Month: January 2019 | thoean.com

Manage ACM certificates through AWS CloudFormation

Certificate management has historically been fairly manual, costly and often related to trial and error (or long documentation). AWS ACM based certificates removed most of the pain.

ACM offers Email and DNS based validation. Email adds overhead in two ways. First, you need an Email address for the valid host (and you might not have an app.your-company.com Email address, forcing you into setting up AWS SES). Second, you need to regularly re-validate the certificates. DNS based validation removes those hassles and is the recommended way.

Remaining is still its setup. AWS CloudFormation (CF) offers creating a Certificate resource. Attaching DNS validation however isn’t straight forward, and the best way I could find so far was leveraging a Lambda function, which can be inlined in the CF template.

In short, the template creates the following resources:

An IAM role to execute the AWS Lambda function.
An AWS Lambda function that creates and deletes ACM certificates, and returns the created AWS Route53 RecordSet values that must be used for DNS validation.
An AWS Route53 RecordSet matching the ACM certificate’s DNS validation settings.

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "hostedZoneName": {
      "Type": "String",
      "Description": "The name of the new Hosted Zone to create"
    }
  },
  "Resources": {
    "CreateAndReturnAcmCertificateArnRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Principal": {
              "Service": ["lambda.amazonaws.com"]
            },
            "Action": ["sts:AssumeRole"]
          }]
        },
        "ManagedPolicyArns": [
          "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
          "arn:aws:iam::aws:policy/AWSCertificateManagerFullAccess"
        ]
      }
    },
    "CreateAndReturnAcmCertificateArnLambdaFunction": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "FunctionName": {
          "Fn::Join": [
              "-",
              [
                {
                  "Fn::Join": [
                    "-",
                    {
                      "Fn::Split" : [
                        ".",
                        { "Ref": "hostedZoneName" }
                      ]
                    }
                  ]
                },
                "CertResolver"
              ]
          ]
      },
        "Code": {
          "ZipFile": {
            "Fn::Join": [ "\n", [
              "// http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-code.html",
              "const aws = require('aws-sdk');",
              "const cloudFormationResponseHandler = require('cfn-response');",
              "let acmClient = new aws.ACM();",
              "exports.handler = function(event, context) {",
              "  let domainName = event.ResourceProperties.DomainName;",
              "  if (event.RequestType === 'Delete') {",
              "    return acmClient.listCertificates({}).promise()",
              "      .then(certs => {",
              "        let foundCert = certs.CertificateSummaryList.find(cert => cert.DomainName === domainName);",
              "        if (foundCert) {",
              "          console.log('Certificate Deleted', foundCert.CertificateArn);",
              "          return acmClient.deleteCertificate({ CertificateArn: foundCert.CertificateArn }).promise();",
              "        }",
              "        return null;",
              "      })",
              "      .then(() => {",
              "        return cloudFormationResponseHandler.send(event, context, cloudFormationResponseHandler.SUCCESS);",
              "      })",
              "      .catch(error => {",
              "        return cloudFormationResponseHandler.send(event, context, cloudFormationResponseHandler.FAILED, { title: 'Failed to delete Certificate', error: error });",
              "      });",
              "  }",
              "  ",
              "  if (event.RequestType !== 'Create') {",
              "    return cloudFormationResponseHandler.send(event, context, cloudFormationResponseHandler.SUCCESS);",
              "  }",
              "  ",
              "  return acmClient.requestCertificate({ DomainName: domainName, SubjectAlternativeNames: [`*.${domainName}`], ValidationMethod: 'DNS' }).promise()",
              "    .then(data => {",
              "      return new Promise(resolve => setTimeout(resolve, 20000))",
              "        .then(() => {",
              "          return acmClient.describeCertificate({ CertificateArn: data.CertificateArn }).promise()",
              "            .then(validationData => {",
              "              let response = {",
              "                CertificateArn: data.CertificateArn,",
              "                VerificationRecordName: validationData.Certificate.DomainValidationOptions[0].ResourceRecord.Name,",
              "                VerificationRecordValue: validationData.Certificate.DomainValidationOptions[0].ResourceRecord.Value",
              "              };",
              "              console.log('Certificate created', response);",
              "              return cloudFormationResponseHandler.send(event, context, cloudFormationResponseHandler.SUCCESS, response);",
              "            });",
              "        });",
              "    })",
              "    .catch(error => {",
              "      return cloudFormationResponseHandler.send(event, context, cloudFormationResponseHandler.FAILED, { title: 'Failed to created Certificate', error: error });",
              "    });",
              "}"
            ]]
          }
        },
        "Handler": "index.handler",
        "Runtime": "nodejs6.10",
        "Timeout": "30",
        "Role": { "Fn::GetAtt": [ "CreateAndReturnAcmCertificateArnRole", "Arn" ] }
      }
    },
    "AcmCertificateForHostedZone": {
      "Type": "Custom::LambdaCallout",
      "Properties": {
        "ServiceToken": { "Fn::GetAtt": [ "CreateAndReturnAcmCertificateArnLambdaFunction", "Arn" ] },
        "DomainName": { "Ref": "hostedZoneName" }
      }
    },
    "AcmCertificateValidationForHostedZone": {
      "Type": "AWS::Route53::RecordSet",
      "Properties": {
        "HostedZoneName": {
            "Fn::Join": [
                "",
                [
                    { "Ref": "hostedZoneName" },
                    "."
                ]
            ]
        },
        "Name": { "Fn::GetAtt": [ "AcmCertificateForHostedZone", "VerificationRecordName" ] },
        "ResourceRecords": [{ "Fn::GetAtt": [ "AcmCertificateForHostedZone", "VerificationRecordValue" ] }],
        "TTL": "300",
        "Type": "CNAME"
      },
      "DependsOn": "AcmCertificateForHostedZone"
    }
  }
}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

