DevCon #2016: Securing AWS Infrastructure
About the speaker
- Neil Alwin Hermosilla
- DevOps Engineer
- Blogger [https://cebuserver.com]
- Cebuano Native
- Ansible Lover
- Die-hard Debian User
Meet the threat
Focusing on ...
- AWS Key Management
- AWS IAM Management
- AWS AMI Management
- AWS Security Groups
- Server Monitoring
- Alert Notification
- Art of Monitoring
Key Management
AWS IAM: 3rd Party Providers
- Make sure you don't give full permission to execute unauthorized API calls.
- Make sure to evaluate permissions every quarter.
- Use dedicated credentials for each provider.
User
- Control resource access permission (ACL)
- Utilize ReadOnly/Full policy
- Don't enable "password" (stick with access-key/secret-key)
AWS IAM: Group
- Group users properly
- Best practice is to group them by Department/Team, for example:
  - Developer Support
  - Developer Release
  - System Admin I
  - System Admin II
  - QA Engineer
  - Business Groups
  - Project Managers
Roles
- Use IAM Roles (they let one or more services act on resources without stored credentials). Better than having passwords all over the place.
AWS AMI
- Evaluate preferred distro
- Evaluate AMI format/type
- Evaluate AMI builds (components)
- Evaluate defaults (libraries to be added)
- Evaluate base software (pre-installed)
- Initiate a snapshot of the server
- Use the snapshot to spawn additional machines
AWS Security Groups
Things to be aware of:
- If an instance is created via classic mode (default), once it's fired up, there is no way for you to add more security groups to it.
*BETTER UTILIZE VPC -- SEGREGATE THE NETWORK*
- Always create a "spare-tire" Security Group.
- Remote IP whitelisting
Server Monitoring
Alert Notification
DEVOPSHQ.ORG
@NeilUpbeta01
CebuServer.Com
AWSUGPH