">"elevationGainM"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"integer"</span><span class="p">},</span><span class="w"> </span><span class="nl">"notes"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"string"</span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Now, any malformed input (for example, an invalid date format or incorrect type)<br><br> is rejected <strong>at the gateway</strong>, saving Lambda invocations and improving reliability.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzqi0o2ie9ziqazvwa66g.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzqi0o2ie9ziqazvwa66g.png" alt=" " width="800" height="593"></a><br> <em>Successfully created a new hiking trip via the <code>POST /trips</code> endpoint, returning a 201 status and generated <code>tripId</code>.</em></p> <h2> Deep Dive 2: The <code>GET /trips/{tripId}</code> Endpoint — Simple Proxy Integration </h2> <p>For simple reads, we use <strong>Lambda Proxy Integration</strong> to pass the entire request context directly to Lambda.</p> <h3> Lambda Function: <code>get-trip</code> </h3> <p>This function extracts <code>tripId</code> from the path and fetches the corresponding item from DynamoDB.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">json</span><span class="p">,</span> <span class="n">os</span><span class="p">,</span> <span class="n">boto3</span><span class="p">,</span> <span class="n">decimal</span> <span class="n">dynamodb</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">resource</span><span class="p">(</span><span class="sh">"</span><span class="s">dynamodb</span><span class="sh">"</span><span class="p">)</span> <span class="n">table</span> <span class="o">=</span> <span class="n">dynamodb</span><span class="p">.</span><span class="nc">Table</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">TABLE_NAME</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">_to_native</span><span class="p">(</span><span class="n">x</span><span class="p">):</span> <span class="k">if</span> <span class="nf">isinstance</span><span class="p">(</span><span class="n">x</span><span class="p">,</span> <span class="n">decimal</span><span class="p">.</span><span class="n">Decimal</span><span class="p">):</span> <span class="k">return</span> <span class="nf">int</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="k">if</span> <span class="n">x</span> <span class="o">%</span> <span class="mi">1</span> <span class="o">==</span> <span class="mi">0</span> <span class="k">else</span> <span class="nf">float</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="k">return</span> <span class="n">x</span> <span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="n">trip_id</span> <span class="o">=</span> <span class="p">(</span><span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">pathParameters</span><span class="sh">"</span><span class="p">)</span> <span class="ow">or</span> <span class="p">{}).</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">tripId</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">trip_id</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="mi">400</span><span class="p">,</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Missing tripId</span><span class="sh">"</span><span class="p">}</span> <span class="n">res</span> <span class="o">=</span> <span class="n">table</span><span class="p">.</span><span class="nf">get_item</span><span class="p">(</span><span class="n">Key</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">tripId</span><span class="sh">"</span><span class="p">:</span> <span class="n">trip_id</span><span class="p">})</span> <span class="n">item</span> <span class="o">=</span> <span class="n">res</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">Item</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">item</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="mi">404</span><span class="p">,</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Not found</span><span class="sh">"</span><span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="sh">"</span><span class="s">headers</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">Content-Type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">application/json</span><span class="sh">"</span><span class="p">},</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="nf">_to_native</span><span class="p">(</span><span class="n">item</span><span class="p">))</span> <span class="p">}</span> </code></pre> </div> <h4> Test Request </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl https://&lt;api-id&gt;.execute-api.us-east-1.amazonaws.com/dev/trips/&lt;tripId&gt; </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F54ask7wwg2vuy6o9m39o.