On Fri, 1 Oct 2010, Liraz Siri wrote:
> Mark Russell wrote:
> >
> > Being able to automatically assign an Elastic IP on instance start up
> > would be very cool. Here's one solution I found:
> > http://www.krzywanski.net/archives/592. But it requires putting your
> > private key and cert on the image. Seems like you could do something
> > similar but more securely from your workstation though, maybe an option
> > to cloud-utils "uec-run-instances"?
>
> Putting your private key and cert on an image is a bad idea. If one
> machine gets compromised the attacker now has access to your entire EC2
> infrastructure.
Well, thanks to IAM, the above is not nearly as true as it used to be. I wrote two blog entries when I just started playing with IAM [1,2] on Ubuntu. You could easily create a set of IAM credentials that is only able to make the AssociateAddress API call [3], and stuff those credentials into the image.

The point is still valid, though, that those credentials could then be used to make other 'AssociateAddress' calls. If you had credentials limited to only that call, the possibility for exploitation is somewhat low. Worst case, a hacker got those credentials and assigned an address to another of *your* instances (the target of the instance has to be owned by that account... you can't assign your IP to my instance-id).

Additional safeguards:
a.) do not provide ACL to 'DescribeAddresses'; the exploiter then would have to guess at what IPs might be.
b.) limit the ACL to being used from inside the instance's IP address via a policy.

All in all, not that bad. IAM is a *huge* win for doing things like this, and I definitely expect people to be experimenting with using it inside instances.

One thing that you cannot do right now for EC2 is explicitly limit inputs to the 'AssociateAddress'. Ideally, you could create an ACL that could only call 'AssociateAddress' with 'PublicIp' == 'your-desired-ip' and 'InstanceId' == 'your-instance-id'. Of course, knowing the instance-id would prevent you from being able to do this before launching the instance, but you get the picture.

--
[1] http://ubuntu-smoser.blogspot.com/2010/09/playing-with-aws-access-identity.html
[2] http://ubuntu-smoser.blogspot.com/2010/09/using-policies-in-aws-identity-and.html
[3] http://docs.amazonwebservices.com/AWSEC2/latest/APIReference/

--
Ubuntu-cloud mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-cloud
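The policy shape described in the reply above, written out as an added example (not code from the thread or from the linked blog posts). It builds an IAM policy that grants only ec2:AssociateAddress and only from a trusted source range (safeguards a and b), includes a small offline evaluator so you can check what the credentials can and cannot do before baking them into an image, and shows the instance-side call. The CIDR 203.0.113.0/24, the addresses and the allocation ID are constructed placeholders. One caveat the evaluator makes visible: the aws:SourceIp condition keys off the public address the request leaves from, and an instance's pre-association public address is not known before launch, so in practice the condition is a NAT address or the block your instances launch into, not the Elastic IP itself. The instance-side function uses the VPC form of the call (AllocationId) and IMDSv2; the 2010-era call in the thread took PublicIp instead.

```python
"""Least-privilege IAM credentials for an instance that associates its own Elastic IP.

Added example, not code from the mailing-list thread. All CIDRs, IPs and IDs are
constructed placeholders.
"""
import fnmatch
import ipaddress
import json

# Constructed: the address block the API calls are expected to originate from
# (a NAT address, or the range your instances launch into). Not the EIP itself,
# which the instance does not have yet when it makes the call.
TRUSTED_SOURCE_CIDR = "203.0.113.0/24"


def build_associate_address_policy(source_cidr: str = TRUSTED_SOURCE_CIDR) -> dict:
    """Grant only ec2:AssociateAddress, and only from source_cidr.

    ec2:DescribeAddresses is deliberately absent (safeguard a), and the aws:SourceIp
    condition implements safeguard b. Resource stays "*" because the call cannot be
    pinned to one PublicIp/InstanceId pair the way the reply wishes it could.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AssociateOwnElasticIp",
                "Effect": "Allow",
                "Action": "ec2:AssociateAddress",
                "Resource": "*",
                "Condition": {"IpAddress": {"aws:SourceIp": source_cidr}},
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate the condition subset used here: IpAddress/NotIpAddress on a context key."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = context.get(key)
            if actual is None:  # missing context key never satisfies a positive match
                return False
            if operator not in ("IpAddress", "NotIpAddress"):
                raise ValueError(f"unsupported condition operator {operator}")
            addr = ipaddress.ip_address(actual)
            in_range = any(addr in ipaddress.ip_network(c, strict=False) for c in _as_list(expected))
            if (operator == "IpAddress") != in_range:
                return False
    return True


def is_allowed(policy: dict, action: str, context: dict) -> bool:
    """Minimal IAM evaluation: default deny, explicit Deny overrides any Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = [p.lower() for p in _as_list(stmt["Action"])]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def associate_self(allocation_id: str, region: str) -> dict:
    """Run on the instance: read own instance-id from IMDSv2, then AssociateAddress.

    Needs boto3 and the metadata service, so the imports are lazy and this is not
    exercised offline. The restricted credentials come from the environment or
    the usual boto3 credential chain.
    """
    import urllib.request
    import boto3

    token_req = urllib.request.Request(
        "http://169.254.169.254/latest/api/token",
        method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"},
    )
    token = urllib.request.urlopen(token_req, timeout=2).read().decode()
    id_req = urllib.request.Request(
        "http://169.254.169.254/latest/meta-data/instance-id",
        headers={"X-aws-ec2-metadata-token": token},
    )
    instance_id = urllib.request.urlopen(id_req, timeout=2).read().decode()
    ec2 = boto3.client("ec2", region_name=region)
    return ec2.associate_address(InstanceId=instance_id, AllocationId=allocation_id)


if __name__ == "__main__":
    policy = build_associate_address_policy()
    print(json.dumps(policy, indent=2))
    for action, ip in [("ec2:AssociateAddress", "203.0.113.7"),
                       ("ec2:AssociateAddress", "198.51.100.7"),
                       ("ec2:DescribeAddresses", "203.0.113.7")]:
        print(f"{action} from {ip}: {is_allowed(policy, action, {'aws:SourceIp': ip})}")
```

The evaluator is a check on the policy document, not a substitute for IAM: it implements only the operators the document uses, so it raises on anything else rather than silently allowing it. Paste the printed JSON into the IAM user or role whose keys go on the image; stolen keys can then only re-point Elastic IPs within your own account, from your own address range, and cannot list which addresses exist.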
