Securely send sensitive token to SNS for use in Lambda - amazon-sns

I need to send an AWS Lambda function a key and secret for another service. I could just bake the key/secret into the function but then I have to republish the Lambda functions when/if they change and that seems undesirable.
I am triggering my Lambda function via SNS. So my workflow would be:
Prepare Payload
Publish Payload to SNS Topic
Lambda Runs receiving payload,
Lambda uses key/secret provided in payload to perform necessary actions on another API
I assume the SNS publish is done over HTTPS so Server -> SNS topic would be encrypted.
What I have not seen specifically called out is the transfer from SNS -> Lambda. Again I can assume it's done securely but I was looking for verification.
My other option, which I have seen done in the AWS Lambda Example for a Slack Echo Service is using AWS Key Management for encrypting and decrypting. For example, using python:
kms = boto3.client('kms')
key = kms.decrypt(CiphertextBlob = b64decode(event["key"]))['Plaintext']
secret = kms.decrypt(CiphertextBlob = b64decode(event["secret"]))['Plaintext']
Would using Key Management Encryption Services be overkill/even necessary here or can I just send the payload and let HTTPS handle it?
OR
Should I be publicly flogged for even thinking of sending something like a key/secret over SNS -> Lambda and instead should bake it into the Lambda function itself.

I can't answer the question about SNS->Lambda encryption. I would assume, like you, that is is over HTTPS but I think you would need to contact AWS support to get confirmation of that.
As to your other question, I think KMS is actually a good fit for this and not necessarily overkill. Another option you might consider is storing the key in DynamoDB. I've also seen people suggest storing Lambda configuration data like this in S3.

Related

is it safe to store third party api keys in google cloud environment variables? Or Not?

I'm not sure if I am misunderstanding something or if the firebase docs contradict themselves.
Here it seems to suggest to store api keys in in env variables:
https://firebase.google.com/docs/functions/config-env
For instance, to store the Client ID and API key for "Some Service", you might run:
firebase functions:config:set someservice.key="THE API KEY" someservice.id="THE CLIENT ID"
But here it seems to say never to do it:
https://firebase.google.com/support/guides/security-checklist#cloud_function_safety
Cloud Function safety
Never put sensitive information in a Cloud Function’s environment variables
Often in a self-hosted Node.js app, you use environment variables to contain sensitive information like private keys. Do not do this in Cloud Functions.
There isn't only one correct answer. Generally, storing a critical/confidential data in plain text is a bad idea. It's better to use dedicated service to store the secret like secret manager.
However, you can imagine these use case:
Your deployment is automatic and no human can access to your Cloud Functions parameters (and env vars) -> Your secret is kept secure even if in plain text in Cloud Functions env vars
Your secret is stored in secret manager, but all the team members (and more) have the secret manager accessor role, and everyone can browse and see the secret in plain text. -> Even if you use secret manager, your IAM roles policy breaks the security and the confidentiality of the secret, it's public for everyone!
Think the security globally. There are best practices, but if you focus only on one topic, you can create bigger breach just beside!

How do I customize message in SNS topic notification triggered on cloudwatch rules?

I have a cloudwatch alarm for my s3 bucket, if there are no changes to the bucket in a day, the alarm is triggered and an SNS topic is sent.
I have set a cloudwatch event rule to schedule the target SNS topic daily if it meets the conditions.
However, I am having trouble customizing the SNS message needed to provided detail to the notifications.
I have attempted to use the input transformer, but I cannot wrap my head around keys I need to map for this service.
How can I map the details required? How can I find the key-value details to send to my Input Transformer to formulate a message?
The easiest method would be to trigger an AWS Lambda function that can read the incoming information, customize the content, and then send it as a message through Amazon SNS.
I don't think Amazon CloudWatch can directly trigger an AWS Lambda function, so you'll probably need two SNS topics:
One SNS topic used by CloudWatch, that triggers the Lambda function
One SNS topic that where Lambda sends the customized message and people can subscribe to receive it
The Lambda function can also do additional work, such as reporting on the size of the bucket and retrieving additional stats you would like mentioned.