{

"AWSTemplateFormatVersion": "2010-09-09",

"Parameters": {

"hostedZoneName": {

"Type": "String",

"Description": "The name of the new Hosted Zone to create"

}

"Resources": {

"CreateAndReturnAcmCertificateArnRole": {

"Type": "AWS::IAM::Role",

"Properties": {

"AssumeRolePolicyDocument": {

"Version": "2012-10-17",

"Statement": [{

"Effect": "Allow",

"Principal": {

"Service": ["lambda.amazonaws.com"]

"Action": ["sts:AssumeRole"]

}]

"ManagedPolicyArns": [

"arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",

"arn:aws:iam::aws:policy/AWSCertificateManagerFullAccess"

]

}

"CreateAndReturnAcmCertificateArnLambdaFunction": {

"Type": "AWS::Lambda::Function",

"Properties": {

"FunctionName": {

"Fn::Join": [

"-",

[

{

"Fn::Join": [

"-",

{

"Fn::Split" : [

".",

{ "Ref": "hostedZoneName" }

]

}

]

"CertResolver"

]

"Code": {

"ZipFile": {

"Fn::Join": [ "\n", [

"// http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-code.html",

"const aws = require('aws-sdk');",

"const cloudFormationResponseHandler = require('cfn-response');",

"let acmClient = new aws.ACM();",

"exports.handler = function(event, context) {",

" let domainName = event.ResourceProperties.DomainName;",

" if (event.RequestType === 'Delete') {",

" return acmClient.listCertificates({}).promise()",

" .then(certs => {",

" let foundCert = certs.CertificateSummaryList.find(cert => cert.DomainName === domainName);",

" if (foundCert) {",

" console.log('Certificate Deleted', foundCert.CertificateArn);",

" return acmClient.deleteCertificate({ CertificateArn: foundCert.CertificateArn }).promise();",

" }",

" return null;",

" })",

" .then(() => {",

" return cloudFormationResponseHandler.send(event, context, cloudFormationResponseHandler.SUCCESS);",

" })",

" .catch(error => {",

" return cloudFormationResponseHandler.send(event, context, cloudFormationResponseHandler.FAILED, { title: 'Failed to delete Certificate', error: error });",

" });",

" }",

" ",

" if (event.RequestType !== 'Create') {",

" return cloudFormationResponseHandler.send(event, context, cloudFormationResponseHandler.SUCCESS);",

" }",

" ",

" return acmClient.requestCertificate({ DomainName: domainName, SubjectAlternativeNames: [`*.${domainName}`], ValidationMethod: 'DNS' }).promise()",