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F54ask7wwg2vuy6o9m39o.png" alt=" " width="800" height="615"></a><br> <em>Fetched detailed hiking trip data successfully using the <code>GET /trips/{tripId}</code> endpoint.</em></p> <h2> Deep Dive 3: Security and Observability — <code>/secure/admin/stats</code> </h2> <p>This administrative endpoint combines two advanced API Gateway features:<br><br> <strong>custom token authorization</strong> and <strong>centralized CloudWatch observability</strong>.</p> <h3> 1. Securing the Route with a Lambda Authorizer </h3> <p>We use a <strong>custom Lambda authorizer</strong> to protect the <code>/secure/admin/stats</code> route.</p> <h4> Authorizer Function: <code>lambda-authorizer</code> </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">json</span> <span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="n">DEMO_TOKEN</span> <span class="o">=</span> <span class="sh">"</span><span class="s">Bearer trail123</span><span class="sh">"</span> <span class="n">token</span> <span class="o">=</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">authorizationToken</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">).</span><span class="nf">strip</span><span class="p">()</span> <span class="k">if</span> <span class="n">token</span> <span class="o">==</span> <span class="n">DEMO_TOKEN</span><span class="p">:</span> <span class="n">effect</span><span class="p">,</span> <span class="n">role</span> <span class="o">=</span> <span class="sh">"</span><span class="s">Allow</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">admin</span><span class="sh">"</span> <span class="k">else</span><span class="p">:</span> <span class="n">effect</span><span class="p">,</span> <span class="n">role</span> <span class="o">=</span> <span class="sh">"</span><span class="s">Deny</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">guest</span><span class="sh">"</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">principalId</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">trail-admin</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">policyDocument</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">Version</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">2012-10-17</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Statement</span><span class="sh">"</span><span class="p">:</span> <span class="p">[{</span> <span class="sh">"</span><span class="s">Action</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">execute-api:Invoke</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Effect</span><span class="sh">"</span><span class="p">:</span> <span class="n">effect</span><span class="p">,</span> <span class="sh">"</span><span class="s">Resource</span><span class="sh">"</span><span class="p">:</span> <span class="n">event</span><span class="p">[</span><span class="sh">"</span><span class="s">methodArn</span><span class="sh">"</span><span class="p">]</span> <span class="p">}]</span> <span class="p">},</span> <span class="sh">"</span><span class="s">context</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">:</span> <span class="n">role</span><span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Any request without <code>X-Auth-Token: Bearer trail123</code> will receive a <strong>403 Forbidden</strong> response.</p> <h3> 2. Stats Aggregation Function: <code>admin-stats</code> </h3> <p>This function aggregates trip statistics across all records.<br><br> It’s invoked only if the authorizer grants access.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">json</span><span class="p">,</span> <span class="n">os</span><span class="p">,</span> <span class="n">boto3</span><span class="p">,</span> <span class="n">decimal</span> <span class="n">dynamodb</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">resource</span><span class="p">(</span><span class="sh">"</span><span class="s">dynamodb</span><span class="sh">"</span><span class="p">)</span> <span class="n">table</span> <span class="o">=</span> <span class="n">dynamodb</span><span class="p">.</span><span class="nc">Table</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">TABLE_NAME</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">_n</span><span class="p">(</span><span class="n">x</span><span class="p">):</span> <span class="k">if</span> <span class="nf">isinstance</span><span class="p">(</span><span class="n">x</span><span class="p">,</span> <span class="n">decimal</span><span class="p">.