Peter Pilgrim :: Java Champion :: Digital Developer Architect


Hot shot 006 – Securing your AWS account

08 June 2018


These are my verbatim notes to the PEAT UK podcast:

 

 


 

Friday, 18th May 2018

 

Hello there, and welcome once again to another hot shot. My name is Peter Pilgrim, Platform engineer, DevOps specialist and Java Champion.

 

This hot shot is about securing your AWS account and, in particular, the Identity and Access Management (IAM) console.

 

 

 

Here are some tips:

  1. You will want to change your personal Amazon account password immediately and make it very secure and very strong, especially if you share the username for your residential Amazon deliveries with your AWS console. Treat your Amazon and AWS root user accounts like a precious gold bar, because if you lose possession of them, then your goose is, indeed, cooked.
  2. If you run your own business, you may want to associate your AWS root user account with a business account. Make sure that only you, the business owner, have access to this account.
  3. Learn about AWS security and the Identity and Access Management interface, otherwise known as IAM. Get a deep dive; I recommend this a lot.
  4. Store the AWS root password in a cyber vault, such as a very secure LastPass account that only you can access, along with a few trusted left tenants (lieutenants USA).
  5. Create for yourself a read-only user that lets you look at things without accidentally destroying important things like EC clusters, groups, instances, networks and VPCs, security groups, databases and resources.
  6. Consider adding Multi-Factor Authentication (MFA) to protect your account. You’re quids in if you are already using the Google Authenticator mobile phone application, like I do for Google Mail and Google account access.
  7. Create separate IAM Users and IAM Groups. For example, you may want to create EC2 instance users and groups, which allow trusted people to start and stop instances. You may want to create another set of users, who can only access database instances such as RDS, Aurora and MySQL.
  8. Learn about IAM Roles, which give you the option of allowing power users to assume roles. For example, you might create an Administrator group and allow trusted Platform Engineers and DevOps technical-leads (vis-a-vis Anchors) to become Administrator.
  9. Create IAM Roles with multiple managed policies. Amazon has this concept of managed policies for each service that they have in the AWS platform. So, for example, you provision an EC2 instance with a role so that it launches with enough permissions. You need the policies AWSCodeDeployFullAccess, AmazonInspectorFullAccess, AmazonEC2RoleforSSM and AmazonEC2ReadOnlyAccess. If you want EC2 instances attached to the IAM Role to also access the S3 service, then you have to add an additional policy for the other service. You can add the policy AmazonS3ReadOnlyAccess to the custom IAM Role. This allows an EC2 instance with a web server to synchronise a static web site with the data on S3. Of course, you will need a script to synchronise the data first at launch time. The benefit of IAM Roles is that they share no secrets; they only provide permissions. Roles can be granted temporarily to users and systems.
  10. If you are going to secure your AWS account, you definitely want to learn about monitoring AWS beforehand. So delve into the CloudFront and CloudWatch screens.
  11. Re-evaluate the default AWS IAM password policy: follow the advanced user advice from AWS. Once you are really good at AWS, then follow the advice to remove your root access keys. Enable password expiration and set expiration periods. Maybe you want to expire passwords every 3 months, but at 6 months. It depends on your situation (and, of course, your institution).
  12. Finally, if you want to call yourself an AWS expert, then you will have already watched the YouTube video from AWS re:Invent 2015 by Anders Samuelsson about IAM Best Practices. Please watch it now to become experienced.
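
The account-level checks behind tips 6, 7 and 11 can be automated. The following is an added example, not part of the original podcast notes: it audits data in the shape returned by `aws iam get-account-summary` and `aws iam get-account-password-policy`. The sample values are constructed, and the function name `audit`, the check ids and the 90-day default (the 3-month figure from tip 11) are assumptions of this example.

```python
"""Audit IAM account settings: root access keys, root MFA, groups, password expiry."""
import json

# Constructed sample data, in the shape returned by
#   aws iam get-account-summary          -> "SummaryMap"
#   aws iam get-account-password-policy  -> "PasswordPolicy"
SAMPLE_SUMMARY = json.loads("""
{"SummaryMap": {"AccountAccessKeysPresent": 1, "AccountMFAEnabled": 0,
                "Users": 4, "Groups": 0, "Roles": 2}}
""")["SummaryMap"]
SAMPLE_POLICY = json.loads("""
{"PasswordPolicy": {"MinimumPasswordLength": 8, "ExpirePasswords": false,
                    "AllowUsersToChangePassword": true}}
""")["PasswordPolicy"]


def audit(summary, policy, max_age_days=90):
    """Return a list of (check_id, message) findings; an empty list means all pass.

    summary      -- the SummaryMap dict
    policy       -- the PasswordPolicy dict, or None when the account has no
                    custom password policy (the API reports NoSuchEntity)
    max_age_days -- longest acceptable password lifetime (assumed threshold)
    """
    findings = []
    if summary.get("AccountAccessKeysPresent", 0):
        findings.append(("root-access-keys", "root user still has access keys"))
    if not summary.get("AccountMFAEnabled", 0):
        findings.append(("root-mfa", "root user has no MFA device"))
    if summary.get("Users", 0) and not summary.get("Groups", 0):
        findings.append(("no-groups", "IAM users exist but no IAM groups"))
    if policy is None:
        findings.append(("no-password-policy", "default password policy in use"))
        return findings
    if not policy.get("ExpirePasswords", False):
        findings.append(("no-expiry", "passwords never expire"))
    elif policy.get("MaxPasswordAge", 0) > max_age_days:
        findings.append(("long-expiry",
                         f"MaxPasswordAge exceeds {max_age_days} days"))
    return findings


if __name__ == "__main__":
    for check_id, message in audit(SAMPLE_SUMMARY, SAMPLE_POLICY):
        print(f"[FAIL] {check_id}: {message}")
```

To run it against a live account, save the output of the two CLI commands as JSON and pass the `SummaryMap` and `PasswordPolicy` objects to `audit`, using the read-only user from tip 5.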

 

That’s it for this hot shot. I hope you liked it.

Bye

+PP+
May 2018

 

 


Addendum: I also recommend that you watch AWS re:Invent 2017 How to become IAM Ninja, AWS re:Invent 2017: IAM Policy Ninja (SID314), which has some updated information.

Addendum II: My apologies to my listeners and readers, because I forgot to add the User data script for the AWS AMI, which I modified to chmod write access to the Apache server.

 

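#!/bin/bash
# EC2 user data: runs as root at first boot of the instance
yum update -y
yum install -y httpd24 php70
# Pull the static site from S3; access comes from the instance's IAM Role
# (AmazonS3ReadOnlyAccess), so no keys are stored on the machine
aws s3 sync s3://your.website.hosted.on.aws.s3 /var/www/html
# Give the Apache user ownership of the web root so the server can write to it.
# "chown -R 777" would set the owner to UID 777 and leave the mode unchanged.
chown -R apache:apache /var/www/html
service httpd start
chkconfig httpd on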

 

 


 

 
