AWS Developer Tools Blog

AWS SSM ASP.NET Core Data Protection Provider

The antiforgery framework is a critical part of ASP.NET Core. It ensures web forms and login pages haven’t been tampered with by embedding cryptographic data in the form and then validating the submitted form with a key created by the Data Protection framework. An ASP.NET Core Data Protection Provider is the building block that supplies encryption and decryption of secret data to the antiforgery framework.

To support the use of ASP.NET Core’s antiforgery framework in AWS, we’ve released an ASP.NET Core Data Protection Provider backed by AWS Systems Manager (SSM).

Why use the AWS SSM ASP.NET Core Data Protection Provider?

By default, ASP.NET Core creates the data protection keys in memory. That works for local development on a single machine, but it can pose a problem for production systems where multiple web servers are used. When you deploy your application to AWS Elastic Beanstalk or AWS Fargate, for example, you need a mechanism to share the data protection keys between servers so that requests can be load balanced across them.

The AWS SSM ASP.NET Core Data Protection Provider enables you to share ASP.NET Core data protection keys between web servers by storing them in a secure central location.

Open source project and NuGet support

The open source project for the AWS SSM ASP.NET Core Data Protection Provider is on GitHub at https://github.com/aws/aws-ssm-data-protection-provider-for-aspnet. You can build from source or contribute to the project by following the instructions on GitHub.

The NuGet package can be found at https://www.nuget.org/packages/Amazon.AspNetCore.DataProtection.SSM.

Using the Amazon.AspNetCore.DataProtection.SSM NuGet package

To use Amazon.AspNetCore.DataProtection.SSM, first add a reference to the NuGet package in your .csproj file.

<Project Sdk="Microsoft.NET.Sdk">
  ...
  <ItemGroup>
    ...
    <PackageReference Include="Amazon.AspNetCore.DataProtection.SSM" Version="1.0.0" />
  </ItemGroup>
  ...
</Project>

Then add calls to the appropriate extension methods in the ConfigureServices method of your Startup class.

public void ConfigureServices(IServiceCollection services)
{
    // Persist the data protection key ring to SSM Parameter Store under the given
    // parameter-name prefix so every web server loads the same keys.
    services.AddDataProtection()
        .PersistKeysToAWSSystemsManager("/MyApplication/DataProtection");

    services.AddMvc()
        .SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
}
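The following is an added example that is not part of the blog post or of the aws-ssm-data-protection-provider-for-aspnet project. It extends the snippet above into a Startup class that reads the SSM prefix from configuration (the configuration key DataProtection:SsmPrefix is an assumption for this example), pins the application name so that every instance shares one key ring, logs a startup check of the loaded key ring, and shows a controller action whose antiforgery token must validate on whichever instance receives the form post.

```csharp
// Added example (not code from the AWS blog post or the provider project).
using System;
using System.Linq;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public class Startup
{
    private readonly IConfiguration _configuration;

    public Startup(IConfiguration configuration) => _configuration = configuration;

    public void ConfigureServices(IServiceCollection services)
    {
        // Parameter-name prefix under which the provider stores the key ring.
        // "DataProtection:SsmPrefix" is an assumed configuration key for this example;
        // the fallback is the prefix used in the blog post.
        var prefix = _configuration["DataProtection:SsmPrefix"] ?? "/MyApplication/DataProtection";

        services.AddDataProtection()
            // All instances must use the same application name; otherwise each one
            // derives different purpose strings and cannot unprotect the others' tokens.
            .SetApplicationName("MyApplication")
            .PersistKeysToAWSSystemsManager(prefix);

        services.AddMvc()
            .SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
    }

    // IKeyManager is registered by AddDataProtection(), so it can be injected here.
    public void Configure(IApplicationBuilder app, IKeyManager keyManager, ILogger<Startup> logger)
    {
        // Startup check: force the key ring to load from the shared store and report what
        // came back. On a fresh deployment the first instance creates the initial key,
        // so an empty ring is a warning rather than a failure.
        var keys = keyManager.GetAllKeys();
        var active = keys
            .Where(k => !k.IsRevoked && k.ExpirationDate > DateTimeOffset.UtcNow)
            .ToList();

        logger.LogInformation(
            "Data protection key ring loaded: {Total} key(s), {Active} active", keys.Count, active.Count);

        if (active.Count == 0)
        {
            logger.LogWarning(
                "No active data protection key found under prefix {Prefix}; one will be generated on first use.",
                prefixForLogging(_configuration));
        }

        app.UseMvc();
    }

    private static string prefixForLogging(IConfiguration configuration) =>
        configuration["DataProtection:SsmPrefix"] ?? "/MyApplication/DataProtection";
}

// A form handler that depends on the shared key ring: the token the Razor form tag
// helper embeds in the page is protected on one instance and must be unprotected on
// whichever instance the load balancer routes the POST to.
public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Login(string username)
    {
        // Authenticate the user here; the antiforgery check has already passed.
        return RedirectToAction("Index", "Home");
    }
}
```

Two practical points when running this: the execution role of each instance needs permission to read and write SSM parameters under the chosen prefix (the provider's README on GitHub lists the exact actions), and because the prefix is the identity of the key ring, two deployments that must not share keys (staging and production, for example) need distinct prefixes.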