I would like to have all cost and ressources used of each IAM users.
Unfortunately, i can have only the cost of my master account. I know that i can create a organization and set OU and users AWS account to have a detail and record each events, but the ressources used by 'users' are used only for my application, i don't need to have real account, and i can't automatises all deployements if i must set password and credentials manually .
One solutions also is to create CloudTrail and Cloudwatch to record each events services but i found this 'too heavy' and i will need to calculate myself the cost because it only get the datas which are used.
I would like to know if they are exists others systemes to do that in preference with boto3.
Thank you for your responses.
Have a nice day/night.
Costs are not easily associated back to "users".
AWS resources are associated with an AWS Account. When a user creates a resource (eg an Amazon EC2 instance), IAM will confirm that they have permission to launch the resource, but the resource itself is not associated with the user who created it.
You would need to add tags to resources to have more fine-grained association of costs to people/projects/departments. These tags can be used in billing reports to provide cost breakdowns.
Related
I am in a situation where I need to do some calculations based upon data provided by the customer, store the result somewhere, and make the result available through APIs. For this, I have produced a NodeJS app that can store the data in a NoSQL DB.
My issue is that I want the customer to pay for everything without seeing the source-code. I dont need to make any money for myself, just allow the customer to pay the bills without seeing my calculations.
For this, I am considering AWS. I can spin out an EC2 instance, run my NodeJS code on it and store all the data in RDS, S3, etc. I have two possibilities from this point:
I pay for the AWS account (ie, put my Credit Card Details), and recover the bill from the customer; or
I ask the customer to create an AWS account, give me some sort of access so that I can download my code on EC2 etc
For option 1, the question is
Is there a way in AWS (IAM user etc) such that a customer can login to
the AWS console, view the billing and usage information, but cannot
logon to EC2 and see the Node source code
For option 2,
Is it even possible that the owner of the account doesnt get to see
the source-code on their EC2 instance
Please advise
Yes, Amazon has a tutorial on exactly that:
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_billing.html
I would suggest starting there and then asking additional questions here, and we can try and help you.
Is there a way in AWS (IAM user etc) such that a customer can login to
the AWS console, view the billing and usage information, but cannot
logon to EC2 and see the Node source code
This seems like a fit for AWS marketplace AMI based product offering. You can offer your AMI on the marketplace for your customers. Your customers would need an AWS account to buy your AMI and they will be charged by AWS on your behalf. You will be paid by AWS.
Is it even possible that the owner of the account doesn't get to see
the source-code on their EC2 instance
I believe one of the ways to do this to disable the sshd process on the AMI that you create. There can be better alternatives to this but I just put what I could guess.
It is difficult to totally protect something from the owner of an AWS Account.
To give an example, think of the pre-cloud world. If somebody has physical access to a computer, they could open the case and remove the hard disk. By attaching the disk to another computer, they could read the contents. But, you might say, what if the contents is password-protected? Yes, that would help, but how does the app access the contents without knowing the password?
Exactly the same thing applies in the cloud. If you are using an Amazon EC2 instance, then the disk can be copied via a Snapshot and attached to another computer. The contents can be read.
You might be super-smart and know how to make an EC2 instance with an encrypted volume that can boot and serve traffic, without giving people permission to login. If they attach the disk to another EC2 instance, it should be unreadable because the boot volume is encrypted. (But then how does it work when booted?)
If you want to be totally sure about protecting your code, I would recommend:
Use your own AWS Account (so they don't have access)
Setup Consolidated Billing (so they get the bill, but they don't have access to the account)
Provide an API that they can call (either via API Gateway + Lambda, or an Amazon EC2 instance). You can even get fancy and use AWS PrivateLink - Amazon Virtual Private Cloud Connectivity Options, which exposes a service in another AWS Account without traversing the Internet.
The result is that only you have total access to the resources, but they pay for the account. This would only work if you have a single customer using the service, since the whole cost of that account will go to them. (It wouldn't be appropriate if you are servicing multiple customers from the same account.)
I know nothing about azure. Experienced with AWS and GCP. What I've been tasked to do is set up a system where customers of ours have data in Azure storage containers (blobs), which are not public. The idea is that we would want to be able to serve content from our customers storage container to OUR customers using a SAS link that expires in a short period of time (say, a few seconds).
I'm finding the docs highly confusing and am just hoping I can get a pointer in the correct direction. Looking at the Ruby api, it looks like I need to supply an account name and an access secret to generate a SAS. So, presumably our customer would have to provide that to us. How would they create that account/key with minimal permissions so that all we can do is create the SAS link and serve it to our customers?
I'm reading all kinds of things about Active Directory and RBAC and SAS and Service Principles and all this stuff, but not sure how it fits together. I've implemented something similar in AWS, where the customer just creates an IAM user with GetObject permission on the bucket, they give us the key/secret, and we use it to generate a signed url. But azure is a whole different beast.
A group of friends and I are working on an private project and are considering hosting it on Azure.
