From a597819e8a964936e6bb9b45c6bcf084333502ad Mon Sep 17 00:00:00 2001 From: Dezo2018 Date: Wed, 21 Sep 2022 17:49:31 -0400 Subject: [PATCH 1/3] Lab 10-kms --- 10-kms/Practice-10.1/PlaintextFile | 1 + 10-kms/Practice-10.1/cmk_key.yml | 55 ++++++++++++++++++ 10-kms/Practice-10.1/encryptedFile | Bin 0 -> 174 bytes 10-kms/Practice-10.1/file.txt | 1 + 10-kms/Practice-10.1/scripts | 14 +++++ 10-kms/Practice-10.2/NewFile.txt | 1 + 10-kms/Practice-10.2/go.mod | 10 ++++ 10-kms/Practice-10.2/go.sum | 22 +++++++ .../Practice-10.2/s3_client_side_download.go | 55 ++++++++++++++++++ 10-kms/Practice-10.2/s3_client_side_upload.go | 55 ++++++++++++++++++ 10 files changed, 214 insertions(+) create mode 100644 10-kms/Practice-10.1/PlaintextFile create mode 100644 10-kms/Practice-10.1/cmk_key.yml create mode 100644 10-kms/Practice-10.1/encryptedFile create mode 100644 10-kms/Practice-10.1/file.txt create mode 100644 10-kms/Practice-10.1/scripts create mode 100644 10-kms/Practice-10.2/NewFile.txt create mode 100644 10-kms/Practice-10.2/go.mod create mode 100644 10-kms/Practice-10.2/go.sum create mode 100644 10-kms/Practice-10.2/s3_client_side_download.go create mode 100644 10-kms/Practice-10.2/s3_client_side_upload.go diff --git a/10-kms/Practice-10.1/PlaintextFile b/10-kms/Practice-10.1/PlaintextFile new file mode 100644 index 00000000..6675f302 --- /dev/null +++ b/10-kms/Practice-10.1/PlaintextFile @@ -0,0 +1 @@ +This is my secret file \ No newline at end of file diff --git a/10-kms/Practice-10.1/cmk_key.yml b/10-kms/Practice-10.1/cmk_key.yml new file mode 100644 index 00000000..704bbc4c --- /dev/null +++ b/10-kms/Practice-10.1/cmk_key.yml @@ -0,0 +1,55 @@ +Description: AWS CMK Key + +Resources: + myKey: + Type: 'AWS::KMS::Key' + Properties: + Description: A symmetric encryption KMS key + EnableKeyRotation: true + PendingWindowInDays: 20 + KeyPolicy: + Version: 2012-10-17 + Id: key-default-1 + Statement: + - Sid: Enable IAM User Permissions + Effect: Allow + Principal: + AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root" + Action: 'kms:*' + Resource: '*' + - Sid: Allow administration of the key + Effect: Allow + Principal: + AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/desmond.ndambi.labs" + Action: + - 'kms:Create*' + - 'kms:Describe*' + - 'kms:Enable*' + - 'kms:List*' + - 'kms:Put*' + - 'kms:Update*' + - 'kms:Revoke*' + - 'kms:Disable*' + - 'kms:Get*' + - 'kms:Delete*' + - 'kms:ScheduleKeyDeletion' + - 'kms:CancelKeyDeletion' + Resource: '*' + - Sid: Allow use of the key + Effect: Allow + Principal: + AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/desmond.ndambi.labs" + Action: + - 'kms:DescribeKey' + - 'kms:Encrypt' + - 'kms:Decrypt' + - 'kms:ReEncrypt*' + - 'kms:GenerateDataKey' + - 'kms:GenerateDataKeyWithoutPlaintext' + Resource: '*' + + myAlias: + Type: 'AWS::KMS::Alias' + Properties: + AliasName: alias/ndambi + TargetKeyId: !Ref myKey diff --git a/10-kms/Practice-10.1/encryptedFile b/10-kms/Practice-10.1/encryptedFile new file mode 100644 index 0000000000000000000000000000000000000000..4630c9e4002f05385c117521b5cb0c22ac647e70 GIT binary patch literal 174 zcmZQ%Vq&PcB71b>S3|Z-2d=ss8{P2TaO9D})we2U??Niyzg{@oP@M6}vr4XZz6IN+ zc0PCHcv!xJfq|jKpoooAtIebBJ1-+U+k#YsWF|%igE)j3qk$Y7XF{6?V=6NXqn?2v z3(vIeQ-t3f`FAcqDM*EhQJ}$a+WH;W@`Qd~bjbW_d0g64DDZbj({&fdkp93v<18Pa Xd4GOX{}wiOjPWZ`6W+CSxjrudY>Pw4 literal 0 HcmV?d00001 diff --git a/10-kms/Practice-10.1/file.txt b/10-kms/Practice-10.1/file.txt new file mode 100644 index 00000000..6675f302 --- /dev/null +++ b/10-kms/Practice-10.1/file.txt @@ -0,0 +1 @@ +This is my secret file \ No newline at end of file diff --git a/10-kms/Practice-10.1/scripts