Great overview of permission management in AWS by @bjohnso5y (SEC308)

Lots of tools to secure your AWS environment (maybe that's why it's so hard to get right, lots of things to consider) but I love how it starts with "separate workloads using multiple accounts"
SCP for org-wide restrictions (e.g. Deny ec2:* 😉).

IAM perm boundary to stop ppl from creating permissions that exceed their own.

Block S3 public access.

These are the things that deny access to things (hence guardrails)

Use IAM principal and resource policies to grant perms
"You should be using roles so you can focus on temporary credentials" 👍

Shouldn't be using IAM users and groups anymore, go set up AWS SSO and throw away the password for the root user (and use the forgotten password mechanism if you need to recover access)
Resource policies are great for cross-account access management and for delegating permission management to the resource owner.
All requests start with DENY, and have to pass a whole series of gates to get to ALLOW. This gets complicated sometimes, even for seasoned users... especially when cross-account access is involved.

Memorize this flow.

Here are some common things you can do with SCPs.
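A working model of that flow, as an added Python example (not from the session or from the thread): a deliberately simplified evaluator that walks SCP, resource policy, permissions boundary and identity policy in the order of the AWS evaluation-logic chart, with an explicit Deny checked first. The policy documents, account id and bucket names are constructed; Condition and Principal elements are ignored (a resource policy passed in is assumed to already name the caller), and session policies are left out.

```python
from fnmatch import fnmatchcase

# Constructed policy documents for the demo. The SCP is the thread's
# "Deny ec2:*" guardrail layered on the default FullAWSAccess allow.
SCP_NO_EC2 = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:*", "Resource": "*"},
]}
DEV_IDENTITY = {"Statement": [{"Effect": "Allow",
    "Action": ["s3:GetObject", "ec2:RunInstances", "iam:CreateUser"], "Resource": "*"}]}
S3_ONLY_BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
BUCKET_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::shared-bucket/*"}]}


def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def _matches(patterns, value, ignore_case):
    """IAM action names are case-insensitive; resource ARNs are not."""
    for pattern in patterns:
        if ignore_case and fnmatchcase(value.lower(), pattern.lower()):
            return True
        if not ignore_case and fnmatchcase(value, pattern):
            return True
    return False


def evaluate_policy(policy, action, resource):
    """Return 'Deny', 'Allow' or None (no matching statement) for one document."""
    decision = None
    for stmt in _as_list(policy.get("Statement")):
        if not _matches(_as_list(stmt.get("Action")), action, ignore_case=True):
            continue
        if not _matches(_as_list(stmt.get("Resource")), resource, ignore_case=False):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny in a document beats its Allows
        decision = "Allow"
    return decision


def evaluate_request(action, resource, *, scps, identity_policies,
                     boundary=None, resource_policy=None, cross_account=False):
    """Walk the gates in chart order and return (decision, reason).
    scps=[] means no SCP applies (e.g. the management account)."""
    gates = [("SCP", p) for p in scps] + [("identity", p) for p in identity_policies]
    if boundary is not None:
        gates.append(("permissions boundary", boundary))
    if resource_policy is not None:
        gates.append(("resource", resource_policy))

    # Gate 1: an explicit Deny anywhere is final.
    for name, policy in gates:
        if evaluate_policy(policy, action, resource) == "Deny":
            return "Deny", f"explicit Deny in {name} policy"
    # Gate 2: SCPs are a ceiling; they never grant, they only permit a grant.
    if scps and not any(evaluate_policy(p, action, resource) == "Allow" for p in scps):
        return "Deny", "implicit deny: no SCP allows the action"

    identity_allows = any(evaluate_policy(p, action, resource) == "Allow"
                          for p in identity_policies)
    resource_allows = (resource_policy is not None
                       and evaluate_policy(resource_policy, action, resource) == "Allow")
    # Gate 3: same account, a resource policy naming the caller is enough on its own.
    if resource_allows and not cross_account:
        return "Allow", "resource policy allows the caller (same account)"
    # Gate 4: a permissions boundary caps what identity policies may grant.
    if boundary is not None and evaluate_policy(boundary, action, resource) != "Allow":
        return "Deny", "implicit deny: permissions boundary does not allow the action"
    # Gate 5: something in the caller's identity policies must Allow.
    if not identity_allows:
        return "Deny", "implicit deny: no identity policy allows the action"
    # Gate 6: cross-account access needs both sides to say yes.
    if cross_account and not resource_allows:
        return "Deny", "implicit deny: resource account's policy does not allow the caller"
    return "Allow", "identity policy allows" + (
        " and resource policy admits the cross-account caller" if cross_account else "")


def demo():
    """Scenarios from the thread's guardrails, as {name: decision}."""
    obj = "arn:aws:s3:::shared-bucket/k"
    return {
        "scp_blocks_ec2": evaluate_request("ec2:RunInstances", "*",
            scps=[SCP_NO_EC2], identity_policies=[DEV_IDENTITY])[0],
        "identity_allows_s3": evaluate_request("s3:GetObject", obj,
            scps=[SCP_NO_EC2], identity_policies=[DEV_IDENTITY])[0],
        "boundary_caps_iam": evaluate_request("iam:CreateUser", "arn:aws:iam::123456789012:user/x",
            scps=[SCP_NO_EC2], identity_policies=[DEV_IDENTITY], boundary=S3_ONLY_BOUNDARY)[0],
        "cross_account_needs_both": evaluate_request("s3:GetObject", obj, scps=[SCP_NO_EC2],
            identity_policies=[], resource_policy=BUCKET_POLICY, cross_account=True)[0],
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:26} {decision}")
```

The last scenario is the one that trips people up in cross-account setups: a bucket policy naming the other account's role is not enough, the role's own identity policy in the calling account still has to allow the action.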
Brigid demoed creating a SCP in the console.

If you want to IaC your AWS Organization set up and SCPs, then check out org-formation. It lets you use a CloudFormation-like syntax to configure all that, plus creating new accounts, password policies, etc.…
For example, this is setting up the password policy and SCPs at the root of my AWS Organization

Can't stress how powerful this tool is. You should definitely go check it out! Kudos to @OConijn for such amazing work 👏👏👏
"We all know developers who like to work in the middle of the night. And you want to allow them to do that and let them manage permissions." - so that's why they created permission boundaries! 🤔😂
mm.. IAM Access Analyzer sounds pretty cool, been meaning to try it out since it was announced at the last re:Invent, especially since it's a free service, and now it even supports AWS Organizations
Use last accessed info to remove unused roles and unused permissions from roles 👍

I guess you can (and probably want to!) automate this with Lambda.
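The Lambda the thread suggests, sketched as an added Python example (not from the talk or the thread): it lists roles, fetches each role's RoleLastUsed via GetRole (ListRoles omits that field), skips service-linked roles, and reports roles with no activity in 90 days. The threshold, role names and dates are constructed; the FakeIam class stands in for a boto3 IAM client so the block runs offline, and the handler assumes boto3 in the real deployment. It reports rather than deletes, since removing a role is the step you want a human to review.

```python
from datetime import datetime, timedelta, timezone

STALE_AFTER_DAYS = 90  # assumed threshold; tune for your environment


def _last_activity(role):
    """Last use if IAM recorded one, else the creation date (a role never used
    is measured from when it was created). Note IAM only tracks last-used data
    for a limited window (400 days), so older never-used roles look the same."""
    last_used = role.get("RoleLastUsed", {}).get("LastUsedDate")
    return last_used or role["CreateDate"]


def find_stale_roles(iam, now=None, stale_after_days=STALE_AFTER_DAYS):
    """Return [{RoleName, LastActivity}] for roles idle longer than the threshold."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=stale_after_days)
    stale = []
    for page in iam.get_paginator("list_roles").paginate():
        for summary in page["Roles"]:
            if summary["Path"].startswith("/aws-service-role/"):
                continue  # service-linked roles are owned by AWS, not candidates
            role = iam.get_role(RoleName=summary["RoleName"])["Role"]
            activity = _last_activity(role)
            if activity < cutoff:
                stale.append({"RoleName": role["RoleName"],
                              "LastActivity": activity.isoformat()})
    return stale


def handler(event, context):
    """Lambda entry point for the real deployment (assumes boto3 is available)."""
    import boto3
    return {"stale_roles": find_stale_roles(boto3.client("iam"))}


# --- Offline stand-in for the IAM client, with constructed sample roles ---
NOW = datetime(2020, 12, 10, tzinfo=timezone.utc)


def _days_ago(n):
    return NOW - timedelta(days=n)


SAMPLE_ROLES = [
    {"RoleName": "app-prod", "Path": "/", "CreateDate": _days_ago(300),
     "RoleLastUsed": {"LastUsedDate": _days_ago(3), "Region": "us-east-1"}},
    {"RoleName": "old-migration", "Path": "/", "CreateDate": _days_ago(400),
     "RoleLastUsed": {"LastUsedDate": _days_ago(200), "Region": "eu-west-1"}},
    {"RoleName": "never-used-2019", "Path": "/", "CreateDate": _days_ago(450),
     "RoleLastUsed": {}},
    {"RoleName": "fresh-unused", "Path": "/", "CreateDate": _days_ago(5),
     "RoleLastUsed": {}},
    {"RoleName": "AWSServiceRoleForSupport", "Path": "/aws-service-role/",
     "CreateDate": _days_ago(500), "RoleLastUsed": {}},
]


class _FakePaginator:
    def __init__(self, roles):
        self._roles = roles

    def paginate(self):
        # ListRoles returns summaries without RoleLastUsed, like the real API
        yield {"Roles": [{k: r[k] for k in ("RoleName", "Path")} for r in self._roles]}


class FakeIam:
    """Minimal stand-in for boto3's IAM client, enough for find_stale_roles."""

    def __init__(self, roles):
        self._roles = {r["RoleName"]: r for r in roles}

    def get_paginator(self, name):
        assert name == "list_roles"
        return _FakePaginator(list(self._roles.values()))

    def get_role(self, RoleName):
        return {"Role": self._roles[RoleName]}


if __name__ == "__main__":
    for entry in find_stale_roles(FakeIam(SAMPLE_ROLES), now=NOW):
        print(entry)
```

The same idea extends to permissions: GenerateServiceLastAccessedDetails gives per-service last-accessed data for a role, which is what you'd use to trim unused actions from a policy rather than removing the whole role.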

ps. who's Marie Kondo?
Lastly, Brigid talks about ABAC.

In principle, I think ABAC is a great idea, but there're still a lot of gaps in the services that support it.

This post is still very relevant:…
Thank you @bjohnso5y great session as always 👏

Thread by Yan Cui (@theburningmonk)