</span><span class="n">Decimal</span><span class="p">):</span> <span class="k">return</span> <span class="nf">int</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="k">if</span> <span class="n">x</span> <span class="o">%</span> <span class="mi">1</span> <span class="o">==</span> <span class="mi">0</span> <span class="k">else</span> <span class="nf">float</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="k">return</span> <span class="n">x</span> <span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="n">scan</span> <span class="o">=</span> <span class="n">table</span><span class="p">.</span><span class="nf">scan</span><span class="p">(</span><span class="n">ProjectionExpression</span><span class="o">=</span><span class="sh">"</span><span class="s">tripId, distanceKm, durationMin, elevationGainM</span><span class="sh">"</span><span class="p">)</span> <span class="n">items</span> <span class="o">=</span> <span class="n">scan</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">Items</span><span class="sh">"</span><span class="p">,</span> <span class="p">[])</span> <span class="n">total</span> <span class="o">=</span> <span class="nf">len</span><span class="p">(</span><span class="n">items</span><span class="p">)</span> <span class="n">km</span> <span class="o">=</span> <span class="nf">sum</span><span class="p">(</span><span class="nf">_n</span><span class="p">(</span><span class="n">i</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">distanceKm</span><span class="sh">"</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="n">items</span><span class="p">)</span> <span class="n">mins</span> <span class="o">=</span> <span class="nf">sum</span><span class="p">(</span><span class="nf">_n</span><span class="p">(</span><span class="n">i</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">durationMin</span><span class="sh">"</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="n">items</span><span class="p">)</span> <span class="n">gain</span> <span class="o">=</span> <span class="nf">sum</span><span class="p">(</span><span class="nf">_n</span><span class="p">(</span><span class="n">i</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">elevationGainM</span><span class="sh">"</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="n">items</span><span class="p">)</span> <span class="n">stats</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">totalTrips</span><span class="sh">"</span><span class="p">:</span> <span class="n">total</span><span class="p">,</span> <span class="sh">"</span><span class="s">totalKm</span><span class="sh">"</span><span class="p">:</span> <span class="nf">round</span><span class="p">(</span><span class="nf">float</span><span class="p">(</span><span class="n">km</span><span class="p">),</span> <span class="mi">2</span><span class="p">),</span> <span class="sh">"</span><span class="s">totalHours</span><span class="sh">"</span><span class="p">:</span> <span class="nf">round</span><span class="p">(</span><span class="nf">float</span><span class="p">(</span><span class="n">mins</span><span class="p">)</span> <span class="o">/</span> <span class="mf">60.0</span><span class="p">,</span> <span class="mi">1</span><span class="p">),</span> <span class="sh">"</span><span class="s">totalElevationM</span><span class="sh">"</span><span class="p">:</span> <span class="nf">int</span><span class="p">(</span><span class="n">gain</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="sh">"</span><span class="s">headers</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">Content-Type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">application/json</span><span class="sh">"</span><span class="p">},</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">stats</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h4> Test Request </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-H</span> <span class="s2">"Authorization: Bearer trail123"</span> <span class="s2">"</span><span class="nv">$BASE</span><span class="s2">/secure/admin/stats"</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft937yf6xogmd6xjacnlw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft937yf6xogmd6xjacnlw.png" alt=" " width="800" height="618"></a></p> <p><em>Access denied without a valid token — API Gateway blocking unauthorized requests using the custom Lambda authorizer.</em></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv6k7jwre1tia6k4njmf7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv6k7jwre1tia6k4njmf7.png" alt=" " width="800" height="605"></a><br> <em>Authorized admin access to <code>/secure/admin/stats</code> returning aggregated trail statistics.</em></p> <h2> The Crown Jewel: Deep Observability with CloudWatch </h2> <p>To gain complete visibility into API behavior, enable both <strong>Execution Logs</strong> and <strong>Access Logs</strong> in Amazon API Gateway.