From d1b055b1f5e9bce319d8bb705ec1961331831ffc Mon Sep 17 00:00:00 2001
From: fidelis-ogunsanmi
Date: Tue, 26 Jul 2022 12:02:40 -0400
Subject: [PATCH] added changes
---
10-kms/10-1-1.yaml | 44 +++++++++++++++++++++++++++
10-kms/10-1-2.yaml | 54 ++++++++++++++++++++++++++++++++++
10-kms/10-2-1.rb | 29 ++++++++++++++++++
10-kms/exec.sh | 30 +++++++++++++++++++
10-kms/ruby-tutorial.rb | 15 ++++++++++
10-kms/secrets.decrypted.json | 6 ++++
10-kms/secrets.encrypted.json | Bin 0 -> 358 bytes
10-kms/secrets.json | 6 ++++
8 files changed, 184 insertions(+)
create mode 100644 10-kms/10-1-1.yaml
create mode 100644 10-kms/10-1-2.yaml
create mode 100644 10-kms/10-2-1.rb
create mode 100755 10-kms/exec.sh
create mode 100644 10-kms/ruby-tutorial.rb
create mode 100644 10-kms/secrets.decrypted.json
create mode 100644 10-kms/secrets.encrypted.json
create mode 100644 10-kms/secrets.json
diff --git a/10-kms/10-1-1.yaml b/10-kms/10-1-1.yaml
new file mode 100644
index 00000000..98c638a8
--- /dev/null
+++ b/10-kms/10-1-1.yaml
@@ -0,0 +1,44 @@
+"AWSTemplateFormatVersion": "2010-09-09"
+
+Resources:
+ KMSKey:
+ Type: AWS::KMS::Key
+ Properties:
+ KeyPolicy:
+ Statement:
+ - Sid: "Enable IAM User Permissions"
+ Effect: Allow
+ Principal:
+ AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
+ Action: kms:*
+ Resource: '*'
+ - Sid: "Enable Key Administration"
+ Effect: Allow
+ Principal:
+ AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:user/fidelis.ogunsanmi.labs'
+ Action:
+ - 'kms:Create*'
+ - 'kms:Describe*'
+ - 'kms:Enable*'
+ - 'kms:List*'
+ - 'kms:Put*'
+ - 'kms:Update*'
+ - 'kms:Revoke*'
+ - 'kms:Disable*'
+ - 'kms:Get*'
+ - 'kms:Delete*'
+ - 'kms:ScheduleKeyDeletion'
+ - 'kms:CancelKeyDeletion'
+ Resource: '*'
+ - Sid: "Usage KMS key"
+ Effect: Allow
+ Principal:
+ AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:user/fidelis.ogunsanmi.labs'
+ Action:
+ - 'kms:DescribeKey'
+ - 'kms:Encrypt'
+ - 'kms:Decrypt'
+ - 'kms:ReEncrypt*'
+ - 'kms:GenerateDataKey'
+ - 'kms:GenerateDataKeyWithoutPlaintext'
+ Resource: '*'
\ No newline at end of file
diff --git a/10-kms/10-1-2.yaml b/10-kms/10-1-2.yaml
new file mode 100644
index 00000000..53ef2275
--- /dev/null
+++ b/10-kms/10-1-2.yaml
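Review bot: The `KMSKey` resource sets no `EnableKeyRotation` and no `Description`, so the key created from this template never rotates its backing material and shows up in the console with no hint of what it protects; under `Properties:` add `EnableKeyRotation: true` and `Description: <what this key encrypts>`. The same omission is in 10-1-2.yaml, which repeats this resource verbatim. The "Enable Key Administration" and "Usage KMS key" statements both name the same literal IAM user, which collapses the admin/user separation the two statements are meant to express and ties the template to one identity; passing the principal ARN as a template Parameter would keep the template reusable, and if the single principal is deliberate for the lab a comment saying so would help the next reader.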
@@ -0,0 +1,54 @@
+"AWSTemplateFormatVersion": "2010-09-09"
+
+Resources:
+ KMSKey:
+ Type: AWS::KMS::Key
+ Properties:
+ KeyPolicy:
+ Statement:
+ - Sid: "Enable IAM User Permissions"
+ Effect: Allow
+ Principal:
+ AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
+ Action: kms:*
+ Resource: '*'
+ - Sid: "Enable Key Administration"
+ Effect: Allow
+ Principal:
+ AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:user/fidelis.ogunsanmi.labs'
+ Action:
+ - 'kms:Create*'
+ - 'kms:Describe*'
+ - 'kms:Enable*'
+ - 'kms:List*'
+ - 'kms:Put*'
+ - 'kms:Update*'
+ - 'kms:Revoke*'
+ - 'kms:Disable*'
+ - 'kms:Get*'
+ - 'kms:Delete*'
+ - 'kms:ScheduleKeyDeletion'
+ - 'kms:CancelKeyDeletion'
+ Resource: '*'
+ - Sid: "Usage KMS key"
+ Effect: Allow
+ Principal:
+ AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:user/fidelis.ogunsanmi.labs'
+ Action:
+ - 'kms:DescribeKey'
+ - 'kms:Encrypt'
+ - 'kms:Decrypt'
+ - 'kms:ReEncrypt*'
+ - 'kms:GenerateDataKey'
+ - 'kms:GenerateDataKeyWithoutPlaintext'
+ Resource: '*'
+
+ KMSKeyAlias:
+ Type: AWS::KMS::Alias
+ Properties:
+ AliasName: alias/KeyToFidelisHeart
+ TargetKeyId: !Ref KMSKey
+
+Outputs:
+ KMSKeyID:
+ Value: !Ref KMSKey
\ No newline at end of file
diff --git a/10-kms/10-2-1.rb b/10-kms/10-2-1.rb
new file mode 100644
index 00000000..5b90964c
--- /dev/null
+++ b/10-kms/10-2-1.rb
@@ -0,0 +1,29 @@
+require 'aws-sdk-s3'
+Aws.config[:ssl_ca_bundle] = '/usr/local/etc/openssl/cert.pem'
+
+bucket_name = 'stelligent-fidelis-ogunsanmi'
+object_key = 'secret.json'
+region = 'us-west-2'
+kms_key_id = '2955639b-67e9-49c0-94da-19764781d57e'
+object_content = File.read(object_key)
+
+s3_encryption_client = Aws::S3::EncryptionV2::Client.new(
+ region: region,
+ kms_key_id: kms_key_id,
+ key_wrap_schema: :kms_context,
+ content_encryption_schema: :aes_gcm_no_padding,
+ security_profile: :v2
+ )
+
+ s3_encryption_client.put_object(
+ bucket: bucket_name,
+ key: object_key,
+ body: object_content
+ )
+
+ response = s3_encryption_client.get_object(
+ bucket: bucket_name,
+ key: object_key
+ )
+
+ puts response.body.read
\ No newline at end of file
diff --git a/10-kms/exec.sh b/10-kms/exec.sh
new file mode 100755
index 00000000..2f32d5bf
--- /dev/null
+++ b/10-kms/exec.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+PROFILE="labmfa"
+TEMPLATE="10-1-2.yaml"
+STACK_NAME="fideliskms"
+KEY_ID="alias/KeyToFidelisHeart"
+PLAIN_TEXT="fileb://secrets.json"
+REGION="us-east-1"
+
+# deploy the stack
+# aws cloudformation deploy --template-file $TEMPLATE \
+# --stack-name $STACK_NAME --profile $PROFILE \
+# --capabilities CAPABILITY_NAMED_IAM \
+# --region $REGION
+
+# encrypting plaintext into ciphertext
+# aws kms encrypt --key-id $KEY_ID \
+# --plaintext $PLAIN_TEXT \
+# --output text --query CiphertextBlob \
+# --region $REGION --profile $PROFILE \
+# | base64 --decode > secrets.encrypted.json
+
+# decrypting ciphertext into plaintext
+aws kms decrypt --ciphertext-blob fileb://secrets.encrypted.json \
+ --output text --query Plaintext \
+ | base64 --decode > secrets.decrypted.json
+
+
+# upload file to s3 with sse enabled
+# aws s3 cp s3:// --sse aws:kms --sse-kms-key-id ""
\ No newline at end of file
diff --git a/10-kms/ruby-tutorial.rb b/10-kms/ruby-tutorial.rb
new file mode 100644
index 00000000..d3d8bd67
--- /dev/null
+++ b/10-kms/ruby-tutorial.rb
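Review bot: `object_key = 'secret.json'` is used both as the local path for `File.read` and as the S3 key, while every other file in this commit calls the plaintext `secrets.json`, so `File.read(object_key)` will raise `Errno::ENOENT` unless a `secret.json` exists outside the commit — presumably the intent was `object_key = 'secrets.json'`. The final `puts response.body.read` writes the decrypted contents of a secrets file to stdout, where it ends up in terminal scrollback or CI logs; a round-trip check that does not print the plaintext, `puts(response.body.read == object_content ? 'round-trip ok' : 'round-trip MISMATCH')`, proves the same thing. The client is built for `region = 'us-west-2'` with a raw key id, whereas exec.sh deploys the key and its alias in `us-east-1`; KMS keys are regional, so if these are meant to be the same key one of the two regions is wrong. `Aws.config[:ssl_ca_bundle]` points at a machine-specific path that will not exist on most hosts; it would be better read from an environment variable or dropped so the SDK uses its default trust store.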
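Review bot: The live `aws kms decrypt` command omits the `--region $REGION --profile $PROFILE` flags that the commented-out deploy and encrypt commands pass, so it runs against whatever default profile and region the shell has, which may be a different identity than `labmfa` or a region where the key does not exist; add `--region "$REGION" --profile "$PROFILE"` to the `--output text --query Plaintext \` line. The script also has no `set -euo pipefail`, so when `aws kms decrypt` fails the pipeline still exits 0 and `base64 --decode` leaves an empty `secrets.decrypted.json` behind, which is easy to mistake for success. Writing the plaintext to `secrets.decrypted.json` inside the working tree is what allowed that file to be committed in this same patch; decrypting to a path outside the repository, or to stdout for inspection, and adding both `secrets.json` and `secrets.decrypted.json` to `.gitignore` would prevent it from being re-added. The remaining variable expansions (`$TEMPLATE`, `$PLAIN_TEXT`, etc.) are unquoted and should be double-quoted when these commands are uncommented.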
@@ -0,0 +1,15 @@
+# using the aws sdk for ruby in your program
+# add a require statement to the top of your ruby source file
+require 'aws-sdk'
+
+# creating an s3 resource
+s3 = Aws::S3::Resource.new(region: 'us-west-2')
+
+# creating a bucket
+my_bucket = s3.bucket('my_bucket')
+my_bucket.create
+
+# add a file
+name = File.basename 'my_file'
+obj = s3.bucket('my_bucket').object(name)
+obj.upload_file('my_file')
\ No newline at end of file
diff --git a/10-kms/secrets.decrypted.json b/10-kms/secrets.decrypted.json
new file mode 100644
index 00000000..13a7c089
--- /dev/null
+++ b/10-kms/secrets.decrypted.json
@@ -0,0 +1,6 @@
+{
+ "mongoUsername": "mongo-user",
+ "mongoPassword": "IRrE!jwcJkz5wGFb$Sx*$N@8^",
+ "googleApiKey": "81cc9770-c3be-44d2-a18d-9039db1f062b",
+ "facebookApiKey": "6b494a8e-f9a2-4774-8cb9-281bd73e9270"
+}
\ No newline at end of file
diff --git a/10-kms/secrets.encrypted.json b/10-kms/secrets.encrypted.json
new file mode 100644
index 0000000000000000000000000000000000000000..c0a4599ac9a62af3081cb1256d299ad2fe96a469
GIT binary patch
literal 358
zcmV-s0h#^*0s;VdX#s|OIOk7{x$CXB{jSorsjujDP?e-EXMtwtCk!{s0dV-^$|++8 z)ysp0eAk@n_W%F^EHHurCNC9O71OYBE5d;hyRisX#^&s#B!!UpX0T6(J;H_{9M-c<2>Cc0$1|!vE zWo(ej>9CzBnTHu(Xi-;HJ{S0qK?o?r1?IYJ562(n9_TAR2`+wJpNP?FR6cTqMh;L2 znOH|~{>08TYR5)97rXa@9`g@?tqp^H_oa%}>Teg!DRKD^UyM>~F(mFa@St-ence_+YCy-JT+`m6i#r83a< z&u3wu?J0e$W<4Dl=LBu6ZL*39E0;-|^xcP1hZNRO0}7xNUM7Z6giiSSoz>tZ!B3GI EkeBnG0ssI2
literal 0
HcmV?d00001
diff --git a/10-kms/secrets.json b/10-kms/secrets.json
new file mode 100644
index 00000000..13a7c089
--- /dev/null
+++ b/10-kms/secrets.json
@@ -0,0 +1,6 @@
+{
+ "mongoUsername": "mongo-user",
+ "mongoPassword": "IRrE!jwcJkz5wGFb$Sx*$N@8^",
+ "googleApiKey": "81cc9770-c3be-44d2-a18d-9039db1f062b",
+ "facebookApiKey": "6b494a8e-f9a2-4774-8cb9-281bd73e9270"
+}
\ No newline at end of file
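Review bot: `s3.bucket('my_bucket')` uses an underscore in the bucket name, which current S3 bucket naming rules reject, so `my_bucket.create` fails with an InvalidBucketName error even as a tutorial placeholder; a hyphenated placeholder such as `'my-bucket'` keeps the script runnable. This file does `require 'aws-sdk'` (the full SDK bundle) while 10-2-1.rb in the same commit requires `aws-sdk-s3`; only S3 is used here, so `require 'aws-sdk-s3'` is the lighter and consistent choice. `my_bucket` is already bound on the bucket line, yet the object line looks the bucket up again by name; `obj = my_bucket.object(name)` avoids repeating the literal.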
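Review bot: This file is the plaintext of the material the rest of the commit is encrypting with KMS, and it is committed twice — `secrets.json` has the same blob id `13a7c089` — which defeats the point of the envelope: anyone with read access to the repository gets the database password and API keys without touching the key policy in 10-1-1.yaml/10-1-2.yaml. Both plaintext files should be removed from the tree and listed in `.gitignore` (exec.sh regenerates `secrets.decrypted.json` on every run, so the ignore rule is needed to stop it coming back), leaving only `secrets.encrypted.json` under version control. Because git history keeps the contents after a later delete, every value in these files should be treated as exposed and rotated, and a history rewrite considered if the repository is shared. If these are purely synthetic lab values, a comment in exec.sh or the README stating that would save the next reviewer the same alarm.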