AWS KMS Use Case With Serverless Application Model (SAM): An End To End Solution

This article demonstrates how to use AWS Key Management Service with Serverless Application Model for beginners. It has an hands on lab with full solution.

Rajan Panchal

Aug. 18, 20 · Tutorial

Likes (3)

Comment

Save

8.6K Views

The Basics

AWS KMS is a Key Management Service that lets you create Cryptographic keys that you can use to encrypt and decrypt data and also other keys. You can read more about it here.

Important Points About Keys

Please note that the CMK generated can only be used to encrypt a small amount of data like passwords, RSA keys. You can use AWS KMS customer master keys (CMKs) to generate, encrypt, and decrypt data keys. However, AWS KMS does not store, manage, or track your data keys, or perform cryptographic operations with data keys.

You must use and manage data keys outside of AWS KMS. KMS API uses AWS KMS customer master key (CMK) in the encryption operations and they cannot accept more than 4 KB (4096 bytes) of data. To encrypt application data, use the server-side encryption features of an AWS service, or a client-side encryption library, such as the AWS Encryption SDK or the Amazon S3 encryption client.

Scenario

We want to create signup and login forms for a website. Passwords should be encrypted and stored in the AWS DynamoDB database.

What Do We Need?

KMS key to encrypt and decrypt data
DynamoDB table to store password.
Lambda functions & APIs to process Login and Sign up forms. 4.Sign up/ Login forms in HTML

Let's Implement it as Serverless Application Model (SAM)!

Lets first create the Key that we will use to encrypt and decrypt the password.

    YAML
   
x

KmsKey:
    Type: AWS::KMS::Key
    Properties: 
      Description: CMK for encrypting and decrypting
      KeyPolicy:
        Version: '2012-10-17'
        Id: key-default-1
        Statement:
        - Sid: Enable IAM User Permissions
          Effect: Allow
          Principal:
            AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
          Action: kms:*
          Resource: '*'
        - Sid: Allow administration of the key
          Effect: Allow
          Principal:
            AWS: !Sub arn:aws:iam::${AWS::AccountId}:user/${KeyAdmin}
          Action:
          - kms:Create*
          - kms:Describe*
          - kms:Enable*
          - kms:List*
          - kms:Put*
          - kms:Update*
          - kms:Revoke*
          - kms:Disable*
          - kms:Get*
          - kms:Delete*
          - kms:ScheduleKeyDeletion
          - kms:CancelKeyDeletion
          Resource: '*'
        - Sid: Allow use of the key
          Effect: Allow
          Principal:
            AWS: !Sub arn:aws:iam::${AWS::AccountId}:user/${KeyUser}
          Action:
          - kms:DescribeKey
          - kms:Encrypt
          - kms:Decrypt
          - kms:ReEncrypt*
          - kms:GenerateDataKey
          - kms:GenerateDataKeyWithoutPlaintext
          Resource: '*'

The important thing in the above snippet is the KeyPolicy. KMS requires a Key Administrator and Key User. As a best practice, your Key Administrator and Key User should be 2 separate users in your Organisation. We are allowing all permissions to the root users. So if your key Administrator leaves the organization, the root user will be able to delete this key. As you can see KeyAdmin can manage the key but not use it and KeyUser can only use the key. ${KeyAdmin} and ${KeyUser} are parameters in the SAM template. You would be asked to provide values for these parameters during SAM Deploy.

Parameters: KeyAdmin: Type: String KeyUser: Type: String

default arguments

Next, we will create a DynamoDB table. The partition key will be the user id. This is enough. You can add attributes as required.

    YAML
   
xxxxxxxxxx

myDynamoDBTable: 
    Type: AWS::DynamoDB::Table
    Properties: 
      BillingMode: PAY_PER_REQUEST 
      AttributeDefinitions: 
        - 
          AttributeName: "userid"
          AttributeType: "S"
       
      KeySchema: 
        - 
          AttributeName: "userid"
          KeyType: "HASH"

Now, let's create the API and Lambda handler that will process the Signup and Login requests.

    YAML
   
 

     
    

      

     

      

     

     

    
x

          

         

          

         

            
          
ApiGatewaySignupApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: Prod
    Auth:
     UsagePlan:
      CreateUsagePlan: PER_API
      Description: Usage plan for this API
      Quota:
       Limit: 500
       Period: MONTH
      Throttle:
       BurstLimit: 100
       RateLimit: 50
  SignupFunction:
    Type: AWS::Serverless::Function
    Properties:
      Environment:
        Variables:
          userTable: !Ref myDynamoDBTable
          keyid: !Ref KmsKey
      CodeUri: Lambda/
      Handler: signup.lambda_handler
      Runtime: python3.8
      Policies:
       - DynamoDBCrudPolicy:
          TableName: !Ref myDynamoDBTable
       - KMSEncryptPolicy:
          KeyId: !Ref KmsKey 
       - KMSDecryptPolicy:
          KeyId: !Ref KmsKey
      Events:
        getCounter:
          Type: Api
          Properties:
            Path: /signup
            Method: POST
            RestApiId: !Ref ApiGatewaySignupApi
  ApiGatewayLoginApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: Prod
    Auth:
     UsagePlan:
      CreateUsagePlan: PER_API
      Description: Usage plan for this API
      Quota:
       Limit: 500
       Period: MONTH
      Throttle:
       BurstLimit: 100
       RateLimit: 50
  LoginFunction:
    Type: AWS::Serverless::Function
    Properties:
      Environment:
        Variables:
          userTable: !Ref myDynamoDBTable
          keyid: !Ref KmsKey
      CodeUri: Lambda/
      Handler: login.lambda_handler
      Runtime: python3.8
      Policies:
        - DynamoDBCrudPolicy:
            TableName: !Ref myDynamoDBTable
        - KMSEncryptPolicy:
            KeyId: !Ref KmsKey 
        - KMSDecryptPolicy:
            KeyId: !Ref KmsKey
      Events:
        getCounter:
          Type: Api
          Properties:
            Path: /login
            Method: POST
            RestApiId: !Ref ApiGatewayLoginApi

      

     

Here, we are creating 2 Lambda handlers, one that handles signup, and the other handles the login. We are limiting the usage of API under Auth property. This is to prevent abuse of our API. We are setting two environment variables, one for the database table name and another for KMS key name. We are not hard-coding the table/key names instead we let cloud formation to name it and we set it as environment variables with auto-generated values.

This will prevent name conflicts of resources and you can run multiple versions of your whole cloud environment. Then we set a policy that allows Lambda to access DynamoDB and the key. You can find 'out of the box' SAM policy templates here. With Events, we create the API Gateway resources. The final part of the SAM template is the Output section.

    YAML
   
xxxxxxxxxx

Outputs:
  ApiGatewaySignupApi:
    Description: "API Gateway endpoint URL for Prod stage for Hello World function"
    Value: !Sub "https://${ApiGatewaySignupApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/signup/"
  SignupFunction:
    Description: "Sign Up Lambda Function ARN"
    Value: !GetAtt SignupFunction.Arn
  ApiGatewayLoginApi:
    Description: "API Gateway endpoint URL for Prod stage for Hello World function"
    Value: !Sub "https://${ApiGatewayLoginApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/login/"
  LoginFunction:
    Description: "Login Lambda Function ARN"
    Value: !GetAtt LoginFunction.Arn

We output 2 important URLs in the above section, ApiGatewayLoginApi, and ApiGatewaySignupApi, We use these URLs in the fronted HTML form's action attribute. See below:

    HTML
   
xxxxxxxxxx

<html>
   <head></head>
   <body>
      <h1>Sign Up</h1>
      <form action="https://51v5ifsje1.execute-api.us-east-2.amazonaws.com/Prod/signup/" enctype="application/x-www-form-urlencoded" method="POST">
         <label>Username:</label><input type="text" name="uname" id="uname"> </input><br><br>
         <label>Password:</label><input type="password" name="password" id="password"> </input><br><br>
         <input type="submit"></input>
      </form>
   </body>
</html>

    HTML
   
xxxxxxxxxx

<html>
  <head></head>
  <body>
    <h1>Login</h1>
    <form action="https://4ezqeugqlf.execute-api.us-east-2.amazonaws.com/Prod/login/" enctype="application/x-www-form-urlencoded" method="POST">
      <label>username:</label><input type="text" name="uname" id="uname"> </input><br><br>
      <label>password:</label><input type="password" name="password" id="password"> </input><br><br>
      <input type="submit"></submit>
    </form>
  </body>
</html>

In HTML, we are using encoding type as "enctype="application/x-www-form-urlencoded". With this type of encoding, the form data is sent in below format

username=doryfish&password=nemo

The last piece in the puzzle is the Lambda handlers. Let's check it out. Python uses Boto3 to access AWS.

    Python
   
xxxxxxxxxx

import json
from urllib.parse import parse_qs
import urllib.parse
import boto3
import logging
import os
import base64
log = logging.getLogger()
log.setLevel(logging.INFO)
def lambda_handler(event, context):
    log.info(event)
    log.info(event.get("body"))
    qs = parse_qs(event.get("body"))
    log.info(qs)
    uname = qs.get("uname")[0] 
    pwd = qs.get("password")[0]
 
    dynamodb = boto3.resource('dynamodb')
    table = dynamodb.Table(os.environ['userTable'])
    log.info('key id:'+os.environ['keyid'])
    key = os.environ['keyid']
    client = boto3.client('kms')
    #Encrypt password
    response = client.encrypt(
    Plaintext=pwd,
    KeyId=key
    )
    log.info(response['CiphertextBlob'])
    b64_pass = str(base64.b64encode(response['CiphertextBlob']),'utf-8')
    log.info(b64_pass)
   
    response = table.update_item(
        Key={
            'userid': uname
        },
        AttributeUpdates={
            'password': {
                'Value': b64_pass,
            }
            }
        )
    data = {}
    data['status'] = 'Signup Success'
    json_data = json.dumps(data)    
    return {
        'statusCode': 200,
        'body': json_data
    }

The first two statements are logging statements, this is useful in debugging and the log statements will be logged in CloudWatch logs. The parse_qs module is used to read the form of data from the event object. Data are returned as a dictionary. The dictionary keys are the unique query variable names and the values are lists of values for each name. Hence, in the next 2 statements, we get the first value for each type — username and password.

