Impact of AWS Account Identifiers

情到浓时终转凉″ 提交于 2019-12-02 22:45:53

What you can do is have a single, super-locked down 'authentication server'. The secret key only exists on this one server, and all the other servers will need to ask it for permission. You can assign your own keys to the various servers, and lock it down by IP address as well. That way if a server gets compromised, you simply revoke its key from the 'authentication server'.

This is possible, because of the way the AWS authentication works. Say your webserver needs to upload a file to S3. First, it will generate the AWS request, and send that request along with your custom server key to the 'authentication server'. The authentication server will authenticate the request, doing the crypto magic stuff, and return the authenticated string back to the webserver. The webserver can then use this to actually submit the request along with the file to upload to S3.

AWS allows you to create multiple users with Identity and Access Management. This will allow you to implement either of your scenarios.

I would suggest defining an IAM user per EC2 instance, this allows you to revoke access to a specific user (or just their access keys) if the corresponding EC2 instance is compromised and also use fine-grained permissions to restrict what APIs the user can call and what resources they can access (e.g. only permit the user to upload to a specific bucket).

Furthermore, AWS IAM roles allow you to assign permissions to an EC2 instance rather than having to place keys on the instance. See the blog post at http://aws.typepad.com/aws/2012/06/iam-roles-for-ec2-instances-simplified-secure-access-to-aws-service-apis-from-ec2.html Most of the SDKs utilize the temporary keys created by the roles.

AWS offers "Consolidated Billing" which addresses your concern in the second thought.

https://aws-portal.amazon.com/gp/aws/developer/account/index.html?ie=UTF8&action=consolidated-billing

"Consolidated Billing enables you to consolidate payment for multiple Amazon Web Services (AWS) accounts within your company by designating a single paying account. You can see a combined view of AWS costs incurred by all accounts, as well as obtain a detailed cost report for each of the individual AWS accounts associated with your paying account. Consolidated Billing may also lower your overall costs since the rolled up usage across all of your accounts could help you reach lower-priced volume tiers more quickly."

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!