iam

Restricting Access to EC2 Instances Based on Tags

Restricting Access to EC2 Instances Based on Tags

The principle of least privilege is key when it comes to securing your infrastructure on AWS. For example, an engineer should only be able to control EC2 instances that are in scope for her day-to-day work. But how do you make sure an engineer is only a...

AWS Security Primer

AWS Security Primer

I was preparing some AWS Security related training. Soon, I realized that this topic is too huge to fit into my brain. So I structured my thoughts in a mind map1. Within a couple of minutes2 I came up with this: What is your first reaction? Mine was pr...

Complete AWS IAM Reference

Writing IAM policies is hard. Following the principle of least privilege is even harder. To write a secure IAM policy you need to know: What actions are needed? Are resource-level permissions supported and on what levels? Are conditions supported to restrict access? That’s a lot of stuff and the information is spread all across the AWS documentation. That’s why we created the Complete AWS IAM Reference. ExampleFor example, you want to allow the launch of new EC2 instances. First you need to find out w...

Your AWS Account is a mess? Learn how to fix it!

Your AWS Account is a mess? Learn how to fix it!

Have you no wildcard ec2:* in your IAM policies? Your Security Group rules are as strict as possible? Your S3 Bucket Access Policies only contain rules you know? You know about every single resource that runs in your account? If so, stop reading and ple...

Avoid security credentials on GitHub

Your AWS account is a valuable target for bad guys. With access to your security credentials an attacker is potential able to steal sensitive data, utilize resources on your costs, or sabotage your infrastructure. Two years ago AWS and their customers observed that bad guys started to crawl public GitHub repositories for security credentials granting them access to AWS accounts. Turns out even the most cautious engineer commits secrets to public GitHub repositories from time to time. We are all humans! W...

Manage AWS EC2 SSH access with IAM

Manage AWS EC2 SSH access with IAM

AWS can deploy one EC2 Key Pair to your EC2 instance. But this approach has several disadvantages: You can only use one key per EC2 instance. But you shouldn’t share keys between users. Access to EC2 instances via SSH can not be restricted to specific ...

CloudFormation vs Engineers: How to protect your CloudFormation managed AWS account from human intervention

To eliminate human error as much as possible I advised you to follow the idea of Infrastructure as Code implemented by AWS CloudFormation. Changes to your infrastructure like launching a new virtual server or making changes to a firewall configuration are no longer done manually. Instead you change the description of your infrastructure and let CloudFormation apply the changes.A common problem with CloudFormation are manual changes to resources managed by CloudFormation. A manual change to your AWS accou...

Your single AWS account is a serious risk

Your single AWS account is a serious risk

Your AWS account is one of the most valuable things you own if you run a business on AWS. If you only own a single AWS account, you’re facing a serious security risk! The post will show you why this a problem and how you can solve it. This post receive...

marbot

Are you part of a highly motivated DevOps team? Use marbot, a friendly chatbot, to forward all kind of alerts from your AWS infrastructure to Slack. Alerts are escalated across your team automatically allowing you to focus on your daily work.

Add to Slack
Amazon Web Services in Action (Second Edition)

Amazon Web Services in Action (Second Edition) introduces you to computing, storing, and networking in the AWS cloud.

Buy now

Popular posts

Subscribe

Legal

Projects