July 14, 2023
The project for the German Fintech Leader was responsible for collecting feedback data about the investors/borrower. The client created a massive mailing containing a specific URL to the SPA application with the steps forms system. A single-page application (SPA) is a web application or website that interacts with the user by dynamically rewriting the current web page with new data from the web server, instead of the default method of a web browser loading entire new pages.
Some steps included sensitive data, so the main challenge was to provide a safe solution and option to give all aggregate data to the operation team. The implementation of encryption had requirements to be independent of the infrastructure and can be hosted somewhere. The concept and implementation were verified and audited by the finance security department. Obviously, the safe connection (HTTPS) and some of the necessary HTTP headers have been configured as well.
To have good scalability and provide the low latency SPA application have been hosted on the AWS s3 bucket.
To provide a safe solution the following concept has been implemented:
As mentioned at the beginning the encryption concept has to be independent of the infrastructure. Also, the cloud (AWS) should not be able to decrypt the data. So the file is encrypted directly on the client browser. The ReactJs application fetches the public key and encrypts the CSV file generated from the form's data (steps 1 and 2).
As the next step, the new file is stored on S3 (step 4) based on the specific URL (generated on a specific lambda and provided by the API Gateway (step 3). AWS has called this mechanism as “presigned URL”. Following the AWS documentation:
“A presigned URL gives you access to the object identified in the URL, provided that the creator of the presigned URL has permission to access that object. That is, if you receive a presigned URL to upload an object, you can upload the object only if the creator of the presigned URL has the necessary permissions to upload that object. All objects and buckets by default are private.” - https://docs.aws.amazon.com/AmazonS3/latest/userguide/PresignedUrlUploadObject.html
The Ops team needs to be notified when the new file has been uploaded. This case has been achieved by another lambda triggered every time when a new object (file) is uploaded to the specific bucket. The Ops team is notified by email based on the AWS service called SES.
A serverless solution based on Lambdas gives a scaled computing solution and moves the maintenance for AWS. The developers are focused on the implementation of services instead of configuring the infrastructure.
The concept of safe data provision has been implemented successfully. All steps have been audited and verified by the security team. The application was scalable and resistant to external attacks. The Ops team has been notified by email every time when a new file was created without delay.
Daniel
.png)
