Upgrade to Pro — share decks privately, control downloads, hide ads and more …

I Am What IAM for DevOps Vienna

Philipp Krenn
September 09, 2014
Programming
0
640

I Am What IAM for DevOps Vienna

Showing why you need to take care of your AWS credentials (CodeSpaces,...) and how to do that in practice

Philipp Krenn

September 09, 2014
Tweet

More Decks by Philipp Krenn

See All by Philipp Krenn
Full-Text Search Explained
xeraa
11
2k
360° Monitoring of Your Microservices
xeraa
7
3.3k
Scale Your Metrics with Elasticsearch
xeraa
4
130
YAML Considered Harmful
xeraa
0
2k
Scale Your Elasticsearch Cluster
xeraa
1
280
Hands-On ModSecurity and Logging
xeraa
2
140
Centralized Logging Patterns
xeraa
1
970
Dashboards for Your Management with Kibana Canvas
xeraa
1
450
Make Your Data FABulous
xeraa
3
810

Other Decks in Programming

See All in Programming
EventSourcingの理想と現実
wenas
6
2.3k
Jakarta EE meets AI
ivargrimstad
0
520
CSC509 Lecture 12
javiergs
PRO
0
160
카카오페이는 어떻게 수천만 결제를 처리할까? 우아한 결제 분산락 노하우
kakao
PRO
0
110
シールドクラスをはじめよう / Getting Started with Sealed Classes
mackey0225
4
640
Amazon Qを使ってIaCを触ろう!
maruto
0
400
Nurturing OpenJDK distribution: Eclipse Temurin Success History and plan
ivargrimstad
0
870
Ethereum_.pdf
nekomatu
0
460
Click-free releases & the making of a CLI app
oheyadam
2
110
AWS IaCの注目アップデート 2024年10月版
konokenj
3
3.3k
最新TCAキャッチアップ
0si43
0
140
Flutterを言い訳にしない!アプリの使い心地改善テクニック5選🔥
kno3a87
1
150

Featured

See All Featured
Large-scale JavaScript Application Architecture
addyosmani
510
110k
Become a Pro
speakerdeck
PRO
25
5k
Facilitating Awesome Meetings
lara
50
6.1k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.1k
Agile that works and the tools we love
rasmusluckow
327
21k
Fashionably flexible responsive web design (full day workshop)
malarkey
405
65k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
25
1.8k
Producing Creativity
orderedlist
PRO
341
39k
A better future with KSS
kneath
238
17k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
229
52k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
250
21k
4 Signs Your Business is Dying
shpigford
180
21k

Transcript

  1. i am what IAM Philipp Krenn, @xeraa

  2. Why?

  3. None

  4. [...] our data, backups, machine configurations and offsite backups were

    either partially or completely deleted. 1 http://www.codespaces.com
  5. None

  6. The person(s) used our account to order hundreds of expensive

    servers, likely to mine Bitcoin or other cryptocurrencies. 1 http://blog.drawquest.com
  7. None

  8. This outage was the result of an attack on our

    systems using a compromised API key. 1 http://status.bonsai.io/incidents/qt70mqtjbf0s

  9. Remember: Starting with AWS is easy, but terminating everything is

    just as simple.

  10. How?

  11. Lock away your root account and never use it

  12. Always use Identity and Access Management (IAM)

  13. Create an IAM user for every service or action

  14. Use groups to manage permissions for users

  15. Lock users and groups down as much as possible

  16. { "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:ListBucket"

    ], "Resource": "arn:aws:s3:::*" }, { "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ], "Effect": "Allow", "Resource": "arn:aws:s3:::com.example.backup/*" } ] }

  17. Strong password

  18. http://xkcd.com/936/

  19. 2 Factor Authentication (2FA)

  20. None

  21. Never commit your credentials

  22. Enable IP restrictions

  23. { "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*"

    }, { "Effect": "Deny", "Action": "*", "Resource": "*", "Condition": { "NotIpAddress": { "aws:SourceIp": ["10.0.0.0/24", "10.10.0.0/24"] } } } ] }
  24. None

  25. Enable billing alerts

  26. None

  27. Enable CloudTrail

  28. { "Records": [ { "eventVersion": "1.0", "userIdentity": { "type": "IAMUser",

    "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:user/Alice", "accountId": "123456789012", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" }, "eventTime": "2014-09-09T19:01:59Z", "eventSource": "ec2.amazonaws.com", "eventName": "StopInstances", "awsRegion": "eu-west-1", "sourceIPAddress": "205.251.233.176", "userAgent": "ec2-api-tools 1.6.12.2", "requestParameters": { "instancesSet": { "items": [ { "instanceId": "i-ebeaf9e2" } ] }, "force": false }, ... }, ... ] }

  29. Check Your Security Status

  30. None

  31. Premium Support Goodie: Trusted Advisor Security

  32. None

  33. Questions?

  34. PS: ViennaDB Redis meetup September 22nd 19:00 @sektorfuenf