b/10-kms/Practice-10.1/scripts new file mode 100644 index 00000000..f624bfba --- /dev/null +++ b/10-kms/Practice-10.1/scripts @@ -0,0 +1,14 @@ +aws kms encrypt \ + --key-id fbc58ad0-2bac-40fe-96ee-5ebd24d2f006 \ + --plaintext fileb://file.txt \ + --output text \ + --query CiphertextBlob | base64 \ + --decode > encryptedFile + +aws kms decrypt \ + --ciphertext-blob fileb://encryptedFile \ + --key-id fbc58ad0-2bac-40fe-96ee-5ebd24d2f006 \ + --output text \ + --query Plaintext | base64 \ + --decode > PlaintextFile + diff --git a/10-kms/Practice-10.2/NewFile.txt b/10-kms/Practice-10.2/NewFile.txt new file mode 100644 index 00000000..158a0601 --- /dev/null +++ b/10-kms/Practice-10.2/NewFile.txt @@ -0,0 +1 @@ +Test Client-Side encryption diff --git a/10-kms/Practice-10.2/go.mod b/10-kms/Practice-10.2/go.mod new file mode 100644 index 00000000..d6845094 --- /dev/null +++ b/10-kms/Practice-10.2/go.mod @@ -0,0 +1,10 @@ +module kms + +go 1.19 + +require ( + github.com/aws/aws-sdk-go v1.44.103 // indirect + github.com/aws/aws-sdk-go-v2 v1.16.16 // indirect + github.com/aws/smithy-go v1.13.3 // indirect + github.com/jmespath/go-jmespath v0.4.0 // indirect +) diff --git a/10-kms/Practice-10.2/go.sum b/10-kms/Practice-10.2/go.sum new file mode 100644 index 00000000..70c1397e --- /dev/null +++ b/10-kms/Practice-10.2/go.sum @@ -0,0 +1,22 @@ +github.com/aws/aws-sdk-go v1.44.103 h1:tbhBHKgiZSIUkG8FcHy3wYKpPVvp65Wn7ZiX0B8phpY= +github.com/aws/aws-sdk-go v1.44.103/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= +github.com/aws/aws-sdk-go-v2 v1.16.16 h1:M1fj4FE2lB4NzRb9Y0xdWsn2P0+2UHVxwKyOa4YJNjk= +github.com/aws/aws-sdk-go-v2 v1.16.16/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k= +github.com/aws/smithy-go v1.13.3 h1:l7LYxGuzK6/K+NzJ2mC+VvLUbae0sL3bXU//04MkmnA= +github.com/aws/smithy-go v1.13.3/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= +github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= +github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= diff --git a/10-kms/Practice-10.2/s3_client_side_download.go b/10-kms/Practice-10.2/s3_client_side_download.go new file mode 100644 index 00000000..096e6e33 --- /dev/null +++ b/10-kms/Practice-10.2/s3_client_side_download.go @@ -0,0 +1,55 @@ +package main + +import ( + "fmt" + "io/ioutil" + "log" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/session" + "github.com/aws/aws-sdk-go/service/s3" + "github.com/aws/aws-sdk-go/service/s3/s3crypto" + "os" +) + +var ( + bucket = "kms-bucket-ndambi" + key = "clientside.txt" +) + +func main() { + sess := session.New(&aws.Config{ + Region: aws.String("us-east-1"),}) + + client := s3crypto.NewDecryptionClient(sess) + + input := &s3.GetObjectInput{ + Bucket: &bucket, + Key: &key, + } + + result, err := client.GetObject(input) + // Aside from the S3 errors, here is a list of decryption client errors: + // * InvalidWrapAlgorithmError - returned on an unsupported Wrap algorithm + // * InvalidCEKAlgorithmError - returned on an unsupported CEK algorithm + // * V1NotSupportedError - the SDK doesn’t support v1 because security is an issue for AES ECB + // These errors don’t necessarily mean there’s something wrong. They just tell us we couldn't decrypt some data. + // Users can choose to log this and then continue decrypting the data that they can, or simply return the error. + if err != nil { + log.Fatal(err) + } + + // Let's read the whole body from the response + b, err := ioutil.ReadAll(result.Body) + if err != nil { + log.Fatal(err) + } + //fmt.Println(string(b)) + + file, err := os.Create("NewFile.txt") + if err != nil { + fmt.Println(err) + return + } + fmt.Fprintf(file, "%v\n", string(b)) +} diff --git