Upgrade to Pro — share decks privately, control downloads, hide ads and more …

I Am What IAM for DevOps Vienna

Philipp Krenn
September 09, 2014
Programming
0
600

I Am What IAM for DevOps Vienna

Showing why you need to take care of your AWS credentials (CodeSpaces,...) and how to do that in practice

Philipp Krenn

September 09, 2014
Tweet

More Decks by Philipp Krenn

See All by Philipp Krenn
Full-Text Search Explained
xeraa
11
1.9k
360° Monitoring of Your Microservices
xeraa
7
3.2k
Scale Your Metrics with Elasticsearch
xeraa
4
120
YAML Considered Harmful
xeraa
0
1.9k
Scale Your Elasticsearch Cluster
xeraa
1
260
Hands-On ModSecurity and Logging
xeraa
2
120
Centralized Logging Patterns
xeraa
1
920
Dashboards for Your Management with Kibana Canvas
xeraa
1
440
Make Your Data FABulous
xeraa
3
750

Other Decks in Programming

See All in Programming
SIMD Parallel Programming with the Vector API
josepaumard
0
180
デフォルトにして至高、RubyMineの大好きな所
ruzia
0
390
雑に思考を整理する技術と効能
konifar
60
29k
StoreKit2によるiOSのアプリ内課金のリニューアル
kangnux
0
110
Anthropic Cookbook のおすすめレシピ
schroneko
7
980
0→1と1→10の狭間で Javaという技術選定を振り返る/Reflecting on the Decision to Choose Java Between Scaling from 0 to 1 and 1 to 10
jaguar_imo
2
380
AWS CDKコントリビュートTIPS / aws-cdk-contribution-tips
gotok365
2
190
Build Apps for iOS, Android & Desktop in 100% Kotlin With Compose Multiplatform (mDevCamp 2024)
zsmb
0
340
サイコロで理解する統計的仮説検定の考え方
tatamiya
4
940
Hanami and htmx
bkuhlmann
0
210
try! Swift Tokyo 初参加報告LT
hinakko2
0
220
Goのmultiple errorsについて (2024年4月版)
syumai
4
900

Featured

See All Featured
A Tale of Four Properties
chriscoyier
151
22k
GraphQLとの向き合い方2022年版
quramy
32
12k
How STYLIGHT went responsive
nonsquared
92
4.8k
Done Done
chrislema
178
15k
For a Future-Friendly Web
brad_frost
172
9k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
659
120k
Being A Developer After 40
akosma
57
580k
Debugging Ruby Performance
tmm1
70
11k
What's new in Ruby 2.0
geeforr
337
31k
Designing with Data
zakiwarfel
96
4.8k
Build The Right Thing And Hit Your Dates
maggiecrowley
24
2k
The Power of CSS Pseudo Elements
geoffreycrofte
60
5k

Transcript

  1. i am what IAM Philipp Krenn, @xeraa

  2. Why?

  3. None

  4. [...] our data, backups, machine configurations and offsite backups were

    either partially or completely deleted. 1 http://www.codespaces.com
  5. None

  6. The person(s) used our account to order hundreds of expensive

    servers, likely to mine Bitcoin or other cryptocurrencies. 1 http://blog.drawquest.com
  7. None

  8. This outage was the result of an attack on our

    systems using a compromised API key. 1 http://status.bonsai.io/incidents/qt70mqtjbf0s

  9. Remember: Starting with AWS is easy, but terminating everything is

    just as simple.

  10. How?

  11. Lock away your root account and never use it

  12. Always use Identity and Access Management (IAM)

  13. Create an IAM user for every service or action

  14. Use groups to manage permissions for users

  15. Lock users and groups down as much as possible

  16. { "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:ListBucket"

    ], "Resource": "arn:aws:s3:::*" }, { "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ], "Effect": "Allow", "Resource": "arn:aws:s3:::com.example.backup/*" } ] }

  17. Strong password

  18. http://xkcd.com/936/

  19. 2 Factor Authentication (2FA)

  20. None

  21. Never commit your credentials

  22. Enable IP restrictions

  23. { "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*"

    }, { "Effect": "Deny", "Action": "*", "Resource": "*", "Condition": { "NotIpAddress": { "aws:SourceIp": ["10.0.0.0/24", "10.10.0.0/24"] } } } ] }
  24. None

  25. Enable billing alerts

  26. None

  27. Enable CloudTrail

  28. { "Records": [ { "eventVersion": "1.0", "userIdentity": { "type": "IAMUser",

    "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:user/Alice", "accountId": "123456789012", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" }, "eventTime": "2014-09-09T19:01:59Z", "eventSource": "ec2.amazonaws.com", "eventName": "StopInstances", "awsRegion": "eu-west-1", "sourceIPAddress": "205.251.233.176", "userAgent": "ec2-api-tools 1.6.12.2", "requestParameters": { "instancesSet": { "items": [ { "instanceId": "i-ebeaf9e2" } ] }, "force": false }, ... }, ... ] }

  29. Check Your Security Status

  30. None

  31. Premium Support Goodie: Trusted Advisor Security

  32. None

  33. Questions?

  34. PS: ViennaDB Redis meetup September 22nd 19:00 @sektorfuenf