AWS Key Encryption
This mApp® Solution uses AWS Access keys to make direct API calls to AWS. These keys are securely encrypted and used in the Generate Amazon Signature Action Block to generate a signature according to Amazon's sig4 signing process.
This topic covers the encryption process in this mApp Solution as well as some CSM encryption best practices. For details about how to authenticate with keys after applying this mApp Solution, see Configure AWS IAM for CSM and Add AWS Access Keys to CSM.
Encrypt Sensitive Data
To use this mApp Solution, your system is required to store private API keys in the database. You should rotate these keys as per AWS recommendation. For more details, see Best practices for managing AWS access keys.
While there is field-level encryption available in CSM, it is not designed to be used for values required in expressions and One-Step™ Actions. Instead, use the encryption modifier for these values.
There are three components needed for encryption with a modifier:
- Encryption Key: The Encryption Key is designed to be a global key unique to your CSM instance. When you apply the mApp Solution, this value will be blank. It will be set the first time you enter an encrypted value for your system, using the Set Encryption Key Action Block.
- Nonce: The nonce changes per encrypted value. A nonce is generated automatically for every record in the AWS Account table, where key values are stored.
- Value to be encrypted: In this case the secret key part of the AWS Access key
The encryption modifier uses both the Encryption key and the nonce values to encrypt and decrypt the AWS secret key value. Once a value has been encrypted using the key and nonce values, you will need those same values to decrypt it. Ensure that your nonce and encryption key values are not overwritten or accidentally changed as this would leave you unable to decrypt these values and make authenticated calls to the AWS API.
Secure Authentication to AWS
To facilitate authenticated AWS requests, there are two Action Blocks used by CSM to provide secure, encrypted authentication.
Set Encryption Key
The Set Encryption Key Action Block is called by the Store Secret Key One-Step Action to set the Encryption Key stored value, if it is empty.
The Set Encryption Key Action Block then checks to see whether the encryption key is currently populated. If it is, the Action Block cancels, but does not stop running the rest of the Store Secret Key One-Step Action. Although there is no need to set the encryption key if the value exists for the system, we do want to continue storing the secret key.
Generate Amazon Signature
The Generate Amazon Signature Action Block follows the standard Signature Version 4 signing process from Amazon. See Signature 4. This Action Block is the only one stored in the Blueprint scope as it is delicate and should not be changed, unless the signing process itself changes. Its reusability means that each call doesn’t need to add in these authentication steps (which can be difficult to troubleshoot), only call the Action Block and pass it the correct parameters for the specific API call.
Example: In the SearchProductsAsAdmin call, the Get Products As Admin Action Block calls the Generate Amazon Signature Action Block in step 2. See Search Products as Admin.
It then passes header information for the SearchProductAsAdmin call, which will be used by the Generate Amazon Signature Action Block to authenticate that specific call.
Decryption and Use of the AWS Secret Key
This mApp Solution implements the AWS Signature Version 4 (sig4) signing process within the Generate Amazon Signature Action Block. This block handles key decryption at the point where the key is used, to ensure that it is decrypted at the last possible moment. At no point is the secret key value stored or output to plain text.