a/10-kms/Practice-10.2/s3_client_side_upload.go b/10-kms/Practice-10.2/s3_client_side_upload.go new file mode 100644 index 00000000..7f885b6b --- /dev/null +++ b/10-kms/Practice-10.2/s3_client_side_upload.go @@ -0,0 +1,55 @@ +/* +Licensed under the MIT-0 license https://github.com/aws/mit-0 +*/ +package main + +import ( + "log" + "strings" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/credentials" + "github.com/aws/aws-sdk-go/aws/session" + "github.com/aws/aws-sdk-go/service/kms" + "github.com/aws/aws-sdk-go/service/s3" + "github.com/aws/aws-sdk-go/service/s3/s3crypto" +) + +var ( + cmkId = "fbc58ad0-2bac-40fe-96ee-5ebd24d2f006" + bucket = "kms-bucket-ndambi" + key = "clientside.txt" +) + +func main() { + sess, err := session.NewSession(&aws.Config{ + Region: aws.String("us-east-1"), + Credentials: credentials.NewSharedCredentials("", "default"), + }) + // This is our key wrap handler, used to generate cipher keys and IVs for + // our cipher builder. Using an IV allows more “spontaneous” encryption. + // The IV makes it more difficult for hackers to use dictionary attacks. + // The key wrap handler behaves as the master key. Without it, you can’t + // encrypt or decrypt the data. + keywrap := s3crypto.NewKMSKeyGenerator(kms.New(sess), cmkId) + // This is our content cipher builder, used to instantiate new ciphers + // that enable us to encrypt or decrypt the payload. + builder := s3crypto.AESGCMContentCipherBuilder(keywrap) + // Let's create our crypto client! + client := s3crypto.NewEncryptionClient(sess, builder) + + input := &s3.PutObjectInput{ + Bucket: &bucket, + Key: &key, + Body: strings.NewReader("Test Client-Side encryption"), + } + + _, err = client.PutObject(input) + // What to expect as errors? You can expect any sort of S3 errors, http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html. + // The s3crypto client can also return some errors: + // * MissingCMKIDError - when using AWS KMS, the user must specify their key's ARN + if err != nil { + log.Fatal(err) + } +} + From c9056754893bbf19830f5f0c788e9f8d1e9af36f Mon Sep 17 00:00:00 2001 From: Dezo2018 Date: Thu, 22 Sep 2022 10:57:05 -0400 Subject: [PATCH 2/3] removing files --- 10-kms/Practice-10.1/PlaintextFile | 1 - 10-kms/Practice-10.1/cmk_key.yml | 55 ------------------ 10-kms/Practice-10.1/encryptedFile | Bin 174 -> 0 bytes 10-kms/Practice-10.1/file.txt | 1 - 10-kms/Practice-10.1/scripts | 14 ----- 10-kms/Practice-10.2/NewFile.txt | 1 - 10-kms/Practice-10.2/go.mod | 10 ---- 10-kms/Practice-10.2/go.sum | 22 ------- .../Practice-10.2/s3_client_side_download.go | 55 ------------------ 10-kms/Practice-10.2/s3_client_side_upload.go | 55 ------------------ 10 files changed, 214 deletions(-) delete mode 100644 10-kms/Practice-10.1/PlaintextFile delete mode 100644 10-kms/Practice-10.1/cmk_key.yml delete mode 100644 10-kms/Practice-10.1/encryptedFile delete mode 100644 10-kms/Practice-10.1/file.txt delete mode 100644 10-kms/Practice-10.1/scripts delete mode 100644 10-kms/Practice-10.2/NewFile.txt delete mode 100644 10-kms/Practice-10.2/go.mod delete mode 100644 10-kms/Practice-10.2/go.sum delete mode 100644 10-kms/Practice-10.2/s3_client_side_download.go delete mode 100644 10-kms/Practice-10.2/s3_client_side_upload.go diff --git a/10-kms/Practice-10.1/PlaintextFile b/10-kms/Practice-10.1/PlaintextFile deleted file mode 100644 index 6675f302..00000000 --- a/10-kms/Practice-10.1/PlaintextFile +++ /dev/null @@ -1 +0,0 @@ -This is my secret file \ No newline at end of file diff --git a/10-kms/Practice-10.1/cmk_key.yml b/10-kms/Practice-10.1/cmk_key.yml deleted file mode 100644 index 704bbc4c..00000000 --- a/10-kms/Practice-10.1/cmk_key.yml +++ /dev/null @@ -1,55 +0,0 @@ -Description: AWS CMK Key - -Resources: - myKey: - Type: 'AWS::KMS::Key' - Properties: - Description: A symmetric encryption KMS key - EnableKeyRotation: true - PendingWindowInDays: 20 - KeyPolicy: - Version: 2012-10-17 - Id: key-default-1 - Statement: - - Sid: Enable IAM User Permissions - Effect: Allow - Principal: - AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root" - Action: 'kms:*' - Resource: '*' - - Sid: Allow administration of the key - Effect: Allow - Principal: - AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/desmond.ndambi.labs" - Action: - - 'kms:Create*' - - 'kms:Describe*' - - 'kms:Enable*' - - 'kms:List*' - - 'kms:Put*' - - 'kms:Update*' - - 'kms:Revoke*' - - 'kms:Disable*' - - 'kms:Get*' - - 'kms:Delete*' - - 'kms:ScheduleKeyDeletion' - - 'kms:CancelKeyDeletion' - Resource: '*' - - Sid: Allow use of the key - Effect: Allow - Principal: - AWS: !Sub "arn:aws:iam::${AWS::AccountId}:user/desmond.ndambi.labs" - Action: - - 'kms:DescribeKey' - - 'kms:Encrypt' - - 'kms:Decrypt' - - 'kms:ReEncrypt*' - - 'kms:GenerateDataKey' - - 'kms:GenerateDataKeyWithoutPlaintext' - Resource: '*' - - myAlias: - Type: 'AWS::KMS::Alias' - Properties: - AliasName: alias/ndambi - TargetKeyId: !Ref myKey diff --git a/10-kms/Practice-10.1/encryptedFile b/10-kms/Practice-10.1/encryptedFile deleted file mode 100644 index 4630c9e4002f05385c117521b5cb0c22ac647e70..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 174 zcmZQ%Vq&PcB71b>S3|Z-2d=ss8{P2TaO9D})we2U??Niyzg{@oP@M6}vr4XZz6IN+ zc0PCHcv!xJfq|jKpoooAtIebBJ1-+U+k#YsWF|%igE)j3qk$Y7XF{6?V=6NXqn?2v z3(vIeQ-t3f`FAcqDM*EhQJ}$a+WH;W@`Qd~bjbW_d0g64DDZbj({&fdkp93v<18Pa Xd4GOX{}wiOjPWZ`6W+CSxjrudY>Pw4 diff --git a/10-kms/Practice-10.1/file.txt b/10-kms/Practice-10.1/file.txt deleted file mode 100644 index 6675f302..00000000 --- a/10-kms/Practice-10.1/file.txt +++ /dev/null @@ -1 +0,0 @@ -This is my secret file \ No newline at end of file diff --git a/10-kms/Practice-10.1/scripts b/10-kms/Practice-10.1/scripts deleted file mode 100644 index f624bfba..00000000 --- a/10-kms/Practice-10.1/scripts +++ /dev/null @@ -1,14 +0,0 @@ -aws kms encrypt \ - --key-id fbc58ad0-2bac-40fe-96ee-5ebd24d2f006 \ - --plaintext fileb://file.txt \ - --output text \ - --query CiphertextBlob | base64 \ - --decode > encryptedFile - -aws kms decrypt \ - --ciphertext-blob fileb://encryptedFile \ - --key-id fbc58ad0-2bac-40fe-96ee-5ebd24d2f006 \ - --output text \ - --query Plaintext | base64 \ - --decode > PlaintextFile - diff --git a/10-kms/Practice-10.2/NewFile.txt b/10-kms/Practice-10.2/NewFile.txt deleted file mode 100644 index 158a0601..00000000 --- a/10-kms/Practice-10.2/NewFile.txt +++ /dev/null @@ -1 +0,0 @@ -Test Client-Side encryption diff --git a/10-kms/Practice-10.2/go.mod b/10-kms/Practice-10.2/go.mod deleted file mode 100644 index d6845094..00000000 --- a/10-kms/Practice-10.2/go.mod +++ /dev/null @@ -1,10 +0,0 @@ -module kms - -go 1.19 - -require ( - github.com/aws/aws-sdk-go v1.44.103 // indirect - github.com/aws/aws-sdk-go-v2 v1.16.16 // indirect - github.com/aws/smithy-go v1.13.3 // indirect - github.com/jmespath/go-jmespath v0.4.0 // indirect -) diff --git a/10-kms/Practice-10.2/go.sum b/10-kms/Practice-10.2/go.sum deleted file mode 100644 index 70c1397e..00000000 --- a/10-kms/Practice-10.2/go.sum +++ /dev/null @@ -1,22 +0,0 @@ -github.com/aws/aws-sdk-go v1.44.103 h1:tbhBHKgiZSIUkG8FcHy3wYKpPVvp65Wn7ZiX0B8phpY= -github.com/aws/aws-sdk-go v1.44.103/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= -github.com/aws/aws-sdk-go-v2 v1.16.16 h1:M1fj4FE2lB4NzRb9Y0xdWsn2P0+2UHVxwKyOa4YJNjk= -github.com/aws/aws-sdk-go-v2 