https://docs.aws.amazon.com/ja_jp/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html
https://dev.classmethod.jp/articles/cloudfront-field-level-encryption/
https://dev.classmethod.jp/articles/alb-backend-https/
https://qiita.com/daichi_sugiyama/items/623218b6e9173d5e7ed7
CloudFront --HTTPS--> ALB --HTTPS--> EC2
前提:
Route53 でドメイン取得済
セキュリティグループ で 443 許可済（ALB 側の 443 は CloudFront のオリジン向けマネージドプレフィックスリスト com.amazonaws.global.cloudfront.origin-facing からのみ許可すること。ALB へ直接到達できると CloudFront を経由せずに POST できるため、フィールドレベル暗号化を回避できてしまう。EC2 側の 443 は ALB のセキュリティグループからのみ許可する）
ACMでワイルドカード証明書取得済み（ALB に割り当てるため、ALB と同じリージョン ap-northeast-1 で発行したもの。CloudFront から ALB へ https-only で接続する際は CloudFront がオリジン証明書を検証するため、この証明書がオリジンドメイン名 test.yyyyyyyy.link をカバーしている必要がある）
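# 1. Install tooling
# 1.1 AWS CLI v2
# Download the installer together with its detached PGP signature and verify it
# BEFORE running anything from the archive with sudo: this is the one step where
# a tampered download hands root to an attacker. `-f` makes curl fail on an HTTP
# error instead of saving an error page that unzip would then choke on.
curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig" -o "awscliv2.sig"
# The AWS CLI signing key is published (ASCII-armored) in the AWS CLI install
# guide; import it with `gpg --import` and confirm `gpg --fingerprint` matches the
# fingerprint printed there (FB5D B77F D5C1 18B8 0511 ADA8 A631 0ACC 4672 475C at
# the time of writing). Stop here unless this reports "Good signature".
gpg --verify awscliv2.sig awscliv2.zip
unzip awscliv2.zip
sudo ./aws/install
aws --version
# 1.2 jq (used below to pull ARNs and ETags out of the CLI's JSON output)
sudo yum -y install jq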
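# 2. Create the EC2 instance (ap-northeast-1a)
# user-data script. mod_ssl pulls in httpd and generates a self-signed
# certificate on first start, which is enough for the ALB -> EC2 hop: the ALB
# encrypts traffic to HTTPS targets but does NOT validate the target
# certificate, so that hop is confidential but not authenticated.
cat > a.sh <<'EOF'
#!/bin/bash
yum -y update
yum -y install mod_ssl
systemctl start httpd
systemctl enable httpd
hostname > /var/www/html/index.html
EOF
# No --security-group-ids is passed, so the subnet's VPC default SG applies;
# outside a throwaway lab pass the SG that allows 443 only from the ALB's SG.
# HttpTokens=required enforces IMDSv2 so the instance credentials cannot be
# read with a plain GET (e.g. via an SSRF in the test PHP page).
aws ec2 run-instances \
  --image-id ami-0404778e217f54308 \
  --instance-type t3.nano \
  --key-name key1 \
  --metadata-options HttpEndpoint=enabled,HttpTokens=required \
  --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=instance01}]' \
  --subnet-id subnet-11111111111111111 \
  --user-data file://a.sh
aws ec2 describe-instances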
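# 3. Install PHP
# Run interactively on the httpd instance (this did not work from user-data).
sudo su -
# EPEL release RPM: fetched over HTTPS, but note that `rpm -ivh` only WARNS
# (NOKEY) when the signing key is not imported yet; it does not refuse.
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -ivh epel-release-latest-7.noarch.rpm
# Remi release RPM: plain-HTTP download, and yum's localpkg_gpgcheck defaults to
# 0, so this package is installed with NO signature verification at all -- a
# supply-chain gap. Prefer the repo's HTTPS URL and import the Remi signing key
# first, then check the downloaded file with `rpm -K` before installing.
yum -y install http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
yum-config-manager --enable remi-php74
# NOTE(review): PHP 7.4 no longer receives upstream security fixes; acceptable
# for this lab, not for anything exposed.
yum -y install php74 php74-php php74-php-fpm
ln -s /usr/bin/php74 /usr/bin/php
php -v
# Test endpoint only: echoes every POST field back to the caller. With FLE
# active the `secret` field should arrive here as CloudFront ciphertext, which is
# exactly what step 13 checks. Remove the page once the test is done.
echo '<?php var_dump($_POST);' > /var/www/html/index.php
systemctl restart httpd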
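# 4. Create the load balancer and target group
# The ALB is internet-facing by default. sg-333... should admit 443 only from
# CloudFront's origin-facing managed prefix list
# (com.amazonaws.global.cloudfront.origin-facing): anyone who can reach the ALB
# directly skips CloudFront, and therefore skips field-level encryption.
aws elbv2 create-load-balancer \
  --name alb01 \
  --subnets subnet-11111111111111111 subnet-22222222222222222 \
  --security-groups sg-33333333333333333
aws elbv2 describe-load-balancers
# LoadBalancers is an array: iterate it with [] (the original .LoadBalancers.X
# makes jq fail with "Cannot index array with string").
aws elbv2 describe-load-balancers | jq -r '.LoadBalancers[].LoadBalancerArn'
# HTTPS:443 targets: the ALB re-encrypts towards the instance (self-signed
# cert from mod_ssl, not validated by the ALB -- see step 2).
aws elbv2 create-target-group \
  --name target01 \
  --protocol HTTPS \
  --port 443 \
  --vpc-id vpc-44444444444444444 \
  --ip-address-type ipv4 \
  --target-type instance
aws elbv2 describe-target-groups
aws elbv2 describe-target-groups | jq -r '.TargetGroups[].TargetGroupArn'
aws elbv2 describe-target-group-attributes \
  --target-group-arn arn:aws:elasticloadbalancing:ap-northeast-1:999999999999:targetgroup/target01/5555555555555555
aws elbv2 register-targets \
  --target-group-arn arn:aws:elasticloadbalancing:ap-northeast-1:999999999999:targetgroup/target01/5555555555555555 \
  --targets Id=i-00000000000000000
# Wait for "healthy" here before creating the listener / distribution.
aws elbv2 describe-target-health \
  --target-group-arn arn:aws:elasticloadbalancing:ap-northeast-1:999999999999:targetgroup/target01/5555555555555555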
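# 5. Create the HTTPS listener
aws elbv2 describe-ssl-policies
# ELBSecurityPolicy-2016-08 still negotiates TLS 1.0/1.1. Pick a TLS 1.2+
# policy from the list above; ELBSecurityPolicy-TLS13-1-2-2021-06 (TLS 1.3 with
# TLS 1.2 fallback) is the current recommended default.
aws elbv2 create-listener \
  --load-balancer-arn arn:aws:elasticloadbalancing:ap-northeast-1:999999999999:loadbalancer/app/alb01/6666666666666666 \
  --protocol HTTPS \
  --port 443 \
  --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:ap-northeast-1:999999999999:targetgroup/target01/5555555555555555 \
  --certificates CertificateArn=arn:aws:acm:ap-northeast-1:999999999999:certificate/11111111-2222-3333-4444-555555555555 \
  --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06
aws elbv2 describe-listeners \
  --load-balancer-arn arn:aws:elasticloadbalancing:ap-northeast-1:999999999999:loadbalancer/app/alb01/6666666666666666
# Listeners is an array: iterate it with [].
aws elbv2 describe-listeners \
  --load-balancer-arn arn:aws:elasticloadbalancing:ap-northeast-1:999999999999:loadbalancer/app/alb01/6666666666666666 | jq -r '.Listeners[].ListenerArn'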
-- 6. Route53へDNSレコード(ALBへのエイリアスレコード)を登録
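# 7. Create the distribution
# The --origin-domain-name shorthand builds a distribution with CLI defaults
# (check the get-distribution-config output below); step 8 pins the protocol
# policies and allowed methods we actually need. test.yyyyyyyy.link is the
# Route53 alias for the ALB created in step 6.
aws cloudfront create-distribution \
  --origin-domain-name test.yyyyyyyy.link
aws cloudfront list-distributions
aws cloudfront get-distribution \
  --id AAAAAAAAAAAAAA
aws cloudfront get-distribution-config \
  --id AAAAAAAAAAAAAA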
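# 8. Tighten the default cache behavior
#   OriginProtocolPolicy -> https-only   (CloudFront validates the origin
#                                        certificate, so the ACM wildcard must
#                                        cover test.yyyyyyyy.link)
#   OriginSslProtocols   -> TLSv1.2 only (matches the TLS 1.2+ listener policy)
#   ViewerProtocolPolicy -> https-only
#   AllowedMethods       -> all 7 methods (POST is what FLE encrypts);
#                           only GET/HEAD are cached
aws cloudfront get-distribution \
  --id AAAAAAAAAAAAAA
# Fetch the config and its ETag in ONE call and keep them together. --if-match is
# the optimistic lock: an ETag fetched by a second call after editing the file
# would let the update silently overwrite any change made in between.
aws cloudfront get-distribution-config \
  --id AAAAAAAAAAAAAA > distribution-full.json
ETAG=$(jq -r .ETag distribution-full.json)
# Apply the edits with jq instead of by hand (no stray commas or typos).
jq '.DistributionConfig
    | .Origins.Items[0].CustomOriginConfig.OriginProtocolPolicy = "https-only"
    | .Origins.Items[0].CustomOriginConfig.OriginSslProtocols = {"Quantity": 1, "Items": ["TLSv1.2"]}
    | .DefaultCacheBehavior.ViewerProtocolPolicy = "https-only"
    | .DefaultCacheBehavior.AllowedMethods = {
        "Quantity": 7,
        "Items": ["HEAD", "DELETE", "POST", "GET", "OPTIONS", "PUT", "PATCH"],
        "CachedMethods": {"Quantity": 2, "Items": ["HEAD", "GET"]}
      }' distribution-full.json > distribution.json
aws cloudfront update-distribution \
  --id AAAAAAAAAAAAAA \
  --if-match "$ETAG" \
  --distribution-config file://distribution.json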
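# 9. Key pair for field-level encryption
# 9.1 Generate the RSA key pair. FLE requires a 2048-bit RSA key.
# The private key decrypts EVERY field CloudFront encrypts with this profile.
# Create it under a restrictive umask so it is never group/world-readable, and
# keep it only where decryption happens (the backend, or a secrets store) --
# not on an admin workstation next to the memo.
(umask 077 && openssl genrsa -out private_key.pem 2048)
openssl rsa -pubout -in private_key.pem -out public_key.pem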
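# 9.2 Upload the public key to CloudFront
cat public_key.pem
# Build pubkey.json with jq instead of pasting the PEM by hand: jq escapes the
# line breaks as \n, which is the form EncodedKey expects. Resulting shape:
#   {"CallerReference": "cli-example", "Name": "ExampleKey",
#    "EncodedKey": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----\n",
#    "Comment": "example public key"}
jq -n --arg key "$(cat public_key.pem)"$'\n' \
  '{CallerReference: "cli-example", Name: "ExampleKey", EncodedKey: $key, Comment: "example public key"}' \
  > pubkey.json
aws cloudfront create-public-key \
  --public-key-config file://pubkey.json
aws cloudfront list-public-keys
aws cloudfront get-public-key \
  --id CCCCCCCCCCCCCC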
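# 10. Create the field-level encryption profile
# Binds the uploaded public key to the POST field names that must be encrypted
# at the edge. FieldPatterns are matched against form field names (here exactly
# "secret"). ProviderId is a free-form identifier for the key owner that is
# carried along with the encrypted value so the backend can pick the right key.
aws cloudfront create-field-level-encryption-profile \
  --field-level-encryption-profile-config '{
    "Name": "profile01",
    "CallerReference": "cli-example",
    "Comment": "prfile01",
    "EncryptionEntities": {
      "Quantity": 1,
      "Items": [
        {
          "PublicKeyId": "CCCCCCCCCCCCCC",
          "ProviderId": "test",
          "FieldPatterns": {
            "Quantity": 1,
            "Items": [
              "secret"
            ]
          }
        }
      ]
    }
  }'
aws cloudfront list-field-level-encryption-profiles
aws cloudfront get-field-level-encryption-profile \
  --id DDDDDDDDDDDDD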
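# 11. Create the field-level encryption configuration
# Maps request content types to the profile. Both Forward...IsUnknown flags are
# false, which is the fail-closed setting: a POST whose content type (or query
# argument profile) does not match is rejected instead of being forwarded to the
# origin with the field in cleartext. Keep them false.
# QueryArgProfiles has Quantity 0, so Items is omitted: the original had a bare
# `"Items":` with no value, which is not valid JSON and is rejected by the CLI.
aws cloudfront create-field-level-encryption-config \
  --field-level-encryption-config '{
    "CallerReference": "cli-example",
    "Comment": "",
    "QueryArgProfileConfig": {
      "ForwardWhenQueryArgProfileIsUnknown": false,
      "QueryArgProfiles": {
        "Quantity": 0
      }
    },
    "ContentTypeProfileConfig": {
      "ForwardWhenContentTypeIsUnknown": false,
      "ContentTypeProfiles": {
        "Quantity": 1,
        "Items": [
          {
            "Format": "URLEncoded",
            "ProfileId": "DDDDDDDDDDDDD",
            "ContentType": "application/x-www-form-urlencoded"
          }
        ]
      }
    }
  }'
aws cloudfront list-field-level-encryption-configs
aws cloudfront get-field-level-encryption-config \
  --id EEEEEEEEEEEEEE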
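# 12. Enable field-level encryption on the default cache behavior
# FLE only covers POSTs whose content type matches the config from step 11;
# everything else on this behavior is unaffected.
aws cloudfront get-distribution \
  --id AAAAAAAAAAAAAA
# Config and ETag from the same response (see step 8 for why).
aws cloudfront get-distribution-config \
  --id AAAAAAAAAAAAAA > distribution-full.json
ETAG=$(jq -r .ETag distribution-full.json)
jq --arg fle EEEEEEEEEEEEEE \
  '.DistributionConfig | .DefaultCacheBehavior.FieldLevelEncryptionId = $fle' \
  distribution-full.json > distribution.json
aws cloudfront update-distribution \
  --id AAAAAAAAAAAAAA \
  --if-match "$ETAG" \
  --distribution-config file://distribution.json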
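# 13. Verify
# Direct hit on the ALB: this bypasses CloudFront and therefore FLE. Useful to
# confirm the origin itself works, but once the ALB security group is locked to
# the CloudFront origin-facing prefix list this request is EXPECTED to fail.
curl -v https://test.yyyyyyyy.link/index.html
curl -v https://xxxxxxxxxxxxx.cloudfront.net/index.html
# No field matches the profile -> both values reach index.php in cleartext.
# (The original had "¶m2" here: an HTML-entity mangling of "&param2".)
curl \
  -d "param1=value1&param2=value2" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  https://xxxxxxxxxxxxx.cloudfront.net/index.php
# "secret" matches the profile -> var_dump should show it as a long CloudFront
# ciphertext blob while param2 stays cleartext. If it still shows "value1",
# FLE is not active on this behavior.
curl \
  -d "secret=value1&param2=value2" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  https://xxxxxxxxxxxxx.cloudfront.net/index.php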
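# 14. Cleanup
# Disable the distribution (CloudFront refuses to delete an enabled one)
aws cloudfront get-distribution \
  --id AAAAAAAAAAAAAA
# Config and ETag from the same response; --if-match must belong to the exact
# revision being modified.
aws cloudfront get-distribution-config \
  --id AAAAAAAAAAAAAA > distribution-full.json
ETAG=$(jq -r .ETag distribution-full.json)
# Flip only the top-level Enabled flag. The original sed replaced every
# `"Enabled": true` line in the file, which would also hit Logging.Enabled.
jq '.DistributionConfig | .Enabled = false' distribution-full.json > distribution.json
aws cloudfront update-distribution \
  --id AAAAAAAAAAAAAA \
  --if-match "$ETAG" \
  --distribution-config file://distribution.json
# Block until the disable has propagated (takes a few minutes).
aws cloudfront wait distribution-deployed --id AAAAAAAAAAAAAA
# Delete the distribution. The update above changed the ETag, so fetch it again.
aws cloudfront get-distribution \
  --id AAAAAAAAAAAAAA
ETAG=$(aws cloudfront get-distribution-config --id AAAAAAAAAAAAAA | jq -r .ETag)
aws cloudfront delete-distribution \
  --id AAAAAAAAAAAAAA \
  --if-match "$ETAG"
aws cloudfront list-distributions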
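# Delete the FLE resources. Order matters: the config (referenced by the now
# deleted behavior) -> the profile (referenced by the config) -> the public key
# (referenced by the profile). Each resource has its OWN ETag: the original
# reused the config's ETag (IIIIIIIIIIIIII) for the profile, which is rejected.
aws cloudfront list-field-level-encryption-configs
ETAG=$(aws cloudfront get-field-level-encryption-config --id EEEEEEEEEEEEEE | jq -r .ETag)
aws cloudfront delete-field-level-encryption-config \
  --id EEEEEEEEEEEEEE \
  --if-match "$ETAG"
aws cloudfront list-field-level-encryption-profiles
ETAG=$(aws cloudfront get-field-level-encryption-profile --id DDDDDDDDDDDDD | jq -r .ETag)
aws cloudfront delete-field-level-encryption-profile \
  --id DDDDDDDDDDDDD \
  --if-match "$ETAG"
aws cloudfront list-public-keys
ETAG=$(aws cloudfront get-public-key --id CCCCCCCCCCCCCC | jq -r .ETag)
aws cloudfront delete-public-key \
  --id CCCCCCCCCCCCCC \
  --if-match "$ETAG"
# private_key.pem on disk is now the only copy of the key material; shred it
# too if it is not needed for anything else.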
-- Route53からDNSレコード(ALBへのエイリアスレコード)を削除
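# Tear down the ALB and the instance, in dependency order:
# listener -> targets -> target group -> load balancer -> instance.
# (The key pair key1, the security groups and the ACM certificate were created
# outside this memo and are left in place.)
aws elbv2 describe-listeners \
  --load-balancer-arn arn:aws:elasticloadbalancing:ap-northeast-1:999999999999:loadbalancer/app/alb01/6666666666666666
aws elbv2 delete-listener \
  --listener-arn arn:aws:elasticloadbalancing:ap-northeast-1:999999999999:listener/app/alb01/6666666666666666/7777777777777777
aws elbv2 describe-target-groups
aws elbv2 deregister-targets \
  --target-group-arn arn:aws:elasticloadbalancing:ap-northeast-1:999999999999:targetgroup/target01/5555555555555555 \
  --targets Id=i-00000000000000000
aws elbv2 delete-target-group \
  --target-group-arn arn:aws:elasticloadbalancing:ap-northeast-1:999999999999:targetgroup/target01/5555555555555555
aws elbv2 describe-load-balancers
aws elbv2 delete-load-balancer \
  --load-balancer-arn arn:aws:elasticloadbalancing:ap-northeast-1:999999999999:loadbalancer/app/alb01/6666666666666666
aws ec2 describe-instances
aws ec2 terminate-instances --instance-ids i-00000000000000000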