AWS Cloud Operations Blog
How to validate authentication using Amazon CloudWatch Synthetics – Part 2
In the second post of this two-part series, I will demonstrate how to utilize the Amazon CloudWatch Synthetics canary that uses the multiple HTTP endpoints blueprint in order to monitor an application requiring an authentication certificate. The first post Multi-step API monitoring using Amazon CloudWatch Synthetics provided steps to create an Amazon CloudWatch Synthetics script for executing a multi-step API verification. I also provide an additional reading section in this blog post that discusses certificate validation methods in the context of canaries.
Solution Overview
In the solution, I demonstrate the steps to create an API canary blueprint by using the HTTP Steps feature that incorporates a certificate to test an HTTP endpoint.
Creating the HTTP steps
CloudWatch Synthetics lets you utilize blueprint scripts that are ready to be consumed. However, we must utilize the editor in the console to add the extra code snippets in order to authenticate with a certificate.
To simulate how CloudWatch Synthetics handles authentication we will use the client.badssl.com website. You can also use your own HTTP endpoint to simulate the same output. The first call will return a failure response, as the certificate has not yet been added. However, the error will be fixed in the next steps.
To create an HTTP steps script:
- Open the Synthetics menu of the CloudWatch console.
- Choose Create Canary.
- Choose API canary from the blueprints list.
- Under Name, enter a name for your canary – for example, http-steps-test.
- Under HTTP requests, choose Add HTTP request.
- Under method, select the method GET.
- Enter the URL https://client.badssl.com/ under the Application or endpoint URL.
- Choose save.
On the Canaries page, choose Create canary. When the canary is created, it will be displayed in the Canaries list, as shown in Figure 1. For information about utilizing the API canary blueprint, see API canary in the Amazon CloudWatch User Guide.
Figure 1: Canaries page of the CloudWatch console
Checking reports
The canary reports show every step and result of the calls. In this case, the canary returned the 400 Bad Request error as shown in Figure 1. This error is expected, as the endpoint requires a certificate in order to return a valid response.
Figure 2: http-steps-test report
Adding the certificate
To solve the 400 Bad Request issue, the client key and certificate must be safely stored using AWS Secrets Manager. This will be utilized by the canary to authenticate the API request that calls the client.badssl.com. These certificates can be downloaded here and manually uploaded by using the AWS Management Console. However, it can also be done programmatically, as provided in the steps below.
Importing the key and certificate from badssl.com
I use AWS CloudShell, a browser-based shell that makes it easy to securely manage, explore, and interact with your AWS resources. We recommend CloudShell to run the scripts below. However, you can use your own command line for the same output.
CloudShell isn’t available in every region, but the environment variable AWS_REGION lets the commands be executed in the region where you are creating your canary. See Supported AWS Regions for AWS CloudShell for more information about the regions supported by the CloudShell.
The script below downloads the .pem file from badssl.com, creates a secret for the key and cert generated out of the .pem file, adds environment variables, and then lets the IAM role for the canary read the secret. Ensure the user is running the script has permissions to create a secret, get and update a canary, and attach policies to the canary role.
To deploy the script, follow these steps:
- Open the CloudShell console.
- Wait for the environment to be created.
- Copy and paste the script below – ensure that you adjust the AWS_REGION if needed.
- Choose Paste, and wait for the script to finish.
Figure 3: CloudShell popup to paste multiline text
Updating the script to collect key and certificate from Secrets Manager
The blueprint provided by the CloudWatch Synthetics must be updated in order to load the secrets from Secrets Manager and then connect using the client.badssl.com key and certificate.
To edit the code, follow these steps:
- Open the Synthetics menu of the CloudWatch console.
- Choose the canary created above – for example, http-steps-test.
- Choose Actions.
- Choose Edit.
- Using the Script Editor box, paste thecode snippet below at the beginning of the script.
In short, this snippet loads the Secrets Manager client and defines the getKeyCert() in order to collect the secrets.
To collect the secrets, call the function getKeyCert() inside of the canary function apiCanaryBlueprint().
Lastly, the key and cert must be added to the requestOptions of the client.badssl.com request.
After modifying the code, save and wait for the canary to run again. Next, canary run should be PASSED with the steps tab showing the request status as PASSED.
Figure 4: http-steps-test report showing the status as Passed
Additional Reading
NodeJS library options can be extended to check the server identity. Moreover, the function can also be utilized to check if the certificate is about to expire or check any other validation to the endpoint certificate properties.
The code below shows how to check if the certificate is issued to the host that the script is connecting. It also checks if the certificate is not close to its expiry date.
To edit the code, follow these steps:
- Open the Synthetics menu of the CloudWatch console.
- Choose the canary created above – for example, http-steps-test.
- Choose Actions.
- Choose Edit.
- Using the Script Editor box, paste the code snippet below at the beginning of the script.
Add the highlighted checkServerIdentity to the requestOptionStep1 variable.
Save the canary and check the report after running the script.
The script utilizes the environment variables created earlier to check that the certificate was issued to the correct hostname, the expiry date is not close, and sh256, which throws an exception if any of these checks fail. See TLS (SSL) documentation for more information about how the TLS library works.
Cleanup
After finishing this lab, I recommend removing the canary and the resources created by the canary in order to avoid unnecessary charges. The following script deletes the CloudWatch Synthetic script, the secrets manager, lambda, and IAM role. These steps can also be conducted via console. For future reference, read the page Editing or deleting a canary in order to learn how to delete a canary.
Conclusion
This post walked you through an example of how to monitor an endpoint requiring a client certificate authentication by using the tool badssl.com.
To learn more about how to use this feature and all other capabilities, read the CloudWatch Synthetics documentation. Also, the AWS Command Line Interface (CLI) documentation for Synthetics can be found here.