
I Am What IAM for DevOps Vienna

Philipp Krenn
September 09, 2014


Showing why you need to take care of your AWS credentials (CodeSpaces,...) and how to do that in practice


Transcript

  1. i am what IAM
    Philipp Krenn, @xeraa

  2. Why?

  4. "[...] our data, backups, machine configurations and offsite backups were either partially or completely deleted."
    Source: http://www.codespaces.com

  6. "The person(s) used our account to order hundreds of expensive servers, likely to mine Bitcoin or other cryptocurrencies."
    Source: http://blog.drawquest.com

  8. "This outage was the result of an attack on our systems using a compromised API key."
    Source: http://status.bonsai.io/incidents/qt70mqtjbf0s

  9. Remember: Starting with AWS is easy, but terminating everything is just as simple.

  10. How?

  11. Lock away your root account and never use it

  12. Always use Identity and Access Management (IAM)

  13. Create an IAM user for every service or action

  14. Use groups to manage permissions for users

  15. Lock users and groups down as much as possible

  16. Example policy: list buckets anywhere, but read, write and delete objects only inside the backup bucket
    { "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:ListAllMyBuckets",
            "s3:ListBucket"
          ],
          "Resource": "arn:aws:s3:::*"
        },
        {
          "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:DeleteObject"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::com.example.backup/*"
        }
    ] }

  17. Strong password

  18. http://xkcd.com/936/

  19. 2 Factor Authentication (2FA)

  21. Never commit your credentials
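The rule on slide 21 is the one that is easiest to enforce mechanically, before a commit ever lands. The following Python is an added example, not from the talk, of a scanner that can run as a pre-commit hook: it looks for IAM access key IDs (the AKIA prefix followed by 16 upper-case alphanumerics) and for 40-character secret values assigned to a name containing "secret". The sample config is constructed and uses the placeholder key pair from the AWS documentation, not real credentials.

```python
"""Pre-commit scanner for AWS credentials (added example; not from the talk)."""
import re
import sys

# Constructed sample file. The key values are the placeholder credentials
# from the AWS documentation; the last line is a near-miss that must not match.
SAMPLE_CONFIG = """\
[default]
region = eu-west-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY
build_id = AKIAIOSFODNN7EXAMPLE1234
"""

# IAM user access key IDs: "AKIA" + 16 upper-case alphanumerics, standing alone.
ACCESS_KEY_RE = re.compile(r"(?<![A-Za-z0-9])AKIA[0-9A-Z]{16}(?![A-Za-z0-9])")
# A 40-character base64-like value assigned to something called *secret*.
SECRET_KEY_RE = re.compile(
    r"(?i)secret\w*\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])"
)


def redact(value):
    """Keep only the first and last four characters so reports never leak the key."""
    return value[:4] + "..." + value[-4:]


def scan_text(text):
    """Return (line number, kind, redacted value) for every credential found in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((lineno, "secret_access_key", redact(m.group(1))))
    return findings


def scan_files(paths):
    """Scan each file path; returns a flat list of (path, line, kind, redacted)."""
    results = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, kind, value in scan_text(fh.read()):
                results.append((path, lineno, kind, value))
    return results


if __name__ == "__main__":
    # As a hook: `python scan.py $(git diff --cached --name-only)`; exit 1 blocks the commit.
    hits = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else [
        ("<sample>", *f) for f in scan_text(SAMPLE_CONFIG)
    ]
    for path, lineno, kind, value in hits:
        print(f"{path}:{lineno}: possible AWS {kind}: {value}")
    sys.exit(1 if hits else 0)
```

Run without arguments it scans the embedded sample and reports the access key on line 3 and the secret on line 4 but not the near-miss on line 5; pass staged file names to use it as a hook.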

  22. Enable IP restrictions

  23. Example policy: allow everything, then explicitly deny everything that does not come from the two office networks
    { "Statement": [
        {
          "Effect": "Allow",
          "Action": "*",
          "Resource": "*"
        },
        {
          "Effect": "Deny",
          "Action": "*",
          "Resource": "*",
          "Condition": {
            "NotIpAddress": {
              "aws:SourceIp": ["10.0.0.0/24", "10.10.0.0/24"]
            }
          }
        }
    ] }
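Both policies in the deck (slides 16 and 23) depend on the AWS evaluation order: an explicit Deny wins over any Allow, and a request matching no Allow is implicitly denied. The following Python is an added example, not from the talk and not AWS's own code, that implements that core logic for Action and Resource matching with IAM-style wildcards plus the IpAddress and NotIpAddress operators on aws:SourceIp, then runs both slide policies through it. The object keys and source addresses used in the requests are constructed.

```python
"""Minimal IAM policy evaluator (added example; not from the talk or AWS).

Supports Effect/Action/Resource with '*' and '?' wildcards and the
IpAddress / NotIpAddress condition operators on aws:SourceIp. Decision
order mirrors AWS: explicit Deny wins, otherwise any matching Allow grants
access, otherwise the request is implicitly denied.
"""
import fnmatch
import ipaddress

# Policy from slide 16: list buckets anywhere, object access only in the backup bucket.
BACKUP_POLICY = {
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::*"},
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::com.example.backup/*"},
    ]
}

# Policy from slide 23: allow all, then deny all requests not from the office networks.
IP_RESTRICTED_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": ["10.0.0.0/24", "10.10.0.0/24"]}}},
    ]
}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM wildcards behave like shell globs: '*' any run, '?' one character."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _ip_condition_holds(condition, source_ip):
    """Evaluate IpAddress / NotIpAddress on aws:SourceIp; fail closed on other operators."""
    addr = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise NotImplementedError(f"condition operator {operator} not supported")
        networks = [ipaddress.ip_network(c) for c in _as_list(keys.get("aws:SourceIp", []))]
        in_range = any(addr in net for net in networks)
        # IpAddress holds when in range, NotIpAddress holds when out of range.
        if (operator == "IpAddress") != in_range:
            return False
    return True


def evaluate(policy, action, resource, source_ip="127.0.0.1"):
    """Return 'Deny' (explicit), 'Allow' or 'ImplicitDeny' for one request."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names match case-insensitively, resource ARNs exactly.
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not _matches(actions, action.lower()):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _ip_condition_holds(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    print(evaluate(BACKUP_POLICY, "s3:GetObject", "arn:aws:s3:::com.example.backup/db.tgz"))
    print(evaluate(BACKUP_POLICY, "s3:GetObject", "arn:aws:s3:::other-bucket/db.tgz"))
    print(evaluate(IP_RESTRICTED_POLICY, "ec2:StopInstances", "*", "10.0.0.5"))
    print(evaluate(IP_RESTRICTED_POLICY, "ec2:StopInstances", "*", "203.0.113.7"))
```

The evaluator fails closed on condition operators it does not understand, which is the right default for a tool used to check policies before they are deployed; note that the slide 23 policy denies even a `10.0.1.1` caller, because only the two /24 networks are listed.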

  25. Enable billing alerts

  27. Enable CloudTrail

  28. Example CloudTrail record
    { "Records": [
        {
          "eventVersion": "1.0",
          "userIdentity": {
            "type": "IAMUser",
            "principalId": "EX_PRINCIPAL_ID",
            "arn": "arn:aws:iam::123456789012:user/Alice",
            "accountId": "123456789012",
            "accessKeyId": "EXAMPLE_KEY_ID",
            "userName": "Alice"
          },
          "eventTime": "2014-09-09T19:01:59Z",
          "eventSource": "ec2.amazonaws.com",
          "eventName": "StopInstances",
          "awsRegion": "eu-west-1",
          "sourceIPAddress": "205.251.233.176",
          "userAgent": "ec2-api-tools 1.6.12.2",
          "requestParameters": {
            "instancesSet": {
              "items": [
                { "instanceId": "i-ebeaf9e2" }
              ]
            },
            "force": false
          },
          ...
        },
        ...
    ] }
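CloudTrail is only useful if someone reads it, and the rules in this deck translate directly into checks over the records: the root account is never used (slide 11), API calls come only from the allowed networks (slide 23), and console logins use 2FA (slide 19). The following Python is an added example, not from the talk and not an AWS tool, that runs those three checks over a trail file of the shape shown on slide 28. The records are constructed after the slide's example; account id, addresses, times and user names are made up, and the MFAUsed field is the one CloudTrail writes into additionalEventData for ConsoleLogin events.

```python
"""Flag risky CloudTrail events (added example; not from the talk or AWS)."""
import ipaddress
import json

# The office networks from the slide 23 policy.
ALLOWED_NETWORKS = [ipaddress.ip_network(c) for c in ("10.0.0.0/24", "10.10.0.0/24")]

# Constructed records modelled on the slide 28 example (values are made up).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventVersion": "1.0",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Alice",
                      "accountId": "123456789012", "userName": "Alice"},
     "eventTime": "2014-09-09T19:01:59Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StopInstances", "awsRegion": "eu-west-1",
     "sourceIPAddress": "10.0.0.12", "userAgent": "ec2-api-tools 1.6.12.2"},
    {"eventVersion": "1.0",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root",
                      "accountId": "123456789012"},
     "eventTime": "2014-09-09T21:14:03Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.7", "userAgent": "Mozilla/5.0",
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventVersion": "1.0",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deploy",
                      "accountId": "123456789012", "userName": "deploy"},
     "eventTime": "2014-09-09T21:20:41Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.23", "userAgent": "aws-cli/1.4.2"},
    {"eventVersion": "1.0",
     "userIdentity": {"type": "AWSService", "invokedBy": "autoscaling.amazonaws.com"},
     "eventTime": "2014-09-09T21:25:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "eu-west-1",
     "sourceIPAddress": "autoscaling.amazonaws.com", "userAgent": "autoscaling.amazonaws.com"},
]})


def find_suspicious(records, allowed_networks=ALLOWED_NETWORKS):
    """Return (eventTime, principal, eventName, [reasons]) for every record that breaks a rule."""
    findings = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        principal = ident.get("userName") or ident.get("type", "unknown")
        reasons = []
        if ident.get("type") == "Root":
            reasons.append("root account used")
        ip = rec.get("sourceIPAddress", "")
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            addr = None  # AWS services acting on your behalf log a DNS name here, not an IP
        if addr is not None and not any(addr in net for net in allowed_networks):
            reasons.append(f"source IP {ip} outside allowed networks")
        if (rec.get("eventName") == "ConsoleLogin"
                and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            reasons.append("console login without MFA")
        if reasons:
            findings.append((rec.get("eventTime"), principal, rec.get("eventName"), reasons))
    return findings


def scan_trail(text):
    """Parse one CloudTrail log file (the JSON shape on slide 28) and scan its records."""
    return find_suspicious(json.loads(text)["Records"])


if __name__ == "__main__":
    for when, who, what, why in scan_trail(SAMPLE_TRAIL):
        print(f"{when} {who} {what}: {'; '.join(why)}")
```

On the sample trail the root console login is reported with all three reasons and the deploy user's RunInstances call is reported for its source address, while Alice's call from the office and the service-initiated DescribeInstances pass; in production you would feed it the gzipped files CloudTrail delivers to S3 and route findings to the same place as the billing alerts from slide 25.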

  29. Check Your Security Status

  31. Premium Support Goodie: Trusted Advisor Security

  33. Questions?

  34. PS: ViennaDB Redis meetup, September 22nd 19:00 @sektorfuenf