<br><br> These logs provide the foundation for debugging, performance monitoring, and request analytics.</p> <h3> Create a Log Group for Access Logs </h3> <p>Before enabling access logging, create a dedicated <strong>CloudWatch Log Group</strong> where API Gateway will push structured log entries.<br><br> This ensures all API requests are tracked consistently and stored centrally.</p> <p><strong>Steps:</strong></p> <ol> <li>Open <strong>CloudWatch Console → Log groups → Create log group</strong>. </li> <li>Enter the name: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> /apigw/traillog/dev </code></pre> </div> <ol> <li>(Optional) Set the <strong>retention</strong> period to 7, 30, or 90 days depending on your monitoring needs. </li> <li>Note down the log group ARN — you’ll use it in your API Gateway stage configuration: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> arn:aws:logs:us-east-1:579273601939:log-group:/apigw/traillog/dev </code></pre> </div> <ol> <li>Ensure API Gateway has permission to write logs by attaching this managed policy to its execution role: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flqjxpw3tet47m748wtsp.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flqjxpw3tet47m748wtsp.png" alt=" " width="800" height="387"></a><br><br> <em>CloudWatch log group <code>/apigw/traillog/dev</code> created to store structured access logs from API Gateway.</em></p> <h3> 1. Execution Logs </h3> <p>Execution logs trace the <strong>internal request flow</strong> through API Gateway —<br><br> from input validation and mapping templates to Lambda invocation and response transformation.<br><br> They’re your primary tool for <strong>debugging and tracing</strong> how API Gateway processes a request.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Property</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><strong>Log Group</strong></td> <td><code>API-Gateway-Execution-Logs_{restApiId}/dev</code></td> </tr> <tr> <td><strong>Purpose</strong></td> <td>Traces internal request flow and mapping templates</td> </tr> <tr> <td><strong>Best For</strong></td> <td>Debugging authorization, validation, or mapping issues</td> </tr> </tbody> </table></div> <p>Ensure your API stage has <strong>CloudWatch execution logging enabled</strong> and that API Gateway can push logs.<br><br> Attach the following managed policy to grant permissions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs </code></pre> </div> <h3> 2. Access Logs </h3> <p>Access logs summarize <strong>each API request and response</strong> in a structured JSON format.<br><br> These are invaluable for analytics, performance tracking, and auditing user behavior.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Property</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><strong>Log Group ARN</strong></td> <td><code>arn:aws:logs:us-east-1:579273601939:log-group:/apigw/traillog/dev</code></td> </tr> <tr> <td><strong>Purpose</strong></td> <td>Capture per-request analytics and response metadata</td> </tr> <tr> <td><strong>Best For</strong></td> <td>Monitoring latency, traffic, and client behavior</td> </tr> </tbody> </table></div> <h4> Access Log Format Template </h4> <p>To enable structured access logs, open your API Gateway stage and set the log format using the following JSON template.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"requestId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"$context.requestId"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ip"</span><span class="p">:</span><span class="w"> </span><span class="s2">"$context.identity.sourceIp"</span><span class="p">,</span><span class="w"> </span><span class="nl">"time"</span><span class="p">:</span><span class="w"> </span><span class="s2">"$context.requestTime"</span><span class="p">,</span><span class="w"> </span><span class="nl">"method"</span><span class="p">:</span><span class="w"> </span><span class="s2">"$context.httpMethod"</span><span class="p">,</span><span class="w"> </span><span class="nl">"path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"$context.resourcePath"</span><span class="p">,</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="err">$context.status</span><span class="p">,</span><span class="w"> </span><span class="nl">"integrationStatus"</span><span class="p">:</span><span class="w"> </span><span class="err">$context.integration.status</span><span class="p">,</span><span class="w"> </span><span class="nl">"userAgent"</span><span class="p">:</span><span class="w"> </span><span class="s2">"$context.identity.userAgent"</span><span class="p">,</span><span class="w"> </span><span class="nl">"authorizer"</span><span class="p">:</span><span class="w"> </span><span class="s2">"$context.authorizer.role"</span><span class="p">,</span><span class="w"> </span><span class="nl">"error"</span><span class="p">:</span><span class="w"> </span><span class="s2">"$context.error.message"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Once redeployed, every request will produce:</p> <ul> <li> <strong>Execution Logs:</strong> Detailed traces for debugging. </li> <li> <strong>Access Logs:</strong> High-level JSON entries for analytics.