I have an account on Azure and will be the one controlling the costs.
Is it possible to assign a pool of resources (e.g. Functions + database) to another user(s), preferably also assigning a cost limit for it to avoid things exploding?
You can give them access to a subscription / resource group / resource by going to e.g. the subscription and clicking on Access Control (IAM).
There you can enter their email address, and give them the role needed. Reader for read-only, Contributor for Read/Write, and Owner for Read/Write + access management. There are a bunch of others too. More about Role-based access control
I am not aware of a way to limit cost for individual users, though you can for example setup Billing alerts.
You can use ARM policies to limit the types of resources that can be used. As an example, you can deny the use of certain very expensive VMs to a group of users. Some samples of these policy templates can be found here
As stated in other answers, you can assign access to others on various levels. You can assign to "live" accounts (Hotmail,outlook,live.com etc) but as part of your subscription you can also create an Azure Active Directory instance on which you can create users. You would also want to use this AAD to create service accounts in the future, register applications for authentication, etc.
To all those SaaS engineers/developers out there ...
I am building a SaaS product which will store customer data on S3. I wonder what is the best approach regarding security?
Have a single IAM user with a bucket policy. That would be simple but data security is handled purely by the SaaS app. In case of a glitch, other users could have access to restricted material.
What about creating an IAM user (via IAM REST API) for each new customer account and having object specific ACL for each stored object? More complex but it adds a layer of security in S3 as well.
Any other way?
Also, to provide access to the material via the SaaS app. I plan to have each object 'readable name' replaced with a guid so that it cannot be easily guessed and use pre-signed urls with a time limit to see and download them. Is that a best practice? What time limit is considered safe and user-friendly?
Thanks
You should never generate AWS IAM Users for "end-users" of your application (option 2). IAM grants permission to call AWS APIs and the end-users of your application should never need to call an API.
Information stored in Amazon S3 should be available to your SaaS application via standard methods:
Create an IAM Role for your application
Select the IAM Role when launching Amazon EC2 instances that run your application
Any code running on the Amazon EC2 instances that uses the AWS SDK will know how to automatically access credentials via the EC2 instance metadata service
If you wish to serve content from Amazon S3 directly to users of the application, generate Amazon S3 pre-signed URLs, that provide time-limited access to objects stored in S3 buckets. A 15-minute expiry duration could be a good trade-off between security and users who pause to take a phone call, but that timing is up to you.
Your S3 bucket should not have a bucket policy because all access will be via permissions granted to the IAM Role, or via pre-signed URLs.
The use of randomized GUIDs as filenames is irrelevant because you will have proper security rather than obfuscation.
Recently AWS created a blog post about how to Partitioning and Isolating Multi-Tenant SaaS Data with Amazon S3 which I believe addresses you question very well.
Here is the link:
https://aws.amazon.com/blogs/apn/partitioning-and-isolating-multi-tenant-saas-data-with-amazon-s3/?ck_subscriber_id=553485768
We had a bill shock scare in our corporate account when someone got access to the secure keys and started a lot of m3.large spot instances (50+) on the aws account.
The servers ran overnight before it was found and the bill went over $7000 for the day.
We have several security practices set up on the account after the incident including
key rotation
password minimum length
password expiry
Billing alerts
Cloudwatch
Git precommit hooks to look for AWS keys
I am yet to find a way to cap the bill amount to a desired top threshold.
Does AWS provide a method of setting a cap on the bill(daily/monthly) ? Is there any best practices on this front which can be added to the measures pointed out above to prevent unauthorized use ?
Amazon does not have a mechanism to "take action" in cases where bills skyrocket. You can do what you've already done:
Setup billing alerts to monitor for a skyrocketing bill
Setup good security practices to ensure that people cannot mess with your AWS account
But also, you can:
Setup internal company policies so that employees don't accidentally cause unnecessary charges
Ensure you're using IAM roles and policies appropriately so that no one can do the wrong thing
There's a good reason why AWS won't do anything active: what exactly would you expect them to do? Doing anything that isn't inline with your business practices could totally damage your company.
For example, you have an autoscaling group managing a small fleet of EC2 instances. One day, your company gets some unexpected good press and your website activity goes through the roof, launching new EC2 instances to meet the demand, and blasts past your billing alert. If AWS were to terminate or stop EC2 instances to prevent your bill from going nuts, then your customers wouldn't be able to access your website. This could cause damage to your company reputation, or worse.
If you want to take action, you can setup a trigger on the billing alert and handle it yourself according to your business needs. That's how AWS is built: it gives you the tools; you need to use those tools in a way that best suit your business.
You can definitely setup Billing Alerts to receive a notification when this kind of thing happens:
http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/monitor-charges.html
Also take a look at:
http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/checklistforunwantedcharges.html
Although AWS does not support a cap on billing, it does support caps on services including a cap on the number of EC2 instances - see http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-resource-limits.html. By default new accounts are caped at 20 EC2 instances, but this limit can be changed.