Upgrade to Pro — share decks privately, control downloads, hide ads and more …

I Am What IAM for DevOps Vienna

Philipp Krenn
September 09, 2014
Programming
0
550

I Am What IAM for DevOps Vienna

Showing why you need to take care of your AWS credentials (CodeSpaces,...) and how to do that in practice

Philipp Krenn

September 09, 2014
Tweet

More Decks by Philipp Krenn

See All by Philipp Krenn
Full-Text Search Explained
xeraa
11
1.8k
360° Monitoring of Your Microservices
xeraa
7
2.9k
Scale Your Metrics with Elasticsearch
xeraa
4
110
YAML Considered Harmful
xeraa
0
1.8k
Scale Your Elasticsearch Cluster
xeraa
1
240
Hands-On ModSecurity and Logging
xeraa
2
110
Centralized Logging Patterns
xeraa
1
860
Dashboards for Your Management with Kibana Canvas
xeraa
1
410
Make Your Data FABulous
xeraa
3
700

Other Decks in Programming

See All in Programming
PDF_TDX_2023_Apex__What_s_New_and_What_s_Coming.pdf
fishofprey
3
780
RuboCop Philosophy
koic
2
690
CyberAgentにおけるKubernetes as a Serviceの歩みと利用者を支える機能 / cainfra01-amsy810-kubernetes
masayaaoyama
1
800
mrubyでマイコンの世界に足を踏み入れる
yuuu
0
440
WEARのEKSコストを救いたい
mikobaaaaa0920
1
1.4k
オンプレミスK8s基盤をまるごと VMで仮想化した検証環境とその活用
yamatcha
1
450
Spring Modulithで始めるモジュラモノリス開発
yutootsuka
2
190
Rustの手続きマクロで黒魔術入門
lemolatoon
2
520
Swift Extension for Visual Studio Code
usamik26
1
150
APIスキーマ設計Tipsと (新)リッチエディタについて
microcms
1
580
Microsoft プレゼンター+の紹介
tomokusaba
0
130
ヘッドレスCMSのリッチエディタを支えるヘッドレス○○
microcms
1
160

Featured

See All Featured
5 minutes of I Can Smell Your CMS
philhawksworth
198
18k
The Cult of Friendly URLs
andyhume
70
5.2k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
182
15k
Git: the NoSQL Database
bkeepers
PRO
419
60k
Web Components: a chance to create the future
zenorocha
304
41k
Typedesign – Prime Four
hannesfritz
34
1.6k
Why You Should Never Use an ORM
jnunemaker
PRO
49
8k
Stop Working from a Prison Cell
hatefulcrawdad
264
18k
Intergalactic Javascript Robots from Outer Space
tanoku
261
26k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
38
3.7k
Navigating Team Friction
lara
177
12k
Learning to Love Humans: Emotional Interface Design
aarron
263
38k

Transcript

  1. i am what IAM
    Philipp Krenn, @xeraa

    View Slide

  2. Why?

    View Slide

  3. View Slide

  4. [...] our data, backups,
    machine configurations and
    offsite backups were either
    partially or completely
    deleted.
    1
    http://www.codespaces.com

    View Slide

  5. View Slide

  6. The person(s) used our
    account to order hundreds
    of expensive servers, likely
    to mine Bitcoin or other
    cryptocurrencies.
    1
    http://blog.drawquest.com

    View Slide

  7. View Slide

  8. This outage was the result
    of an attack on our
    systems using a
    compromised API key.
    1
    http://status.bonsai.io/incidents/qt70mqtjbf0s

    View Slide

  9. Remember:
    Starting with AWS is easy,
    but terminating everything
    is just as simple.

    View Slide

  10. How?

    View Slide

  11. Lock away your root
    account and never use it

    View Slide

  12. Always use Identity and
    Access Management
    (IAM)

    View Slide

  13. Create an IAM user for
    every service or action

    View Slide

  14. Use groups to manage
    permissions for users

    View Slide

  15. Lock users and groups
    down as much as possible

    View Slide

  16. { "Statement": [
    {
    "Effect": "Allow",
    "Action": [
    "s3:ListAllMyBuckets",
    "s3:ListBucket"
    ],
    "Resource": "arn:aws:s3:::*"
    },
    {
    "Action": [
    "s3:PutObject",
    "s3:GetObject",
    "s3:DeleteObject"
    ],
    "Effect": "Allow",
    "Resource": "arn:aws:s3:::com.example.backup/*"
    }
    ] }

    View Slide

  17. Strong password

    View Slide

  18. http://xkcd.com/936/

    View Slide

  19. 2 Factor Authentication
    (2FA)

    View Slide

  20. View Slide

  21. Never commit your
    credentials

    View Slide

  22. Enable IP restrictions

    View Slide

  23. { "Statement": [
    {
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"
    },
    {
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
    "NotIpAddress": {
    "aws:SourceIp": ["10.0.0.0/24", "10.10.0.0/24"]
    }
    }
    }
    ] }

    View Slide

  24. View Slide

  25. Enable billing alerts

    View Slide

  26. View Slide

  27. Enable CloudTrail

    View Slide

  28. { "Records": [
    {
    "eventVersion": "1.0",
    "userIdentity": {
    "type": "IAMUser",
    "principalId": "EX_PRINCIPAL_ID",
    "arn": "arn:aws:iam::123456789012:user/Alice",
    "accountId": "123456789012",
    "accessKeyId": "EXAMPLE_KEY_ID",
    "userName": "Alice"
    },
    "eventTime": "2014-09-09T19:01:59Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "StopInstances",
    "awsRegion": "eu-west-1",
    "sourceIPAddress": "205.251.233.176",
    "userAgent": "ec2-api-tools 1.6.12.2",
    "requestParameters": {
    "instancesSet": {
    "items": [
    { "instanceId": "i-ebeaf9e2" }
    ]
    },
    "force": false
    },
    ...
    },
    ...
    ] }

    View Slide

  29. Check Your Security Status

    View Slide

  30. View Slide

  31. Premium Support Goodie:
    Trusted Advisor Security

    View Slide

  32. View Slide

  33. Questions?

    View Slide

  34. PS: ViennaDB Redis
    meetup
    September 22nd 19:00 @sektorfuenf

    View Slide