Here's the policy you need to attach to your instance's IAM role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::bucket-name",
        "arn:aws:s3:::bucket-name/*"
      ]
    }
  ]
}

You can replace the '*' above with more restrictive permissions (e.g. read only) where necessary. This approach means you don't need […]
This is a script I wrote that queries the EC2 tags of an AWS console, in order to figure out what environment a node belongs to, and what class to assign to it.

#!/bin/bash
# https://docs.puppetlabs.com/guides/external_nodes.html
# http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html
export AWS_ACCESS_KEY_ID=xxxxxxxxxxxxxxxxxxxxxx
export AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxx
export AWS_DEFAULT_REGION=xxxxxxx
instanceid=`echo $1 | awk -F"_" '{print […]
http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/using-elb-listenerconfig-quickref.html
https://blog.qruizelabs.com/2014/06/06/ssl-aws-elb/

In my case I replaced:
!/elbcheck.html
with:
^(.*)$
http://docs.aws.amazon.com/lambda/latest/dg/python-programming-model-handler-types.html
http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/EventTypes.html#auto_scaling_event_types
https://aws.amazon.com/blogs/compute/scheduling-ssh-jobs-using-aws-lambda/
https://github.com/fugue/emulambda
https://github.com/nficano/python-lambda
Ensuring that your AWS infrastructure is secure is a responsibility that's shared between you and Amazon. Amazon is mainly responsible for:
- Securing the physical hardware that your resources (e.g. EC2 instances) run on, e.g. limiting who is allowed to walk into AWS's AZs (data centres)
- Ensuring that internal […]
AWS offers a number of native security features that we can use to enhance security:
- AWS API access security, via API keys
- Built-in VPC firewalls, with private and public subnets; AWS encourages us to use private subnets whenever possible
- IAM: only authenticated users and apps are granted access privileges […]
We can limit DDoS attacks in the following ways:
- Identify the IP range of the DDoS attack and block it at the Network ACL level. Alternatively this could be done at the Security Group level, but it's quicker at the Network ACL level.
- Install DDoS prevention software on our EC2 instances that will […]
You can encrypt the content of your resources. This basically means that the content can't be viewed by an AWS employee. The only way to decrypt the content is by logging into the AWS account that created the encrypted data in the first place, and you also need to log in […]
If there is a particular file in an S3 bucket that is available to access, then there are three kinds of principal that may want to download it:
- An AWS user: this request can be granted via IAM roles
- An AD user who doesn't have an AWS account: this user […]
- CloudWatch-related API requests are signed with an HMAC-SHA1 signature computed from the request and the user's private key
- CloudWatch's (SDK) API is only accessible via HTTPS, not HTTP, i.e. it is encrypted with SSL
- An IAM user can only access CloudWatch if they are given access via IAM
- You can configure […]