" .then(data => {",

" return new Promise(resolve => setTimeout(resolve, 20000))",

" .then(() => {",

" return acmClient.describeCertificate({ CertificateArn: data.CertificateArn }).promise()",

" .then(validationData => {",

" let response = {",

" CertificateArn: data.CertificateArn,",

" VerificationRecordName: validationData.Certificate.DomainValidationOptions[0].ResourceRecord.Name,",

" VerificationRecordValue: validationData.Certificate.DomainValidationOptions[0].ResourceRecord.Value",

" };",

" console.log('Certificate created', response);",

" return cloudFormationResponseHandler.send(event, context, cloudFormationResponseHandler.SUCCESS, response);",

" });",

" })",

" .catch(error => {",

" return cloudFormationResponseHandler.send(event, context, cloudFormationResponseHandler.FAILED, { title: 'Failed to created Certificate', error: error });",

" });",

"}"

]]

}

"Handler": "index.handler",

"Runtime": "nodejs6.10",

"Timeout": "30",

"Role": { "Fn::GetAtt": [ "CreateAndReturnAcmCertificateArnRole", "Arn" ] }

}

"AcmCertificateForHostedZone": {

"Type": "Custom::LambdaCallout",

"Properties": {

"ServiceToken": { "Fn::GetAtt": [ "CreateAndReturnAcmCertificateArnLambdaFunction", "Arn" ] },

"DomainName": { "Ref": "hostedZoneName" }

}

"AcmCertificateValidationForHostedZone": {

"Type": "AWS::Route53::RecordSet",

"Properties": {

"HostedZoneName": {

"Fn::Join": [

"",

[

{ "Ref": "hostedZoneName" },

"."

]

"Name": { "Fn::GetAtt": [ "AcmCertificateForHostedZone", "VerificationRecordName" ] },

"ResourceRecords": [{ "Fn::GetAtt": [ "AcmCertificateForHostedZone", "VerificationRecordValue" ] }],

"TTL": "300",

"Type": "CNAME"

"DependsOn": "AcmCertificateForHostedZone"

}

Reading list 2018

After a slow start in 2017, I got to a few more books in 2018. I’m highly satisfied with the outcome regarding my learning, my acquired inspiration, and generally the selection I made to invest my limited reading time.

I started with A Second Chance: For You, For Me, And For The Rest Of Us by Catherine Hoke. It’s a fascinating story of Catherine believing in people that are at the bottom of their life, often 20 years or more in a high security prison. She brings them back to society. Not only in a safe way, but also making them successful entrepreneurs of small businesses.

A Beautiful Constraint : How To Transform Your Limitations Into Advantages, and Why It’s Everyone’s Business by Adam Morgan and Mark Barden was an inspiration read on how to frame challenges differently. It taught me to avoid seeing constraints as excuses to not pursue the next adventure, but instead see them from a different angle and leverage them to my advantage.

Start With Why by Simon Sinek is a classic based on his famous TED talk. As expected, the book isn’t revealing anything new. That said, I found it worthwhile time spent to inhale more of this simple, yet compelling idea by reading through a long list of good and bad examples.

Talking about “why” – I then moved on to understanding why the young generation needs to find purpose in everything they do. Drive: The Surprising Truth About What Motivates Us by Daniel H. Pink puts it in a usable framework. Valid for every generation. But especially good for dealing with the younger one.

The hardest read from a pure “understanding English” (which is my second language) was Finite and Infinite Games by James Carse. It took me a while to digest his ideas. But ever since I’m defining my infinite games and actually started to pursue some of them.

Then, Essentialism: The Disciplined Pursuit of Less by Greg McKeown got recommended to me, and I’d say it was the most influential book in 2018 for me personally. It’s a lot about saying “no” to clutter and “full commitment” to what’s essential in your life.

Another big one was Enlightenment Now: The Case for Reason, Science, Humanism, and Progress by Steven Pinker. Bill Gates mentions it as his new favorite book of all time. It adjusted my world view towards being more optimistic about where the world is heading. It’s towards less children dying after birth, less illiteracy world wide, better medication for the poor or many more people getting out of poverty.