v1.16.16/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k= -github.com/aws/smithy-go v1.13.3 h1:l7LYxGuzK6/K+NzJ2mC+VvLUbae0sL3bXU//04MkmnA= -github.com/aws/smithy-go v1.13.3/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= -github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= -github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= -github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= -github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= -golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= diff --git a/10-kms/Practice-10.2/s3_client_side_download.go b/10-kms/Practice-10.2/s3_client_side_download.go deleted file mode 100644 index 096e6e33..00000000 --- a/10-kms/Practice-10.2/s3_client_side_download.go +++ /dev/null @@ -1,55 +0,0 @@ -package main - -import ( - "fmt" - "io/ioutil" - "log" - - "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/aws/session" - "github.com/aws/aws-sdk-go/service/s3" - "github.com/aws/aws-sdk-go/service/s3/s3crypto" - "os" -) - -var ( - bucket = "kms-bucket-ndambi" - key = "clientside.txt" -) - -func main() { - sess := session.New(&aws.Config{ - Region: aws.String("us-east-1"),}) - - client := s3crypto.NewDecryptionClient(sess) - - input := &s3.GetObjectInput{ - Bucket: &bucket, - Key: &key, - } - - result, err := client.GetObject(input) - // Aside from the S3 errors, here is a list of decryption client errors: - // * InvalidWrapAlgorithmError - returned on an unsupported Wrap algorithm - // * InvalidCEKAlgorithmError - returned on an unsupported CEK algorithm - // * V1NotSupportedError - the SDK doesn’t support v1 because security is an issue for AES ECB - // These errors don’t necessarily mean there’s something wrong. They just tell us we couldn't decrypt some data. - // Users can choose to log this and then continue decrypting the data that they can, or simply return the error. - if err != nil { - log.Fatal(err) - } - - // Let's read the whole body from the response - b, err := ioutil.ReadAll(result.Body) - if err != nil { - log.Fatal(err) - } - //fmt.Println(string(b)) - - file, err := os.Create("NewFile.txt") - if err != nil { - fmt.Println(err) - return - } - fmt.Fprintf(file, "%v\n", string(b)) -} diff --git a/10-kms/Practice-10.2/s3_client_side_upload.go b/10-kms/Practice-10.2/s3_client_side_upload.go deleted file mode 100644 index 7f885b6b..00000000 --- a/10-kms/Practice-10.2/s3_client_side_upload.go +++ /dev/null @@ -1,55 +0,0 @@ -/* -Licensed under the MIT-0 license https://github.com/aws/mit-0 -*/ -package main - -import ( - "log" - "strings" - - "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/aws/credentials" - "github.com/aws/aws-sdk-go/aws/session" - "github.com/aws/aws-sdk-go/service/kms" - "github.com/aws/aws-sdk-go/service/s3" - "github.com/aws/aws-sdk-go/service/s3/s3crypto" -) - -var ( - cmkId = "fbc58ad0-2bac-40fe-96ee-5ebd24d2f006" - bucket = "kms-bucket-ndambi" - key = "clientside.txt" -) - -func main() { - sess, err := session.NewSession(&aws.Config{ - Region: aws.String("us-east-1"), - Credentials: credentials.NewSharedCredentials("", "default"), - }) - // This is our key wrap handler, used to generate cipher keys and IVs for - // our cipher builder. Using an IV allows more “spontaneous” encryption. - // The IV makes it more difficult for hackers to use dictionary attacks. - // The key wrap handler behaves as the master key. Without it, you can’t - // encrypt or decrypt the data. - keywrap := s3crypto.NewKMSKeyGenerator(kms.New(sess), cmkId) - // This is our content cipher builder, used to instantiate new ciphers - // that enable us to encrypt or decrypt the payload. - builder := s3crypto.AESGCMContentCipherBuilder(keywrap) - // Let's