Unterföhring, 17.10.2016
Andreas Sieferlinger

HOW TO MANAGE A MULTI AWS ACCOUNT INFRASTRUCTURE
A short introduction: Why, how and dodging bullets
Munich AWS User Group
glomex – A company of ProSiebenSat.1 Media SE

INTRO
Andreas Sieferlinger
Team OPS tasks:
- base architecture
- AWS base setup
- tools and frameworks for teams
- AWS consulting for internal teams

AGENDA
- WHY would I want a multi account setup?
- HOW have we implemented this?
- WHICH pitfalls did we experience?
- WHICH tools do we use?

WHY?
- AWS recommendation (depending on your setup)
- separate billing
- fine grain access control / security
- mimic organization setup
- separate stages / environments
-> minimize blast radius

WHY A SINGLE ACCOUNT IS BAD
- account limits / capacity planning
- API rate limits
- complicated access control for certain resources (EC2)
- complicated deprovisioning of complete products

ACCOUNT STRUCTURE
Total number of accounts: 21

- Product N, environment: dev (role)
- Product N, environment: qa (role)
- Product N, environment: stage (role)
- Product N, environment: prod (role)
- logging account: CloudTrail logging, very restrictive access
- management account: IAM, billing; 2FA enforced; user sync to FreeIPA; assume role into the product accounts (one role per account)

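The product-account roles in this layout are entered from the management account with "assume role" and "2FA enforced". The following is an added example (not code from the talk or from glomex's tooling) that builds the trust policy such a role needs and then audits any trust policy for the two things that matter in this structure: that sts:AssumeRole is only allowed with an MFA-authenticated session, and that no principal outside the management account is trusted. The account id is a constructed placeholder.

```python
import json

# Constructed placeholder for the management account id in the slide's layout
MANAGEMENT_ACCOUNT_ID = "111111111111"


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def build_trust_policy(management_account_id: str) -> dict:
    """Trust policy for a product-account role: principals from the management
    account may call sts:AssumeRole, but only from an MFA-authenticated session."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
            }
        ],
    }


def assume_role_statements_without_mfa(policy: dict) -> list:
    """Return the Allow statements that grant sts:AssumeRole without a
    Bool aws:MultiFactorAuthPresent == true condition."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        bool_cond = stmt.get("Condition", {}).get("Bool", {})
        if str(bool_cond.get("aws:MultiFactorAuthPresent", "")).lower() != "true":
            findings.append(stmt)
    return findings


def _account_of(principal_arn: str) -> str:
    """Account id of an IAM principal ARN (arn:aws:iam::<account>:...)."""
    parts = principal_arn.split(":")
    return parts[4] if len(parts) >= 6 else principal_arn


def untrusted_principals(policy: dict, trusted_accounts: set) -> list:
    """Principals in the trust policy that belong to no trusted account.
    A bare account id, an ARN from another account or a wildcard all count."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("*")
            continue
        entries = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        for entry in entries:
            account = entry if entry.isdigit() else _account_of(entry)
            if account not in trusted_accounts:
                findings.append(account)
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(MANAGEMENT_ACCOUNT_ID)
    print(json.dumps(policy, indent=2))
    print("statements without MFA:", assume_role_statements_without_mfa(policy))
    print("untrusted principals:", untrusted_principals(policy, {MANAGEMENT_ACCOUNT_ID}))
```

Running the two audit functions over every product account's role trust policies (for example from an iam:GetRole dump) is a cheap way to catch the "complex trust relationships" pain the later slides mention before they become a foothold from one account into another.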
NETWORK STRUCTURE (WITHIN A SINGLE REGION)
- infra VPC, connected via VPN to the corporate DCs and to employees
- product N, environment qa: /22
- product N, environment stage: /22
- product N, environment dev: /22
- product N, environment prod: /22

PAIN
- Tool support for cross-account access is meh...
  - kinesis agent (since 16.09.2016, IAM roles are supported!)
  - many tools do not (easily) support profiles / roles -> aws-mfa
  - cli with many accounts and MFA will slow you down
- AWS support for cross account access could be better...
  - public VPC security groups
  - complex trust relationships
  - S3 buckets with 3+ account relationships

DNS ZONE DELEGATION
- DNS zone separation
- cross account DNS for corporate domain too complicated -> complex DNS
- many SSL certificates required (ACM not available for all services)

Delegation chain (one zone per product and environment):
glomex.cloud
  vvs.glomex.cloud
    dev.vvs.glomex.cloud / qa.vvs.glomex.cloud / stage.vvs.glomex.cloud / prod.vvs.glomex.cloud
      hostname.dev.vvs.glomex.cloud
      *.dev.vvs.glomex.cloud
      *.prod.vvs.glomex.cloud

PAIN 2
- complex networking setup: peering / routing easily gets out of hand, try to keep it simple!
- No single point of view over all accounts/metrics/monitoring with AWS services/tools; tools like Datadog and Security Monkey help
- Costs and effort may multiply per account (config rules, support, VPN connections, management, SSL certs). About $70 per account in our environment
- User support and education more demanding
- Everything solved or found feasible workarounds!

EDUCATE YOUR USERS
Request from developer: "We extended the instance base policy, but cannot enable it, please roll out for all"

Users are unaware of potential problems they create. Educate!

The requested extension to the instance policy:

    {
        "Effect": "Allow",
        "Action": "autoscaling:*",
        "Resource": "*"
    },
    {
        "Effect": "Allow",
        "Action": "elasticloadbalancing:*",
        "Resource": "*"
    }
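The two statements above grant every Auto Scaling and every Elastic Load Balancing action on every resource to every instance that carries the base policy, which is why "roll out for all" is the wrong answer. As an added example (not from the talk or from glomex's tooling), the following checker takes an IAM policy document or a list of statements and reports the Allow statements that pair a wildcard action (a global "*" or a whole service "svc:*", or any NotAction) with Resource "*", so a reviewer sees the blast radius of a requested change before it is applied. The statements embedded are the ones from the slide.

```python
# The two statements shown on the slide, embedded here as sample input
SLIDE_STATEMENTS = [
    {"Effect": "Allow", "Action": "autoscaling:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "elasticloadbalancing:*", "Resource": "*"},
]


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _statements(policy_or_statements):
    """Accept a full policy document ({"Statement": ...}) or a bare statement list."""
    if isinstance(policy_or_statements, dict):
        return _as_list(policy_or_statements.get("Statement", []))
    return list(policy_or_statements)


def overbroad_grants(policy_or_statements) -> list:
    """Return '<action> on *' strings for Allow statements that combine a
    wildcard action with Resource '*'. A NotAction statement on '*' allows
    everything except the listed actions and is reported as such."""
    findings = []
    for stmt in _statements(policy_or_statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue  # scoped to specific ARNs; not what this check is after
        if "NotAction" in stmt:
            findings.append(f"NotAction {_as_list(stmt['NotAction'])} on *")
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{action} on *")
    return findings


def review(policy_or_statements) -> str:
    """Human-readable verdict for a requested policy change."""
    findings = overbroad_grants(policy_or_statements)
    if not findings:
        return "ok: no wildcard action on wildcard resource"
    return "needs review: " + "; ".join(findings)


if __name__ == "__main__":
    print(review(SLIDE_STATEMENTS))
```

The check is deliberately narrow: it does not judge whether a specific action is dangerous, only whether the statement is unbounded on both axes. That is the shape a base policy shared by all instances in all environments should never take, and it is the shape a developer who needs "just one more permission" produces most often.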
TOOLS
- FreeIPA is source of authentication
- FreeIPA to AWS IAM sync tool (no SAML)
- FreeIPA SSH key user management on instances
- aws-mfa
- Account / environment detection on instances to avoid bad things
- Security Monkey
- DataDog
- Base setup tool "kiso": manages all accounts (CloudFormation / troposphere + config + tooling)
- Account creation automation (about 80%)
- custom application rollout tools: glomex cloud deployment tools (gcdt)
  - Kumo (CloudFormation)
  - Tenkai (CodeDeploy)
  - Yugen (API Gateway)
  - Ramuda (Lambda)

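"Account / environment detection on instances to avoid bad things" is listed without detail. The following added example (not the talk's own tool) shows one way to do it: an instance reads its EC2 instance identity document, which carries the accountId, maps that id to a product and environment, and refuses to run a job meant for a different environment. The account ids, the mapping table and the embedded identity document are constructed; the metadata URL is the real instance-identity endpoint, fetched here without an IMDSv2 token as was usual at the time of the talk.

```python
import json
from urllib.request import urlopen

# Real EC2 metadata endpoint for the instance identity document (IMDSv1 style, no token)
IDENTITY_DOCUMENT_URL = "http://169.254.169.254/latest/dynamic/instance-identity/document"

# Constructed mapping of account id -> (product, environment); ids are placeholders
ACCOUNT_MAP = {
    "111111111111": ("productN", "dev"),
    "222222222222": ("productN", "qa"),
    "333333333333": ("productN", "stage"),
    "444444444444": ("productN", "prod"),
}

# Constructed identity document, as an instance in the prod account would see it
CONSTRUCTED_DOCUMENT = json.dumps({
    "accountId": "444444444444",
    "region": "eu-west-1",
    "instanceId": "i-0123456789abcdef0",
})


class EnvironmentMismatch(RuntimeError):
    """Raised when the instance is not in the account/environment a job expects."""


def detect_environment(document_json: str, account_map=ACCOUNT_MAP) -> dict:
    """Resolve the account id from an identity document to product/environment.
    An unknown account is an error: a job must never guess its environment."""
    doc = json.loads(document_json)
    account_id = doc.get("accountId")
    if account_id not in account_map:
        raise EnvironmentMismatch(f"account {account_id!r} is not a known account")
    product, environment = account_map[account_id]
    return {
        "account_id": account_id,
        "product": product,
        "environment": environment,
        "region": doc.get("region"),
        "instance_id": doc.get("instanceId"),
    }


def require_environment(expected: str, document_json: str, account_map=ACCOUNT_MAP) -> dict:
    """Gate for environment-specific jobs: returns the detected context or raises."""
    info = detect_environment(document_json, account_map)
    if info["environment"] != expected:
        raise EnvironmentMismatch(
            f"running in {info['environment']} (account {info['account_id']}), "
            f"but this job is for {expected}"
        )
    return info


def fetch_identity_document(timeout: float = 2.0) -> str:
    """Read the identity document from the metadata service (only works on EC2)."""
    with urlopen(IDENTITY_DOCUMENT_URL, timeout=timeout) as response:
        return response.read().decode("utf-8")


if __name__ == "__main__":
    # On a real instance replace CONSTRUCTED_DOCUMENT with fetch_identity_document()
    print(require_environment("prod", CONSTRUCTED_DOCUMENT))
```

The identity document is signed by AWS (the metadata service also serves a PKCS7 signature next to it); if the guard protects anything important, verify that signature rather than trusting the plain JSON, since anything on the instance can forge a local file.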
LINKS
- When to use AWS Multi Account Setups: https://aws.amazon.com/de/answers/account-management/aws-multi-account-security-strategy
- S3 configuration for use with 3 accounts: http://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example4.html
- aws-mfa tool: https://github.com/broamski/aws-mfa
- Security Monkey: https://github.com/Netflix/security_monkey
- Slides: https://speakerdeck.com/andreassieferlinger
- glomex techblog: coming soon

Q & A
Short questions regarding the presentation
More time after the talk!

THANK YOU.
I'll be available for your questions after the talk.