Tagged: home

Serving Data Securely from S3 bucket using cloud front

When it comes to serving data from S3 buckets using CloudFront, there are numerous tutorials available. However, security is a crucial aspect that needs to be taken care of. There are two ways to achieve this.

  • Public Access
  • Private Access

Public Access

Creating a public bucket and mapping it with CloudFront is all that is required for this approach.

Ref: https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-serve-static-website/


Private Access

If you want to protect your data, you have several options to choose from. Let’s take a look at the restrictions at each component level.

A. S3 level: Creating a bucket with no public access is the first step.

B. CloudFront level: There are a few solutions to achieve private access:

Solution 1:

  • Create a bucket with no public access
  • Create a CloudFront distribution with Origin Access Control (OAC). This will generate a policy, which you can copy and paste into the S3 bucket policy. It means that you are granting permission to CloudFront to access the S3 bucket.
  • CloudFront will provide a URL (with or without CNAME) to the S3 content you are serving.

Access Control:

1. If you apply access restrictions, CloudFront will expect a signed URL/signed cookie for each request, or it will deny the request.

2. steps for Signed URL

– Generate a public-private key pair on your local machine.
– Create an origin access group at CloudFront and upload public keys.
– Attach that group to the distribution so that it can decrypt the request and check the parameter (which we will send after signing).
– For each signed URL, you can generate a URL of your content and sign the parameters and append them to the URL. CloudFront will decrypt and validate them as the request expires.
– There are libraries available to create signed URLs for a normal URL. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CreateURL_PHP.html

At the application level, you need to do much so that each request is signed or you can use signed cookies as well.

More about signed URL

2. Alternatively, you can invoke Lambda on each request, write your custom logic for authenticating the request, and process or deny it.

3. Or, you can simply apply WAF and set a rule to check custom headers, which can be manipulated but can be set up at the server level. For example, a referrer check or any custom header.

using WAF, It is the simplest and easiest way for a NOT A full proof but better than nothing solution.

Takeaway from : The Phoneix project

The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win

Gene Kim , Kevin Behr , George Spafford

Book Link : https://www.goodreads.com/en/book/show/17255186-the-phoenix-project

Takeaway Learning

Success is not delivering a feature; success is learning how to solve the customer’s problem.

Technical Debt comes from taking shortcuts, which may make sense in the short-term. But like financial debt, the compounding interest costs grow over time. If an organisation doesn’t pay down its technical debt, every calorie in the organisation can be spent just paying interest, in the form of unplanned work.

Outcome matters, Being able to take needless work out of the system is more important than being able to put more work into the system. You need to know what matters to the achievement of the business objectives.

Any improvements made anywhere besides the bottleneck are an illusion.

Theory of Constraints, showed us how any improvements
made anywhere besides the bottleneck are an illusion. Astonishing, but
true! Any improvement made after the bottleneck is useless, because it
will always remain starved, waiting for work from the bottleneck. And
any improvements made before the bottleneck merely results in more
inventory piling up at the bottleneck

The job of Operations is to ensure the fast, predictable, and uninterrupted flow of planned work that delivers value to the business while minimizing the
impact and disruption of unplanned work, so you can provide stable,
predictable, and secure IT service.

Out of three way, The First Way , helps us understand how to create fast flow of work as it moves from
Development into IT Operations, because that’s what’s between the busi-
ness and the customer. The Second Way shows us how to shorten and
amplify feedback loops, so we can fix quality at the source and avoid
rework. And the Third Way shows us how to create a culture that si-
multaneously fosters experimentation, learning from failure, and un-
derstanding that repetition and practice are the prerequisites to mastery.

The 80/20 rule, Figure out Twenty percent of the changes pose eighty percent of the risk.

Preventive Maintenance, One of the problems of prevention is that you rarely know about the disasters you averted.

kanban board, so need ful to see wip, to figure out the work flow and constraint, is spending all his cycles on features, instead of stability, security, scalability, manageability, operability, continuity, and all those other beautiful ’itties.

Unplanned Work, it’s so important to know where your unplanned work is coming from. It comes at the cost of planned work.

The best step in understanding a new product or service is to figure
out if it is fundamentally value-creating or value-destroying.

Improving daily work is even more important than doing daily work

Experiment “If you can’t out-experiment and beat your competitors in time to market and agility, you are sunk. Features are always a gamble. If you’re lucky, ten percent will get the desired benefits. So the faster you
can get those features to market and test them, the better off you’ll be.
Incidentally, you also pay back the business faster for the use of capital,
which means the business starts making money faster, too.

Understanding customer needs and wants:
Do we know what to build?
Product portfolio: Do we have the right products?
R&D effectiveness: Can we build it effectively?
Time to market: Can we ship it soon enough to matter?
Sales pipeline: Can we convert products to interested prospects?
Customer on-time delivery: Are customers getting what we promised
Customer retention: Are we gaining or losing customers?
Sales forecast accuracy: Can we factor this into our sales planning

The only thing more dangerous than a developer is a developer con-
spiring with Security. The two working together gives us means, motive,
and opportunity.

The best way to kill everyone’s enthusiasm and support is to prevent them from doing what they need to do.