AWS Web Application Can Securely Share Files With Internal And External Users
One of our customers requested a simple web application that can securely share files with internal and external users. Ready-to-use solutions such as Dropbox or Gladinet were not enough because the client had additional requirements for this web application. They are:
• The web page should show the name and size of all files stored in an S3 bucket.
• The web page should allow the user to select certain files and share them with any email address.
• Internal employees can view, upload and share the selected files, while external users can only view and share the selected files.
• External users should not be able to upload any files to the S3 bucket.
• When a file is shared, the recipient must receive an email with a download link; after authenticating, the recipient must be able to download the files with this link.
• The recipient must also be able to download the file from the application console.
Taking these requirements into account, we created a simple web application with which you can safely share files between internal and external users.
In this post, we walk you through the way the application works.
The application was built with S3 as the primary storage repository. The following AWS services were also used:
[Figure 1.1: cloud computing architecture]
• IAM role: assumed by users after login.
• IAM SAML provider: created with the metadata from the ADFS federation.
• S3 bucket: to upload and share files.
• AWS Cognito user pool: to create external users.
• AWS Cognito federated identity pool: with SAML and the Cognito user pool as authentication providers.
• AWS EC2 Ubuntu server: the application code is stored here and served through a web server.
• AWS EC2 Windows server: Active Directory and ADFS for managing internal users.
Prerequisites
S3 bucket
We create an S3 bucket named "private-cognito-s3" with the following CORS configuration:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>PUT</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
    <AllowedHeader>*</AllowedHeader>
  </CORSRule>
</CORSConfiguration>
```
For internal users
IAM role assumed by users
Create an IAM role with the following trust relationship:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "<cognito-federated-identity-pool-id>"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}
```
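The two conditions in this trust policy are what keep the role from being assumed by identities from some other Cognito identity pool (the `aud` check) or by unauthenticated guest identities (the `amr` check). The following Python checker is an added example, not code from the article or from the powerupcloud repository: it parses a trust policy document, finds every statement that trusts `cognito-identity.amazonaws.com`, and reports statements whose conditions do not pin the role to the expected identity pool and to authenticated identities. The policy document embedded in it is the one above, with the identity pool id left as the article's placeholder; `without_condition` is a constructed helper that produces a weakened copy so the check can be seen firing.

```python
import json

# Trust policy from the article, with the identity pool id left as a placeholder.
CORRECT_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "",
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {
                "cognito-identity.amazonaws.com:aud": "<cognito-federated-identity-pool-id>"
            },
            "ForAnyValue:StringLike": {
                "cognito-identity.amazonaws.com:amr": "authenticated"
            },
        },
    }],
})


def _single(value):
    # IAM condition values may be written as a one-element list; normalise for comparison.
    if isinstance(value, list) and len(value) == 1:
        return value[0]
    return value


def check_cognito_trust_policy(policy_json: str, expected_pool_id: str) -> list:
    """Return a list of findings for the Cognito statements in a role trust policy.

    An empty list means every statement that lets cognito-identity.amazonaws.com
    assume the role is bound to the expected identity pool and to authenticated
    identities only. Each finding names the statement index and the problem.
    """
    policy = json.loads(policy_json)
    findings = []
    cognito_statements = 0
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        federated = principal.get("Federated") if isinstance(principal, dict) else principal
        if federated != "cognito-identity.amazonaws.com":
            continue
        cognito_statements += 1
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(a in ("sts:*", "*") for a in actions):
            findings.append(f"statement {i}: action wildcard; expected sts:AssumeRoleWithWebIdentity only")
        elif actions != ["sts:AssumeRoleWithWebIdentity"]:
            findings.append(f"statement {i}: unexpected actions {actions}")
        cond = stmt.get("Condition", {})
        aud = _single(cond.get("StringEquals", {}).get("cognito-identity.amazonaws.com:aud"))
        if aud != expected_pool_id:
            findings.append(f"statement {i}: aud condition missing or bound to another identity pool")
        amr = _single(cond.get("ForAnyValue:StringLike", {}).get("cognito-identity.amazonaws.com:amr"))
        if amr != "authenticated":
            findings.append(f"statement {i}: amr condition does not restrict the role to authenticated identities")
    if cognito_statements == 0:
        findings.append("no statement trusts cognito-identity.amazonaws.com")
    return findings


def without_condition(policy_json: str, condition_key: str) -> str:
    """Constructed negative example: drop one condition block to show the check firing."""
    policy = json.loads(policy_json)
    for stmt in policy["Statement"]:
        stmt.get("Condition", {}).pop(condition_key, None)
    return json.dumps(policy)


if __name__ == "__main__":
    pool = "<cognito-federated-identity-pool-id>"
    print(check_cognito_trust_policy(CORRECT_TRUST_POLICY, pool))
    print(check_cognito_trust_policy(without_condition(CORRECT_TRUST_POLICY, "StringEquals"), pool))
```

Run it against the trust policy of the deployed role (for example the output of `aws iam get-role`) with the real identity pool id as `expected_pool_id`; an empty result means the role is scoped the way the article intends.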
SAML provider in AWS
Before you create a SAML provider, download the SAML metadata document from the ADFS federation server. By default, it is available at the following address:
https://<ADFSServerIP>/FederationMetadata/2007-06/FederationMetadata.xml
Create a SAML provider in IAM with this metadata file.
Configuring ADFS
We followed the linked guide to configure a Windows server for ADFS.
Once the server was provisioned, we created a relying party trust with the endpoints that point to our application, as shown in the image below.
In addition, we added the following claim rules to the trust.
Transform rules
Get the user's AD groups with the rule:
```
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://temp/variable"), query = ";tokenGroups;{0}", param = c.Value);
```
Roles
Provide the SAML provider ARN and the ARN of the IAM role to assume as the value:
```
=> issue(Type = "https://aws.amazon.com/SAML/Attributes/Role", Value = "arn:aws:iam::xxxxxxxx:saml-provider/Cognito-s3-saml,arn:aws:iam::xxxxxxx:role/ADFS-Readonly");
```
RoleSessionName: a transform rule with the outgoing claim type RoleSessionName.
For external users
Create a Cognito user pool
We created a Cognito user pool with an app client named "powerapp".
Then create a federated identity pool with both SAML and the Cognito user pool as authentication providers. We created a Cognito federated identity pool with the following authentication providers:
Cognito user pool: provide the user pool ID and the app client ID.
Implementation
We provisioned an Ubuntu server and configured the Nginx web server to serve the application. The application code is in the repository at https://github.com/powerupcloud/aws-private-file-sharing-tool. In addition, we use an API (the code is in the API directory of the repository) to authenticate AD users and redirect them to the correct page. Start the API with the following command:
node server.js
The API starts listening on port 8443.
Main application features
[Figure 1.2: cloud computing server]
• Users can see the contents of their own folder and a common folder. Users cannot access folders owned by other users.
• Internal users, that is, AD users, can view, upload and share the selected files with any internal or external user.
• External users, that is, Cognito users, can view and share the selected files with any internal or external user.
• After login, the user obtains temporary credentials to access the bucket. Existing files can be downloaded from the same console by clicking on the file name.
• When a file is shared with a user, they receive a download link at their email address. In addition, the file is copied to their folder in the same S3 bucket. For example, if user A shares a file with user B (userb@gmail.com), file A is copied to user B's folder, that is, the key structure is: S3Bucket/userb@gmail.com/usera@gmail.com/fileA.
• The download link is sent to that email address.
• If the recipient is already registered, they are prompted for their credentials and MFA to download the file.
• If the recipient is not registered, they are redirected to the registration page. Once registered, they are prompted to enter their credentials to download the file.
Application in action: internal employees
Step 1: Open the application URL.
Step 2: Enter the AD user credentials.
Step 3: After a successful login, the user is redirected to the S3 page. Note: we use the username as the prefix value, so the bucket structure is:
• private-cognito-s3
• user1@puc.com/files
• user2@gmail.com/files
• Common/files
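The access rules described in the feature list above (each user sees only their own prefix plus the common folder, internal users may upload, external users may not, and sharing copies the object into the recipient's folder under the sender's name) are small enough to write down as a reference model and test. The following Python is an added example, not code from the article or from the powerupcloud repository: `is_allowed` encodes the article's rules for a single bucket laid out with the username as prefix, `visible_objects` produces the listing a user would see, and `share` performs the copy that yields `userb@gmail.com/usera@gmail.com/fileA` for the article's example. The `User` type, the in-memory `store` dict standing in for the bucket, and the sample object keys are all constructed for the example.

```python
from dataclasses import dataclass

BUCKET = "private-cognito-s3"      # bucket name from the article
COMMON_PREFIX = "Common/"          # shared folder visible to every user


@dataclass(frozen=True)
class User:
    email: str
    internal: bool   # True: AD user via SAML; False: external user from the Cognito user pool


def home_prefix(user: User) -> str:
    # The article uses the username as the prefix, so each user's files live under "<email>/".
    return f"{user.email}/"


def is_allowed(user: User, action: str, key: str) -> bool:
    """Decide whether `user` may perform `action` on object `key`.

    Encodes the article's rules: everyone sees only their own folder and Common/,
    internal users may also upload, external users may never upload.
    """
    in_home = key.startswith(home_prefix(user))
    in_common = key.startswith(COMMON_PREFIX)
    if not (in_home or in_common):
        return False                      # another user's folder is never reachable
    if action in ("list", "get", "share"):
        return True
    if action == "put":
        return user.internal              # external users cannot upload
    return False                          # unknown action: deny by default


def visible_objects(user: User, keys) -> list:
    """The listing the web page would show this user (names only; sizes come from S3)."""
    return sorted(k for k in keys if is_allowed(user, "list", k))


def share(store: dict, owner: User, recipient_email: str, key: str) -> str:
    """Copy `key` into the recipient's folder and return the new key.

    Mirrors the article: sharing fileA from user A with user B produces
    userb@gmail.com/usera@gmail.com/fileA inside the same bucket. `store` is a
    constructed in-memory stand-in for the bucket, mapping key -> content.
    """
    if not is_allowed(owner, "share", key):
        raise PermissionError(f"{owner.email} may not share {key}")
    if key not in store:
        raise KeyError(key)
    filename = key.rsplit("/", 1)[-1]
    dest = f"{recipient_email}/{owner.email}/{filename}"
    store[dest] = store[key]
    return dest


# Constructed sample bucket contents (key -> content).
SAMPLE_BUCKET = {
    "usera@gmail.com/fileA": b"report",
    "usera@gmail.com/fileB": b"notes",
    "userb@gmail.com/invoice.pdf": b"pdf",
    "Common/handbook.pdf": b"pdf",
}


if __name__ == "__main__":
    user_a = User("usera@gmail.com", internal=True)
    user_b = User("userb@gmail.com", internal=False)
    store = dict(SAMPLE_BUCKET)
    print(visible_objects(user_b, store))
    dest = share(store, user_a, user_b.email, "usera@gmail.com/fileA")
    print(dest, visible_objects(user_b, store))
```

The prefix test uses the trailing slash deliberately: `usera@gmail.com/` does not match a key under `usera@gmail.com.other/`, which matters because the IAM policy attached to the assumed role must make the same distinction when it scopes `s3:ListBucket` and `s3:GetObject` to the user's prefix.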
Step 4: Logged in as this user, we can see the contents of our own folder and cannot see the contents of other folders.
Step 5: We can select files and share them with any email address.
Step 6: If the email address is already registered in the AWS Cognito user pool, the download link prompts for login credentials.
Step 7: After entering the credentials, the user is also asked for the code sent to the registered mobile number.
Step 8: After a successful login, the user can download the file. If the email is sent to an unregistered user, the workflow is as shown in the screenshots below.
Step 9: The download link redirects the recipient to the registration page.
Step 10: Once registered, the recipient enters their credentials on the next page.
Step 11: After logging in correctly, the recipient can download the file.
Application in action: external employees
Step 1: Log in as an external user.
Step 2: After entering the credentials, you are prompted for the code sent to your phone number.
Step 3: After a successful login, you are redirected to the S3 page, where you can view and share files.