AWS Solutions Architect – Associate Certification – Quick Notes

Earlier this week, I attempted (and passed!!) the AWS Solutions Architect – Associate certification.

This was my first look at an Amazon certification and here is a short write-up on my experience.

Worthy investment of time and money?

Depends how you look into it.

It’s a multiple-choice test, so there is a risk of this certification not reflecting the actual experience/practical skill of the taker – someone with a better than average memory could just read through the documentation and possibly clear the exam.

Maybe yes…

…but the test was not quite what I expected it to be – it was very scenario based – things that you can answer only if you have done hands-on deployments on AWS, or at least have done web-based application deployment (in general) in the past.

Some of the questions are common-sense experience questions that test your generic N-tier architecture, network protocol and port-level skills/understanding. These questions have nothing to do with AWS as such, which makes sense considering that as an Architect there are certain skills one must have irrespective of the platform.

In fact there are no “what’s the full form of XZY service?” type of questions, at least in my test.

Worthy? – I’d say yes! Considering the level of adoption of AWS in different sectors, it’s almost certain that everyone in the technology sector will come in contact with AWS at some point. This certification/syllabus provides a very good introductory exposure to AWS.

Preparation Material:

1) AWS Certified Solutions Architect – Associate 2015 – Ryan Kroonenburg (Udemy link)

Do I recommend this? – Absolutely Yes! The training is very well paced and the hands-on labs are very thorough. Ryan’s lectures are easy to follow.

Note: While this training has almost everything you need for this test, either as part of the lectures or as additional information pointers, passing the final exam will require you to go the extra mile by actually following those pointers. Please do.

2) AWS FAQs – I referred the general ones for VPC, EC2, S3, EBS, RDS, SQS

Do I recommend this? – Absolutely Yes! Read as many as you can.

3) Whitepapers – I was already versed with the AWS Security Best Practices one but I did read the following:

  1. Amazon Web Services: Overview of Security Processes
  2. Storage Options in the AWS Cloud
  3. Architecting for the AWS Cloud: Best Practices

Do I recommend this? – Absolutely Yes!

Practice Exam:

1) AWS Practice Test – For $20 it gives a sense of the exam interface – that’s the only benefit I got out of this test.

Do I recommend this? – Not a must do.

2) Acloudguru AWS practice test on Android – Unlike the training program, which is awesome, this app is more “work in progress”-like; there are a lot of questions (ones that are not in the course tests) but not many scenario-based ones. I am sure this will improve over time.

Do I recommend this? – Again, not a must do, but considering the number of questions it may be worth a look if you can spare ~$20. I did and don’t regret it.

Some additional notes:

My AWS experience:

I am an Applications Security Engineer by profession and my primary work responsibilities do not involve going hands-on with AWS deployments on a day-to-day basis. My AWS responsibilities are mainly limited to security-related consultancy on an as-needed basis.

The reason I wanted to take this certification is to vet my knowledge in carrying out that responsibility.

Note that I do have substantial web application architecture/development/deployment/security experience.

For those on the fence about whether they can pass the exam or not: The reason I mentioned my experience with AWS above is to drive home the point that on a Novice to Expert scale, I would rate myself as a low intermediate on all but one domain (security!) covered in this exam, and I passed.

So, with the right amount of time and focus, you can too!

Diffie-Hellman key exchange

Diffie-Hellman – Layman terms

Basic info (table 1):

(2^x)^y = 2^(xy) = (2^y)^x

For DH, x and y are very large numbers.

Step 1: GB selects a large random number, x.

Step 2: GB raises 2 to the power of x and obtains, say, G (= 2^x).

Step 3: GB sends G to SB.

Step 4: SB selects a large random number, y.

Step 5: SB raises 2 to the power of y and obtains, say, S (= 2^y).

Step 6: SB sends S to GB.

Step 7: The following calculations are performed. GB knows x and has received S; SB knows y and has received G:

GB calculations            SB calculations
S^x                        G^y
(2^y)^x   from Step 5      (2^x)^y   from Step 2
2^(yx)    from table 1     2^(xy)    from table 1
(2^x)^y   from table 1     (2^x)^y   from table 1

Step 8: Both SB and GB now hold the same shared secret, 2^(xy), without ever having transferred it.
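The exchange above, as an added example (not from the original post), in Python. One thing is added that the layman sketch leaves out: every power is reduced modulo a prime p, because with plain 2^x an eavesdropper reads x straight off G (the last function shows that). The parameters p = 23 and g = 5 are toy values chosen here for readability; real deployments use a standardised group with a prime of at least 2048 bits.

```python
import secrets

# Toy parameters, constructed for illustration only (assumption: the post's
# sketch omits the modulus; real DH reduces every power modulo a large prime p).
P = 23   # a small prime, so the numbers stay readable
G = 5    # generator; the post uses base 2, the mechanics are identical


def dh_public(private, g=G, p=P):
    """Steps 2 and 5: raise the generator to the private exponent, mod p."""
    return pow(g, private, p)


def dh_shared(peer_public, private, p=P):
    """Step 7: raise the peer's public value to our own private exponent, mod p."""
    return pow(peer_public, private, p)


def random_private(p=P):
    """Steps 1 and 4: a private exponent drawn from a CSPRNG, in [2, p-2]."""
    return 2 + secrets.randbelow(p - 3)


def exchange(x, y, g=G, p=P):
    """Run the whole GB/SB exchange with fixed exponents; return both sides' secrets."""
    gb_public = dh_public(x, g, p)          # G = g^x, sent GB -> SB (step 3)
    sb_public = dh_public(y, g, p)          # S = g^y, sent SB -> GB (step 6)
    gb_secret = dh_shared(sb_public, x, p)  # GB computes S^x = (g^y)^x
    sb_secret = dh_shared(gb_public, y, p)  # SB computes G^y = (g^x)^y
    return gb_secret, sb_secret


def recover_exponent_without_modulus(public):
    """Why the modulus matters: with plain 2^x (no reduction), the exponent is
    just the bit length of the public value, so x is readable from G alone."""
    return public.bit_length() - 1


if __name__ == "__main__":
    x, y = random_private(), random_private()
    gb, sb = exchange(x, y)
    print(f"x={x} y={y} secrets agree: {gb} == {sb} -> {gb == sb}")
    print("plain 2^x leaks x:", recover_exponent_without_modulus(2 ** 40))
```

With x = 6 and y = 15 the public values are 8 and 19 and both sides arrive at the secret 2; the random run in the main block agrees every time because (g^y)^x and (g^x)^y are the same element of the group.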

HTTP Secure Headers – How prevalent are these?

Recently Twitter added Public Key Pinning to their SecureHeaders Ruby Gem. There are 8 security headers now.

I wanted to check the prevalence of these secure HTTP headers amongst the top websites to get a sense of the awareness around these very efficient mechanisms for addressing a plethora of security-related issues.

For reference, CSP is documented here.

I checked most of the sites on the publicly available Fortune.com list of the 2014 top 500 sites on the web, and the stats for the 8 headers that the SecureHeaders Ruby gem covers are:

Header                                   Sites
CSP                                          2
HTTP Strict Transport Security (HSTS)        5
X-Frame-Options (XFO)                       81
X-XSS-Protection                            12
X-Content-Type-Options                      26
X-Download-Options                           0
X-Permitted-Cross-Domain-Policies            1
Public Key Pinning                           0

This is not a comprehensive test (and possibly not error free) but these numbers do point towards a possible lack of adoption for these gradually improving (and easy to use) security enforcement mechanisms.

Part of the reason for this may be the touch of unreliability in the way browsers enforce these checks (for example X-Download-Options is supported only on Internet Explorer), but considering that these do not break anything if used sensibly (like the report-only settings of CSP and Public Key Pinning), they can be used to gradually improve the security stance of most websites without much effort.

Note: Tristan Waldear has created a Python-Flask package for the same headers and is hosted here.
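An added example of the kind of check behind those numbers, written here in Python and not taken from the post or from the SecureHeaders gem: parse the header block of each HTTP response and tally which of the 8 headers are present. The header names are the real ones each mechanism uses (Public Key Pinning is sent as Public-Key-Pins); the three sample responses are constructed and stand for no real site. Note that the report-only variant of CSP is a different header name, so it is counted as absent, which matches the gem's enforcing header.

```python
from collections import Counter

# Mechanism label -> the response header that carries it
SECURE_HEADERS = {
    "CSP": "Content-Security-Policy",
    "HSTS": "Strict-Transport-Security",
    "XFO": "X-Frame-Options",
    "X-XSS-Protection": "X-XSS-Protection",
    "X-Content-Type-Options": "X-Content-Type-Options",
    "X-Download-Options": "X-Download-Options",
    "X-Permitted-Cross-Domain-Policies": "X-Permitted-Cross-Domain-Policies",
    "Public Key Pinning": "Public-Key-Pins",
}


def parse_headers(raw_response):
    """Parse the header block of a raw HTTP response into a dict keyed by the
    lower-cased header name; header names are case-insensitive on the wire."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:   # index 0 is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def present_headers(headers):
    """Return the set of mechanism labels whose header is present."""
    return {label for label, name in SECURE_HEADERS.items() if name.lower() in headers}


def tally(raw_responses):
    """Count, per mechanism, how many of the responses carry its header."""
    counts = Counter({label: 0 for label in SECURE_HEADERS})
    for raw in raw_responses:
        counts.update(present_headers(parse_headers(raw)))
    return counts


# Constructed sample responses (not captured from any real site)
SAMPLES = [
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\nx-content-type-options: nosniff\r\n\r\n<html>",
    "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n"
    "Content-Security-Policy-Report-Only: default-src 'self'\r\n"
    "X-Frame-Options: DENY\r\n\r\n",
    "HTTP/1.1 302 Found\r\nLocation: https://example.test/\r\n\r\n",
]

if __name__ == "__main__":
    for label, n in tally(SAMPLES).items():
        print(f"{label:36s} {n}")
```

Over the three constructed samples the tally is XFO 2, HSTS 1, X-Content-Type-Options 1 and zero for the rest; to survey real sites, feed the raw response text of each fetch into tally().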

Drag Microsoft Office Excel Conditional format…

For the umpteenth time, I spent >2 hours figuring out a way to drag my custom conditional format incrementally across Excel rows.

Here is the use case:

I have an Excel spreadsheet that contains columns that look like below:

[screenshot: ExcelBlog-Pic-1]

The custom format that I needed was:

1) Fill Green if the value in the cells in B, C and D is greater than or equal to the value in cell A for that row.

2) Fill Yellow if the value in the cells in B, C and D is less than the value in cell A for that row.

Exact Requirement: I want to create the formatting for the cells in one row, drag it down and expect Excel to do the incremental adjustments to the cell values as needed.

By default when I create the formula using the “Conditional Formatting” option it creates something like this:

[screenshot: ExcelBlog-Pic-2]

If I “Format Paint” other cells then the “Cell Value < $C$1” remains static. I wanted it to change based on the row it is on.

The fix was simple (I think there are other, better ways too!):

1) In the formula remove the $ from the “Cell Value…” reference for the value that needs to change with the row (the $ makes the reference absolute; without it the row part is adjusted relative to each cell the format is painted onto). When I updated the formula like below I was able to format paint it over other cells:

[screenshot: ExcelBlog-Pic-3]

In retrospect, that was simple…

Queue with 2 Stacks – Python

Problem – Implement a Queue with two Stacks

Language used: Python

Notes:
Queue is a FIFO DS and supports two methods: Enqueue and Dequeue
Enqueue -> Adds an item to the Queue
DeQueue -> Removes an item from the Queue
Stack is a LIFO DS and supports two methods: PUSH and POP
PUSH -> Adds an item to the top of the stack
POP -> Removes the item at the top of the stack

I will use the following algorithm:
1. PUSH the item onto stack1 in the Enqueue method of the queue
2. When an item needs to be Dequeued, POP the items from stack1 and PUSH all but the last one onto stack2
3. POP the last item in stack1; this is the first item inserted in the stack and, in the spirit of
the Queue’s FIFO attribute, needs to be the item returned via dequeue.
4. PUSH the items in stack2 back onto stack1

Python specific nuts and bolts: I used Python lists as stacks. Note that lists can be used directly as a queue too.

class QueueWith2Stack:
    def __init__(self):
        self.list1 = list()   # stack1: holds the items in insertion order
        self.list2 = list()   # stack2: scratch space used while dequeuing

    # Add an item to our queue (step 1): push onto stack1
    def enq(self, item):
        self.list1.append(item)

    # Return the oldest item from the queue (steps 2 to 4)
    def deq(self):
        if not self.list1:
            raise IndexError("dequeue from an empty queue")
        # Step 2: pop everything but the bottom item off stack1 onto stack2
        while len(self.list1) > 1:
            self.list2.append(self.list1.pop())
        # Step 3: the remaining item is the first one inserted
        item = self.list1.pop()
        # Step 4: restore the original order by popping stack2 back onto stack1
        while self.list2:
            self.list1.append(self.list2.pop())
        return item

Working through a programming refresher in Udemy – the program is quite good!

GameSec – Unity3D – 1

Unity’s documentation is pretty good for developers who want to create cool games, but the pages on critical supporting features like security are not very detailed. Make no mistake, Unity does have good security features, like the web player sandbox, that help maintain the security posture, but I feel the documentation coverage on these needs to be more detailed.

As I try to get more acquainted with Unity’s world of game development I am taking some notes on the questions I had, and kind of got answers to. And hence the ramblings below 🙂

Unity Security – Permissions Policy files

There are two security policy files that control which content a Unity web player is allowed to access: crossdomain.xml and the socket security policy file.

Difference between the crossdomain.xml file and the socket security policy file:

The crossdomain.xml file affects HTTP, HTTPS and FTP access to content on a server and has no effect on socket connections. To restrict socket connections, a socket policy server is required to allow, or disallow, socket access by the Unity web player.

Does Unity use/require both crossdomain.xml as well as the socket security policy files?

Yes! While both files use the same policy schema, the crossdomain.xml file only defines permissions on the web services hosted on the server where it is placed, whereas the socket security policy applies to all TCP/UDP socket connections to that server.

For Unity, the HTTP-served policy file, crossdomain.xml, is relevant for the WWW class in the UnityEngine namespace. For domains other than the one hosting the unity3d file, the Unity web player expects crossdomain.xml to be available on the domain it wants to access with the WWW class.

Unity Socket Connections

Before Unity web players can connect to any server, like the ones on the network, the hosts must permit such connections. The hosts manage the socket-level connection permissions using the socket policy file.

This socket security policy file is by default hosted by the target host on port 843.

Note: The socket security policy file can be hosted on other ports as well. The functional difference with a non-default port is that it must be manually fetched with Security.PrefetchSocketPolicy() API call and if it is hosted on a port higher than 1024 the policy can only give access to other ports higher than 1024.

A socket policy file defines which hosts (think client) can connect to a system (think server) and to which ports those hosts are permitted to connect.

The format used for the Unity socket policy file is similar to that used by the Flash player. The schema of the file is as below:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!ELEMENT cross-domain-policy (allow-access-from*)>
<!ELEMENT allow-access-from EMPTY>
<!ATTLIST allow-access-from domain CDATA #REQUIRED>
<!ATTLIST allow-access-from to-ports CDATA #REQUIRED>


Example Unity security socket policy file:

<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" to-ports="80, 443"/>
</cross-domain-policy>


This policy effectively says “Content from any domain is free to make socket connections to ports 80 and 443”. The Unity web player will reject any attempted socket connection to a port outside that set and will throw a SecurityException.

Note: The to-ports field in the allow-access-from element of the socket security policy file specifies which ports are available to the Unity web player trying to connect to the server. While wildcards (“*”), port ranges and/or individual ports can be specified within this field, it is recommended that administrators specify only those ports to which they explicitly want to allow the connecting web player access.

The main points of distinction between the Flash and Unity socket security policy file are:

  1. A limitation of Unity’s socket policy file vis-à-vis the Flash socket policy file is that the Unity web player only supports “*” as a valid value for the domain setting. The implication is that any web player in the wild can attempt to establish socket connectivity to the server.
  2. The Unity webplayer does not support the and tags.
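An added example, not Unity's code and not from the post, of a small reviewer's tool for these policy files written against the schema above in Python: it parses the cross-domain-policy document, expands the to-ports value (wildcard, ranges and single ports), answers whether a given port is open, and flags two things a defender would want to know about: a to-ports wildcard, and ports at or below 1024 being listed when the policy is served from a port above 1024 (which, per the note above, cannot grant them). The sample policy is constructed, modelled on the example in the post with a port range added.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy, modelled on the post's example with a range added
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" to-ports="80, 443, 2000-2010"/>
</cross-domain-policy>"""


def parse_ports(spec):
    """Expand a to-ports value: '*' (every port), 'lo-hi' ranges, single ports,
    comma separated. Returns None for the wildcard, otherwise a set of ports."""
    spec = spec.strip()
    if spec == "*":
        return None
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(p) for p in item.split("-", 1))
            if not 0 < lo <= hi <= 65535:
                raise ValueError(f"bad port range: {item}")
            ports.update(range(lo, hi + 1))
        else:
            port = int(item)
            if not 0 < port <= 65535:
                raise ValueError(f"bad port: {item}")
            ports.add(port)
    return ports


def parse_policy(xml_text):
    """Return a list of (domain, ports) rules from a cross-domain-policy document."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError(f"unexpected root element: {root.tag}")
    rules = []
    for el in root.findall("allow-access-from"):
        # both attributes are #REQUIRED in the schema, so a missing one is an error
        rules.append((el.attrib["domain"], parse_ports(el.attrib["to-ports"])))
    return rules


def port_allowed(rules, port):
    """Would a web player be allowed to connect to this port under these rules?"""
    return any(ports is None or port in ports for _, ports in rules)


def audit(rules, served_on_port=843):
    """Review findings: wildcard port grants, and privileged ports listed while
    the policy is served from a port above 1024 (the post notes such a policy
    can only open ports above 1024, so those entries are dead weight at best)."""
    findings = []
    for domain, ports in rules:
        if ports is None:
            findings.append(f"domain={domain}: to-ports='*' opens every port")
        elif served_on_port > 1024 and any(p <= 1024 for p in ports):
            findings.append(
                f"domain={domain}: ports <= 1024 listed but policy served on port {served_on_port}")
    return findings


if __name__ == "__main__":
    rules = parse_policy(SAMPLE_POLICY)
    print("443 allowed:", port_allowed(rules, 443), "| 22 allowed:", port_allowed(rules, 22))
    print("findings on default port 843:", audit(rules))
    print("findings if served on 8843:", audit(rules, 8843))
```

Because the domain attribute can only be "*", the audit does not bother checking it; the port list is the only thing the file actually constrains, which is why the findings concentrate there.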

 

To be continued…

 

CORS – Cross Origin Resource Sharing – A Simple Example

Local setup (I did it on Windows 7 and IIS):

1. Created two websites made to run on two different ports. In IIS a new website can be created using the option shown in the screenshot below:

[screenshot: clip_image001]

A note about Same Origin: most modern browsers define the following combination as “same origin” – scheme (protocol), domain and port number. As far as I know Internet Explorer tends to behave differently as it did not consider the port number, but my memory may need a refresh with the latest releases; other browsers are quite consistent.

The two sites I created were accessible using the following URLs:

i. http://localhost:8098/ – I called it Site 1
ii. http://localhost:8099/ – I called it Site 2

So for the sake of the SOP these two are different-origin sites even though they are on the same web server sitting in two adjacent folders 🙂 I created three landing pages:

i. cors.php on Site 1
ii. site1processor.php on Site 1
iii. site2processor.php on Site 2

The code for each is as below:

cors.php – Site 1 on port 8098, accessible via URL: http://localhost:8098/cors.php

[image]

site1processor.php – Site 1 on port 8098, accessible via URL: http://localhost:8098/site1processor.php

[image]

site2processor.php – Site 2 on port 8099, accessible via URL: http://localhost:8099/site2processor.php

[image]

I un-commented the following snippet in the cors.php file:

[image]

This submits a request to Site 1, which is “same origin” with cors.php. The request executes just fine and the “Success” alert pops up.

Now I comment the above code and un-comment the following snippet:

[image]

This submits a request to Site 2, which is a different origin from the one where cors.php is hosted. Looking at the console window of the developer tools (Chrome, F12) I see the following message:

[screenshot: clip_image003]

That is, Site 2 does not permit access to its pages from any other origin. In case Site 2 wants to allow access to some content from other origins, there is an option to enable that: the Access-Control-Allow-Origin header.

I tried the Access-Control-Allow-Origin header option by adding this header to the response from the site2processor.php file. The code for site2processor.php now looks like below:

[image]

What the above code change effectively does is allow access to the page site2processor.php hosted on Site 2 from Site 1. Now when the following line of code is executed from http://localhost:8098/cors.php, the success pop-up is displayed, implying that the request was successful:

[image]
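The two rules at work in this walkthrough, as an added example in Python (the post's own PHP is only shown as screenshots, so none of this is the post's code): the browser's same-origin comparison on the (scheme, host, port) tuple, which is why port 8098 and port 8099 on the same machine count as different origins, and the server-side decision that site2processor.php makes when it emits Access-Control-Allow-Origin. The allow-list approach below echoes the requesting origin only when it is on the list; it is this page's suggested way of writing that decision, not what the post's PHP did, and it assumes the server reads the browser's Origin request header.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Reduce a URL to its (scheme, host, port) origin tuple, filling in the
    scheme's default port so http://a/ and http://a:80/ compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    host = parts.hostname.lower() if parts.hostname else ""
    return (scheme, host, port)


def same_origin(url_a, url_b):
    """The browser rule quoted in the post: scheme, host and port must all match."""
    return origin_of(url_a) == origin_of(url_b)


def origin_header_value(url):
    """The string a browser sends in the Origin request header for a page at url."""
    scheme, host, port = origin_of(url)
    if port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def cors_response_headers(request_origin, allowed_origins):
    """Server side (what site2processor.php decides): echo the requesting origin
    only if it is on the allow-list. A '*' entry marks the resource as public.
    Vary: Origin is always set so a shared cache keys the response on origin."""
    headers = {"Vary": "Origin"}
    if request_origin is None:          # same-origin or non-browser request
        return headers
    if "*" in allowed_origins:
        headers["Access-Control-Allow-Origin"] = "*"
    elif request_origin in allowed_origins:
        headers["Access-Control-Allow-Origin"] = request_origin
    return headers


if __name__ == "__main__":
    site1_page = "http://localhost:8098/cors.php"
    site2_page = "http://localhost:8099/site2processor.php"
    print("same origin?", same_origin(site1_page, site2_page))
    origin = origin_header_value(site1_page)
    print("Site 2 allows Site 1:", cors_response_headers(origin, {"http://localhost:8098"}))
    print("Site 2 default:", cors_response_headers(origin, set()))
```

Without an entry for http://localhost:8098 the response carries no Access-Control-Allow-Origin header, which is the state the console error in the walkthrough reports; adding the entry produces the header the fixed site2processor.php returns.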

“No such host is known” error for new TcpClient socket connection set up

“No such host is known” error for new TcpClient socket connection set up using .Net Framework classes

I was trying to create a TCP socket connection to check .NET’s SSL certificate validation process and was using the TcpClient constructor from the System.Net.Sockets namespace.

The constructor has a signature like below:

public TcpClient(string hostname, int port)

The hostname is the DNS name of the remote host to which you intend to connect.

The code I wrote and the error was as below.

TcpClient clientFor = new TcpClient("https://developers.facebook.com", 443);

[image]

The funny thing is I put the URI in the host name argument instead of the DNS name.

The fix was simple:

TcpClient clientFor = new TcpClient("developers.facebook.com", 443);

Rails – Routes/resources

Routes in Rails are already confusing for a “new to Ruby” person like myself. All my understanding of the fundamentals (read from http://guides.rubyonrails.org/routing.html) went for a walk when I saw the following in the routes.rb file of one of the projects:

resources :photos

AND

But the controller, PhotosController only contained definition for show.

Where are the other methods???

As usual http://stackoverflow.com/ came to the rescue and Miguel, Rajesh and Oliver provided the reasoning.

This note is to summarize the discussion on the thread here: http://stackoverflow.com/questions/18699721/rails-resource-controllers.

When someone defines a resource in routes.rb using the syntax above, Rails creates the following 7 routes (HTTP method plus path), each mapped to a controller action:

HTTP method   Route              Action
GET           /photos            index
GET           /photos/new        new
POST          /photos            create
GET           /photos/:id        show
GET           /photos/:id/edit   edit
PUT/PATCH     /photos/:id        update
DELETE        /photos/:id        destroy

 

If we want our application to act on these requests then we have to define the corresponding actions in the controller class, PhotosController.

In cases where the route is defined using [resources    :photos] and one or more of these action methods are not defined in the controller, Rails will throw an exception (code 500).

So what is the correct way to define only the action methods that we will use? As mentioned by Oliver/Miguel in the stackoverflow.com thread, use a definition like one of the following when defining the route:

resources :photos, only: [:show, :index, <other action methods you NEED>]

OR

resources :photos, except: [:create, :new, <other action methods you DO NOT NEED>]

Java ‘Mis’ adventures :) – Stumbling block 1 – Putting class files in a different location than the source file

Creating the package directory structure and putting class files in a different location than the source file:

1. Create a folder structure that suits the purpose and taste. Here is what worked for me: [screenshot: clip_image001]

2. “Dir” inside Code_Labs: [screenshot: clip_image002]

3. Created and saved my .java file (with the package definition as the first line) in the source folder I created inside Code_Labs. [screenshot: clip_image003]

4. Compile the code using the following command: [screenshot: clip_image004]

5. “Dir” inside Code_Labs again: [screenshot: clip_image005]

6. Check that the class files are created inside the path provided in the package structure defined within the source file.

[After 3 hours of huffing and puffing…]

Struggled to execute the code I had just taken pains to create in a structured way. Thanks to Cameron’s short and simple explanation at http://stackoverflow.com/questions/5446700/java-class-execution-problem-java-lang-classnotfoundexception , I finally got the code to run using the following syntax:

[screenshot: clip_image006]