What is the best practice to authenticate over firebase functions another server?

I want to call my firebase function HTTP API from another server -- which does not have an email and password (or any other firebase authentication method).
I want to be able to run a task like read/write in Firestore, however still protect the API. I would like to create some sort of programmatic keys like AWS does for calling their APIs. But, how to do this in firebase ? How can we generate such programmatic keys to communicate between one server to another?
It seems that the best available option that you might try - because it doesn't seem to have an official way to do it - it's by using API keys to perform the verification and security of your calls. As clarified in the official documentation Using API Keys, this is not supported by all Google applications, but Cloud Endpoints should work.
Considering that, you can use Cloud Endpoints in integration with your Cloud Functions, to provide security via API keys. You can find more information on how to achieve that in this article here.
Another alternative you may want to try, it's using a JWT token - as clarified here - as a header in your API calls. This way, you will be working with authetnication via keys - not exactly as in AWS, but it's a start - so you can secure your calls. :)
Anyway, if you don't find this useful, I would recommend you to raise a Feature Request in Google's Feature Tracker, so they can check about the possibility of further implementation in such functionality.
Let me know if the information helped you!

How to post message to slack channel\user using Signing Secret and python requests

Lately Slack API recommend using Signing Secrets - but I can't find in the documentation a proper explanation how to post a message with rest api.
Is there a good example \ proper documentation or even better - a code sample of posting a message to channel using Python Requests + Signing Secret?
(Or any other language\lib + Signing Secret).
Signing Secret isn't necessary in every situation.
If you are sending massage to channel you don't need to use signing key.
As documentation said Signing Secret is used when you are receiving information from Slack.
What are signed secrets?
Slack creates a unique string for your app and shares it with you.
Verify requests from Slack with confidence by verifying signatures
using your signing secret.
Grate examples with usage of Signing Secret you can find at their github:
With socket usage
With flask server usage
But TL;DR everything what you have to do is pass secret while you are creating App object.
Something like this:
app = App(signing_secret=os.environ["SLACK_SIGNING_SECRET"], authorize=authorize)
Implementation of request verification in Python Bolt framework:
https://github.com/slackapi/bolt-python/tree/main/slack_bolt/middleware/request_verification

Can a call to a Firebase https function directly from client side be intercepted?

So now that we can call HTTPS functions directly from client side, I'm wondering if I can use it for sensitive transactional requests and if it's safe. Before I was using forms with POST method but this could make things much simpler.
Is the call from the beginning to the end encrypted?
It may not be obvious at first, but you're asking a lot of questions here. It may take some time to unwind your concerns
First of all, both Cloud Functions HTTPS functions and callable functions are encrypted. In fact, all traffic in and out of Google is encrypted. That is the norm, and you can't even disable that if you wanted to. However, encrypted traffic doesn't necessarily mean that it's "safe". Encryption just guarantees that there can be no man-in-the-middle attacks that are eavesdropping or changing the content on the way in or out.
Encryption doesn't prevent someone from simply invoking the function directly from their own code. For HTTPS and callable functions, it's very much possible for anyone to invoke your function directly. There are no requirements that the call must be coming from your app or your web site. If this is a requirement for you, you need to perform some checks in your function itself to ensure that the call is valid.
With HTTP type functions, you can require that the caller send an authentication token with the request. Then, you can validate the token in your function, and proceed only if everything looks OK to you. There is an example of this in the official samples.
With callable type functions, an authentication token is automatically added if the user is logged in with Firebase Auth. The token is automatically validated as well. All you have to do is check to see if the user is allowed to do whatever it is the call wants to do.
"Safety" is not just about encryption. It includes both authentication and authorization as well.
The documentation you refer to explicitly mentions that Callable Functions are HTTPS ones, so yes the call is encrypted from end-to-end.
The Cloud Functions for Firebase client SDKs let you call functions
directly from a Firebase app. To call a function from your app in this
way, write and deploy an HTTPS Callable function in Cloud Functions,
and then add client logic to call the function from your app.

Resources