Estafet Insights - Edition 10

Want to hear more about something?

We value your subscription to Estafet Insights and want to make our content perfect for you. Please take a moment to share your preferences with us so we can deliver what you want to read.


Welcome to our sunny summer edition. We welcome a couple of new enterprise customers this month and with it a positivity in business discussions that I haven’t experienced for 18 months. An August cut in interest rates would add to the confidence coming back into the UK economy.
My podcast titled “I Can't Unsee That: When Role-Based Access Exposes Too Much” is a must listen for managers responsible for data. It arms you with the right questions when it comes to security and how to lower costs whilst increasing security levels.
Have a great summer and please contact us about your business plans for September 2024.

Thanks,

Adrian Wright

CEO and Founder, Estafet


Spring Boot Performance – Analysing Abnormal Process Behavior: Memory Leaks

By Antonio Lyubchev, Consultant at Estafet

What Is a Memory Leak

A memory leak in software is a condition where a program consistently fails to release memory that is no longer needed, leading to a gradual fill-up of available memory resources. This issue is critical in the context of Spring Boot applications, which operate within a Java Virtual Machine (JVM) environment. Spring Boot’s convention-over-configuration principle simplifies application development, but it does not inherently safeguard against the improper management of memory.

Memory leaks in Spring Boot can manifest through several scenarios, such as unclosed resources, long-lived collections growing unbounded, or static references preventing garbage collection. Detecting and addressing these leaks is essential for maintaining optimal application performance and preventing the exhaustion of JVM heap space, which can lead to OutOfMemoryError exceptions, application downtime, and costly resource usage. As such, understanding the mechanics of memory management within the JVM and employing tools and practices to monitor and analyse memory usage are crucial steps in identifying and rectifying memory leaks in Spring Boot applications.

The most common reason for memory leaks is heavy class static field usage. The reason for that is that static variables usually live throughout the entire uptime of the application, and if the memory around them is handled improperly, a memory leak is imminent.

Early Symptoms of a Memory Leak

The most obvious one – OutOfMemoryError error thrown/logged from the application. Gradual increase in memory consumption over runtime. The application crashes, lags, and loses connection, an overall performance degradation.

Is It “Really” a Memory Leak?

Surprisingly “OutOfMemoryError” does not always mean that you have a memory leak. There are cases where you unintentionally reserved too little memory for the heap. You may have heard of the two JVM parameters “-Xms2048m -Xmx4096m”. Have a look at this great article on the topic.

Example of a Memory Leak

Consider the following sample Spring Boot Application:

The application has 2 endpoints, one that adds values to a cache and one that manually clears the cache. Maybe we manually clear the cache at intervals, maybe another microservice calls that endpoint at fixed intervals; it doesn’t matter. What matters is that there is no control over the maximum allowed cache size.

Let’s say we added a few hundred chunks of cache:

100 * 10 MB = 1G of cache. That’s not too much, but notice how nothing is stopping us from adding more and more. Let’s do that:

And we get a crash:

To be exact. Ok, this was an obvious and telling case, but imagine that we added like 2GB of cache and it stayed there for days without it being needed after the first hour. This and similar problems arise more often than you might think.

READ THE FULL ARTICLE HERE


Implementing Attribute Based Access Control (ABAC) with AWS Transfer Family SFTP Servers

By Jeremy Gosling, Consultant at Estafet

I expect most people reading this will be familiar with Role Based Access Control (RBAC) for managing resource access where permissions are associated with roles and roles are assigned to users. This works well for situations where groups of users have the same privileges and the number of roles is relatively small such as “administrator”, “developer”, “tester”, etc.

An alternative approach is Attribute Based Access Control (ABAC) where access to a particular resource is controlled by one or more attributes that a user possesses. This technique is applicable where access control is based on a combination of characteristics of a user, so not only job-role as above, but maybe project as well, which can quickly result in an explosion of policies. Resources themselves can have ResourceTags applied, with the security policies then simply enforcing that the values of those specific tags match the user’s attributes. This significantly reduces the number and complexity of the policies being managed.

As we will see below, ABAC can also be used where controlling access to many individual resources in arbitrary combinations is required. Here one or more resource specific attributes can be applied to the user and referenced in the policies attached to the resources.

Although less frequently used, implementing ABAC on AWS is well documented … Attribute-Based Access Control – AWS Identity, What is ABAC for AWS? – AWS Identity and Access Management and Practicing the Principle of Least Privilege – DEV Community.

The first two describe the fundamental principles of ABAC with the last one detailing an implementation where Custom Attributes are defined for a User Pool in Cognito which can then be mapped to Custom Claims in a Cognito Identity Pool and then referenced as PrincipalTags in IAM Policies such as an S3 bucket policy.

This is great where temporary credentials can be obtained and passed in the API call for an AWS service such as an S3 list object request …

However, a recent client requirement to demonstrate using an ABAC approach to control access to individual folders within S3 buckets which would be accessed via an AWS Transfer Family SFTP Server turned out to be somewhat more challenging!

AWS Transfer Family Servers can maintain users within the service itself, within Active Directory or by using a Custom Identity Provider (custom idp) to access any Identity Provider with an API. This could be another AWS service such as Cognito or Secrets Manager, or a third party identity provider such as Auth0. The custom idp itself can be either an AWS Lambda Function or an Amazon API Gateway call. In this case the client wanted users to be maintained in Cognito which appeared straightforward as this seemed to be close to the scenario described in the DEV Community article above.

However, after initially successfully creating a lambda function custom idp which was capable of retrieving a user from Cognito via its associated Identity Pool with their attributes automatically mapped into PrincipalTags, a significant hurdle was discovered as the interface between the Transfer Family Server and the lambda function is quite basic (see Using AWS Lambda to integrate your identity provider – AWS Transfer Family).

When a user attempts to log in, the Transfer Family Server passes the following JSON payload to the lambda function ...

… which is fine. The lambda function can use this information to authenticate the user as required. The issue arose when looking at the response. The only element which is used to communicate the privileges of the user back to the server is the ARN of an IAM Role which the server then uses to perform an assume role operation before accessing S3.

After a lot of head scratching and discussions with colleagues to try and find some way to propagate attributes from Cognito without success, I came up with a different approach. Would it be possible to programmatically maintain an individual role per user, applying tags directly to the role which would hopefully then be available to the IAM policy to inspect and grant the appropriate access accordingly?

Manually creating a role with a tag and passing this back to the Transfer Family Service from the lambda function was successful, so then it was just a case of enhancing the lambda function to read the details of a user from Cognito including their custom attributes and create or update a role for that user with tags corresponding to the attributes that had been defined for that user in Cognito.

I decided to implement a scheme where the value of the attribute must match the value ‘allow’ (case insensitively) in order to grant access to a particular folder. The S3 bucket policy itself contains a statement for each folder being protected (line 7) that specifies the PrincipalTag name and the required value (line 10). Each statement must also contain a Principal which cannot contain a wildcard to match a partial entity, so instead all principals are accepted (line 4) but the ArnLike condition restricts this to only allow roles with the chosen prefix (line 13).
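An added sketch of the bucket policy shape described above (not the article's own policy, which is not reproduced on this page): the bucket name, account ID, role prefix `sftp-user-`, S3 actions and the use of the folder name as the tag key are assumptions, and `is_allowed` is a simplified local model of the two conditions rather than the IAM evaluation engine.

```python
import fnmatch
import json

# Assumed values for illustration only (not from the article).
BUCKET = "example-sftp-bucket"
ROLE_PATTERN = "arn:aws:iam::111122223333:role/sftp-user-*"

def folder_statement(folder: str) -> dict:
    """One statement per protected folder; the tag key is the folder name."""
    return {
        "Sid": f"Abac{folder.capitalize()}",
        "Effect": "Allow",
        "Principal": "*",  # all principals; narrowed by ArnLike below
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": f"arn:aws:s3:::{BUCKET}/{folder}/*",
        "Condition": {
            "StringEqualsIgnoreCase": {f"aws:PrincipalTag/{folder}": "allow"},
            "ArnLike": {"aws:PrincipalArn": ROLE_PATTERN},
        },
    }

def build_policy(folders) -> dict:
    return {"Version": "2012-10-17",
            "Statement": [folder_statement(f) for f in folders]}

def is_allowed(policy, role_arn, role_tags, object_key) -> bool:
    """Simplified local model of the two conditions; not the IAM engine."""
    resource = f"arn:aws:s3:::{BUCKET}/{object_key}"
    for stmt in policy["Statement"]:
        cond = stmt["Condition"]
        (tag_key, wanted), = cond["StringEqualsIgnoreCase"].items()
        tag_name = tag_key.split("/", 1)[1]
        if (fnmatch.fnmatchcase(resource, stmt["Resource"])
                and fnmatch.fnmatchcase(role_arn, cond["ArnLike"]["aws:PrincipalArn"])
                and role_tags.get(tag_name, "").lower() == wanted.lower()):
            return True
    return False  # no matching Allow statement: implicit deny

POLICY = build_policy(["finance", "hr"])
# Constructed per-user role, tagged from the user's attributes.
ALICE = ("arn:aws:iam::111122223333:role/sftp-user-alice",
         {"finance": "Allow", "hr": "deny"})

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    print(is_allowed(POLICY, *ALICE, "finance/q1.csv"))   # True
    print(is_allowed(POLICY, *ALICE, "hr/salaries.csv"))  # False
```

Because the tags on the per-user role are what grant access, permission to create or tag roles under that prefix is equivalent to permission to grant folder access and should be limited to the Lambda function that maintains the roles.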

READ THE FULL ARTICLE HERE


E5 - I Can't Unsee That: When Role-Based Access Exposes Too Much

In this engaging episode, host Adrian Wright and expert Jeremy Gosling tackle the critical issue of data security. They discuss how outdated Role-Based Access Control (RBAC) systems can lead to dangerous over-privileged access, citing high-profile breaches like Equifax.

Jeremy shares his experience transitioning to the more flexible Attribute-Based Access Control (ABAC) system. He highlights the challenges, such as integrating AWS services, and the innovative solutions that made ABAC implementation successful. By tagging IAM roles with user attributes, they achieved more precise access control, greatly enhancing security.

The episode provides valuable advice for organizations considering ABAC, emphasizing the need for thorough assessment and robust attribute management. Jeremy's insights demonstrate how ABAC can prevent unauthorized access and reduce the risk of data breaches, making it a crucial upgrade for modern data security.

LISTEN TO THE EPISODE HERE
