$30 off During Our Annual Pro Sale. View Details »

I Am What IAM for DevOps Vienna

Philipp Krenn
September 09, 2014
Programming
0
590

I Am What IAM for DevOps Vienna

Showing why you need to take care of your AWS credentials (CodeSpaces,...) and how to do that in practice

Philipp Krenn

September 09, 2014
Tweet

More Decks by Philipp Krenn

See All by Philipp Krenn
Full-Text Search Explained
xeraa
11
1.8k
360° Monitoring of Your Microservices
xeraa
7
3.1k
Scale Your Metrics with Elasticsearch
xeraa
4
110
YAML Considered Harmful
xeraa
0
1.9k
Scale Your Elasticsearch Cluster
xeraa
1
250
Hands-On ModSecurity and Logging
xeraa
2
120
Centralized Logging Patterns
xeraa
1
890
Dashboards for Your Management with Kibana Canvas
xeraa
1
430
Make Your Data FABulous
xeraa
3
710

Other Decks in Programming

See All in Programming
VimConf 2023 Tiny
skanehira
1
210
​고군분투 LLM 프로덕트 적용기: Blind Prompting 부터 Agent까지
huffon
1
780
kube-proxy入門
bells17
7
890
supabaseとSvelteKitで作るバックエンドレスなサーバーレスWebサイト / Creating with supabase and SvelteKit Backend-less serverless websites
seike460
PRO
3
1.5k
BigQuery のデータ品質やデータ活用を高める Dataplex 等の活用
mot_techtalk
4
670
実践PubSubマイクロサービス / Implementation Pub Sub microservice
nrslib
3
940
Talk about CI and testing of the STORES
hogelog
2
280
Expo Router は Expo 導入の決め手となるか フロントエンドカンファレンス沖縄2023 @Kaito-Dogi
doggy
3
1.5k
從零開始打造可觀測性平台
blueswen
3
1.4k
Python機械学習勉強会in新潟のロゴが無いので、生成AIで作ってみましょう / osc2023niigata
kasacchiful
0
190
SONY NEWS NetBSD移植作業とNWS-3260展示 / KOF2023
tsutsui
0
440
Angular 17 - Rainaissance
gregonnet
0
130

Featured

See All Featured
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
6
7.3k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
271
12k
A designer walks into a library…
pauljervisheath
199
18k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
185
15k
A Modern Web Designer's Workflow
chriscoyier
688
190k
The Cost Of JavaScript in 2023
addyosmani
9
3k
WebSockets: Embracing the real-time Web
robhawkes
58
6.6k
What’s in a name? Adding method to the madness
productmarketing
PRO
14
2.3k
For a Future-Friendly Web
brad_frost
168
8.4k
A Tale of Four Properties
chriscoyier
150
22k
Optimizing for Happiness
mojombo
368
68k
The World Runs on Bad Software
bkeepers
PRO
59
6.1k

Transcript

  1. i am what IAM
    Philipp Krenn, @xeraa

    View Slide

  2. Why?

    View Slide

  3. View Slide

  4. [...] our data, backups,
    machine configurations and
    offsite backups were either
    partially or completely
    deleted.
    1
    http://www.codespaces.com

    View Slide

  5. View Slide

  6. The person(s) used our
    account to order hundreds
    of expensive servers, likely
    to mine Bitcoin or other
    cryptocurrencies.
    1
    http://blog.drawquest.com

    View Slide

  7. View Slide

  8. This outage was the result
    of an attack on our
    systems using a
    compromised API key.
    1
    http://status.bonsai.io/incidents/qt70mqtjbf0s

    View Slide

  9. Remember:
    Starting with AWS is easy,
    but terminating everything
    is just as simple.

    View Slide

  10. How?

    View Slide

  11. Lock away your root
    account and never use it

    View Slide

  12. Always use Identity and
    Access Management
    (IAM)

    View Slide

  13. Create an IAM user for
    every service or action

    View Slide

  14. Use groups to manage
    permissions for users

    View Slide

  15. Lock users and groups
    down as much as possible

    View Slide

  16. { "Statement": [
    {
    "Effect": "Allow",
    "Action": [
    "s3:ListAllMyBuckets",
    "s3:ListBucket"
    ],
    "Resource": "arn:aws:s3:::*"
    },
    {
    "Action": [
    "s3:PutObject",
    "s3:GetObject",
    "s3:DeleteObject"
    ],
    "Effect": "Allow",
    "Resource": "arn:aws:s3:::com.example.backup/*"
    }
    ] }

    View Slide

  17. Strong password

    View Slide

  18. http://xkcd.com/936/

    View Slide

  19. 2 Factor Authentication
    (2FA)

    View Slide

  20. View Slide

  21. Never commit your
    credentials

    View Slide

  22. Enable IP restrictions

    View Slide

  23. { "Statement": [
    {
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"
    },
    {
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
    "NotIpAddress": {
    "aws:SourceIp": ["10.0.0.0/24", "10.10.0.0/24"]
    }
    }
    }
    ] }

    View Slide

  24. View Slide

  25. Enable billing alerts

    View Slide

  26. View Slide

  27. Enable CloudTrail

    View Slide

  28. { "Records": [
    {
    "eventVersion": "1.0",
    "userIdentity": {
    "type": "IAMUser",
    "principalId": "EX_PRINCIPAL_ID",
    "arn": "arn:aws:iam::123456789012:user/Alice",
    "accountId": "123456789012",
    "accessKeyId": "EXAMPLE_KEY_ID",
    "userName": "Alice"
    },
    "eventTime": "2014-09-09T19:01:59Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "StopInstances",
    "awsRegion": "eu-west-1",
    "sourceIPAddress": "205.251.233.176",
    "userAgent": "ec2-api-tools 1.6.12.2",
    "requestParameters": {
    "instancesSet": {
    "items": [
    { "instanceId": "i-ebeaf9e2" }
    ]
    },
    "force": false
    },
    ...
    },
    ...
    ] }

    View Slide

  29. Check Your Security Status

    View Slide

  30. View Slide

  31. Premium Support Goodie:
    Trusted Advisor Security

    View Slide

  32. View Slide

  33. Questions?

    View Slide

  34. PS: ViennaDB Redis
    meetup
    September 22nd 19:00 @sektorfuenf

    View Slide