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff7py52wla3gs29uriild.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff7py52wla3gs29uriild.png" alt=" " width="800" height="403"></a><br> <em>API Gateway Execution Logs showing Lambda invocation flow, request mapping, and response transformation details.</em></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuca57j4lgvxnl22nbqum.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuca57j4lgvxnl22nbqum.png" alt=" " width="800" height="429"></a><br> <em>Structured JSON access logs capturing requestId, method, path, status, and authorizer context for analytics.</em></p> <h2> Conclusion: You’ve Built More Than an API </h2> <p>TrailLog isn’t just a CRUD backend. It’s a <strong>governed, secure, and observable API platform</strong> built with managed AWS services.</p> <p><strong>Key Takeaways</strong></p> <ul> <li> <strong>Pre-Lambda Validation:</strong> Offload schema checks to API Gateway for cleaner, cheaper code. </li> <li> <strong>Custom Authorization:</strong> Implement fine-grained security without burdening business logic. </li> <li> <strong>Structured Logging:</strong> Use CloudWatch for comprehensive visibility and debugging. </li> </ul> <p>By embracing these patterns, you can use <strong>Amazon API Gateway</strong> not just as a trigger mechanism, but as a <strong>complete API management engine</strong> — the foundation of scalable, production-ready serverless systems.</p> aws serverless apigateway cloud Managing Data Access with Amazon S3 Access Points harsh patel Thu, 18 Sep 2025 23:48:11 +0000 https://forem.com/harshhp/managing-data-access-with-amazon-s3-access-points-3p5l https://forem.com/harshhp/managing-data-access-with-amazon-s3-access-points-3p5l <p>Amazon S3 Access Points are a powerful feature that simplify how organizations control and manage access to their data. Instead of relying solely on complex bucket policies, Access Points allow you to create dedicated entry points with tailored permissions. This provides more flexibility, especially when working with teams, applications, or VPCs that require different levels of access.</p> <p>In today's world where secure and efficient data handling is critical, mastering S3 Access Points sets you apart as someone who understands not just storage, but also governance and access control in the cloud.</p> <p>In this Cloud Lab, we'll explore:</p> <ul> <li>Creating an S3 bucket for sensitive data</li> <li>Configuring a VPC-bound S3 Access Point</li> <li>Testing access from both an allowed VPC and a default VPC using AWS Lambda</li> <li>Understanding how these controls enforce network-level security</li> </ul> <p>By the end, you'll have hands-on experience with S3 Access Points and the skills to design secure data access patterns for real-world cloud applications.</p> <h2> Step 1: Create an S3 Bucket </h2> <p>The first step is to provision an Amazon S3 bucket that will act as the primary storage location for sensitive documents. We'll later use S3 Access Points to control how this data is accessed and processed.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fydbuz3ps4v0d5jzero7b.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fydbuz3ps4v0d5jzero7b.png" alt=" " width="502" height="227"></a></p> <h3> Creating the S3 Bucket </h3> <ol> <li>Navigate to the AWS Management Console and search for S3.</li> <li>Select the S3 service from the results.</li> <li>Click <strong>Create bucket</strong>.</li> <li>Enter a globally unique name in the format: <code>s3-bucket-&lt;random_text&gt;</code> </li> <li>Replace <code>&lt;random_text&gt;</code> with any string that ensures uniqueness across AWS accounts.</li> <li>Under <strong>Block Public Access</strong> settings, make sure <strong>Block all public access</strong> is selected.</li> <li>Scroll down and click <strong>Create bucket</strong> to finalize.</li> </ol> <p>At this point, your S3 bucket is ready to securely store documents.</p> <h3> Uploading the Document </h3> <ol> <li>Create a simple text file called <code>sampledata.txt</code> on your local machine (e.g., with content like "This is sensitive organizational data.").</li> <li>In the S3 Dashboard, select the newly created bucket (<code>s3-bucket-&lt;random_text&gt;</code>).