Imperva - Data security Fabric - diagnostic logs RDS in AWS - amazon-rds

I am installing Data Security Fabric in my company. I work with Postgres on Heroku, with an API connection on AWS. I need to collect RDS logs for the Imperva data security audit. Is it possible to use Heroku? What logs are sent by RDS on AWS? Is it possible to work with what is sent by AWS?
I'm connected to AWS, but not moving forward in the install.

Related

TypeORM AWS RDS Proxy Integration

I am trying to use RDS proxy with TypeORM in a nestjs application. RDS Proxy uses IAM authentication, because of which I am getting authentication error after 15 minutes. Please let me know if there is a way to make typeorm refresh the token before it gets expire. (Type orm is loaded as part of app module in the nestjs lambda function)
You can give your EC2 instance access to your RDS via an IAM Role.
If you want to connect locally:
No need to pass the credentials via code.
How can I connect to a private Amazon RDS DB instance from a local machine using an Amazon EC2 instance as a bastion host?
OR
Install aws-cli.
Run: aws configure.
Add secret and access keys and session tokens, which should have access to your RDS.
This will add your credentials under the .aws/credentials file (or look for the credentials file).
Write and run a background process that updates the credentials under the credentials file before they expire.
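The answer's last step, refreshing the short-lived credential before it expires, as an added example that is not from the question, TypeORM or NestJS: a password provider that caches an RDS IAM auth token and regenerates it a minute before the 15-minute validity window ends. `generateToken` stands in for an RDS signer call (for instance `Signer.getAuthToken` from `@aws-sdk/rds-signer`, an assumption about your setup); `now` is injectable so expiry can be exercised offline.

```javascript
// Added example: cache an RDS Proxy IAM auth token and refresh it before the
// 15-minute validity window ends. `generateToken` is a placeholder for a real
// signer; `now` is injectable for testing.
const TOKEN_LIFETIME_MS = 15 * 60 * 1000; // RDS IAM auth tokens are valid for 15 minutes
const REFRESH_MARGIN_MS = 60 * 1000;      // refresh a minute early to avoid races at the edge

// Pure freshness check: true when no token is cached or it is close to expiry.
function needsRefresh(cached, nowMs) {
  if (!cached) return true;
  return nowMs - cached.issuedAt >= TOKEN_LIFETIME_MS - REFRESH_MARGIN_MS;
}

// Returns an async function usable wherever a driver accepts a callback for
// the password (assumption: node-postgres accepts a function for `password`,
// which TypeORM can pass through via its `extra` driver options).
function makeTokenProvider(generateToken, now = () => Date.now()) {
  let cached = null;   // { token, issuedAt }
  let inflight = null; // de-duplicates concurrent refreshes
  return async function getPassword() {
    if (!needsRefresh(cached, now())) return cached.token;
    if (!inflight) {
      inflight = (async () => {
        try {
          const token = await generateToken();
          cached = { token, issuedAt: now() };
          return token;
        } finally {
          inflight = null; // allow a retry if the signer call failed
        }
      })();
    }
    return inflight;
  };
}

// Usage sketch (not executed here):
//   const getPassword = makeTokenProvider(() => signer.getAuthToken());
//   new DataSource({ type: 'postgres', host: PROXY_ENDPOINT, username: DB_USER,
//                    password: getPassword, ssl: true, ... });
```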

How to connect to AWS ElastiCache Cluster from AWS CloudFront using Node.js?

I am new to AWS CloudFront and AWS in general. I have a Next.js (React SSR framework) website which I deployed onto AWS using serverless-nextjs (https://github.com/serverless-nextjs/serverless-next.js). However, I also need some sort of caching for my web app. I decided to use Redis ElastiCache from AWS. I created a Redis ElastiCache Cluster on the AWS console.
My attempt:
I set up the code for connecting to the Redis ElastiCache like this:

```javascript
import redis from 'redis';
...
export async function getServerSideProps() { // Server side function for Next.js
  // redis v3 client signature: createClient(port, host)
  const cache = redis.createClient(6379, "{PRIMARY-ENDPOINT-URL-AWS}");
}
```
and I run the website locally on my PC. However, I get a timeout error from redis: Error: connect ETIMEDOUT.
How would I be able to connect to the redis ElastiCache Cluster from CloudFront and on my local PC?
Screenshot of the Redis ElastiCache Cluster window: [image: redis ElastiCache]
You can't connect to ES from outside (i.e. your local workstation) of AWS directly. ES domains are designed to be accessible only from within your resources (e.g. instances) in the same VPC as your ES domain. From the docs:
ElastiCache is a service designed to be used internally to your VPC. External access is discouraged due to the latency of Internet traffic and security concerns. However, if external access to ElastiCache is required for test or development purposes, it can be done through a VPN.
The only way to enable connections from outside AWS to your ES is if you establish a VPN connection between your home/work network and the VPC, or Direct Connect, as explained in the AWS docs:
This scenario is also supported providing there is connectivity between the customers' VPC and the data center either through VPN or Direct Connect.
However, for a quick, ad-hoc setup you can use an SSH tunnel between your local workstation and the ES domain. This will require some jump/bastion EC2 instance which the tunnel will go through.

best practice to deploy nodejs app on aws ec2 instance

I have deployed a Node.js app on an EC2 instance. I have used Atlas for MongoDB, a load balancer, AWS SSL to secure the connection, and pm2. As I am already using the AWS load balancer, do I need to use nginx? What is the best practice for deploying a Node.js app on EC2? If I need to use nginx, where do I configure the HTTP to HTTPS redirect?
Looks like you need a web application to be developed. I would suggest the below architecture. This will eliminate the pain of hosting/maintaining servers.
All AWS components can be programmatically integrated using AWS SDK and Amplify is a wrapper on top of this.
Develop your UI in any JavaScript framework and host it in AWS S3. Using CloudFront you can cache the UI layer. Put an API gateway layer which will intercept all the traffic from your UI. Using AWS Amplify can very much simplify your UI development with a lot of built-in wrapper components. It comes with CLI which can be used for deployment as well.
Host your Spring Boot+DB Driver (or NodeJS/C#/PHP/Python/etc.) Application with Rest API in AWS Beanstalk. BeanStalk can be configured with Load Balancing, Auto Scaling Group, etc. If AWS Beanstalk seems complicated for you, consider using AWS Lambda (Serverless, microservices) architecture.
AWS DocumentDB is a MongoDB extension and maybe you can leverage it. Which is again a highly scalable, very flexible NoSQL in this case.
You can leverage AWS Cognito (https://www.slideshare.net/awsugkochi/acdkochi19-enterprise-grade-security-for-web-and-mobile-applications-on-aws) to store user credentials in groups, add permissions, and authenticate/authorise the users.
In API Gateway you can configure AWS Cognito Authoriser and protect the APIs from un-authorised calls.
Some of the auxiliary services can be used to integrate email/SMS etc. AWS SNS (Pub/Sub) + SQS (Queue) -> If you want to decouple any process, you can use SNS + SQS. You can send e-mails using AWS SES. AWS Route53 is the DNS and your domain can be hosted here.
If you have to upload any files to cloud and store it for users, leverage AWS S3.
You need to protect internet-facing components like API Gateway and Cloudfront using AWS WAF.
All these systems generate logs and it can be accessed from AWS cloudwatch. Your APIs can be monitored for performance and errors using AWS X-Ray.

Is it mandatory to use Cloud9 IDE to interact with the AWS?

I would like to know if it is mandatory to use Cloud9 IDE to interact with the amazon web services, or is it enough to have a local machine terminal ssh to AWS service?
What is the major difference of using Cloud9 IDE from the local machine ssh terminal?
I would like to accomplish building the Hyperledger fabric network, i.e., to create a Fabric network and provision a peer node in Amazon Managed Blockchain.
Here is the source where I came across Cloud9 IDE: https://github.com/aws-samples/non-profit-blockchain/blob/master/ngo-fabric/README.md, where they mentioned AWS Cloud9 IDE is one of the pre-requisites.
You don't need to use Cloud9 to connect with AWS services.
AWS provides several ways of connecting with them:
Web Management Console
Command Line Interface (CLI)
AWS SDKs
CloudFormation
REST API (which is used for example by Terraform)
To use the AWS CLI on your local computer, you need to configure it with the AWS Access Key ID and Secret Access Key of an IAM user which has programmatic access. https://aws.amazon.com/cli/
AWS Cloud9 comes with a preinstalled AWS CLI and a preconfigured IAM Role associated with it: https://docs.aws.amazon.com/cloud9/latest/user-guide/using-service-linked-roles.html
From an AWS perspective, the IAM Role associated with Cloud9 has less access than the IAM administration user that you would probably create for the AWS CLI on your local computer.

Security of hosting a RESTful API server on AWS Beanstalk or EC2

I want to host a RESTful API on AWS Beanstalk or EC2 so a client server in an on-premise data center can use it.
Is it secure to host a RESTful API server on AWS Beanstalk or EC2 without authentication and secure it only with a security group?
I put the client IP address into the security group which the Beanstalk or EC2 instance uses. So only the client with this IP address can connect to the RESTful API server.
The client is located outside AWS in an on-premise data center.
Are there any better solutions to handle this problem? I know it is possible to connect an AWS VPC with an on-premise network, but that seems too expensive for us in such a small use case.
Is it secure to host a RESTful API server on AWS Beanstalk or EC2 without authentication and secure it only with a security group?
No authentication is not a recommended method for securing a RESTful API, but the security provided by AWS security groups is rock solid.
Another suggestion will be implementing HTTPS instead of HTTP. Please go through this article. http://aws.amazon.com/articles/1928
