From a597819e8a964936e6bb9b45c6bcf084333502ad Mon Sep 17 00:00:00 2001
From: Dezo2018
Date: Wed, 21 Sep 2022 17:49:31 -0400
Subject: [PATCH 1/3] Lab 10-kms
---
 10-kms/Practice-10.1/PlaintextFile | 1 +
 10-kms/Practice-10.1/cmk_key.yml | 55 ++++++++++++++++++
 10-kms/Practice-10.1/encryptedFile | Bin 0 -> 174 bytes
 10-kms/Practice-10.1/file.txt | 1 +
 10-kms/Practice-10.1/scripts | 14 +++++
 10-kms/Practice-10.2/NewFile.txt | 1 +
 10-kms/Practice-10.2/go.mod | 10 ++++
 10-kms/Practice-10.2/go.sum | 22 +++++++
 .../Practice-10.2/s3_client_side_download.go | 55 ++++++++++++++++++
 10-kms/Practice-10.2/s3_client_side_upload.go | 55 ++++++++++++++++++
 10 files changed, 214 insertions(+)
 create mode 100644 10-kms/Practice-10.1/PlaintextFile
 create mode 100644 10-kms/Practice-10.1/cmk_key.yml
 create mode 100644 10-kms/Practice-10.1/encryptedFile
 create mode 100644 10-kms/Practice-10.1/file.txt
 create mode 100644 10-kms/Practice-10.1/scripts
 create mode 100644 10-kms/Practice-10.2/NewFile.txt
 create mode 100644 10-kms/Practice-10.2/go.mod
 create mode 100644 10-kms/Practice-10.2/go.sum
 create mode 100644 10-kms/Practice-10.2/s3_client_side_download.go
 create mode 100644 10-kms/Practice-10.2/s3_client_side_upload.go
diff --git a/10-kms/Practice-10.1/PlaintextFile b/10-kms/Practice-10.1/PlaintextFile
new file mode 100644
index 00000000..6675f302
--- /dev/null
+++ b/10-kms/Practice-10.1/PlaintextFile
@@ -0,0 +1 @@
+This is my secret file
\ No newline at end of file
diff --git a/10-kms/Practice-10.1/cmk_key.yml b/10-kms/Practice-10.1/cmk_key.yml
new file mode 100644
index 00000000..704bbc4c
--- /dev/null
+++ b/10-kms/Practice-10.1/cmk_key.yml
@@ -0,0 +1,55 @@
+Description: AWS CMK Key
+
+Resources:
+ myKey:
+ Type: 'AWS::KMS::Key'
+ Properties:
+ Description: A symmetric encryption KMS key
+ EnableKeyRotation: true
+ PendingWindowInDays: 20
+ KeyPolicy:
+ Version: 2012-10-17
+ Id: key-default-1
+ Statement:
+ - Sid: Enable IAM User Permissions
+ Effect: Allow
+ Principal:
+ AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
+ Action: 'kms:*'
+ Resource: '*'
+ - Sid: Allow administration of the key
+ Effect: Allow
+ Principal:
+ AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/desmond.ndambi.labs"
+ Action:
+ - 'kms:Create*'
+ - 'kms:Describe*'
+ - 'kms:Enable*'
+ - 'kms:List*'
+ - 'kms:Put*'
+ - 'kms:Update*'
+ - 'kms:Revoke*'
+ - 'kms:Disable*'
+ - 'kms:Get*'
+ - 'kms:Delete*'
+ - 'kms:ScheduleKeyDeletion'
+ - 'kms:CancelKeyDeletion'
+ Resource: '*'
+ - Sid: Allow use of the key
+ Effect: Allow
+ Principal:
+ AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/desmond.ndambi.labs"
+ Action:
+ - 'kms:DescribeKey'
+ - 'kms:Encrypt'
+ - 'kms:Decrypt'
+ - 'kms:ReEncrypt*'
+ - 'kms:GenerateDataKey'
+ - 'kms:GenerateDataKeyWithoutPlaintext'
+ Resource: '*'
+
+ myAlias:
+ Type: 'AWS::KMS::Alias'
+ Properties:
+ AliasName: alias/ndambi
+ TargetKeyId: !Ref myKey
diff --git a/10-kms/Practice-10.1/encryptedFile b/10-kms/Practice-10.1/encryptedFile
new file mode 100644
index 0000000000000000000000000000000000000000..4630c9e4002f05385c117521b5cb0c22ac647e70
GIT binary patch
literal 174
zcmZQ%Vq&PcB71b>S3|Z-2d=ss8{P2TaO9D})we2U??Niyzg{@oP@M6}vr4XZz6IN+
zc0PCHcv!xJfq|jKpoooAtIebBJ1-+U+k#YsWF|%igE)j3qk$Y7XF{6?V=6NXqn?2v
z3(vIeQ-t3f`FAcqDM*EhQJ}$a+WH;W@`Qd~bjbW_d0g64DDZbj({&fdkp93v<18Pa
Xd4GOX{}wiOjPWZ`6W+CSxjrudY>Pw4
literal 0
HcmV?d00001
diff --git a/10-kms/Practice-10.1/file.txt b/10-kms/Practice-10.1/file.txt
new file mode 100644
index 00000000..6675f302
--- /dev/null
+++ b/10-kms/Practice-10.1/file.txt
@@ -0,0 +1 @@
+This is my secret file
\ No newline at end of file
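Review bot: The `Allow administration of the key` and `Allow use of the key` statements name the same hard-coded principal, `arn:aws:iam::${AWS::AccountId}:user/desmond.ndambi.labs`, so the policy neither separates key administrators from key users nor works outside this one account. Take the two ARNs as template parameters (for example `KeyAdminPrincipalArn` and `KeyUserPrincipalArn`, referenced as `AWS: !Ref KeyAdminPrincipalArn`) so the administrator can be a role and the usage grant can go to the workload identity rather than a person. The first statement's `kms:*` for the account root is the standard delegation that lets IAM policies in the account grant access; a comment such as `# Root principal: lets IAM policies in this account grant key access; grants nothing to any user by itself` would make that intent clear to readers of the lab.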
diff --git a/10-kms/Practice-10.1/scripts b/10-kms/Practice-10.1/scripts
new file mode 100644
index 00000000..f624bfba
--- /dev/null
+++ b/10-kms/Practice-10.1/scripts
@@ -0,0 +1,14 @@
+aws kms encrypt \
+ --key-id fbc58ad0-2bac-40fe-96ee-5ebd24d2f006 \
+ --plaintext fileb://file.txt \
+ --output text \
+ --query CiphertextBlob | base64 \
+ --decode > encryptedFile
+
+aws kms decrypt \
+ --ciphertext-blob fileb://encryptedFile \
+ --key-id fbc58ad0-2bac-40fe-96ee-5ebd24d2f006 \
+ --output text \
+ --query Plaintext | base64 \
+ --decode > PlaintextFile
+
diff --git a/10-kms/Practice-10.2/NewFile.txt b/10-kms/Practice-10.2/NewFile.txt
new file mode 100644
index 00000000..158a0601
--- /dev/null
+++ b/10-kms/Practice-10.2/NewFile.txt
@@ -0,0 +1 @@
+Test Client-Side encryption
diff --git a/10-kms/Practice-10.2/go.mod b/10-kms/Practice-10.2/go.mod
new file mode 100644
index 00000000..d6845094
--- /dev/null
+++ b/10-kms/Practice-10.2/go.mod
@@ -0,0 +1,10 @@
+module kms
+
+go 1.19
+
+require (
+ github.com/aws/aws-sdk-go v1.44.103 // indirect
+ github.com/aws/aws-sdk-go-v2 v1.16.16 // indirect
+ github.com/aws/smithy-go v1.13.3 // indirect
+ github.com/jmespath/go-jmespath v0.4.0 // indirect
+)
diff --git a/10-kms/Practice-10.2/go.sum b/10-kms/Practice-10.2/go.sum
new file mode 100644
index 00000000..70c1397e
--- /dev/null
+++ b/10-kms/Practice-10.2/go.sum
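Review bot: Both outputs of this script, `encryptedFile` and `PlaintextFile`, are committed in this same patch together with the input `file.txt`, so the decrypted result of the lab is checked into the repository next to its ciphertext; add the generated files to a `.gitignore` and keep only the commands. The file also has no shebang and no failure handling, so a failed `aws kms encrypt` still leaves an empty `encryptedFile` that the decrypt step then consumes; `#!/usr/bin/env bash` and `set -euo pipefail` as the first two lines fix that. Hard-coding the key id `fbc58ad0-…` twice invites drift; reading it once into a variable, or passing the alias created in `cmk_key.yml` (`--key-id alias/ndambi`), is simpler.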
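Review bot: Every `require` entry in `go.mod` is marked `// indirect`, yet `github.com/aws/aws-sdk-go` is imported directly by both `.go` files in this patch, and `aws-sdk-go-v2` and `smithy-go` are imported nowhere, so the file was evidently written by hand rather than produced by `go mod tidy`. Run `go mod tidy` so the direct dependency loses its `// indirect` marker and the unused v2 modules are dropped from `go.mod` and `go.sum`; that also keeps the dependency surface that vulnerability scanners report down to what is actually built.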
@@ -0,0 +1,22 @@
+github.com/aws/aws-sdk-go v1.44.103 h1:tbhBHKgiZSIUkG8FcHy3wYKpPVvp65Wn7ZiX0B8phpY=
+github.com/aws/aws-sdk-go v1.44.103/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
+github.com/aws/aws-sdk-go-v2 v1.16.16 h1:M1fj4FE2lB4NzRb9Y0xdWsn2P0+2UHVxwKyOa4YJNjk=
+github.com/aws/aws-sdk-go-v2 v1.16.16/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k=
+github.com/aws/smithy-go v1.13.3 h1:l7LYxGuzK6/K+NzJ2mC+VvLUbae0sL3bXU//04MkmnA=
+github.com/aws/smithy-go v1.13.3/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
+github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
+github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
diff --git a/10-kms/Practice-10.2/s3_client_side_download.go b/10-kms/Practice-10.2/s3_client_side_download.go
new file mode 100644
index 00000000..096e6e33
--- /dev/null
+++ b/10-kms/Practice-10.2/s3_client_side_download.go
@@ -0,0 +1,55 @@
+package main
+
+import (
+ "fmt"
+ "io/ioutil"
+ "log"
+
+ "github.com/aws/aws-sdk-go/aws"
+ "github.com/aws/aws-sdk-go/aws/session"
+ "github.com/aws/aws-sdk-go/service/s3"
+ "github.com/aws/aws-sdk-go/service/s3/s3crypto"
+ "os"
+)
+
+var (
+ bucket = "kms-bucket-ndambi"
+ key = "clientside.txt"
+)
+
+func main() {
+ sess := session.New(&aws.Config{
+ Region: aws.String("us-east-1"),})
+
+ client := s3crypto.NewDecryptionClient(sess)
+
+ input := &s3.GetObjectInput{
+ Bucket: &bucket,
+ Key: &key,
+ }
+
+ result, err := client.GetObject(input)
+ // Aside from the S3 errors, here is a list of decryption client errors:
+ // * InvalidWrapAlgorithmError - returned on an unsupported Wrap algorithm
+ // * InvalidCEKAlgorithmError - returned on an unsupported CEK algorithm
+ // * V1NotSupportedError - the SDK doesn’t support v1 because security is an issue for AES ECB
+ // These errors don’t necessarily mean there’s something wrong. They just tell us we couldn't decrypt some data.
+ // Users can choose to log this and then continue decrypting the data that they can, or simply return the error.
+ if err != nil {
+ log.Fatal(err)
+ }
+
+ // Let's read the whole body from the response
+ b, err := ioutil.ReadAll(result.Body)
+ if err != nil {
+ log.Fatal(err)
+ }
+ //fmt.Println(string(b))
+
+ file, err := os.Create("NewFile.txt")
+ if err != nil {
+ fmt.Println(err)
+ return
+ }
+ fmt.Fprintf(file, "%v\n", string(b))
+}
diff --git a/10-kms/Practice-10.2/s3_client_side_upload.go b/10-kms/Practice-10.2/s3_client_side_upload.go
new file mode 100644
index 00000000..7f885b6b
--- /dev/null
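Review bot: `session.New` on the `sess :=` line is the deprecated constructor that discards configuration errors, `result.Body` is never closed, and `NewFile.txt` is opened with `os.Create` (mode 0666 before umask) and never closed, so a write error on the decrypted content is silently lost; the upload file already uses `session.NewSession`, so this file should match it. `ioutil.ReadAll` is likewise deprecated for a `go 1.19` module and should be `io.ReadAll` (swap the `"io/ioutil"` import for `"io"`). Separately, `s3crypto.NewDecryptionClient` is the V1 client, which the SDK has deprecated in favour of `NewDecryptionClientV2` with an explicit `CryptoRegistry`; the V1 client's default registry also accepts the legacy AES-CBC content cipher, which carries no integrity protection, whereas `s3_client_side_upload.go` only ever produces AES-GCM, so a V2 client registered for KMS wrap and AES-GCM alone is the safer default. The V2 migration is larger than shown below; the rest of the fix is:
```go
	sess, err := session.NewSession(&aws.Config{
		Region: aws.String("us-east-1"),
	})
	if err != nil {
		log.Fatal(err)
	}

	client := s3crypto.NewDecryptionClient(sess)

	// … unchanged: GetObjectInput, GetObject call and its error comment …

	if err != nil {
		log.Fatal(err)
	}
	defer result.Body.Close()

	// Read the whole decrypted body from the response.
	b, err := io.ReadAll(result.Body)
	if err != nil {
		log.Fatal(err)
	}

	// WriteFile closes the file and reports short writes, which the original
	// Fprintf-without-Close did not; 0o600 keeps the plaintext owner-readable only.
	if err := os.WriteFile("NewFile.txt", append(b, '\n'), 0o600); err != nil {
		log.Fatal(err)
	}
```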
+++ b/10-kms/Practice-10.2/s3_client_side_upload.go
@@ -0,0 +1,55 @@
+/*
+Licensed under the MIT-0 license https://github.com/aws/mit-0
+*/
+package main
+
+import (
+ "log"
+ "strings"
+
+ "github.com/aws/aws-sdk-go/aws"
+ "github.com/aws/aws-sdk-go/aws/credentials"
+ "github.com/aws/aws-sdk-go/aws/session"
+ "github.com/aws/aws-sdk-go/service/kms"
+ "github.com/aws/aws-sdk-go/service/s3"
+ "github.com/aws/aws-sdk-go/service/s3/s3crypto"
+)
+
+var (
+ cmkId = "fbc58ad0-2bac-40fe-96ee-5ebd24d2f006"
+ bucket = "kms-bucket-ndambi"
+ key = "clientside.txt"
+)
+
+func main() {
+ sess, err := session.NewSession(&aws.Config{
+ Region: aws.String("us-east-1"),
+ Credentials: credentials.NewSharedCredentials("", "default"),
+ })
+ // This is our key wrap handler, used to generate cipher keys and IVs for
+ // our cipher builder. Using an IV allows more “spontaneous” encryption.
+ // The IV makes it more difficult for hackers to use dictionary attacks.
+ // The key wrap handler behaves as the master key. Without it, you can’t
+ // encrypt or decrypt the data.
+ keywrap := s3crypto.NewKMSKeyGenerator(kms.New(sess), cmkId)
+ // This is our content cipher builder, used to instantiate new ciphers
+ // that enable us to encrypt or decrypt the payload.
+ builder := s3crypto.AESGCMContentCipherBuilder(keywrap)
+ // Let's create our crypto client!
+ client := s3crypto.NewEncryptionClient(sess, builder)
+
+ input := &s3.PutObjectInput{
+ Bucket: &bucket,
+ Key: &key,
+ Body: strings.NewReader("Test Client-Side encryption"),
+ }
+
+ _, err = client.PutObject(input)
+ // What to expect as errors? You can expect any sort of S3 errors, http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html.
+ // The s3crypto client can also return some errors:
+ // * MissingCMKIDError - when using AWS KMS, the user must specify their key's ARN
+ if err != nil {
+ log.Fatal(err)
+ }
+}
+
From c9056754893bbf19830f5f0c788e9f8d1e9af36f Mon Sep 17 00:00:00 2001
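Review bot: `err` from `session.NewSession` on the `sess, err :=` line is not checked before `sess` is handed to `kms.New(sess)` and `NewEncryptionClient`, so a bad region or a missing `default` profile surfaces as a nil-pointer panic instead of the real error; add `if err != nil {`, `log.Fatal(err)`, `}` directly after the `})` that closes the config. `NewEncryptionClient` and `NewKMSKeyGenerator` are the deprecated V1 API; the maintained path is `NewEncryptionClientV2` with `NewKMSContextKeyGenerator`, which binds the data key to an encryption context that the decrypt side must present. `cmkId` and `bucket` are account-specific literals; reading them from flags or environment variables would let the lab run elsewhere without editing the source. The comment describing the IV as a defence against "dictionary attacks" is inaccurate; the IV/nonce makes equal plaintexts encrypt to distinct ciphertexts under the same key, and the comment could say that instead.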
From: Dezo2018
Date: Thu, 22 Sep 2022 10:57:05 -0400
Subject: [PATCH 2/3] removing files
---
 10-kms/Practice-10.1/PlaintextFile | 1 -
 10-kms/Practice-10.1/cmk_key.yml | 55 ------------------
 10-kms/Practice-10.1/encryptedFile | Bin 174 -> 0 bytes
 10-kms/Practice-10.1/file.txt | 1 -
 10-kms/Practice-10.1/scripts | 14 -----
 10-kms/Practice-10.2/NewFile.txt | 1 -
 10-kms/Practice-10.2/go.mod | 10 ----
 10-kms/Practice-10.2/go.sum | 22 -------
 .../Practice-10.2/s3_client_side_download.go | 55 ------------------
 10-kms/Practice-10.2/s3_client_side_upload.go | 55 ------------------
 10 files changed, 214 deletions(-)
 delete mode 100644 10-kms/Practice-10.1/PlaintextFile
 delete mode 100644 10-kms/Practice-10.1/cmk_key.yml
 delete mode 100644 10-kms/Practice-10.1/encryptedFile
 delete mode 100644 10-kms/Practice-10.1/file.txt
 delete mode 100644 10-kms/Practice-10.1/scripts
 delete mode 100644 10-kms/Practice-10.2/NewFile.txt
 delete mode 100644 10-kms/Practice-10.2/go.mod
 delete mode 100644 10-kms/Practice-10.2/go.sum
 delete mode 100644 10-kms/Practice-10.2/s3_client_side_download.go
 delete mode 100644 10-kms/Practice-10.2/s3_client_side_upload.go
diff --git a/10-kms/Practice-10.1/PlaintextFile b/10-kms/Practice-10.1/PlaintextFile
deleted file mode 100644
index 6675f302..00000000
--- a/10-kms/Practice-10.1/PlaintextFile
+++ /dev/null
@@ -1 +0,0 @@
-This is my secret file
\ No newline at end of file
diff --git a/10-kms/Practice-10.1/cmk_key.yml b/10-kms/Practice-10.1/cmk_key.yml
deleted file mode 100644
index 704bbc4c..00000000
--- a/10-kms/Practice-10.1/cmk_key.yml
+++ /dev/null
@@ -1,55 +0,0 @@
-Description: AWS CMK Key
-
-Resources:
- myKey:
- Type: 'AWS::KMS::Key'
- Properties:
- Description: A symmetric encryption KMS key
- EnableKeyRotation: true
- PendingWindowInDays: 20
- KeyPolicy:
- Version: 2012-10-17
- Id: key-default-1
- Statement:
- - Sid: Enable IAM User Permissions
- Effect: Allow
- Principal:
- AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
- Action: 'kms:*'
- Resource: '*'
- - Sid: Allow administration of the key
- Effect: Allow
- Principal:
- AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/desmond.ndambi.labs"
- Action:
- - 'kms:Create*'
- - 'kms:Describe*'
- - 'kms:Enable*'
- - 'kms:List*'
- - 'kms:Put*'
- - 'kms:Update*'
- - 'kms:Revoke*'
- - 'kms:Disable*'
- - 'kms:Get*'
- - 'kms:Delete*'
- - 'kms:ScheduleKeyDeletion'
- - 'kms:CancelKeyDeletion'
- Resource: '*'
- - Sid: Allow use of the key
- Effect: Allow
- Principal:
- AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/desmond.ndambi.labs"
- Action:
- - 'kms:DescribeKey'
- - 'kms:Encrypt'
- - 'kms:Decrypt'
- - 'kms:ReEncrypt*'
- - 'kms:GenerateDataKey'
- - 'kms:GenerateDataKeyWithoutPlaintext'
- Resource: '*'
-
- myAlias:
- Type: 'AWS::KMS::Alias'
- Properties:
- AliasName: alias/ndambi
- TargetKeyId: !Ref myKey
diff --git a/10-kms/Practice-10.1/encryptedFile b/10-kms/Practice-10.1/encryptedFile
deleted file mode 100644
index 4630c9e4002f05385c117521b5cb0c22ac647e70..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001
literal 174
zcmZQ%Vq&PcB71b>S3|Z-2d=ss8{P2TaO9D})we2U??Niyzg{@oP@M6}vr4XZz6IN+
zc0PCHcv!xJfq|jKpoooAtIebBJ1-+U+k#YsWF|%igE)j3qk$Y7XF{6?V=6NXqn?2v
z3(vIeQ-t3f`FAcqDM*EhQJ}$a+WH;W@`Qd~bjbW_d0g64DDZbj({&fdkp93v<18Pa
Xd4GOX{}wiOjPWZ`6W+CSxjrudY>Pw4
diff --git a/10-kms/Practice-10.1/file.txt b/10-kms/Practice-10.1/file.txt
deleted file mode 100644
index 6675f302..00000000
--- a/10-kms/Practice-10.1/file.txt
+++ /dev/null
@@ -1 +0,0 @@
-This is my secret file
\ No newline at end of file
diff --git a/10-kms/Practice-10.1/scripts b/10-kms/Practice-10.1/scripts
deleted file mode 100644
index f624bfba..00000000
--- a/10-kms/Practice-10.1/scripts
+++ /dev/null
@@ -1,14 +0,0 @@
-aws kms encrypt \
- --key-id fbc58ad0-2bac-40fe-96ee-5ebd24d2f006 \
- --plaintext fileb://file.txt \
- --output text \
- --query CiphertextBlob | base64 \
- --decode > encryptedFile
-
-aws kms decrypt \
- --ciphertext-blob fileb://encryptedFile \
- --key-id fbc58ad0-2bac-40fe-96ee-5ebd24d2f006 \
- --output text \
- --query Plaintext | base64 \
- --decode > PlaintextFile
-
diff --git a/10-kms/Practice-10.2/NewFile.txt b/10-kms/Practice-10.2/NewFile.txt
deleted file mode 100644
index 158a0601..00000000
--- a/10-kms/Practice-10.2/NewFile.txt
+++ /dev/null
@@ -1 +0,0 @@
-Test Client-Side encryption
diff --git a/10-kms/Practice-10.2/go.mod b/10-kms/Practice-10.2/go.mod
deleted file mode 100644
index d6845094..00000000
--- a/10-kms/Practice-10.2/go.mod
+++ /dev/null
@@ -1,10 +0,0 @@
-module kms
-
-go 1.19
-
-require (
- github.com/aws/aws-sdk-go v1.44.103 // indirect
- github.com/aws/aws-sdk-go-v2 v1.16.16 // indirect
- github.com/aws/smithy-go v1.13.3 // indirect
- github.com/jmespath/go-jmespath v0.4.0 // indirect
-)
diff --git a/10-kms/Practice-10.2/go.sum b/10-kms/Practice-10.2/go.sum
deleted file mode 100644
index 70c1397e..00000000
--- a/10-kms/Practice-10.2/go.sum
+++ /dev/null
@@ -1,22 +0,0 @@
-github.com/aws/aws-sdk-go v1.44.103 h1:tbhBHKgiZSIUkG8FcHy3wYKpPVvp65Wn7ZiX0B8phpY=
-github.com/aws/aws-sdk-go v1.44.103/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
-github.com/aws/aws-sdk-go-v2 v1.16.16 h1:M1fj4FE2lB4NzRb9Y0xdWsn2P0+2UHVxwKyOa4YJNjk=
-github.com/aws/aws-sdk-go-v2 v1.16.16/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k=
-github.com/aws/smithy-go v1.13.3 h1:l7LYxGuzK6/K+NzJ2mC+VvLUbae0sL3bXU//04MkmnA=
-github.com/aws/smithy-go v1.13.3/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
-github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
-github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
-github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
diff --git a/10-kms/Practice-10.2/s3_client_side_download.go b/10-kms/Practice-10.2/s3_client_side_download.go
deleted file mode 100644
index 096e6e33..00000000
--- a/10-kms/Practice-10.2/s3_client_side_download.go
+++ /dev/null
@@ -1,55 +0,0 @@
-package main
-
-import (
- "fmt"
- "io/ioutil"
- "log"
-
- "github.com/aws/aws-sdk-go/aws"
- "github.com/aws/aws-sdk-go/aws/session"
- "github.com/aws/aws-sdk-go/service/s3"
- "github.com/aws/aws-sdk-go/service/s3/s3crypto"
- "os"
-)
-
-var (
- bucket = "kms-bucket-ndambi"
- key = "clientside.txt"
-)
-
-func main() {
- sess := session.New(&aws.Config{
- Region: aws.String("us-east-1"),})
-
- client := s3crypto.NewDecryptionClient(sess)
-
- input := &s3.GetObjectInput{
- Bucket: &bucket,
- Key: &key,
- }
-
- result, err := client.GetObject(input)
- // Aside from the S3 errors, here is a list of decryption client errors:
- // * InvalidWrapAlgorithmError - returned on an unsupported Wrap algorithm
- // * InvalidCEKAlgorithmError - returned on an unsupported CEK algorithm
- // * V1NotSupportedError - the SDK doesn’t support v1 because security is an issue for AES ECB
- // These errors don’t necessarily mean there’s something wrong. They just tell us we couldn't decrypt some data.
- // Users can choose to log this and then continue decrypting the data that they can, or simply return the error.
- if err != nil {
- log.Fatal(err)
- }
-
- // Let's read the whole body from the response
- b, err := ioutil.ReadAll(result.Body)
- if err != nil {
- log.Fatal(err)
- }
- //fmt.Println(string(b))
-
- file, err := os.Create("NewFile.txt")
- if err != nil {
- fmt.Println(err)
- return
- }
- fmt.Fprintf(file, "%v\n", string(b))
-}
diff --git a/10-kms/Practice-10.2/s3_client_side_upload.go b/10-kms/Practice-10.2/s3_client_side_upload.go
deleted file mode 100644
index 7f885b6b..00000000
--- a/10-kms/Practice-10.2/s3_client_side_upload.go
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
-Licensed under the MIT-0 license https://github.com/aws/mit-0
-*/
-package main
-
-import (
- "log"
- "strings"
-
- "github.com/aws/aws-sdk-go/aws"
- "github.com/aws/aws-sdk-go/aws/credentials"
- "github.com/aws/aws-sdk-go/aws/session"
- "github.com/aws/aws-sdk-go/service/kms"
- "github.com/aws/aws-sdk-go/service/s3"
- "github.com/aws/aws-sdk-go/service/s3/s3crypto"
-)
-
-var (
- cmkId = "fbc58ad0-2bac-40fe-96ee-5ebd24d2f006"
- bucket = "kms-bucket-ndambi"
- key = "clientside.txt"
-)
-
-func main() {
- sess, err := session.NewSession(&aws.Config{
- Region: aws.String("us-east-1"),
- Credentials: credentials.NewSharedCredentials("", "default"),
- })
- // This is our key wrap handler, used to generate cipher keys and IVs for
- // our cipher builder. Using an IV allows more “spontaneous” encryption.
- // The IV makes it more difficult for hackers to use dictionary attacks.
- // The key wrap handler behaves as the master key. Without it, you can’t
- // encrypt or decrypt the data.
- keywrap := s3crypto.NewKMSKeyGenerator(kms.New(sess), cmkId)
- // This is our content cipher builder, used to instantiate new ciphers
- // that enable us to encrypt or decrypt the payload.
- builder := s3crypto.AESGCMContentCipherBuilder(keywrap)
- // Let's create our crypto client!
- client := s3crypto.NewEncryptionClient(sess, builder)
-
- input := &s3.PutObjectInput{
- Bucket: &bucket,
- Key: &key,
- Body: strings.NewReader("Test Client-Side encryption"),
- }
-
- _, err = client.PutObject(input)
- // What to expect as errors? You can expect any sort of S3 errors, http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html.
- // The s3crypto client can also return some errors:
- // * MissingCMKIDError - when using AWS KMS, the user must specify their key's ARN
- if err != nil {
- log.Fatal(err)
- }
-}
-
From d61b150107113bb0e56f36d4079a34b1e41d1292 Mon Sep 17 00:00:00 2001
From: Dezo2018
Date: Thu, 27 Oct 2022 14:59:33 -0400
Subject: [PATCH 3/3] Initial commit
---
 14-Jenkins/Practice-14.1/config.txt | 9 +
 14-Jenkins/Practice-14.1/stack.yml | 274 ++++++++++++++++++++++++++++
 14-Jenkins/Practice-14.1/vpc.yml | 90 +++++++++
 3 files changed, 373 insertions(+)
 create mode 100644 14-Jenkins/Practice-14.1/config.txt
 create mode 100644 14-Jenkins/Practice-14.1/stack.yml
 create mode 100644 14-Jenkins/Practice-14.1/vpc.yml
diff --git a/14-Jenkins/Practice-14.1/config.txt b/14-Jenkins/Practice-14.1/config.txt
new file mode 100644
index 00000000..5658b6b1
--- /dev/null
+++ b/14-Jenkins/Practice-14.1/config.txt
@@ -0,0 +1,9 @@
+# How to configure the master slave architecture of jenkins
+1. Log into the master node and generate a key using
+ # ssh-keygen -t rsa
+2. Copy the master's ~/.ssh/id_rsa.pub to the slave nodes' authorized_keys
+ # echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGP9mQOqjhpxJssQbqz9pHzmWUCMMbWpxyLChsl9MPvMcslqrOXSYrywWErA9Zj01tvu/hwxMv/lIY/iSdkCP68z5VjM3eZQ/iNqWnQ6dhK4EeVoF/wNoRBdQCIQlFHK222uuyPTsMfmjJZz8hsSgTmgQqX5ifeCYQKjQWB2264Z7bLy8ByOFAUYVfUrhd7+bbADV5eU5mAmUvNjEdinccAePSFMi2omAGX6K2ZaSj4bS6dTzgQLcEJJkg9H1bgnlK89b6N2IXmDZEWRvsXnucr1mFnqnuFVbo13xV36e/MUVIqqYp9C4LYLP3jKWGCSfo2u/ucvf/+FzhztGvEco1 ec2-user@ip-10-0-0-47.ec2.internal" >> ~/.ssh/authorized_keys
+
+Follow this link to configure the Slave nodes on jenkins install in Master node
+ # https:/www.bogotobogo.com/DevOps/Jenkins/Jenkins_on_EC2_setting_up_master_slaves.php
+ssh -i "DesmondKey.pem" ec2-user@ec2-3-230-115-158.compute-1.amazonaws.com
diff --git a/14-Jenkins/Practice-14.1/stack.yml b/14-Jenkins/Practice-14.1/stack.yml
new file mode 100644
index 00000000..659a2d57
--- /dev/null
+++ b/14-Jenkins/Practice-14.1/stack.yml
@@ -0,0 +1,274 @@
+Description: "Jenkins CodeDeploy"
+
+Parameters:
+ JenkinsInstanceType:
+ Type: String
+ Description: "EC2 instance type for Jenkins Server"
+ Default: t2.medium
+ AllowedValues:
+ - t2.micro
+ - t2.small
+ - t2.medium
+ - m3.medium
+ - m3.large
+ - m3.xlarge
+ - m3.2xlarge
+ - c3.large
+ - c3.xlarge
+ - c3.2xlarge
+ - c3.4xlarge
+ - c3.8xlarge
+ - c4.large
+ - c4.xlarge
+ - c4.2xlarge
+ - c4.4xlarge
+ - c4.8xlarge
+ - r3.large
+ - r3.xlarge
+ - r3.2xlarge
+ - r3.4xlarge
+ - r3.8xlarge
+ - i2.xlarge
+ - i2.2xlarge
+ - i2.4xlarge
+ - i2.8xlarge
+ - hi1.4xlarge
+ - hs1.8xlarge
+ - cr1.8xlarge
+ - cc2.8xlarge
+ KeyName:
+ Description: "The EC2 Key Pair to allow SSH access to CodeDeploy EC2 instances and Jenkins Server"
+ Type: 'AWS::EC2::KeyPair::KeyName'
+ Default: DesmondKey
+ IPRange:
+ Description: "CIDR block of the network from where you will connect to the Jenkins server using HTTP and SSH"
+ Type: "String"
+ MinLength: "9"
+ MaxLength: "18"
+ AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
+ ConstraintDescription: "must be a valid IP CIDR range of the form x.x.x.x/x."
+ Default: 0.0.0.0/0
+
+Mappings:
+ AWSRegionArch2AMI:
+ ap-northeast-1:
+ AMI: "ami-08847abae18baa040"
+ ap-northeast-2:
+ AMI: "ami-012566705322e9a8e"
+ ap-south-1:
+ AMI: "ami-00b6a8a2bd28daf19"
+ ap-southeast-1:
+ AMI: "ami-01da99628f381e50a"
+ ap-southeast-2:
+ AMI: "ami-00e17d1165b9dd3ec"
+ eu-central-1:
+ AMI: "ami-076431be05aaf8080"
+ eu-west-1:
+ AMI: "ami-0bdb1d6c15a40392c"
+ eu-west-2:
+ AMI: "ami-e1768386"
+ eu-west-3:
+ AMI: "ami-06340c8c12baa6a09"
+ sa-east-1:
+ AMI: "ami-0ad7b0031d41ed4b9"
+ us-east-1:
+ AMI: "ami-04681a1dbd79675a5"
+ us-east-2:
+ AMI: "ami-0cf31d971a3ca20d6"
+ us-west-1:
+ AMI: "ami-0782017a917e973e7"
+ us-west-2:
+ AMI: "ami-6cd6f714"
+ UbuntuAMI:
+ us-east-1:
+ AMI: "ami-08c40ec9ead489470"
+
+
+Resources:
+ JenkinsServer:
+ Type: AWS::EC2::Instance
+ Properties:
+ KeyName: !Ref KeyName
+ ImageId: !FindInMap ['AWSRegionArch2AMI', {"Ref": 'AWS::Region'}, 'AMI']
+ InstanceType: !Ref JenkinsInstanceType
+ IamInstanceProfile: !Ref JenkinsInstanceProfile
+ UserData:
+ Fn::Base64: !Sub |
+ #!/bin/bash
+ sudo yum update -y
+ sudo yum install wget
+ sudo amazon-linux-extras install java-openjdk11
+ sudo amazon-linux-extras install epel -y
+ sudo wget -O /etc/yum.repos.d/jenkins.repo http://pkg.jenkins-ci.org/redhat/jenkins.repo
+ sudo rpm --import https://pkg.jenkins.io/redhat-stable/jenkins.io.key
+ sudo yum install jenkins -y
+ sudo systemctl enable jenkins
+ sudo systemctl start jenkins
+ sudo systemctl status jenkins
+
+ #Installing CloudWatch Agent
+ sudo yum install -y awslogs
+
+ #Installing git
+ sudo yum install git -y
+
+ #Install Maven
+ sudo wget https://dlcdn.apache.org/maven/maven-3/3.8.6/binaries/apache-maven-3.8.6-bin.tar.gz
+ tar -xvf apache-maven-3.8.6-bin.tar.gz
+ sudo mv apache-maven-3.8.6 /opt/
+ export M2_HOME=/opt/apache-maven-3.8.6
+ export PATH="$PATH:$M2_HOME/bin"
+
+
+ NetworkInterfaces:
+ - AssociatePublicIpAddress: true
+ DeviceIndex: '0'
+ GroupSet:
+ - !Ref JenkinsSecurityGroup
+ SubnetId:
+ Fn::ImportValue:
+ PublicSubnet1
+ Tags:
+ - Key: 'Name'
+ Value: 'Jenkins Server'
+ JenkinsRole:
+ Type: AWS::IAM::Role
+ Properties:
+ Path: /
+ AssumeRolePolicyDocument:
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service: [ec2.amazonaws.com]
+ Action: ['sts:AssumeRole']
+ Policies:
+ - PolicyName: "JenkinsPolicy"
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Action: [
+ 's3:GetObject',
+ 's3:GetObjectVersion',
+ 's3:PutObject',
+ 's3:DeleteObject',
+ 's3:ListBucket'
+ ]
+ Resource: "*"
+ - PolicyName: "CloudWatch-agent-role"
+ PolicyDocument:
+ Statement:
+ - Effect: Allow
+ Action: [
+ 'logs:CreateLogGroup',
+ 'logs:CreateLogStream',
+ 'logs:PutLogEvents',
+ 'logs:DescribeLogStreams'
+ ]
+ Resource: "*"
+ JenkinsInstanceProfile:
+ Type: AWS::IAM::InstanceProfile
+ Properties:
+ Path: /
+ Roles: [!Ref 'JenkinsRole']
+ JenkinsSecurityGroup:
+ Type: AWS::EC2::SecurityGroup
+ Properties:
+ GroupDescription: "Enable SSH and HTTP access from specific CIDR block"
+ VpcId:
+ Fn::ImportValue:
+ VPCID
+ SecurityGroupEgress:
+ - IpProtocol: tcp
+ FromPort: 0
+ ToPort: 65535
+ CidrIp: 0.0.0.0/0
+ SecurityGroupIngress:
+ - IpProtocol: tcp
+ FromPort: 22
+ ToPort: 22
+ CidrIp: !Ref IPRange
+ - IpProtocol: tcp
+ FromPort: 80
+ ToPort: 80
+ CidrIp: !Ref IPRange
+ - IpProtocol: tcp
+ FromPort: 8080
+ ToPort: 8080
+ CidrIp: !Ref IPRange
+ - IpProtocol: tcp
+ FromPort: 50000
+ ToPort: 50000
+ CidrIp: !Ref IPRange
+ AgentSecurityGroup:
+ Type: AWS::EC2::SecurityGroup
+ Properties:
+ GroupDescription: "Enable Agent to Master communication"
+ VpcId:
+ Fn::ImportValue:
+ VPCID
+ SecurityGroupEgress:
+ - IpProtocol: tcp
+ FromPort: 0
+ ToPort: 65535
+ CidrIp: 0.0.0.0/0
+ SecurityGroupIngress:
+ - IpProtocol: tcp
+ FromPort: 22
+ ToPort: 22
+ CidrIp: !Ref IPRange
+ Agent1Server:
+ Type: AWS::EC2::Instance
+ Properties:
+ KeyName: !Ref KeyName
+ ImageId: !FindInMap ['UbuntuAMI', {"Ref": 'AWS::Region'}, 'AMI']
+ InstanceType: "t2.small"
+ IamInstanceProfile: !Ref JenkinsInstanceProfile
+ UserData:
+ Fn::Base64: !Sub |
+ #!/bin/bash
+ sudo apt update -y
+ sudo apt install openjdk-11-jre-headless -y
+ NetworkInterfaces:
+ - AssociatePublicIpAddress: true
+ DeviceIndex: '0'
+ GroupSet:
+ - !Ref AgentSecurityGroup
+ SubnetId:
+ Fn::ImportValue:
+ PublicSubnet1
+ Tags:
+ - Key: 'Name'
+ Value: 'Slave Node(1)'
+ Agent2Server:
+ Type: AWS::EC2::Instance
+ Properties:
+ KeyName: !Ref KeyName
+ ImageId: !FindInMap ['AWSRegionArch2AMI', {"Ref": 'AWS::Region'}, 'AMI']
+ InstanceType: 't2.micro'
+ IamInstanceProfile: !Ref JenkinsInstanceProfile
+ UserData:
+ Fn::Base64: !Sub |
+ #!/bin/bash
+ sudo yum update -y
+ sudo amazon-linux-extras install java-openjdk11 -y
+ sudo amazon-linux-extras install epel -y
+ sudo yum install git -y
+ sudo wget https://dlcdn.apache.org/maven/maven-3/3.8.6/binaries/apache-maven-3.8.6-bin.tar.gz
+ tar -xvf apache-maven-3.8.6-bin.tar.gz
+ sudo mv apache-maven-3.8.6 /opt/
+ export M2_HOME=/opt/apache-maven-3.8.6
+ export PATH="$PATH:$M2_HOME/bin"
+ NetworkInterfaces:
+ - AssociatePublicIpAddress: true
+ DeviceIndex: '0'
+ GroupSet:
+ - !Ref AgentSecurityGroup
+ SubnetId:
+ Fn::ImportValue:
+ PublicSubnet1
+ Tags:
+ - Key: 'Name'
+ Value: 'Slave Node(2)'
+
+
\ No newline at end of file
diff --git a/14-Jenkins/Practice-14.1/vpc.yml b/14-Jenkins/Practice-14.1/vpc.yml
new file mode 100644
index 00000000..3039e678
--- /dev/null
+++ b/14-Jenkins/Practice-14.1/vpc.yml
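Review bot: `IPRange` defaults to `0.0.0.0/0`, so a stack created with defaults exposes SSH (22), 80, 8080 and the agent port 50000 on the controller, plus SSH on both agents, to the whole internet, which contradicts the parameter's own description of "the network from where you will connect"; drop the `Default: 0.0.0.0/0` line so the caller must supply a CIDR. `AgentSecurityGroup` is described as "Agent to Master communication" but its only ingress is port 22 from `IPRange`, the operator's network rather than the controller's; replacing that `CidrIp: !Ref IPRange` with `SourceSecurityGroupId: !Ref JenkinsSecurityGroup` lets the controller reach the agents without opening them to `IPRange` at all. Both agents reuse `JenkinsInstanceProfile`, so they inherit the S3 get/put/delete/list grants on `Resource: "*"` from `JenkinsPolicy`; a separate agent role, and a `Resource` scoped to the artifact bucket, would be least privilege. In the controller's user data, `sudo yum install wget` and `amazon-linux-extras install java-openjdk11` lack `-y` and will abort when run non-interactively, the Jenkins repo file is fetched over plain `http://` while the signing key is fetched over `https://`, and the two `export` lines only affect the cloud-init shell, not later Jenkins or login sessions.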
@@ -0,0 +1,90 @@
+Description: >
+ Jenkins VPC Resources
+
+Mappings:
+ SubnetConfig:
+ VPC:
+ CIDR: '10.0.0.0/16'
+ PublicSubnet1:
+ CIDR: '10.0.0.0/24'
+ PublicSubnet2:
+ CIDR: '10.0.1.0/24'
+
+Resources:
+ VPC:
+ Type: AWS::EC2::VPC
+ Properties:
+ CidrBlock: !FindInMap ['SubnetConfig', 'VPC', 'CIDR']
+ EnableDnsHostnames: true
+ EnableDnsSupport: true
+ PublicSubnetOne:
+ Type: AWS::EC2::Subnet
+ Properties:
+ AvailabilityZone:
+ Fn::Select:
+ - 0
+ - Fn::GetAZs: {Ref: 'AWS::Region'}
+ VpcId: !Ref 'VPC'
+ CidrBlock: !FindInMap ['SubnetConfig', 'PublicSubnet1', 'CIDR']
+ MapPublicIpOnLaunch: true
+ Tags:
+ - Key: Name
+ Value: "Public Subnet (AZ1)"
+ PublicSubnetTwo:
+ Type: AWS::EC2::Subnet
+ Properties:
+ AvailabilityZone:
+ Fn::Select:
+ - 1
+ - Fn::GetAZs: {Ref: 'AWS::Region'}
+ VpcId: !Ref 'VPC'
+ CidrBlock: !FindInMap ['SubnetConfig', 'PublicSubnet2', 'CIDR']
+ MapPublicIpOnLaunch: true
+ Tags:
+ - Key: Name
+ Value: "Public Subnet (AZ2)"
+ InternetGateway:
+ Type: AWS::EC2::InternetGateway
+ GatewayAttachement:
+ Type: AWS::EC2::VPCGatewayAttachment
+ Properties:
+ VpcId: !Ref 'VPC'
+ InternetGatewayId: !Ref 'InternetGateway'
+ PublicRouteTable:
+ Type: AWS::EC2::RouteTable
+ Properties:
+ VpcId: !Ref 'VPC'
+ PublicRoute:
+ Type: AWS::EC2::Route
+ DependsOn: GatewayAttachement
+ Properties:
+ RouteTableId: !Ref 'PublicRouteTable'
+ DestinationCidrBlock: '0.0.0.0/0'
+ GatewayId: !Ref 'InternetGateway'
+ PublicSubnetOneRouteTableAssociation:
+ Type: AWS::EC2::SubnetRouteTableAssociation
+ Properties:
+ SubnetId: !Ref PublicSubnetOne
+ RouteTableId: !Ref PublicRouteTable
+ PublicSubnetTwoRouteTableAssociation:
+ Type: AWS::EC2::SubnetRouteTableAssociation
+ Properties:
+ SubnetId: !Ref PublicSubnetTwo
+ RouteTableId: !Ref PublicRouteTable
+
+Outputs:
+ VPC:
+ Description: A reference to the created VPC
+ Value: !Ref VPC
+ Export:
+ Name: VPCID
+ PublicSubnet1:
+ Description: A reference to the public subnet in the 1st Availability Zone
+ Value: !Ref PublicSubnetOne
+ Export:
+ Name: PublicSubnet1
+ PublicSubnet2:
+ Description: A reference to the public subnet in the 2nd Availability Zone
+ Value: !Ref PublicSubnetTwo
+ Export:
+ Name: PublicSubnet2
\ No newline at end of file
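Review bot: The template creates only public subnets, both with `MapPublicIpOnLaunch: true`, and exports nothing else, so `stack.yml` has no option but to place the build agents on a public subnet with public addresses. A private subnet pair with a NAT gateway, exported alongside `PublicSubnet1` and `PublicSubnet2`, would let the agents pull packages and reach the controller without being addressable from the internet; that is a larger addition than fits here and is best done as its own change. `GatewayAttachement` is misspelled but referenced consistently, so it works; if it is renamed, the `DependsOn` on `PublicRoute` must change with it.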