</li> <li>Click <strong>Upload → Add files</strong>, and choose the <code>sampledata.txt</code> file.</li> <li>Click <strong>Upload</strong> to complete the process.</li> </ol> <p><strong>Outcome</strong>: You now have a secure S3 bucket with a sensitive file in place, ready to be accessed and controlled using Amazon S3 Access Points.</p> <h2> Step 2: Create a VPC-Bound Access Point </h2> <p>Amazon S3 Access Points make it easier to define fine-grained permissions, ensuring that specific applications, users, or roles get only the access they need. This is particularly useful in environments where multiple teams or services share the same dataset.</p> <p>In this step, we'll create an S3 Access Point bound to a specific VPC. This ensures that sensitive data stored in our bucket is accessible only through that VPC.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqxdggtwqarmbezsm8rhy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqxdggtwqarmbezsm8rhy.png" alt=" " width="544" height="572"></a></p> <h3> Step 2.1: Create the VPC </h3> <ol> <li>In the AWS Management Console, search for <strong>VPC</strong> and open the service.</li> <li>From the left menu, select <strong>Your VPCs → Create VPC</strong>.</li> <li>Under <strong>Resources to create</strong>, choose <strong>VPC and more</strong>.</li> <li>In the <strong>Name tag auto-generation</strong> field, replace the default value with <code>org</code>.</li> <li>Configure the following: <ul> <li><strong>Number of public subnets → 0</strong></li> <li><strong>Number of private subnets → 2</strong></li> <li><strong>VPC endpoints → Select S3 Gateway</strong></li> </ul> </li> <li>Click <strong>Create VPC</strong>.</li> <li>Once provisioned, click <strong>View VPC</strong> and copy the VPC ID for later use.</li> </ol> <h3> Step 2.2: Create the Access Point </h3> <ol> <li>Open the S3 service in the AWS Console.</li> <li>From the left menu, select <strong>Access Points</strong> for general purpose buckets.</li> <li>Click <strong>Create access point</strong>.</li> <li>Name it: <code>vpc-bound-access-point</code> </li> <li>Under <strong>Bucket name</strong>, select the S3 bucket created earlier.</li> <li>Under <strong>Network origin</strong>, choose <strong>Virtual private cloud (VPC)</strong>.</li> <li>Paste the VPC ID of the <code>org-vpc</code>.</li> <li>Ensure <strong>Block all public access</strong> is enabled.</li> <li>Add the following policy (replace <code>&lt;Account ID&gt;</code> with your AWS account ID and <code>&lt;VPC ID&gt;</code> with the ID you copied in the previous step): </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3:GetObject"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:us-east-1:&lt;Account ID&gt;:accesspoint/vpc-bound-access-point/object/*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:SourceVpc"</span><span class="p">:</span><span class="w"> </span><span class="s2">"&lt;VPC ID&gt;"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Click <strong>Create access point.</strong> </p> <p><strong>Outcome:</strong> The Access Point now enforces that objects in the bucket can only be retrieved from the <code>org-vpc</code>. </p> <h2> Step 3: Test the VPC-Bound Access Point </h2> <p>To validate the policy behavior, we'll create an AWS Lambda function. First, we'll deploy it inside the <code>org-vpc</code> and confirm access. Then, we'll move it to the default VPC to ensure access is denied. </p> <blockquote> <p><strong>Note:</strong> This step assumes you have a basic IAM role (e.g., <code>LambdaExecutionRole</code>) with permissions for Lambda and S3 access. You may need to create this role first if it doesn't exist. </p> </blockquote> <h3> Step 3.1: Create a Lambda Function in org-vpc </h3> <ol> <li>In the AWS Console, search for <strong>Lambda</strong>. </li> <li>Go to <strong>Functions → Create function → Author from scratch</strong>. </li> <li>Configure: <ul> <li> <strong>Function name:</strong> <code>accesspoint_function</code> </li> <li> <strong>Runtime:</strong> Python 3.11 </li> <li> <strong>Execution role:</strong> Use an existing role → <code>LambdaExecutionRole</code> </li> </ul> </li> <li>Expand <strong>Advanced settings → Enable VPC → Select:</strong> <ul> <li> <strong>VPC:</strong> <code>org-vpc</code> </li> <li> <strong>Subnets:</strong> Select the two private subnets (e.g., <code>org-subnet-private1-us-east-1a</code>, <code>org-subnet-private2-us-east-1b</code>) </li> <li> <strong>Security group:</strong> Default </li> </ul> </li> <li>Click <strong>Create function</strong>. </li> </ol> <h3> Step 3.2: Add the Lambda Code </h3> <p>Replace the default code in the Lambda function editor with the following Python code.<br><br> (Remember to replace <code>&lt;Account ID&gt;</code> with your actual AWS account ID.)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">boto3</span> <span class="kn">from</span> <span class="n">botocore.client</span> <span class="kn">import</span> <span class="n">Config</span> <span class="c1"># Initialize S3 client </span><span class="n">s3</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">s3</span><span class="sh">'</span><span class="p">,</span> <span class="n">config</span><span class="o">=</span><span class="nc">Config</span><span class="p">(</span><span class="n">signature_version</span><span class="o">=</span><span class="sh">'</span><span class="s">s3v4</span><span class="sh">'</span><span class="p">))</span> <span class="k">def</span> <span class="nf">getObject</span><span class="p">(</span><span class="n">bucket</span><span class="p">,</span> <span class="n">key</span><span class="p">):</span> <span class="n">response</span> <span class="o">=</span> <span class="n">s3</span><span class="p">.</span><span class="nf">get_object</span><span class="p">(</span><span class="n">Bucket</span><span class="o">=</span><span class="n">bucket</span><span class="p">,</span> <span class="n">Key</span><span class="o">=</span><span class="n">key</span><span class="p">)</span> <span class="n">data</span> <span class="o">=</span> <span class="n">response</span><span class="p">[</span><span class="sh">'</span><span class="s">Body</span><span class="sh">'</span><span class="p">].</span><span class="nf">read</span><span class="p">().</span><span class="nf">decode</span><span class="p">(</span><span class="sh">'</span><span class="s">utf-8</span><span class="sh">'</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> <span class="k">return</span> <span class="n">data</span> <span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="k">return</span> <span class="nf">getObject</span><span class="p">(</span> <span class="sh">"</span><span class="s">arn:aws:s3:us-east-1:&lt;Account ID&gt;:accesspoint/vpc-bound-access-point</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">sampledata.txt</span><span class="sh">"</span> <span class="p">)</span> </code></pre> </div> <h3> Step 3.3: Test from org-vpc </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0dgwq0gwfhfhos2zig20.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0dgwq0gwfhfhos2zig20.png" alt=" " width="562" height="581"></a></p> <ol> <li>Click <strong>Deploy</strong> to save your code changes. </li> <li>Click <strong>Test</strong> to configure a test event. Use the default "Hello World" template and give it a name. </li> <li>Click <strong>Test</strong> to run the function. </li> </ol> <p><strong>Result:</strong> The execution should succeed. The file contents will appear in the function's logs because the Lambda function runs inside the allowed VPC. </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fegux4vtqn8g86wqwiiu8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fegux4vtqn8g86wqwiiu8.png" alt=" " width="800" height="353"></a></p> <h3> Step 3.4: Test from Default VPC </h3> <ol> <li>In the Lambda function, go to the <strong>Configuration</strong> tab and select the <strong>VPC</strong> section. </li> <li>Click <strong>Edit.</strong> </li> <li>Switch the VPC to the <strong>default VPC</strong> and select two of its subnets. </li> <li>Select the <strong>default security group.</strong> </li> <li>Click <strong>Save.</strong> </li> <li>Wait for the network changes to apply, then click <strong>Test</strong> again to run the function. </li> </ol> <p><strong>Result:</strong> The function execution will now fail with an error like <strong>AccessDenied</strong> or <strong>403 Forbidden.</strong> No data is retrieved because the Access Point policy correctly restricts access to only the <code>org-vpc</code>. </p> <h2> Conclusion </h2> <p>Amazon S3 Access Points provide a powerful mechanism for implementing fine-grained access control to your S3 data. By binding access points to specific VPCs, you can enforce network-level security that complements traditional IAM policies. This approach is particularly valuable in multi-tenant environments, compliance scenarios, or when you need to isolate data access to specific network segments. </p> <p>This hands-on exercise demonstrated how to: </p> <ul> <li>Create a secure S3 bucket with sensitive data. </li> <li>Configure a VPC-bound access point with appropriate policies. </li> <li>Test access patterns from both allowed and restricted networks. </li> </ul> <p>This knowledge empowers you to design more secure and manageable data access patterns in your AWS environments, ensuring that your sensitive data remains protected while still being accessible to authorized services and applications. </p> aws s3 devops cloud Connecting Multi-VPC Applications Using AWS Transit Gateway harsh patel Sun, 16 Feb 2025 19:38:00 +0000 https://forem.com/harshhp/connecting-multi-vpc-applications-using-aws-transit-gateway-30go https://forem.com/harshhp/connecting-multi-vpc-applications-using-aws-transit-gateway-30go <p>Deploying a React App Across Multiple VPCs Using AWS Transit Gateway</p> <p><strong>Introduction</strong></p> <p>If you're working with AWS and need to connect multiple VPCs efficiently, AWS Transit Gateway is your best bet! It acts as a centralized hub, making it easier to route traffic between multiple VPCs without the complexity of VPC peering.