Is there any way so that I can trace quick sort algorithm in Turkik without access key and id of amazon services?
Related
The requirement is:
A technical user creates a DB backup from postgreSQL (pg_dump)
The technical user uploads the file to a bucket in the closes AWS region
the technical user gets an URL that should expire every week
technical user user sends the URL to 2-4 people with little IT knowledge: the non-technical user
non-technical user downloads the file accessing the temporary URL and replace it into a Docker Container Bind Volume local location
Constrains:
AWS technical user doesn't have permissions to generate AIM access key nor secret key
AWS S3 must be used as the organization uses AWS and strategically the purpose will be to have everything centralized in AWS infrastructure
I am following this documentation about presigned object URL
What do you suggest?
I suggest to create Iam user and consume the credentials with an small application (server side). There is Api already created by aws to connect any programming language. Personally I use symfony you have bundles to connect to s3 directly. Under my perspective I recommending you to create a simple interface to upload the backup and provide access to people with roles according to your necessities.
What is the best way to secure a connection between an Elasticsearch cluster hosted on Elastic Cloud and a backend given that we have hundreds of thousands of users and that I want to handle the authorization logic on the backend itself not on Elasticsearch?
Is it better to create a "system" user in the native realm with all the read and write accesses (it looks like the user feature is intended for real end-users) or to use other types of authentication (but SAML, PKI or Kerberos are also end-user oriented)? Or using other security means like IP based?
I'm used to Elasticsearch service on AWS where authorization is based on IAM roles so I'm a bit lost here.
edit: 18 months later, there's no definitive answer on this, if I had to do it again, I would probably end up using JWT.
I'm a newbie in AWS infrastructure, and I can't figure out how to build auth process which I want.
I want to have something similar to what other cloud storages, like Box, Dropbox, Onedrive have:
developer registeres OAuth app with a set of permissions
client with one click can give a consent for this app to have listed permissions on his own account and it's content, eternally, until consent is deliberately withdrawn
Now, as far as I understand, client should go to console and create a user, create a role for him, then send this user's id and key to my app, which is not that convinient. I'm looking for a most easy and simple way to do that.
I've tested "Login with Amazon" + "Amazon Cognito", but it turned out as a completely opposite mechanism: client should set up Login, link it to Cognito, to provide me one click access.
So, is it even possible? Which is the best way to implement such auth process?
There isn't a way to do what you're trying to do, and I would suggest that there's a conceptual problem with comparing Amazon S3 to Dropbox, Box, or Onedrive -- it's not the same kind of service.
S3 is a service that you could use to build a service like those others (among other purposes, of course).
Amazon Simple Storage Service (Amazon S3), provides developers and IT teams with secure, durable, highly-scalable cloud storage.
https://aws.amazon.com/s3/
Note the target audience -- "developers and IT teams" -- not end-users.
Contrast that with Amazon Cloud Drive, another service from Amazon -- but not part of AWS.
The Amazon Cloud Drive API and SDKs for Android and iOS enable your users to access the photos, videos, and documents that they have saved in the Amazon Cloud Drive, and provides you the ability to interact with millions of Amazon customers. Access to the free Amazon Cloud Drive API and SDKs for Android and iOS enable you to place your own creative spin on how users upload, view, edit, download, and organize their digital content using your app.
https://developer.amazon.com/public/apis/experience/cloud-drive/
The only way for your app to access your app's user's bucket would be for the user to configure and provide your app with a key and secret, or to configure their bucket policy to allow the operation by your app's credentials, or to create an IAM role and allow your app to assume it on their behalf, or something similar within the authentication and authorization mechanisms in AWS... none of which sound like a good idea.
There's no OAuth mechanism for allowing access to resources in an AWS account.
I have the following use-case that I am seeking a solution for:
Our website shares files to our clients. The files are stored on a 3rd party cloud service, the file access permissions on our website. When a client on our site requests a file that he has permission to see, it will be served directly from the cloud service (instead of through our own webserver, using our CPU, RAM and bandwidth).
I see services like Amazon S3 and Google Cloud Storage use an approach with a signed URL with a timeout for this purpose, but I would prefer a solution where that URL is only available to the client who requested the resource (and not everyone who has the link during the lifecycle of the URL). The reason for this is that it feels wrong to rely on a duration based un an arbitrary length instead of utilizing a one-time token or in any other way validate the access to the resource before the request is completed.
Does any of the major services provide a feature that would allow for this? Or is it considered "safe enough" to protect sensitive data behind a random URL + timeout period (to me it feels like the answer to the latter is "no")?
I am exploring IAM Roles. I am wondering how roles can be accessed on behalf of a user on EC2.
Any help is highly appreciated.
Thanks
You usually do not have to do anything special after launching an EC2 instance with an IAM Role for Amazon EC2 (I figure from your duplicate questions, that you've already done this), conceptually all you have to do are the following steps:
create an IAM role for EC2
configure IAM policies for that role to match your use case
launch an EC2 isntance with your IAM role
use IAM role aware tools, which will pick up the credentials from the role automatically
Let me stress the last aspect again: you do not need to do anything but configure the required IAM credentials on the role and IAM role aware tools will pick the resulting credentials up automatically from the EC2 instance metadata!
If you really must (but you shouldn't, see next paragraph), you could do the same yourself as explained in Retrieving Security Credentials from Instance Metadata.
In particular, you should use AWS only by one of the following means for everything but highly special use cases:
Command Line Usage
Unix/Linux/Windows - use the AWS Command Line Interface, which is a unified tool to manage your AWS services.
see Option #3 within AWS Credentials regarding the IAM role support
Windows only - use the AWS Tools for Windows PowerShell , which lets developers and administrators manage their AWS services from the Windows PowerShell scripting environment.
see section IAM Roles for EC2 Instances and the AWS Tools for Windows PowerShell within AWS Credentials regarding the IAM role support
Programmatic Usage
Use the appropriate AWS SDK for your language of choice, see Tools for Amazon Web Services for an extensive listing of what's available.
see each SDK's documentation for details regarding the IAM role support (again, it will just work once you have implemented steps 1-3 above correctly).