We retrieve the DynamoDB table using the table name from the environment variable - userTable. Environment variables in Lambda can be accessed using os.environ['key']. Now we got the username and password. Its time to encrypt the password and store it in DB. The password to encrypt is passed to the Plaintext attribute of the encrypted request and key id is retrieved from the environment variable. CiphertextBlob is the encrypted binary value in the response object. For example:

    Java
   
          x
         
b'\x01\x02\x02\x00x\x9dN"\xa4\xf9\xfe\xb4\xc7&\x01\xdc\xb6J\xdf\xf1\xdc\xf2;)|7\x1b\'{8\xe6(\x80Q\xe5\x11\x8c\x010w"-\x11w\x10b\x9d\xd0w\xa7+\xd1\xa5\xc5\x00\x00\x00e0c\x06\t*\x86H\x86\xf7\r\x01\x07\x06\xa0V0T\x02\x01\x000O\x06\t*\x86H\x86\xf7\r\x01\x07\x010\x1e\x06\t`\x86H\x01e\x03\x04\x01.0\x11\x04\x0ca\xb4\xaa\x00\x10\xc0\xd1\xa6r\x07\xce\xc7\x02\x01\x10\x80"@\nL\xde<\x03s\xc6\xe0g\x80\xd4\x87\x8e\x1e\t\xa2\xac\x10\xfek\xb6\x1d\xf3\x87\x910\xabf\xd1d}x\xdb'

Now we convert this binary value to ASCII text using

str(base64.b64encode(response['CiphertextBlob']),'utf-8')

and the result we store it in the database.

    Java
   
xxxxxxxxxx

AQICAHidTiKk+f60xyYB3LZK3/Hc8jspfDcbJ3s45iiAUeURjAEwdyItEXcQYp3Qd6cr0aXFAAAAZTBjBgkqhkiG9w0BBwagVjBUAgEAME8GCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMYbSqABDA0aZyB87HAgEQgCJACkzePANzxuBngNSHjh4JoqwQ/mu2HfOHkTCrZtFkfXjb

In Login Lambda handler, username and password are retrieved from the request like we did in Sign Up.

    Python
   
xxxxxxxxxx

import json
from urllib.parse import parse_qs
import urllib.parse
import boto3
import secrets
import logging
import os
import base64
log = logging.getLogger()
log.setLevel(logging.INFO)
def lambda_handler(event, context):
  
    log.info(event.get("body"))
    qs = parse_qs(event.get("body"))
  
    uname = qs.get("uname")[0] 
    pwd = qs.get("password")[0]
    
    dynamodb = boto3.resource('dynamodb')
    table = dynamodb.Table(os.environ['userTable'])
    response = table.get_item(Key={'userid': uname})
    json_str =  json.dumps( response['Item'])
    #using json.loads will turn your data into a python dictionary
    resp_dict = json.loads(json_str)
    dbpass = resp_dict.get("password")
    
    #Decrypt password
    log.info('key id:'+os.environ['keyid'])
    key = os.environ['keyid']
    client = boto3.client('kms')
   
    response = client.decrypt(
    CiphertextBlob=(base64.b64decode(dbpass)),
    KeyId=key
    )
    log.info("Decrypted value")
    decryptedPass = response['Plaintext'].decode('UTF-8')
    
    response = {}
   
    if decryptedPass == pwd : 
      response['status'] = 'Login Success'
      return {
        'statusCode': 200,
        'body': json.dumps(response) 
      }
    else:
     response['status'] = 'Login Failed'
     return {
        'statusCode': 200,
        'body': json.dumps(response) 
      }

In decrypt requests, the encrypted password string from the database is converted into binary using base64.b64decode(dbpass) and passed to the CiphertextBlob attribute. A decrypted password is returned as bytes in the Plaintext attribute of the response. The password is encoded in UTF-8 to get the final decrypted password. The decrypted password is then compared with the password from the request and if it matches, 'Login Success' response is sent back.

Phew! Finally, we are done coding. Let's test it out.

Let's do SAM build and Deploy.

build and deploy

deploying

Stack creation complete!

Testing

Note that we are not deploying HTML forms as a static site on S3 but we will locally open the forms in the browser and hit the APIs. Add username/password, hit submit. sign up

Item in the database. Password is encrypted Now, Login using the same username and password submit password

Source Code: github.com/rajanpanchal/aws-kms-signup-login

In the next post, we will extend this example to use AWS STS!

AWS Sam (text editor) application Database Use case Data (computing) Form (document)

Published at DZone with permission of Rajan Panchal. See the original article here.

Opinions expressed by DZone contributors are their own.

Related

Trending