create our crypto client! - client := s3crypto.NewEncryptionClient(sess, builder) - - input := &s3.PutObjectInput{ - Bucket: &bucket, - Key: &key, - Body: strings.NewReader("Test Client-Side encryption"), - } - - _, err = client.PutObject(input) - // What to expect as errors? You can expect any sort of S3 errors, http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html. - // The s3crypto client can also return some errors: - // * MissingCMKIDError - when using AWS KMS, the user must specify their key's ARN - if err != nil { - log.Fatal(err) - } -} - From 5302173f17e2cd7f923019a1e8dfd111a65f6ef6 Mon Sep 17 00:00:00 2001 From: Dezo2018 Date: Fri, 21 Oct 2022 11:28:04 -0400 Subject: [PATCH 3/3] Lab 15 Kubernetes --- .../ecr/custom-deployment-lab71.yaml | 29 +++++ 15-Kubernetes/ecr/custom-deployment.yaml | 29 +++++ 15-Kubernetes/ecr/custom-service.yaml | 17 +++ 15-Kubernetes/ecr/ecr.yaml | 3 +- .../eksctl/busybox-pod-definition-lab-22.yaml | 103 ++++++++++++++++++ .../eksctl/busybox-pod-definition-lab-23.yaml | 69 ++++++++++++ 15-Kubernetes/eksctl/cluster.yaml | 2 +- .../eksctl/nginx-deployment-lab32.yaml | 67 ++++++++++++ .../eksctl/nginx-deployment-lab33.yaml | 24 ++++ .../eksctl/nginx-deployment-lab41.yaml | 24 ++++ 10 files changed, 365 insertions(+), 2 deletions(-) create mode 100644 15-Kubernetes/ecr/custom-deployment-lab71.yaml create mode 100644 15-Kubernetes/ecr/custom-deployment.yaml create mode 100644 15-Kubernetes/ecr/custom-service.yaml create mode 100644 15-Kubernetes/eksctl/busybox-pod-definition-lab-22.yaml create mode 100644 15-Kubernetes/eksctl/busybox-pod-definition-lab-23.yaml create mode 100644 15-Kubernetes/eksctl/nginx-deployment-lab32.yaml create mode 100644 15-Kubernetes/eksctl/nginx-deployment-lab33.yaml create mode 100644 15-Kubernetes/eksctl/nginx-deployment-lab41.yaml diff --git a/15-Kubernetes/ecr/custom-deployment-lab71.yaml b/15-Kubernetes/ecr/custom-deployment-lab71.yaml new file mode 100644 index 00000000..df1151b0 --- /dev/null +++ b/15-Kubernetes/ecr/custom-deployment-lab71.yaml @@ -0,0 +1,29 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app: custom-deployment + name: custom-deployment +spec: + replicas: 5 + selector: + matchLabels: + app: custom-deployment + strategy: {} + template: + metadata: + creationTimestamp: null + labels: + app: custom-deployment + spec: + containers: + - image: 324320755747.dkr.ecr.us-east-1.amazonaws.com/desmond-kubernetes:latest + name: custom-deployment + ports: + - containerPort: 3000 + env: + - name: REACT_APP_BG_COLOR + value: "#ffffff" + resources: {} +status: {} diff --git a/15-Kubernetes/ecr/custom-deployment.yaml b/15-Kubernetes/ecr/custom-deployment.yaml new file mode 100644 index 00000000..bb29dce0 --- /dev/null +++ b/15-Kubernetes/ecr/custom-deployment.yaml @@ -0,0 +1,29 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app: custom-deployment + name: custom-deployment +spec: + replicas: 1 + selector: + matchLabels: + app: custom-deployment + strategy: {} + template: + metadata: + creationTimestamp: null + labels: + app: custom-deployment + spec: + containers: + - image: 324320755747.dkr.ecr.us-east-1.amazonaws.com/desmond-kubernetes:latest + name: custom-deployment + ports: + - containerPort: 3000 + env: + - name: REACT_APP_BG_COLOR + value: "#094679" + resources: {} +status: {} diff --git a/15-Kubernetes/ecr/custom-service.yaml b/15-Kubernetes/ecr/custom-service.yaml new file mode 100644 index 00000000..4e604d70 --- /dev/null +++ b/15-Kubernetes/ecr/custom-service.