I have an AWS RDS Instance that has IAM DB authentication enabled, where people can connect to the database via IAM roles as per the instructions at https://aws.amazon.com/premiumsupport/knowledge-center/rds-postgresql-connect-using-iam/. However, I want users to be able to connect to the RDS instance only via IAM roles, and not via the master username/password that was previously used? Is there a way to disable the master username/password, or enforce that people can only access the database via IAM roles?
Related
Scenario: We have an Azure cloud environment that contains three (Prod,Test,Dev) PaaS database servers (PostgreSQL Flexible Servers). Each server exists in its own VNet. The SQL data tables found in each server contain sensitive information. Let's say we require an external user (eg. a contractor, consultant) to access the data tables in a secure way, with MFA enabled. What would be a secure & simple way of enabling this?
Some options I can think of:
Share database server credentials with external user (high risk of credentials being misplaced. No MFA option?):
Whitelist user IP address against Azure firewalls
Send PaaS server credentials to external user via email or SMS.
They connect using an SQL client on their machine.
External user to use VM via Bastion:
Add external user to Azure AD
Turn on MFA for user in AD
Create VM in Azure, with SQL client software installed (ie. pgAdmin for PostgreSQL)
Configure access to the 3 PaaS servers (Prod, test, dev) from the VM
Set up Bastion server with access to VM
Enable user to access VM via Bastion server
Second option incurrs extaa costs for the VM and Bastion of course. Are there any other methods I should consider?
I am trying to use RDS proxy with TypeORM in a nestjs application. RDS Proxy uses IAM authentication, because of which I am getting authentication error after 15 minutes. Please let me know if there is a way to make typeorm refresh the token before it gets expire. (Type orm is loaded as part of app module in the nestjs lambda function)
you can give your ec2 access to your RDS via IAM Role.
If want to connect locally.
No need to pass the credentials via code.
How can I connect to a private Amazon RDS DB instance from a local machine using an Amazon EC2 instance as a bastion host?
OR
Install aws-cli.
Run: aws configure.
Add secret and access keys and session tokens, which should have access to your RDS.
This will add your credentials under the .aws/credentials file(or look for credentials file).
Write and run a background process that updates the credentials under credetails file before it expires.
We are attempting to configure Dev users at a project level with only 'viewer' access and also allow them to login to Cloud SQL. Strangely there are no granular permissions as there are for DataStore or Bigquery.
When attempting to connect after configuring the Cloud SQL proxy to follow Google best practice for connecting to V2 Cloud SQL instances.
The connection is refused in MySQL workbench and the following message appears in the Proxy window.
As soon as the Project privileges are changed to 'editor' in IAM, the same connection works fine. With a lack of roles for Cloud SQL, this means all users either cant access Cloud SQL v2 with proxy or can reset the root password.
Hopefully we are mistaken as this seems like a serious security issue?
You are correct, at this time the actor must have at least 'project editor' role to connect using the Cloud SQL Proxy.
I use Amazon EC2 to host some web sites and databases.
I have a new developer joining me tomorrow.
If I create an IAM User, and attach the "AmazonEC2FullAccess - arn:aws:iam::aws:policy/AmazonEC2FullAccess- Provides full access to Amazon EC2 via the AWS Management Console.) policy to him,
will he be able to access secrets stored inside the linux ec2 instances created in the past. Basically, does this policy somehow allow access to pre-created linux instances.
EDIT: what if he/ she attempts a disk recovery procedure? for example, mount the disk of a vm in a new ec2 instance
When you give AmazonEC2FullAccess access to the user he will be able to see all the EC2 instances in the AWS account. Even if you don't provide him the key to pre-created EC2 instances he will be able to take AMI of the pre created EC2 instance and launch it with a new key and get access to that instance.
He can also do disk recovery procedure as in you mentioned in your use case. So you have some of the below options.
Do not provide AmazonEC2FullAccess ask him what specification he needs for the server and launch the EC2 as per the specification and provide him ssh jailed user access to that EC2 instance.
Set up cloud trail so that you can monitor the resources created by that user for any suspicious activity https://aws.amazon.com/cloudtrail/
Third option is as you mentioned he is developer just provide him deployment and git access to the application running on the EC2 instance.
The IAM role only gives someone access to the AWS EC2 API, where you can do things like create new instances, shutdown existing instances, etc. This does not give someone access to login to any EC2 servers. For that you would need to give someone the SSH key (for Linux) or password (for Windows) that was setup when the server was created.
Is there a way to use IAM to manage developer access to an EC2 instance? (ssh not ec2 API).
Not the EC2 rest API or the online console but to manage individual ssh or ftp access to a server?
What you are looking for is a linux Pluggable Authentication Module (PAM) that talks to the AWS IAM service.
This is not available out of the box in an image, but have a look here:
https://github.com/denismo/aws-iam-ldap-bridge
This project allows you to sync an LDAP server with IAM, and then you can configure your sshd to use the LDAP server.
That might work for you.
You can use either of these two projects: https://github.com/widdix/aws-ec2-ssh or https://github.com/kislyuk/keymaker
They amount to synchronising the IAM accounts to the user accounts and can pull the SSH keys in. They both rely on a cron job to keep them up to date.
No, IAM is meant to control access to EC2 resources. Logging into an instance via SSH cannot be qualified as same. Anyone who has .pem key and can log into the instance (presuming the ssh access is allowed in security groups).