Back to reality, Plain Talk: Lessons from a Business Maverick by Ken Iverson is a convincing story why working smarter over the course of decades outperforms those who look at short-term profit and squeezing out every penny of their employees. It’s about the believe in people and leveraging their will and motivation.

I hesitated for a while, but then still jumped onto It Doesn’t Have to Be Crazy at Work by Jason Fried and David Heinemeier Hansson. I followed Jason Fried for a while already, and I’m working in an environment that isn’t crazy by many of those means. Still, it contained a lot of useful hints on how to do better, and again, believe in the individual.

Ok, too much philosophy, let’s do something for real. Measure What Matters: OKRs: The Simple Idea that Drives 10x Growth by John Doerr presents a 25 year old concept that John Doerr brought to Google and many other companies. The forword by Larry Page, as well as a recommendation by Bill Gates, gives this concept and book additional weight. While the concept is an old hat, it’s revamping goal setting into an easy to understand and execute framework.

The year couldn’t have ended with more insight into the meaing of life than reading Man’s Search For Meaning: The classic tribute to hope from the Holocaust by Viktor E Frankl. If you’re searching for purpose, or simply want to get reminded of the darker times almost a century ago, reading Frankl’s stories from his 5 years of imprisonment in concentration camps is putting everything you do into a different perspective.

Podcasts

During my commute, podcasts work better than reading. I started to listen to Akimbo by Seth Godin, which enhances Seth’s daily inspiration with a weekly 30min talk. Some of the talks from The Knowledge Project by Farnam Street are really twisting my perspective on our world. And Adam Grant interviewed a set of interesting people in WorkLife.

So what’s coming in 2019?

At the time of this writing, I already completed All Marketers are Liars by Seth Godin (no, I’m not switching jobs). To move on, I’m thinking of 21 Lessons for the 21st Century (Yuval Noah Harari), Principles: Life and Work (Ray Dalio), Mandela’s Way: Lessons on Life, Love, and Courage (Richard Stengel), The Infinite Game (Simon Sinek) and many more. What are your recommendations for me? Contact me, or tweet a reply.

Avoiding AWS Access Keys

The AWS Well-Architected framework is a recommendation by AWS, summarized in an 80 page PDF document. After focusing on cost optimization in my first article, this article looks at one specific aspect of the security pillar.

Passwords are bad

Yes, passwords are bad. I don’t need to repeat that, right? Anyways, a few words on that: Managing passwords is a challenge. Especially when you have to manage and hand them out as a central team. First, you end up spending a lot of time resetting passwords, and potentially even managing the secrets in some “secure” store. Second, you have a security risk by keeping passwords active after employees left the company or simply by having the headache on how to protect a central credentials store.

Instead of using AWS IAM users, use AWS IAM Roles. Roles are a central piece of the AWS infrastructure, and every AWS service supports them. Notably EC2 can have an attached IAM profile. Once you attach an IAM instance profile, all calls to AWS services from that EC2 machine are invoked with the specified IAM role.

Custom applications

I often experience teams discussing how to securely store AWS Secret Keys in their development environment or tool they configure. Discussions are usually around how to pass them along to the build server and the production server. The answer is almost always: You don’t. Just ensure the EC2 machine uses an IAM Instance Profile (limited to the required permissions).

But wait, what about local development? I can’t assign an IAM Instance Profile to my machine. Again, don’t do anything in code. Instead, rely on well-documented credential configuration outside of your application (see example documentation for Node.js). Short version is to simply configure your user’s AWS credentials (~/.aws/credentials) and auto-rotate them on a schedule (mirri.js is a good tool to do that).

If you use federated logins to your AWS account, an alternative is to leverage AWS STS and automatically generate a temporary key every time you need one. This eliminates key rotation completely.

External services

There is also the case where you need to grant access to external services. For example, an external build server like Travis CI, a log collector like SumoLogic, etc. Some might have an option to configure an IAM Role with an enterprise subscription, but often the only way is to actually use access keys. So you’re tied to simply rotate them regularly. The key is to automate the log rotation. Felix is a tool that supports some external services, and definitely gives a baseline on how automation can be written.

References

Two weeks after I wrote this blog post, the AWS Security team came up with a great summary or a related topic. See Guidelines for protecting your AWS account while using programmatic access.