</p> <p>In this guide, we'll deploy a React application where the frontend and backend live in separate VPCs. These VPCs will be connected using AWS Transit Gateway, allowing smooth communication between services. Let’s dive in! </p> <p><strong>Prerequisites</strong></p> <ul> <li>An AWS account with admin access</li> <li>Basic knowledge of AWS Networking (VPCs, Subnets, Route Tables)</li> <li>Familiarity with React and MySQL</li> </ul> <p><strong>Architecture Overview</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3mpsae348j6vacp5w9ma.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3mpsae348j6vacp5w9ma.png" alt=" " width="800" height="643"></a><br> Here’s what we’re building:</p> <ul> <li>Frontend VPC → Hosts the React application</li> <li>Backend VPC → Runs a MySQL database</li> <li>AWS Transit Gateway → Connects both VPCs</li> <li>Transit Gateway Attachments → Link each VPC to the Transit Gateway</li> <li>Routing Tables → Manage traffic flow between VPCs</li> <li>Security Groups → Control access</li> </ul> <p><strong>Step 1: Create Two VPCs</strong></p> <ol> <li>Go to AWS VPC Console.</li> <li>Click Create VPC and name it FrontendVPC (CIDR: 10.0.0.0/16).</li> <li>Create BackendVPC (CIDR: 10.1.0.0/16).</li> <li>Add public and private subnets in both VPCs:</li> </ol> <p><code>FrontendVPC Public: 10.0.1.0/24<br> FrontendVPC Private: 10.0.2.0/24<br> BackendVPC Public: 10.1.1.0/24<br> BackendVPC Private: 10.1.2.0/24<br> </code></p> <p><strong>Step 2: Set Up AWS Transit Gateway</strong></p> <ol> <li>Go to AWS Transit Gateway Console.</li> <li>Click Create Transit Gateway, name it, and enable DNS support.</li> <li>Once created, note the Transit Gateway ID.</li> </ol> <p><strong>Step 3: Attach VPCs to Transit Gateway</strong></p> <ol> <li>In Transit Gateway Attachments, create:</li> <li>Attachment for FrontendVPC</li> <li>Attachment for BackendVPC</li> </ol> <p><strong>Step 4: Configure Route Tables</strong></p> <p>1.Modify each VPC’s route table:<br> 2.Associate these routes with the correct subnets.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1ilnd5zd5ipphmqlbmz4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1ilnd5zd5ipphmqlbmz4.png" alt=" " width="800" height="432"></a></p> <p><strong>Step 5: Deploy the Frontend Application</strong></p> <ol> <li>Launch an EC2 instance in FrontendVPC public subnet.</li> <li><p>Install Node.js and React:<br> <code>sudo yum install -y mysql-server<br> sudo systemctl start mysqld<br> sudo mysql_secure_installation<br> mysql -u root -p -e "CREATE DATABASE app_db;"</code></p></li> <li><p>Allow inbound HTTP traffic (port 3000) via security groups.</p></li> </ol> <p><strong>Step 6: Deploy the Backend and MySQL Database</strong></p> <ol> <li>Launch an EC2 instance in BackendVPC private subnet.</li> <li>Install MySQL and set up a database: <code>sudo yum install -y mysql-server sudo systemctl start mysqld sudo mysql_secure_installation mysql -u root -p -e "CREATE DATABASE app_db;"</code> </li> <li>Set up a backend API using Express.js: <code>npm install express mysql node server.js</code> </li> <li>Allow MySQL traffic (port 3306) from FrontendVPC in security groups.</li> </ol> <p><strong>Step 7: Open and Test the Application</strong></p> <ol> <li>Retrieve the Public IP Address of the frontend EC2 instance.</li> <li>Open a browser and go to: <code>ping &lt;Backend-EC2-Private-IP&gt; curl http://&lt;Backend-EC2-Private-IP&gt;:&lt;Backend-Port&gt;</code> </li> <li><p>Test frontend-backend connectivity:<br> <code>sudo yum install -y mysql-server<br> sudo systemctl start mysqld<br> sudo mysql_secure_installation<br> mysql -u root -p -e "CREATE DATABASE app_db;"</code></p></li> <li><p>If something fails, check:</p></li> </ol> <ul> <li>Route Tables for correct routing.</li> <li>Security Groups for inbound/outbound traffic.</li> <li>Transit Gateway Attachments for proper linking.</li> </ul> <p>This architecture allows for <strong>scalability, security</strong>, and <strong>efficient communication</strong> between VPCs.</p> aws vpc devops cloud