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app: custom-deployment + name: custom-service +spec: + ports: + - port: 3000 + protocol: TCP + targetPort: 3000 + selector: + app: custom-deployment + type: LoadBalancer +status: + loadBalancer: {} diff --git a/15-Kubernetes/ecr/ecr.yaml b/15-Kubernetes/ecr/ecr.yaml index 4b0e6a8d..3a928db6 100644 --- a/15-Kubernetes/ecr/ecr.yaml +++ b/15-Kubernetes/ecr/ecr.yaml @@ -4,6 +4,7 @@ Description: "Kubernetes ECR Repository" Parameters: Prefix: Type: String + Default: desmond Description: ECR Repostory Prefix Resources: @@ -34,4 +35,4 @@ Resources: Outputs: ECRRepoName: Value: !Ref KubernetesECR - Description: ECR Repository Name \ No newline at end of file + Description: ECR Repository Name diff --git a/15-Kubernetes/eksctl/busybox-pod-definition-lab-22.yaml b/15-Kubernetes/eksctl/busybox-pod-definition-lab-22.yaml new file mode 100644 index 00000000..5f339a4f --- /dev/null +++ b/15-Kubernetes/eksctl/busybox-pod-definition-lab-22.yaml @@ -0,0 +1,103 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + kubernetes.io/psp: eks.privileged + creationTimestamp: "2022-10-21T13:19:40Z" + labels: + run: busybox + name: busybox + namespace: default + resourceVersion: "2840" + uid: 5852d2df-225d-4470-83f5-6ce2bb784cd4 +spec: + containers: + - args: + - sleep + - "3000" + image: busybox:latest + imagePullPolicy: Always + name: busybox + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access-4fqq2 + readOnly: true + dnsPolicy: ClusterFirst + enableServiceLinks: true + nodeName: ip-192-168-50-198.ec2.internal + preemptionPolicy: PreemptLowerPriority + priority: 0 + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + serviceAccount: default + serviceAccountName: default + terminationGracePeriodSeconds: 30 + tolerations: + - effect: NoExecute + key: node.kubernetes.io/not-ready + operator: Exists + tolerationSeconds: 300 + - effect: NoExecute + key: node.kubernetes.io/unreachable + operator: Exists + tolerationSeconds: 300 + volumes: + - name: kube-api-access-4fqq2 + projected: + defaultMode: 420 + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace +status: + conditions: + - lastProbeTime: null + lastTransitionTime: "2022-10-21T13:19:40Z" + status: "True" + type: Initialized + - lastProbeTime: null + lastTransitionTime: "2022-10-21T13:19:42Z" + status: "True" + type: Ready + - lastProbeTime: null + lastTransitionTime: "2022-10-21T13:19:42Z" + status: "True" + type: ContainersReady + - lastProbeTime: null + lastTransitionTime: "2022-10-21T13:19:40Z" + status: "True" + type: PodScheduled + containerStatuses: + - containerID: docker://248455dfecdaff499c1829b3e717843d2a1368a8438c082958f7008d0e06c6ed + image: busybox:latest + imageID: docker-pullable://busybox@sha256:9810966b5f712084ea05bf28fc8ba2c8fb110baa2531a10e2da52c1efc504698 + lastState: {} + name: busybox + ready: true + restartCount: 0 + started: true + state: + running: + startedAt: "2022-10-21T13:19:42Z" + hostIP: 192.168.50.198 + phase: Running + podIP: 192.168.55.137 + podIPs: + - ip: 192.168.55.137 + qosClass: BestEffort + startTime: "2022-10-21T13:19:40Z" diff --git a/15-Kubernetes/eksctl/busybox-pod-definition-lab-23.yaml b/15-Kubernetes/eksctl/busybox-pod-definition-lab-23.yaml new file mode 100644 index 00000000..17124914 --- /dev/null +++ b/15-Kubernetes/eksctl/busybox-pod-definition-lab-23.yaml @@ -0,0 +1,69 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + kubernetes.io/psp: eks.privileged + creationTimestamp: "2022-10-21T13:29:30Z" + labels: + run: busybox + name: busybox + namespace: default + resourceVersion: "4314" + uid: 44802981-6c85-411b-ab6f-2c96f8ad2330 +spec: + containers: + - args: + - ' --dry-run' + - sleep + - "3000" + image: busybox:latest + imagePullPolicy: Always + name: busybox + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access-k7564 + readOnly: true + dnsPolicy: ClusterFirst + enableServiceLinks: true + preemptionPolicy: PreemptLowerPriority + priority: 0 + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + serviceAccount: default + serviceAccountName: default + terminationGracePeriodSeconds: 30 + tolerations: + - effect: NoExecute + key: node.kubernetes.io/not-ready + operator: Exists + tolerationSeconds: 300 + - effect: NoExecute + key: node.kubernetes.io/unreachable + operator: Exists + tolerationSeconds: 300 + volumes: + - name: kube-api-access-k7564 + projected: + defaultMode: 420 + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace +status: + phase: Pending + qosClass: BestEffort diff --git a/15-Kubernetes/eksctl/cluster.yaml b/15-Kubernetes/eksctl/cluster.yaml index 11860e91..ff4e9d33 100644 --- a/15-Kubernetes/eksctl/cluster.yaml +++ b/15-Kubernetes/eksctl/cluster.yaml @@ -2,7 +2,7 @@ apiVersion: eksctl.io/v1alpha5 kind: ClusterConfig metadata: - name: stelligent-u-cluster + name: desmond-cluster region: us-east-1 # availabilityZones: ["us-east-1a", "us-east-1b"] diff --git a/15-Kubernetes/eksctl/nginx-deployment-lab32.yaml b/15-Kubernetes/eksctl/nginx-deployment-lab32.yaml new file mode 100644 index 00000000..ac4edf5b --- /dev/null +++ b/15-Kubernetes/eksctl/nginx-deployment-lab32.yaml @@ -0,0 +1,67 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + kubernetes.io/psp: eks.privileged + creationTimestamp: "2022-10-21T13:39:46Z" + labels: + run: nginx-deployment + name: nginx-deployment + namespace: default + resourceVersion: "5936" + uid: f6814e25-59d8-4170-b736-e2cf339e5196 +spec: + containers: + - args: + - ' --dry-run' + image: nginx:latest + imagePullPolicy: Always + name: nginx-deployment + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access-g6vfp + readOnly: true + dnsPolicy: ClusterFirst + enableServiceLinks: true + preemptionPolicy: PreemptLowerPriority + priority: 0 + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + serviceAccount: default + serviceAccountName: default + terminationGracePeriodSeconds: 30 + tolerations: + - effect: NoExecute + key: node.kubernetes.io/not-ready + operator: Exists + tolerationSeconds: 300 + - effect: NoExecute + key: node.kubernetes.io/unreachable + operator: Exists + tolerationSeconds: 300 + volumes: + - name: kube-api-access-g6vfp + projected: + defaultMode: 420 + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace +status: + phase: Pending + qosClass: BestEffort diff --git a/15-Kubernetes/eksctl/nginx-deployment-lab33.yaml b/15-Kubernetes/eksctl/nginx-deployment-lab33.yaml new file mode 100644 index 00000000..25766224 --- /dev/null +++ b/15-Kubernetes/eksctl/nginx-deployment-lab33.yaml @@ -0,0 +1,24 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app: nginx-deployment + name: nginx-deployment +spec: + replicas: 3 + selector: + matchLabels: + app: nginx-deployment + strategy: {} + template: + metadata: + creationTimestamp: null + labels: + app: nginx-deployment + spec: + containers: + - image: nginx:latest + name: nginx + resources: {} +status: {} diff --git a/15-Kubernetes/eksctl/nginx-deployment-lab41.yaml b/15-Kubernetes/eksctl/nginx-deployment-lab41.yaml new file mode 100644 index 00000000..bf36bd60 --- /dev/null +++ b/15-Kubernetes/eksctl/nginx-deployment-lab41.yaml @@ -0,0 +1,24 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app: nginx-deployment + name: nginx-deployment +spec: + replicas: 10 + selector: + matchLabels: + app: nginx-deployment + strategy: {} + template: + metadata: + creationTimestamp: null + labels: + app: nginx-deployment + spec: + containers: + - image: nginx:alpine + name: nginx + resources: {} +status: {}