Using Amazon Web Services to Capture CSP and HPKP Reports

I’ve been working to review and harden the security on my personal websites lately (maybe some other posts about cipher suite choices and server logging to AWS coming up).

One thing I’ve never utilised before are the reporting features available in both Content Security Policy (CSP) and HTTP Public Key Pinning (HPKP). This reporting lets you help tune your policies (in the case of CSP), and see violations for both HPKP and CSP. For both forms of reporting, you need to provide a URL in the CSP/HPKP header. The client’s browser, which detects whether there is a violation of either scheme, will simply send a HTTP POST request containing the report to that URL.

You generally have two choices here – develop your own mini-application to capture these reports, or use somebody else’s service. I wanted to keep the number of live web applications I had to maintain down to a bare minimum (so option 1 was not looking good), and I didn’t want to a third-party receiving my reports in perpetuity (so option 2 was struck-out).

Having an Amazon Web Services account, I decided to see whether it was possible to utilise some of the tooling available there to help me out. The idea was to provision something in my personal AWS instance that could maintain an endpoint to collect the logs and then export/view/search/alert on the logs as needed. Obviously, the idea was to keep the cost down as much as possible (this is only a personal endeavour, after all!)

To summarise what I ended up doing, my first solution to this problem is as follows:

AWS API Gateway allows you to create an “API” to receive requests. It’s reasonably cheap (you only pay a cup of coffee per million API queries plus cents per GB for data traffic). There’s also a free tier for the first 12 months – which means I’ll be able to estimate roughly how much this will cost me longer term.

Some good things I’ve discovered about the AWS API Gateway service:

  • The AWS API Gateway service can be configured using the AWS Management Console GUI to log all requests to CloudWatch Logs (including full header and responses).
  • You only need to set up a single POST API on the root URL for receiving the report requests – this is only a couple of quick clicks in the AWS Management Console GUI.
  • You can set that single POST API to either do nothing (mock execution) or act as a HTTP proxy for another service (theoretically, I can think this means you could daisy-chain to a secondary service as well, like Report-URI).

The raw logs appear from the API Gateway service (Which includes the violation reports), then get thrown into a Log Group in AWS CloudWatch Logs. You can then use in the inbuilt search/parse tool in Cloudwatch Logs in the Management Console, export the entire log file to Amazon S3 to dice up offline, or pass onto a couple of other AWS services (which I haven’t looked into just yet).

Setting up the API:

API Gateway 1

Configuring the logging:
API Gateway 2

Viewing the reports:
Cloudwatch Logs 1

What I’d like to do in the future:

  1. See if I can use a custom domain with Amazon API Gateway (Definitely possible, but I’d want to see if the new AWS Certificate Manager would provide a free SSL certificate for that endpoint.)
  2. See if I can stream this data into an AWS service for live-analysis when I need to search it (more than the string based search the AWS Management Console provides on Cloudwatch Log data.
  3. See whether I can get alerting in place based on particular keywords of interest and/or volumes of violations seen per day, or on a certain page.

Leave a Reply

Your email address will not be published. Required fields are marked *