Session-49.txt
IAM concept
---------------
only read access through console
create a group (based on the person's position), add permissions to the group
add the user to the group --> automatically he will get the group's permissions
we had one workstation, we were creating instances and R53 records through the workstation...
a user with admin access like terraform, we get a secret key and access key
a resource inside AWS can access other resources
-------------------------------------------
1. create a user and configure it inside EC2 using aws configure
once your credentials are exposed, hackers will have full access
the user has to frequently change credentials, again run aws configure and update the creds
2. Use roles instead of users directly
User --> human
Role --> non humans, create a role for EC2 (EC2 is non human) and attach that role to EC2
AWS will frequently rotate the credentials automatically
aws ec2 run-instances --instance-type t2.micro
thin access --> give the role only the permissions it actually needs
Roboshop
--------------------------
We are installing catalogue in EC2, catalogue needs to access configuration stored in SSM parameter store
We are developing applications, apps need configurations like DB URL, username, password, any other system configurations, etc.
if configuration is hard coded, whenever there is a change in config the application has to be rebuilt and redeployed
always keep the config separately from the app code, refer to config dynamically...
if config is changed, just restart the application and it will fetch the new value automatically..
catalogue EC2 instance needs to access SSM parameter store
1. aws configure
2. best is create a role for EC2 give SSM access
1. create a role
2. attach policies
IAM
assign role to EC2 through terraform to access SSM parameter based on environment
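The role-based setup above, as an added Terraform example (not the course's own code): a role trusted only by the EC2 service, a policy that can read just this environment's catalogue parameters, and the instance profile that hands the role to the catalogue instance. Role/policy names, the parameter path /roboshop/<env>/catalogue/* and the AMI id are assumptions or placeholders.

```hcl
variable "environment" {
  default = "dev" # dev or prod; picks which parameters the instance may read
}

# Trust policy: only the EC2 service may assume this role, no human user.
resource "aws_iam_role" "catalogue" {
  name = "roboshop-${var.environment}-catalogue"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Permission policy: read only the parameters under this environment's
# catalogue path, nothing else in Parameter Store (assumed path layout).
resource "aws_iam_policy" "catalogue_ssm_read" {
  name = "roboshop-${var.environment}-catalogue-ssm-read"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"]
      Resource = "arn:aws:ssm:*:*:parameter/roboshop/${var.environment}/catalogue/*"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "catalogue" {
  role       = aws_iam_role.catalogue.name
  policy_arn = aws_iam_policy.catalogue_ssm_read.arn
}

# EC2 receives a role through an instance profile.
resource "aws_iam_instance_profile" "catalogue" {
  name = "roboshop-${var.environment}-catalogue"
  role = aws_iam_role.catalogue.name
}

resource "aws_instance" "catalogue" {
  ami                  = "ami-PLACEHOLDER" # placeholder: choose an AMI in your region
  instance_type        = "t2.micro"
  iam_instance_profile = aws_iam_instance_profile.catalogue.name
  tags                 = { Name = "roboshop-${var.environment}-catalogue" }
}
```

No access key or secret key is written to the instance; the SDK on the box picks up the role's temporary credentials from the instance metadata service and AWS rotates them.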
change management process
---------------------
DEV success
PROD deploy --> a process of change
you raise a CR ticket
what is the change?
what happened in DEV
who needs to approve
team lead
team manager
business analyst
finally your client
what happened to testing?
what happened to scanning?
take the test manager approval