I Am What IAM for DevOps Vienna

Philipp Krenn
September 09, 2014

Showing why you need to take care of your AWS credentials (CodeSpaces,...) and how to do that in practice

Transcript

  1. i am what IAM Philipp Krenn, @xeraa

  2. Why?

  3. (image-only slide)
  4. [...] our data, backups, machine configurations and offsite backups were either partially or completely deleted. [1] http://www.codespaces.com
  5. (image-only slide)
  6. The person(s) used our account to order hundreds of expensive servers, likely to mine Bitcoin or other cryptocurrencies. [1] http://blog.drawquest.com
  7. (image-only slide)
  8. This outage was the result of an attack on our systems using a compromised API key. [1] http://status.bonsai.io/incidents/qt70mqtjbf0s
  9. Remember: Starting with AWS is easy, but terminating everything is just as simple.
  10. How?

  11. Lock away your root account and never use it

  12. Always use Identity and Access Management (IAM)

  13. Create an IAM user for every service or action

  14. Use groups to manage permissions for users

  15. Lock users and groups down as much as possible

  16. {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [ "s3:ListAllMyBuckets", "s3:ListBucket" ],
            "Resource": "arn:aws:s3:::*"
          },
          {
            "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::com.example.backup/*"
          }
        ]
      }
  17. Strong password

  18. http://xkcd.com/936/

  19. Two-factor authentication (2FA)

  20. (image-only slide)
  21. Never commit your credentials
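
A check for the point on this slide, added here as an example and not part of the deck: a small pre-commit scanner that refuses staged content containing an AWS access key ID (the documented format, the literal prefix AKIA followed by 16 upper-case alphanumerics) or a 40-character secret sitting next to a configuration key whose name gives it away. The sample input is constructed and uses the placeholder credential values from the AWS documentation; the hook file name in the usage comment is an assumption.

```python
import re
import sys

# AWS access key IDs are 20 characters: the literal prefix "AKIA" plus 16 upper-case
# letters or digits (documented format), so they can be matched on their own.
ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")

# Secret access keys are 40 characters of base64-like text with no fixed prefix, so
# they are only flagged when assigned to a variable whose name gives them away.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})\b"
)


def find_credential_leaks(text):
    """Return (line number, kind) for every line that looks like it carries an AWS credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if ACCESS_KEY_RE.search(line):
            findings.append((lineno, "access key id"))
        if SECRET_KEY_RE.search(line):
            findings.append((lineno, "secret access key"))
    return findings


# Constructed sample: a credentials file someone is about to commit by accident.
# The key values are the placeholder examples from the AWS documentation, not live keys.
SAMPLE_STAGED_FILE = """[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = eu-west-1
"""


if __name__ == "__main__":
    # Usage as a git pre-commit hook (file name assumed):
    #   git diff --cached | python check_aws_keys.py
    # A non-zero exit status aborts the commit.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STAGED_FILE
    leaks = find_credential_leaks(text)
    for lineno, kind in leaks:
        print("line %d: possible AWS %s, refusing to commit" % (lineno, kind))
    sys.exit(1 if leaks else 0)
```

The secret-key pattern deliberately depends on the variable name: a bare 40-character token matches far too much ordinary text (hashes, tokens, base64 blobs), and a hook that blocks half the commits gets disabled rather than fixed.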

  22. Enable IP restrictions

  23. {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
          },
          {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
              "NotIpAddress": {
                "aws:SourceIp": [ "10.0.0.0/24", "10.10.0.0/24" ]
              }
            }
          }
        ]
      }
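
To see what the two policies on slides 16 and 23 actually permit, here is an added example (not code from the deck) of a minimal evaluator that applies the IAM decision rule: an explicit Deny always wins, an Allow is required for anything else, and with no matching statement the request is denied. It covers only what these two policies use (wildcards in Action and Resource, and the IpAddress/NotIpAddress operators on aws:SourceIp); the real evaluator also considers other condition keys, resource policies and service control policies, so treat it as a model of the rule, not a replacement for the IAM policy simulator. The requests at the bottom are constructed.

```python
import fnmatch
import ipaddress

# The S3 backup policy from slide 16: list everything, touch objects in one bucket only.
BACKUP_POLICY = {
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::*"},
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::com.example.backup/*"},
    ]
}

# The IP-restriction policy from slide 23: allow everything, then deny everything
# that does not originate from the two listed networks.
IP_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": ["10.0.0.0/24", "10.10.0.0/24"]}}},
    ]
}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM wildcard matching: '*' and '?' in an Action or Resource pattern."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Evaluate IpAddress / NotIpAddress on aws:SourceIp, the only condition these
    policies use; any other operator or key is rejected rather than silently ignored."""
    for operator, entries in condition.items():
        for key, cidrs in entries.items():
            if key != "aws:SourceIp" or operator not in ("IpAddress", "NotIpAddress"):
                raise NotImplementedError("unsupported condition %s on %s" % (operator, key))
            source = context.get("aws:SourceIp")
            in_range = source is not None and any(
                ipaddress.ip_address(source) in ipaddress.ip_network(c) for c in _as_list(cidrs)
            )
            # IpAddress needs the address inside a range, NotIpAddress needs it outside.
            if in_range != (operator == "IpAddress"):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Explicit Deny beats Allow; no matching Allow means implicit deny."""
    context = context or {}
    allowed = False
    for statement in policy["Statement"]:
        if not _matches(statement["Action"], action):
            continue
        if not _matches(statement["Resource"], resource):
            continue
        if "Condition" in statement and not _condition_holds(statement["Condition"], context):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed requests against each policy.
    checks = [
        (BACKUP_POLICY, "s3:PutObject", "arn:aws:s3:::com.example.backup/db.sql", {}),
        (BACKUP_POLICY, "s3:PutObject", "arn:aws:s3:::com.example.website/index.html", {}),
        (BACKUP_POLICY, "ec2:TerminateInstances", "*", {}),
        (IP_POLICY, "ec2:TerminateInstances", "*", {"aws:SourceIp": "10.0.0.42"}),
        (IP_POLICY, "ec2:TerminateInstances", "*", {"aws:SourceIp": "203.0.113.7"}),
    ]
    for policy, action, resource, ctx in checks:
        verdict = "allow" if is_allowed(policy, action, resource, ctx) else "deny"
        print(action, resource, ctx, "->", verdict)
```

The backup user from slide 16 can list any bucket but can only read, write or delete objects under com.example.backup, and has no EC2 rights at all; with slide 23's policy a stolen key is useless from anywhere but the two listed networks, because the Deny statement overrides the blanket Allow.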
  24. (image-only slide)
  25. Enable billing alerts

  26. (image-only slide)
  27. Enable CloudTrail

  28. {
        "Records": [
          {
            "eventVersion": "1.0",
            "userIdentity": {
              "type": "IAMUser",
              "principalId": "EX_PRINCIPAL_ID",
              "arn": "arn:aws:iam::123456789012:user/Alice",
              "accountId": "123456789012",
              "accessKeyId": "EXAMPLE_KEY_ID",
              "userName": "Alice"
            },
            "eventTime": "2014-09-09T19:01:59Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "StopInstances",
            "awsRegion": "eu-west-1",
            "sourceIPAddress": "205.251.233.176",
            "userAgent": "ec2-api-tools 1.6.12.2",
            "requestParameters": {
              "instancesSet": { "items": [ { "instanceId": "i-ebeaf9e2" } ] },
              "force": false
            },
            ...
          },
          ...
        ]
      }
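
What you do with the trail once it exists is the useful part. The following added example (not from the deck) parses a CloudTrail record set and flags the three things the earlier slides warn about: use of the root account, destructive or costly API calls such as the StopInstances event shown on this slide, and calls arriving from outside your own networks. The first record is the one on the slide; the other two are constructed. The trusted networks are the two ranges from the IP-restriction policy, and the list of watched actions is an assumption to extend for your own account.

```python
import ipaddress
import json

# API calls whose misuse is what the Code Spaces and DrawQuest stories were about:
# deleting data and instances, or spinning up hundreds of servers. Assumed starting list.
WATCHED_ACTIONS = {
    "StopInstances", "TerminateInstances", "RunInstances",
    "DeleteBucket", "DeleteObject", "DeleteSnapshot", "DeleteDBInstance",
}

# Networks your own tooling talks to AWS from (same ranges as the IP-restriction policy).
TRUSTED_NETWORKS = [ipaddress.ip_network(c) for c in ("10.0.0.0/24", "10.10.0.0/24")]

# Constructed trail: record 1 is the one on the slide, records 2 and 3 are made up.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventVersion": "1.0",
     "userIdentity": {"type": "IAMUser", "principalId": "EX_PRINCIPAL_ID",
                      "arn": "arn:aws:iam::123456789012:user/Alice",
                      "accountId": "123456789012", "accessKeyId": "EXAMPLE_KEY_ID",
                      "userName": "Alice"},
     "eventTime": "2014-09-09T19:01:59Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StopInstances", "awsRegion": "eu-west-1",
     "sourceIPAddress": "205.251.233.176", "userAgent": "ec2-api-tools 1.6.12.2",
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-ebeaf9e2"}]},
                           "force": False}},
    {"eventVersion": "1.0",
     "userIdentity": {"type": "Root", "principalId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"},
     "eventTime": "2014-09-09T23:40:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.23", "userAgent": "aws-cli/1.4.4"},
    {"eventVersion": "1.0",
     "userIdentity": {"type": "IAMUser", "userName": "Alice", "accountId": "123456789012"},
     "eventTime": "2014-09-09T08:15:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "eu-west-1",
     "sourceIPAddress": "10.0.0.5", "userAgent": "aws-cli/1.4.4"},
]})


def review_trail(trail_json, trusted_networks=TRUSTED_NETWORKS):
    """Return one finding per record that trips any rule, listing every reason it tripped."""
    findings = []
    for record in json.loads(trail_json)["Records"]:
        identity = record["userIdentity"]
        reasons = []
        if identity.get("type") == "Root":
            reasons.append("root account used")
        if record["eventName"] in WATCHED_ACTIONS:
            reasons.append("destructive or costly API call")
        try:
            source = ipaddress.ip_address(record["sourceIPAddress"])
        except ValueError:
            # Calls made by AWS services on your behalf carry a DNS name here, not an address.
            source = None
        if source is not None and not any(source in net for net in trusted_networks):
            reasons.append("source IP outside trusted networks")
        if reasons:
            findings.append({
                "eventTime": record["eventTime"],
                "eventName": record["eventName"],
                "user": identity.get("userName", identity.get("type")),
                "sourceIPAddress": record["sourceIPAddress"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in review_trail(SAMPLE_TRAIL):
        print("%(eventTime)s %(user)s %(eventName)s from %(sourceIPAddress)s: %(reasons)s" % finding)
```

Run against the sample, Alice's StopInstances from an unknown address and the root-account RunInstances both surface, while her routine DescribeInstances from the office network does not. The root rule is the one that should never fire at all once slide 11 has been followed; a single hit there is worth an alert on its own.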
  29. Check Your Security Status

  30. (image-only slide)
  31. Premium Support Goodie: Trusted Advisor Security

  32. (image-only slide)
  33. Questions?

  34. PS: ViennaDB Redis meetup September 22nd 19:00 @sektorfuenf